Cisco Nexus 5600 Series NX-OS Security Configuration Guide, Release 7.x
First Published: January 30, 2014
Last Modified: December 22, 2014
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
Text Part Number: OL-30921-01
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS,
INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH
THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY,
CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS" WITH ALL FAULTS.
CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT
LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS
HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: http://www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
© 2014 Cisco Systems, Inc. All rights reserved.
Contents
Preface
Related Documentation for Cisco Nexus 5600 Series NX-OS Software
Obtaining Documentation and Submitting a Service Request
Authentication, Authorization, and Accounting
RADIUS and TACACS+ Security Protocols
Configuring Authentication, Authorization, and Accounting
AAA Service Configuration Options
Authentication and Authorization Process for User Logins
Guidelines and Limitations for AAA
Configuring Console Login Authentication Methods
Configuring Default Login Authentication Methods
Enabling Login Authentication Failure Messages
Configuring AAA Command Authorization
Configuring Console Authorization Commands
Enabling MSCHAP Authentication
Configuring AAA Accounting Default Methods
Specifying Switch User Roles and SNMPv3 Parameters on AAA Servers
Configuration Examples for Login Parameters
Configuring Login Block Per User
Configuration Examples for Login Block Per User
Restricting Sessions Per User—Per User Per Login
Configuring Passphrase Time Values
Enabling the Password Prompt for User Name
Support over SHA-256 Algorithm for Verifying OS Integrity
Configuring Share Key Value for using RADIUS/TACACS+
Monitoring and Clearing the Local AAA Accounting Log
Verifying the AAA Configuration
Configuration Examples for AAA
Information About RADIUS Operations
Guidelines and Limitations for RADIUS
Configuring RADIUS Server Hosts
Configuring RADIUS Global Preshared Keys
Configuring RADIUS Server Preshared Keys
Configuring RADIUS Server Groups
Configuring the Global Source Interface for RADIUS Server Groups
Allowing Users to Specify a RADIUS Server at Login
Configuring the Global RADIUS Transmission Retry Count and Timeout Interval
Configuring the RADIUS Transmission Retry Count and Timeout Interval for a Server
Configuring Accounting and Authentication Attributes for RADIUS Servers
Configuring Periodic RADIUS Server Monitoring
Configuring the Dead-Time Interval
Manually Monitoring RADIUS Servers or Groups
Verifying the RADIUS Configuration
Displaying RADIUS Server Statistics
Clearing RADIUS Server Statistics
Configuration Examples for RADIUS
Information About Configuring TACACS+
Default TACACS+ Server Encryption Type and Preshared Key
Command Authorization Support for TACACS+ Servers
Guidelines and Limitations for TACACS+
TACACS+ Server Configuration Process
Configuring TACACS+ Server Hosts
Configuring TACACS+ Global Preshared Keys
Configuring TACACS+ Server Preshared Keys
Configuring TACACS+ Server Groups
Configuring the Global Source Interface for TACACS+ Server Groups
Specifying a TACACS+ Server at Login
Configuring AAA Authorization on TACACS+ Servers
Configuring Command Authorization on TACACS+ Servers
Testing Command Authorization on TACACS+ Servers
Enabling and Disabling Command Authorization Verification
Configuring Privilege Level Support for Authorization on TACACS+ Servers
Permitting or Denying Commands for Users of Privilege Roles
Configuring the Global TACACS+ Timeout Interval
Configuring the Timeout Interval for a Server
Configuring Periodic TACACS+ Server Monitoring
Configuring the Dead-Time Interval
Manually Monitoring TACACS+ Servers or Groups
Verifying the TACACS+ Configuration
Configuration Examples for TACACS+
Information About SSH and Telnet
Guidelines and Limitations for SSH
Specifying the SSH Public Keys for User Accounts
Specifying the SSH Public Keys in Open SSH Format
Specifying the SSH Public Keys in IETF SECSH Format
Specifying the SSH Public Keys in PEM-Formatted Public Key Certificate Form
Starting SSH Sessions to Remote Devices
Configuration Examples for SSH
Starting Telnet Sessions to Remote Devices
Verifying the SSH and Telnet Configuration
Authentication Initiation and Message Exchange
Authenticator PAE Status for Interfaces
Ports in Authorized and Unauthorized States
Dynamic VLAN Assignment based on MAC-Based Authentication (MAB)
Single Host and Multiple Hosts Support
Licensing Requirements for 802.1X
802.1X Guidelines and Limitations
Process for Configuring 802.1X
Configuring AAA Authentication Methods for 802.1X
Controlling 802.1X Authentication on an Interface
Configuring 802.1X Authentication on Member Ports
Creating or Removing an Authenticator PAE on an Interface
Enabling Periodic Reauthentication for an Interface
Manually Reauthenticating Supplicants
Manually Initializing 802.1X Authentication
Changing 802.1X Authentication Timers for an Interface
Enabling Single Host or Multiple Hosts Mode
Enabling MAC Authentication Bypass
Disabling 802.1X Authentication on the Cisco NX-OS Device
Setting the Maximum Authenticator-to-Supplicant Frame Retransmission Retry Count for an Interface
Enabling RADIUS Accounting for 802.1X Authentication
Configuring AAA Accounting Methods for 802.1X
Setting the Maximum Reauthentication Retry Count on an Interface
Verifying the 802.1X Configuration
Configuration Example for 802.1X
Additional References for 802.1X
Information About Cisco TrustSec
Cisco TrustSec and Authentication
Cisco TrustSec Enhancements to EAP-FAST
Cisco TrustSec Authentication Summary
Determining the Source Security Group
Determining the Destination Security Group
SXP for SGT Propagation Across Legacy Access Networks
Authorization and Policy Acquisition
Licensing Requirements for Cisco TrustSec
Prerequisites for Cisco TrustSec
Guidelines and Limitations for Cisco TrustSec
Default Settings for Cisco TrustSec Parameters
Enabling the Cisco TrustSec Feature
Configuring Cisco TrustSec Device Credentials
Configuring AAA for Cisco TrustSec
Configuring AAA on the Cisco TrustSec Cisco NX-OS Devices
Configuring AAA on Cisco TrustSec Nonseed Cisco NX-OS Devices
Configuring Cisco TrustSec Authentication, Authorization, SAP, and Data Path Security
Cisco TrustSec Configuration Process for Cisco TrustSec Authentication and Authorization
Enabling Cisco TrustSec Authentication
Configuring Data-Path Replay Protection for Cisco TrustSec on Interfaces
Configuring SAP Operation Modes for Cisco TrustSec on Interfaces
Configuring SGT Propagation for Cisco TrustSec on Interfaces
Regenerating SAP Keys on an Interface
Configuring Cisco TrustSec Authentication in Manual Mode
Configuring Pause Frame Encryption or Decryption for Cisco TrustSec on Interfaces
SGACL Policy Configuration Process
Enabling SGACL Policy Enforcement on VLANs
Enabling SGACL Policy Enforcement on VRF Instances
Manually Configuring Cisco TrustSec SGTs
Manually Configuring IPv4-Address-to-SGACL SGT Mapping for a VLAN
Manually Configuring IPv4-Address-to-SGACL SGT Mapping for a VRF Instance
Manually Configuring SGACL Policies
Displaying the Downloaded SGACL Policies
Refreshing the Downloaded SGACL Policies
Clearing Cisco TrustSec SGACL Policies
Cisco TrustSec SXP Configuration Process
Configuring Cisco TrustSec SXP Peer Connections
Configuring the Default SXP Password
Configuring the Default SXP Source IPv4 Address
Changing the SXP Reconcile Period
Verifying the Cisco TrustSec Configuration
Configuration Examples for Cisco TrustSec
Configuring AAA for Cisco TrustSec on a Cisco NX-OS Device
Enabling Cisco TrustSec Authentication on an Interface
Configuring Cisco TrustSec Authentication in Manual Mode
Configuring Cisco TrustSec Role-Based Policy Enforcement for the Default VRF
Configuring Cisco TrustSec Role-Based Policy Enforcement for a Nondefault VRF
Configuring Cisco TrustSec Role-Based Policy Enforcement for a VLAN
Configuring IPv4 Address to SGACL SGT Mapping for the Default VRF Instance
Configuring IPv4 Address to SGACL SGT Mapping for a Nondefault VRF Instance
Configuring IPv4 Address to SGACL SGT Mapping for a VLAN
Manually Configuring Cisco TrustSec SGACLs
Manually Configuring SXP Peer Connections
Additional References for Cisco TrustSec
Feature History for Cisco TrustSec
Configuring Access Control Lists
Logical Operators and Logical Operation Units
Licensing Requirements for ACLs
Guidelines and Limitations for ACLs
Changing Sequence Numbers in an IP ACL
Applying an IP ACL as a Router ACL
Applying an IP ACL as a Port ACL
Verifying IP ACL Configurations
Monitoring and Clearing IP ACL Statistics
Changing Sequence Numbers in a MAC ACL
Applying a MAC ACL as a Port ACL
Verifying MAC ACL Configurations
Displaying and Clearing MAC ACL Statistics
Example Configuration for MAC ACLs
Verifying the VACL Configuration
Displaying and Clearing VACL Statistics
Configuration Examples for VACL
Configuring ACLs on Virtual Terminal Lines
Configuration Examples for ACLs on VTY Lines
Configuring the ACL Resource Usage Threshold
Information About Port Security
Security Violations and Actions
Licensing Requirements for Port Security
Prerequisites for Port Security
Guidelines and Limitations for Port Security
Guidelines and Limitations for Port Security on vPCs
Default Settings for Port Security
Enabling or Disabling Port Security Globally
Enabling or Disabling Port Security on a Layer 2 Interface
Enabling or Disabling Sticky MAC Address Learning
Adding a Static Secure MAC Address on an Interface
Removing a Static Secure MAC Address on an Interface
Removing a Dynamic Secure MAC Address
Configuring a Maximum Number of MAC Addresses
Configuring an Address Aging Type and Time
Configuring a Security Violation Action
Verifying the Port Security Configuration
Displaying Secure MAC Addresses
Configuration Example for Port Security
Configuration Example of Port Security in a vPC Domain
Additional References for Port Security
Information About DHCP Snooping
Feature Enabled and Globally Enabled
DHCP Snooping Binding Database
DHCP Snooping Option 82 Data Insertion
DHCP Snooping in a vPC Environment
Synchronizing DHCP Snooping Binding Entries
Information About the DHCP Relay Agent
VRF Support for the DHCP Relay Agent
Information about the DHCPv6 Relay Agent
VRF Support for the DHCPv6 Relay Agent
Information About the Lightweight DHCPv6 Relay Agent
Lightweight DHCPv6 Relay Agent
Guidelines and Limitations for Lightweight DHCPv6 Relay Agent
Guidelines and Limitations for DHCP Snooping
Guidelines and Limitations for the vIP HSRP Enhancement
Default Settings for DHCP Snooping
Minimum DHCP Snooping Configuration
Enabling or Disabling the DHCP Snooping Feature
Enabling or Disabling DHCP Snooping Globally
Enabling or Disabling DHCP Snooping on a VLAN
Enabling or Disabling Option 82 Data Insertion and Removal
Enabling or Disabling Strict DHCP Packet Validation
Configuring an Interface as Trusted or Untrusted
Enabling or Disabling the DHCP Relay Agent
Enabling or Disabling Option 82 for the DHCP Relay Agent
Enabling or Disabling VRF Support for the DHCP Relay Agent
Enabling or Disabling Subnet Broadcast Support for the DHCP Relay Agent on a Layer 3
Creating a DHCP Static Binding
Configuring the DHCPv6 Relay Agent
Enabling or Disabling the DHCPv6 Relay Agent
Enabling or Disabling VRF Support for the DHCPv6 Relay Agent
Configuring the DHCPv6 Relay Source Interface
Configuring Lightweight DHCPv6 Relay Agent
Configuring Lightweight DHCPv6 Relay Agent for an Interface
Configuring Lightweight DHCPv6 Relay Agent for a VLAN
Enabling DHCP Relay Agent using VIP Address
Verifying the DHCP Snooping Configuration
Displaying and Clearing LDRA Information
Clearing the DHCP Snooping Binding Database
Clearing DHCP Relay Statistics
Clearing DHCPv6 Relay Statistics
Configuration Examples for DHCP Snooping
Configuration Examples for LDRA
Configuring Dynamic ARP Inspection
Interface Trust States and Network Security
Prioritizing ARP ACLs and DHCP Snooping Entries
Licensing Requirements for DAI
Guidelines and Limitations for DAI
Enabling or Disabling DAI on VLANs
Configuring the DAI Trust State of a Layer 2 Interface
Applying ARP ACLs to VLANs for DAI Filtering
Enabling or Disabling Additional Validation
Configuring the DAI Logging Buffer Size
Verifying the DAI Configuration
Monitoring and Clearing DAI Statistics
Configuration Examples for DAI
Example 1-Two Devices Support DAI
Session Manager Support for ARP ACLs
Changing Sequence Numbers in an ARP ACL
Verifying the ARP ACL Configuration
Information About IP Source Guard
Licensing Requirements for IP Source Guard
Prerequisites for IP Source Guard
Guidelines and Limitations for IP Source Guard
Default Settings for IP Source Guard
Enabling or Disabling IP Source Guard on a Layer 2 Interface
Adding or Removing a Static IP Source Entry
Displaying IP Source Guard Bindings
Configuration Example for IP Source Guard
Additional References for IP Source Guard
Configuring Control Plane Policing
CoPP and the Management Interface
Licensing Requirements for CoPP
Guidelines and Limitations for CoPP
Applying a CoPP Policy to the Switch
Modifying the Customized CoPP Policy
Configuring CoPP Extended Rate
Verifying the CoPP Configuration
Displaying the CoPP Configuration Status
Additional References for CoPP
Information About TCAM Carving
Information About User-Defined Templates
Creating a User-Defined Template
Modifying a User Defined Template
Committing a User-Defined Template
Verifying the TCAM Carving Configuration
Preface
The Preface contains the following sections:
• Audience, page xix
• Document Conventions, page xix
• Related Documentation for Cisco Nexus 5600 Series NX-OS Software, page xxi
• Documentation Feedback, page xxii
• Obtaining Documentation and Submitting a Service Request, page xxii
Audience
This publication is for network administrators who configure and maintain Cisco Nexus devices and Cisco
Nexus 2000 Series Fabric Extenders.
Document Conventions
Note
As part of our constant endeavor to remodel our documents to meet our customers' requirements, we have modified the manner in which we document configuration tasks. As a result of this, you may find a deviation in the style used to describe these tasks, with the newly included sections of the document following the new format.
Command descriptions use the following conventions:
Convention        Description
bold              Bold text indicates the commands and keywords that you enter literally as shown.
Italic            Italic text indicates arguments for which the user supplies the values.
[x]               Square brackets enclose an optional element (keyword or argument).
[x | y]           Square brackets enclosing keywords or arguments separated by a vertical bar indicate an optional choice.
{x | y}           Braces enclosing keywords or arguments separated by a vertical bar indicate a required choice.
[x {y | z}]       Nested sets of square brackets or braces indicate optional or required choices within optional or required elements. Braces and a vertical bar within square brackets indicate a required choice within an optional element.
variable          Indicates a variable for which you supply values, in contexts where italics cannot be used.
string            A nonquoted set of characters. Do not use quotation marks around the string or the string will include the quotation marks.
Examples use the following conventions:
Convention              Description
screen font             Terminal sessions and information the switch displays are in screen font.
boldface screen font    Information you must enter is in boldface screen font.
italic screen font      Arguments for which you supply values are in italic screen font.
< >                     Nonprinting characters, such as passwords, are in angle brackets.
[ ]                     Default responses to system prompts are in square brackets.
!, #                    An exclamation point (!) or a pound sign (#) at the beginning of a line of code indicates a comment line.
This document uses the following conventions:
Note
Means reader take note. Notes contain helpful suggestions or references to material not covered in the manual.
Caution
Means reader be careful. In this situation, you might do something that could result in equipment damage or loss of data.
Related Documentation for Cisco Nexus 5600 Series NX-OS Software
The entire Cisco Nexus 5600 Series NX-OS documentation set is available at the following URL: http://www.cisco.com/c/en/us/support/switches/nexus-5000-series-switches/tsd-products-support-series-home.html
Release Notes
The release notes are available at the following URL: http://www.cisco.com/c/en/us/support/switches/nexus-5000-series-switches/products-release-notes-list.html
Configuration Guides
These guides are available at the following URL: http://www.cisco.com/c/en/us/support/switches/nexus-5000-series-switches/products-installation-and-configuration-guides-list.html
The documents in this category include:
• Cisco Nexus 5600 Series NX-OS Adapter-FEX Configuration Guide
• Cisco Nexus 5600 Series NX-OS FabricPath Configuration Guide
• Cisco Nexus 5600 Series NX-OS Fibre Channel over Ethernet Configuration Guide
• Cisco Nexus 5600 Series NX-OS Fundamentals Configuration Guide
• Cisco Nexus 5600 Series NX-OS Interfaces Configuration Guide
• Cisco Nexus 5600 Series NX-OS Layer 2 Switching Configuration Guide
• Cisco Nexus 5600 Series NX-OS Multicast Routing Configuration Guide
• Cisco Nexus 5600 Series NX-OS Quality of Service Configuration Guide
• Cisco Nexus 5600 Series NX-OS SAN Switching Configuration Guide
• Cisco Nexus 5600 Series NX-OS Security Configuration Guide
• Cisco Nexus 5600 Series NX-OS System Management Configuration Guide
• Cisco Nexus 5600 Series NX-OS Unicast Routing Configuration Guide
Licensing Guide
The License and Copyright Information for Cisco NX-OS Software is available at http://www.cisco.com/en/US/docs/switches/datacenter/sw/4_0/nx-os/license_agreement/nx-ossw_lisns.html.
Command References
These guides are available at the following URL: http://www.cisco.com/c/en/us/support/switches/nexus-5000-series-switches/products-command-reference-list.html
The documents in this category include:
• Cisco Nexus 5600 Series NX-OS Fabric Extender Command Reference
• Cisco Nexus 5600 Series NX-OS FabricPath Command Reference
• Cisco Nexus 5600 Series NX-OS Fibre Channel Command Reference
• Cisco Nexus 5600 Series NX-OS Fundamentals Command Reference
• Cisco Nexus 5600 Series NX-OS Interfaces Command Reference
• Cisco Nexus 5600 Series NX-OS Layer 2 Interfaces Command Reference
• Cisco Nexus 5600 Series NX-OS Multicast Routing Command Reference
• Cisco Nexus 5600 Series NX-OS QoS Command Reference
• Cisco Nexus 5600 Series NX-OS Security Command Reference
• Cisco Nexus 5600 Series NX-OS System Management Command Reference
• Cisco Nexus 5600 Series NX-OS TrustSec Command Reference
• Cisco Nexus 5600 Series NX-OS Unicast Routing Command Reference
• Cisco Nexus 5600 Series NX-OS Virtual Port Channel Command Reference
Error and System Messages
The Cisco Nexus 5600 Series NX-OS System Message Guide is available at http://www.cisco.com/en/US/docs/switches/datacenter/nexus5500/sw/system_messages/reference/sl_nxos_book.html.
Troubleshooting Guide
The Cisco Nexus 5600 Series NX-OS Troubleshooting Guide is available at http://www.cisco.com/c/en/us/support/switches/nexus-5000-series-switches/products-troubleshooting-guides-list.html.
Documentation Feedback
To provide technical feedback on this document, or to report an error or omission, please send your comments to: [email protected].
We appreciate your feedback.
Obtaining Documentation and Submitting a Service Request
For information on obtaining documentation, using the Cisco Bug Search Tool (BST), submitting a service request, and gathering additional information, see What's New in Cisco Product Documentation.
To receive new and revised Cisco technical content directly to your desktop, you can subscribe to the What's New in Cisco Product Documentation RSS feed. RSS feeds are a free service.
Chapter 1
New and Changed Information
This chapter contains the following sections:
• New and Changed Information, page 1
New and Changed Information
The following table provides an overview of the significant changes made to this configuration guide. The table does not provide an exhaustive list of all changes made to this guide or all new features in a particular release.
Table 1: New and Changed Information

Feature: Lightweight DHCPv6 Relay Agent
Description: Added support for the Lightweight DHCPv6 Relay Agent.
Release: 7.3(0)N1(1)
Where Documented: Configuring DHCP Snooping

Feature: Login Block Per User
Description: Added support for login block per user.
Release: 7.3(0)N1(1)
Where Documented: Configuring Authentication, Authorization, and Accounting

Feature: Dynamic ARP Inspection Enhancement
Release: 7.1(0)N1(1)

Feature: Cisco TrustSec
Description: The Cisco TrustSec security architecture builds secure networks by establishing clouds of trusted network devices.
Release: 7.0(1)N1(1)
Chapter 2
Overview
The Cisco NX-OS software supports security features that can protect your network against degradation or failure and also against data loss or compromise resulting from intentional attacks and from unintended but damaging mistakes by well-meaning network users.
• Authentication, Authorization, and Accounting, page 3
• RADIUS and TACACS+ Security Protocols, page 4
• SSH and Telnet, page 4
• IP ACLs, page 4
Authentication, Authorization, and Accounting
Authentication, authorization, and accounting (AAA) is an architectural framework for configuring a set of three independent security functions in a consistent, modular manner.
Authentication
Provides the method of identifying users, including login and password dialog, challenge and response, messaging support, and, depending on the security protocol that you select, encryption. Authentication is the way a user is identified prior to being allowed access to the network and network services. You configure AAA authentication by defining a named list of authentication methods and then applying that list to various interfaces.
Authorization
Provides the method for remote access control, including one-time authorization or authorization for each service, per-user account list and profile, user group support, and support of IP, IPX, ARA, and Telnet.
Remote security servers, such as RADIUS and TACACS+, authorize users for specific rights by associating attribute-value (AV) pairs, which define those rights, with the appropriate user. AAA authorization works by assembling a set of attributes that describe what the user is authorized to perform.
These attributes are compared with the information contained in a database for a given user, and the result is returned to AAA to determine the user’s actual capabilities and restrictions.
Accounting
Provides the method for collecting and sending security server information used for billing, auditing, and reporting, such as user identities, start and stop times, executed commands, number of packets, and number of bytes. Accounting enables you to track the services that users are accessing, as well as the amount of network resources that they are consuming.
Note
You can configure authentication outside of AAA. However, you must configure AAA if you want to use RADIUS or TACACS+, or if you want to configure a backup authentication method.
RADIUS and TACACS+ Security Protocols
AAA uses security protocols to administer its security functions. If your device is acting as a network access server, AAA is the means through which you establish communication between your network access server and your RADIUS or TACACS+ security server.
The chapters in this guide describe how to configure the following security server protocols:
RADIUS
A distributed client/server system implemented through AAA that secures networks against unauthorized access. In the Cisco implementation, RADIUS clients run on Cisco routers and send authentication requests to a central RADIUS server that contains all user authentication and network service access information.
TACACS+
A security application implemented through AAA that provides a centralized validation of users who are attempting to gain access to a router or network access server. TACACS+ services are maintained in a database on a TACACS+ daemon running, typically, on a UNIX or Windows NT workstation.
TACACS+ provides for separate and modular authentication, authorization, and accounting facilities.
SSH and Telnet
You can use the Secure Shell (SSH) server to enable an SSH client to make a secure, encrypted connection to a Cisco NX-OS device. SSH uses strong encryption for authentication. The SSH server in the Cisco NX-OS software can interoperate with publicly and commercially available SSH clients.
The SSH client in the Cisco NX-OS software works with publicly and commercially available SSH servers.
The Telnet protocol enables TCP/IP connections to a host. Telnet allows a user at one site to establish a TCP connection to a login server at another site and then passes the keystrokes from one device to the other. Telnet can accept either an IP address or a domain name as the remote device address. Telnet does not encrypt the session, so the login credentials and every keystroke cross the network in cleartext; use SSH for management access wherever possible.
IP ACLs
IP ACLs are ordered sets of rules that you can use to filter traffic based on IPv4 information in the Layer 3 header of packets. Each rule specifies a set of conditions that a packet must satisfy to match the rule. When the Cisco NX-OS software determines that an IP ACL applies to a packet, it tests the packet against the conditions of all rules. The first match determines whether a packet is permitted or denied, or if there is no match, the Cisco NX-OS software applies the applicable default rule. The Cisco NX-OS software continues processing packets that are permitted and drops packets that are denied.
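The first-match rule above has a practical consequence: a rule placed below a broader rule that already covers it can never be reached, so an intended permit may silently turn into a deny. The following is an added example, not code from the Cisco guide, that models an ordered IPv4 ACL, evaluates a packet the way the paragraph describes (first match wins, implicit deny when nothing matches) and flags unreachable rules. The rule model, the sample ACL and the sample packets are constructed for illustration and are not NX-OS syntax.

```python
# Added example (not from the Cisco guide): first-match evaluation of an ordered
# IP ACL, plus a check for rules that an earlier rule fully covers. The rule model
# and the sample ACL are constructed for illustration; they are not NX-OS syntax.
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    seq: int                     # sequence number; lower numbers are tested first
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" (any protocol), "tcp", "udp" or "icmp"
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int] = None  # destination port; None means any port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """A packet matches when protocol, source, destination and port all fit the rule."""
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if ip_address(pkt.src) not in rule.src or ip_address(pkt.dst) not in rule.dst:
        return False
    return rule.dport is None or rule.dport == pkt.dport


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Walk the ACL in sequence order and stop at the first match.

    Returns (action, seq). With no match the implicit default applies, which for
    an NX-OS IP ACL is deny, reported here as ("deny", None).
    """
    for rule in sorted(acl, key=lambda r: r.seq):
        if rule_matches(rule, pkt):
            return rule.action, rule.seq
    return "deny", None


def shadowed_rules(acl: List[Rule]) -> List[int]:
    """Sequence numbers of rules that an earlier rule fully covers.

    Such a rule is unreachable: evaluation stops at the first match, so the earlier
    rule always wins. A permit placed below a broader deny is a common way to
    believe traffic is allowed when it is actually dropped.
    """
    ordered = sorted(acl, key=lambda r: r.seq)
    shadowed = []
    for i, later in enumerate(ordered):
        for earlier in ordered[:i]:
            proto_covered = earlier.proto == "ip" or earlier.proto == later.proto
            port_covered = earlier.dport is None or earlier.dport == later.dport
            if (proto_covered and port_covered
                    and later.src.subnet_of(earlier.src)
                    and later.dst.subnet_of(earlier.dst)):
                shadowed.append(later.seq)
                break
    return shadowed


# Constructed sample ACL. Rule 30 is meant to allow SSH from one host, but rule 20
# already denies everything from that subnet to that destination network.
SAMPLE_ACL = [
    Rule(10, "permit", "tcp", ip_network("10.0.0.0/24"), ip_network("192.0.2.10/32"), 443),
    Rule(20, "deny", "ip", ip_network("10.0.0.0/24"), ip_network("192.0.2.0/24")),
    Rule(30, "permit", "tcp", ip_network("10.0.0.5/32"), ip_network("192.0.2.10/32"), 22),
    Rule(40, "permit", "ip", ip_network("0.0.0.0/0"), ip_network("0.0.0.0/0")),
]

if __name__ == "__main__":
    for pkt in (Packet("tcp", "10.0.0.5", "192.0.2.10", 443),
                Packet("tcp", "10.0.0.5", "192.0.2.10", 22),
                Packet("udp", "198.51.100.7", "192.0.2.10", 53)):
        print(pkt, "->", evaluate(SAMPLE_ACL, pkt))
    print("unreachable rules:", shadowed_rules(SAMPLE_ACL))
```

Running the block shows the SSH packet from 10.0.0.5 hitting the deny at sequence 20 even though sequence 30 permits it, and shadowed_rules reports 30 as unreachable. On the switch the equivalent check is to read the ACL in sequence order and compare hit counters per rule; a rule whose counter never moves is a candidate for exactly this problem.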
Chapter 3
Configuring Authentication, Authorization, and Accounting
This chapter contains the following sections:
• Information About AAA, page 7
• Prerequisites for Remote AAA, page 11
• Guidelines and Limitations for AAA, page 12
•
•
•
• Monitoring and Clearing the Local AAA Accounting Log, page 33
• Verifying the AAA Configuration, page 33
• Configuration Examples for AAA, page 33
Information About AAA
AAA Security Services
The authentication, authorization, and accounting (AAA) features allow you to verify the identity of, grant access to, and track the actions of users who manage Cisco Nexus devices. The Cisco Nexus device supports the Remote Access Dial-In User Service (RADIUS) and Terminal Access Controller Access Control System Plus (TACACS+) protocols.
Based on the user ID and password that you provide, the switches perform local authentication or authorization using the local database or remote authentication or authorization using one or more AAA servers. A preshared secret key provides security for communication between the switch and AAA servers. You can configure a common secret key for all AAA servers or for only a specific AAA server.
AAA security provides the following services:
• Authentication—Identifies users, including login and password dialog, challenge and response, messaging support, and, encryption depending on the security protocol that you select.
• Authorization—Provides access control.
Authorization to access a Cisco Nexus device is provided by attributes that are downloaded from AAA servers. Remote security servers, such as RADIUS and TACACS+, authorize users for specific rights by associating attribute-value (AV) pairs, which define those rights with the appropriate user.
• Accounting—Provides the method for collecting information, logging the information locally, and sending the information to the AAA server for billing, auditing, and reporting.
Note: The Cisco NX-OS software supports authentication, authorization, and accounting independently. For example, you can configure authentication and authorization without configuring accounting.
Benefits of Using AAA
AAA provides the following benefits:
• Increased flexibility and control of access configuration
• Scalability
• Standardized authentication methods, such as RADIUS and TACACS+
• Multiple backup devices
Remote AAA Services
Remote AAA services provided through RADIUS and TACACS+ protocols have the following advantages over local AAA services:
• User password lists for each switch in the fabric are easier to manage.
• AAA servers are already deployed widely across enterprises and can be easily used for AAA services.
• The accounting log for all switches in the fabric can be centrally managed.
• User attributes for each switch in the fabric are easier to manage than using the local databases on the switches.
AAA Server Groups
You can specify remote AAA servers for authentication, authorization, and accounting using server groups.
A server group is a set of remote AAA servers that implement the same AAA protocol. A server group provides for failover servers if a remote AAA server fails to respond. If the first remote server in the group fails to respond, the next remote server in the group is tried until one of the servers sends a response. If all the AAA servers in the server group fail to respond, that server group option is considered a failure. If required, you can specify multiple server groups. If a switch encounters errors from the servers in the first group, it tries the servers in the next server group.
AAA Service Configuration Options
On Cisco Nexus devices, you can have separate AAA configurations for the following services:
• User Telnet or Secure Shell (SSH) login authentication
• Console login authentication
• User management session accounting
The following table lists the CLI commands for each AAA service configuration option.
Table 2: AAA Service Configuration Commands
AAA Service Configuration Option    Related Command
Telnet or SSH login                 aaa authentication login default
Console login                       aaa authentication login console
User session accounting             aaa accounting default
You can specify the following authentication methods for the AAA services:
• RADIUS server groups—Uses the global pool of RADIUS servers for authentication.
• Specified server groups—Uses specified RADIUS or TACACS+ server groups for authentication.
• Local—Uses the local username or password database for authentication.
• None—Uses only the username.
Note: If the method is for all RADIUS servers, instead of a specific server group, the Cisco Nexus devices choose the RADIUS server from the global pool of configured RADIUS servers in the order of configuration. Servers from this global pool are the servers that can be selectively configured in a RADIUS server group on the Cisco Nexus devices.
The following table describes the AAA authentication methods that you can configure for the AAA services.
Table 3: AAA Authentication Methods for AAA Services
AAA Service                          AAA Methods
Console login authentication         Server groups, local, and none
User login authentication            Server groups, local, and none
User management session accounting   Server groups and local
Note: For console login authentication, user login authentication, and user management session accounting, the Cisco Nexus devices try each option in the order specified. The local option is the default method when other configured options fail.
Authentication and Authorization Process for User Logins
The authentication and authorization process for user login is as follows:
• When you log in to the required Cisco Nexus device, you can use the Telnet, SSH, Fabric Manager or Device Manager, or console login options.
• When you have configured the AAA server groups using the server group authentication method, the Cisco Nexus device sends an authentication request to the first AAA server in the group as follows:
  - If the AAA server fails to respond, the next AAA server is tried, and so on, until a remote server responds to the authentication request.
  - If all AAA servers in the server group fail to respond, the servers in the next server group are tried.
  - If all configured methods fail, the local database is used for authentication.
• If a Cisco Nexus device successfully authenticates you through a remote AAA server, the following conditions apply:
  - If the AAA server protocol is RADIUS, user roles specified in the cisco-av-pair attribute are downloaded with the authentication response.
  - If the AAA server protocol is TACACS+, another request is sent to the same server to get the user roles specified as custom attributes for the shell.
• If your username and password are successfully authenticated locally, the Cisco Nexus device logs you in and assigns you the roles configured in the local database.
The following figure shows a flowchart of the authentication and authorization process.
Figure 1: Authentication and Authorization Flow for User Login
Note: This figure applies only to username and password SSH authentication. It does not apply to public key SSH authentication. All username and password SSH authentication goes through AAA.
In the figure, "No more servers left" means that there is no response from any server within this server group.
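The ordering described in this section (servers within a group tried in turn, then the next group, then the local database) as an added simulation, written for this page rather than taken from the guide or from NX-OS. The server groups, server names, users and passwords are constructed; the responders return roles directly instead of carrying them in cisco-av-pair or as TACACS+ shell attributes; and the rule that a server's explicit reject ends the evaluation while only silence falls through to the next method is the behaviour modelled here. The two failure messages are the ones the guide lists for login error-enable.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

ACCEPT, REJECT = "accept", "reject"
# A server answers (verdict, roles); None models "no response" (timeout).
Answer = Optional[Tuple[str, List[str]]]
Responder = Callable[[str, str], Answer]


@dataclass
class Server:
    name: str
    respond: Responder


@dataclass
class ServerGroup:
    name: str
    servers: List[Server]


@dataclass
class LoginResult:
    verdict: str
    roles: List[str]
    decided_by: str      # which server or database produced the verdict
    message: str = ""    # failure message shown when error-enable is on


def unreachable(user: str, password: str) -> Answer:
    return None


def responder_for(db: Dict[str, Tuple[str, List[str]]]) -> Responder:
    """Responder backed by a constructed table {user: (password, roles)}. The roles stand in
    for what RADIUS carries in cisco-av-pair or TACACS+ returns as shell attributes."""
    def respond(user: str, password: str) -> Answer:
        entry = db.get(user)
        if entry is not None and entry[0] == password:
            return ACCEPT, list(entry[1])
        return REJECT, []
    return respond


# Constructed local user database of the switch.
local_auth = responder_for({"admin": ("Adm1n-local-pw", ["network-admin"])})


def query_group(group: ServerGroup, user: str, password: str) -> Optional[Tuple[str, str, List[str]]]:
    """Servers are tried in order; the first one that responds decides for the whole group."""
    for srv in group.servers:
        answer = srv.respond(user, password)
        if answer is not None:
            return srv.name, answer[0], answer[1]
    return None


def _local(user: str, password: str, announce: bool, fallback: bool) -> LoginResult:
    verdict, roles = local_auth(user, password)
    message = ""
    if announce:  # text of the `aaa authentication login error-enable` messages from the guide
        message = ("Remote AAA servers unreachable; local authentication done." if verdict == ACCEPT
                   else "Remote AAA servers unreachable; local authentication failed.")
    return LoginResult(verdict, roles, "local (default)" if fallback else "local", message)


def authenticate(methods: List[str], groups: Dict[str, ServerGroup], user: str, password: str,
                 error_enable: bool = False) -> LoginResult:
    """Evaluate a login method list such as ["tac1", "radius", "local"], the argument order of
    `aaa authentication login default group tac1 radius local`. Modelled behaviour: the first
    server that answers is final even if it rejects; only silence falls through to the next
    method, and if every configured method stays silent the local database is the default."""
    remote_silent = False
    for method in methods:
        if method == "local":
            return _local(user, password, error_enable and remote_silent, fallback=False)
        if method == "none":
            return LoginResult(ACCEPT, [], "none")   # username only, no password check
        hit = query_group(groups[method], user, password)
        if hit is None:
            remote_silent = True
            continue
        srv_name, verdict, roles = hit
        return LoginResult(verdict, roles, f"{method}/{srv_name}")
    return _local(user, password, error_enable and remote_silent, fallback=True)


# Constructed server groups: tac1's first server times out and its second answers;
# the radius pool knows no users, so it rejects everyone.
GROUPS_UP = {
    "tac1": ServerGroup("tac1", [Server("tac-a", unreachable),
                                 Server("tac-b", responder_for({"alice": ("alice-pw", ["network-operator"])}))]),
    "radius": ServerGroup("radius", [Server("rad-a", responder_for({}))]),
}
GROUPS_DOWN = {
    "tac1": ServerGroup("tac1", [Server("tac-a", unreachable)]),
    "radius": ServerGroup("radius", [Server("rad-a", unreachable)]),
}
```

The point worth checking in a real deployment is the second scenario in the test: once a remote server answers with a reject, the local database is not consulted, so a local admin password is only a fallback for unreachable servers, not a bypass of a remote denial.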
Prerequisites for Remote AAA
Remote AAA servers have the following prerequisites:
• At least one RADIUS or TACACS+ server must be IP reachable.
• The Cisco Nexus device is configured as a client of the AAA servers.
• The preshared secret key is configured on the Cisco Nexus device and on the remote AAA servers.
• The remote server responds to AAA requests from the Cisco Nexus device.
Guidelines and Limitations for AAA
The Cisco Nexus devices do not support all-numeric usernames, whether created with TACACS+ or RADIUS or created locally. If an all-numeric username exists on an AAA server and is entered during a login, the Cisco Nexus device still logs in the user.
Caution: You should not create user accounts with usernames that are all numeric.
Default AAA Settings
The following table lists the default settings for AAA parameters.
Table 4: Default AAA Parameters
Parameter                              Default
Console authentication method          local
Default authentication method          local
Login authentication failure messages  Disabled
MSCHAP authentication                  Disabled
Default accounting method              local
Accounting log display length          250 KB
Configuring AAA
Configuring Console Login Authentication Methods
The authentication methods include the following:
• Global pool of RADIUS servers
• Named subset of RADIUS or TACACS+ servers
• Local database on the Cisco Nexus device
• Username only (none)
The default method is local.
Note: The group radius and group server-name forms of the aaa authentication command are used for a set of previously defined RADIUS servers. Use the radius-server host command to configure the host servers. Use the aaa group server radius command to create a named group of servers.
Before you configure console login authentication methods, configure RADIUS or TACACS+ server groups as needed.
Procedure
Step 1: switch# configure terminal
Purpose: Enters global configuration mode.
Step 2: switch(config)# aaa authentication login console {group group-list [none] | local | none}
Purpose: Configures login authentication methods for the console.
The group-list argument consists of a space-delimited list of group names. The group names are the following:
• radius—Uses the global pool of RADIUS servers for authentication.
• named-group—Uses a named subset of TACACS+ or RADIUS servers for authentication.
The local method uses the local database for authentication.
The none method uses the username only.
The default console login method is local, which is used when no methods are configured or when all of the configured methods fail to respond.
Step 3: switch(config)# exit
Purpose: Exits global configuration mode.
Step 4: switch# show aaa authentication
Purpose: (Optional) Displays the configuration of the console login authentication methods.
Step 5: switch# copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
This example shows how to configure authentication methods for the console login:
switch# configure terminal
switch(config)# aaa authentication login console group radius
switch(config)# exit
switch# show aaa authentication
switch# copy running-config startup-config
Configuring Default Login Authentication Methods
The default method is local.
Before you configure default login authentication methods, configure RADIUS or TACACS+ server groups as needed.
Procedure
Step 1: switch# configure terminal
Purpose: Enters global configuration mode.
Step 2: switch(config)# aaa authentication login default {group group-list [none] | local | none}
Purpose: Configures the default authentication methods.
The group-list argument consists of a space-delimited list of group names. The group names are the following:
• radius—Uses the global pool of RADIUS servers for authentication.
• named-group—Uses a named subset of TACACS+ or RADIUS servers for authentication.
The local method uses the local database for authentication.
The none method uses the username only.
The default login method is local, which is used when no methods are configured or when all of the configured methods do not respond.
Step 3: switch(config)# exit
Purpose: Exits configuration mode.
Step 4: switch# show aaa authentication
Purpose: (Optional) Displays the configuration of the default login authentication methods.
Step 5: switch# copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
Enabling Login Authentication Failure Messages
When you log in, the login is processed by the local user database if the remote AAA servers do not respond. If you have enabled the display of login failure messages, one of the following messages is displayed:
Remote AAA servers unreachable; local authentication done.
Remote AAA servers unreachable; local authentication failed.
Procedure
Step 1: switch# configure terminal
Purpose: Enters global configuration mode.
Step 2: switch(config)# aaa authentication login error-enable
Purpose: Enables login authentication failure messages. The default is disabled.
Step 3: switch(config)# exit
Purpose: Exits configuration mode.
Step 4: switch# show aaa authentication
Purpose: (Optional) Displays the login failure message configuration.
Step 5: switch# copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
Configuring AAA Command Authorization
When a TACACS+ server authorization method is configured, you can authorize every command that a user executes with the TACACS+ server, including all EXEC mode commands and all configuration mode commands.
The authorization methods include the following:
• Group—TACACS+ server group
• Local—Local role-based authorization
• None—No authorization is performed
The default method is Local.
Note: Authorization on the console session is not supported on the Cisco Nexus 5000 platform. It is supported on the Cisco Nexus 5500 platform, release 6.x onwards.
Before You Begin
You must enable TACACS+ before configuring AAA command authorization.
Procedure
Step 1: configure terminal
Purpose: Enters global configuration mode.
Example:
switch# configure terminal
switch(config)#
Step 2: aaa authorization {commands | config-commands} {default} {{[group group-name] | [local]} | {[group group-name] | [none]}}
Purpose: Configures authorization parameters.
Use the commands keyword to authorize EXEC mode commands.
Use the config-commands keyword to authorize configuration mode commands.
Use the group, local, or none keywords to identify the authorization method.
Example:
switch(config)# aaa authorization config-commands default group tac1
Example:
switch# aaa authorization commands default group tac1
The following example shows how to authorize EXEC mode commands with TACACS+ server group tac1:
switch# aaa authorization commands default group tac1
The following example shows how to authorize configuration mode commands with TACACS+ server group tac1:
switch(config)# aaa authorization config-commands default group tac1
The following example shows how to authorize configuration mode commands with TACACS+ server group tac1:
• If the server is reachable, the command is allowed or not allowed based on the server response.
• If there is an error reaching the server, the command is authorized based on the user's local role.
switch(config)# aaa authorization config-commands default group tac1 local
The following example shows how to authorize EXEC mode commands with TACACS+ server group tac1:
• If the server is reachable, the command is allowed or not allowed based on the server response.
• If there is an error reaching the server, the command is allowed regardless of the local role.
switch# aaa authorization commands default group tac1 none
The following example shows how to authorize EXEC mode commands regardless of the local role:
switch# aaa authorization commands default none
The following example shows how to authorize EXEC mode commands using the local role for authorization:
switch# aaa authorization commands default local
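To make the difference between the fallback keywords above concrete, the following added example (written for this page; not the guide's or Cisco's code) evaluates a single command against method lists such as group tac1 local and group tac1 none with a TACACS+ group that is either reachable or silent. The server policy, the local role table and the user names are constructed, and falling back to local role-based authorization when no method in the list answers is the assumption modelled here.

```python
from typing import Callable, Dict, List, Optional, Tuple

# Answer of a TACACS+ server group for one command: True (permit), False (deny),
# or None when no server in the group can be reached.
GroupDecision = Callable[[str, str], Optional[bool]]

# Constructed local role table: each role is a predicate over the command string.
LOCAL_ROLES: Dict[str, Callable[[str], bool]] = {
    "network-admin": lambda cmd: True,
    "network-operator": lambda cmd: cmd.startswith("show "),
}


def local_authorize(command: str, roles: List[str]) -> bool:
    """Local role-based authorization: allowed if any of the user's roles permits the command."""
    return any(LOCAL_ROLES.get(role, lambda cmd: False)(command) for role in roles)


def parse_method_list(text: str) -> List[Tuple[str, Optional[str]]]:
    """'group tac1 local' -> [('group', 'tac1'), ('local', None)]; 'none' and 'local' also allowed."""
    tokens = text.split()
    methods: List[Tuple[str, Optional[str]]] = []
    i = 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            methods.append(("group", tokens[i + 1]))
            i += 2
        elif tokens[i] in ("local", "none"):
            methods.append((tokens[i], None))
            i += 1
        else:
            raise ValueError(f"unexpected token {tokens[i]!r} in method list")
    return methods


def authorize(method_list: str, command: str, user: str, roles: List[str],
              groups: Dict[str, GroupDecision]) -> Tuple[bool, str]:
    """Decide one command under `aaa authorization {commands | config-commands} default <list>`.
    Modelled behaviour: a reachable server's answer is final (a deny is not overridden by the
    local role); only an unreachable group falls through to the next method, and when nothing
    in the list answers, local role-based authorization (the default method) decides."""
    for kind, group_name in parse_method_list(method_list):
        if kind == "group":
            decision = groups[group_name](user, command)
            if decision is not None:
                return decision, f"group {group_name}"
        elif kind == "local":
            return local_authorize(command, roles), "local"
        else:  # none: the command is allowed regardless of the local role
            return True, "none"
    return local_authorize(command, roles), "local (default)"


def _tac1_policy(user: str, command: str) -> Optional[bool]:
    """Constructed TACACS+ policy: alice may only run show commands, admin may run anything."""
    if user == "alice":
        return command.startswith("show ")
    return user == "admin"


GROUPS_UP: Dict[str, GroupDecision] = {"tac1": _tac1_policy}
GROUPS_DOWN: Dict[str, GroupDecision] = {"tac1": lambda user, command: None}

if __name__ == "__main__":
    for method_list in ("group tac1 local", "group tac1 none", "local", "none"):
        print(method_list, "->", authorize(method_list, "interface ethernet1/1", "alice",
                                           ["network-operator"], GROUPS_DOWN))
```

The security-relevant contrast is the unreachable-server case: with group tac1 local an operator is still held to the local role, whereas group tac1 none lets every command through for the duration of the outage, so the none fallback should be a deliberate availability decision rather than a default.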
Configuring Console Authorization Commands
The authorization methods include the following:
• Named subset of TACACS+ servers
• Local database on the Cisco Nexus device
• Username only (none)
The default method is local.
Before you configure console authorization commands, configure TACACS+ server groups as needed.
Procedure
Step 1: switch# configure terminal
Purpose: Enters global configuration mode.
Step 2: switch(config)# aaa authorization commands console {group group-list [none] | local | none}
Purpose: Configures authorization for the console.
The group-list argument consists of a space-delimited list of group names. The group name is:
• named-group—Uses a named subset of TACACS+ servers for authorization.
The local method uses the local database for authorization.
The none method uses the username only.
The default console authorization is local, which is used when no methods are configured or when all of the configured methods fail to respond.
Step 3: switch(config)# exit
Purpose: Exits global configuration mode.
Step 4: switch# show aaa authorization
Purpose: (Optional) Displays the configuration of the console authorization commands.
Step 5: switch# copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
This example shows how to configure the console authorization commands:
switch# configure terminal
switch(config)# aaa authorization commands console group tacacs+
switch(config)# exit
switch# show aaa authorization
switch# copy running-config startup-config
Enabling MSCHAP Authentication
Microsoft Challenge Handshake Authentication Protocol (MSCHAP) is the Microsoft version of CHAP. You can use MSCHAP for user logins to a Cisco Nexus device through a remote authentication server (RADIUS or TACACS+).
By default, the Cisco Nexus device uses Password Authentication Protocol (PAP) authentication between the switch and the remote server. If you enable MSCHAP, you must configure your RADIUS server to recognize the MSCHAP vendor-specific attributes (VSAs).
The following table describes the RADIUS VSAs required for MSCHAP.
Table 5: MSCHAP RADIUS VSAs
Vendor-ID Number 311, Vendor-Type Number 11, VSA MSCHAP-Challenge: Contains the challenge sent by an AAA server to an MSCHAP user. It can be used in both Access-Request and Access-Challenge packets.
Vendor-ID Number 211, Vendor-Type Number 11, VSA MSCHAP-Response: Contains the response value provided by an MSCHAP user in response to the challenge. It is only used in Access-Request packets.
Procedure
Step 1: switch# configure terminal
Purpose: Enters global configuration mode.
Step 2: switch(config)# aaa authentication login mschap enable
Purpose: Enables MS-CHAP authentication. The default is disabled.
Step 3: switch(config)# exit
Purpose: Exits configuration mode.
Step 4: switch# show aaa authentication login mschap
Purpose: (Optional) Displays the MS-CHAP configuration.
Step 5: switch# copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
Configuring AAA Accounting Default Methods
The Cisco Nexus device supports TACACS+ and RADIUS methods for accounting. The switches report user activity to TACACS+ or RADIUS security servers in the form of accounting records. Each accounting record contains accounting attribute-value (AV) pairs and is stored on the AAA server.
When you activate AAA accounting, the Cisco Nexus device reports these attributes as accounting records, which are then stored in an accounting log on the security server.
You can create default method lists defining specific accounting methods, which include the following:
• RADIUS server group—Uses the global pool of RADIUS servers for accounting.
• Specified server group—Uses a specified RADIUS or TACACS+ server group for accounting.
• Local—Uses the local username or password database for accounting.
Note: If you have configured server groups and the server groups do not respond, by default, the local database is used for authentication.
Before You Begin
Before you configure AAA accounting default methods, configure RADIUS or TACACS+ server groups as needed.
Procedure
Step 1: switch# configure terminal
Purpose: Enters global configuration mode.
Step 2: switch(config)# aaa accounting default {group group-list | local}
Purpose: Configures the default accounting method. One or more server group names can be specified in a space-separated list.
The group-list argument consists of a space-delimited list of group names. The group names are the following:
• radius—Uses the global pool of RADIUS servers for accounting.
• named-group—Uses a named subset of TACACS+ or RADIUS servers for accounting.
The local method uses the local database for accounting.
The default method is local, which is used when no server groups are configured or when all of the configured server groups do not respond.
Step 3: switch(config)# exit
Purpose: Exits configuration mode.
Step 4: switch# show aaa accounting
Purpose: (Optional) Displays the configuration of the AAA accounting default methods.
Step 5: switch# copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
Using AAA Server VSAs
VSAs
You can use vendor-specific attributes (VSAs) to specify the Cisco Nexus device user roles and SNMPv3 parameters on AAA servers.
The Internet Engineering Task Force (IETF) draft standard specifies a method for communicating VSAs between the network access server and the RADIUS server. The IETF uses attribute 26. VSAs allow vendors to support their own extended attributes that are not suitable for general use. The Cisco RADIUS implementation supports one vendor-specific option using the format recommended in the specification. The Cisco vendor ID is 9, and the supported option is vendor type 1, which is named cisco-av-pair. The value is a string with the following format:
protocol : attribute separator value *
The protocol is a Cisco attribute for a particular type of authorization, the separator is an equal sign (=) for mandatory attributes, and an asterisk (*) indicates optional attributes.
When you use RADIUS servers for authentication on a Cisco Nexus device, the RADIUS protocol directs the RADIUS server to return user attributes, such as authorization information, with authentication results.
This authorization information is specified through VSAs.
VSA Format
The following VSA protocol options are supported by the Cisco Nexus device:
• Shell—Used in access-accept packets to provide user profile information.
• Accounting—Used in accounting-request packets. If a value contains any white spaces, put it within double quotation marks.
The following attributes are supported by the Cisco Nexus device:
• roles—Lists all the roles assigned to the user. The value field is a string that stores the list of group names delimited by white space.
• accountinginfo—Stores additional accounting information in addition to the attributes covered by a standard RADIUS accounting protocol. This attribute is sent only in the VSA portion of the Account-Request frames from the RADIUS client on the switch, and it can only be used with the accounting protocol-related PDUs.
Specifying Switch User Roles and SNMPv3 Parameters on AAA Servers
You can use the VSA cisco-av-pair on AAA servers to specify user role mapping for the Cisco Nexus device using this format:
shell:roles="roleA roleB …"
If you do not specify the role option in the cisco-av-pair attribute, the default user role is network-operator.
Note: For information on Cisco Unified Wireless Network TACACS+ configurations and to change the user roles, see Cisco Unified Wireless Network TACACS+ Configuration.
You can also specify your SNMPv3 authentication and privacy protocol attributes as follows:
shell:roles="roleA roleB..." snmpv3:auth=SHA priv=AES-128
The SNMPv3 authentication protocol options are SHA and MD5. The privacy protocol options are AES-128 and DES. If you do not specify these options in the cisco-av-pair attribute, MD5 and DES are the default authentication and privacy protocols.
For additional information, see the Configuring User Accounts and RBAC chapter in the System Management Configuration Guide for your Cisco Nexus device.
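As an added example covering both the VSA format described under "VSAs" and the cisco-av-pair role and SNMPv3 strings above (written for this page; not code from the guide or from any Cisco product), the following Python encodes and decodes the RADIUS Vendor-Specific attribute (IETF attribute 26) using the vendor ID and vendor type values the guide lists (Cisco 9 and type 1 for cisco-av-pair, Microsoft 311 and type 11 for MSCHAP-Challenge), and parses a cisco-av-pair string into roles and SNMPv3 settings with the guide's defaults applied. The sample attribute string is constructed, and the length checks in decode_vsa are the ones a receiver should make before trusting the payload.

```python
import shlex
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

RADIUS_VENDOR_SPECIFIC = 26   # IETF attribute that carries vendor-specific attributes
CISCO_VENDOR_ID = 9           # from the guide
CISCO_AV_PAIR = 1             # from the guide: vendor type 1 is cisco-av-pair
MICROSOFT_VENDOR_ID = 311     # from the guide's MSCHAP table
MSCHAP_CHALLENGE = 11         # from the guide's MSCHAP table


def encode_vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Build one Vendor-Specific attribute in the RFC 2865 layout: Type, Length, Vendor-Id,
    then Vendor-Type, Vendor-Length and the value. Both length fields are single bytes."""
    vendor_len = 2 + len(value)
    if 6 + vendor_len > 255:
        raise ValueError("value does not fit in a single 255-byte attribute")
    header = struct.pack("!BBIBB", RADIUS_VENDOR_SPECIFIC, 6 + vendor_len,
                         vendor_id, vendor_type, vendor_len)
    return header + value


def decode_vsa(attr: bytes) -> Tuple[int, int, bytes]:
    """Parse one Vendor-Specific attribute, checking both length fields before using the payload."""
    if len(attr) < 8:
        raise ValueError("truncated VSA header")
    atype, alen, vendor_id, vtype, vlen = struct.unpack("!BBIBB", attr[:8])
    if atype != RADIUS_VENDOR_SPECIFIC:
        raise ValueError(f"not a Vendor-Specific attribute (type {atype})")
    if alen != len(attr) or vlen != alen - 6 or vlen < 2:
        raise ValueError("inconsistent attribute and vendor lengths")
    return vendor_id, vtype, attr[8:8 + vlen - 2]


@dataclass(frozen=True)
class AvPair:
    protocol: str      # "shell", "snmpv3", "accounting", ...
    attribute: str     # "roles", "auth", "priv", ...
    value: str
    mandatory: bool    # '=' separator marks a mandatory attribute, '*' an optional one


def parse_av_pairs(text: str) -> List[AvPair]:
    """Parse the cisco-av-pair string  protocol:attribute<sep>value ...  described in the guide.
    Quoted values may contain spaces, and a token without a 'protocol:' prefix inherits the
    previous protocol, so 'snmpv3:auth=SHA priv=AES-128' yields two snmpv3 pairs."""
    pairs: List[AvPair] = []
    protocol = ""
    for token in shlex.split(text):
        head, colon, rest = token.partition(":")
        if colon and "=" not in head and "*" not in head:
            protocol, token = head, rest
        if not protocol:
            raise ValueError(f"pair without a protocol prefix: {token!r}")
        cut = min((i for i in (token.find("="), token.find("*")) if i >= 0), default=-1)
        if cut <= 0:
            raise ValueError(f"pair without an attribute name or separator: {token!r}")
        pairs.append(AvPair(protocol, token[:cut], token[cut + 1:], token[cut] == "="))
    return pairs


def user_profile(pairs: List[AvPair]) -> Dict[str, object]:
    """Apply the defaults the guide states: role network-operator, SNMPv3 auth MD5, priv DES."""
    profile: Dict[str, object] = {"roles": ["network-operator"],
                                  "snmpv3_auth": "MD5", "snmpv3_priv": "DES"}
    for p in pairs:
        if p.protocol == "shell" and p.attribute == "roles":
            profile["roles"] = p.value.split()
        elif p.protocol == "snmpv3" and p.attribute in ("auth", "priv"):
            profile["snmpv3_" + p.attribute] = p.value
    return profile


def profile_from_attribute(attr: bytes) -> Dict[str, object]:
    """Decode a VSA and, only if it is a Cisco cisco-av-pair, turn it into a user profile."""
    vendor_id, vtype, value = decode_vsa(attr)
    if (vendor_id, vtype) != (CISCO_VENDOR_ID, CISCO_AV_PAIR):
        raise ValueError(f"not a cisco-av-pair VSA: vendor {vendor_id}, type {vtype}")
    return user_profile(parse_av_pairs(value.decode("ascii")))


# Constructed sample value, in the format the guide shows for roles and SNMPv3 settings.
SAMPLE_AV_PAIR = 'shell:roles="network-admin vdc-admin" snmpv3:auth=SHA priv=AES-128'

if __name__ == "__main__":
    print(profile_from_attribute(encode_vsa(CISCO_VENDOR_ID, CISCO_AV_PAIR, SAMPLE_AV_PAIR.encode())))
    print(decode_vsa(encode_vsa(MICROSOFT_VENDOR_ID, MSCHAP_CHALLENGE, b"\x10" * 16)))
```

Because the roles a user receives come straight from this attribute, the RADIUS shared secret and the server's attribute policy effectively define who is network-admin on the switch; profile_from_attribute refuses any VSA that is not the Cisco vendor and type before it assigns roles.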
Secure Login Enhancements
The following secure login enhancements are supported in Cisco NX-OS:
Configuring Login Parameters
Use this task to configure your Cisco NX-OS device for login parameters that help detect suspected DoS attacks and slow down dictionary attacks.
All login parameters are disabled by default. You must enter the login block-for command, which enables default login functionality, before using any other login commands. After the login block-for command is enabled, the following default is enforced:
• All login attempts made through Telnet or SSH are denied during the quiet period; that is, no ACLs are exempt from the login period until the login quiet-mode access-class command is entered.
Procedure
Step 1: configure terminal
Purpose: Enters global configuration mode.
Example:
Switch# configure terminal
Step 2: [no] login block-for seconds attempts tries within seconds
Purpose: Configures your Cisco NX-OS device for login parameters that help provide DoS detection.
Note: This command must be issued before any other login command can be used.
Example:
Switch(config)# login block-for 100 attempts 2 within 100
Step 3: [no] login quiet-mode access-class {acl-name | acl-number}
Purpose: (Optional) Although this command is optional, it is recommended that it be configured to specify an ACL that is to be applied to the device when the device switches to quiet mode. When the device is in quiet mode, all login requests are denied and the only available connection is through the console.
Example:
Switch(config)# login quiet-mode access-class myacl
Step 4: exit
Purpose: Exits to privileged EXEC mode.
Example:
Switch(config)# exit
Step 5: show login failures
Purpose: Displays login parameters.
• failures—Displays information related only to failed login attempts.
Example:
Switch# show login
Configuration Examples for Login Parameters
Setting Login Parameters Example
The following example shows how to configure your switch to enter a 100-second quiet period if more than 15 login attempts fail within 100 seconds; all login requests are denied during the quiet period except those from hosts in the ACL "myacl."
Switch(config)# login block-for 100 attempts 15 within 100
Switch(config)# login quiet-mode access-class myacl
Showing Login Parameters Example
The following sample output from the show login command verifies that no login parameters have been specified:
Switch# show login
No Quiet-Mode access list has been configured, default ACL will be applied.
Switch is enabled to watch for login Attacks.
If more than 2 login failures occur in 45 seconds or less, logins will be disabled for 70 seconds.
Switch presently in Normal-Mode.
Current Watch Window remaining time 10 seconds.
Present login failure count 0.
The following sample output from the show login failures command shows all failed login attempts on the switch:
Switch# show login failures
Information about last 20 login failures with the device.
--------------------------------------------------------------------------------
Username   Line    Source                  Appname   TimeStamp
--------------------------------------------------------------------------------
admin      pts/0   bgl-ads-728.cisco.com   login     Wed Jun 10 04:56:16 2015
admin      pts/0   bgl-ads-728.cisco.com   login     Wed Jun 10 04:56:19 2015
--------------------------------------------------------------------------------
The following sample output from the show login failures command verifies that no information is presently logged:
Switch# show login failures
*** No logged failed login attempts with the device.***
Configuring Login Block Per User
The Login Block Per User feature helps detect suspected Denial of Service (DoS) attacks and slows down dictionary attacks. This feature is applicable only to local users. Use this task to configure login parameters to block a user after failed login attempts.
Procedure
Step 1: configure terminal
Purpose: Enters global configuration mode.
Example:
switch# configure terminal
Step 2: aaa authentication rejected attempts in seconds ban seconds
Purpose: Configures login parameters to block a user.
Note: Use the no aaa authentication rejected command to revert to the default login parameters.
Example:
switch(config)# aaa authentication rejected 3 in 20 ban 300
Step 3: exit
Purpose: Exits to privileged EXEC mode.
Example:
switch(config)# exit
Step 4: show running-config
Purpose: (Optional) Displays the login parameters.
Example:
switch# show running-config
Step 5: show aaa local user blocked
Purpose: (Optional) Displays the blocked local users.
Example:
switch# show aaa local user blocked
Step 6: clear aaa local user blocked {username user | all}
Purpose: (Optional) Clears the blocked local users.
• all—Clears all the blocked local users.
Example:
switch# clear aaa local user blocked username testuser
Configuration Examples for Login Block Per User
Setting Parameters for Login Block Per User
The following example shows how to configure the login parameters to block a user for 300 seconds when five login attempts fail within a period of 60 seconds:
switch(config)# aaa authentication rejected 5 in 60 ban 300
Showing Login Parameters
The following example shows the login parameters configured for a switch:
switch# show run | i rejected
aaa authentication rejected 5 in 60 ban 300
Showing Blocked Local Users
The following example shows the blocked local users:
switch# show aaa local user blocked
Local-user     State
testuser       Watched (till 11:34:42 IST Feb 5 2015)
Clearing Blocked Local Users
The following example shows how to clear the blocked local user testuser:
switch# clear aaa local user blocked username testuser
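The two mechanisms in this section, the device-wide quiet period of login block-for (with the quiet-mode ACL exemption) under "Configuring Login Parameters" and the per-user ban of aaa authentication rejected under "Configuring Login Block Per User", both rest on a sliding-window failure counter, so the following added simulation (written for this page; not the guide's or NX-OS code) models them together. The thresholds follow the guide's examples; the host addresses, the user name and the exempt networks are constructed, and the quiet-mode ACL is reduced to a list of exempt prefixes.

```python
from collections import deque
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Deque, Dict, List, Optional


class FailureWindow:
    """Sliding window: how many failures were recorded in the last `within` seconds."""

    def __init__(self, within: int) -> None:
        self.within = within
        self.stamps: Deque[float] = deque()

    def record(self, now: float) -> int:
        self.stamps.append(now)
        while self.stamps and now - self.stamps[0] > self.within:
            self.stamps.popleft()
        return len(self.stamps)

    def reset(self) -> None:
        self.stamps.clear()


@dataclass
class LoginBlockFor:
    """Models `login block-for <block_for> attempts <attempts> within <within>` together with
    `login quiet-mode access-class <acl>`; `exempt` is a constructed stand-in for that ACL."""
    block_for: int
    attempts: int
    within: int
    exempt: List[str] = field(default_factory=list)
    quiet_until: Optional[float] = None
    window: FailureWindow = field(init=False)

    def __post_init__(self) -> None:
        self.window = FailureWindow(self.within)

    def in_quiet_mode(self, now: float) -> bool:
        return self.quiet_until is not None and now < self.quiet_until

    def allow_attempt(self, src_ip: str, now: float) -> bool:
        """Telnet/SSH gate: during the quiet period only hosts matched by the ACL may try to log in."""
        if not self.in_quiet_mode(now):
            return True
        return any(ip_address(src_ip) in ip_network(net) for net in self.exempt)

    def record_failure(self, now: float) -> bool:
        """Count a failed login; more than `attempts` failures inside the window start the quiet period."""
        if self.window.record(now) > self.attempts:
            self.quiet_until = now + self.block_for
            self.window.reset()
            return True
        return False


@dataclass
class LoginBlockPerUser:
    """Models `aaa authentication rejected <attempts> in <within> ban <ban>` for local users."""
    attempts: int
    within: int
    ban: int
    windows: Dict[str, FailureWindow] = field(default_factory=dict)
    banned_until: Dict[str, float] = field(default_factory=dict)

    def is_blocked(self, user: str, now: float) -> bool:
        until = self.banned_until.get(user)
        return until is not None and now < until

    def record_failure(self, user: str, now: float) -> bool:
        """`attempts` failures within `within` seconds ban the user for `ban` seconds."""
        window = self.windows.setdefault(user, FailureWindow(self.within))
        if window.record(now) >= self.attempts:
            self.banned_until[user] = now + self.ban
            window.reset()
            return True
        return False

    def blocked_users(self, now: float) -> List[str]:
        """The users `show aaa local user blocked` would list at this moment."""
        return sorted(u for u, until in self.banned_until.items() if now < until)

    def clear(self, user: Optional[str] = None) -> None:
        """`clear aaa local user blocked {username <user> | all}`: None clears all."""
        if user is None:
            self.banned_until.clear()
        else:
            self.banned_until.pop(user, None)
```

The two thresholds differ on purpose: the device-wide watch trips when failures exceed the configured attempts (the show login text says "more than"), while the per-user ban is described as triggering when the configured number of attempts fail. The quiet-mode ACL is what keeps an operator's management network able to reach the device during a flood, which is why the guide recommends configuring it.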
Restricting Sessions Per User—Per User Per Login
Use this task to restrict the maximum sessions per user.
Procedure
Step 1: configure terminal
Purpose: Enters global configuration mode.
Example:
Switch# configure terminal
Step 2: [no] user max-logins max-logins
Purpose: Restricts the maximum sessions per user. The range is from 1 to 7. If you set the maximum login limit to 1, only one session (Telnet or SSH) is allowed per user.
Example:
Switch(config)# user max-logins 1
Step 3: exit
Purpose: Exits to privileged EXEC mode.
Example:
Switch(config)# exit
Configuring Passphrase Length
Use this task to configure the maximum and minimum passphrase length.
Procedure
Step 1: configure terminal
Purpose: Enters global configuration mode.
Example:
switch# configure terminal
Step 2: userpassphrase {{min-length value | max-length value} | min-length value max-length value}
Purpose: Configures the user passphrase length. The range of minimum passphrase length values is from 8 to 127. The range of maximum passphrase length values is from 80 to 127. The default minimum passphrase length is 8 and the default maximum passphrase length is 127.
Example:
switch(config)# userpassphrase max-length 127
Step 3: no userpassphrase {min-length | max-length | length}
Purpose: Resets the passphrase length configuration to the default configuration.
Example:
switch(config)# no userpassphrase max-length
Step 4: exit
Purpose: Exits to privileged EXEC mode.
Example:
switch(config)# exit
Step 5: show userpassphrase {min-length | max-length | length}
Purpose: Displays the maximum and minimum user passphrase length.
Example:
switch# show userpassphrase length
Configuring Passphrase Time Values
You can configure the following passphrase time values for a user:
• Lifetime – Lifetime of a passphrase in days. After the passphrase expires, the user is prompted to change the passphrase upon first login.
• Gracetime – Grace time of a passphrase in days. Gracetime is the number of days of inactivity after a passphrase has expired before the account is locked.
• Warntime – Warning time for the expiry of a passphrase in days. Warntime is the number of days before a passphrase expires during which the user is warned that the passphrase is about to expire.
The default time values are 99999 days for lifetime, 14 days for warntime, and 3 days for gracetime.
The value 99999 indicates that a user's passphrase never expires by default.
Note
By default, an extra configuration is added to the running configuration for every user except 'admin'. This indicates a user's passphrase time values. By default, the extra configuration displays the default passphrase time values for users.
Procedure
Step 1: configure terminal
Enters global configuration mode.
Example:
switch# configure terminal
Step 2: username username passphrase {{lifetime | warntime | gracetime} time-value | {lifetime time-value warntime time-value gracetime time-value}}
Configures passphrase time values for a user. Note that this step can be performed only by a network-admin.
Example:
switch(config)# username test-user passphrase lifetime 990
Step 3: no username username passphrase {lifetime | warntime | gracetime | timevalues}
(Optional) Resets the passphrase time values to the default values for a user. Note that this step can be performed only by a network-admin.
Example:
switch(config)# no username test-user passphrase lifetime
Step 4: userpassphrase {default-lifetime | default-warntime | default-gracetime} time-value
(Optional) Updates the default passphrase time values. Note that this step can be performed only by a network-admin.
Example:
switch(config)# userpassphrase default-lifetime 990
Step 5: no userpassphrase {default-lifetime | default-warntime | default-gracetime timevalue}
(Optional) Resets the configured default values to the initial default values. Note that this step can be performed only by a network-admin.
Example:
switch(config)# no userpassphrase default-lifetime
Step 6: username username expire-userpassphrase
(Optional) Sets any user passphrase to expire immediately. When you try to log in after a passphrase expires, you are prompted to enter and create a new password after entering the old password correctly. Note that this step can be performed only by an admin.
Example:
switch(config)# username john expire-userpassphrase
Step 7: exit
Exits to privileged EXEC mode.
Example:
switch(config)# exit
Step 8: show userpassphrase {default-lifetime | default-warntime | default-gracetime | timevalues}
Displays the passphrase time values.
Example:
switch# show userpassphrase default-lifetime
Step 9: show username username passphrase timevalues
Displays the passphrase lifetime, warning time, and grace time for a specific user.
Example:
switch# show username john passphrase timevalues
Step 10: show running-config
(Optional) Displays the configured values.
Example:
switch# show running-config
Configuring Passphrase Time Values
The following example shows how to configure passphrase time values for test-user.
switch(config)# username test-user passphrase lifetime 365 warntime 10 gracetime 5
switch(config)# show username test-user passphrase timevalues
Last passphrase change(Y-M-D): 2016-01-28
Passphrase lifetime: 365 days after last passphrase change
Passphrase warning time starts: 10 days before passphrase lifetime
Passphrase Gracetime ends: 5 days after passphrase lifetime
switch# show running-config
!Command: show running-config
!Time: Mon Nov 30 02:32:51 2015
version 7.3(0)N1(1)
hostname switch
role name test
username admin password 5 5$0sCUUZQm$fXdGj90e9yXv1XeuY9qResKmLGKQtn8Tj6ab4s4IcVA role network-admin
username test-user password 5 5$c9Gmvm8E$aoSQ1X7vfphlJ6WeRQl3C0Py6TlpiDjhWcF6kYi4hg6 expire 1970-01-01 role network-operator
username test-user passphrase lifetime 365 warntime 10 gracetime 5
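The lifetime, warntime and gracetime values above combine into three dates: the day warnings start, the day the passphrase expires, and the day the account locks if the user has not logged in. The following Python model is an added illustration, not NX-OS code; it uses the example's values (last change 2016-01-28, lifetime 365, warntime 10, gracetime 5) to show where a given calendar day falls. The exact boundary handling on the expiry day itself is an assumption; the page only gives day counts.

```python
"""Model of the NX-OS passphrase time values (lifetime / warntime / gracetime).
Added illustration, not NX-OS code; boundary handling on the expiry day is assumed."""
from datetime import date, timedelta

NEVER_EXPIRES = 99999        # default lifetime; the guide says this means "never expires"
DEFAULT_WARNTIME = 14        # default warntime in days
DEFAULT_GRACETIME = 3        # default gracetime in days


def _as_date(d):
    """Accept either a date or an ISO 'YYYY-MM-DD' string (the format shown by
    `show username <user> passphrase timevalues`)."""
    return d if isinstance(d, date) else date.fromisoformat(d)


def passphrase_schedule(last_change, lifetime, warntime=DEFAULT_WARNTIME,
                        gracetime=DEFAULT_GRACETIME):
    """Return ISO dates (warning_start, expiry, grace_end) derived from the last
    passphrase change, or None when the passphrase never expires."""
    if lifetime >= NEVER_EXPIRES:
        return None
    expiry = _as_date(last_change) + timedelta(days=lifetime)
    warning_start = expiry - timedelta(days=warntime)   # warnings begin here
    grace_end = expiry + timedelta(days=gracetime)      # account locks here
    return (warning_start.isoformat(), expiry.isoformat(), grace_end.isoformat())


def passphrase_status(last_change, today, lifetime=NEVER_EXPIRES,
                      warntime=DEFAULT_WARNTIME, gracetime=DEFAULT_GRACETIME):
    """Classify a passphrase on `today`:
      'valid'    inside the lifetime, no warning yet
      'warning'  within warntime days of expiry; the user is warned at login
      'expired'  past the lifetime but inside the grace period; the next login
                 forces a passphrase change
      'locked'   the grace period passed without a login; the account is locked"""
    sched = passphrase_schedule(last_change, lifetime, warntime, gracetime)
    if sched is None:
        return "valid"
    warning_start, expiry, grace_end = (date.fromisoformat(s) for s in sched)
    today = _as_date(today)
    if today < warning_start:
        return "valid"
    if today < expiry:
        return "warning"
    if today < grace_end:
        return "expired"
    return "locked"
```

Run against the example's values, the schedule resolves to warnings from 2017-01-17, expiry on 2017-01-27 (2016 is a leap year, so 365 days lands one day short of the anniversary) and lock-out from 2017-02-01.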
Locking User Accounts
As an admin, you can lock or unlock any user account.
Procedure
Step 1: configure terminal
Enters global configuration mode.
Example:
switch# configure terminal
Step 2: [no] username username lock-user-account
Locks the specified user account. Use the no form of this command to unlock a user account.
Example:
switch(config)# username john lock-user-account
Step 3: unlock locked-users
(Optional) Unlocks all the locked user accounts.
Example:
switch(config)# unlock locked-users
Step 4: exit
Exits to privileged EXEC mode.
Example:
switch(config)# exit
Step 5: show locked-users
Displays all the locked users.
Example:
switch# show locked-users
Logging Invalid Usernames
As an admin, you can enable or disable the logging of invalid usernames during an authentication failure. By default, invalid usernames are not logged. Any username that does not pass authentication is considered an invalid username, and it is not logged because a password entered in the username field by mistake would otherwise be written to the log. Keeping this logging disabled mitigates the risk of logging passwords.
Procedure
Step 1: configure terminal
Enters global configuration mode.
Example:
switch# configure terminal
Step 2: [no] aaa authentication login invalid-username-log
Enables the logging of invalid usernames during an authentication failure. Use the no form of this command to disable the logging of invalid usernames.
Example:
switch(config)# aaa authentication login invalid-username-log
Step 3: exit
Exits to privileged EXEC mode.
Example:
switch(config)# exit
Step 4: show aaa authentication login invalid-username-log
Displays whether the logging of invalid usernames is enabled.
Example:
switch# show aaa authentication login invalid-username-log
Changing Password
Use this task to change the password.
Procedure
Step 1
Enter global configuration mode:
switch# configure terminal
Step 2
To change the password, perform one of the following:
• Authenticate with the old password and then enter the new password:
switch(config)# change-password
Note
By default, password secure-mode is enabled, so users must authenticate with the old password before changing the password. An admin user can disable password secure-mode by using the no password secure-mode command. This enables users to change the password without authenticating with the old password, by using the username username password new_password command.
• If password secure-mode is enabled, an admin user can still use the username command to change the password:
switch(config)# username admin password new-password role role-name
Note
If password secure-mode is disabled, any user can use the username command to change the password.
Step 3
Exit to privileged EXEC mode:
switch(config)# exit
Step 4
Display the status of password secure-mode:
switch# show password secure-mode
Changing Password
This example shows a running configuration to change the password. Replace the placeholders with relevant values for your setup.
config t
change-password
Enter old password:
Enter new password:
Confirm new password:
exit
Enabling the Password Prompt for User Name
Procedure
Step 1: configure terminal
Enters global configuration mode.
Example:
Switch# configure terminal
Step 2: [no] password prompt username
Enables the login knob. If this command is enabled and the user enters the username command without the password option, the switch prompts for the password. The password prompt accepts hidden characters. Use the no form of this command to disable the login knob.
Example:
Switch(config)# password prompt username
Step 3: exit
Exits to privileged EXEC mode.
Example:
Switch(config)# exit
Support over SHA-256 Algorithm for Verifying OS Integrity
Use the show file bootflash:/ sha256sum command to display the sha256sum of the file. The sample output for this command is shown below:
Switch# show file bootflash:/ sha256sum
abd9d40020538acc363df3d1bae7d1df16841e4903fca2c07c7898bf4f549ef5
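The digest printed by show file ... sha256sum is only useful when it is compared with the value published for that image. The following Python routine is an added illustration, not NX-OS code: it hashes an image in chunks (so a large file is not read into memory at once), validates the reference digest before use so a truncated or mistyped value can never match, and compares in constant time. The sample data is a constructed three-byte "image" whose SHA-256 is the well-known digest of the string "abc"; the function names are assumptions.

```python
"""Verify an image's SHA-256 digest against a published value.
Added illustration, not NX-OS code."""
import hashlib
import hmac
import io

HEX_DIGITS = set("0123456789abcdef")


def sha256_hex(stream, chunk_size=1 << 20):
    """Hash a file-like object in 1 MiB chunks so multi-hundred-megabyte images
    do not need to be loaded into memory at once."""
    h = hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()


def verify_image(stream, expected_hex):
    """True only if the stream's digest equals `expected_hex`.
    The reference value is normalised (case, surrounding whitespace) and
    length-checked first: a 63-character or non-hex reference is an error,
    not a silent mismatch. The comparison itself is constant-time."""
    expected = expected_hex.strip().lower()
    if len(expected) != 64 or not set(expected) <= HEX_DIGITS:
        raise ValueError("expected SHA-256 must be exactly 64 hex characters")
    return hmac.compare_digest(sha256_hex(stream), expected)


def verify_image_bytes(data, expected_hex):
    """Convenience wrapper for in-memory data (used by the constructed sample)."""
    return verify_image(io.BytesIO(data), expected_hex)


# Constructed sample: SHA-256 of the three-byte string b"abc".
SAMPLE_IMAGE = b"abc"
SAMPLE_DIGEST = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"

if __name__ == "__main__":
    print("sample image verifies:", verify_image_bytes(SAMPLE_IMAGE, SAMPLE_DIGEST))
```

On a real image you would pass an open file (`open(path, "rb")`) and the digest string from the vendor's download page, and refuse to install the image when the function returns False.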
Configuring Share Key Value for using RADIUS/TACACS+
The shared secret you configure for remote authentication and accounting must be hidden. For the radius-server key and tacacs-server key commands, a separate command can be used to generate the encrypted shared secret.
Procedure
Step 1: configure terminal
Enters global configuration mode.
Example:
Switch# configure terminal
Step 2: generate type7_encrypted_secret
Configures the RADIUS and TACACS+ shared secret with key type 7. While the encrypted shared secret is being generated, user input is hidden.
Note
You can generate the encrypted equivalent of the plain text separately and configure the encrypted shared secret later.
Example:
Switch(config)# generate type7_encrypted_secret
Step 3: exit
Exits to privileged EXEC mode.
Example:
Switch(config)# exit
Monitoring and Clearing the Local AAA Accounting Log
The Cisco Nexus device maintains a local log for the AAA accounting activity.
Procedure
Step 1: switch# show accounting log [size] [start-time year month day hh:mm:ss]
Displays the accounting log contents. By default, the command output contains up to 250,000 bytes of the accounting log. You can use the size argument to limit the command output; the range is from 0 to 250000 bytes. You can also specify a start time for the log output.
Step 2: switch# clear accounting log
(Optional) Clears the accounting log contents.
Verifying the AAA Configuration
To display AAA information, perform one of the following tasks:
show aaa accounting
  Displays the AAA accounting configuration.
show aaa authentication [login {error-enable | mschap}]
  Displays AAA authentication information.
show aaa authorization
  Displays AAA authorization information.
show aaa groups
  Displays the AAA server group configuration.
show running-config aaa [all]
  Displays the AAA configuration in the running configuration.
show startup-config aaa
  Displays the AAA configuration in the startup configuration.
Configuration Examples for AAA
The following example shows how to configure AAA:
switch(config)# aaa authentication login default group radius
switch(config)# aaa authentication login console group radius
switch(config)# aaa accounting default group radius
CHAPTER 4
Configuring RADIUS
This chapter contains the following sections:
• Information About RADIUS, page 35
• Prerequisites for RADIUS, page 38
• Guidelines and Limitations for RADIUS, page 38
• Default Settings for RADIUS, page 38
• Configuring RADIUS Servers, page 39
• Verifying the RADIUS Configuration, page 50
• Displaying RADIUS Server Statistics, page 50
• Clearing RADIUS Server Statistics, page 50
• Configuration Examples for RADIUS, page 51
Information About RADIUS
The Remote Access Dial-In User Service (RADIUS) distributed client/server system allows you to secure networks against unauthorized access. In the Cisco implementation, RADIUS clients run on Cisco Nexus devices and send authentication and accounting requests to a central RADIUS server that contains all user authentication and network service access information.
RADIUS Network Environments
RADIUS can be implemented in a variety of network environments that require high levels of security while maintaining network access for remote users.
You can use RADIUS in the following network environments that require access security:
• Networks with multiple-vendor network devices, each supporting RADIUS.
For example, network devices from several vendors can use a single RADIUS server-based security database.
• Networks already using RADIUS.
You can add a Cisco Nexus device with RADIUS to the network. This action might be the first step when you make a transition to an AAA server.
• Networks that require resource accounting.
You can use RADIUS accounting independent of RADIUS authentication or authorization. The RADIUS accounting functions allow data to be sent at the start and end of services, indicating the amount of resources (such as time, packets, bytes, and so on) used during the session. An Internet service provider
(ISP) might use a freeware-based version of the RADIUS access control and accounting software to meet special security and billing needs.
• Networks that support authentication profiles.
Using the RADIUS server in your network, you can configure AAA authentication and set up per-user profiles. Per-user profiles enable the Cisco Nexus device to manage ports using their existing RADIUS solutions and to efficiently manage shared resources to offer different service-level agreements.
Information About RADIUS Operations
When a user attempts to log in and authenticate to a Cisco Nexus device using RADIUS, the following process occurs:
1. The user is prompted for and enters a username and password.
2. The username and encrypted password are sent over the network to the RADIUS server.
3. The user receives one of the following responses from the RADIUS server:
• ACCEPT—The user is authenticated.
• REJECT—The user is not authenticated and is prompted to reenter the username and password, or access is denied.
• CHALLENGE—A challenge is issued by the RADIUS server. The challenge collects additional data from the user.
• CHANGE PASSWORD—A request is issued by the RADIUS server, asking the user to select a new password.
The ACCEPT or REJECT response is bundled with additional data that is used for EXEC or network authorization. You must first complete RADIUS authentication before using RADIUS authorization. The additional data included with the ACCEPT or REJECT packets consists of the following:
• Services that the user can access, including Telnet, rlogin, or local-area transport (LAT) connections, and Point-to-Point Protocol (PPP), Serial Line Internet Protocol (SLIP), or EXEC services.
• Connection parameters, including the host or client IPv4 or IPv6 address, access list, and user timeouts.
RADIUS Server Monitoring
An unresponsive RADIUS server can delay the processing of AAA requests. You can configure the switch to periodically monitor a RADIUS server to check whether it is responding (alive) to save time in processing AAA requests. The switch marks unresponsive RADIUS servers as dead and does not send AAA requests to any dead RADIUS servers. The switch periodically monitors the dead RADIUS servers and brings them back to the alive state once they respond. This process verifies that a RADIUS server is in a working state before real AAA requests are sent to the server. Whenever a RADIUS server changes to the dead or alive state, a Simple Network Management Protocol (SNMP) trap is generated and the switch displays an error message that a failure is taking place.
The following figure shows the different RADIUS server states:
Figure 2: RADIUS Server States
Note
The monitoring interval for alive servers and dead servers are different and can be configured by the user.
The RADIUS server monitoring is performed by sending a test authentication request to the RADIUS server.
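The state machine described above (alive and dead states, separate probe intervals for each, a trap on every transition, and dead servers excluded from real AAA requests) is small enough to write out. The following Python model is an added illustration, not NX-OS code; the interval values, the assumption that servers start in the alive state, and the probe callback (standing in for the test authentication request) are assumptions. It also folds in the dead-time precedence rule stated later in this chapter, that a server group's dead-time overrides the global value when it is greater than zero.

```python
"""State tracker for RADIUS server monitoring: alive servers are probed every
`alive_interval` seconds, dead servers every `dead_interval`, and every change of
state is recorded as an event (on the switch: an SNMP trap plus an error message).
Added illustration, not NX-OS code; intervals and the probe callback are assumed."""


class ServerMonitor:
    def __init__(self, servers, alive_interval=600, dead_interval=60):
        self.alive_interval = alive_interval
        self.dead_interval = dead_interval
        # Assumption: every server starts 'alive' and is due for a probe at once.
        self.state = {s: "alive" for s in servers}
        self.next_probe = {s: 0 for s in servers}
        self.events = []            # (time, server, old_state, new_state)

    def usable_servers(self):
        """Servers that real AAA requests may be sent to: dead servers are skipped."""
        return [s for s, st in self.state.items() if st == "alive"]

    def run(self, now, probe):
        """Probe every server whose probe is due at `now`.
        `probe(server)` sends the test authentication request (the guide's
        default monitoring credentials are username 'test' / password 'test')
        and returns True when the server replied. Returns the usable servers."""
        for s in self.state:
            if now < self.next_probe[s]:
                continue                      # not due yet
            old = self.state[s]
            new = "alive" if probe(s) else "dead"
            if new != old:
                self.events.append((now, s, old, new))   # trap + error message
                self.state[s] = new
            interval = self.alive_interval if new == "alive" else self.dead_interval
            self.next_probe[s] = now + interval
        return self.usable_servers()


def effective_deadtime(global_deadtime, group_deadtime):
    """Dead-time used for a server group: the group value wins when it is
    greater than zero, otherwise the global value applies."""
    return group_deadtime if group_deadtime > 0 else global_deadtime
```

A dead server is probed more often than an alive one precisely so that it is returned to service quickly; note that between probes the tracker never changes state on its own, which is why a freshly recovered server still waits for its next dead-interval probe before it receives real requests.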
Vendor-Specific Attributes
The Internet Engineering Task Force (IETF) draft standard specifies a method for communicating vendor-specific attributes (VSAs) between the network access server and the RADIUS server. The IETF uses attribute 26. VSAs allow vendors to support their own extended attributes that are not suitable for general use. The Cisco RADIUS implementation supports one vendor-specific option using the format recommended in the specification. The Cisco vendor ID is 9, and the supported option is vendor type 1, which is named cisco-av-pair. The value is a string with the following format:
protocol : attribute separator value *
The protocol is a Cisco attribute for a particular type of authorization, the separator is an equal sign (=) for mandatory attributes, and an asterisk (*) indicates optional attributes.
When you use RADIUS servers for authentication on a Cisco Nexus device, the RADIUS protocol directs the RADIUS server to return user attributes, such as authorization information, with authentication results.
This authorization information is specified through VSAs.
The following VSA protocol options are supported by the Cisco Nexus device:
• Shell—Used in access-accept packets to provide user profile information.
• Accounting—Used in accounting-request packets. If a value contains any white spaces, you should enclose the value within double quotation marks.
The Cisco Nexus device supports the following attributes:
• roles—Lists all the roles to which the user belongs. The value field is a string that lists the role names delimited by white spaces.
• accountinginfo—Stores accounting information in addition to the attributes covered by a standard RADIUS accounting protocol. This attribute is sent only in the VSA portion of the Account-Request frames from the RADIUS client on the switch. It can be used only with the accounting protocol data units (PDUs).
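The cisco-av-pair format above (protocol, attribute, a separator of = for mandatory or * for optional, then the value, with quoting allowed around values that contain white space) is a small grammar worth parsing strictly: a switch that derives a user's roles from it must reject malformed input rather than guess. The following Python parser is an added illustration, not Cisco's implementation; the helper names are assumptions, and the sample strings are constructed.

```python
"""Parser for the cisco-av-pair VSA value:  protocol:attribute<sep>value
where <sep> is '=' (mandatory attribute) or '*' (optional attribute).
Added illustration, not Cisco code."""
from dataclasses import dataclass
import re

# protocol and attribute are plain tokens; the first '=' or '*' after the colon
# is the separator; everything after it is the value (may contain spaces).
_AVPAIR = re.compile(r"^([A-Za-z0-9_-]+):([A-Za-z0-9_-]+)([=*])(.*)$", re.S)


@dataclass
class AVPair:
    protocol: str
    attribute: str
    mandatory: bool
    value: str


def parse_av_pair(text):
    """Split one cisco-av-pair string into its parts.
    Raises ValueError on malformed input so a bad server attribute is rejected
    instead of silently granting nothing (or everything)."""
    m = _AVPAIR.match(text.strip())
    if not m:
        raise ValueError("not a cisco-av-pair: %r" % text)
    proto, attr, sep, value = m.groups()
    # A value containing white space may be wrapped in double quotes.
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        value = value[1:-1]
    return AVPair(proto, attr, sep == "=", value)


def roles_from_av_pairs(pairs):
    """Collect NX-OS role names from shell:roles pairs in an Access-Accept,
    ignoring other protocols and attributes. Role names are white-space
    delimited; duplicates are dropped while keeping first-seen order."""
    roles = []
    for p in pairs:
        av = parse_av_pair(p)
        if av.protocol == "shell" and av.attribute == "roles":
            for r in av.value.split():
                if r not in roles:
                    roles.append(r)
    return roles
```

Whether an attribute is mandatory or optional is carried by the separator alone, so the parser records it as a flag rather than discarding it; a client that must refuse an Access-Accept whose mandatory attributes it cannot honour needs that bit.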
Prerequisites for RADIUS
RADIUS has the following prerequisites:
• You must obtain IPv4 or IPv6 addresses or hostnames for the RADIUS servers.
• You must obtain preshared keys from the RADIUS servers.
• Ensure that the Cisco Nexus device is configured as a RADIUS client of the AAA servers.
Guidelines and Limitations for RADIUS
RADIUS has the following configuration guidelines and limitations:
• You can configure a maximum of 64 RADIUS servers on the Cisco Nexus device.
Default Settings for RADIUS
The following table lists the default settings for RADIUS parameters.
Table 6: Default RADIUS Parameters
Parameter                             Default
Server roles                          Authentication and accounting
Dead timer interval                   0 minutes
Retransmission count                  1
Retransmission timer interval         5 seconds
Idle timer interval                   0 minutes
Periodic server monitoring username   test
Periodic server monitoring password   test
Configuring RADIUS Servers
This section describes how to configure RADIUS servers.
Procedure
Step 1
Establish the RADIUS server connections to the Cisco Nexus device.
Step 2
Configure the preshared secret keys for the RADIUS servers.
Step 3
If needed, configure RADIUS server groups with subsets of the RADIUS servers for AAA authentication methods.
Step 4
If needed, configure any of the following optional parameters:
• Dead-time interval.
• Allow specification of a RADIUS server at login.
• Transmission retry count and timeout interval.
• Accounting and authentication attributes.
Step 5
If needed, configure periodic RADIUS server monitoring.
Configuring RADIUS Server Hosts
You must configure the IPv4 or IPv6 address or the hostname for each RADIUS server that you want to use for authentication. All RADIUS server hosts are added to the default RADIUS server group. You can configure up to 64 RADIUS servers.
Procedure
Step 1: switch# configure terminal
Enters global configuration mode.
Step 2: switch(config)# radius-server host {ipv4-address | ipv6-address | host-name}
Specifies the IPv4 or IPv6 address or hostname for a RADIUS server.
Step 3: switch(config)# exit
Exits configuration mode.
Step 4: switch# show radius-server
(Optional) Displays the RADIUS server configuration.
Step 5: switch# copy running-config startup-config
(Optional) Saves the change persistently through reboots and restarts by copying the running configuration to the startup configuration.
The following example shows how to configure host 10.10.1.1 as a RADIUS server:
switch# configure terminal
switch(config)# radius-server host 10.10.1.1
switch(config)# exit
switch# copy running-config startup-config
Configuring RADIUS Global Preshared Keys
You can configure preshared keys at the global level for all servers used by the Cisco Nexus device. A preshared key is a shared secret text string between the switch and the RADIUS server hosts.
Before You Begin
Obtain the preshared key values for the remote RADIUS servers.
Procedure
Step 1: switch# configure terminal
Enters global configuration mode.
Step 2: switch(config)# radius-server key [0 | 7] key-value
Specifies a preshared key for all RADIUS servers. You can specify a clear text (0) or encrypted (7) preshared key. The default format is clear text. The maximum length is 63 characters. By default, no preshared key is configured.
Step 3: switch(config)# exit
Exits configuration mode.
Step 4: switch# show radius-server
(Optional) Displays the RADIUS server configuration.
Note
The preshared keys are saved in encrypted form in the running configuration. Use the show running-config command to display the encrypted preshared keys.
Step 5: switch# copy running-config startup-config
(Optional) Saves the change persistently through reboots and restarts by copying the running configuration to the startup configuration.
This example shows how to configure preshared keys at the global level for all servers used by the device:
switch# configure terminal
switch(config)# radius-server key 0 QsEfThUkO
switch(config)# exit
switch# copy running-config startup-config
Configuring RADIUS Server Preshared Keys
A preshared key is a shared secret text string between the Cisco Nexus device and the RADIUS server host.
Before You Begin
Obtain the preshared key values for the remote RADIUS servers.
Procedure
Step 1: switch# configure terminal
Enters global configuration mode.
Step 2: switch(config)# radius-server host {ipv4-address | ipv6-address | host-name} key [0 | 7] key-value
Specifies a preshared key for a specific RADIUS server. You can specify a clear text (0) or encrypted (7) preshared key. The default format is clear text. The maximum length is 63 characters. This preshared key is used instead of the global preshared key.
Step 3: switch(config)# exit
Exits configuration mode.
Step 4: switch# show radius-server
(Optional) Displays the RADIUS server configuration.
Note
The preshared keys are saved in encrypted form in the running configuration. Use the show running-config command to display the encrypted preshared keys.
Step 5: switch# copy running-config startup-config
(Optional) Saves the change persistently through reboots and restarts by copying the running configuration to the startup configuration.
This example shows how to configure RADIUS preshared keys:
switch# configure terminal
switch(config)# radius-server host 10.10.1.1 key 0 PlIjUhYg
switch(config)# exit
switch# show radius-server
switch# copy running-config startup-config
Configuring RADIUS Server Groups
You can specify one or more remote AAA servers for authentication using server groups. All members of a group must belong to the RADIUS protocol. The servers are tried in the same order in which you configure them.
Procedure
Step 1: switch# configure terminal
Enters global configuration mode.
Step 2: switch(config)# aaa group server radius group-name
Creates a RADIUS server group and enters the RADIUS server group configuration submode for that group. The group-name argument is a case-sensitive, alphanumeric string with a maximum of 127 characters.
Step 3: switch(config-radius)# server {ipv4-address | ipv6-address | server-name}
Configures the RADIUS server as a member of the RADIUS server group. If the specified RADIUS server is not found, configure it using the radius-server host command and retry this command.
Step 4: switch(config-radius)# deadtime minutes
(Optional) Configures the monitoring dead time. The default is 0 minutes. The range is from 1 through 1440.
Note
If the dead-time interval for a RADIUS server group is greater than zero (0), that value takes precedence over the global dead-time value.
Step 5: switch(config-radius)# source-interface interface
(Optional) Assigns a source interface for a specific RADIUS server group. The supported interface types are management and VLAN.
Note
Use the source-interface command to override the global source interface assigned by the ip radius source-interface command.
Step 6: switch(config-radius)# exit
Exits configuration mode.
Step 7: switch(config)# show radius-server group [group-name]
(Optional) Displays the RADIUS server group configuration.
Step 8: switch(config)# copy running-config startup-config
(Optional) Saves the change persistently through reboots and restarts by copying the running configuration to the startup configuration.
The following example shows how to configure a RADIUS server group:
switch# configure terminal
switch(config)# aaa group server radius RadServer
switch(config-radius)# server 10.10.1.1
switch(config-radius)# deadtime 30
switch(config-radius)# use-vrf management
switch(config-radius)# exit
switch(config)# show radius-server group
switch(config)# copy running-config startup-config
What to Do Next
Apply the RADIUS server groups to an AAA service.
Configuring the Global Source Interface for RADIUS Server Groups
You can configure a global source interface for RADIUS server groups to use when accessing RADIUS servers. You can also configure a different source interface for a specific RADIUS server group.
Procedure
Step 1: switch# configure terminal
Enters global configuration mode.
Step 2: switch(config)# ip radius source-interface interface
Configures the global source interface for all RADIUS server groups configured on the device. The source interface can be the management or the VLAN interface.
Step 3: switch(config)# exit
Exits configuration mode.
Step 4: switch# show radius-server
(Optional) Displays the RADIUS server configuration information.
Step 5: switch# copy running-config startup-config
(Optional) Copies the running configuration to the startup configuration.
This example shows how to configure the mgmt 0 interface as the global source interface for RADIUS server groups:
switch# configure terminal
switch(config)# ip radius source-interface mgmt 0
switch(config)# exit
switch# copy running-config startup-config
Allowing Users to Specify a RADIUS Server at Login
You can allow users to specify a RADIUS server at login.
Procedure
Step 1: switch# configure terminal
Enters global configuration mode.
Step 2: switch(config)# radius-server directed-request
Allows users to specify the RADIUS server to which the authentication request is sent when logging in. The default is disabled.
Step 3: switch(config)# exit
Exits configuration mode.
Step 4: switch# show radius-server directed-request
(Optional) Displays the directed request configuration.
Step 5: switch# copy running-config startup-config
(Optional) Copies the running configuration to the startup configuration.
This example shows how to allow users to select a RADIUS server when logging in to a network:
switch# configure terminal
switch(config)# radius-server directed-request
switch(config)# exit
switch# copy running-config startup-config
Configuring the Global RADIUS Transmission Retry Count and Timeout Interval
You can configure a global retransmission retry count and timeout interval for all RADIUS servers. By default, a switch retries transmission to a RADIUS server only once before reverting to local authentication. You can increase this number up to a maximum of five retries per server. The timeout interval determines how long the Cisco Nexus device waits for responses from RADIUS servers before declaring a timeout failure.
Procedure
Step 1: switch# configure terminal
Enters global configuration mode.
Step 2: switch(config)# radius-server retransmit count
Specifies the retransmission count for all RADIUS servers. The default retransmission count is 1 and the range is from 0 to 5.
Step 3: switch(config)# radius-server timeout seconds
Specifies the transmission timeout interval for RADIUS servers. The default timeout interval is 5 seconds and the range is from 1 to 60 seconds.
Step 4: switch(config)# exit
Exits global configuration mode.
Step 5: switch# show radius-server
(Optional) Displays the RADIUS server configuration.
Step 6: switch# copy running-config startup-config
(Optional) Copies the running configuration to the startup configuration.
This example shows how to set the retry count to 3 and the transmission timeout interval to 5 seconds for RADIUS servers:
switch# configure terminal
switch(config)# radius-server retransmit 3
switch(config)# radius-server timeout 5
switch(config)# exit
switch# copy running-config startup-config
Configuring the RADIUS Transmission Retry Count and Timeout Interval for a Server
By default, a Cisco Nexus switch retries transmission to a RADIUS server only once before reverting to local authentication. You can increase this number up to a maximum of five retries per server. You can also set a timeout interval that the switch waits for responses from RADIUS servers before declaring a timeout failure.
Procedure
Step 1: switch# configure terminal
Purpose: Enters global configuration mode.
Step 2: switch(config)# radius-server host {ipv4-address | ipv6-address | host-name} retransmit count
Purpose: Specifies the retransmission count for a specific server. The default is the global value.
Note
The retransmission count value specified for a RADIUS server overrides the count specified for all RADIUS servers.
Step 3: switch(config)# radius-server host {ipv4-address | ipv6-address | host-name} timeout seconds
Purpose: Specifies the transmission timeout interval for a specific server. The default is the global value.
Note
The timeout interval value specified for a RADIUS server overrides the interval value specified for all RADIUS servers.
Step 4: switch(config)# exit
Purpose: Exits global configuration mode.
Step 5: switch# show radius-server
Purpose: (Optional) Displays the RADIUS server configuration.
Step 6: switch# copy running-config startup-config
Purpose: (Optional) Saves the change persistently through reboots and restarts by copying the running configuration to the startup configuration.
This example shows how to set the RADIUS transmission retry count to 3 and the timeout interval to 10 seconds on RADIUS host server server1:
switch# configure terminal
switch(config)# radius-server host server1 retransmit 3
switch(config)# radius-server host server1 timeout 10
switch(config)# exit
switch# copy running-config startup-config
Configuring Accounting and Authentication Attributes for RADIUS Servers
You can specify that a RADIUS server is to be used only for accounting purposes or only for authentication purposes. By default, RADIUS servers are used for both accounting and authentication. You can also specify the destination UDP port numbers where RADIUS accounting and authentication messages should be sent.
Procedure
Step 1: switch# configure terminal
Purpose: Enters global configuration mode.
Step 2: switch(config)# radius-server host {ipv4-address | ipv6-address | host-name} acct-port udp-port
Purpose: (Optional) Specifies a UDP port to use for RADIUS accounting messages. The default UDP port is 1812. The range is from 0 to 65535.
Step 3: switch(config)# radius-server host {ipv4-address | ipv6-address | host-name} accounting
Purpose: (Optional) Specifies that the specified RADIUS server is to be used only for accounting purposes. The default is both accounting and authentication.
Step 4: switch(config)# radius-server host {ipv4-address | ipv6-address | host-name} auth-port udp-port
Purpose: (Optional) Specifies a UDP port to use for RADIUS authentication messages. The default UDP port is 1812. The range is from 0 to 65535.
Step 5: switch(config)# radius-server host {ipv4-address | ipv6-address | host-name} authentication
Purpose: (Optional) Specifies that the specified RADIUS server is to be used only for authentication purposes. The default is both accounting and authentication.
Step 6: switch(config)# exit
Purpose: Exits configuration mode.
Step 7: switch# show radius-server
Purpose: (Optional) Displays the RADIUS server configuration.
Step 8: switch# copy running-config startup-config
Purpose: Saves the change persistently through reboots and restarts by copying the running configuration to the startup configuration.
This example shows how to configure accounting and authentication attributes for a RADIUS server:
switch# configure terminal
switch(config)# radius-server host 10.10.1.1 acct-port 2004
switch(config)# radius-server host 10.10.1.1 accounting
switch(config)# radius-server host 10.10.2.2 auth-port 2005
switch(config)# radius-server host 10.10.2.2 authentication
switch(config)# exit
switch# copy running-config startup-config
Configuring Periodic RADIUS Server Monitoring
You can monitor the availability of RADIUS servers. The monitoring parameters include the username and password to use for the server and an idle timer. The idle timer specifies the interval during which a RADIUS server receives no requests before the switch sends out a test packet. You can configure this option to test servers periodically.
Note
For security reasons, we recommend that you do not configure a test username that is the same as an existing user in the RADIUS database.
The default idle timer value is 0 minutes. When the idle time interval is 0 minutes, the switch does not perform periodic RADIUS server monitoring.
Procedure
Step 1: switch# configure terminal
Purpose: Enters global configuration mode.
Step 2: switch(config)# radius-server host {ipv4-address | ipv6-address | host-name} test {idle-time minutes | password password [idle-time minutes] | username name [password password [idle-time minutes]]}
Purpose: Specifies parameters for server monitoring. The default username is test and the default password is test. The default value for the idle timer is 0 minutes. The valid range is from 0 to 1440 minutes.
Note
For periodic RADIUS server monitoring, you must set the idle timer to a value greater than 0.
Step 3: switch(config)# radius-server deadtime minutes
Purpose: Specifies the number of minutes before the switch checks a RADIUS server that was previously unresponsive. The default value is 0 minutes. The valid range is 1 to 1440 minutes.
Step 4: switch(config)# exit
Purpose: Exits configuration mode.
Step 5: switch# show radius-server
Purpose: (Optional) Displays the RADIUS server configuration.
Step 6: switch# copy running-config startup-config
Purpose: (Optional) Saves the change persistently through reboots and restarts by copying the running configuration to the startup configuration.
This example shows how to configure RADIUS server host 10.10.1.1 with a username (user1) and password (Ur2Gd2BH) and with an idle timer of 3 minutes and a deadtime of 5 minutes:
switch# configure terminal
switch(config)# radius-server host 10.10.1.1 test username user1 password Ur2Gd2BH idle-time 3
switch(config)# radius-server deadtime 5
switch(config)# exit
switch# copy running-config startup-config
Configuring the Dead-Time Interval
You can configure the dead-time interval for all RADIUS servers. The dead-time interval specifies the time that the Cisco Nexus device waits after declaring a RADIUS server is dead, before sending out a test packet to determine if the server is now alive. The default value is 0 minutes.
Note
When the dead-time interval is 0 minutes, RADIUS servers are not marked as dead even if they are not responding. You can configure the dead-time interval for a RADIUS server group.
Procedure
Step 1: switch# configure terminal
Purpose: Enters global configuration mode.
Step 2: switch(config)# radius-server deadtime minutes
Purpose: Configures the dead-time interval. The default value is 0 minutes. The range is from 1 to 1440 minutes.
Step 3: switch(config)# exit
Purpose: Exits configuration mode.
Step 4: switch# show radius-server
Purpose: (Optional) Displays the RADIUS server configuration.
Step 5: switch# copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
This example shows how to configure a deadtime of 5 minutes for a RADIUS server:
switch# configure terminal
switch(config)# radius-server deadtime 5
switch(config)# exit
switch# copy running-config startup-config
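The following Python model is an added illustration, not Cisco code, of how the settings in the preceding sections interact: the global retransmit count and timeout, the per-server overrides, the idle timer that triggers periodic test packets, and the dead-time interval that decides whether an unresponsive server is marked dead and how long it is skipped. Class and method names, the simulated minute clock, and the rule that one attempt plus `retransmit` retries each wait a full `timeout` are this example's own assumptions; the defaults and ranges are the ones stated in this chapter.

```python
"""Model of NX-OS RADIUS server liveness tracking (added example, not Cisco code)."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class RadiusServer:
    name: str
    retransmit: Optional[int] = None   # per-server override; None means use the global value
    timeout: Optional[int] = None      # seconds; None means use the global value
    test_idle_time: int = 0            # minutes; 0 disables periodic monitoring
    alive: bool = True
    last_request_at: int = 0           # simulated clock, in minutes
    dead_since: Optional[int] = None


@dataclass
class RadiusConfig:
    retransmit: int = 1    # guide default 1, range 0 to 5
    timeout: int = 5       # guide default 5 seconds, range 1 to 60
    deadtime: int = 0      # guide default 0 minutes; 0 means servers are never marked dead
    servers: List[RadiusServer] = field(default_factory=list)

    def effective(self, s: RadiusServer) -> Tuple[int, int]:
        """Per-server values override the global ones ('the default is the global value')."""
        r = self.retransmit if s.retransmit is None else s.retransmit
        t = self.timeout if s.timeout is None else s.timeout
        return r, t

    def worst_case_wait(self, s: RadiusServer) -> int:
        """Seconds spent on one silent server before giving up (model assumption:
        the first attempt plus `retransmit` retries, each waiting `timeout` seconds)."""
        r, t = self.effective(s)
        return (r + 1) * t

    def record_failure(self, s: RadiusServer, now: int) -> None:
        """A server did not answer. With deadtime 0 it is never marked dead."""
        if self.deadtime > 0 and s.alive:
            s.alive = False
            s.dead_since = now

    def usable(self, s: RadiusServer, now: int) -> bool:
        """Dead servers are skipped until the dead-time interval has elapsed;
        after that the switch would probe them again, modelled here as eligible."""
        if s.alive:
            return True
        if now - s.dead_since >= self.deadtime:
            s.alive = True
            s.dead_since = None
            return True
        return False

    def needs_periodic_probe(self, s: RadiusServer, now: int) -> bool:
        """Idle timer: a test packet is due after idle-time minutes with no requests."""
        return s.test_idle_time > 0 and now - s.last_request_at >= s.test_idle_time


if __name__ == "__main__":
    cfg = RadiusConfig(retransmit=3, timeout=5, deadtime=5,
                       servers=[RadiusServer("server1", timeout=10, test_idle_time=3)])
    srv = cfg.servers[0]
    print("effective (retransmit, timeout):", cfg.effective(srv))
    print("worst-case wait before fallback:", cfg.worst_case_wait(srv), "s")
    cfg.record_failure(srv, now=10)
    print("usable two minutes later:", cfg.usable(srv, now=12))
    print("usable after deadtime:", cfg.usable(srv, now=15))
```

Running the model with the chapter's own example values makes the two failure modes visible: with `deadtime` left at 0 a silent server is consulted on every request and each request pays the full `(retransmit + 1) * timeout` wait, and with `idle-time` left at 0 no test packet is ever sent, so the switch only learns a server is down from real user logins.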
Manually Monitoring RADIUS Servers or Groups
Procedure
Step 1: switch# test aaa server radius {ipv4-address | ipv6-address | server-name} [vrf vrf-name] username password
Purpose: Sends a test message to a RADIUS server to confirm availability.
Step 2: switch# test aaa group group-name username password
Purpose: Sends a test message to a RADIUS server group to confirm availability.
This example shows how to send a test message to the RADIUS server and server group to confirm availability:
switch# test aaa server radius 10.10.1.1 user1 Ur2Gd2BH
switch# test aaa group RadGroup user2 As3He3CI
Verifying the RADIUS Configuration
To display AAA information, perform one of the following tasks:
Command: show running-config radius [all]
Purpose: Displays the RADIUS configuration in the running configuration.
Command: show startup-config radius
Purpose: Displays the RADIUS configuration in the startup configuration.
Command: show radius-server [server-name | ipv4-address | ipv6-address] [directed-request | groups | sorted | statistics]
Purpose: Displays all configured RADIUS server parameters.
Displaying RADIUS Server Statistics
Procedure
Step 1: switch# show radius-server statistics {hostname | ipv4-address | ipv6-address}
Purpose: Displays the RADIUS statistics.
Clearing RADIUS Server Statistics
You can display and clear the statistics that the Cisco NX-OS device maintains for RADIUS server activity.
Before You Begin
Configure RADIUS servers on the Cisco NX-OS device.
Procedure
Step 1: switch# show radius-server statistics {hostname | ipv4-address | ipv6-address}
Purpose: (Optional) Displays the RADIUS server statistics on the Cisco NX-OS device.
Step 2: switch# clear radius-server statistics {hostname | ipv4-address | ipv6-address}
Purpose: Clears the RADIUS server statistics.
Configuration Examples for RADIUS
The following example shows how to configure RADIUS:
switch# configure terminal
switch(config)# radius-server key 7 "ToIkLhPpG"
switch(config)# radius-server host 10.10.1.1 key 7 "ShMoMhTl" authentication accounting
switch(config)# aaa group server radius RadServer
switch(config-radius)# server 10.10.1.1
switch(config-radius)# use-vrf management
switch(config-radius)# exit
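As an added example, not Cisco code, the script below reads a configuration in the command syntax this chapter documents (`radius-server key`, `radius-server host ... key`, `radius-server host ... test`, `radius-server deadtime`; the same `tacacs-server` forms are accepted) and reports the conditions the chapter itself warns about: a dead-time of 0 (servers never marked dead), test credentials with an idle-time of 0 (no periodic monitoring), a test username that is also a real account, and a preshared key written in clear-text format 0 in the script. The sample configuration, the `KNOWN_USERS` set and all key and password values are constructed for the demonstration.

```python
"""Audit an NX-OS RADIUS/TACACS+ configuration script for weak monitoring settings
(added example, not Cisco code)."""
import shlex
from typing import Dict, List

# Constructed sample: a configuration script in the syntax this chapter documents.
SAMPLE_CONFIG = """\
radius-server key 7 "ToIkLhPpG"
radius-server retransmit 3
radius-server timeout 5
radius-server host 10.10.1.1 key 7 "ShMoMhTl" authentication accounting
radius-server host 10.10.1.1 test username admin password Ur2Gd2BH idle-time 3
radius-server host 10.10.2.2 key 0 plaintextkey
radius-server host 10.10.2.2 test username user1 password As3He3CI idle-time 0
aaa group server radius RadServer
  server 10.10.1.1
  use-vrf management
"""

# Constructed list of real accounts held in the AAA server's user database.
KNOWN_USERS = {"admin", "netops"}


def parse_config(text: str) -> Dict:
    """Collect the global dead-time, the global key format and per-host settings.

    radius-server and tacacs-server lines share the key / host / deadtime syntax
    shown in this guide, so both are parsed the same way.
    """
    cfg = {"deadtime": 0, "global_key_format": None, "hosts": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith(("radius-server ", "tacacs-server ")):
            continue
        tok = shlex.split(line)          # handles the quoted key values
        if tok[1] == "deadtime":
            cfg["deadtime"] = int(tok[2])
        elif tok[1] == "key":
            # 'key 0 ...' or 'key 7 ...'; with no format keyword the guide's default is clear text
            cfg["global_key_format"] = tok[2] if tok[2] in ("0", "7") else "0"
        elif tok[1] == "host":
            host = cfg["hosts"].setdefault(
                tok[2], {"key_format": None, "test_user": None, "idle_time": None})
            rest = tok[3:]
            if rest and rest[0] == "key":
                host["key_format"] = rest[1] if rest[1] in ("0", "7") else "0"
            elif rest and rest[0] == "test":
                if "username" in rest:
                    host["test_user"] = rest[rest.index("username") + 1]
                if "idle-time" in rest:
                    host["idle_time"] = int(rest[rest.index("idle-time") + 1])
    return cfg


def audit(cfg: Dict) -> List[str]:
    """Report the conditions this chapter warns about, one finding per line."""
    findings = []
    if cfg["deadtime"] == 0:
        findings.append("global deadtime is 0: unresponsive servers are never marked dead")
    if cfg["global_key_format"] == "0":
        findings.append("global key given in clear text (format 0) in the script")
    for name, h in sorted(cfg["hosts"].items()):
        if h["key_format"] == "0":
            findings.append(f"{name}: key given in clear text (format 0) in the script")
        if h["test_user"] in KNOWN_USERS:
            findings.append(f"{name}: test username '{h['test_user']}' matches a real account")
        if h["test_user"] is not None and not h["idle_time"]:
            findings.append(f"{name}: test credentials set but idle-time is 0, so no periodic monitoring")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_config(SAMPLE_CONFIG)):
        print(finding)
```

The switch stores keys encrypted in the running configuration, so a `show running-config radius` capture will normally show format 7; the clear-text check matters for change scripts and templates kept outside the device, where a format 0 key is the secret itself.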
Chapter 5
Configuring TACACS+
This chapter contains the following sections:
• Information About Configuring TACACS+, page 53
• Prerequisites for TACACS+, page 56
• Guidelines and Limitations for TACACS+, page 56
• Default Settings for TACACS+, page 56
• Displaying TACACS+ Statistics, page 73
• Verifying the TACACS+ Configuration, page 74
• Configuration Examples for TACACS+, page 74
Information About Configuring TACACS+
The Terminal Access Controller Access Control System Plus (TACACS+) security protocol provides centralized validation of users attempting to gain access to a Cisco Nexus device. TACACS+ services are maintained in a database on a TACACS+ daemon typically running on a UNIX or Windows NT workstation. You must have access to and must configure a TACACS+ server before the configured TACACS+ features on your Cisco Nexus device are available.
TACACS+ provides for separate authentication, authorization, and accounting facilities. TACACS+ allows for a single access control server (the TACACS+ daemon) to provide each service (authentication, authorization, and accounting) independently. Each service is associated with its own database to take advantage of other services available on that server or on the network, depending on the capabilities of the daemon.
The TACACS+ client/server protocol uses TCP (TCP port 49) for transport requirements. The Cisco Nexus device provides centralized authentication using the TACACS+ protocol.
TACACS+ Advantages
TACACS+ has the following advantages over RADIUS authentication:
• Provides independent AAA facilities. For example, the Cisco Nexus device can authorize access without authenticating.
• Uses the TCP transport protocol to send data between the AAA client and server, making reliable transfers with a connection-oriented protocol.
• Encrypts the entire protocol payload between the switch and the AAA server to ensure higher data confidentiality. The RADIUS protocol only encrypts passwords.
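The third advantage is easiest to see on the wire. The Python example below is an added illustration, not Cisco code: it builds a simplified RADIUS Access-Request in which only the User-Password attribute is hidden (RFC 2865 section 5.2, MD5 of the shared secret and the Request Authenticator XORed over the password) and a simplified TACACS+ authentication START packet in which the whole body after the 12-byte header is obfuscated (RFC 8907 section 4.5, a chained MD5 pad keyed by session id, secret, version and sequence number). The packet layouts are reduced to what the comparison needs, the body layout of the TACACS+ packet is a placeholder, and the secrets, authenticator, session id and credentials are constructed values.

```python
"""RADIUS hides only User-Password; TACACS+ obfuscates the whole body (added example)."""
import hashlib
import struct


def radius_hide_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = padded[i:i + 16]
        b = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(block, b))
        out += c
        prev = c
    return out


def radius_unhide_password(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    """Inverse of radius_hide_password; trailing NUL padding is stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        c = hidden[i:i + 16]
        b = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(c, b))
        prev = c
    return out.rstrip(b"\x00")


def radius_access_request(secret: bytes, authenticator: bytes, user: bytes, password: bytes) -> bytes:
    """Simplified Access-Request: User-Name (type 1) in the clear, User-Password (type 2) hidden."""
    attrs = bytes([1, 2 + len(user)]) + user
    hidden = radius_hide_password(secret, authenticator, password)
    attrs += bytes([2, 2 + len(hidden)]) + hidden
    # code 1 = Access-Request, identifier 0, length covers the 20-byte header plus attributes
    return struct.pack("!BBH", 1, 0, 20 + len(attrs)) + authenticator + attrs


def tacacs_obfuscate(secret: bytes, session_id: int, version: int, seq_no: int, body: bytes) -> bytes:
    """RFC 8907 4.5: body XOR pad, pad_n = MD5(session_id | key | version | seq_no | pad_n-1).
    XOR is its own inverse, so the same call deobfuscates."""
    head = struct.pack("!I", session_id) + secret + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < len(body):
        prev = hashlib.md5(head + prev).digest()
        pad += prev
    return bytes(x ^ y for x, y in zip(body, pad))


def tacacs_authen_start(secret: bytes, session_id: int, user: bytes, password: bytes) -> bytes:
    """Simplified authentication START: 12-byte header in the clear, body obfuscated."""
    version, seq_no = 0xC0, 1                   # major version 0xC, minor 0; first packet
    body = user + b"\x00" + password            # placeholder body layout, constructed for the demo
    ob = tacacs_obfuscate(secret, session_id, version, seq_no, body)
    # version, type 1 (authentication), seq_no, flags 0, session_id, body length
    return struct.pack("!BBBBII", version, 1, seq_no, 0, session_id, len(ob)) + ob


if __name__ == "__main__":
    auth = bytes(range(16))                     # constructed Request Authenticator
    r = radius_access_request(b"ShMoMhTl", auth, b"user1", b"Ur2Gd2BH")
    t = tacacs_authen_start(b"PlIjUhYg", 0x12345678, b"user1", b"Ur2Gd2BH")
    print("RADIUS exposes username:", b"user1" in r, "password:", b"Ur2Gd2BH" in r)
    print("TACACS+ exposes username:", b"user1" in t, "password:", b"Ur2Gd2BH" in t)
```

The check at the end is the point of the comparison: in the RADIUS packet the username, and every other attribute, is readable by anyone on the path, while in the TACACS+ packet nothing after the header is. Neither transform is authenticated encryption in the modern sense, which is why both protocols depend on a strong preshared key and a management network that is itself protected.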
User Login with TACACS+
When a user attempts a Password Authentication Protocol (PAP) login to a Cisco Nexus device using TACACS+, the following actions occur:
1. When the Cisco Nexus device establishes a connection, it contacts the TACACS+ daemon to obtain the username and password.
Note
TACACS+ allows an arbitrary conversation between the daemon and the user until the daemon receives enough information to authenticate the user. This action is usually done by prompting for a username and password combination, but may include prompts for other items, such as the user's mother's maiden name.
2. The Cisco Nexus device receives one of the following responses from the TACACS+ daemon:
• ACCEPT—User authentication succeeds and service begins. If the Cisco Nexus device requires user authorization, authorization begins.
• REJECT—User authentication failed. The TACACS+ daemon either denies further access to the user or prompts the user to retry the login sequence.
• ERROR—An error occurred at some time during authentication, either at the daemon or in the network connection between the daemon and the Cisco Nexus device. If the Cisco Nexus device receives an ERROR response, the switch tries to use an alternative method for authenticating the user.
The user also undergoes an additional authorization phase, if authorization has been enabled on the Cisco Nexus device. Users must first successfully complete TACACS+ authentication before proceeding to TACACS+ authorization.
3. If TACACS+ authorization is required, the Cisco Nexus device again contacts the TACACS+ daemon and it returns an ACCEPT or REJECT authorization response. An ACCEPT response contains attributes that are used to direct the EXEC or NETWORK session for that user and determines the services that the user can access. Services include the following:
◦ Telnet, rlogin, Point-to-Point Protocol (PPP), Serial Line Internet Protocol (SLIP), or EXEC services
◦ Connection parameters, including the host or client IP address (IPv4 or IPv6), access list, and user timeouts
Default TACACS+ Server Encryption Type and Preshared Key
You must configure the TACACS+ preshared key to authenticate the switch to the TACACS+ server. A preshared key is a secret text string shared between the Cisco Nexus device and the TACACS+ server host. The length of the key is restricted to 63 characters and can include any printable ASCII characters (white spaces are not allowed). You can configure a global preshared secret key for all TACACS+ server configurations on the Cisco Nexus device to use.
You can override the global preshared key assignment by using the key option when configuring an individual TACACS+ server.
Command Authorization Support for TACACS+ Servers
By default, command authorization is done against a local database in the Cisco NX-OS software when an authenticated user enters a command at the command-line interface (CLI). You can also verify authorized commands for authenticated users using TACACS+.
TACACS+ Server Monitoring
An unresponsive TACACS+ server can delay the processing of AAA requests. A Cisco Nexus device can periodically monitor a TACACS+ server to check whether it is responding (or alive) to save time in processing AAA requests. The Cisco Nexus device marks unresponsive TACACS+ servers as dead and does not send AAA requests to any dead TACACS+ servers. The Cisco Nexus device periodically monitors dead TACACS+ servers and brings them to the alive state once they are responding. This process verifies that a TACACS+ server is in a working state before real AAA requests are sent to the server. Whenever a TACACS+ server changes to the dead or alive state, a Simple Network Management Protocol (SNMP) trap is generated and the Cisco Nexus device displays an error message that a failure is taking place before it can impact performance.
The following figure shows the different TACACS+ server states:
Figure 3: TACACS+ Server States
Note
The monitoring intervals for alive servers and dead servers are different and can be configured by the user.
The TACACS+ server monitoring is performed by sending a test authentication request to the TACACS+ server.
Prerequisites for TACACS+
TACACS+ has the following prerequisites:
• You must obtain the IPv4 or IPv6 addresses or hostnames for the TACACS+ servers.
• You must obtain the preshared keys from the TACACS+ servers, if any.
• Ensure that the Cisco Nexus device is configured as a TACACS+ client of the AAA servers.
Guidelines and Limitations for TACACS+
TACACS+ has the following configuration guidelines and limitations:
• You can configure a maximum of 64 TACACS+ servers on the Cisco Nexus device.
Default Settings for TACACS+
The following table lists the default settings for TACACS+ parameters.
Table 7: Default TACACS+ Parameters (Parameter: Default)
TACACS+: Disabled
Dead-time interval: 0 minutes
Timeout interval: 5 seconds
Idle timer interval: 0 minutes
Periodic server monitoring username: test
Periodic server monitoring password: test
Configuring TACACS+
TACACS+ Server Configuration Process
This section describes how to configure TACACS+ servers.
Procedure
Step 1
Enable TACACS+.
Step 2
Establish the TACACS+ server connections to the Cisco Nexus device.
Step 3
Configure the preshared secret keys for the TACACS+ servers.
Step 4
If needed, configure TACACS+ server groups with subsets of the TACACS+ servers for AAA authentication methods.
Step 5
If needed, configure any of the following optional parameters:
• Dead-time interval
• Allow TACACS+ server specification at login
• Timeout interval
• TCP port
Step 6
If needed, configure periodic TACACS+ server monitoring.
Enabling TACACS+
By default, the TACACS+ feature is disabled on the Cisco Nexus device. You can enable the TACACS+ feature to access the configuration and verification commands for authentication.
Procedure
Step 1: switch# configure terminal
Purpose: Enters global configuration mode.
Step 2: switch(config)# feature tacacs+
Purpose: Enables TACACS+.
Step 3: switch(config)# exit
Purpose: Exits configuration mode.
Step 4: switch# copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
Configuring TACACS+ Server Hosts
To access a remote TACACS+ server, you must configure the IPv4 or IPv6 address or the hostname for the TACACS+ server on the Cisco Nexus device. All TACACS+ server hosts are added to the default TACACS+ server group. You can configure up to 64 TACACS+ servers.
If no preshared key is configured for a TACACS+ server, the global key (if configured) is used for that server; if neither a server key nor a global key is configured, a warning message is issued.
Before you configure TACACS+ server hosts, you should do the following:
• Enable TACACS+.
• Obtain the IPv4 or IPv6 addresses or the hostnames for the remote TACACS+ servers.
Procedure
Step 1: switch# configure terminal
Purpose: Enters global configuration mode.
Step 2: switch(config)# tacacs-server host {ipv4-address | ipv6-address | host-name}
Purpose: Specifies the IPv4 or IPv6 address or hostname for a TACACS+ server.
Step 3: switch(config)# exit
Purpose: Exits configuration mode.
Step 4: switch# show tacacs-server
Purpose: (Optional) Displays the TACACS+ server configuration.
Step 5: switch# copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
You can delete a TACACS+ server host from a server group.
Configuring TACACS+ Global Preshared Keys
You can configure preshared keys at the global level for all servers used by the Cisco Nexus device. A preshared key is a shared secret text string between the Cisco Nexus device and the TACACS+ server hosts.
Before you configure preshared keys, you should do the following:
• Enable TACACS+.
• Obtain the preshared key values for the remote TACACS+ servers.
Procedure
Step 1: switch# configure terminal
Purpose: Enters global configuration mode.
Step 2: switch(config)# tacacs-server key [0 | 7] key-value
Purpose: Specifies a preshared key for all TACACS+ servers. You can specify a clear text (0) or encrypted (7) preshared key. The default format is clear text. The maximum length is 63 characters. By default, no preshared key is configured.
Step 3: switch(config)# exit
Purpose: Exits configuration mode.
Step 4: switch# show tacacs-server
Purpose: (Optional) Displays the TACACS+ server configuration.
Note
The preshared keys are saved in encrypted form in the running configuration. Use the show running-config command to display the encrypted preshared keys.
Step 5: switch# copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
The following example shows how to configure global preshared keys:
switch# configure terminal
switch(config)# tacacs-server key 0 QsEfThUkO
switch(config)# exit
switch# show tacacs-server
switch# copy running-config startup-config
Configuring TACACS+ Server Preshared Keys
You can configure preshared keys for a TACACS+ server. A preshared key is a shared secret text string between the Cisco Nexus device and the TACACS+ server host.
Procedure
Step 1: switch# configure terminal
Purpose: Enters global configuration mode.
Step 2: switch(config)# tacacs-server host {ipv4-address | ipv6-address | host-name} key [0 | 7] key-value
Purpose: Specifies a preshared key for a specific TACACS+ server. You can specify a clear text (0) or encrypted (7) preshared key. The default format is clear text. The maximum length is 63 characters. This preshared key is used instead of the global preshared key.
Step 3: switch(config)# exit
Purpose: Exits configuration mode.
Step 4: switch# show tacacs-server
Purpose: (Optional) Displays the TACACS+ server configuration.
Note
The preshared keys are saved in encrypted form in the running configuration. Use the show running-config command to display the encrypted preshared keys.
Step 5: switch# copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
The following example shows how to configure the TACACS+ preshared keys:
switch# configure terminal
switch(config)# tacacs-server host 10.10.1.1 key 0 PlIjUhYg
switch(config)# exit
switch# show tacacs-server
switch# copy running-config startup-config
Configuring TACACS+ Server Groups
You can specify one or more remote AAA servers to authenticate users using server groups. All members of a group must belong to the TACACS+ protocol. The servers are tried in the same order in which you configure them.
You can configure these server groups at any time but they only take effect when you apply them to an AAA service.
Before You Begin
You must use the feature tacacs+ command to enable TACACS+ before you configure TACACS+.
Procedure
Step 1: switch# configure terminal
Purpose: Enters global configuration mode.
Step 2: switch(config)# aaa group server tacacs+ group-name
Purpose: Creates a TACACS+ server group and enters the TACACS+ server group configuration mode for that group.
Step 3: switch(config-tacacs+)# server {ipv4-address | ipv6-address | host-name}
Purpose: Configures the TACACS+ server as a member of the TACACS+ server group. If the specified TACACS+ server is not found, configure it using the tacacs-server host command and retry this command.
Step 4: switch(config-tacacs+)# deadtime minutes
Purpose: (Optional) Configures the monitoring dead time. The default is 0 minutes. The range is from 0 through 1440.
Note
If the dead-time interval for a TACACS+ server group is greater than zero (0), that value takes precedence over the global dead-time value.
Step 5: switch(config-tacacs+)# source-interface interface
Purpose: (Optional) Assigns a source interface for a specific TACACS+ server group. The supported interface types are management and VLAN.
Note
Use the source-interface command to override the global source interface assigned by the ip tacacs source-interface command.
Step 6: switch(config-tacacs+)# exit
Purpose: Exits configuration mode.
Step 7: switch(config)# show tacacs-server groups
Purpose: (Optional) Displays the TACACS+ server group configuration.
Step 8: switch(config)# copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
The following example shows how to configure a TACACS+ server group:
switch# configure terminal
switch(config)# aaa group server tacacs+ TacServer
switch(config-tacacs+)# server 10.10.2.2
switch(config-tacacs+)# deadtime 30
switch(config-tacacs+)# exit
switch(config)# show tacacs-server groups
switch(config)# copy running-config startup-config
Configuring the Global Source Interface for TACACS+ Server Groups
You can configure a global source interface for TACACS+ server groups to use when accessing TACACS+ servers. You can also configure a different source interface for a specific TACACS+ server group.
Procedure
Step 1: configure terminal
Purpose: Enters global configuration mode.
Step 2: ip tacacs source-interface interface
Example:
switch(config)# ip tacacs source-interface mgmt 0
Purpose: Configures the global source interface for all TACACS+ server groups configured on the device. The source interface can be the management or the VLAN interface.
Step 3: exit
Example:
switch(config)# exit
Purpose: Exits configuration mode.
Step 4: show tacacs-server
Example:
switch# show tacacs-server
Purpose: (Optional) Displays the TACACS+ server configuration information.
Step 5: copy running-config startup-config
Example:
switch# copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
Specifying a TACACS+ Server at Login
You can configure the switch to allow the user to specify which TACACS+ server to send the authenticate request by enabling the directed-request option. By default, a Cisco Nexus device forwards an authentication request based on the default AAA authentication method. If you enable this option, the user can log in as username@hostname, where hostname is the name of a configured RADIUS server.
Note
User specified logins are only supported for Telnet sessions.
Procedure
Step 1: switch# configure terminal
Purpose: Enters global configuration mode.
Step 2: switch(config)# tacacs-server directed-request
Purpose: Allows users to specify a TACACS+ server to send the authentication request when logging in. The default is disabled.
Step 3: switch(config)# exit
Purpose: Exits configuration mode.
Step 4: switch# show tacacs-server directed-request
Purpose: (Optional) Displays the TACACS+ directed request configuration.
Step 5: switch# copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
Configuring AAA Authorization on TACACS+ Servers
You can configure the default AAA authorization method for TACACS+ servers.
Before You Begin
Enable TACACS+.
Procedure
Step 1: configure terminal
Example:
switch# configure terminal
Purpose: Enters global configuration mode.
Step 2: aaa authorization ssh-certificate default {group group-list [none] | local | none}
Example:
switch(config)# aaa authorization ssh-certificate default group TACACSServer1 TACACSServer2
Purpose: Configures the default AAA authorization method for the TACACS+ servers. The ssh-certificate keyword configures TACACS+ or local authorization with certificate authentication. The default authorization is local authorization, which is the list of authorized commands for the user's assigned role. The group-list argument consists of a space-delimited list of TACACS+ server group names. Servers belonging to this group are contacted for AAA authorization. The local method uses the local database for authorization, and the none method specifies that no AAA authorization be used.
Step 3: exit
Example:
switch(config)# exit
Purpose: Exits global configuration mode.
Step 4: show aaa authorization [all]
Example:
switch# show aaa authorization
Purpose: (Optional) Displays the AAA authorization configuration. The all keyword displays the default values.
Step 5: copy running-config startup-config
Example:
switch# copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
Configuring Command Authorization on TACACS+ Servers
You can configure authorization for commands on TACACS+ servers. Command authorization disables user role-based authorization control (RBAC), including the default roles.
Note
By default, context-sensitive help and command tab completion show only the commands that are supported for a user as defined by the assigned roles. When you enable command authorization, the Cisco NX-OS software displays all commands in the context sensitive help and in tab completion, regardless of the role assigned to the user.
Before You Begin
Enable TACACS+.
Configure TACACS host and server groups before configuring AAA command authorization.
Procedure
Step 1
Command or Action: configure terminal
Purpose: Enters global configuration mode.
Example:
switch# configure terminal
switch(config)#
Step 2
Command or Action: aaa authorization {commands | config-commands} default [group group-list [local] | local]
Purpose: Configures the default authorization method for commands for all roles.
Example:
switch(config)# aaa authorization commands default group TacGroup
The commands keyword configures authorization sources for all EXEC commands, and the config-commands keyword configures authorization sources for all configuration commands. The default authorization for all commands is local authorization, which is the list of authorized commands for the user's assigned role.
The group-list argument consists of a space-delimited list of TACACS+ server group names. Servers that belong to this group are contacted for command authorization. The local method uses the local role-based database for authorization.
The local method is used only if all the configured server groups fail to respond and you have configured local as the fallback method. The default method is local.
If you have not configured a fallback method after the TACACS+ server group method, authorization fails if all server groups fail to respond.
Step 3
Command or Action: exit
Purpose: Exits global configuration mode.
Example:
switch(config)# exit
switch#
Step 4
Command or Action: show aaa authorization [all]
Purpose: (Optional) Displays the AAA authorization configuration. The all keyword displays the default values.
Example:
switch# show aaa authorization
Step 5
Command or Action: copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
Example:
switch# copy running-config startup-config
Testing Command Authorization on TACACS+ Servers
You can test the command authorization for a user on the TACACS+ servers.
Note
You must send correct commands for authorization or the results might not be reliable.
Before You Begin
Enable TACACS+.
Ensure that you have configured command authorization for the TACACS+ servers.
Procedure
Step 1
Command or Action: test aaa authorization command-type {commands | config-commands} user username command command-string
Purpose: Tests a user's authorization for a command on the TACACS+ servers.
The commands keyword specifies only EXEC commands and the config-commands keyword specifies only configuration commands.
Note
Put double quotes (") before and after the command-string argument if it contains spaces.
Example:
switch# test aaa authorization command-type commands user TestUser command reload
Enabling and Disabling Command Authorization Verification
You can enable and disable command authorization verification on the command-line interface (CLI) for the default user session or for another username.
Note
The commands do not execute when you enable authorization verification.
Procedure
Step 1
Command or Action: terminal verify-only [username username]
Purpose: Enables command authorization verification. After you enter this command, the Cisco NX-OS software indicates whether the commands you enter are authorized or not.
Example:
switch# terminal verify-only
Step 2
Command or Action: terminal no verify-only [username username]
Purpose: Disables command authorization verification.
Example:
switch# terminal no verify-only
Configuring Privilege Level Support for Authorization on TACACS+ Servers
You can configure privilege level support for authorization on TACACS+ servers.
Unlike Cisco IOS devices, which use privilege levels to determine authorization, Cisco NX-OS devices use role-based access control (RBAC). To enable both types of devices to be administered by the same TACACS+ servers, you can map the privilege levels configured on TACACS+ servers to user roles configured on Cisco NX-OS devices.
When a user authenticates with a TACACS+ server, the privilege level is obtained and used to form a local user role name of the format “priv-n,” where n is the privilege level. The user assumes the permissions of this local role. Sixteen privilege levels, which map directly to corresponding user roles, are available. The following table shows the user role permissions that correspond to each privilege level.
Privilege Level    User Role Permissions
15                 network-admin permissions
14                 vdc-admin permissions
13 - 1             • Standalone role permissions, if the feature privilege command is disabled.
                   • Same permissions as privilege level 0 with cumulative privileges for roles, if the feature privilege command is enabled.
0                  Permission to execute show commands and exec commands (such as ping, trace, and ssh).
Procedure
Step 1
Command or Action: configure terminal
Purpose: Enters global configuration mode.
Example:
switch# configure terminal
switch(config)#
Step 2
Command or Action: [no] feature privilege
Purpose: Enables or disables the cumulative privilege of roles. Users can see the enable command only if this feature is enabled. The default is disabled.
Example:
switch(config)# feature privilege
Step 3
Command or Action: [no] enable secret [0 | 5] password [priv-lvl priv-lvl | all]
Purpose: Enables or disables a secret password for a specific privilege level. Users are prompted to enter the correct password upon each privilege level escalation. The default is disabled.
You can enter 0 to specify that the password is in clear text or 5 to specify that the password is in encrypted format. The password argument can be up to 64 alphanumeric characters. The priv-lvl argument is from 1 to 15.
Note
To enable the secret password, you must have enabled the cumulative privilege of roles by entering the feature privilege command.
Example:
switch(config)# enable secret 5 def456 priv-lvl 15
Step 4
Command or Action: [no] username username priv-lvl n
Purpose: Enables or disables a user to use privilege levels for authorization. The default is disabled.
The priv-lvl keyword specifies the privilege level to which the user is assigned. There is no default privilege level. Privilege levels 0 to 15 (priv-lvl 0 to priv-lvl 15) map to user roles priv-0 to priv-15.
Example:
switch(config)# username user2 priv-lvl 15
Step 5
Command or Action: show privilege
Purpose: (Optional) Displays the username, current privilege level, and status of cumulative privilege support.
Example:
switch(config)# show privilege
Step 6
Command or Action: copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
Example:
switch(config)# copy running-config startup-config
Step 7
Command or Action: exit
Purpose: Exits global configuration mode.
Example:
switch(config)# exit
switch#
Step 8
Command or Action: enable level
Purpose: Enables a user to move to a higher privilege level. This command prompts for the secret password. The level argument specifies the privilege level to which the user is granted access. The only available level is 15.
Example:
switch# enable 15
Permitting or Denying Commands for Users of Privilege Roles
As a network administrator, you can modify the privilege roles to permit users to execute specific commands or to prevent users from running those commands.
You must follow these guidelines when changing the rules of privilege roles:
• You cannot modify the priv-14 and priv-15 roles.
• You can add deny rules only to the priv-0 role.
• These commands are always permitted for the priv-0 role: configure, copy, dir, enable, ping, show, ssh, telnet, terminal, traceroute, end, and exit.
Procedure
Step 1
Command or Action: configure terminal
Purpose: Enters global configuration mode.
Example:
switch# configure terminal
switch(config)#
Step 2
Command or Action: [no] role name priv-n
Purpose: Enables or disables a privilege role and enters role configuration mode. The n argument specifies the privilege level and is a number between 0 and 13.
Example:
switch(config)# role name priv-5
switch(config-role)#
Step 3
Command or Action: rule number {deny | permit} command command-string
Purpose: Configures a command rule for users of privilege roles. These rules permit or deny users to execute specific commands. You can configure up to 256 rules for each role. The rule number determines the order in which the rules are applied. Rules are applied in descending order. For example, if a role has three rules, rule 3 is applied before rule 2, which is applied before rule 1.
The command-string argument can contain spaces.
Note
Repeat this command for each rule, up to 256 rules.
Example:
switch(config-role)# rule 2 permit command pwd
Step 4
Command or Action: exit
Purpose: Exits role configuration mode.
Example:
switch(config-role)# exit
switch(config)#
Step 5
Command or Action: copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
Example:
switch(config)# copy running-config startup-config
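The rule-ordering semantics described above (descending rule numbers, at most 256 rules, deny-only rules on priv-0, the always-permitted command list for priv-0, and priv-14/priv-15 being unmodifiable) are easy to get wrong when auditing a role configuration. The following model is an added example written for this page; it is not Cisco code and does not reproduce NX-OS internals. Two points are assumptions of the model rather than statements from the guide: the first matching rule decides the result, and a command with no matching rule is denied. Rule matching is done on leading words, so a rule for "show" also covers "show running-config".

```python
"""Model of NX-OS privilege-role command rules (added example, not Cisco code).

Assumptions not stated verbatim in the guide: the first matching rule in
descending order decides, and a command that matches no rule is denied.
"""
from dataclasses import dataclass, field
from typing import Dict, Tuple

# Commands the guide lists as always permitted for the priv-0 role.
PRIV0_ALWAYS_PERMITTED = frozenset({
    "configure", "copy", "dir", "enable", "ping", "show",
    "ssh", "telnet", "terminal", "traceroute", "end", "exit",
})
MAX_RULES = 256  # per role, per the guide


@dataclass
class PrivRole:
    level: int
    # rule number -> (action, command-string), mirroring `rule <n> {deny|permit} command <string>`
    rules: Dict[int, Tuple[str, str]] = field(default_factory=dict)

    def __post_init__(self) -> None:
        # The guide: priv-14 and priv-15 cannot be modified; `role name priv-n` takes 0..13.
        if not 0 <= self.level <= 13:
            raise ValueError("only priv-0 through priv-13 can be modified")

    @property
    def name(self) -> str:
        return f"priv-{self.level}"

    def add_rule(self, number: int, action: str, command: str) -> None:
        if action not in ("permit", "deny"):
            raise ValueError("action must be 'permit' or 'deny'")
        if self.level == 0 and action != "deny":
            raise ValueError("only deny rules can be added to the priv-0 role")
        if not 1 <= number <= MAX_RULES:
            raise ValueError(f"rule number must be 1..{MAX_RULES}")
        if number not in self.rules and len(self.rules) >= MAX_RULES:
            raise ValueError(f"at most {MAX_RULES} rules per role")
        self.rules[number] = (action, command)

    def authorize(self, command_line: str) -> str:
        """Return 'permit' or 'deny' for a command typed by a user holding this role."""
        words = command_line.split()
        # priv-0 keeps its always-permitted commands regardless of deny rules.
        if self.level == 0 and words and words[0] in PRIV0_ALWAYS_PERMITTED:
            return "permit"
        # Rules are applied in descending order: rule 3 before rule 2 before rule 1.
        for number in sorted(self.rules, reverse=True):
            action, pattern = self.rules[number]
            pat_words = pattern.split()
            if words[: len(pat_words)] == pat_words:  # leading-word match (model assumption)
                return action
        return "deny"  # model assumption: implicit deny when nothing matches


if __name__ == "__main__":
    role = PrivRole(5)
    role.add_rule(1, "permit", "show")
    role.add_rule(2, "deny", "show running-config")
    role.add_rule(3, "permit", "show running-config interface")
    for cmd in ("show version", "show running-config", "show running-config interface ethernet1/1", "reload"):
        print(f"{role.name}: {cmd!r} -> {role.authorize(cmd)}")
```

Because higher-numbered rules win, a specific permit (rule 3) can carve an exception out of a broader deny (rule 2), which itself narrows a general permit (rule 1); reading the rules bottom-up is the right way to review a role.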
Configuring the Global TACACS+ Timeout Interval
You can set a global timeout interval that the Cisco Nexus device waits for responses from all TACACS+ servers before declaring a timeout failure.
Procedure
Step 1
Command or Action: switch# configure terminal
Purpose: Enters global configuration mode.
Step 2
Command or Action: switch(config)# tacacs-server timeout seconds
Purpose: Specifies the timeout interval for TACACS+ servers. The default timeout interval is 5 seconds and the range is from 1 to 60 seconds.
Step 3
Command or Action: switch(config)# exit
Purpose: Exits configuration mode.
Step 4
Command or Action: switch# show tacacs-server
Purpose: (Optional) Displays the TACACS+ server configuration.
Step 5
Command or Action: switch# copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
Configuring the Timeout Interval for a Server
You can set a timeout interval that the Cisco Nexus device waits for responses from a specific TACACS+ server before declaring a timeout failure.
Procedure
Step 1
Command or Action: switch# configure terminal
Purpose: Enters global configuration mode.
Step 2
Command or Action: switch(config)# tacacs-server host {ipv4-address | ipv6-address | host-name} timeout seconds
Purpose: Specifies the timeout interval for a specific server. The default is the global value.
Note
The timeout interval value specified for a TACACS+ server overrides the global timeout interval value specified for all TACACS+ servers.
Step 3
Command or Action: switch(config)# exit
Purpose: Exits configuration mode.
Step 4
Command or Action: switch# show tacacs-server
Purpose: (Optional) Displays the TACACS+ server configuration.
Step 5
Command or Action: switch# copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
Configuring TCP Ports
You can configure another TCP port for the TACACS+ servers if there are conflicts with another application.
By default, the Cisco Nexus device uses port 49 for all TACACS+ requests.
Procedure
Step 1
Command or Action: switch# configure terminal
Purpose: Enters global configuration mode.
Step 2
Command or Action: switch(config)# tacacs-server host {ipv4-address | ipv6-address | host-name} port tcp-port
Purpose: Specifies the TCP port to use for TACACS+ messages to this server. The default TCP port is 49. The range is from 1 to 65535.
Step 3
Command or Action: switch(config)# exit
Purpose: Exits configuration mode.
Step 4
Command or Action: switch# show tacacs-server
Purpose: (Optional) Displays the TACACS+ server configuration.
Step 5
Command or Action: switch# copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
The following example shows how to configure TCP ports:
switch# configure terminal
switch(config)# tacacs-server host 10.10.1.1 port 2
switch(config)# exit
switch# show tacacs-server
switch# copy running-config startup-config
Configuring Periodic TACACS+ Server Monitoring
You can monitor the availability of TACACS+ servers. The monitoring parameters include the username and password to use for the server and an idle timer. The idle timer specifies the interval in which a TACACS+ server receives no requests before the Cisco Nexus device sends out a test packet. You can configure this option to test servers periodically, or you can run a one-time only test.
Note
To protect network security, we recommend that you use a username that is not the same as an existing username in the TACACS+ database.
Note
The default idle timer value is 0 minutes. When the idle time interval is 0 minutes, periodic TACACS+ server monitoring is not performed.
Procedure
Step 1
Command or Action: switch# configure terminal
Purpose: Enters global configuration mode.
Step 2
Command or Action: switch(config)# tacacs-server host {ipv4-address | ipv6-address | host-name} test {idle-time minutes | password password [idle-time minutes] | username name [password password [idle-time minutes]]}
Purpose: Specifies parameters for server monitoring. The default username is test and the default password is test. The default value for the idle timer is 0 minutes and the valid range is from 0 to 1440 minutes.
Note
For periodic TACACS+ server monitoring, the idle timer value must be greater than 0.
Step 3
Command or Action: switch(config)# tacacs-server dead-time minutes
Purpose: Specifies the number of minutes before the Cisco Nexus device checks a TACACS+ server that was previously unresponsive. The default value is 0 minutes and the valid range is 0 to 1440 minutes.
Step 4
Command or Action: switch(config)# exit
Purpose: Exits configuration mode.
Step 5
Command or Action: switch# show tacacs-server
Purpose: (Optional) Displays the TACACS+ server configuration.
Step 6
Command or Action: switch# copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
The following example shows how to configure periodic TACACS+ server monitoring:
switch# configure terminal
switch(config)# tacacs-server host 10.10.1.1 test username user1 password Ur2Gd2BH idle-time 3
switch(config)# tacacs-server dead-time 5
switch(config)# exit
switch# show tacacs-server
switch# copy running-config startup-config
Configuring the Dead-Time Interval
You can configure the dead-time interval for all TACACS+ servers. The dead-time interval specifies the time that the Cisco Nexus device waits, after declaring a TACACS+ server is dead, before sending out a test packet to determine if the server is now alive.
Note
When the dead-time interval is 0 minutes, TACACS+ servers are not marked as dead even if they are not responding. You can configure the dead-time interval per group.
Procedure
Step 1
Command or Action: switch# configure terminal
Purpose: Enters global configuration mode.
Step 2
Command or Action: switch(config)# tacacs-server deadtime minutes
Purpose: Configures the global dead-time interval. The default value is 0 minutes. The range is from 1 to 1440 minutes.
Step 3
Command or Action: switch(config)# exit
Purpose: Exits configuration mode.
Step 4
Command or Action: switch# show tacacs-server
Purpose: (Optional) Displays the TACACS+ server configuration.
Step 5
Command or Action: switch# copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
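The idle timer from the periodic-monitoring section and the dead-time interval from this section interact: the idle timer decides when a server that is believed alive gets a test packet, and the dead time decides how long an unresponsive server is left alone before it is re-checked, with 0 disabling each behaviour. The following simulation is an added example written for this page, not Cisco code; it models only what the guide states (time in minutes, the 0 to 1440 ranges, the values from the page's own example) and does not claim to reproduce the switch's internal scheduler. The state names "alive" and "dead" and the method names are assumptions of the model.

```python
"""Model of TACACS+ server monitoring timers (added example, not Cisco code).

Time is counted in whole minutes.  idle_time and dead_time follow the guide:
0..1440, with 0 disabling periodic probing / dead marking respectively.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class MonitoredServer:
    host: str
    idle_time: int = 0            # `test ... idle-time minutes`; 0 = no periodic monitoring
    dead_time: int = 0            # `tacacs-server deadtime minutes`; 0 = never marked dead
    last_request: int = 0         # minute of the last real request or test packet
    dead_since: Optional[int] = None  # minute the server was declared dead, if it is

    def __post_init__(self) -> None:
        for value in (self.idle_time, self.dead_time):
            if not 0 <= value <= 1440:
                raise ValueError("minutes must be in the range 0 to 1440")

    @property
    def state(self) -> str:
        return "dead" if self.dead_since is not None else "alive"

    def note_request(self, now: int) -> None:
        """A real AAA request went to this server; the idle timer restarts."""
        self.last_request = now

    def probe_due(self, now: int) -> bool:
        """Would the device send a test packet at minute `now`?"""
        if self.dead_since is not None:
            # An unresponsive server is re-checked only after the dead-time elapses.
            return now - self.dead_since >= self.dead_time
        # A live server is probed once it has been idle for idle_time minutes (if > 0).
        return self.idle_time > 0 and now - self.last_request >= self.idle_time

    def probe_result(self, now: int, responded: bool) -> str:
        """Record the outcome of a test packet and return the resulting state."""
        self.last_request = now
        if responded:
            self.dead_since = None
        elif self.dead_time > 0 and self.dead_since is None:
            # With deadtime 0 the guide says servers are never marked dead.
            self.dead_since = now
        return self.state


if __name__ == "__main__":
    # Values from the guide's example: idle-time 3, dead-time 5.
    srv = MonitoredServer("10.10.1.1", idle_time=3, dead_time=5)
    for minute in range(0, 12):
        if srv.probe_due(minute):
            # Constructed outcome: the server answers only from minute 8 onwards.
            print(f"t={minute:2d} probe -> {srv.probe_result(minute, responded=minute >= 8)}")
```

A server whose deadtime is 0 keeps receiving normal requests (and keeps timing out on each) because it is never taken out of rotation; setting a non-zero deadtime is what lets the switch fail over to the next server in the group promptly.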
Manually Monitoring TACACS+ Servers or Groups
Procedure
Step 1
Command or Action: switch# test aaa server tacacs+ {ipv4-address | ipv6-address | host-name} [vrf vrf-name] username password
Purpose: Sends a test message to a TACACS+ server to confirm availability.
Step 2
Command or Action: switch# test aaa group group-name username password
Purpose: Sends a test message to a TACACS+ server group to confirm availability.
The following example shows how to manually issue a test message:
switch# test aaa server tacacs+ 10.10.1.1 user1 Ur2Gd2BH
switch# test aaa group TacGroup user2 As3He3CI
Disabling TACACS+
You can disable TACACS+.
Caution
When you disable TACACS+, all related configurations are automatically discarded.
Procedure
Step 1
Command or Action: switch# configure terminal
Purpose: Enters global configuration mode.
Step 2
Command or Action: switch(config)# no feature tacacs+
Purpose: Disables TACACS+.
Step 3
Command or Action: switch(config)# exit
Purpose: Exits configuration mode.
Step 4
Command or Action: switch# copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
Displaying TACACS+ Statistics
To display the statistics that the switch maintains for TACACS+ activity, perform this task:
Procedure
Step 1
Command or Action: switch# show tacacs-server statistics {hostname | ipv4-address | ipv6-address}
Purpose: Displays the TACACS+ statistics.
For detailed information about the fields in the output from this command, see the Command Reference for your Nexus switch.
Verifying the TACACS+ Configuration
To display TACACS+ information, perform one of the following tasks:
Command: show tacacs+ {status | pending | pending-diff}
Purpose: Displays the TACACS+ Cisco Fabric Services distribution status and other details.
Command: show running-config tacacs [all]
Purpose: Displays the TACACS+ configuration in the running configuration.
Command: show startup-config tacacs
Purpose: Displays the TACACS+ configuration in the startup configuration.
Command: show tacacs-server [host-name | ipv4-address | ipv6-address] [directed-request | groups | sorted | statistics]
Purpose: Displays all configured TACACS+ server parameters.
Configuration Examples for TACACS+
This example shows how to configure TACACS+:
switch# configure terminal
switch(config)# feature tacacs+
switch(config)# tacacs-server key 7 "ToIkLhPpG"
switch(config)# tacacs-server host 10.10.2.2 key 7 "ShMoMhTl"
switch(config)# aaa group server tacacs+ TacServer
switch(config-tacacs+)# server 10.10.2.2
switch(config-tacacs+)# use-vrf management
This example shows how to enable TACACS+, configure the TACACS+ server preshared key, and specify the remote AAA servers that provide authentication for the server group TacServer1:
switch# configure terminal
switch(config)# feature tacacs+
switch(config)# tacacs-server key 7 "ikvhw10"
switch(config)# tacacs-server host 1.1.1.1
switch(config)# tacacs-server host 1.1.1.2
switch(config)# aaa group server tacacs+ TacServer1
switch(config-tacacs+)# server 1.1.1.1
switch(config-tacacs+)# server 1.1.1.2
CHAPTER 6
Configuring SSH and Telnet
This chapter contains the following sections:
• Information About SSH and Telnet, page 75
• Guidelines and Limitations for SSH, page 76
• Default Settings for SSH, page 76
• Configuring SSH, page 77
• Configuration Examples for SSH, page 82
• Configuring Telnet, page 83
• Verifying the SSH and Telnet Configuration, page 84
Information About SSH and Telnet
SSH Server
The Secure Shell Protocol (SSH) server feature enables an SSH client to make a secure, encrypted connection to a Cisco Nexus device. SSH uses strong encryption for authentication. The SSH server in the Cisco Nexus device interoperates with publicly and commercially available SSH clients.
The user authentication mechanisms supported for SSH are RADIUS, TACACS+, and the use of locally stored user names and passwords.
SSH Client
The SSH client feature is an application running over the SSH protocol to provide device authentication and encryption. The SSH client enables a switch to make a secure, encrypted outbound connection to another Cisco Nexus device or to any other device running an SSH server. With authentication and encryption, the SSH client allows for secure communication over an insecure network.
The SSH client in the Cisco Nexus device works with publicly and commercially available SSH servers.
SSH Server Keys
SSH requires server keys for secure communications to the Cisco Nexus device. You can use SSH keys for the following SSH options:
• SSH version 2 using Rivest, Shamir, and Adleman (RSA) public-key cryptography
• SSH version 2 using the Digital Signature Algorithm (DSA)
Be sure to have an SSH server key-pair with the appropriate version before enabling the SSH service. You can generate the SSH server key-pair according to the SSH client version used. The SSH service accepts the following types of key-pairs for use by SSH version 2:
• The dsa option generates the DSA key-pair for the SSH version 2 protocol.
• The rsa option generates the RSA key-pair for the SSH version 2 protocol.
By default, the Cisco Nexus device generates an RSA key using 1024 bits.
SSH supports the following public key formats:
• OpenSSH
• IETF Secure Shell (SECSH)
Caution
If you delete all of the SSH keys, you cannot start the SSH services.
Telnet Server
The Telnet protocol enables TCP/IP connections to a host. Telnet allows a user at one site to establish a TCP connection to a login server at another site, and then passes the keystrokes from one system to the other. Telnet can accept either an IP address or a domain name as the remote system address.
The Telnet server is enabled by default on the Cisco Nexus device.
Guidelines and Limitations for SSH
SSH has the following configuration guidelines and limitations:
• The Cisco Nexus device supports only SSH version 2 (SSHv2).
Default Settings for SSH
The following table lists the default settings for SSH parameters.
Table 8: Default SSH Parameters
Parameters                     Default
SSH server                     Enabled
SSH server key                 RSA key generated with 1024 bits
RSA key bits for generation    1024
Telnet server                  Enabled
Configuring SSH
Generating SSH Server Keys
You can generate an SSH server key based on your security requirements. The default SSH server key is an RSA key that is generated using 1024 bits.
Procedure
Step 1
Command or Action: switch# configure terminal
Purpose: Enters global configuration mode.
Step 2
Command or Action: switch(config)# ssh key {dsa [force] | rsa [bits [force]]}
Purpose: Generates the SSH server key. The bits argument is the number of bits used to generate the key. The range is from 768 to 2048 and the default value is 1024. Use the force keyword to replace an existing key.
Step 3
Command or Action: switch(config)# exit
Purpose: Exits global configuration mode.
Step 4
Command or Action: switch# show ssh key
Purpose: (Optional) Displays the SSH server keys.
Step 5
Command or Action: switch# copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
The following example shows how to generate an SSH server key:
switch# configure terminal
switch(config)# ssh key rsa 2048
switch(config)# exit
switch# show ssh key
switch# copy running-config startup-config
Specifying the SSH Public Keys for User Accounts
You can configure an SSH public key to log in using an SSH client without being prompted for a password.
You can specify the SSH public key in one of three different formats:
• Open SSH format
• IETF SECSH format
• Public Key Certificate in PEM format
Specifying the SSH Public Keys in Open SSH Format
You can specify the SSH public keys in SSH format for user accounts.
Procedure
Step 1
Command or Action: switch# configure terminal
Purpose: Enters global configuration mode.
Step 2
Command or Action: switch(config)# username username sshkey ssh-key
Purpose: Configures the SSH public key in Open SSH format.
Step 3
Command or Action: switch(config)# exit
Purpose: Exits global configuration mode.
Step 4
Command or Action: switch# show user-account
Purpose: (Optional) Displays the user account configuration.
Step 5
Command or Action: switch# copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
The following example shows how to specify an SSH public key in Open SSH format:
switch# configure terminal
switch(config)# username User1 sshkey ssh-rsa
AAAAB3NzaC1yc2EAAAABIwAAAIEAri3mQy4W1AV9Y2t2hrEWgbUEYz
CfTPO5B8LRkedn56BEy2N9ZcdpqE6aqJLZwfZcTFEzaAAZp9AS86dgBAjsKGs7UxnhGySr8ZELv+DQBsDQH6rZt0KR+2Da8hJD4Z
XIeccWk0gS1DQUNZ300xstQsYZUtqnx1bvm5Ninn0McNinn0Mc=
switch(config)# exit
switch# show user-account
switch# copy running-config startup-config
Note
The username command in the example above is a single line that has been broken for legibility.
Specifying the SSH Public Keys in IETF SECSH Format
You can specify the SSH public keys in IETF SECSH format for user accounts.
Procedure
Step 1
Command or Action: switch# copy server-file bootflash:filename
Purpose: Downloads the file that contains the SSH key in IETF SECSH format from a server. The server can be FTP, SCP, SFTP, or TFTP.
Step 2
Command or Action: switch# configure terminal
Purpose: Enters global configuration mode.
Step 3
Command or Action: switch(config)# username username sshkey file filename
Purpose: Configures the SSH public key in IETF SECSH format from the downloaded file.
Step 4
Command or Action: switch(config)# exit
Purpose: Exits global configuration mode.
Step 5
Command or Action: switch# show user-account
Purpose: (Optional) Displays the user account configuration.
Step 6
Command or Action: switch# copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
The following example shows how to specify the SSH public key in the IETF SECSH format:
switch# copy tftp://10.10.1.1/secsh_file.pub bootflash:secsh_file.pub
switch# configure terminal
switch(config)# username User1 sshkey file bootflash:secsh_file.pub
switch(config)# exit
switch# show user-account
switch# copy running-config startup-config
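The two user-key formats above, Open SSH (one line: key type, base64 blob, optional comment) and IETF SECSH (RFC 4716: BEGIN/END markers, optional header lines, wrapped base64), carry the same public-key blob, so an administrator can check a key before loading it rather than trusting a file copied from a TFTP server. The following is an added example written for this page, not Cisco code or a Cisco tool: it parses an RSA key in Open SSH format, reports the bit count and colon-separated MD5 fingerprint in the style of the show ssh key output later in this chapter, converts to and from SECSH format, and builds the username ... sshkey line shown in the Open SSH procedure. The sample key is constructed inline from an arbitrary 1024-bit odd integer and is not a real RSA modulus; only the wire-format encoding is exercised, not any cryptographic property.

```python
"""Added example (not Cisco code): OpenSSH <-> IETF SECSH (RFC 4716) handling
for an ssh-rsa public key, with bit count and MD5 fingerprint reporting.
The sample key below is constructed and is NOT a real RSA key.
"""
import base64
import hashlib
import struct


def _string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b


def _mpint(x: int) -> bytes:
    """SSH wire-format mpint for x >= 0 (extra leading 0x00 when the top bit is set)."""
    return _string(x.to_bytes((x.bit_length() + 8) // 8, "big"))


def _read_string(blob: bytes, off: int):
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n


def build_rsa_blob(e: int, n: int) -> bytes:
    """Encode an ssh-rsa public key blob: string "ssh-rsa", mpint e, mpint n."""
    return _string(b"ssh-rsa") + _mpint(e) + _mpint(n)


def parse_openssh(line: str) -> dict:
    """Parse one Open SSH format line: '<type> <base64 blob> [comment]'."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    keytype, b64 = parts[0], parts[1]
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError(f"invalid base64 in key: {exc}") from None
    wire_type, off = _read_string(blob, 0)
    if wire_type.decode("ascii", "replace") != keytype:
        raise ValueError("key type inside the blob does not match the line prefix")
    if keytype != "ssh-rsa":
        raise ValueError("only ssh-rsa is handled by this example")
    e_bytes, off = _read_string(blob, off)
    n_bytes, off = _read_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing bytes after the modulus")
    n = int.from_bytes(n_bytes, "big")
    return {"type": keytype, "blob": blob, "e": int.from_bytes(e_bytes, "big"),
            "bits": n.bit_length(), "comment": " ".join(parts[2:])}


def md5_fingerprint(blob: bytes) -> str:
    """Colon-separated MD5 fingerprint, the form `show ssh key` prints on the page."""
    digest = hashlib.md5(blob, usedforsecurity=False).digest()
    return ":".join(f"{b:02x}" for b in digest)


def to_secsh(blob: bytes, comment: str = "") -> str:
    """Render the blob in IETF SECSH (RFC 4716) format."""
    b64 = base64.b64encode(blob).decode("ascii")
    lines = ["---- BEGIN SSH2 PUBLIC KEY ----"]
    if comment:
        lines.append(f'Comment: "{comment}"')
    lines += [b64[i:i + 64] for i in range(0, len(b64), 64)]
    lines.append("---- END SSH2 PUBLIC KEY ----")
    return "\n".join(lines) + "\n"


def from_secsh(text: str) -> bytes:
    """Recover the blob from SECSH text (header lines contain ':', base64 never does)."""
    body = [ln for ln in text.splitlines()
            if ln and not ln.startswith("----") and ":" not in ln]
    return base64.b64decode("".join(body), validate=True)


def nxos_username_command(user: str, openssh_line: str) -> str:
    """Build the 'username <user> sshkey <type> <blob>' line from the guide (comment dropped)."""
    k = parse_openssh(openssh_line)
    return f"username {user} sshkey {k['type']} {base64.b64encode(k['blob']).decode('ascii')}"


# Constructed sample: a 1024-bit odd integer standing in for a modulus (not a real key).
SAMPLE_N = (1 << 1023) + 12345
SAMPLE_BLOB = build_rsa_blob(65537, SAMPLE_N)
SAMPLE_OPENSSH_LINE = ("ssh-rsa " + base64.b64encode(SAMPLE_BLOB).decode("ascii")
                       + " user1@example (constructed)")

if __name__ == "__main__":
    key = parse_openssh(SAMPLE_OPENSSH_LINE)
    print(f"{key['type']} bitcount:{key['bits']} fingerprint: {md5_fingerprint(key['blob'])}")
    print(to_secsh(key["blob"], key["comment"]))
    print(nxos_username_command("User1", SAMPLE_OPENSSH_LINE))
```

Comparing the fingerprint computed here against the one the user reports out of band, before entering the username ... sshkey command, is the check that guards against a key file altered in transit over TFTP, which the guide lists as a supported but unauthenticated copy method.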
Specifying the SSH Public Keys in PEM-Formatted Public Key Certificate Form
You can specify the SSH public keys in PEM-formatted Public Key Certificate form for user accounts.
Procedure
Step 1
Command or Action: switch# copy server-file bootflash:filename
Purpose: Downloads the file that contains the SSH key in PEM-formatted Public Key Certificate form from a server. The server can be FTP, SCP, SFTP, or TFTP.
Step 2
Command or Action: switch# configure terminal
Purpose: Enters global configuration mode.
Step 3
Command or Action: switch# show user-account
Purpose: (Optional) Displays the user account configuration.
Step 4
Command or Action: switch# copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
The following example shows how to specify the SSH public keys in PEM-formatted public key certificate form:
switch# copy tftp://10.10.1.1/cert.pem bootflash:cert.pem
switch# configure terminal
switch# show user-account
switch# copy running-config startup-config
Starting SSH Sessions to Remote Devices
You can start SSH sessions to connect to remote devices from your Cisco Nexus device.
Procedure
Step 1
Command or Action: switch# ssh {hostname | username@hostname} [vrf vrf-name]
Purpose: Creates an SSH session to a remote device. The hostname argument can be an IPv4 address, an IPv6 address, or a hostname.
Clearing SSH Hosts
When you download a file from a server using SCP or SFTP, you establish a trusted SSH relationship with that server.
Procedure
Step 1
Command or Action: switch# clear ssh hosts
Purpose: Clears the SSH host sessions.
Disabling the SSH Server
By default, the SSH server is enabled on the Cisco Nexus device.
Procedure
Step 1
Command or Action: switch# configure terminal
Purpose: Enters global configuration mode.
Step 2
Command or Action: switch(config)# [no] feature ssh
Purpose: Enables/disables the SSH server. The default is enabled.
Step 3
Command or Action: switch(config)# exit
Purpose: Exits global configuration mode.
Step 4
Command or Action: switch# show ssh server
Purpose: (Optional) Displays the SSH server configuration.
Step 5
Command or Action: switch# copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
Deleting SSH Server Keys
You can delete SSH server keys after you disable the SSH server.
Note
To reenable SSH, you must first generate an SSH server key.
Procedure
Step 1
Command or Action: switch# configure terminal
Purpose: Enters global configuration mode.
Step 2
Command or Action: switch(config)# no feature ssh
Purpose: Disables the SSH server.
Step 3
Command or Action: switch(config)# no ssh key [dsa | rsa]
Purpose: Deletes the SSH server key. The default is to delete all the SSH keys.
Step 4
Command or Action: switch(config)# exit
Purpose: Exits global configuration mode.
Step 5
Command or Action: switch# show ssh key
Purpose: (Optional) Displays the SSH server configuration.
Step 6
Command or Action: switch# copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
Clearing SSH Sessions
You can clear SSH sessions from the Cisco Nexus device.
Procedure
Step 1
Command or Action: switch# show users
Purpose: Displays user session information.
Step 2
Command or Action: switch# clear line vty-line
Purpose: Clears a user SSH session.
Configuration Examples for SSH
The following example shows how to configure SSH:
Procedure
Step 1
Generate an SSH server key.
switch(config)# ssh key rsa
generating rsa key(1024 bits).....
.
generated rsa key
Step 2
Enable the SSH server.
switch# configure terminal
switch(config)# feature ssh
Note
This step should not be required because the SSH server is enabled by default.
Step 3
Display the SSH server key.
switch(config)# show ssh key
rsa Keys generated:Fri May 8 22:09:47 2009 ssh-rsa
AAAAB3NzaC1yc2EAAAABIwAAAIEAri3mQy4W1AV9Y2t2hrEWgbUEYzCfTPO5B8LRkedn56BEy2N9ZcdpqE6aqJLZwfZ/ cTFEzaAAZp9AS86dgBAjsKGs7UxnhGySr8ZELv+DQBsDQH6rZt0KR+2Da8hJD4ZXIeccWk0gS1DQUNZ300xstQsYZUtqnx1bvm5/
Ninn0Mc= bitcount:1024 fingerprint:
4b:4d:f6:b9:42:e9:d9:71:3c:bd:09:94:4a:93:ac:ca
**************************************
could not retrieve dsa key information
**************************************
Step 4
Specify the SSH public key in Open SSH format.
switch(config)# username User1 sshkey ssh-rsa
AAAAB3NzaC1yc2EAAAABIwAAAIEAri3mQy4W1AV9Y2t2hrEWgbUEYz
CfTPO5B8LRkedn56BEy2N9ZcdpqE6aqJLZwfZcTFEzaAAZp9AS86dgBAjsKGs7UxnhGySr8ZELv+DQBsDQH6rZt0KR+2Da8hJD4Z
XIeccWk0gS1DQUNZ300xstQsYZUtqnx1bvm5Ninn0McNinn0Mc=
Step 5
Save the configuration.
switch(config)# copy running-config startup-config
Configuring Telnet
Enabling the Telnet Server
By default, the Telnet server is enabled. You can disable the Telnet server on your Cisco Nexus device.
Procedure
Step 1
Command or Action: switch# configure terminal
Purpose: Enters global configuration mode.
Step 2
Command or Action: switch(config)# [no] feature telnet
Purpose: Enables/disables the Telnet server. The default is enabled.
Reenabling the Telnet Server
If the Telnet server on your Cisco Nexus device has been disabled, you can reenable it.
Procedure
Step 1
Command or Action: switch(config)# feature telnet
Purpose: Reenables the Telnet server.
Starting Telnet Sessions to Remote Devices
Before you start a Telnet session to connect to remote devices, you should do the following:
• Obtain the hostname for the remote device and, if needed, obtain the username on the remote device.
• Enable the Telnet server on the Cisco Nexus device.
• Enable the Telnet server on the remote device.
Procedure
Step 1: switch# telnet hostname
  Purpose: Creates a Telnet session to a remote device. The hostname argument can be an IPv4 address, an IPv6 address, or a device name.
The following example shows how to start a Telnet session to connect to a remote device:
switch# telnet 10.10.1.1
Trying 10.10.1.1...
Connected to 10.10.1.1.
Escape character is '^]'.
switch login:
Clearing Telnet Sessions
You can clear Telnet sessions from the Cisco Nexus device.
Procedure
Step 1: switch# show users
  Purpose: Displays user session information.
Step 2: switch# clear line vty-line
  Purpose: Clears a user Telnet session.
Verifying the SSH and Telnet Configuration
To display SSH and Telnet information, perform one of the following tasks:
show ssh key [dsa | rsa]
  Displays SSH server key-pair information.
show running-config security [all]
  Displays the SSH and user account configuration in the running configuration. The all keyword displays the default values for the SSH and user accounts.
show ssh server
  Displays the SSH server configuration.
show user-account
  Displays user account information.
Chapter 7
Configuring 802.1X
This chapter contains the following sections:
• Information About 802.1X, page 87
• Licensing Requirements for 802.1X, page 95
• Prerequisites for 802.1X, page 95
• 802.1X Guidelines and Limitations, page 95
• Default Settings for 802.1X, page 96
• Verifying the 802.1X Configuration, page 116
• Configuration Example for 802.1X, page 117
• Additional References for 802.1X, page 118
• Feature History for 802.1X, page 119
Information About 802.1X
802.1X defines a client-server-based access control and authentication protocol that restricts unauthorized clients from connecting to a LAN through publicly accessible ports. The authentication server authenticates each client connected to a Cisco NX-OS device port.
Until the client is authenticated, 802.1X access control allows only Extensible Authentication Protocol over LAN (EAPOL) traffic through the port to which the client is connected. After authentication is successful, normal traffic can pass through the port.
Device Roles
With 802.1X port-based authentication, the devices in the network have specific roles.
This figure shows the device roles in 802.1X.
Figure 4: 802.1X Device Roles
The specific roles are as follows:
Supplicant
The client device that requests access to the LAN and Cisco NX-OS device services and responds to requests from the Cisco NX-OS device. The workstation must be running 802.1X-compliant client software such as that offered in the Microsoft Windows XP operating system.
Note
To resolve Windows XP network connectivity and Cisco 802.1X port-based authentication issues, read the Microsoft Knowledge Base article at this URL: http://support.microsoft.com/support/kb/articles/Q303/5/97.ASP
Authentication server
The authentication server performs the actual authentication of the supplicant. The authentication server validates the identity of the supplicant and notifies the Cisco NX-OS device regarding whether the supplicant is authorized to access the LAN and Cisco NX-OS device services. Because the Cisco NX-OS device acts as the proxy, the authentication service is transparent to the supplicant. The Remote Authentication Dial-In User Service (RADIUS) security device with Extensible Authentication Protocol (EAP) extensions is the only supported authentication server; it is available in Cisco Secure Access Control Server, version 3.0. RADIUS uses a supplicant-server model in which secure authentication information is exchanged between the RADIUS server and one or more RADIUS clients.
Authenticator
The authenticator controls the physical access to the network based on the authentication status of the supplicant. The authenticator acts as an intermediary (proxy) between the supplicant and the authentication server, requesting identity information from the supplicant, verifying the requested identity information with the authentication server, and relaying a response to the supplicant. The authenticator includes the RADIUS client, which is responsible for encapsulating and decapsulating the EAP frames and interacting with the authentication server.
When the authenticator receives EAPOL frames and relays them to the authentication server, the authenticator strips off the Ethernet header and encapsulates the remaining EAP frame in the RADIUS format. This encapsulation process does not modify or examine the EAP frames, and the authentication server must support EAP within the native frame format. When the authenticator receives frames from the authentication server, the authenticator removes the server’s frame header, leaving the EAP frame, which the authenticator then encapsulates for Ethernet and sends to the supplicant.
Note
The Cisco NX-OS device can only be an 802.1X authenticator.
Authentication Initiation and Message Exchange
Either the authenticator (Cisco NX-OS device) or the supplicant (client) can initiate authentication. If you enable authentication on a port, the authenticator must initiate authentication when it determines that the port link state transitions from down to up. The authenticator then sends an EAP-request/identity frame to the supplicant to request its identity (typically, the authenticator sends an initial identity/request frame followed by one or more requests for authentication information). When the supplicant receives the frame, it responds with an EAP-response/identity frame.
If the supplicant does not receive an EAP-request/identity frame from the authenticator during bootup, the supplicant can initiate authentication by sending an EAPOL-start frame, which prompts the authenticator to request the supplicant’s identity.
Note
If 802.1X is not enabled or supported on the network access device, the Cisco NX-OS device drops any EAPOL frames from the supplicant. If the supplicant does not receive an EAP-request/identity frame after three attempts to start authentication, the supplicant transmits data as if the port is in the authorized state.
A port in the authorized state means that the supplicant has been successfully authenticated.
When the supplicant supplies its identity, the authenticator begins its role as the intermediary, passing EAP frames between the supplicant and the authentication server until authentication succeeds or fails. If the authentication succeeds, the authenticator port becomes authorized.
The specific exchange of EAP frames depends on the authentication method being used.
This figure shows a message exchange initiated by the supplicant using the One-Time-Password (OTP) authentication method with a RADIUS server. The OTP authentication device uses a secret pass-phrase to generate a sequence of one-time (single use) passwords.
Figure 5: Message Exchange
The user’s secret pass-phrase never crosses the network at any time such as during authentication or during pass-phrase changes.
Authenticator PAE Status for Interfaces
When you enable 802.1X on an interface, the Cisco NX-OS software creates an authenticator port access entity (PAE) instance. An authenticator PAE is a protocol entity that supports authentication on the interface.
When you disable 802.1X on the interface, the Cisco NX-OS software does not automatically clear the authenticator PAE instances. You can explicitly remove the authenticator PAE from the interface and then reapply it, as needed.
Ports in Authorized and Unauthorized States
The authenticator port state determines if the supplicant is granted access to the network. The port starts in the unauthorized state. In this state, the port disallows all ingress and egress traffic except for 802.1X protocol packets. When a supplicant is successfully authenticated, the port transitions to the authorized state, allowing all traffic for the supplicant to flow normally.
If a client that does not support 802.1X is connected to an unauthorized 802.1X port, the authenticator requests the client’s identity. In this situation, the client does not respond to the request, the port remains in the unauthorized state, and the client is not granted access to the network.
In contrast, when an 802.1X-enabled client connects to a port that is not running the 802.1X protocol, the client initiates the authentication process by sending the EAPOL-start frame. When no response is received, the client sends the request for a fixed number of times. Because no response is received, the client begins sending frames as if the port is in the authorized state.
Ports can have the following authorization states:
Force authorized
Disables 802.1X port-based authentication and transitions to the authorized state without requiring any authentication exchange. The port transmits and receives normal traffic without 802.1X-based authentication of the client. This authorization state is the default.
Force unauthorized
Causes the port to remain in the unauthorized state, ignoring all attempts by the client to authenticate. The authenticator cannot provide authentication services to the client through the interface.
Auto
Enables 802.1X port-based authentication and causes the port to begin in the unauthorized state, allowing only EAPOL frames to be sent and received through the port. The authentication process begins when the link state of the port transitions from down to up or when an EAPOL-start frame is received from the supplicant. The authenticator requests the identity of the client and begins relaying authentication messages between the client and the authentication server. Each supplicant that attempts to access the network is uniquely identified by the authenticator by using the supplicant’s MAC address.
If the supplicant is successfully authenticated (receives an Accept frame from the authentication server), the port state changes to authorized, and all frames from the authenticated supplicant are allowed through the port. If the authentication fails, the port remains in the unauthorized state, but authentication can be retried.
If the authentication server cannot be reached, the authenticator can retransmit the request. If no response is received from the server after the specified number of attempts, authentication fails, and the supplicant is not granted network access.
When a supplicant logs off, it sends an EAPOL-logoff message, which causes the authenticator port to transition to the unauthorized state.
If the link state of a port transitions from up to down, or if an EAPOL-logoff frame is received, the port returns to the unauthorized state.
MAC Authentication Bypass
You can configure the Cisco NX-OS device to authorize a supplicant based on the supplicant MAC address by using the MAC authentication bypass feature. For example, you can enable this feature on interfaces configured for 802.1X that are connected to devices such as printers.
If 802.1X authentication times out while waiting for an EAPOL response from the supplicant, the Cisco NX-OS device tries to authorize the client by using MAC authentication bypass.
When you enable the MAC authentication bypass feature on an interface, the Cisco NX-OS device uses the MAC address as the supplicant identity. The authentication server has a database of supplicant MAC addresses that are allowed network access. After detecting a client on the interface, the Cisco NX-OS device waits for an Ethernet packet from the client. The Cisco NX-OS device sends the authentication server a RADIUS-access/request frame with a username and password based on the MAC address. If authorization succeeds, the Cisco NX-OS device grants the client access to the network. If authorization fails, the Cisco NX-OS device assigns the port to the guest VLAN if one is configured.
If an EAPOL packet is detected on the interface during the lifetime of the link, the Cisco NX-OS device determines that the device connected to that interface is an 802.1X-capable supplicant and uses 802.1X authentication (not MAC authentication bypass) to authorize the interface. EAPOL history is cleared if the interface link status goes down.
If the Cisco NX-OS device already authorized an interface by using MAC authentication bypass and detects an 802.1X supplicant, the Cisco NX-OS device does not unauthorize the client connected to the interface.
When reauthentication occurs, the Cisco NX-OS device uses 802.1X authentication as the preferred reauthentication process if the previous session ended because the Termination-Action RADIUS attribute value is DEFAULT.
Clients that were authorized with MAC authentication bypass can be reauthenticated. The reauthentication process is the same as that for clients that were authenticated with 802.1X. During reauthentication, the port remains in the previously assigned VLAN. If reauthentication is successful, the switch keeps the port in the same VLAN. If reauthentication fails, the switch assigns the port to the guest VLAN, if one is configured.
If reauthentication is based on the Session-Timeout RADIUS attribute (Attribute[27]) and the Termination-Action RADIUS attribute (Attribute [29]) and if the Termination-Action RADIUS attribute (Attribute [29]) action is Initialize (the attribute value is DEFAULT), the MAC authentication bypass session ends, and connectivity is lost during reauthentication. If MAC authentication bypass is enabled and the 802.1X authentication times out, the switch uses the MAC authentication bypass feature to initiate reauthorization.
For more information about these AV pairs, see RFC 3580, IEEE 802.1X Remote Authentication Dial In User Service (RADIUS) Usage Guidelines.
MAC authentication bypass interacts with the following features:
• 802.1X authentication—You can enable MAC authentication bypass only if 802.1X authentication is enabled on the port.
• Port security— You can configure 802.1X authentication and port security on the same Layer 2 ports.
• Network admission control (NAC) Layer 2 IP validation—This feature takes effect after an 802.1X port is authenticated with MAC authentication bypass, including hosts in the exception list.
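The port-control modes and transitions described under "Ports in Authorized and Unauthorized States", together with the MAC authentication bypass fallback described in this section, can be captured as a small state machine. The following Python model is an added example, not NX-OS code; its event and attribute names (link_up, eapol_timeout, max_server_attempts, guest_vlan, and so on) are this example's own, with max_server_attempts standing in for the "specified number of attempts" the guide mentions for an unreachable server. It fails closed: only an explicit Accept moves an auto port to authorized, and force-authorized ports never consult the server at all.

```python
from dataclasses import dataclass, field
from typing import List, Optional

AUTHORIZED = "authorized"
UNAUTHORIZED = "unauthorized"
PORT_CONTROL_MODES = ("auto", "force-authorized", "force-unauthorized")


@dataclass
class Dot1xPort:
    """Authorization state of one 802.1X-controlled port as the guide describes it.

    Attribute and method names are this example's own (hypothetical), not NX-OS
    command names.
    """
    port_control: str = "force-authorized"   # default per the guide
    mab_enabled: bool = False
    guest_vlan: Optional[int] = None
    max_server_attempts: int = 2
    state: str = field(init=False, default=UNAUTHORIZED)
    authenticated_mac: Optional[str] = None
    vlan: Optional[int] = None
    server_attempts: int = 0
    log: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.port_control not in PORT_CONTROL_MODES:
            raise ValueError(f"unknown port-control mode {self.port_control!r}")
        self._reset()

    def _reset(self) -> None:
        # force-authorized skips authentication entirely; the other modes start unauthorized
        self.state = AUTHORIZED if self.port_control == "force-authorized" else UNAUTHORIZED
        self.authenticated_mac = None
        self.vlan = None
        self.server_attempts = 0

    def _auto(self) -> bool:
        # Only auto mode runs the exchange; force-* modes ignore supplicant activity
        return self.port_control == "auto"

    def link_up(self) -> str:
        self._reset()
        if self._auto():
            self.log.append("link up: send EAP-Request/Identity")
        return self.state

    def link_down(self) -> str:
        self._reset()   # link down always returns an auto port to unauthorized
        return self.state

    def eapol_start(self, mac: str) -> str:
        if self._auto():
            self.log.append(f"EAPOL-Start from {mac}: send EAP-Request/Identity")
        else:
            self.log.append(f"EAPOL-Start from {mac} ignored in {self.port_control}")
        return self.state

    def server_accept(self, mac: str, vlan: Optional[int] = None) -> str:
        # Only an explicit Accept from the authentication server authorizes an auto port
        if self._auto():
            self.state, self.authenticated_mac, self.vlan = AUTHORIZED, mac, vlan
            self.server_attempts = 0
        return self.state

    def server_reject(self) -> str:
        if self._auto():
            self.state = UNAUTHORIZED   # stays unauthorized; authentication may be retried
        return self.state

    def server_timeout(self) -> str:
        # No reply from the server: retransmit up to the limit, then fail closed
        if self._auto():
            self.server_attempts += 1
            if self.server_attempts >= self.max_server_attempts:
                self.log.append("authentication server unreachable: access denied")
                self.state = UNAUTHORIZED
        return self.state

    def eapol_timeout(self, mac: str) -> str:
        # No EAPOL response from the client: fall back to MAB only if it is enabled
        if self._auto() and self.mab_enabled:
            self.log.append(f"MAB: Access-Request for {mac}")
        return self.state

    def mab_result(self, mac: str, accepted: bool) -> str:
        if not (self._auto() and self.mab_enabled):
            return self.state
        if accepted:
            self.state, self.authenticated_mac = AUTHORIZED, mac
        else:
            self.state = UNAUTHORIZED
            self.vlan = self.guest_vlan   # guest VLAN if one is configured, else none
        return self.state

    def eapol_logoff(self) -> str:
        if self._auto():
            self._reset()   # EAPOL-Logoff returns the port to unauthorized
        return self.state
```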
802.1X and Port Security
You can configure port security and 802.1X on the same interfaces. Port security secures the MAC addresses that 802.1X authenticates. 802.1X processes packets before port security processes them, so when you enable both on an interface, 802.1X is already preventing inbound traffic on the interface from unknown MAC addresses.
When you enable 802.1X and port security on the same interface, port security continues to learn MAC addresses by the sticky or dynamic method, as configured. Additionally, depending on whether you enable 802.1X in single-host mode or multiple-host mode, one of the following occurs:
Single host mode
Port security learns the MAC address of the authenticated host.
Multiple host mode
Port security drops any MAC addresses learned for this interface by the dynamic method and learns the MAC address of the first host authenticated by 802.1X.
If a MAC address that 802.1X passes to port security would violate the applicable maximum number of secure MAC addresses, the device sends an authentication failure message to the host.
The device treats MAC addresses authenticated by 802.1X as though they were learned by the dynamic method, even if port security previously learned the address by the sticky or static methods. If you attempt to delete a secure MAC address that has been authenticated by 802.1X, the address remains secure.
If the MAC address of an authenticated host is secured by the sticky or static method, the device treats the address as if it were learned by the dynamic method, and you cannot delete the MAC address manually.
Port security integrates with 802.1X to reauthenticate hosts when the authenticated and secure MAC address of the host reaches its port security age limit. The device behaves differently depending upon the type of aging, as follows:
Absolute
Port security notifies 802.1X and the device attempts to reauthenticate the host. The result of reauthentication determines whether the address remains secure. If reauthentication succeeds, the device restarts the aging timer on the secure address; otherwise, the device drops the address from the list of secure addresses for the interface.
Inactivity
Port security drops the secure address from the list of secure addresses for the interface and notifies 802.1X. The device attempts to reauthenticate the host. If reauthentication succeeds, port security secures the address again.
Dynamic VLAN Assignment based on MAC-Based Authentication (MAB)
The Cisco Nexus 5000 and 6000 series switches support dynamic VLAN assignment. After 802.1X authentication or MAB is completed, and before bringing up the port, you may want (as part of authorization) to place the peer/host into a particular VLAN based on the result of the authentication. The RADIUS server typically indicates the desired VLAN by including tunnel attributes within the Access-Accept message. Obtaining the VLAN and binding it to the port constitutes dynamic VLAN assignment.
VLAN Assignment from RADIUS
After authentication is completed either through dot1x or MAB, the response from the RADIUS server can carry dynamic VLAN information, which can be assigned to a port. This information is present in the Access-Accept message from the RADIUS server in the form of tunnel attributes. For use in VLAN assignment, the following tunnel attributes are sent:
• Tunnel-type=VLAN(13)
• Tunnel-Medium-Type=802
• Tunnel-Private-Group-ID=VLANID
All the three parameters must be received for configuring access VLAN.
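As an added example (not part of the guide), the following Python parses the attribute list of a constructed Access-Accept and applies the three-attribute rule above together with the guideline that the VLAN assigned by RADIUS must already be configured on the switch. The attribute numbers (64, 65, 81), the values VLAN = 13 and IEEE-802 = 6, and the optional leading tag octet come from RFC 2868, not from the guide; anything incomplete or inconsistent yields no VLAN, so a port is never moved on partial data.

```python
from typing import Dict, Optional, Set, Tuple

# RADIUS attribute types and enumerated values from RFC 2868 (standard numbers,
# not taken from the guide): Tunnel-Type VLAN is 13, Tunnel-Medium-Type IEEE-802 is 6.
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6


def parse_radius_attributes(data: bytes) -> Dict[int, bytes]:
    """Parse a RADIUS attribute list (Type, Length, Value triplets) into {type: value}."""
    attrs: Dict[int, bytes] = {}
    offset = 0
    while offset < len(data):
        if offset + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, length = data[offset], data[offset + 1]
        if length < 2 or offset + length > len(data):
            raise ValueError(f"bad length {length} for attribute {atype}")
        attrs[atype] = data[offset + 2:offset + length]
        offset += length
    return attrs


def _untagged(value: bytes) -> bytes:
    """Strip the optional RFC 2868 tag octet (0x00-0x1F) that may lead a tunnel attribute."""
    return value[1:] if value and value[0] <= 0x1F else value


def vlan_from_access_accept(attrs: Dict[int, bytes],
                            configured_vlans: Set[int]) -> Tuple[Optional[int], str]:
    """Decide which access VLAN (if any) an Access-Accept authorizes for the port.

    Returns (vlan, "ok") only when all three tunnel attributes are present and
    consistent and the VLAN already exists on the switch; otherwise (None, reason).
    """
    required = (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)
    missing = [a for a in required if a not in attrs]
    if missing:
        return None, f"missing tunnel attribute(s) {missing}; all three are required"
    if int.from_bytes(_untagged(attrs[TUNNEL_TYPE]), "big") != TUNNEL_TYPE_VLAN:
        return None, "Tunnel-Type is not VLAN (13)"
    if int.from_bytes(_untagged(attrs[TUNNEL_MEDIUM_TYPE]), "big") != TUNNEL_MEDIUM_IEEE_802:
        return None, "Tunnel-Medium-Type is not 802 (6)"
    group = _untagged(attrs[TUNNEL_PRIVATE_GROUP_ID]).decode("ascii", "replace")
    if not group.isdigit():
        # A VLAN name rather than an ID; the guide lists name-to-ID mapping as unsupported
        return None, f"Tunnel-Private-Group-ID {group!r} is not a numeric VLAN ID"
    vlan = int(group)
    if not 1 <= vlan <= 4094:
        return None, f"VLAN {vlan} is out of range"
    if vlan not in configured_vlans:
        return None, f"VLAN {vlan} is not configured on the switch; no assignment"
    return vlan, "ok"


# Constructed attribute list of an Access-Accept: Tunnel-Type=VLAN(13),
# Tunnel-Medium-Type=802(6), Tunnel-Private-Group-ID="100", each with tag 0x00.
SAMPLE_ACCEPT_ATTRS = (
    bytes([TUNNEL_TYPE, 6, 0, 0, 0, TUNNEL_TYPE_VLAN])
    + bytes([TUNNEL_MEDIUM_TYPE, 6, 0, 0, 0, TUNNEL_MEDIUM_IEEE_802])
    + bytes([TUNNEL_PRIVATE_GROUP_ID, 6, 0]) + b"100"
)

if __name__ == "__main__":
    attrs = parse_radius_attributes(SAMPLE_ACCEPT_ATTRS)
    print(vlan_from_access_accept(attrs, {10, 100}))   # (100, 'ok')
```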
Single Host and Multiple Hosts Support
The 802.1X feature can restrict traffic on a port to only one endpoint device (single-host mode) or allow traffic from multiple endpoint devices on a port (multi-host mode).
Single-host mode allows traffic from only one endpoint device on the 802.1X port. Once the endpoint device is authenticated, the Cisco NX-OS device puts the port in the authorized state. When the endpoint device leaves the port, the Cisco NX-OS device puts the port back into the unauthorized state. A security violation in 802.1X is defined as the detection of frames sourced from any MAC address other than the single MAC address authorized as a result of successful authentication. In this case, the interface on which this security association violation is detected (EAPOL frame from the other MAC address) is disabled. Single-host mode is applicable only for host-to-switch topology and when a single host is connected to the Layer 2 (Ethernet access port) or Layer 3 port (routed port) of the Cisco NX-OS device.
Only the first host has to be authenticated on the 802.1X port configured with multiple host mode. The port is moved to the authorized state after the successful authorization of the first host. Subsequent hosts are not required to be authorized to gain network access once the port is in the authorized state. If the port becomes unauthorized when reauthentication fails or an EAPOL logoff message is received, all attached hosts are denied access to the network. The capability of the interface to shut down upon security association violation is disabled in multiple host mode. This mode is applicable for both switch-to-switch and host-to-switch topologies.
Supported Topologies
The 802.1X port-based authentication is supported in two topologies:
• Point-to-point
• Wireless LAN
In a point-to-point configuration, only one supplicant (client) can connect to the 802.1X-enabled authenticator (Cisco NX-OS device) port. The authenticator detects the supplicant when the port link state changes to the up state. If a supplicant leaves or is replaced with another supplicant, the authenticator changes the port link state to down, and the port returns to the unauthorized state.
This figure shows 802.1X port-based authentication in a wireless LAN. The 802.1X port is configured as a multiple-host port that becomes authorized as soon as one supplicant is authenticated.
Figure 6: Wireless LAN Example
When the port is authorized, all other hosts indirectly attached to the port are granted access to the network.
If the port becomes unauthorized (reauthentication fails or an EAPOL-logoff message is received), the Cisco NX-OS device denies access to the network to all of the attached supplicants.
Licensing Requirements for 802.1X
The following table shows the licensing requirements for this feature:
Product: Cisco NX-OS
License Requirement: 802.1X requires no license. Any feature not included in a license package is bundled with the Cisco NX-OS system images and is provided at no extra charge to you. For an explanation of the Cisco NX-OS licensing scheme, see the Cisco NX-OS Licensing Guide.
Prerequisites for 802.1X
802.1X has the following prerequisites:
• One or more RADIUS servers are accessible in the network.
• 802.1X supplicants are attached to the ports, unless you enable MAC address authentication bypass.
802.1X Guidelines and Limitations
802.1X port-based authentication has the following configuration guidelines and limitations:
• The Cisco NX-OS software supports 802.1X authentication only on physical ports.
• The Cisco NX-OS software does not support 802.1X authentication on port channels or subinterfaces.
• The Cisco NX-OS software supports 802.1X authentication on member ports of a port channel but not on the port channel itself.
• The Cisco NX-OS software does not support the following 802.1X configurations on port channel members when the members are configured for 802.1X:
  ◦ Host mode cannot be configured in single-host mode. Only multi-host mode is supported on the member ports.
  ◦ MAC authentication bypass cannot be enabled on the member ports.
  ◦ Port security cannot be configured on the port channel.
• Member ports with and without 802.1X configuration can coexist in a port channel. However, you must ensure the identical 802.1X configuration on all the member ports in order for channeling to operate with 802.1X.
• When you enable 802.1X authentication, supplicants are authenticated before any other Layer 2 or Layer 3 features are enabled on an Ethernet interface.
• The Cisco NX-OS software supports 802.1X authentication only on Ethernet interfaces that are in a port channel, a trunk, or an access port.
• The Cisco NX-OS software does not support single host mode on trunk interfaces or member interfaces in a port channel.
• The Cisco NX-OS software does not support MAC address authentication bypass on trunk interfaces.
• The Cisco NX-OS software does not support MAC address authentication bypass on a port channel.
• The Cisco NX-OS software does not support Dot1X on vPC ports and MCT.
• The Cisco NX-OS software does not support the following 802.1X protocol enhancements:
  ◦ One-to-many logical VLAN name to ID mapping
  ◦ Web authorization
  ◦ Dynamic domain bridge assignment
  ◦ IP telephony
• The following are the restrictions for dynamic VLAN assignment:
  ◦ Dynamic VLAN assignment is supported for HIF ports (FEX ports) only in Straight Through connection.
  ◦ This feature is supported only for Switchport access ports.
  ◦ The VLAN assigned by RADIUS must be already configured on the switch.
  ◦ This feature is not supported on VPC ports, port-channels, trunk ports, and L3 ports.
  ◦ After a VLAN is assigned by RADIUS, you cannot override it with a different access VLAN.
Default Settings for 802.1X
This table lists the default settings for 802.1X parameters.
Table 9: Default 802.1X Parameters
802.1X feature: Disabled
AAA 802.1X authentication method: Not configured
Per-interface 802.1X protocol enable state: Disabled (force-authorized)
  Note: The port transmits and receives normal traffic without 802.1X-based authentication of the supplicant.
Periodic reauthentication: Disabled
Number of seconds between reauthentication attempts: 3600 seconds
Quiet timeout period: 60 seconds (number of seconds that the Cisco NX-OS device remains in the quiet state following a failed authentication exchange with the supplicant)
Retransmission timeout period: 30 seconds (number of seconds that the Cisco NX-OS device should wait for a response to an EAP request/identity frame from the supplicant before retransmitting the request)
Maximum retransmission number: 2 times (number of times that the Cisco NX-OS device will send an EAP-request/identity frame before restarting the authentication process)
Host mode: Single host
Supplicant timeout period: 30 seconds (when relaying a request from the authentication server to the supplicant, the amount of time that the Cisco NX-OS device waits for a response before retransmitting the request to the supplicant)
Authentication server timeout period: 30 seconds (when relaying a response from the supplicant to the authentication server, the amount of time that the Cisco NX-OS device waits for a reply before retransmitting the response to the server)
Configuring 802.1X
This section describes how to configure the 802.1X feature.
Note
If you are familiar with the Cisco IOS CLI, be aware that the Cisco NX-OS commands for this feature might differ from the Cisco IOS commands that you would use.
Process for Configuring 802.1X
This section describes the process for configuring 802.1X.
Procedure
Step 1
Enable the 802.1X feature.
Step 2
Configure the connection to the remote RADIUS server.
Step 3
Enable the 802.1X feature on the Ethernet interfaces.
Enabling the 802.1X Feature
You must enable the 802.1X feature on the Cisco NX-OS device before authenticating any supplicant devices.
Procedure
Step 1: configure terminal
  Purpose: Enters global configuration mode.
  Example:
  switch# configure terminal
  switch(config)#
Step 2: feature dot1x
  Purpose: Enables the 802.1X feature. The default is disabled.
  Example:
  switch(config)# feature dot1x
Step 3: exit
  Purpose: Exits configuration mode.
  Example:
  switch(config)# exit
  switch#
Step 4: show dot1x
  Purpose: (Optional) Displays the 802.1X feature status.
  Example:
  switch# show dot1x
Step 5: copy running-config startup-config
  Purpose: (Optional) Copies the running configuration to the startup configuration.
  Example:
  switch# copy running-config startup-config
Configuring AAA Authentication Methods for 802.1X
You can use remote RADIUS servers for 802.1X authentication. You must configure RADIUS servers and RADIUS server groups and specify the default AAA authentication method before the Cisco NX-OS device can perform 802.1X authentication.
Before You Begin
Obtain the names or addresses for the remote RADIUS server groups.
Procedure
Step 1: configure terminal
  Purpose: Enters global configuration mode.
  Example:
  switch# configure terminal
  switch(config)#
Step 2: aaa authentication dot1x default group group-list
  Purpose: Specifies the RADIUS server groups to use for 802.1X authentication. The group-list argument consists of a space-delimited list of group names. The group names are the following:
  • radius—Uses the global pool of RADIUS servers for authentication.
  • named-group—Uses the global pool of RADIUS servers for authentication.
  Example:
  switch(config)# aaa authentication dot1x default group rad2
Step 3: exit
  Purpose: Exits configuration mode.
  Example:
  switch(config)# exit
  switch#
Step 4: show radius-server
  Purpose: (Optional) Displays the RADIUS server configuration.
  Example:
  switch# show radius-server
Step 5: show radius-server group [group-name]
  Purpose: (Optional) Displays the RADIUS server group configuration.
  Example:
  switch# show radius-server group rad2
Step 6: copy running-config startup-config
  Purpose: (Optional) Copies the running configuration to the startup configuration.
  Example:
  switch# copy running-config startup-config
Controlling 802.1X Authentication on an Interface
You can control the 802.1X authentication performed on an interface. An interface can have the following 802.1X authentication states:
Auto
Enables 802.1X authentication on the interface.
Force-authorized
Disables 802.1X authentication on the interface and allows all traffic on the interface without authentication. This state is the default.
Force-unauthorized
Disallows all traffic on the interface.
Before You Begin
Enable the 802.1X feature on the Cisco NX-OS device.
Procedure
Step 1: configure terminal
  Purpose: Enters global configuration mode.
  Example:
  switch# configure terminal
  switch(config)#
Step 2: interface ethernet slot/port
  Purpose: Selects the interface to configure and enters interface configuration mode.
  Example:
  switch(config)# interface ethernet 2/1
  switch(config-if)#
Step 3: dot1x port-control {auto | force-authorized | force-unauthorized}
  Purpose: Changes the 802.1X authentication state on the interface. The default is force-authorized.
  Example:
  switch(config-if)# dot1x port-control auto
Step 4: exit
  Purpose: Exits configuration mode.
  Example:
  switch(config)# exit
  switch#
Step 5: show dot1x all
  Purpose: (Optional) Displays all 802.1X feature status and configuration information.
  Example:
  switch# show dot1x all
Step 6: show dot1x interface ethernet slot/port
  Purpose: (Optional) Displays 802.1X feature status and configuration information for an interface.
  Example:
  switch# show dot1x interface ethernet 2/1
Step 7: copy running-config startup-config
  Purpose: (Optional) Copies the running configuration to the startup configuration.
  Example:
  switch# copy running-config startup-config
Configuring 802.1X Authentication on Member Ports
You can configure 802.1X authentication on the members of a port channel.
Note
You cannot configure 802.1X authentication on the port channel itself.
There are two ways to configure 802.1X authentication on member ports: 1) by configuring 802.1X on a member port and then adding the port to a port channel or 2) by creating a port channel, adding a port to the port channel, and then configuring 802.1X on the port. The following procedure provides instructions for the first method. To configure 802.1X using the second method, use these commands:
• interface port-channel channel-number
• interface ethernet slot/port
• channel-group channel-number [force] [mode {on | active | passive}]
• dot1x port-control auto
Note
For more information on the above commands, see the Cisco NX-OS Interfaces Command Reference for your platform.
Before You Begin
Enable the 802.1X feature on the Cisco NX-OS device.
Procedure
Step 1: configure terminal
Purpose: Enters global configuration mode.
Example:
switch# configure terminal
switch(config)#
Step 2: interface ethernet slot/port
Purpose: Selects the interface to configure and enters interface configuration mode.
Example:
switch(config)# interface ethernet 7/1
switch(config-if)#
Step 3: [no] switchport
Purpose: Configures the interface as a Layer 2 port or, if you use the no keyword, as a Layer 3 port.
Example:
switch(config-if)# switchport
Step 4: dot1x port-control auto
Purpose: Changes the 802.1X authentication state on the interface.
Example:
switch(config-if)# dot1x port-control auto
Step 5: dot1x host-mode multi-host
Purpose: Enables multiple hosts mode for the interface. This command is required in order to add a port to a port channel.
Example:
switch(config-if)# dot1x host-mode multi-host
Step 6: channel-group channel-number [force] [mode {on | active | passive}]
Purpose: Configures the port in a channel group and sets the mode. The channel number range is from 1 to 4096. The Cisco NX-OS software creates the port channel associated with this channel group if the port channel does not already exist. The optional force keyword allows you to force an interface with some incompatible configurations to join the channel. The forced interface must have the same speed, duplex, and flow control settings as the channel group.
Note
To remove an 802.1X-enabled port from a port channel, use the no channel-group channel-number command.
Example:
switch(config-if)# channel-group 5 force
Step 7: exit
Purpose: Exits interface configuration mode.
Example:
switch(config-if)# exit
switch(config)#
Step 8: exit
Purpose: Exits global configuration mode.
Example:
switch(config)# exit
switch#
Step 9: show dot1x all
Purpose: (Optional) Displays all 802.1X feature status and configuration information.
Example:
switch# show dot1x all
Step 10: show dot1x interface ethernet slot/port
Purpose: (Optional) Displays 802.1X feature status and configuration information for an interface.
Example:
switch# show dot1x interface ethernet 7/1
Step 11: copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
Example:
switch# copy running-config startup-config
Creating or Removing an Authenticator PAE on an Interface
You can create or remove the 802.1X authenticator port access entity (PAE) instance on an interface.
Note
By default, the Cisco NX-OS software creates the authenticator PAE instance on the interface when you enable 802.1X on an interface.
Before You Begin
Enable the 802.1X feature.
Procedure
Step 1: configure terminal
Purpose: Enters global configuration mode.
Example:
switch# configure terminal
switch(config)#
Step 2: show dot1x interface ethernet slot/port
Purpose: (Optional) Displays the 802.1X configuration on the interface.
Example:
switch# show dot1x interface ethernet 2/1
Step 3: interface ethernet slot/port
Purpose: Selects the interface to configure and enters interface configuration mode.
Example:
switch(config)# interface ethernet 2/1
switch(config-if)#
Step 4: [no] dot1x pae authenticator
Purpose: Creates an authenticator PAE instance on the interface. Use the no form to remove the PAE instance from the interface.
Note
If an authenticator PAE already exists on the interface, the dot1x pae authenticator command does not change the configuration on the interface.
Example:
switch(config-if)# dot1x pae authenticator
Step 5: copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
Example:
switch(config)# copy running-config startup-config
Enabling Periodic Reauthentication for an Interface
You can enable periodic 802.1X reauthentication on an interface and specify how often it occurs. If you do not specify a time period before enabling reauthentication, the number of seconds between reauthentication defaults to the global value.
Note
During the reauthentication process, the status of an already authenticated supplicant is not disrupted.
Before You Begin
Enable the 802.1X feature on the Cisco NX-OS device.
Procedure
Step 1: configure terminal
Purpose: Enters global configuration mode.
Example:
switch# configure terminal
switch(config)#
Step 2: interface ethernet slot/port
Purpose: Selects the interface to configure and enters interface configuration mode.
Example:
switch(config)# interface ethernet 2/1
switch(config-if)#
Step 3: dot1x re-authentication
Purpose: Enables periodic reauthentication of the supplicants connected to the interface. By default, periodic reauthentication is disabled.
Example:
switch(config-if)# dot1x re-authentication
Step 4: dot1x timeout re-authperiod seconds
Purpose: (Optional) Sets the number of seconds between reauthentication attempts. The default is 3600 seconds. The range is from 1 to 65535.
Note
This command affects the behavior of the Cisco NX-OS device only if you enable periodic reauthentication on the interface.
Example:
switch(config-if)# dot1x timeout re-authperiod 3300
Step 5: exit
Purpose: Exits configuration mode.
Example:
switch(config-if)# exit
switch(config)#
Step 6: show dot1x all
Purpose: (Optional) Displays all 802.1X feature status and configuration information.
Example:
switch(config)# show dot1x all
Step 7: copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
Example:
switch(config)# copy running-config startup-config
Manually Reauthenticating Supplicants
You can manually reauthenticate the supplicants for the entire Cisco NX-OS device or for an interface.
Note
During the reauthentication process, the status of an already authenticated supplicant is not disrupted.
Before You Begin
Enable the 802.1X feature on the Cisco NX-OS device.
Procedure
Step 1: dot1x re-authenticate [interface slot/port]
Purpose: Reauthenticates the supplicants on the Cisco NX-OS device or on an interface.
Example:
switch# dot1x re-authenticate interface 2/1
Manually Initializing 802.1X Authentication
You can manually initialize the authentication for all supplicants on a Cisco NX-OS device or for a specific interface.
Note
Initializing the authentication clears any existing authentication status before starting the authentication process for the client.
Before You Begin
Enable the 802.1X feature on the Cisco NX-OS device.
Procedure
Step 1: dot1x initialize [interface ethernet slot/port]
Purpose: Initializes 802.1X authentication on the Cisco NX-OS device or on a specified interface.
Example:
switch# dot1x initialize interface ethernet 2/1
Changing 802.1X Authentication Timers for an Interface
You can change the following 802.1X authentication timers on the Cisco NX-OS device interfaces:
Quiet-period timer
When the Cisco NX-OS device cannot authenticate the supplicant, the switch remains idle for a set period of time and then tries again. The quiet-period timer value determines the idle period. An authentication failure might occur because the supplicant provided an invalid password. You can provide a faster response time to the user by entering a smaller number than the default. The default is the value of the global quiet period timer. The range is from 1 to 65535 seconds.
Rate-limit timer
The rate-limit period throttles EAPOL-Start packets from supplicants that are sending too many EAPOL-Start packets. The authenticator ignores EAPOL-Start packets from supplicants that have successfully authenticated for the rate-limit period duration. The default value is 0 seconds, at which the authenticator processes all EAPOL-Start packets. The range is from 1 to 65535 seconds.
Switch-to-authentication-server retransmission timer for Layer 4 packets
The authentication server notifies the switch each time that it receives a Layer 4 packet. If the switch does not receive a notification after sending a packet, the Cisco NX-OS device waits a set period of time and then retransmits the packet. The default is 30 seconds. The range is from 1 to 65535 seconds.
Switch-to-supplicant retransmission timer for EAP response frames
The supplicant responds to the EAP-request/identity frame from the Cisco NX-OS device with an EAP-response/identity frame. If the Cisco NX-OS device does not receive this response, it waits a set period of time (known as the retransmission time) and then retransmits the frame. The default is 30 seconds. The range is from 1 to 65535 seconds.
Switch-to-supplicant retransmission timer for EAP request frames
The supplicant notifies the Cisco NX-OS device that it received the EAP request frame. If the authenticator does not receive this notification, it waits a set period of time and then retransmits the frame. The default is the value of the global retransmission period timer. The range is from 1 to 65535 seconds.
Note
You should change the default values only to adjust for unusual circumstances such as unreliable links or specific behavioral problems with certain supplicants and authentication servers.
Before You Begin
Enable the 802.1X feature on the Cisco NX-OS device.
Procedure
Step 1: configure terminal
Purpose: Enters global configuration mode.
Example:
switch# configure terminal
switch(config)#
Step 2: interface ethernet slot/port
Purpose: Selects the interface to configure and enters interface configuration mode.
Example:
switch(config)# interface ethernet 2/1
switch(config-if)#
Step 3: dot1x timeout quiet-period seconds
Purpose: (Optional) Sets the number of seconds that the authenticator waits for a response to an EAP-request/identity frame from the supplicant before retransmitting the request. The default is the global number of seconds set for all interfaces. The range is from 1 to 65535 seconds.
Example:
switch(config-if)# dot1x timeout quiet-period 25
Step 4: dot1x timeout ratelimit-period seconds
Purpose: (Optional) Sets the number of seconds that the authenticator ignores EAPOL-Start packets from supplicants that have successfully authenticated. The default value is 0 seconds. The range is from 1 to 65535 seconds.
Example:
switch(config-if)# dot1x timeout ratelimit-period 10
Step 5: dot1x timeout server-timeout seconds
Purpose: (Optional) Sets the number of seconds that the Cisco NX-OS device waits before retransmitting a packet to the authentication server. The default is 30 seconds. The range is from 1 to 65535 seconds.
Example:
switch(config-if)# dot1x timeout server-timeout 60
Step 6: dot1x timeout supp-timeout seconds
Purpose: (Optional) Sets the number of seconds that the Cisco NX-OS device waits for the supplicant to respond to an EAP request frame before the Cisco NX-OS device retransmits the frame. The default is 30 seconds. The range is from 1 to 65535 seconds.
Example:
switch(config-if)# dot1x timeout supp-timeout 20
Step 7: dot1x timeout tx-period seconds
Purpose: (Optional) Sets the number of seconds between the retransmission of EAP request frames when the supplicant does not send notification that it received the request. The default is the global number of seconds set for all interfaces. The range is from 1 to 65535 seconds.
Example:
switch(config-if)# dot1x timeout tx-period 40
Step 8: exit
Purpose: Exits configuration mode.
Example:
switch(config)# exit
switch#
Step 9: show dot1x all
Purpose: (Optional) Displays the 802.1X configuration.
Example:
switch# show dot1x all
Step 10: copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
Example:
switch# copy running-config startup-config
Enabling Single Host or Multiple Hosts Mode
You can enable single host or multiple hosts mode on an interface.
Before You Begin
Enable the 802.1X feature on the Cisco NX-OS device.
Procedure
Step 1: configure terminal
Purpose: Enters global configuration mode.
Example:
switch# configure terminal
switch(config)#
Step 2: interface ethernet slot/port
Purpose: Selects the interface to configure and enters interface configuration mode.
Example:
switch(config)# interface ethernet 2/1
switch(config-if)#
Step 3: dot1x host-mode {multi-host | single-host}
Purpose: Configures the host mode. The default is single-host.
Note
Make sure that the dot1x port-control interface configuration command is set to auto for the specified interface.
Example:
switch(config-if)# dot1x host-mode multi-host
Step 4: exit
Purpose: Exits configuration mode.
Example:
switch(config-if)# exit
switch(config)#
Step 5: show dot1x all
Purpose: (Optional) Displays all 802.1X feature status and configuration information.
Example:
switch# show dot1x all
Step 6: copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
Example:
switch(config)# copy running-config startup-config
Enabling MAC Authentication Bypass
You can enable MAC authentication bypass on an interface that has no supplicant connected.
Before You Begin
Enable the 802.1X feature on the Cisco NX-OS device.
Procedure
Step 1: configure terminal
Purpose: Enters global configuration mode.
Example:
switch# configure terminal
switch(config)#
Step 2: interface ethernet slot/port
Purpose: Selects the interface to configure and enters interface configuration mode.
Example:
switch(config)# interface ethernet 2/1
switch(config-if)#
Step 3: dot1x mac-auth-bypass [eap]
Purpose: Enables MAC authentication bypass. The default is bypass disabled. Use the eap keyword to configure the Cisco NX-OS device to use EAP for authorization.
Example:
switch(config-if)# dot1x mac-auth-bypass
Step 4: exit
Purpose: Exits configuration mode.
Example:
switch(config-if)# exit
switch(config)#
Step 5: show dot1x all
Purpose: (Optional) Displays all 802.1X feature status and configuration information.
Example:
switch# show dot1x all
Step 6: copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
Example:
switch(config)# copy running-config startup-config
Disabling 802.1X Authentication on the Cisco NX-OS Device
You can disable 802.1X authentication on the Cisco NX-OS device. By default, the Cisco NX-OS software enables 802.1X authentication after you enable the 802.1X feature. However, when you disable the 802.1X feature, the configuration is removed from the Cisco NX-OS device. The Cisco NX-OS software allows you to disable 802.1X authentication without losing the 802.1X configuration.
Note
When you disable 802.1X authentication, the port mode for all interfaces defaults to force-authorized regardless of the configured port mode. When you reenable 802.1X authentication, the Cisco NX-OS software restores the configured port mode on the interfaces.
Before You Begin
Enable the 802.1X feature on the Cisco NX-OS device.
Procedure
Step 1: configure terminal
Purpose: Enters global configuration mode.
Example:
switch# configure terminal
switch(config)#
Step 2: no dot1x system-auth-control
Purpose: Disables 802.1X authentication on the Cisco NX-OS device. The default is enabled.
Note
Use the dot1x system-auth-control command to enable 802.1X authentication on the Cisco NX-OS device.
Example:
switch(config)# no dot1x system-auth-control
Step 3: exit
Purpose: Exits configuration mode.
Example:
switch(config)# exit
switch#
Step 4: show dot1x
Purpose: (Optional) Displays the 802.1X feature status.
Example:
switch# show dot1x
Step 5: copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
Example:
switch# copy running-config startup-config
Disabling the 802.1X Feature
You can disable the 802.1X feature on the Cisco NX-OS device.
When you disable 802.1X, all related configurations are automatically discarded. The Cisco NX-OS software creates an automatic checkpoint that you can use if you reenable 802.1X and want to recover the configuration.
For more information, see the Cisco NX-OS System Management Configuration Guide for your platform.
Before You Begin
Enable the 802.1X feature on the Cisco NX-OS device.
Procedure
Step 1: configure terminal
Purpose: Enters global configuration mode.
Example:
switch# configure terminal
switch(config)#
Step 2: no feature dot1x
Purpose: Disables 802.1X.
Caution
Disabling the 802.1X feature removes all 802.1X configuration.
Example:
switch(config)# no feature dot1x
Step 3: exit
Purpose: Exits configuration mode.
Example:
switch(config)# exit
switch#
Step 4: copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
Example:
switch# copy running-config startup-config
Setting the Maximum Authenticator-to-Supplicant Frame Retransmission Retry Count for an Interface
You can set the maximum number of times that the Cisco NX-OS device retransmits authentication requests to the supplicant on an interface before the session times out. The default is 2 times and the range is from 1 to 10.
Before You Begin
Enable the 802.1X feature on the Cisco NX-OS device.
Procedure
Step 1: configure terminal
Purpose: Enters global configuration mode.
Example:
switch# configure terminal
switch(config)#
Step 2: interface ethernet slot/port
Purpose: Selects the interface to configure and enters interface configuration mode.
Example:
switch(config)# interface ethernet 2/1
switch(config-if)#
Step 3: dot1x max-req count
Purpose: Changes the maximum authorization request retry count. The default is 2 times and the range is from 1 to 10.
Note
Make sure that the dot1x port-control interface configuration command is set to auto for the specified interface.
Example:
switch(config-if)# dot1x max-req 3
Step 4: exit
Purpose: Exits interface configuration mode.
Example:
switch(config)# exit
switch#
Step 5: show dot1x all
Purpose: (Optional) Displays all 802.1X feature status and configuration information.
Example:
switch# show dot1x all
Step 6: copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
Example:
switch(config)# copy running-config startup-config
Enabling RADIUS Accounting for 802.1X Authentication
You can enable RADIUS accounting for the 802.1X authentication activity.
Before You Begin
Enable the 802.1X feature on the Cisco NX-OS device.
Procedure
Step 1: configure terminal
Purpose: Enters global configuration mode.
Example:
switch# configure terminal
switch(config)#
Step 2: dot1x radius-accounting
Purpose: Enables RADIUS accounting for 802.1X. The default is disabled.
Example:
switch(config)# dot1x radius-accounting
Step 3: exit
Purpose: Exits configuration mode.
Example:
switch(config)# exit
switch#
Step 4: show dot1x
Purpose: (Optional) Displays the 802.1X configuration.
Example:
switch# show dot1x
Step 5: copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
Example:
switch# copy running-config startup-config
Configuring AAA Accounting Methods for 802.1X
You can enable AAA accounting methods for the 802.1X feature.
Before You Begin
Enable the 802.1X feature on the Cisco NX-OS device.
Procedure
Step 1: configure terminal
Purpose: Enters global configuration mode.
Step 2: aaa accounting dot1x default group group-list
Purpose: Configures AAA accounting for 802.1X. The default is disabled.
The group-list argument consists of a space-delimited list of group names. The group names are the following:
• radius—For all configured RADIUS servers.
• named-group—Any configured RADIUS server group name.
Step 3: exit
Purpose: Exits configuration mode.
Step 4: show aaa accounting
Purpose: (Optional) Displays the AAA accounting configuration.
Step 5: copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
This example shows how to configure AAA accounting for 802.1X:
switch# configure terminal
switch(config)# aaa accounting dot1x default group radius
switch(config)# exit
switch# show aaa accounting
switch# copy running-config startup-config
Setting the Maximum Reauthentication Retry Count on an Interface
You can set the maximum number of times that the Cisco NX-OS device retransmits reauthentication requests to the supplicant on an interface before the session times out. The default is 2 times and the range is from 1 to 10.
Before You Begin
Enable the 802.1X feature on the Cisco NX-OS device.
Procedure
Step 1: configure terminal
Purpose: Enters global configuration mode.
Example:
switch# configure terminal
switch(config)#
Step 2: interface ethernet slot/port
Purpose: Selects the interface to configure and enters interface configuration mode.
Example:
switch(config)# interface ethernet 2/1
switch(config-if)#
Step 3: dot1x max-reauth-req retry-count
Purpose: Changes the maximum reauthentication request retry count. The default is 2 times and the range is from 1 to 10.
Example:
switch(config-if)# dot1x max-reauth-req 3
Step 4: exit
Purpose: Exits interface configuration mode.
Example:
switch(config)# exit
switch#
Step 5: show dot1x all
Purpose: (Optional) Displays all 802.1X feature status and configuration information.
Example:
switch# show dot1x all
Step 6: copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
Example:
switch(config)# copy running-config startup-config
Configuring Guest VLAN
If MAB is configured and authentication fails through MAB, the guest VLAN, if available, is assigned as the access VLAN.
Procedure
Step 1: configure terminal
Purpose: Enters global configuration mode.
Example:
switch# configure terminal
Step 2: interface ethernet slot/port
Purpose: Selects the interface to configure and enters interface configuration mode.
Example:
switch(config)# interface ethernet 2/1
Step 3: dot1x guest-vlan guest-vlan
Purpose: Specifies the guest VLAN to be assigned.
Example:
switch(config-if)# dot1x guest-vlan 5
Step 4: exit
Purpose: Returns to privileged EXEC mode.
Example:
switch(config-if)# exit
Verifying the 802.1X Configuration
To display 802.1X information, perform one of the following tasks:
Command: show dot1x
Purpose: Displays the 802.1X feature status.
Command: show dot1x all [details | statistics | summary]
Purpose: Displays all 802.1X feature status and configuration information.
Command: show dot1x interface ethernet slot/port [details | statistics | summary]
Purpose: Displays the 802.1X feature status and configuration information for an Ethernet interface.
Command: show running-config dot1x [all]
Purpose: Displays the 802.1X feature configuration in the running configuration.
Command: show startup-config dot1x
Purpose: Displays the 802.1X feature configuration in the startup configuration.
For detailed information about the fields in the output from these commands, see the Cisco NX-OS Security Command Reference for your platform.
Monitoring 802.1X
You can display the statistics that the Cisco NX-OS device maintains for the 802.1X activity.
Before You Begin
Enable the 802.1X feature on the Cisco NX-OS device.
Procedure
Step 1: show dot1x {all | interface ethernet slot/port} statistics
Purpose: Displays the 802.1X statistics.
Example:
switch# show dot1x all statistics
Configuration Example for 802.1X
The following example shows how to configure 802.1X for an access port:
feature dot1x
aaa authentication dot1x default group rad2
interface Ethernet2/1
  dot1x pae authenticator
  dot1x port-control auto
The following example shows how to configure 802.1X for a trunk port:
feature dot1x
aaa authentication dot1x default group rad2
interface Ethernet2/1
  dot1x pae authenticator
  dot1x port-control auto
  dot1x host-mode multi-host
Note
Repeat the dot1x pae authenticator and dot1x port-control auto commands for all interfaces that require 802.1X authentication.
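As an added example that is not Cisco's code, the following Python reads an NX-OS 802.1X running-config fragment in the shape of the examples above and checks it against what this chapter documents: the force-authorized default under which 802.1X is not enforced, the host-mode and MAC authentication bypass settings that widen what a port admits, a re-authperiod set without dot1x re-authentication (which the reauthentication procedure notes has no effect), and timer and retry values outside the documented ranges. The sample configuration is constructed for the example; the field names and finding text are its own.

```python
"""Audit the 802.1X part of an NX-OS running-config against what this chapter documents.
Added example, not Cisco code; field names and finding text are the example's own."""
import re

TIMER_RANGE = (1, 65535)   # every "dot1x timeout ... seconds" value
RETRY_RANGE = (1, 10)      # dot1x max-req and dot1x max-reauth-req

def _new_interface():
    """Per-interface state, initialised to the defaults the chapter states."""
    return {"pae": False, "port_control": "force-authorized", "host_mode": "single-host",
            "mab": False, "reauth": False, "timeouts": {}, "max_req": 2, "max_reauth_req": 2}

def _apply_interface_command(iface, words):
    """Update one interface's state from a tokenised 'dot1x ...' line."""
    sub = words[1]
    if sub == "pae" and words[2:] == ["authenticator"]:
        iface["pae"] = True
    elif sub == "port-control":
        iface["port_control"] = words[2]
    elif sub == "host-mode":
        iface["host_mode"] = words[2]
    elif sub == "mac-auth-bypass":
        iface["mab"] = True
    elif sub == "re-authentication":
        iface["reauth"] = True
    elif sub == "timeout":
        iface["timeouts"][words[2]] = int(words[3])
    elif sub == "max-req":
        iface["max_req"] = int(words[2])
    elif sub == "max-reauth-req":
        iface["max_reauth_req"] = int(words[2])

def parse_dot1x_config(text):
    """Return global 802.1X settings and per-interface state from running-config text."""
    cfg = {"feature": False, "system_auth_control": True, "aaa_group": None, "interfaces": {}}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line == "feature dot1x":
            cfg["feature"] = True
        elif line == "no dot1x system-auth-control":
            cfg["system_auth_control"] = False
        elif (m := re.fullmatch(r"aaa authentication dot1x default group (\S+)", line)):
            cfg["aaa_group"] = m.group(1)
        elif (m := re.fullmatch(r"interface (\S+)", line)):
            current = m.group(1)
            cfg["interfaces"][current] = _new_interface()
        elif current is not None and line.startswith("dot1x "):
            _apply_interface_command(cfg["interfaces"][current], line.split())
    return cfg

def audit_dot1x(cfg):
    """List settings that let a port pass traffic unauthenticated or that fall outside the documented ranges."""
    findings = []
    if not cfg["feature"]:
        findings.append("global: feature dot1x is not enabled; the 802.1X configuration is inactive")
    if not cfg["system_auth_control"]:
        findings.append("global: dot1x system-auth-control is disabled; every port acts as force-authorized")
    if cfg["aaa_group"] is None:
        findings.append("global: no 'aaa authentication dot1x default group' method is configured")
    for name, iface in cfg["interfaces"].items():
        if iface["pae"] and iface["port_control"] != "auto":
            findings.append(f"{name}: port-control is {iface['port_control']}, so 802.1X is not enforced")
        if iface["host_mode"] == "multi-host":
            findings.append(f"{name}: multi-host mode admits several hosts behind one authenticated port")
        if iface["mab"]:
            findings.append(f"{name}: MAC authentication bypass admits endpoints that run no supplicant")
        if "re-authperiod" in iface["timeouts"] and not iface["reauth"]:
            findings.append(f"{name}: re-authperiod is set but dot1x re-authentication is off; it has no effect")
        for timer, secs in iface["timeouts"].items():
            if not TIMER_RANGE[0] <= secs <= TIMER_RANGE[1]:
                findings.append(f"{name}: dot1x timeout {timer} {secs} is outside {TIMER_RANGE}")
        for key in ("max_req", "max_reauth_req"):
            if not RETRY_RANGE[0] <= iface[key] <= RETRY_RANGE[1]:
                findings.append(f"{name}: dot1x {key.replace('_', '-')} {iface[key]} is outside {RETRY_RANGE}")
    return findings

# Constructed sample: the chapter's trunk-port example plus two weaker interfaces.
SAMPLE_CONFIG = """\
feature dot1x
aaa authentication dot1x default group rad2
interface Ethernet2/1
  dot1x pae authenticator
  dot1x port-control auto
  dot1x host-mode multi-host
interface Ethernet2/2
  dot1x pae authenticator
  dot1x timeout re-authperiod 3300
interface Ethernet2/3
  dot1x pae authenticator
  dot1x port-control auto
  dot1x mac-auth-bypass
  dot1x max-req 12
"""

if __name__ == "__main__":
    for finding in audit_dot1x(parse_dot1x_config(SAMPLE_CONFIG)):
        print(finding)
```

Run against the output of show running-config dot1x, the audit lists the interfaces that still pass traffic without authentication, which is the state every interface reverts to when dot1x system-auth-control is disabled.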
Additional References for 802.1X
This section includes additional information related to implementing 802.1X.
Related Documents
Cisco NX-OS Licensing: Cisco NX-OS Licensing Guide
Command reference
VRF configuration
Standards
IEEE Std 802.1X-2004 (Revision of IEEE Std 802.1X-2001)
802.1X IEEE Standard for Local and Metropolitan Area Networks Port-Based Network Access Control
RFC 2284
PPP Extensible Authentication Protocol (EAP)
RFC 3580
IEEE 802.1X Remote Authentication Dial In User Service (RADIUS) Usage Guidelines
MIBs
• IEEE8021-PAE-MIB
MIBs Link
To locate and download MIBs, go to the following URL: http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
Feature History for 802.1X
Table 10: Feature History for 802.1X
Feature Name: 802.1X
Release: 6.0(2)N1(2)
Feature Information: This feature was introduced.
Chapter 8
Configuring Cisco TrustSec
This chapter describes how to configure Cisco TrustSec on Cisco NX-OS devices.
This chapter includes the following sections:
• Information About Cisco TrustSec, page 121
• Licensing Requirements for Cisco TrustSec, page 131
• Prerequisites for Cisco TrustSec, page 131
• Guidelines and Limitations for Cisco TrustSec, page 131
• Default Settings for Cisco TrustSec Parameters, page 132
• Configuring Cisco TrustSec, page 133
• Verifying the Cisco TrustSec Configuration, page 168
• Configuration Examples for Cisco TrustSec, page 169
• Additional References for Cisco TrustSec, page 173
• Feature History for Cisco TrustSec, page 173
Information About Cisco TrustSec
This section provides information about Cisco TrustSec.
Cisco TrustSec Architecture
The Cisco TrustSec security architecture builds secure networks by establishing clouds of trusted network devices. Cisco TrustSec also uses the device information acquired during authentication for classifying, or coloring, the packets as they enter the network. This packet classification is maintained by tagging packets on ingress to the Cisco TrustSec network so that they can be properly identified for the purpose of applying security and other policy criteria along the data path. The tag, also called the security group tag (SGT), allows the network to enforce the access control policy by enabling the endpoint device to act upon the SGT to filter traffic.
Note
Ingress refers to entering the first Cisco TrustSec-capable device encountered by a packet on its path to the destination and egress refers to leaving the last Cisco TrustSec-capable device on the path.
This figure shows an example of a Cisco TrustSec cloud. In this example, several networking devices and an endpoint device are inside the Cisco TrustSec cloud. One endpoint device and one networking device are outside the cloud because they are not Cisco TrustSec-capable devices.
Figure 7: Cisco TrustSec Network Cloud Example
The Cisco TrustSec architecture consists of the following major components:
Authentication
Verifies the identity of each device before allowing them to join the Cisco TrustSec network.
Authorization
Decides the level of access to the Cisco TrustSec network resources for a device based on the authenticated identity of the device.
Access control
Applies access policies on a per-packet basis using the source tags on each packet.
A Cisco TrustSec network has the following entities:
Authenticators (AT)
Devices that are already part of a Cisco TrustSec network.
Authorization server (AS)
Servers that may provide authentication information, authorization information, or both.
When the link first comes up, authorization occurs in which each side of the link obtains policies, such as SGT and ACLs, that apply to the link.
Authentication
Cisco TrustSec authenticates a device before allowing it to join the network.
Cisco TrustSec and Authentication
Cisco TrustSec uses EAP-FAST for authentication. EAP-FAST conversations allow for other EAP method exchanges inside the EAP-FAST tunnel using chains, which allows administrators to use traditional user authentication methods, such as Microsoft Challenge Handshake Authentication Protocol Version 2
(MSCHAPv2), while still having security provided by the EAP-FAST tunnel.
This figure shows the EAP-FAST tunnel and inner methods as used in Cisco TrustSec.
Figure 8: Cisco TrustSec Authentication
Cisco TrustSec Enhancements to EAP-FAST
The implementation of EAP-FAST for Cisco TrustSec has the following enhancements:
Authenticate the authenticator
Securely determines the identity of the AT by requiring the AT to use its protected access credential (PAC) to derive the shared secret between itself and the authentication server. This feature also prevents you from configuring RADIUS shared secrets on the authentication server for every possible IP address that can be used by the AT.
Notify each peer of the identity of its neighbor
By the end of the authentication exchange, the authentication server has identified both the supplicant and the AT. The authentication server conveys the identity of the AT, and whether the AT is Cisco TrustSec-capable, to the supplicant by using additional type-length-value parameters (TLVs) in the protected EAP-FAST termination. The authentication server also conveys the identity of the supplicant, and whether the supplicant is Cisco TrustSec-capable, to the AT by using RADIUS attributes in the Access-Accept message. Because each peer knows the identity of its neighbor, it can send additional RADIUS Access-Requests to the authentication server to acquire the policy to be applied on the link.
AT posture evaluation
The AT provides its posture information to the authentication server whenever it starts the authentication exchange with the authentication server on behalf of the supplicant.
802.1X Role Selection
In 802.1X, the AT must have IP connectivity with the authentication server because it has to relay the authentication exchange between the supplicant and the AT using RADIUS over UDP/IP. When an endpoint device, such as a PC, connects to a network, it is obvious that it should act as a supplicant. However, in the case of a Cisco TrustSec connection between two network devices, the 802.1X role of each network device might not be immediately apparent to the other network device.
Instead of requiring manual configuration of the AT and supplicant roles for the Cisco NX-OS devices, Cisco TrustSec runs a role-selection algorithm to automatically determine which Cisco NX-OS device acts as the AT and which device acts as the supplicant. The role-selection algorithm assigns the AT role to the device that has IP reachability to a RADIUS server. Both devices start both the AT and supplicant state machines.
When a Cisco NX-OS device detects that its peer has access to a RADIUS server, it terminates its own AT state machine and assumes the role of the supplicant. If both Cisco NX-OS devices have access to a RADIUS server, the algorithm compares the MAC addresses used as the source for sending the EAP over LAN (EAPOL) packets. The Cisco NX-OS device that has the MAC address with the higher value becomes the AT and the other Cisco NX-OS device becomes the supplicant.
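The following Python models the role-selection algorithm described above. It is an added illustration, not Cisco code: the device names and MAC addresses are constructed, and the outcome when neither peer reaches a RADIUS server is an assumption, because the guide does not define one.

```python
"""Model of the Cisco TrustSec 802.1X role-selection algorithm (constructed example)."""
from dataclasses import dataclass
from typing import Dict


@dataclass(frozen=True)
class Device:
    """One Cisco NX-OS device on the link (names and MACs are constructed)."""
    name: str
    eapol_src_mac: str      # MAC used as the source of the device's EAPOL packets
    radius_reachable: bool  # device has IP reachability to a RADIUS server


def mac_to_int(mac: str) -> int:
    """Parse a MAC in colon, dash or Cisco dotted form into an integer for comparison."""
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return int(digits, 16)


def select_roles(a: Device, b: Device) -> Dict[str, str]:
    """Return {device name: 'AT' | 'supplicant'} for one Cisco TrustSec link.

    Rules as described in the guide:
      * only one side reaches a RADIUS server: that side is the AT; the peer
        terminates its own AT state machine and becomes the supplicant;
      * both sides reach a RADIUS server: the higher EAPOL source MAC takes the AT role;
      * neither side reaches a RADIUS server: not defined by the guide; this model
        raises, because no authenticator could relay RADIUS (assumption).
    """
    if a.radius_reachable and not b.radius_reachable:
        at, supplicant = a, b
    elif b.radius_reachable and not a.radius_reachable:
        at, supplicant = b, a
    elif a.radius_reachable and b.radius_reachable:
        mac_a, mac_b = mac_to_int(a.eapol_src_mac), mac_to_int(b.eapol_src_mac)
        if mac_a == mac_b:
            raise ValueError("identical EAPOL source MACs: tie cannot be broken")
        at, supplicant = (a, b) if mac_a > mac_b else (b, a)
    else:
        raise RuntimeError("neither peer reaches a RADIUS server: no AT can be elected")
    return {at.name: "AT", supplicant.name: "supplicant"}


def roles_agree(a: Device, b: Device) -> bool:
    """Both devices run the algorithm independently; they must reach the same result."""
    return select_roles(a, b) == select_roles(b, a)


if __name__ == "__main__":
    n1 = Device("N5K-1", "00:1b:54:aa:00:01", radius_reachable=True)
    n2 = Device("N5K-2", "00:1b:54:aa:00:02", radius_reachable=False)
    n3 = Device("N5K-3", "001b.54aa.0003", radius_reachable=True)
    print(select_roles(n1, n2))  # only N5K-1 reaches RADIUS -> N5K-1 is the AT
    print(select_roles(n1, n3))  # both reach RADIUS -> higher MAC (N5K-3) is the AT
    print(roles_agree(n1, n3))
```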
Cisco TrustSec Authentication Summary
By the end of the Cisco TrustSec authentication process, the authentication server has performed the following actions:
• Verified the identities of the supplicant and the AT.
• Authenticated the user if the supplicant is an endpoint device.
At the end of the Cisco TrustSec authentication process, both the AT and the supplicant know the following:
• Device ID of the peer
• Cisco TrustSec capability information of the peer
• Key used for the SAP
Device Identities
Cisco TrustSec does not use IP addresses or MAC addresses as device identities. Instead, you assign a name (device ID) to each Cisco TrustSec-capable Cisco NX-OS device to identify it uniquely in the Cisco TrustSec network. This device ID is used for the following:
• Looking up authorization policy
• Looking up passwords in the databases during authentication
Device Credentials
Cisco TrustSec supports password-based credentials. The authentication servers may use self-signed certificates instead. Cisco TrustSec authenticates the supplicants through passwords and uses MSCHAPv2 to provide mutual authentication even if the authentication server certificate is not verifiable.
The authentication server uses a temporarily configured password to authenticate the supplicant when the supplicant first joins the Cisco TrustSec network. When the supplicant first joins the Cisco TrustSec network, the authentication server authenticates the supplicant using a manufacturing certificate and then generates a strong password and pushes it to the supplicant with the PAC. The authentication server also keeps the new password in its database.
User Credentials
Cisco TrustSec does not require a specific type of user credentials for endpoint devices. You can choose any type of authentication method for the user (for example, MSCHAPv2, LEAP, generic token card (GTC), or OTP) and use the corresponding credentials.
SGACLs and SGTs
In security group access lists (SGACLs), you can control the operations that users can perform based on assigned security groups. The grouping of permissions into a role simplifies the management of the security policy. As you add users to the Cisco NX-OS device, you simply assign one or more security groups and they immediately receive the appropriate permissions. You can modify security groups to introduce new privileges or restrict current permissions.
Cisco TrustSec assigns a unique 16-bit tag, called the security group tag (SGT), to a security group. The number of SGTs in the Cisco NX-OS device is limited to the number of authenticated network entities. The SGT is a single label that indicates the privileges of the source within the entire enterprise. Its scope is global within a Cisco TrustSec network.
The management server derives the SGTs based on the security policy configuration. You do not have to configure them manually.
Once authenticated, Cisco TrustSec tags any packet that originates from a device with the SGT that represents the security group to which the device is assigned. The packet carries this SGT throughout the network within the Cisco TrustSec header. Because this tag represents the group of the source, the tag is referred to as the source SGT. At the egress edge of the network, Cisco TrustSec determines the group that is assigned to the packet destination device and applies the access control policy.
Cisco TrustSec defines access control policies between the security groups. By assigning devices within the network to security groups and applying access control between and within the security groups, Cisco TrustSec essentially achieves access control within the network.
This figure shows an example of an SGACL policy.
Figure 9: SGACL Policy Example
This figure shows how the SGT assignment and the SGACL enforcement operate in a Cisco TrustSec network.
Figure 10: SGT and SGACL in Cisco TrustSec Network
The Cisco NX-OS device defines the Cisco TrustSec access control policy for a group of devices as opposed to IP addresses in traditional ACLs. With such a decoupling, the network devices are free to move throughout the network and change IP addresses. Entire network topologies can change. As long as the roles and the permissions remain the same, changes to the network do not change the security policy. This feature greatly reduces the size of ACLs and simplifies their maintenance.
In traditional IP networks, the number of access control entries (ACEs) configured is determined as follows:
# of ACEs = (# of sources specified) X (# of destinations specified) X (# of permissions specified)
Cisco TrustSec uses the following formula:
# of ACEs = # of permissions specified
Determining the Source Security Group
A network device at the ingress of the Cisco TrustSec cloud needs to determine the SGT of the packet entering the Cisco TrustSec cloud so that it can tag the packet with that SGT when it forwards it into the Cisco TrustSec cloud. The egress network device needs to determine the SGT of the packet so that it can apply the SGACLs.
The network device can determine the SGT for a packet in one of the following methods:
• Obtain the source SGT during policy acquisition—After the Cisco TrustSec authentication phase, a network device acquires a policy from an authentication server. The authentication server indicates whether the peer device is trusted or not. If a peer device is not trusted, the authentication server can also provide an SGT to apply to all packets coming from the peer device.
• Obtain the source SGT field from the Cisco TrustSec header—If a packet comes from a trusted peer device, the Cisco TrustSec header carries the correct SGT field if the network device is not the first network device in the Cisco TrustSec cloud for the packet.
Determining the Destination Security Group
The egress network device in a Cisco TrustSec cloud determines the destination group for applying the SGACL.
In some cases, ingress devices or other nonegress devices might have destination group information available.
In those cases, SGACLs might be applied in these devices rather than in egress devices.
Cisco TrustSec determines the destination group for the packet based on the destination IP address.
You do not configure the destination SGT to enforce Cisco TrustSec on egress broadcast, multicast, and unknown unicast traffic on Fabric Extender (FEX) or vEthernet ports. Instead, you set the DST to zero (unknown). The following is an example of the correct configuration:
cts role-based access-list acl-on-fex-egress
  deny udp
  deny ip
cts role-based sgt 9 dst 0 access-list acl-on-fex-egress
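The following Python, added here as an illustration rather than taken from the guide, puts the SGT and SGACL model from this section together: source-SGT selection at ingress (SGT from the Cisco TrustSec header for a trusted peer, ingress-interface SGT otherwise), destination SGT derived from the destination IP with 0 (unknown) for broadcast and multicast, an SGACL lookup that includes the FEX-egress policy shown above, and the two ACE-count formulas from the start of the SGACLs and SGTs section. The IP-to-SGT mapping, the packets and all SGT values other than 9 and 0 are constructed, and permitting traffic for which no SGACL cell exists is an assumption of this model.

```python
"""SGT assignment and SGACL enforcement in a Cisco TrustSec cloud (constructed model)."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple

UNKNOWN_SGT = 0  # "dst 0" in the guide's FEX/vEthernet egress example


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    proto: str                 # "tcp", "udp" or "icmp"
    header_sgt: Optional[int]  # SGT carried in the Cisco TrustSec header, None if untagged


@dataclass
class IngressPort:
    peer_trusted: bool  # learned during policy acquisition: may the peer tag packets?
    port_sgt: int       # SGT applied to every packet from an untrusted peer


def source_sgt(pkt: Packet, port: IngressPort) -> int:
    """Ingress rule from 'Determining the Source Security Group'."""
    if port.peer_trusted and pkt.header_sgt is not None:
        return pkt.header_sgt  # trusted peer: keep the SGT already in the header
    return port.port_sgt       # untrusted or untagged: tag with the ingress-port SGT


def destination_sgt(dst_ip: str, ip_to_sgt: Dict[str, int]) -> int:
    """Egress rule: the destination group comes from the destination IP address.

    Broadcast, multicast and unmapped destinations resolve to SGT 0 (unknown).
    """
    addr = IPv4Address(dst_ip)
    if addr.is_multicast or addr == IPv4Address("255.255.255.255"):
        return UNKNOWN_SGT
    return ip_to_sgt.get(dst_ip, UNKNOWN_SGT)


# SGACL cells: (source SGT, destination SGT) -> ordered (action, protocol-or-"ip") entries.
# The (9, 0) cell reproduces the guide's acl-on-fex-egress example; the rest is constructed.
SGACL: Dict[Tuple[int, int], List[Tuple[str, str]]] = {
    (9, 0): [("deny", "udp"), ("deny", "ip")],
    (10, 20): [("permit", "tcp"), ("deny", "ip")],
    (20, 10): [("deny", "ip")],
}


def enforce(pkt: Packet, port: IngressPort, ip_to_sgt: Dict[str, int]) -> str:
    """Return 'permit' or 'deny' for one packet crossing the Cisco TrustSec cloud."""
    key = (source_sgt(pkt, port), destination_sgt(pkt.dst_ip, ip_to_sgt))
    for action, match in SGACL.get(key, []):
        if match == "ip" or match == pkt.proto:  # first matching entry wins
            return action
    return "permit"  # no SGACL for this cell: permit (assumption of this model)


def ace_counts(n_src: int, n_dst: int, n_perm: int) -> Tuple[int, int]:
    """(traditional ACE count, Cisco TrustSec ACE count) from the guide's two formulas."""
    return n_src * n_dst * n_perm, n_perm


if __name__ == "__main__":
    # Constructed IP-to-SGT mapping, as the egress device would hold it.
    mapping = {"10.1.1.10": 20, "10.1.2.10": 10}
    trusted = IngressPort(peer_trusted=True, port_sgt=5)
    fex_untrusted = IngressPort(peer_trusted=False, port_sgt=9)
    # Untrusted FEX peer: header tag ignored, SGT 9 applied; broadcast -> dst 0 -> deny udp.
    print(enforce(Packet("10.9.9.9", "255.255.255.255", "udp", 77), fex_untrusted, mapping))
    # Trusted peer tagged SGT 10 talking to an SGT 20 host: tcp permitted, icmp denied.
    print(enforce(Packet("10.1.2.10", "10.1.1.10", "tcp", 10), trusted, mapping))
    print(enforce(Packet("10.1.2.10", "10.1.1.10", "icmp", 10), trusted, mapping))
    print(ace_counts(10, 10, 3))  # 300 traditional ACEs versus 3 SGACL entries
```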
SXP for SGT Propagation Across Legacy Access Networks
The Cisco NX-OS device hardware in the access layer supports Cisco TrustSec. Without the Cisco TrustSec hardware, the Cisco TrustSec software cannot tag the packets with SGTs. You can use SXP to propagate the SGTs across network devices that do not have hardware support for Cisco TrustSec.
SXP operates between access layer devices and distribution layer devices. The access layer devices use SXP to pass the IP addresses of the Cisco TrustSec-authenticated devices with their SGTs to the distribution switches. Distribution devices with both Cisco TrustSec-enabled software and hardware can use this information to tag packets appropriately and enforce SGACL policies.
This figure shows how to use SXP to propagate SGT information in a legacy network.
Figure 11: Using SXP to Propagate SGT Information
Tagging packets with SGTs requires hardware support. You might have devices in your network that cannot tag packets with SGTs. To allow these devices to send IP address-to-SGT mappings to a device that has Cisco TrustSec-capable hardware, you must manually set up the SXP connections. Manually setting up an SXP connection requires the following:
• If you require SXP data integrity and authentication, you must configure the same SXP password on both peer devices. You can configure the SXP password either explicitly for each peer connection or globally for the device. The SXP password is not required.
• You must configure each peer on the SXP connection as either an SXP speaker or an SXP listener. The speaker device distributes the SXP information to the listener device.
Note
This Cisco Nexus device does not have the functionality to be an SXP listener. It can only be an SXP speaker.
• You can specify a source IP address to use for each peer relationship or you can configure a default source IP address for peer connections where you have not configured a specific source IP address.
Authorization and Policy Acquisition
After authentication ends, both the supplicant and AT obtain the security policy from the authentication server.
The supplicant and AT enforce the policy against each other. Both the supplicant and AT provide the peer device ID that each receives after authentication. If the peer device ID is not available, Cisco TrustSec can use a manually configured peer device ID.
The authentication server returns the following policy attributes:
Cisco TrustSec trust
Indicates whether the neighbor device is to be trusted for the purpose of putting the SGT in the packets.
Peer SGT
Indicates the security group that the peer belongs to. If the peer is not trusted, all packets received from the peer are tagged with the SGT configured on the ingress interface. If enforcement is enabled on this interface, the SGACLs that are associated with the peer SGT are downloaded. If the device does not know if the SGACLs are associated with the peer’s SGT, the device might send a follow-up request to fetch the SGACLs.
Authorization expiry time
Indicates the number of seconds before the policy expires. The Cisco-proprietary attribute-value (AV) pairs indicate the expiration time of an authorization or policy response to a Cisco TrustSec device. A Cisco TrustSec device should refresh its policy and authorization before it times out.
Tip
Each Cisco TrustSec device should support some minimal default access policy in case it is not able to contact the authentication server to get an appropriate policy for the peer.
Environment Data Download
The Cisco TrustSec environment data is a collection of information or policies that assists a device to function as a Cisco TrustSec node. The device acquires the environment data from the authentication server when the device first joins a Cisco TrustSec cloud, although you might also manually configure some of the data on a device. For example, you must configure the seed Cisco TrustSec device with the authentication server information, which can later be augmented by the server list that the device acquires from the authentication server.
The device must refresh the Cisco TrustSec environment data before it expires. The device can also cache the data and reuse it after a reboot if the data has not expired.
The device uses RADIUS to acquire the following environment data from the authentication server:
Server lists
List of servers that the client can use for future RADIUS requests (for both authentication and authorization).
Device SGT
Security group to which the device itself belongs.
Expiry timeout
Interval that controls how often the Cisco TrustSec device should refresh its environment data.
RADIUS Relay Functionality
The Cisco NX-OS device that plays the role of the Cisco TrustSec AT in the 802.1X authentication process has IP connectivity to the authentication server, which allows it to acquire the policy and authorization from the authentication server by exchanging RADIUS messages over UDP/IP. The supplicant device may not have IP connectivity with the authentication server. In such cases, Cisco TrustSec allows the AT to act as a RADIUS relay for the supplicant.
The supplicant sends a special EAP over LAN (EAPOL) message to the Cisco TrustSec AT that contains the RADIUS server IP address and UDP port and the complete RADIUS request. The Cisco TrustSec AT extracts the RADIUS request from the received EAPOL message and sends it over UDP/IP to the authentication server.
When the RADIUS response returns from the authentication server, the Cisco TrustSec AT forwards the message back to the supplicant, encapsulated in an EAPOL frame.
Licensing Requirements for Cisco TrustSec
The following table shows the licensing requirements for this feature:
Product: Cisco NX-OS
License Requirement: Cisco TrustSec requires no license. Any feature not included in a license package is bundled with the Cisco NX-OS system images and is provided at no extra charge to you. For a complete explanation of the Cisco NX-OS licensing scheme, see the License and Copyright Information for Cisco NX-OS Software.
Prerequisites for Cisco TrustSec
Cisco TrustSec has the following prerequisites:
• You must enable the 802.1X feature before you enable the Cisco TrustSec feature. Although none of the 802.1X interface level features are available, 802.1X is required for the device to authenticate with RADIUS.
• You must enable the Cisco TrustSec feature.
Guidelines and Limitations for Cisco TrustSec
Cisco TrustSec has the following guidelines and limitations:
• Cisco TrustSec uses RADIUS for authentication.
• AAA authentication and authorization for Cisco TrustSec is only supported by the Cisco Secure Access Control Server (ACS).
• Cisco TrustSec supports IPv4 addressing only.
• SXP cannot use the management (mgmt 0) interface.
• You cannot enable Cisco TrustSec on interfaces in half-duplex mode.
• Clearing policies does not take effect immediately; it requires a flap to occur. In addition, the way policies are cleared depends on whether the SGT is static or dynamic. For a static SGT, the SGT is reset to 0 after the flap occurs. For a dynamic SGT, the SGT is downloaded again from the RADIUS server after the flap occurs.
• Cisco TrustSec supports management switch virtual interfaces (SVIs), not routed SVIs.
• The 802.1X feature must be enabled before you enable the Cisco TrustSec feature. However, none of the 802.1X interface level features are available. The 802.1X feature is only used for the device to authenticate with RADIUS.
• RBACL is only implemented on bridged Ethernet traffic and cannot be enabled on a routing VLAN or routing interface.
• The determination of whether a peer is trusted or not and its capability to propagate SGTs on egress are made at the physical interface level.
• Cisco TrustSec interface configurations on port channel members must be exactly the same. If a port channel member is inconsistent with the other port channel members, it will be error disabled.
• In a vPC domain, use the configuration synchronization mode (config-sync) to create switch profiles to ensure that the Cisco TrustSec configuration is synchronized between peers. If you configure the same vPC differently on two peer switches, traffic is treated differently.
• The maximum number of RBACL TCAM entries is 128, with 4 entries used by default, and the remaining 124 entries user-configurable.
• Cisco TrustSec is not supported on Layer 3 interfaces or Virtual Routing and Forwarding (VRF) interfaces.
• The cts-manual, cts trusted mode, and no-propagate sgt configurations must be consistent among all FEX ports or vEthernet ports on the same fabric port. If these configurations are inconsistent, the interfaces are err-disabled.
• The cts-manual, sgt value, cts trusted mode, and no-propagate sgt configurations must be consistent among all port channel members on the same port channel. If these configurations are inconsistent, the interfaces are err-disabled.
Default Settings for Cisco TrustSec Parameters
This table lists the default settings for Cisco TrustSec parameters.
Table 11: Default Cisco TrustSec Parameters Settings
Cisco TrustSec: Disabled
SXP: Disabled
SXP default password: None
SXP reconcile period: 120 seconds (2 minutes)
SXP retry period: 60 seconds (1 minute)
RBACL logging: Disabled
RBACL statistics: Disabled
Configuring Cisco TrustSec
This section provides information about the configuration tasks for Cisco TrustSec.
Enabling the Cisco TrustSec Feature
You must enable both the 802.1X feature and the Cisco TrustSec feature on the Cisco NX-OS device before you can configure Cisco TrustSec. However, none of the 802.1X interface level features are available. The 802.1X feature is only used for the device to authenticate with RADIUS.
Procedure
Step 1: configure terminal
Purpose: Enters global configuration mode.
Example:
switch# configure terminal
switch(config)#
Step 2: feature dot1x
Purpose: Enables the 802.1X feature.
Example:
switch(config)# feature dot1x
Step 3: feature cts
Purpose: Enables the Cisco TrustSec feature.
Example:
switch(config)# feature cts
Step 4: exit
Purpose: Exits global configuration mode.
Example:
switch(config)# exit
switch#
Step 5: show cts
Purpose: (Optional) Displays the Cisco TrustSec configuration.
Example:
switch# show cts
Step 6: show feature
Purpose: (Optional) Displays the enabled status for features.
Example:
switch# show feature
Step 7: copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
Example:
switch# copy running-config startup-config
Configuring Cisco TrustSec Device Credentials
You must configure unique Cisco TrustSec credentials on each Cisco TrustSec-enabled Cisco NX-OS device in your network. Cisco TrustSec uses the password in the credentials for device authentication.
Note
You must also configure the Cisco TrustSec credentials for the Cisco NX-OS device on the Cisco Secure ACS (see the documentation at the following URL: http://www.cisco.com/en/US/products/sw/secursw/ps5338/products_installation_and_configuration_guides_list.html).
Before You Begin
Ensure that you enabled Cisco TrustSec.
Procedure
Step 1: configure terminal
Purpose: Enters global configuration mode.
Example:
switch# configure terminal
switch(config)#
Step 2: cts device-id name password password
Purpose: Configures a unique device ID and password. The name argument has a maximum length of 32 characters and is case sensitive.
Note: To remove the configuration of the device ID and the password, use the no form of the command.
Example:
switch(config)# cts device-id MyDevice1 password CiscO321
Step 3: exit
Purpose: Exits global configuration mode.
Example:
switch(config)# exit
switch#
Step 4: show cts
Purpose: (Optional) Displays the Cisco TrustSec configuration.
Example:
switch# show cts
Step 5: show cts environment
Purpose: (Optional) Displays the Cisco TrustSec environment data.
Example:
switch# show cts environment
Step 6: copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
Example:
switch# copy running-config startup-config
Related Topics
Enabling the Cisco TrustSec Feature, on page 133
Configuring AAA for Cisco TrustSec
You can use Cisco Secure ACS for Cisco TrustSec authentication. You must configure RADIUS server groups and specify the default AAA authentication and authorization methods on one of the Cisco TrustSec-enabled Cisco NX-OS devices in your network cloud.
Note
Only the Cisco Secure ACS supports Cisco TrustSec.
Configuring AAA on the Cisco TrustSec Cisco NX-OS Devices
This section describes how to configure AAA on the Cisco NX-OS device in your Cisco TrustSec network cloud.
Before You Begin
Obtain the IPv4 address or hostname for the Cisco Secure ACS.
Ensure that you enabled Cisco TrustSec.
Procedure
Step 1: configure terminal
Purpose: Enters global configuration mode.
Example:
switch# configure terminal
switch(config)#
Step 2: radius-server host {ipv4-address | ipv6-address | hostname} key [0 | 7] key pac
Purpose: Configures a RADIUS server host with a key and PAC. The hostname argument is alphanumeric, case sensitive, and has a maximum of 256 characters. The key argument is alphanumeric, case sensitive, and has a maximum length of 63 characters. The 0 option indicates that the key is in clear text. The 7 option indicates that the key is encrypted. The default is clear text.
Example:
switch(config)# radius-server host 10.10.1.1 key L1a0K2s9 pac
Step 3: show radius-server
Purpose: (Optional) Displays the RADIUS server configuration.
Example:
switch# show radius-server
Step 4: aaa group server radius group-name
Purpose: Specifies the RADIUS server group and enters RADIUS server group configuration mode.
Example:
switch(config)# aaa group server radius Rad1
switch(config-radius)#
Step 5: server {ipv4-address | ipv6-address | hostname}
Purpose: Specifies the RADIUS server host address.
Example:
switch(config-radius)# server 10.10.1.1
Step 6: use-vrf vrf-name
Purpose: Specifies the management VRF instance for the AAA server group.
Note: If you use the management VRF instance, no further configuration is necessary for the devices in the network cloud. If you use a different VRF instance, you must configure the devices with that VRF instance.
Example:
switch(config-radius)# use-vrf management
Step 7: exit
Purpose: Exits RADIUS server group configuration mode.
Example:
switch(config-radius)# exit
switch(config)#
Step 8: aaa authentication cts default group group-name
Purpose: Specifies the RADIUS server groups to use for Cisco TrustSec authentication.
Example:
switch(config)# aaa authentication cts default group Rad1
Step 9: aaa authorization cts default group group-name
Purpose: Specifies the RADIUS server groups to use for Cisco TrustSec authorization.
Example:
switch(config)# aaa authorization cts default group Rad1
Step 10: exit
Purpose: Exits global configuration mode.
Example:
switch(config)# exit
switch#
Step 11: show radius-server groups [group-name]
Purpose: (Optional) Displays the RADIUS server group configuration.
Example:
switch# show radius-server groups Rad1
Step 12: show aaa authentication
Purpose: (Optional) Displays the AAA authentication configuration.
Example:
switch# show aaa authentication
Step 13: show aaa authorization
Purpose: (Optional) Displays the AAA authorization configuration.
Example:
switch# show aaa authorization
Step 14: show cts pacs
Purpose: (Optional) Displays the Cisco TrustSec PAC information.
Example:
switch# show cts pacs
Step 15: copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
Example:
switch# copy running-config startup-config
Related Topics
Enabling the Cisco TrustSec Feature, on page 133
Configuring AAA on Cisco TrustSec Nonseed Cisco NX-OS Devices, on page 137
Configuring AAA on Cisco TrustSec Nonseed Cisco NX-OS Devices
Cisco TrustSec configures an AAA server group named aaa-private-sg on the nonseed Cisco NX-OS devices in the network cloud. By default, the aaa-private-sg server group uses the management VRF instance to communicate with the Cisco Secure ACS and no further configuration is required on the nonseed Cisco NX-OS devices. However, if you choose to use a different VRF instance, you must change the aaa-private-sg on the nonseed Cisco NX-OS device to use the correct VRF instance.
Before You Begin
Ensure that you enabled Cisco TrustSec.
Ensure that you have configured a seed Cisco NX-OS device in your network.
Procedure
Step 1: configure terminal
Purpose: Enters global configuration mode.
Example:
switch# configure terminal
switch(config)#
Step 2: aaa group server radius aaa-private-sg
Purpose: Specifies the RADIUS server group aaa-private-sg and enters RADIUS server group configuration mode.
Example:
switch(config)# aaa group server radius aaa-private-sg
switch(config-radius)#
Step 3: use-vrf vrf-name
Purpose: Specifies the management VRF instance for the AAA server group.
Example:
switch(config-radius)# use-vrf MyVRF
Step 4: exit
Purpose: Exits RADIUS server group configuration mode.
Example:
switch(config-radius)# exit
switch(config)#
Step 5: show radius-server groups aaa-private-sg
Purpose: (Optional) Displays the RADIUS server group configuration for the default server group.
Example:
switch(config)# show radius-server groups aaa-private-sg
Step 6: copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
Example:
switch(config)# copy running-config startup-config
Related Topics
Enabling the Cisco TrustSec Feature, on page 133
Configuring AAA on the Cisco TrustSec Cisco NX-OS Devices, on page 135
Configuring Cisco TrustSec Authentication, Authorization, SAP, and Data Path Security
This section provides information about the configuration tasks for Cisco TrustSec authentication, authorization, SAP, and data path security.
Cisco TrustSec Configuration Process for Cisco TrustSec Authentication and Authorization
Follow these steps to configure Cisco TrustSec authentication and authorization:
Procedure
Step 1
Enable the Cisco TrustSec feature.
Step 2
Enable Cisco TrustSec authentication.
Step 3
Enable 802.1X authentication for Cisco TrustSec on the interfaces.
Related Topics
Enabling the Cisco TrustSec Feature, on page 133
Enabling Cisco TrustSec Authentication, on page 139
Enabling Cisco TrustSec Authentication
You must enable Cisco TrustSec authentication on the interfaces. By default, the data path replay protection feature is enabled and the SAP operating mode is GCM-encrypt.
Caution
For the Cisco TrustSec authentication configuration to take effect, you must enable and disable the interface, which disrupts traffic on the interface.
Note
Enabling 802.1X mode for Cisco TrustSec automatically enables authorization and SAP on the interface.
Procedure
Step 1: configure terminal
Purpose: Enters global configuration mode.
Example:
switch# configure terminal
switch(config)#
Step 2: interface ethernet slot/port [- port2]
Purpose: Specifies a single port or a range of ports and enters interface configuration mode.
Example:
switch(config)# interface ethernet 2/2
switch(config-if)#
Step 3: cts dot1x
Purpose: Enables 802.1X authentication for Cisco TrustSec and enters Cisco TrustSec 802.1X configuration mode.
Example:
switch(config-if)# cts dot1x
switch(config-if-cts-dot1x)#
Step 4: no replay-protection
Purpose: (Optional) Disables replay protection. The default is enabled.
Example:
switch(config-if-cts-dot1x)# no replay-protection
Step 5: sap modelist {gcm-encrypt | gmac | no-encap | null}
Purpose: (Optional) Configures the SAP operation mode on the interface.
Use the gcm-encrypt keyword for GCM encryption. This option is the default.
Use the gmac keyword for GCM authentication only.
Use the no-encap keyword for no encapsulation for SAP and no SGT insertion.
Use the null keyword for encapsulation without authentication or encryption.
Example:
switch(config-if-cts-dot1x)# sap modelist gcm-encrypt
Step 6: exit
Purpose: Exits Cisco TrustSec 802.1X configuration mode.
Example:
switch(config-if-cts-dot1x)# exit
switch(config-if)#
Step 7: shutdown
Purpose: Disables the interface.
Example:
switch(config-if)# shutdown
Step 8: no shutdown
Purpose: Enables the interface and enables Cisco TrustSec authentication on the interface.
Example:
switch(config-if)# no shutdown
Step 9: exit
Purpose: Exits interface configuration mode.
Example:
switch(config-if)# exit
switch(config)#
Step 10: show cts interface {all | brief | ethernet slot/port}
Purpose: (Optional) Displays the Cisco TrustSec configuration on the interfaces.
Example:
switch(config)# show cts interface all
Step 11: copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
Example:
switch(config)# copy running-config startup-config
140
Cisco Nexus 5600 Series NX-OS Security Configuration Guide, Release 7.x
OL-30921-01
Configuring Cisco TrustSec
Configuring Cisco TrustSec Authentication, Authorization, SAP, and Data Path Security
Related Topics
Enabling the Cisco TrustSec Feature , on page 133
Configuring Data-Path Replay Protection for Cisco TrustSec on Interfaces
By default, the Cisco NX-OS software enables the data-path replay protection feature. You can disable data-path replay protection on the interfaces for Layer 2 Cisco TrustSec if the connecting device does not support SAP.
Caution
For the data-path replay protection configuration to take effect, you must enable and disable the interface, which disrupts traffic on the interface.
Before You Begin
Ensure that you enabled Cisco TrustSec authentication on the interface.
Procedure
Step 1: configure terminal
Purpose: Enters global configuration mode.
Example:
switch# configure terminal
switch(config)#

Step 2: interface ethernet slot/port [- port2]
Purpose: Specifies a single port or a range of ports and enters interface configuration mode.
Example:
switch(config)# interface ethernet 2/2
switch(config-if)#

Step 3: cts dot1x
Purpose: Enables 802.1X authentication for Cisco TrustSec and enters Cisco TrustSec 802.1X configuration mode.
Example:
switch(config-if)# cts dot1x
switch(config-if-cts-dot1x)#

Step 4: no replay-protection
Purpose: Disables data-path replay protection. The default is enabled. Use the replay-protection command to enable data-path replay protection on the interface.
Example:
switch(config-if-cts-dot1x)# no replay-protection

Step 5: exit
Purpose: Exits Cisco TrustSec 802.1X configuration mode.
Example:
switch(config-if-cts-dot1x)# exit
switch(config-if)#

Step 6: shutdown
Purpose: Disables the interface.
Example:
switch(config-if)# shutdown

Step 7: no shutdown
Purpose: Enables the interface and disables the data-path replay protection feature on the interface.
Example:
switch(config-if)# no shutdown

Step 8: exit
Purpose: Exits interface configuration mode.
Example:
switch(config-if)# exit
switch(config)#

Step 9: show cts interface {all | brief | ethernet slot/port}
Purpose: (Optional) Displays the Cisco TrustSec configuration on the interface.
Example:
switch(config)# show cts interface all

Step 10: copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
Example:
switch(config)# copy running-config startup-config
Related Topics
Enabling Cisco TrustSec Authentication , on page 139
Configuring SAP Operation Modes for Cisco TrustSec on Interfaces
You can configure the SAP operation mode on the interfaces for Layer 2 Cisco TrustSec. The default SAP operation mode is GCM-encrypt.
Caution
For the SAP operation mode configuration to take effect, you must enable and disable the interface, which disrupts traffic on the interface.
Before You Begin
Ensure that you enabled Cisco TrustSec authentication on the interface.
Procedure
Step 1: configure terminal
Purpose: Enters global configuration mode.
Example:
switch# configure terminal
switch(config)#

Step 2: interface ethernet slot/port [- port2]
Purpose: Specifies a single interface or a range of interfaces and enters interface configuration mode.
Example:
switch(config)# interface ethernet 2/2
switch(config-if)#

Step 3: cts dot1x
Purpose: Enables 802.1X authentication for Cisco TrustSec and enters Cisco TrustSec 802.1X configuration mode.
Example:
switch(config-if)# cts dot1x
switch(config-if-cts-dot1x)#

Step 4: sap modelist {gcm-encrypt | gmac | no-encap | null}
Purpose: Configures the SAP operation mode on the interface.
Use the gcm-encrypt keyword for GCM encryption. This option is the default.
Use the gmac keyword for GCM authentication only.
Use the no-encap keyword for no encapsulation for SAP on the interface and no SGT insertion.
Use the null keyword for encapsulation without authentication or encryption for SAP on the interface. Only the SGT is encapsulated.
Example:
switch(config-if-cts-dot1x)# sap modelist gmac

Step 5: exit
Purpose: Exits Cisco TrustSec 802.1X configuration mode.
Example:
switch(config-if-cts-dot1x)# exit
switch(config-if)#

Step 6: shutdown
Purpose: Disables the interface.
Example:
switch(config-if)# shutdown

Step 7: no shutdown
Purpose: Enables the interface and the configured SAP operation mode on the interface.
Example:
switch(config-if)# no shutdown

Step 8: exit
Purpose: Exits interface configuration mode.
Example:
switch(config-if)# exit
switch(config)#

Step 9: show cts interface {all | brief | ethernet slot/port}
Purpose: (Optional) Displays the Cisco TrustSec configuration on the interface.
Example:
switch(config)# show cts interface all

Step 10: copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
Example:
switch(config)# copy running-config startup-config
Related Topics
Enabling Cisco TrustSec Authentication , on page 139
Configuring SGT Propagation for Cisco TrustSec on Interfaces
The SGT propagation feature on the Layer 2 interface is enabled by default. You can disable the SGT propagation feature on an interface if the peer device connected to the interface cannot handle Cisco TrustSec packets tagged with an SGT.
Caution
For the SGT propagation configuration to take effect, you must enable and disable the interface, which disrupts traffic on the interface.
Before You Begin
Ensure that you enabled Cisco TrustSec authentication on the interface.
Procedure
Step 1: configure terminal
Purpose: Enters global configuration mode.
Example:
switch# configure terminal
switch(config)#

Step 2: interface ethernet slot/port [- port2]
Purpose: Specifies a single port or a range of ports and enters interface configuration mode.
Example:
switch(config)# interface ethernet 2/2
switch(config-if)#

Step 3: cts dot1x
Purpose: Enables 802.1X authentication for Cisco TrustSec and enters Cisco TrustSec 802.1X configuration mode.
Example:
switch(config-if)# cts dot1x
switch(config-if-cts-dot1x)#

Step 4: no propagate-sgt
Purpose: Disables SGT propagation. The default is enabled. Use the propagate-sgt command to enable SGT propagation on the interface.
Example:
switch(config-if-cts-dot1x)# no propagate-sgt

Step 5: exit
Purpose: Exits Cisco TrustSec 802.1X configuration mode.
Example:
switch(config-if-cts-dot1x)# exit
switch(config-if)#

Step 6: shutdown
Purpose: Disables the interface.
Example:
switch(config-if)# shutdown

Step 7: no shutdown
Purpose: Enables the interface and disables SGT propagation on the interface.
Example:
switch(config-if)# no shutdown

Step 8: exit
Purpose: Exits interface configuration mode.
Example:
switch(config-if)# exit
switch(config)#

Step 9: show cts interface {all | brief | ethernet slot/port}
Purpose: (Optional) Displays the Cisco TrustSec configuration on the interface.
Example:
switch(config)# show cts interface all

Step 10: copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
Example:
switch(config)# copy running-config startup-config
Related Topics
Enabling Cisco TrustSec Authentication , on page 139
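The four interface procedures above (authentication, data-path replay protection, SAP operation mode and SGT propagation) all live in the same cts dot1x sub-mode and all need the same shutdown/no shutdown cycle, so in practice they are applied as one change. The following is an added configuration example, not taken from this guide, of the resulting configuration on one end of a link. It assumes the Cisco TrustSec feature, device credentials and AAA are already configured as described in "Enabling the Cisco TrustSec Feature"; the interface numbers are illustrative and the peer end must be configured to match.

```cisco
! Added example: one end of a Layer 2 Cisco TrustSec link in 802.1X mode.
! Assumes feature cts, the device credentials and AAA are already in place.
! Interface numbers are illustrative.
configure terminal
 interface ethernet 2/2
  cts dot1x
   ! Defaults stated explicitly so the security posture is visible in the
   ! running-config and a later "no replay-protection" or weaker SAP mode
   ! shows up in a config diff.
   replay-protection
   sap modelist gcm-encrypt
   propagate-sgt
   exit
  ! The cts settings only take effect on a link flap, which disrupts traffic.
  shutdown
  no shutdown
  exit
 ! Peer that cannot parse SGT-tagged frames: keep SAP authentication and
 ! encryption, only stop inserting the tag.
 interface ethernet 2/3
  cts dot1x
   no propagate-sgt
   exit
  shutdown
  no shutdown
  exit
 exit
! Verify that both ends report the same SAP mode, then persist.
show cts interface ethernet 2/2
show cts interface brief
copy running-config startup-config
```

Note the difference between the three ways of changing what crosses the link: no propagate-sgt leaves SAP authentication and encryption in place and only stops SGT insertion; sap modelist no-encap removes SAP encapsulation as well as the tag; sap modelist null keeps the tag but drops authentication and encryption. When the only problem is a peer that cannot handle the tag, no propagate-sgt is the narrowest change. After the flap, show cts interface on both ends should report the same SAP mode; a mismatch is the first thing to check when the link does not come up authenticated.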
Regenerating SAP Keys on an Interface
You can trigger an SAP exchange to generate a new set of keys and protect the data traffic flowing on an interface.
Before You Begin
Ensure that you enabled Cisco TrustSec.
Procedure
Step 1: cts rekey ethernet slot/port
Purpose: Generates the SAP keys for an interface.
Example:
switch# cts rekey ethernet 2/3

Step 2: show cts interface {all | brief | ethernet slot/port}
Purpose: (Optional) Displays the Cisco TrustSec configuration on the interfaces.
Example:
switch# show cts interface all
Related Topics
Enabling Cisco TrustSec Authentication , on page 139
Configuring Cisco TrustSec Authentication in Manual Mode
You can manually configure Cisco TrustSec on an interface if your Cisco NX-OS device does not have access to a Cisco Secure ACS. You must manually configure the interfaces on both ends of the connection.
Caution
For the Cisco TrustSec manual mode configuration to take effect, you must enable and disable the interface, which disrupts traffic on the interface.
Before You Begin
Ensure that you enabled Cisco TrustSec.
Procedure
Step 1: configure terminal
Purpose: Enters global configuration mode.
Example:
switch# configure terminal
switch(config)#

Step 2: interface ethernet slot/port
Purpose: Specifies an interface and enters interface configuration mode.
Example:
switch(config)# interface ethernet 2/2
switch(config-if)#

Step 3: cts manual
Purpose: Enters Cisco TrustSec manual configuration mode.
Note
You cannot enable Cisco TrustSec on interfaces in half-duplex mode.
Example:
switch(config-if)# cts manual
switch(config-if-cts-manual)#

Step 4: policy dynamic identity peer-name
Purpose: (Optional) Configures a dynamic authorization policy download. The peer-name argument is the Cisco TrustSec device ID for the peer device. The peer name is case sensitive.
Note
Ensure that you have configured the Cisco TrustSec credentials and AAA for Cisco TrustSec.
Note
The policy dynamic and policy static commands are mutually exclusive. Only one can be applied at a time. To change from one to the other, you must use the no form of the command to remove the configuration before configuring the other command.
Example:
switch(config-if-cts-manual)# policy dynamic identity MyDevice2

Step 5: policy static sgt tag [trusted]
Purpose: (Optional) Configures a static authorization policy. The tag argument is a hexadecimal value in the format 0xhhhh. The range is from 0x2 to 0xffef. The trusted keyword indicates that traffic coming on the interface with this SGT should not have its tag overridden.
Note
The policy dynamic and policy static commands are mutually exclusive. Only one can be applied at a time. To change from one to the other, you must use the no form of the command to remove the configuration before configuring the other command.
Example:
switch(config-if-cts-manual)# policy static sgt 0x2

Step 6: exit
Purpose: Exits Cisco TrustSec manual configuration mode.
Example:
switch(config-if-cts-manual)# exit
switch(config-if)#

Step 7: shutdown
Purpose: Disables the interface.
Example:
switch(config-if)# shutdown

Step 8: no shutdown
Purpose: Enables the interface and enables Cisco TrustSec authentication on the interface.
Example:
switch(config-if)# no shutdown

Step 9: exit
Purpose: Exits interface configuration mode.
Example:
switch(config-if)# exit
switch(config)#

Step 10: show cts interface {all | brief | ethernet slot/port}
Purpose: (Optional) Displays the Cisco TrustSec configuration for the interfaces.
Example:
switch(config)# show cts interface all

Step 11: copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
Example:
switch(config)# copy running-config startup-config
Related Topics
Enabling the Cisco TrustSec Feature , on page 133
Configuring Pause Frame Encryption or Decryption for Cisco TrustSec on Interfaces
Pause frames are MAC control frames used for Ethernet flow control. The ports on some line cards encrypt and decrypt pause frames while the ports on other line cards do not have this ability. This disparity causes interoperability issues and causes the ports to discard or ignore the pause frames.
You can determine if the pause frames are to be encrypted or clear on individual interfaces. You must configure the interfaces on both ends of the connection but can do so using either dot1x or manual mode. If two ports are connected to form a CTS link and one is clear pause capable and the other is secure (encryption or decryption) pause capable, the pause frames must be sent in the clear across the link in order for them to be correctly sent and received.
Note
Beginning with Cisco NX-OS Release 6.2.2, all F Series and M1 Series modules support both secure
(encrypted and decrypted) and clear pause frames. In prior releases, F1 Series modules, F2 Series modules,
F2e Series modules, and the N7K-M132XP-12(L) module support only clear pause frames.
Note
You cannot enable Cisco TrustSec on interfaces in half-duplex mode. Use the show interface command to determine if an interface is configured for half-duplex mode.
Caution
For the pause frame encryption or decryption configuration to take effect, you must enable and disable the interface, which disrupts traffic on the interface.
Before You Begin
Ensure that you enabled Cisco TrustSec.
Ensure that you have enabled flow control on the interface using the flowcontrol {send | receive} command.
Procedure
Step 1: configure terminal
Purpose: Enters global configuration mode.
Example:
switch# configure terminal
switch(config)#

Step 2: interface ethernet slot/port
Purpose: Specifies an interface and enters interface configuration mode.
Example:
switch(config)# interface ethernet 2/2
switch(config-if)#

Step 3: cts dot1x or cts manual
Purpose: Enters Cisco TrustSec dot1x or manual configuration mode.
Note
You cannot enable Cisco TrustSec on interfaces in half-duplex mode.
Example:
switch(config-if)# cts dot1x
switch(config-if-cts-dot1x)#

Step 4: [no] encrypt pause-frame
Purpose: Configures pause frame encryption or decryption for Cisco TrustSec on the interface. When no encrypt pause-frame is configured, the pause frames are sent in the clear. When encrypt pause-frame is configured, pause frames are sent encrypted over the CTS link.
Example:
switch(config-if-cts-dot1x)# no encrypt pause-frame

Step 5: exit
Purpose: Exits Cisco TrustSec dot1x or manual configuration mode.
Example:
switch(config-if-cts-dot1x)# exit
switch(config-if)#

Step 6: shutdown
Purpose: Disables the interface.
Example:
switch(config-if)# shutdown

Step 7: no shutdown
Purpose: Enables the interface and enables pause frame encryption or decryption for Cisco TrustSec on the interface.
Example:
switch(config-if)# no shutdown

Step 8: exit
Purpose: Exits interface configuration mode.
Example:
switch(config-if)# exit
switch(config)#

Step 9: show cts interface {all | brief | ethernet slot/port}
Purpose: (Optional) Displays the Cisco TrustSec configuration for the interfaces.
Example:
switch(config)# show cts interface all

Step 10: copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
Example:
switch(config)# copy running-config startup-config
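The manual-mode procedure and the pause-frame procedure above are usually applied together on a link where neither end can reach a Cisco Secure ACS. The following is an added example, not taken from this guide, showing both ends of such a link with a static SGT policy and pause frames sent in the clear because one end can only handle clear pause frames. It assumes Cisco TrustSec is enabled on both switches and that flow control is turned on with the flowcontrol {receive | send} on form of the command; the SGT values and interface numbers are illustrative.

```cisco
! Added example: Cisco TrustSec manual mode on both ends of a link, pause frames
! in the clear. Assumes feature cts is enabled on both switches. SGT values and
! interface numbers are illustrative.

! --- Switch A, ethernet 2/2 ---
configure terminal
 interface ethernet 2/2
  ! Flow control must be on before pause-frame handling is configured for CTS.
  flowcontrol receive on
  flowcontrol send on
  cts manual
   ! Untagged traffic arriving from the peer is labelled SGT 0x2; "trusted"
   ! keeps a tag the peer already inserted instead of overriding it.
   ! Range is 0x2 to 0xffef.
   policy static sgt 0x2 trusted
   ! One end is clear-pause-only, so pause frames cross the link unencrypted.
   no encrypt pause-frame
   exit
  ! Manual-mode and pause-frame settings take effect only on a link flap.
  shutdown
  no shutdown
  exit
 exit

! --- Switch B, ethernet 2/2 (the static policy labels traffic from Switch A) ---
configure terminal
 interface ethernet 2/2
  flowcontrol receive on
  flowcontrol send on
  cts manual
   policy static sgt 0x3 trusted
   no encrypt pause-frame
   exit
  shutdown
  no shutdown
  exit
 exit
show cts interface ethernet 2/2
```

Both ends must be configured; a one-sided change leaves the link flapped but unauthenticated. The static policy describes the peer, so each switch assigns its own tag to the traffic the other sends. If an ACS later becomes reachable, remove the static policy with its no form before adding policy dynamic identity peer-name; the two are mutually exclusive and the switch rejects the second while the first is present.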
Configuring SGACL Policies
This section provides information about the configuration tasks for SGACL policies.
SGACL Policy Configuration Process
Follow these steps to configure Cisco TrustSec SGACL policies:
Procedure
Step 1
For Layer 2 interfaces, enable SGACL policy enforcement for the VLANs with Cisco TrustSec-enabled interfaces.
Step 2
If you are not using AAA on a Cisco Secure ACS to download the SGACL policy configuration, manually configure the SGACL mapping and policies.
Enabling SGACL Policy Enforcement on VLANs
If you use SGACLs, you must enable SGACL policy enforcement in the VLANs that have Cisco
TrustSec-enabled Layer 2 interfaces.
Note
This operation cannot be performed on FCoE VLANs.
Before You Begin
• Ensure that you enabled Cisco TrustSec.
• Ensure that you enabled SGACL batch programming.
Procedure
Step 1: configure terminal
Purpose: Enters global configuration mode.
Example:
switch# configure terminal
switch(config)#

Step 2: vlan vlan-id
Purpose: Specifies a VLAN and enters VLAN configuration mode.
Example:
switch(config)# vlan 10
switch(config-vlan)#

Step 3: cts role-based enforcement
Purpose: Enables Cisco TrustSec SGACL policy enforcement on the VLAN.
Note
If you enable cts role-based enforcement on a VLAN with no other configuration on the ports, the traffic traversing those ports is subject to the (0,0) SGACL. You can either configure this SGACL statically or download it from Cisco ISE.
Example:
switch(config-vlan)# cts role-based enforcement

Step 4: exit
Purpose: Saves the VLAN configuration and exits VLAN configuration mode.
Example:
switch(config-vlan)# exit
switch(config)#

Step 5: show cts role-based enable
Purpose: (Optional) Displays the Cisco TrustSec SGACL enforcement configuration.
Example:
switch(config)# show cts role-based enable

Step 6: copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
Example:
switch(config)# copy running-config startup-config
Related Topics
Enabling the Cisco TrustSec Feature , on page 133
Enabling SGACL Policy Enforcement on VRF Instances
If you use SGACLs, you must enable SGACL policy enforcement in the VRF instances that have Cisco
TrustSec-enabled Layer 3 interfaces.
Note
You cannot enable SGACL policy enforcement on the management VRF instance.
Before You Begin
• Ensure that you enabled Cisco TrustSec.
• Ensure that you enabled SGACL batch programming.
• Ensure that you enabled dynamic Address Resolution Protocol (ARP) inspection or Dynamic Host
Configuration Protocol (DHCP) snooping.
Procedure
Step 1: configure terminal
Purpose: Enters global configuration mode.
Example:
switch# configure terminal
switch(config)#

Step 2: vrf context vrf-name
Purpose: Specifies a VRF instance and enters VRF configuration mode.
Example:
switch(config)# vrf context MyVrf
switch(config-vrf)#

Step 3: cts role-based enforcement
Purpose: Enables Cisco TrustSec SGACL policy enforcement on the VRF instance.
Example:
switch(config-vrf)# cts role-based enforcement

Step 4: exit
Purpose: Exits VRF configuration mode.
Example:
switch(config-vrf)# exit
switch(config)#

Step 5: show cts role-based enable
Purpose: (Optional) Displays the Cisco TrustSec SGACL enforcement configuration.
Example:
switch(config)# show cts role-based enable

Step 6: copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
Example:
switch(config)# copy running-config startup-config
Related Topics
Enabling the Cisco TrustSec Feature , on page 133
Manually Configuring Cisco TrustSec SGTs
You can manually configure unique Cisco TrustSec security group tags (SGTs) for the packets originating from this device.
Before You Begin
Ensure that you have enabled Cisco TrustSec.
Procedure
Step 1: configure terminal
Purpose: Enters global configuration mode.
Example:
switch# configure terminal
switch(config)#

Step 2: cts sgt tag
Purpose: Configures the SGT for packets sent from the device. The tag argument is a hexadecimal value in the format 0xhhhh. The range is from 0x2 to 0xffef.
Example:
switch(config)# cts sgt 0x00a2

Step 3: exit
Purpose: Exits global configuration mode.
Example:
switch(config)# exit
switch#

Step 4: show cts environment-data
Purpose: (Optional) Displays the Cisco TrustSec environment data information.
Example:
switch# show cts environment-data

Step 5: copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
Example:
switch# copy running-config startup-config
Related Topics
Enabling the Cisco TrustSec Feature , on page 133
Manually Configuring IPv4-Address-to-SGACL SGT Mapping for a VLAN
You can manually configure an IPv4 address to SGACL SGT mapping on a VLAN so that the policies for that SGT are downloaded from the Secure ACS server, or if you are using SXP mode, the SGT mapping is relayed to the listener.
Before You Begin
Ensure that you enabled Cisco TrustSec.
Ensure that you enabled SGACL policy enforcement on the VLAN.
Procedure
Step 1: configure terminal
Purpose: Enters global configuration mode.
Example:
switch# configure terminal
switch(config)#

Step 2: vlan vlan-id
Purpose: Specifies a VLAN and enters VLAN configuration mode.
Example:
switch(config)# vlan 10
switch(config-vlan)#

Step 3: cts role-based sgt-map ipv4-address tag
Purpose: Configures SGT mapping for the SGACL policies for the VLAN.
Example:
switch(config-vlan)# cts role-based sgt-map 10.10.1.1 100

Step 4: exit
Purpose: Saves the VLAN configuration and exits VLAN configuration mode.
Example:
switch(config-vlan)# exit
switch(config)#

Step 5: show cts role-based sgt-map [summary | sxp peer peer-ipv4-addr | vlan vlan-id | vrf vrf-name]
Purpose: (Optional) Displays the Cisco TrustSec SGACL SGT mapping configuration.
Example:
switch(config)# show cts role-based sgt-map

Step 6: copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
Example:
switch(config)# copy running-config startup-config
Related Topics
Enabling the Cisco TrustSec Feature , on page 133
Enabling SGACL Policy Enforcement on VLANs , on page 151
Enabling SGACL Policy Enforcement on VRF Instances, on page 152
Manually Configuring IPv4-Address-to-SGACL SGT Mapping for a VRF Instance
You can manually configure IPv4-address-to-SGACL SGT mapping on a VRF instance if a Cisco Secure ACS is not available to download the SGACL policy configuration. The IPv4-to-SGT mapping for a VRF is useful for the SXP speaker.
Note
The cts role-based enforcement command is not supported on VRF.
Before You Begin
Ensure that you enabled Cisco TrustSec.
Ensure that the Layer-3 module is enabled.
Procedure
Step 1: configure terminal
Purpose: Enters global configuration mode.
Example:
switch# configure terminal
switch(config)#

Step 2: vrf context vrf-name
Purpose: Specifies a VRF instance and enters VRF configuration mode.
Example:
switch(config)# vrf context accounting
switch(config-vrf)#

Step 3: cts role-based sgt-map ipv4-address tag
Purpose: Configures SGT mapping for the SGACL policies for the VRF instance.
Example:
switch(config-vrf)# cts role-based sgt-map 10.10.1.1 100

Step 4: exit
Purpose: Exits VRF configuration mode.
Example:
switch(config-vrf)# exit
switch(config)#

Step 5: show cts role-based sgt-map [summary | sxp peer peer-ipv4-addr | vlan vlan-id | vrf vrf-name]
Purpose: (Optional) Displays the Cisco TrustSec SGACL SGT mapping configuration.
Example:
switch(config)# show cts role-based sgt-map

Step 6: copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
Example:
switch(config)# copy running-config startup-config
Manually Configuring SGACL Policies
You can manually configure SGACL policies on your Cisco NX-OS device if a Cisco Secure ACS is not available to download the SGACL policy configuration. You can also enable role-based access control list
(RBACL) logging, which allows users to monitor specific types of packets exiting the Cisco NX-OS device.
Before You Begin
Ensure that you have enabled Cisco TrustSec.
For Cisco TrustSec logging to function, you must enable Cisco TrustSec counters or statistics.
Ensure that you have enabled SGACL policy enforcement on the VLAN.
If you plan to enable RBACL logging, ensure that you have enabled RBACL policy enforcement on the
VLAN.
If you plan to enable RBACL logging, ensure that you have set the logging level of CTS manager syslogs to
6 or less.
Procedure
Step 1: configure terminal
Purpose: Enters global configuration mode.
Example:
switch# configure terminal
switch(config)#

Step 2: cts role-based access-list list-name
Purpose: Specifies an SGACL and enters role-based access list configuration mode. The list-name argument value is alphanumeric, case sensitive, and has a maximum length of 32 characters.
Example:
switch(config)# cts role-based access-list MySGACL
switch(config-rbacl)#

Step 3: {deny | permit} all [log]
Purpose: (Optional) Denies or permits all traffic. Optionally, you can use the log keyword to specify that packets matching this configuration be logged.
Example:
switch(config-rbacl)# deny all log

Step 4: {deny | permit} icmp [log]
Purpose: (Optional) Denies or permits Internet Control Message Protocol (ICMP) traffic. Optionally, you can use the log keyword to specify that packets matching this configuration be logged.
Example:
switch(config-rbacl)# permit icmp

Step 5: {deny | permit} igmp [log]
Purpose: (Optional) Denies or permits Internet Group Management Protocol (IGMP) traffic. Optionally, you can use the log keyword to specify that packets matching this configuration be logged.
Example:
switch(config-rbacl)# deny igmp

Step 6: {deny | permit} ip [log]
Purpose: (Optional) Denies or permits IP traffic. Optionally, you can use the log keyword to specify that packets matching this configuration be logged.
Example:
switch(config-rbacl)# permit ip

Step 7: {deny | permit} tcp [{dst | src} {{eq | gt | lt | neq} port-number | range port-number1 port-number2}] [log]
Purpose: (Optional) Denies or permits TCP traffic. The default permits all TCP traffic. The range for the port-number, port-number1, and port-number2 arguments is from 0 to 65535. Optionally, you can use the log keyword to specify that packets matching this configuration be logged.
Example:
switch(config-rbacl)# deny tcp dst eq 100

Step 8: {deny | permit} udp [{dst | src} {{eq | gt | lt | neq} port-number | range port-number1 port-number2}] [log]
Purpose: (Optional) Denies or permits UDP traffic. The default permits all UDP traffic. The range for the port-number, port-number1, and port-number2 arguments is from 0 to 65535. Optionally, you can use the log keyword to specify that packets matching this configuration be logged.
Example:
switch(config-rbacl)# permit udp src eq 1312

Step 9: exit
Purpose: Exits role-based access-list configuration mode.
Example:
switch(config-rbacl)# exit
switch(config)#

Step 10: cts role-based sgt {sgt-value | any | unknown} dgt {dgt-value | any | unknown} access-list list-name
Purpose: Maps the SGT values to the SGACL. The sgt-value and dgt-value argument values range from 0 to 65519.
Note
You must create the SGACL before you can map SGTs to it.
Example:
switch(config)# cts role-based sgt 3 dgt 10 access-list MySGACL

Step 11: show cts role-based access-list
Purpose: (Optional) Displays the Cisco TrustSec SGACL configuration.
Example:
switch(config)# show cts role-based access-list

Step 12: copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
Example:
switch(config)# copy running-config startup-config
Related Topics
Enabling the Cisco TrustSec Feature , on page 133
Enabling SGACL Policy Enforcement on VLANs , on page 151
Enabling SGACL Policy Enforcement on VRF Instances, on page 152
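Taken together, the VLAN enforcement, device SGT, IPv4-address-to-SGT mapping and SGACL procedures above produce one policy matrix. The following configuration is an added example and not taken from this guide. It assumes Cisco TrustSec is enabled, the SGACL batch-programming prerequisite listed above is met and the CTS manager syslog level is already 6 or lower; the VLAN, IP addresses, SGT values, port number and list names are illustrative.

```cisco
! Added example: manual SGACL policy for one VLAN with two tiers of hosts.
! Assumes feature cts is enabled and the SGACL batch-programming and syslog-level
! prerequisites from this guide are met. VLAN, addresses, SGTs, port and list
! names are illustrative.
configure terminal
 ! Counters must be on for the "log" keyword in the SGACLs below to produce syslogs.
 cts role-based counters enable
 ! SGT carried by packets this switch itself originates (range 0x2 to 0xffef).
 cts sgt 0x00a2
 ! Enforcement on the VLAN holding the CTS-enabled Layer 2 ports (not an FCoE VLAN).
 vlan 10
  cts role-based enforcement
  ! Static IPv4-to-SGT bindings: web tier = 100, database tier = 200.
  cts role-based sgt-map 10.10.1.1 100
  cts role-based sgt-map 10.10.1.2 200
  exit
 ! SGACLs are stateless, so each direction of a permitted flow needs its own list:
 ! requests match the destination port, replies match the source port.
 cts role-based access-list WEB-TO-DB
  permit tcp dst eq 3306
  deny all log
  exit
 cts role-based access-list DB-TO-WEB
  permit tcp src eq 3306
  deny all log
  exit
 ! Fail-closed catch-all for untagged traffic. Once enforcement is on, untagged
 ! frames hit the (0,0) cell; "unknown" is SGT 0, so this cell is written
 ! deliberately instead of being left implicit.
 cts role-based access-list UNTAGGED
  deny all log
  exit
 ! Bind the lists to (source SGT, destination SGT) cells. The lists must exist
 ! before they can be mapped.
 cts role-based sgt 100 dgt 200 access-list WEB-TO-DB
 cts role-based sgt 200 dgt 100 access-list DB-TO-WEB
 cts role-based sgt unknown dgt unknown access-list UNTAGGED
 exit
! Verify enforcement, bindings, lists and hit counts, then persist.
show cts role-based enable
show cts role-based sgt-map vlan 10
show cts role-based access-list
show cts role-based counters
copy running-config startup-config
```

Two points the step tables do not make obvious. First, writing only WEB-TO-DB looks complete but silently drops every reply from the database tier, because the 200-to-100 cell has no permit; both cells of the matrix must be written for a flow to work. Second, the UNTAGGED cell decides what happens to every host on the VLAN that has no binding yet. During rollout, swap its single entry for permit all log and watch show cts role-based counters until the unknown-to-unknown counters stop climbing, then return it to deny all log.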
Displaying the Downloaded SGACL Policies
After you configure the Cisco TrustSec device credentials and AAA, you can verify the Cisco TrustSec
SGACL policies downloaded from the Cisco Secure ACS. The Cisco NX-OS software downloads the SGACL policies when it learns of a new SGT through authentication and authorization on an interface or from manual
IPv4 address to SGACL SGT mapping.
Before You Begin
Ensure that you enabled Cisco TrustSec.
Procedure
Step 1: show cts role-based access-list
Purpose: Displays Cisco TrustSec SGACLs, both downloaded from the Cisco Secure ACS and manually configured on the Cisco NX-OS device.
Example:
switch# show cts role-based access-list
Related Topics
Enabling the Cisco TrustSec Feature , on page 133
Refreshing the Downloaded SGACL Policies
You can refresh the SGACL policies downloaded to the Cisco NX-OS device by the Cisco Secure ACS.
Before You Begin
Ensure that you enabled Cisco TrustSec.
Procedure
Step 1: cts refresh role-based-policy
Purpose: Refreshes the Cisco TrustSec SGACL policies from the Cisco Secure ACS.
Example:
switch# cts refresh role-based-policy

Step 2: show cts role-based policy
Purpose: (Optional) Displays the Cisco TrustSec SGACL policies.
Example:
switch# show cts role-based policy
Related Topics
Enabling the Cisco TrustSec Feature , on page 133
Enabling Statistics for RBACL
You can request a count of the number of packets that match role-based access control list (RBACL) policies.
These statistics are collected per ACE.
Note
RBACL statistics are lost only when the Cisco NX-OS device reloads or you deliberately clear the statistics.
Before You Begin
Ensure that you have enabled Cisco TrustSec.
If you plan to enable RBACL statistics, ensure that you have enabled RBACL policy enforcement on the
VLAN.
When you enable RBACL statistics, each policy requires one entry in the hardware. If you do not have enough space remaining in the hardware, an error message appears, and you are unable to enable the statistics.
Procedure
Step 1: configure terminal
Purpose: Enters global configuration mode.
Example:
switch# configure terminal
switch(config)#

Step 2: [no] cts role-based counters enable
Purpose: Enables or disables RBACL statistics. The default is disabled.
Example:
switch(config)# cts role-based counters enable

Step 3: copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
Example:
switch(config)# copy running-config startup-config

Step 4: exit
Purpose: Exits global configuration mode.
Example:
switch(config)# exit
switch#

Step 5: show cts role-based counters
Purpose: (Optional) Displays the configuration status of RBACL statistics and lists statistics for all RBACL policies.
Example:
switch# show cts role-based counters

Step 6: clear cts role-based counters
Purpose: (Optional) Clears the RBACL statistics so that all counters are reset to 0.
Example:
switch# clear cts role-based counters
Clearing Cisco TrustSec SGACL Policies
You can clear the Cisco TrustSec SGACL policies.
Note
Clearing policies does not take effect immediately; it requires a flap to occur. In addition, the way policies are cleared depends on whether the SGT is static or dynamic. For a static SGT, the SGT is reset to 0 after the flap occurs. For a dynamic SGT, the SGT is downloaded again from the RADIUS server after the flap occurs.
Before You Begin
Ensure that you enabled Cisco TrustSec.
Procedure
Step 1: show cts role-based policy
  (Optional) Displays the Cisco TrustSec RBACL policy configuration.
  Example:
  switch# show cts role-based policy
Step 2: clear cts policy {all | peer device-name | sgt sgt-value}
  Clears the policies for Cisco TrustSec connection information.
  Example:
  switch# clear cts policy all
Related Topics
Enabling the Cisco TrustSec Feature , on page 133
Manually Configuring SXP
You can use the SGT Exchange Protocol (SXP) to propagate the SGTs across network devices that do not have hardware support for Cisco TrustSec. This section describes how to configure Cisco TrustSec SXP on Cisco NX-OS devices in your network.
Cisco TrustSec SXP Configuration Process
Follow these steps to manually configure Cisco TrustSec SXP:
Procedure
Step 1: Enable the Cisco TrustSec feature.
Step 2: Enable Cisco TrustSec SXP.
Step 3: Configure SXP peer connections.
Note
You cannot use the management (mgmt 0) connection for SXP.
Related Topics
Enabling SGACL Policy Enforcement on VLANs , on page 151
Enabling SGACL Policy Enforcement on VRF Instances, on page 152
Manually Configuring IPv4-Address-to-SGACL SGT Mapping for a VLAN, on page 154
Manually Configuring SGACL Policies, on page 156
Enabling the Cisco TrustSec Feature , on page 133
Enabling Cisco TrustSec SXP , on page 162
Configuring Cisco TrustSec SXP Peer Connections, on page 163
Enabling Cisco TrustSec SXP
You must enable Cisco TrustSec SXP before you can configure peer connections.
Before You Begin
Ensure that you enabled Cisco TrustSec.
Procedure
Step 1: configure terminal
  Enters global configuration mode.
  Example:
  switch# configure terminal
  switch(config)#
Step 2: cts sxp enable
  Enables SXP for Cisco TrustSec.
  Example:
  switch(config)# cts sxp enable
Step 3: exit
  Exits global configuration mode.
  Example:
  switch(config)# exit
  switch#
Step 4: show cts sxp
  (Optional) Displays the SXP configuration.
  Example:
  switch# show cts sxp
Step 5: copy running-config startup-config
  (Optional) Copies the running configuration to the startup configuration.
  Example:
  switch# copy running-config startup-config
Related Topics
Enabling the Cisco TrustSec Feature , on page 133
Configuring Cisco TrustSec SXP Peer Connections
You must configure the SXP peer connection on both the speaker and listener devices. When using password protection, make sure to use the same password on both ends.
Note
If the default SXP source IP address is not configured and you do not specify the SXP source address in the connection, the Cisco NX-OS software derives the SXP source IP address from existing local IP addresses. The SXP source address could be different for each TCP connection initiated from the Cisco NX-OS device.
Note
This Cisco Nexus switch supports SXP speaker mode only. Therefore, any SXP peer must be configured as a listener.
Before You Begin
Ensure that you enabled Cisco TrustSec.
Ensure that you enabled SXP.
Ensure that you enabled RBACL policy enforcement in the VRF instance.
Procedure
Step 1: configure terminal
  Enters global configuration mode.
  Example:
  switch# configure terminal
  switch(config)#
Step 2: cts sxp connection peer peer-ipv4-addr [source src-ipv4-addr] password {default | none | required password} mode listener [vrf vrf-name]
  Configures the SXP address connection.
  The source keyword specifies the IPv4 address of the source device. The default source is the IPv4 address you configured using the cts sxp default source-ip command.
  The password keyword specifies the password that SXP should use for the connection using the following options:
  • Use the default option to use the default SXP password that you configured using the cts sxp default password command.
  • Use the none option to not use a password.
  • Use the required option to use the password specified in the command.
  Example:
  switch(config)# cts sxp connection peer 10.10.1.1 source 20.20.1.1 password default mode listener
  The speaker and listener keywords specify the role of the remote peer device. Because this Cisco Nexus Series switch can only act as the speaker in the connection, the peer must be configured as the listener.
  The vrf keyword specifies the VRF instance to the peer. The default is the default VRF instance.
  Note
  You cannot use the management (mgmt 0) interface for SXP.
Step 3: exit
  Exits global configuration mode.
  Example:
  switch(config)# exit
  switch#
Step 4: show cts sxp connections
  (Optional) Displays the SXP connections and their status.
  Example:
  switch# show cts sxp connections
Step 5: copy running-config startup-config
  (Optional) Copies the running configuration to the startup configuration.
  Example:
  switch# copy running-config startup-config
Related Topics
Enabling the Cisco TrustSec Feature , on page 133
Enabling Cisco TrustSec SXP , on page 162
Enabling SGACL Policy Enforcement on VRF Instances, on page 152
Configuring the Default SXP Password
By default, SXP uses no password when setting up connections. You can configure a default SXP password for the Cisco NX-OS device.
Before You Begin
Ensure that you enabled Cisco TrustSec.
Ensure that you enabled SXP.
Procedure
Step 1: configure terminal
  Enters global configuration mode.
  Example:
  switch# configure terminal
  switch(config)#
Step 2: cts sxp default password password
  Configures the SXP default password.
  Example:
  switch(config)# cts sxp default password A2Q3d4F5
Step 3: exit
  Exits global configuration mode.
  Example:
  switch(config)# exit
  switch#
Step 4: show cts sxp
  (Optional) Displays the SXP configuration.
  Example:
  switch# show cts sxp
Step 5: show running-config cts
  (Optional) Displays the SXP configuration in the running configuration.
  Example:
  switch# show running-config cts
Step 6: copy running-config startup-config
  (Optional) Copies the running configuration to the startup configuration.
  Example:
  switch# copy running-config startup-config
Related Topics
Enabling the Cisco TrustSec Feature , on page 133
Enabling Cisco TrustSec SXP , on page 162
Configuring the Default SXP Source IPv4 Address
The Cisco NX-OS software uses the default source IPv4 address in all new TCP connections where a source IPv4 address is not specified. When you change the default source IP address, the existing SXP connections are reset and the IP-SGT bindings learned over SXP are cleared. The SXP connections for which a source IP address has been configured continue to use the same IP address when they come back up.
The SXP connections for which a source IP address has not been configured use the default IP address as the source IP address. Note that for such connections, correct destination IP address configuration on the peer and reachability to the default source IP address are required before such connections can become operational. It is recommended to ensure that these conditions are met for existing operational connections before configuring the default source IP address on a device.
Before You Begin
Ensure that you enabled Cisco TrustSec.
Ensure that you enabled SXP.
Procedure
Step 1: configure terminal
  Enters global configuration mode.
  Example:
  switch# configure terminal
  switch(config)#
Step 2: cts sxp default source-ip src-ip-addr
  Configures the SXP default source IPv4 address.
  Example:
  switch(config)# cts sxp default source-ip 10.10.3.3
Step 3: exit
  Exits global configuration mode.
  Example:
  switch(config)# exit
  switch#
Step 4: show cts sxp
  (Optional) Displays the SXP configuration.
  Example:
  switch# show cts sxp
Step 5: copy running-config startup-config
  (Optional) Copies the running configuration to the startup configuration.
  Example:
  switch# copy running-config startup-config
Related Topics
Enabling the Cisco TrustSec Feature , on page 133
Enabling Cisco TrustSec SXP , on page 162
Changing the SXP Reconcile Period
After a peer terminates an SXP connection, an internal hold-down timer starts. If the peer reconnects before the internal hold-down timer expires, the SXP reconcile period timer starts. While the SXP reconcile period timer is active, the Cisco NX-OS software retains the SGT mapping entries learned from the previous connection and removes invalid entries. The default value is 120 seconds (2 minutes). Setting the SXP reconcile period to 0 seconds disables the timer and causes all entries from the previous connection to be removed.
Before You Begin
Ensure that you enabled Cisco TrustSec.
Ensure that you enabled SXP.
Procedure
Step 1: configure terminal
  Enters global configuration mode.
  Example:
  switch# configure terminal
  switch(config)#
Step 2: cts sxp reconcile-period seconds
  Changes the SXP reconcile timer period. The default value is 120 seconds (2 minutes). The range is from 0 to 64000.
  Example:
  switch(config)# cts sxp reconcile-period 180
Step 3: exit
  Exits global configuration mode.
  Example:
  switch(config)# exit
  switch#
Step 4: show cts sxp
  (Optional) Displays the SXP configuration.
  Example:
  switch# show cts sxp
Step 5: copy running-config startup-config
  (Optional) Copies the running configuration to the startup configuration.
  Example:
  switch# copy running-config startup-config
Related Topics
Enabling the Cisco TrustSec Feature , on page 133
Enabling Cisco TrustSec SXP , on page 162
Changing the SXP Retry Period
The SXP retry period determines how often the Cisco NX-OS software retries an SXP connection. When an SXP connection is not successfully set up, the Cisco NX-OS software makes a new attempt to set up the connection after the SXP retry period timer expires. The default value is 60 seconds (1 minute). Setting the SXP retry period to 0 seconds disables the timer and retries are not attempted.
Before You Begin
Ensure that you enabled Cisco TrustSec.
Ensure that you enabled SXP.
Procedure
Step 1: configure terminal
  Enters global configuration mode.
  Example:
  switch# configure terminal
  switch(config)#
Step 2: cts sxp retry-period seconds
  Changes the SXP retry timer period. The default value is 60 seconds (1 minute). The range is from 0 to 64000.
  Example:
  switch(config)# cts sxp retry-period 120
Step 3: exit
  Exits global configuration mode.
  Example:
  switch(config)# exit
  switch#
Step 4: show cts sxp
  (Optional) Displays the SXP configuration.
  Example:
  switch# show cts sxp
Step 5: copy running-config startup-config
  (Optional) Copies the running configuration to the startup configuration.
  Example:
  switch# copy running-config startup-config
Related Topics
Enabling the Cisco TrustSec Feature , on page 133
Enabling Cisco TrustSec SXP , on page 162
Verifying the Cisco TrustSec Configuration
To display Cisco TrustSec configuration information, perform one of the following tasks:
show cts
  Displays Cisco TrustSec information.
show cts credentials
  Displays Cisco TrustSec credentials for EAP-FAST.
show cts environment-data
  Displays Cisco TrustSec environmental data.
show cts interface {all | brief | ethernet slot/port}
  Displays the Cisco TrustSec configuration for the interfaces.
show cts role-based access-list
  Displays Cisco TrustSec SGACL information.
show cts pacs
  Displays Cisco TrustSec authorization information and PACs in the device key store.
show cts role-based counters
  Displays the configuration status of RBACL statistics and lists statistics for all RBACL policies.
show cts role-based enable
  Displays Cisco TrustSec SGACL enforcement status.
show cts role-based policy
  Displays Cisco TrustSec SGACL policy information.
show cts role-based sgt-map [summary | sxp peer peer-ipv4-addr | vlan vlan-id | vrf vrf-name]
  Displays the Cisco TrustSec SGACL SGT map configuration.
  Use the summary keyword to display a summary of the SGT mappings.
  Use the sxp peer option to display the SGT map configuration for a specific SXP peer.
  Use the vlan option to display the SGT map configuration for a specific VLAN.
  Use the vrf option to display the SGT map configuration for a specific VRF.
show cts sxp
  Displays Cisco TrustSec SXP information.
show running-config cts
  Displays the Cisco TrustSec information in the running configuration.
Configuration Examples for Cisco TrustSec
This section provides configuration examples for Cisco TrustSec.
Enabling Cisco TrustSec
The following example shows how to enable Cisco TrustSec:
feature dot1x
feature cts
cts device-id device1 password Cisco321
Configuring AAA for Cisco TrustSec on a Cisco NX-OS Device
The following example shows how to configure AAA for Cisco TrustSec on the Cisco NX-OS device:
radius-server host 10.10.1.1 key Cisco123 pac
aaa group server radius Rad1
  server 10.10.1.1
  use-vrf management
aaa authentication cts default group Rad1
aaa authorization cts default group Rad1
Enabling Cisco TrustSec Authentication on an Interface
The following example shows how to enable Cisco TrustSec authentication with a clear text password on an interface:
interface ethernet 2/1
  cts dot1x
  shutdown
  no shutdown
Configuring Cisco TrustSec Authentication in Manual Mode
The following example shows how to configure Cisco TrustSec authentication in manual mode with a static policy on an interface:
interface ethernet 2/1
  cts manual
    policy static sgt 0x20
    no propagate-sgt
The following example shows how to configure Cisco TrustSec authentication in manual mode with a dynamic policy on an interface:
interface ethernet 2/2
  cts manual
    policy dynamic identity device2
Configuring Cisco TrustSec Role-Based Policy Enforcement for the Default VRF Instance
The following example shows how to enable Cisco TrustSec role-based policy enforcement for the default VRF instance:
cts role-based enforcement
Configuring Cisco TrustSec Role-Based Policy Enforcement for a Nondefault VRF
The following example shows how to enable Cisco TrustSec role-based policy enforcement for a nondefault VRF:
vrf context test
  cts role-based enforcement
Configuring Cisco TrustSec Role-Based Policy Enforcement for a VLAN
The following example shows how to enable Cisco TrustSec role-based policy enforcement for a VLAN:
vlan 10
  cts role-based enforcement
Configuring IPv4 Address to SGACL SGT Mapping for the Default VRF Instance
The following example shows how to manually configure IPv4 address to SGACL SGT mapping for Cisco TrustSec role-based policies for the default VRF instance:
cts role-based sgt-map 10.1.1.1 20
Configuring IPv4 Address to SGACL SGT Mapping for a Nondefault VRF Instance
The following example shows how to manually configure IPv4 address to SGACL SGT mapping for Cisco TrustSec role-based policies for a nondefault VRF instance:
vrf context test
  cts role-based sgt-map 30.1.1.1 30
Configuring IPv4 Address to SGACL SGT Mapping for a VLAN
The following example shows how to manually configure IPv4 address to SGACL SGT mapping for Cisco TrustSec role-based policies for a VLAN:
vlan 10
  cts role-based sgt-map 20.1.1.1 20
Manually Configuring Cisco TrustSec SGACLs
The following example shows how to manually configure Cisco TrustSec SGACLs:
cts role-based access-list abcd
  permit icmp
cts role-based sgt 10 dgt 20 access-list abcd
The following example shows how to enable RBACL logging:
cts role-based access-list RBACL1
  deny tcp src eq 1111 dest eq 2222 log
cts role-based sgt 10 dgt 20 access-list RBACL1
The above configuration generates the following ACLLOG syslog:
%$ VDC-1 %$ %CTS-6-CTS_RBACL_STAT_LOG: CTS ACE permit all log, Threshold exceeded: Hit count in 10s period = 4
Note
The ACLLOG syslog does not contain the destination group tag (DGT) information of the matched RBACL policy.
The following example shows how to enable and display RBACL statistics:
cts role-based counters enable
show cts role-based counters
RBACL policy counters enabled
Counters last cleared: 06/08/2009 at 01:32:59 PM
rbacl:abc
  deny tcp dest neq 80          [0]
  deny tcp dest range 78 79     [0]
rbacl:def
  deny udp                      [0]
  deny ip                       [0]
  deny igmp                     [0]
Manually Configuring SXP Peer Connections
This figure shows an example of SXP peer connections over the default VRF instance.
Note
Because this Cisco Nexus switch supports only SXP speaker mode, it can only be configured as SwitchA in this example.
Figure 12: Example SXP Peer Connections
The following example shows how to configure the SXP peer connections on SwitchA:
feature cts
cts sxp enable
cts sxp connection peer 10.20.2.2 password required A2BsxpPW mode listener
cts sxp connection peer 10.30.3.3 password required A2CsxpPW mode listener
The following example shows how to configure the SXP peer connection on SwitchB:
feature cts
cts sxp enable
cts sxp connection peer 10.10.1.1 password required A2BsxpPW mode speaker
The following example shows how to configure the SXP peer connection on SwitchC:
feature cts
cts sxp enable
cts sxp connection peer 10.10.1.1 password required A2CsxpPW mode speaker
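The following Python script is an added example and is not part of the Cisco guide or of NX-OS. It parses the SwitchA, SwitchB, and SwitchC configurations above and checks the two pairing requirements stated earlier: each SXP connection must have a matching connection on the peer with the opposite role, and both ends must use the same password; it also flags a speaker-only switch that declares a peer as speaker. The switch IP addresses (10.10.1.1 for SwitchA) are assumptions derived from the peer statements, and connections using password default or none can only be compared by kind, because the default password itself does not appear in these lines.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: the SwitchA/B/C configurations from the guide's example.
# Switch addresses are assumed from the peer statements (SwitchB and SwitchC
# both peer with 10.10.1.1, so that is taken to be SwitchA).
SAMPLE_CONFIGS: Dict[str, Tuple[str, str]] = {
    "SwitchA": ("10.10.1.1", """
feature cts
cts sxp enable
cts sxp connection peer 10.20.2.2 password required A2BsxpPW mode listener
cts sxp connection peer 10.30.3.3 password required A2CsxpPW mode listener
"""),
    "SwitchB": ("10.20.2.2", """
feature cts
cts sxp enable
cts sxp connection peer 10.10.1.1 password required A2BsxpPW mode speaker
"""),
    "SwitchC": ("10.30.3.3", """
feature cts
cts sxp enable
cts sxp connection peer 10.10.1.1 password required A2CsxpPW mode speaker
"""),
}

# Matches the 'cts sxp connection peer ...' syntax documented in this section.
CONN_RE = re.compile(
    r"^cts sxp connection peer (?P<peer>\S+)(?: source (?P<source>\S+))?"
    r" password (?:(?P<pw>default|none)|required (?P<secret>\S+))"
    r" mode (?P<mode>speaker|listener)(?: vrf (?P<vrf>\S+))?$"
)


@dataclass(frozen=True)
class SxpConn:
    switch: str
    local_ip: str
    peer_ip: str
    pw_kind: str            # "default", "none" or "required"
    secret: Optional[str]   # set only when pw_kind == "required"
    mode: str               # role of the REMOTE peer: "speaker" or "listener"


def parse_sxp_connections(switch: str, local_ip: str, config: str) -> List[SxpConn]:
    conns = []
    for line in config.splitlines():
        m = CONN_RE.match(line.strip())
        if m:
            conns.append(SxpConn(switch, local_ip, m["peer"],
                                 m["pw"] or "required", m["secret"], m["mode"]))
    return conns


def audit_sxp(configs, nexus5600=frozenset()):
    """Check SXP pairing across switches.

    configs:   {switch_name: (switch_ip, running_config_text)}
    nexus5600: names of speaker-only switches; every peer they configure must be a listener
    Returns a sorted list of finding strings; an empty list means the pairing is consistent.
    """
    by_ip = {ip: name for name, (ip, _) in configs.items()}
    conns = [c for name, (ip, text) in configs.items()
             for c in parse_sxp_connections(name, ip, text)]
    findings = set()
    for c in conns:
        if c.switch in nexus5600 and c.mode != "listener":
            findings.add(f"{c.switch}: peer {c.peer_ip} must be mode listener (speaker-only platform)")
        peer = by_ip.get(c.peer_ip)
        if peer is None:
            findings.add(f"{c.switch}: no configuration available for peer {c.peer_ip}")
            continue
        pair = " <-> ".join(sorted((c.switch, peer)))
        back = [p for p in conns if p.switch == peer and p.peer_ip == c.local_ip]
        if not back:
            findings.add(f"{pair}: {peer} has no connection back to {c.local_ip}")
            continue
        p = back[0]
        if p.mode == c.mode:   # each side names the other's role, so the keywords must differ
            findings.add(f"{pair}: both sides declare the peer as {c.mode}; roles must be opposite")
        if (c.pw_kind, c.secret) != (p.pw_kind, p.secret):
            findings.add(f"{pair}: password settings differ")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_sxp(SAMPLE_CONFIGS, nexus5600={"SwitchA"}) or ["pairing consistent"]:
        print(finding)
```

Running the script on the three sample configurations reports no findings; changing the password or the mode keyword on only one side of a pair produces exactly one finding for that pair.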
Additional References for Cisco TrustSec
This section provides additional information related to implementing Cisco TrustSec.
Related Documentation
Related Topic              Document Title
Cisco NX-OS licensing      Cisco NX-OS Licensing Guide
Command Reference
Feature History for Cisco TrustSec
This table lists the release history for this feature.
Table 12: Feature History for Cisco TrustSec
Feature Name      Releases       Feature Information
Cisco TrustSec    5.1(3)N1(1)    This feature was introduced.
Chapter 9
Configuring Access Control Lists
This chapter contains the following sections:
• Information About ACLs, page 175
• Configuring MAC ACLs, page 191
• Example Configuration for MAC ACLs, page 195
• Information About VLAN ACLs, page 195
• Configuration Examples for VACL, page 199
• Configuring ACLs on Virtual Terminal Lines, page 199
• Configuring the ACL Resource Usage Threshold, page 202
Information About ACLs
An access control list (ACL) is an ordered set of rules that you can use to filter traffic. Each rule specifies a set of conditions that a packet must satisfy to match the rule. When the switch determines that an ACL applies to a packet, it tests the packet against the conditions of all rules. The first match determines whether the packet is permitted or denied. If there is no match, the switch applies the applicable default rule. The switch continues processing packets that are permitted and drops packets that are denied.
You can use ACLs to protect networks and specific hosts from unnecessary or unwanted traffic. For example, you could use ACLs to disallow HTTP traffic from a high-security network to the Internet. You could also use ACLs to allow HTTP traffic but only to specific sites, using the IP address of the site to identify it in an IP ACL.
IP ACL Types and Applications
The Cisco Nexus device supports IPv4, IPv6, and MAC ACLs for security traffic filtering. The switch allows you to use IP access control lists (ACLs) as port ACLs, VLAN ACLs, and Router ACLs as shown in the following table.
Table 13: Security ACL Applications
Application / Supported Interfaces / Types of ACLs Supported
Port ACL
  An ACL is considered a port ACL when you apply it to one of the following:
  • Ethernet interface
  • Ethernet port-channel interface
  When a port ACL is applied to a trunk port, the ACL filters traffic on all VLANs on the trunk port.
  Types of ACLs supported: IPv4 ACLs, IPv6 ACLs, MAC ACLs
Router ACL
  Supported interfaces:
  • VLAN interfaces
    Note: You must enable VLAN interfaces globally before you can configure a VLAN interface.
  • Physical Layer 3 interfaces
  • Layer 3 Ethernet subinterfaces
  • Layer 3 Ethernet port-channel interfaces
  • Layer 3 Ethernet port-channel subinterfaces
  • Tunnels
  • Management interfaces
  Types of ACLs supported: IPv4 ACLs, IPv6 ACLs
VLAN ACL (VACL)
  An ACL is a VACL when you use an access map to associate the ACL with an action and then apply the map to a VLAN.
  Types of ACLs supported: IPv4 ACLs, MAC ACLs
VTY ACL
  Supported interfaces: VTYs
  Types of ACLs supported: IPv4 ACLs, IPv6 ACLs
Application Order
When the device processes a packet, it determines the forwarding path of the packet. The path determines which ACLs the device applies to the traffic. The device applies the ACLs in the following order:
1. Port ACL
2. Ingress VACL
3. Ingress Router ACL
4. Egress Router ACL
5. Egress VACL
Rules
You can create rules in access-list configuration mode by using the permit or deny command. The switch allows traffic that matches the criteria in a permit rule and blocks traffic that matches the criteria in a deny rule. You have many options for configuring the criteria that traffic must meet in order to match the rule.
Source and Destination
In each rule, you specify the source and the destination of the traffic that matches the rule. You can specify both the source and destination as a specific host, a network or group of hosts, or any host.
Protocols
IPv4, IPv6, and MAC ACLs allow you to identify traffic by protocol. For your convenience, you can specify some protocols by name. For example, in an IPv4 ACL, you can specify ICMP by name.
You can specify any protocol by the integer that represents the Internet protocol number. For example, you can use 115 to specify Layer 2 Tunneling Protocol (L2TP) traffic.
Implicit Rules
IP and MAC ACLs have implicit rules, which means that although these rules do not appear in the running configuration, the switch applies them to traffic when no other rules in an ACL match.
All IPv4 ACLs include the following implicit rule: deny ip any any
This implicit rule ensures that the switch denies unmatched IP traffic.
All IPv6 ACLs include the following implicit rule: deny ipv6 any any
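The following Python model is an added example, not code from the guide or from NX-OS. It shows first-match evaluation over an ordered rule set and the implicit deny ip any any rule that applies when no explicit rule matches, using a constructed sample ACL. The rule syntax it accepts is a subset of the IPv4 ACE syntax described above (permit or deny, protocol by name or by IP protocol number, any/host/prefix endpoints, an optional eq port); the per-rule hit counter is kept only for explicit rules, which is also how the device treats the implicit rule.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Protocol keywords accepted in rule text; None means "any IP protocol".
PROTO_NAMES = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17}


@dataclass
class Ace:
    seq: int
    action: str                      # "permit" or "deny"
    proto: Optional[int]             # IP protocol number, None = any
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    src_port: Optional[int] = None   # only meaningful for TCP/UDP rules
    dst_port: Optional[int] = None
    hits: int = 0                    # per-rule match counter (explicit rules only)


def _take_endpoint(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D/len', plus an optional 'eq N' port."""
    tok = tokens.pop(0)
    if tok == "any":
        net = ipaddress.ip_network("0.0.0.0/0")
    elif tok == "host":
        net = ipaddress.ip_network(tokens.pop(0) + "/32")
    else:
        net = ipaddress.ip_network(tok, strict=False)
    port = None
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        port = int(tokens.pop(0))
    return net, port


def parse_ace(seq, text):
    tokens = text.split()
    action, proto_tok = tokens.pop(0), tokens.pop(0)
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action {action!r}")
    # Protocols may be given by name or by IP protocol number (e.g. 115 for L2TP).
    proto = PROTO_NAMES[proto_tok] if proto_tok in PROTO_NAMES else int(proto_tok)
    src, sport = _take_endpoint(tokens)
    dst, dport = _take_endpoint(tokens)
    return Ace(seq, action, proto, src, dst, sport, dport)


class IPv4Acl:
    def __init__(self, rules):
        """rules: iterable of (sequence_number, rule_text); evaluated in sequence order."""
        self.aces = sorted((parse_ace(s, t) for s, t in rules), key=lambda a: a.seq)

    def evaluate(self, proto, src, dst, sport=None, dport=None):
        """Return 'permit' or 'deny' for one packet using first-match semantics."""
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for ace in self.aces:
            if ace.proto is not None and ace.proto != proto:
                continue
            if src_ip not in ace.src or dst_ip not in ace.dst:
                continue
            if ace.src_port is not None and ace.src_port != sport:
                continue
            if ace.dst_port is not None and ace.dst_port != dport:
                continue
            ace.hits += 1            # first match decides; later rules are not consulted
            return ace.action
        # No explicit rule matched: the implicit 'deny ip any any' applies.
        # It is deliberately not counted, as the device keeps no statistics for it.
        return "deny"

    def statistics(self):
        return {ace.seq: ace.hits for ace in self.aces}


def build_sample_acl():
    """Constructed sample ACL (not from the guide)."""
    return IPv4Acl([
        (10, "permit tcp 10.0.0.0/8 any eq 80"),   # web traffic from the 10/8 network
        (20, "deny tcp any any eq 80"),            # web traffic from anywhere else
        (30, "permit icmp any any"),
        (40, "permit 115 any any"),                # L2TP selected by protocol number
    ])


if __name__ == "__main__":
    acl = build_sample_acl()
    print(acl.evaluate(6, "10.1.2.3", "192.0.2.10", 40000, 80))     # permit (seq 10)
    print(acl.evaluate(6, "172.16.0.1", "192.0.2.10", 40000, 80))   # deny (seq 20)
    print(acl.evaluate(17, "172.16.0.1", "192.0.2.10", 53, 53))     # deny (implicit rule)
    print(acl.statistics())
```

If you want a count of packets that hit the implicit rule, the same approach the guide recommends applies to this model: append an explicit deny ip any any rule, which will then be counted like any other ACE.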
Additional Filtering Options
You can identify traffic by using additional options. IPv4 ACLs support the following additional filtering options:
• Layer 4 protocol
• TCP and UDP ports
• ICMP types and codes
• IGMP types
• Precedence level
• Differentiated Services Code Point (DSCP) value
• TCP packets with the ACK, FIN, PSH, RST, SYN, or URG bit set
• Established TCP connections
IPv6 ACLs support the following additional filtering options:
• Layer 4 protocol
• Authentication Header Protocol
• Encapsulating Security Payload
• Payload Compression Protocol
• Stream Control Transmission Protocol (SCTP)
• SCTP, TCP, and UDP ports
• ICMP types and codes
• IGMP types
• Flow label
• DSCP value
• TCP packets with the ACK, FIN, PSH, RST, SYN, or URG bit set
• Established TCP connections
• Packet length
MAC ACLs support the following additional filtering options:
• Layer 3 protocol
• VLAN ID
• Class of Service (CoS)
Sequence Numbers
The Cisco Nexus device supports sequence numbers for rules. Every rule that you enter receives a sequence number, either assigned by you or assigned automatically by the device. Sequence numbers simplify the following ACL tasks:
• Adding new rules between existing rules—By specifying the sequence number, you specify where in the ACL a new rule should be positioned. For example, if you need to insert a rule between rules numbered 100 and 110, you could assign a sequence number of 105 to the new rule.
• Removing a rule—Without using a sequence number, removing a rule requires that you enter the whole rule, as follows:
  switch(config-acl)# no permit tcp 10.0.0.0/8 any
  However, if the same rule had a sequence number of 101, removing the rule requires only the following command:
  switch(config-acl)# no 101
• Moving a rule—With sequence numbers, if you need to move a rule to a different position within an ACL, you can add a second instance of the rule using the sequence number that positions it correctly, and then you can remove the original instance of the rule. This action allows you to move the rule without disrupting traffic.
If you enter a rule without a sequence number, the device adds the rule to the end of the ACL and assigns a sequence number that is 10 greater than the sequence number of the preceding rule to the rule. For example, if the last rule in an ACL has a sequence number of 225 and you add a rule without a sequence number, the device assigns the sequence number 235 to the new rule.
In addition, the device allows you to reassign sequence numbers to rules in an ACL. Resequencing is useful when an ACL has rules numbered contiguously, such as 100 and 101, and you need to insert one or more rules between those rules.
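The following Python class is an added example (not code from the guide or from NX-OS) that models the sequence-number behaviour described above: automatic numbering at the last number plus 10, insertion at an explicit number, removal by number or by whole rule, moving a rule by adding the second instance before removing the first, and resequencing from a start value by an increment. The starting number of 10 for an empty list is an assumption of this model.

```python
class SequencedAcl:
    """Ordered rule set keyed by sequence number (constructed model, not NX-OS code)."""

    FIRST_SEQ = 10   # assumed number for the first rule of an empty list
    STEP = 10        # the device assigns last sequence number + 10 to an unnumbered rule

    def __init__(self):
        self.rules = {}            # sequence number -> rule text

    def add(self, rule, seq=None):
        """Add a rule; without a sequence number it is appended with last + 10."""
        if seq is None:
            seq = max(self.rules) + self.STEP if self.rules else self.FIRST_SEQ
        if seq in self.rules:
            raise ValueError(f"sequence number {seq} already in use; resequence first")
        self.rules[seq] = rule
        return seq

    def remove(self, seq=None, rule=None):
        """Model 'no <seq>' (by number) or 'no <whole rule>' (by text); returns the removed number."""
        if seq is None:
            matches = [s for s, r in self.rules.items() if r == rule]
            if not matches:
                raise ValueError(f"rule not found: {rule!r}")
            seq = matches[0]
        del self.rules[seq]
        return seq

    def move(self, seq, new_seq):
        """Add the second instance first, then remove the original, so the rule is never absent."""
        rule = self.rules[seq]
        self.add(rule, new_seq)
        self.remove(seq)

    def resequence(self, start=10, step=10):
        """Renumber all rules in their current order, e.g. to open gaps between 100 and 101."""
        ordered = [self.rules[s] for s in sorted(self.rules)]
        self.rules = {start + i * step: r for i, r in enumerate(ordered)}

    def ordered(self):
        return [(s, self.rules[s]) for s in sorted(self.rules)]


if __name__ == "__main__":
    acl = SequencedAcl()
    acl.add("permit tcp 10.0.0.0/8 any")       # 10
    acl.add("deny ip any any", seq=225)
    acl.add("permit icmp any any")             # appended as 235, as in the text
    acl.resequence(100, 1)                     # 100, 101, 102: no room between rules
    acl.resequence(100, 10)                    # 100, 110, 120: room for 105 again
    acl.add("permit udp any any eq 53", seq=105)
    for seq, rule in acl.ordered():
        print(seq, rule)
```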
Logical Operators and Logical Operation Units
IP ACL rules for TCP and UDP traffic can use logical operators to filter traffic based on port numbers.
The Cisco Nexus device stores operator-operand couples in registers called logical operation units (LOUs) to perform operations (greater than, less than, not equal to, and range) on the TCP and UDP ports specified in an IP ACL.
Note
The range operator is inclusive of boundary values.
These LOUs minimize the number of ternary content addressable memory (TCAM) entries needed to perform these operations. A maximum of two LOUs are allowed for each feature on an interface. For example, an ingress RACL can use two LOUs, and a QoS feature can use two LOUs. If an ACL feature requires more than two arithmetic operations, the first two operations use LOUs, and the remaining access control entries (ACEs) get expanded.
The following guidelines determine when the device stores operator-operand couples in LOUs:
• If the operator or operand differs from other operator-operand couples that are used in other rules, the couple is stored in an LOU.
  For example, the operator-operand couples "gt 10" and "gt 11" would be stored separately in half an LOU each. The couples "gt 10" and "lt 10" would also be stored separately.
• Whether the operator-operand couple is applied to a source port or a destination port in the rule affects LOU usage. Identical couples are stored separately when one of the identical couples is applied to a source port and the other couple is applied to a destination port.
  For example, if a rule applies the operator-operand couple "gt 10" to a source port and another rule applies a "gt 10" couple to a destination port, both couples would also be stored in half an LOU, resulting in the use of one whole LOU. Any additional rules using a "gt 10" couple would not result in further LOU usage.
ACL Resource Management
Understanding the ACL capacities when configuring ACLs helps avoid resource contention and exhaustion.
Because the platform enforces several types of ACLs in hardware rather than in software, the switch programs hardware lookup tables and various hardware resources so that when a packet arrives, the switch can perform a hardware table lookup and execute the appropriate action without affecting performance, while the packets are cut-through switched.
For typical configurations, the switch uses one of the following main hardware resources:
• Logical operation units (LOUs): Registers that are used to store Layer 2, Layer 3, and Layer 4 operations information.
• Value, Mask, Result (VMR): Entries in the TCAM that consist of a value pattern, the associated mask value, and a result for lookups returning a hit for the entry.
The switch optimizes the use of these hardware resources for Layer 4 operations (L4Ops). When the L4Ops are exhausted, an ACL that needs to check a particular value using an L4Op can be expanded to use a set of entries in the TCAM instead. The ACL uses the TCAM entries to perform the same filtering that the L4Op would have performed.
If the L4Ops are not exhausted, the switch computes the cost of using each resource. If the cost of using a set of expanded TCAM entries is less than that of using an L4Op, the switch expands the set of TCAM entries to preserve the L4Op for higher priority operations.
Depending on the size of the ACL TCAM and the size of various regions in the TCAM, it is possible that policies that are expanded might not fit within the available space. For example, after the switch is reloaded, the set of policies that were expanded before might not be expanded again.
To manage this issue, you can configure a threshold value. The threshold value is from 0 to 32 and the default value is 5. When an ACL policy needs an L4Op, the policy is expanded to check whether the number of expanded TCAM entries needed exceeds the threshold value. If the number exceeds the threshold value, the expansion is not used, and the L4Op is used instead. If the number of TCAM entries does not exceed the threshold value (that is, it is less than or equal to the threshold value), then the expanded TCAM entries are installed.
Note
If an ACL policy uses both a source L4Op and a destination L4Op, the source L4Op and destination L4Op are expanded individually. The following example shows an ACL policy with source and destination L4Ops: permit tcp any gt 546 any range 236 981
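As an added illustration of the expansion just described (example Python written for this page, not Cisco software; it does not model the switch's internal cost computation or TCAM region sizes): a TCAM entry matches a port when (port AND mask) equals the stored value, so a contiguous port range has to be covered by a set of aligned power-of-two blocks, one entry per block. The functions below compute the minimal set of entries for an operator, then apply the threshold rule exactly as the guide states it (expand only when the entry count is at or below the threshold, default 5). Under this model the note's own rule needs 13 entries for gt 546 and 9 for range 236 981, so with the default threshold both operators are kept as L4Ops; a threshold of 16 would expand both.

```python
"""Port-range expansion into TCAM value/mask entries, with the L4Op threshold rule.

Added example for this page (not Cisco code): a TCAM entry matches a port when
(port & mask) == value, so a contiguous range has to be covered by aligned
power-of-two blocks. The switch's real cost model and TCAM region sizes are not
modelled; the threshold rule is applied exactly as the guide states it.
"""

PORT_BITS = 16
PORT_MAX = (1 << PORT_BITS) - 1
DEFAULT_THRESHOLD = 5            # default threshold from the guide (range 0..32)


def expand_range(lo: int, hi: int) -> list:
    """Return the minimal list of (value, mask) entries that cover ports lo..hi.

    Greedy: at each step take the largest block that is aligned at `cur` and
    still ends at or before `hi`.
    """
    if not 0 <= lo <= hi <= PORT_MAX:
        raise ValueError(f"port range {lo}..{hi} is out of bounds")
    entries, cur = [], lo
    while cur <= hi:
        size = 1
        while cur % (size * 2) == 0 and cur + size * 2 - 1 <= hi:
            size *= 2
        mask = PORT_MAX & ~(size - 1)    # high bits fixed, low log2(size) bits wildcard
        entries.append((cur, mask))
        cur += size
    return entries


def l4op_to_range(op: str, *args: int) -> tuple:
    """Translate an NX-OS style port operator (eq, gt, lt, range) into an inclusive range."""
    if op == "eq":
        return args[0], args[0]
    if op == "gt":
        return args[0] + 1, PORT_MAX
    if op == "lt":
        return 0, args[0] - 1
    if op == "range":
        return args[0], args[1]
    raise ValueError(f"unsupported operator {op!r}")


def plan_l4op(op: str, *args: int, threshold: int = DEFAULT_THRESHOLD) -> dict:
    """Decide whether one L4Op is expanded into TCAM entries or kept as an L4Op.

    Per the guide: expand only when the number of entries needed is less than or
    equal to the threshold; otherwise keep the (scarcer) L4Op register.
    """
    if not 0 <= threshold <= 32:
        raise ValueError("threshold must be between 0 and 32")
    lo, hi = l4op_to_range(op, *args)
    entries = expand_range(lo, hi)
    return {
        "operator": f"{op} {' '.join(map(str, args))}",
        "entries": len(entries),
        "use_expansion": len(entries) <= threshold,
    }


def matches(entries, port: int) -> bool:
    """True if any TCAM entry in `entries` matches `port`."""
    return any((port & mask) == value for value, mask in entries)


def expansion_is_exact(lo: int, hi: int) -> bool:
    """Exhaustively verify that the expansion matches exactly the ports lo..hi."""
    entries = expand_range(lo, hi)
    return all(matches(entries, p) == (lo <= p <= hi) for p in range(PORT_MAX + 1))


if __name__ == "__main__":
    # The note's rule "permit tcp any gt 546 any range 236 981": source and
    # destination operators are costed against the threshold individually.
    for op in (("gt", 546), ("range", 236, 981), ("eq", 443), ("range", 80, 81)):
        print(plan_l4op(*op))
```

The greedy block choice is what makes the count minimal: a block can only start at an address aligned to its size, so taking the largest aligned block that still fits never leaves a gap that a later, larger block could have covered. expansion_is_exact is the check a practitioner would run after changing the algorithm: it confirms that the entries admit every port inside the range and none outside it.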
Statistics and ACLs
The device can maintain global statistics for each rule that you configure in IPv4, IPv6, and MAC ACLs. If an ACL is applied to multiple interfaces, the maintained rule statistics are the sum of packet matches (hits) on all the interfaces on which that ACL is applied.
Note
The device does not support interface-level ACL statistics.
For each ACL that you configure, you can specify whether the device maintains statistics for that ACL, which allows you to turn ACL statistics on or off as needed to monitor traffic filtered by an ACL or to help troubleshoot the configuration of an ACL.
The device does not maintain statistics for implicit rules in an ACL. For example, the device does not maintain a count of packets that match the implicit deny ip any any rule at the end of all IPv4 ACLs. If you want to maintain statistics for implicit rules, you must explicitly configure the ACL with rules that are identical to the implicit rules.
Licensing Requirements for ACLs
The following table shows the licensing requirements for this feature:
Product: Cisco NX-OS
License Requirement: No license is required to use ACLs.
Prerequisites for ACLs
IP ACLs have the following prerequisites:
• You must be familiar with IP addressing and protocols to configure IP ACLs.
• You must be familiar with the interface types that you want to configure with ACLs.
VACLs have the following prerequisite:
• Ensure that the IP ACL or MAC ACL that you want to use in the VACL exists and is configured to filter traffic in the manner that you need for this application.
Guidelines and Limitations for ACLs
IP ACLs have the following configuration guidelines and limitations:
• We recommend that you perform ACL configuration using the Session Manager. This feature allows you to verify ACL configuration and confirm that the resources required by the configuration are available prior to committing them to the running configuration. This is especially useful for ACLs that include more than about 1000 rules.
• When you apply an ACL that uses time ranges, the device updates the ACL entries whenever a time range referenced in an ACL entry starts or ends. Updates that are initiated by time ranges occur on a best-effort priority. If the device is especially busy when a time range causes an update, the device may delay the update by up to a few seconds.
• To apply an IP ACL to a VLAN interface, you must have enabled VLAN interfaces globally.
MAC ACLs have the following configuration guidelines and limitations:
• MAC ACLs apply to ingress traffic only.
• ACL statistics are not supported if the DHCP snooping feature is enabled.
• To filter Address Resolution Protocol (ARP) traffic using a MAC ACL, match EtherType 0x806 (ARP) in the access control entry (ACE).
VACLs have the following configuration guidelines and limitations:
• We recommend that you perform ACL configurations using the Session Manager. This feature allows you to verify ACL configuration and confirm that the resources required by the configuration are available prior to committing them to the running configuration.
• ACL statistics are not supported if the DHCP snooping feature is enabled.
• There is no defined sequence of application to match ACLs under the same sequence number. For a definite sequence of match statements, use different sequence numbers.
• You need to configure the default deny command at the end when you are using different types of ACLs such as MAC, IP, or IPv6. For example:
switch(config)# ip access-list drop_ip
switch(config-acl)# deny ip any any
switch(config)# mac access-list drop_mac
switch(config-acl)# deny any any
switch(config)# ipv6 access-list drop_ipv6
switch(config-acl)# deny ipv6 any any
switch(config)# vlan access-map abc 10
<match statements>
switch(config)# vlan access-map xyz 20
<match statements>
...
switch(config)# vlan access-map gef 100
switch(config-access-map)# match ip address drop_ip
switch(config-access-map)# match mac address drop_mac
switch(config-access-map)# match ipv6 address drop_ipv6
• To permit all traffic while an ACL is being updated, use the hardware access-list update default-result permit command.
• Traffic is first run against a system ACL with an implicit permit that punts control traffic to the supervisor, and only then against user-configured ACLs. Hence, any user-configured ACL designed to deny control traffic is not effective.
• The Cisco Nexus 5600 platform uses a SUP redirect mechanism for ICMPv6 RA/RS/ND packet processing. The SUP redirect has higher priority than an ACL deny operation, so an ACL deny command cannot be used to block these packets.
Default ACL Settings
The following table lists the default settings for IP ACL parameters.
Table 14: Default IP ACLs Parameters
Parameters    Default
IP ACLs       No IP ACLs exist by default.
ACL rules     Implicit rules apply to all ACLs.
The following table lists the default settings for MAC ACL parameters.
Table 15: Default MAC ACLs Parameters
Parameters    Default
MAC ACLs      No MAC ACLs exist by default.
ACL rules     Implicit rules apply to all ACLs.
The following table lists the default settings for VACL parameters.
Table 16: Default VACL Parameters
Parameters    Default
VACLs         No VACLs exist by default.
ACL rules     Implicit rules apply to all ACLs.
Configuring IP ACLs
Creating an IP ACL
You can create an IPv4 or IPv6 ACL on the switch and add rules to it.
Procedure
Step 1
switch# configure terminal
Enters global configuration mode.
Step 2
switch(config)# {ip | ipv6} access-list name
Creates the IP ACL and enters IP ACL configuration mode. The name argument can be up to 64 characters.
Step 3
switch(config-acl)# [sequence-number] {permit | deny} protocol source destination
Creates a rule in the IP ACL. You can create many rules. The sequence-number argument can be a whole number between 1 and 4294967295.
The permit and deny commands support many ways of identifying traffic. For more information, see the Command Reference for the specific Cisco Nexus device.
Step 4
(Optional) switch(config-acl)# statistics
Specifies that the switch maintains global statistics for packets that match the rules in the ACL.
Step 5
(Optional) switch# show {ip | ipv6} access-lists name
Displays the IP ACL configuration.
Step 6
(Optional) switch# show ip access-lists name
Displays the IP ACL configuration.
Step 7
(Optional) switch# copy running-config startup-config
Copies the running configuration to the startup configuration.
This example shows how to create an IPv4 ACL:
switch# configure terminal
switch(config)# ip access-list acl-01
switch(config-acl)# permit ip 192.168.2.0/24 any
switch(config-acl)# statistics
This example shows how to create an IPv6 ACL:
switch# configure terminal
switch(config)# ipv6 access-list acl-01-ipv6
switch(config-ipv6-acl)# permit tcp 2001:0db8:85a3::/48 2001:0db8:be03:2112::/64
Changing an IP ACL
You can add and remove rules in an existing IPv4 or IPv6 ACL. You cannot change existing rules. Instead, to change a rule, you can remove it and recreate it with the desired changes.
If you need to add more rules between existing rules than the current sequence numbering allows, you can use the resequence command to reassign sequence numbers.
Procedure
Step 1
switch# configure terminal
Enters global configuration mode.
Step 2
switch(config)# {ip | ipv6} access-list name
Enters IP ACL configuration mode for the ACL that you specify by name.
Step 3
switch(config)# ip access-list name
Enters IP ACL configuration mode for the ACL that you specify by name.
Step 4
switch(config-acl)# [sequence-number] {permit | deny} protocol source destination
Creates a rule in the IP ACL. Using a sequence number allows you to specify a position for the rule in the ACL. Without a sequence number, the rule is added to the end of the rules. The sequence-number argument can be a whole number between 1 and 4294967295.
The permit and deny commands support many ways of identifying traffic. For more information, see the Command Reference for your Cisco Nexus device.
Step 5
(Optional) switch(config-acl)# no {sequence-number | {permit | deny} protocol source destination}
Removes the rule that you specified from the IP ACL.
The permit and deny commands support many ways of identifying traffic. For more information, see the Command Reference for your Cisco Nexus device.
Step 6
(Optional) switch(config-acl)# [no] statistics
Specifies that the switch maintains global statistics for packets that match the rules in the ACL. The no option stops the switch from maintaining global statistics for the ACL.
Step 7
(Optional) switch# show ip access-lists name
Displays the IP ACL configuration.
Step 8
(Optional) switch# copy running-config startup-config
Copies the running configuration to the startup configuration.
Related Topics
Changing Sequence Numbers in an IP ACL, on page 186
Removing an IP ACL
You can remove an IP ACL from the switch.
Before you remove an IP ACL from the switch, be sure that you know whether the ACL is applied to an interface. The switch allows you to remove ACLs that are currently applied. Removing an ACL does not affect the configuration of interfaces where you have applied the ACL. Instead, the switch considers the removed ACL to be empty.
Procedure
Step 1
switch# configure terminal
Enters global configuration mode.
Step 2
switch(config)# no {ip | ipv6} access-list name
Removes the IP ACL that you specified by name from the running configuration.
Step 3
switch(config)# no ip access-list name
Removes the IP ACL that you specified by name from the running configuration.
Step 4
(Optional) switch# show running-config
Displays the ACL configuration. The removed IP ACL should not appear.
Step 5
(Optional) switch# copy running-config startup-config
Copies the running configuration to the startup configuration.
Changing Sequence Numbers in an IP ACL
You can change all the sequence numbers assigned to the rules in an IP ACL.
Procedure
Step 1
switch# configure terminal
Enters global configuration mode.
Step 2
switch(config)# resequence {ip | ipv6} access-list name starting-sequence-number increment
Assigns sequence numbers to the rules contained in the ACL, where the first rule receives the starting sequence number that you specify. Each subsequent rule receives a number larger than the preceding rule. The difference in numbers is determined by the increment that you specify. The starting-sequence-number argument and the increment argument can be a whole number between 1 and 4294967295.
Step 3
(Optional) switch# show {ip | ipv6} access-lists name
Displays the IP ACL configuration.
Step 4
(Optional) switch# copy running-config startup-config
Copies the running configuration to the startup configuration.
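The rule-ordering behaviour described in "Changing an IP ACL" and in this section (a numbered rule lands at its number, an unnumbered one at the end, a rule cannot be edited in place, and resequence renumbers everything from a start and an increment) is easy to get wrong when scripting ACL changes. The following added Python model, written for this page and not taken from NX-OS, exercises those rules and shows the one failure mode a practitioner runs into: no free number between two adjacent rules, which is what resequence exists to fix. Two details are assumptions rather than statements of the guide: an unnumbered rule gets the previous highest number plus 10, and re-using an existing sequence number is rejected.

```python
"""Model of IP ACL rule ordering, insertion, removal and resequencing.

Added example for this page, not NX-OS code. It follows the behaviour stated in
"Changing an IP ACL" and "Changing Sequence Numbers in an IP ACL"; two details
are assumptions: a rule entered without a sequence number gets the previous
highest number plus 10, and re-using a sequence number that is already present
is rejected rather than overwriting the existing rule.
"""
from dataclasses import dataclass, field
from typing import List, Optional

SEQ_MIN, SEQ_MAX = 1, 4294967295   # sequence-number range given in the guide
AUTO_INCREMENT = 10                 # assumption: step used when no number is given


@dataclass
class Rule:
    seq: int
    text: str                       # e.g. "permit tcp 10.0.0.0/8 any eq 22"


@dataclass
class IpAcl:
    name: str
    rules: List[Rule] = field(default_factory=list)   # kept sorted by seq

    def _check_seq(self, seq: int) -> None:
        if not SEQ_MIN <= seq <= SEQ_MAX:
            raise ValueError(f"sequence number {seq} outside {SEQ_MIN}..{SEQ_MAX}")
        if any(r.seq == seq for r in self.rules):
            raise ValueError(f"sequence number {seq} already used in {self.name}")

    def add(self, text: str, seq: Optional[int] = None) -> int:
        """Add a rule; with a number it is placed by number, otherwise appended at the end."""
        if seq is None:
            seq = self.rules[-1].seq + AUTO_INCREMENT if self.rules else AUTO_INCREMENT
        self._check_seq(seq)
        self.rules.append(Rule(seq, text))
        self.rules.sort(key=lambda r: r.seq)
        return seq

    def remove(self, seq: Optional[int] = None, text: Optional[str] = None) -> bool:
        """Remove a rule by sequence number or by its exact text (the 'no' form)."""
        before = len(self.rules)
        self.rules = [r for r in self.rules if not (r.seq == seq or r.text == text)]
        return len(self.rules) != before

    def gap_after(self, seq: int) -> int:
        """Number of unused sequence numbers between `seq` and the next rule."""
        later = [r.seq for r in self.rules if r.seq > seq]
        return (min(later) if later else SEQ_MAX + 1) - seq - 1

    def resequence(self, start: int, increment: int) -> None:
        """Renumber all rules: first = start, each following = previous + increment."""
        if not (SEQ_MIN <= start <= SEQ_MAX and SEQ_MIN <= increment <= SEQ_MAX):
            raise ValueError("start and increment must be within 1..4294967295")
        if start + (len(self.rules) - 1) * increment > SEQ_MAX:
            raise ValueError("resequencing would exceed the maximum sequence number")
        for i, r in enumerate(self.rules):
            r.seq = start + i * increment

    def render(self) -> List[str]:
        """The ACL as it would be listed, one numbered rule per line."""
        return [f"{r.seq} {r.text}" for r in self.rules]


def insert_before(acl: IpAcl, target_seq: int, text: str) -> int:
    """Insert a rule directly before the rule numbered `target_seq`.

    When there is no free number left in front of the target, resequence the
    ACL (10, 10) first, then use the midpoint of the reopened gap.
    """
    target = next(r for r in acl.rules if r.seq == target_seq)
    prev = max((r.seq for r in acl.rules if r.seq < target.seq), default=0)
    if target.seq - prev <= 1:
        acl.resequence(10, 10)
        prev = max((r.seq for r in acl.rules if r.seq < target.seq), default=0)
    return acl.add(text, seq=prev + (target.seq - prev) // 2)
```

Because the switch treats a rule as immutable, changing one is always remove plus add, which insert_before mirrors by never touching an existing Rule except to renumber it. Note that resequence changes the numbers of every rule, so any external reference to a sequence number (a ticket, a script, a monitoring query) has to be refreshed after it runs.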
Configuring ACLs with Logging
You can create an access-control list for logging traffic of a specified protocol and address.
Procedure
Step 1
switch# configure terminal
Enters global configuration mode.
Step 2
switch(config)# {ip | ipv6} access-list name
Creates the IP ACL and enters IP ACL configuration mode. The name argument can be up to 64 characters.
Step 3
switch(config-acl)# permit protocol source destination log
Creates a rule in the IP ACL that logs traffic of the specified protocol to the syslog file. Valid values for the protocol argument are:
• icmp—ICMP
• igmp—IGMP
• ip—IPv4
• ipv6—IPv6
• tcp—TCP
• udp—UDP
• sctp—SCTP (IPv6 only)
The source and destination arguments can be the IP address with a network wildcard (IPv4 only), IP address and variable-length subnet mask, host address, or any to designate any address. For more information, see the System Management configuration guide and the Security command reference for your platform.
Step 4
switch(config-acl)# exit
Exits the current configuration mode.
Step 5
(Optional) switch(config)# copy running-config startup-config
Saves the change persistently through reboots and restarts by copying the running configuration to the startup configuration.
The following example shows how to create an ACL for logging entries that match IPv4 TCP traffic from any source and any destination:
switch# configure terminal
switch(config)# ip access-list tcp_log
switch(config-acl)# permit tcp any any log
switch(config-acl)# exit
switch(config)# copy running-config startup-config
Applying an IP ACL to mgmt0
You can apply an IPv4 or IPv6 ACL to the management interface (mgmt0).
Before You Begin
Ensure that the ACL that you want to apply exists and that it is configured to filter traffic in the manner that you need for this application.
Procedure
Step 1
configure terminal
Example:
switch# configure terminal
switch(config)#
Enters global configuration mode.
Step 2
interface mgmt port
Example:
switch(config)# interface mgmt0
switch(config-if)#
Enters configuration mode for the management interface.
Step 3
ip access-group access-list {in | out}
Example:
switch(config-if)# ip access-group acl-120 out
Applies an IPv4 or IPv6 ACL to the Layer 3 interface for traffic flowing in the direction specified. You can apply one router ACL per direction.
Step 4
(Optional) show running-config aclmgr
Example:
switch(config-if)# show running-config aclmgr
Displays the ACL configuration.
Step 5
(Optional) copy running-config startup-config
Example:
switch(config-if)# copy running-config startup-config
Copies the running configuration to the startup configuration.
Related Topics
• Creating an IP ACL
Applying an IP ACL as a Router ACL
You can apply an IPv4 or IPv6 ACL to any of the following types of interfaces:
• Physical Layer 3 interfaces and subinterfaces
• Layer 3 Ethernet port-channel interfaces and subinterfaces
• VLAN interfaces
• Tunnels
• Management interfaces
ACLs applied to these interface types are considered router ACLs.
Before You Begin
Ensure that the ACL you want to apply exists and that it is configured to filter traffic in the manner that you need for this application.
Procedure
Step 1
switch# configure terminal
Enters global configuration mode.
Step 2
Enter one of the following commands:
• switch(config)# interface ethernet slot/port[.number]
• switch(config)# interface port-channel channel-number[.number]
• switch(config)# interface tunnel tunnel-number
• switch(config)# interface vlan vlan-ID
• switch(config)# interface mgmt port
Enters configuration mode for the interface type that you specified.
Step 3
Enter one of the following commands:
• switch(config-if)# ip access-group access-list {in | out}
• switch(config-if)# ipv6 traffic-filter access-list {in | out}
Applies an IPv4 or IPv6 ACL to the Layer 3 interface for traffic flowing in the direction specified. You can apply one router ACL per direction.
Step 4
(Optional) switch(config-if)# show running-config aclmgr
Displays the ACL configuration.
Step 5
(Optional) switch(config-if)# copy running-config startup-config
Copies the running configuration to the startup configuration.
Applying an IP ACL as a Port ACL
You can apply an IPv4 or IPv6 ACL to a physical Ethernet interface or a PortChannel. ACLs applied to these interface types are considered port ACLs.
Note
Some configuration parameters, when applied to a PortChannel, are not reflected in the configuration of the member ports.
Procedure
Step 1
switch# configure terminal
Enters global configuration mode.
Step 2
switch(config)# interface {ethernet [chassis/]slot/port | port-channel channel-number}
Enters interface configuration mode for the specified interface.
Step 3
switch(config-if)# {ip port access-group | ipv6 port traffic-filter} access-list in
Applies an IPv4 or IPv6 ACL to the interface or PortChannel. Only inbound filtering is supported with port ACLs. You can apply one port ACL to an interface.
Step 4
(Optional) switch# show running-config
Displays the ACL configuration.
Step 5
(Optional) switch# copy running-config startup-config
Copies the running configuration to the startup configuration.
Verifying IP ACL Configurations
To display IP ACL information, perform one of the following tasks:
Command                          Purpose
show running-config              Displays ACL configuration, including IP ACL configuration and interfaces that IP ACLs are applied to.
show running-config interface    Displays the configuration of an interface to which you have applied an ACL.
For detailed information about the fields in the output from these commands, refer to the Command Reference for your Cisco Nexus device.
Monitoring and Clearing IP ACL Statistics
Command or Action                     Purpose
show {ip | ipv6} access-lists name    Displays IP ACL configuration. If the IP ACL includes the statistics command, then the show ip access-lists and show ipv6 access-lists command output includes the number of packets that have matched each rule.
show ip access-lists name                                   Displays IP ACL configuration. If the IP ACL includes the statistics command, then the show ip access-lists command output includes the number of packets that have matched each rule.
clear {ip | ipv6} access-list counters [access-list-name]   Clears statistics for all IP ACLs or for a specific IP ACL.
clear ip access-list counters [access-list-name]            Clears statistics for all IP ACLs or for a specific IP ACL.
Configuring MAC ACLs
Creating a MAC ACL
Procedure
Step 1
switch# configure terminal
Enters global configuration mode.
Step 2
switch(config)# mac access-list name
Creates the MAC ACL and enters ACL configuration mode.
Step 3
switch(config-mac-acl)# [sequence-number] {permit | deny} source destination protocol
Creates a rule in the MAC ACL. The permit and deny options support many ways of identifying traffic. For more information, see the Security command reference for your platform.
Step 4
(Optional) switch(config-mac-acl)# statistics
Specifies that the switch maintains global statistics for packets matching the rules in the ACL.
Step 5
(Optional) switch# show mac access-lists name
Displays the MAC ACL configuration.
Step 6
(Optional) switch# copy running-config startup-config
Copies the running configuration to the startup configuration.
The following example shows how to create a MAC ACL and add rules to it:
switch# configure terminal
switch(config)# mac access-list acl-mac-01
switch(config-mac-acl)# permit 00c0.4f00.0000 0000.00ff.ffff any
switch(config-mac-acl)# statistics
Changing a MAC ACL
In an existing MAC ACL, you can add and remove rules. You cannot change existing rules. Instead, to change a rule, you can remove it and recreate it with the desired changes.
If you need to add more rules between existing rules than the current sequence numbering allows, you can use the resequence command to reassign sequence numbers.
Procedure
Step 1
switch# configure terminal
Enters global configuration mode.
Step 2
switch(config)# mac access-list name
Enters ACL configuration mode for the ACL that you specify by name.
Step 3
switch(config-mac-acl)# [sequence-number] {permit | deny} source destination protocol
Creates a rule in the MAC ACL. Using a sequence number allows you to specify a position for the rule in the ACL. Without a sequence number, the rule is added to the end of the rules. The permit and deny commands support many ways of identifying traffic.
Step 4
(Optional) switch(config-mac-acl)# no {sequence-number | {permit | deny} source destination protocol}
Removes the rule that you specify from the MAC ACL. The permit and deny commands support many ways of identifying traffic.
Step 5
(Optional) switch(config-mac-acl)# [no] statistics
Specifies that the switch maintains global statistics for packets matching the rules in the ACL. The no option stops the switch from maintaining global statistics for the ACL.
Step 6
(Optional) switch# show mac access-lists name
Displays the MAC ACL configuration.
Step 7
(Optional) switch# copy running-config startup-config
Copies the running configuration to the startup configuration.
The following example shows how to change a MAC ACL:
switch# configure terminal
switch(config)# mac access-list acl-mac-01
switch(config-mac-acl)# 100 permit 00c0.4f00.0000 0000.00ff.ffff any
switch(config-mac-acl)# statistics
Removing a MAC ACL
You can remove a MAC ACL from the switch.
Be sure that you know whether the ACL is applied to an interface. The switch allows you to remove ACLs that are currently applied. Removing an ACL does not affect the configuration of interfaces where you have applied the ACL. Instead, the switch considers the removed ACL to be empty.
Procedure
Step 1
switch# configure terminal
Enters global configuration mode.
Step 2
switch(config)# no mac access-list name
Removes the MAC ACL that you specify by name from the running configuration.
Step 3
(Optional) switch# show mac access-lists
Displays the MAC ACL configuration.
Step 4
(Optional) switch# copy running-config startup-config
Copies the running configuration to the startup configuration.
Changing Sequence Numbers in a MAC ACL
You can change all the sequence numbers assigned to rules in a MAC ACL. Resequencing is useful when you need to insert rules into an ACL and there are not enough available sequence numbers.
Procedure
Step 1
switch# configure terminal
Enters global configuration mode.
Step 2
switch(config)# resequence mac access-list name starting-sequence-number increment
Assigns sequence numbers to the rules contained in the ACL, where the first rule receives the starting sequence number that you specify. Each subsequent rule receives a number larger than the preceding rule. The difference in numbers is determined by the increment that you specify.
Step 3
(Optional) switch# show mac access-lists name
Displays the MAC ACL configuration.
Step 4
(Optional) switch# copy running-config startup-config
Copies the running configuration to the startup configuration.
Applying a MAC ACL as a Port ACL
You can apply a MAC ACL as a port ACL to any of the following interface types:
• Ethernet interfaces
• EtherChannel interfaces
Be sure that the ACL that you want to apply exists and is configured to filter traffic as necessary for this application.
Note
Some configuration parameters when applied to an EtherChannel are not reflected on the configuration of the member ports.
Procedure
Step 1
switch# configure terminal
Enters global configuration mode.
Step 2
switch(config)# interface {ethernet [chassis/]slot/port | port-channel channel-number}
Enters interface configuration mode for the specified Ethernet interface or port channel.
Step 3
switch(config-if)# mac port access-group access-list
Applies a MAC ACL to the interface.
Step 4
(Optional) switch# show running-config
Displays ACL configuration.
Step 5
(Optional) switch# copy running-config startup-config
Copies the running configuration to the startup configuration.
Related Topics
Creating an IP ACL, on page 183
Verifying MAC ACL Configurations
To display MAC ACL information, perform one of the following tasks:
Command                          Purpose
show mac access-lists            Displays the MAC ACL configuration.
show running-config              Displays ACL configuration, including MAC ACLs and the interfaces that ACLs are applied to.
show running-config interface    Displays the configuration of the interface to which you applied the ACL.
Displaying and Clearing MAC ACL Statistics
To display and clear MAC ACL statistics, perform one of the following tasks:
Command                           Purpose
show mac access-lists             Displays MAC ACL configuration. If the MAC ACL includes the statistics command, the show mac access-lists command output includes the number of packets that have matched each rule.
clear mac access-list counters    Clears statistics for all MAC ACLs or for a specific MAC ACL.
Example Configuration for MAC ACLs
This example shows how to create a MAC ACL named acl-mac-01 and apply it to Ethernet interface 1/1:
switch# configure terminal
switch(config)# mac access-list acl-mac-01
switch(config-mac-acl)# permit 00c0.4f00.0000 0000.00ff.ffff any
switch(config-mac-acl)# exit
switch(config)# interface ethernet 1/1
switch(config-if)# mac access-group acl-mac-01
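The MAC ACL examples in this chapter all use the rule permit 00c0.4f00.0000 0000.00ff.ffff any, and the guidelines note that ARP is filtered by matching EtherType 0x806 in the entry. The following added Python (written for this page, not NX-OS code) makes the mask semantics explicit and evaluates a small rule list the way the switch does: first match wins, and a frame that matches no rule hits the implicit deny that, as noted under Statistics and ACLs, is never counted. Assumptions: the second address word is a wildcard mask whose 1 bits are ignored (so the page's rule matches every source MAC in the 00:c0:4f OUI), any and host are accepted for either address, and a trailing hexadecimal EtherType narrows the rule; the rule list ACL_MAC_01 is constructed for the example.

```python
"""Evaluate MAC ACL rules with wildcard masks, first match wins, implicit deny.

Added example for this page, not NX-OS code. Assumptions: the second address
word in a rule such as `permit 00c0.4f00.0000 0000.00ff.ffff any` is a wildcard
mask whose 1 bits are ignored (so the rule matches every source MAC in the
00:c0:4f OUI), `any` and `host` are accepted for either address, and an
optional trailing hexadecimal EtherType (for example 0x806 for ARP) narrows the
rule further. The rule list below is constructed for the example.
"""
import re

MAC_BITS = 0xFFFF_FFFF_FFFF
ANY = ("0000.0000.0000", "ffff.ffff.ffff")      # value/wildcard pair that matches everything
NO_WILDCARD = "0000.0000.0000"

# Constructed MAC ACL; rule 20 is the page's own example rule.
ACL_MAC_01 = [
    "10 deny any any 0x806",                               # drop ARP from anyone
    "20 permit 00c0.4f00.0000 0000.00ff.ffff any",          # allow the 00:c0:4f OUI
]


def parse_mac(dotted: str) -> int:
    """Parse dotted-hex notation (hhhh.hhhh.hhhh) into a 48-bit integer."""
    digits = dotted.replace(".", "").lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"bad MAC address {dotted!r}")
    return int(digits, 16)


def mac_matches(value: str, wildcard: str, mac: str) -> bool:
    """True if `mac` matches value/wildcard; wildcard bits set to 1 are don't-care."""
    care = MAC_BITS & ~parse_mac(wildcard)
    return (parse_mac(mac) & care) == (parse_mac(value) & care)


def describe_match(value: str, wildcard: str) -> str:
    """Show the matched pattern: 'x' for fully wildcarded hex digits, '?' for partial ones."""
    v = f"{parse_mac(value):012x}"
    w = f"{parse_mac(wildcard):012x}"
    out = "".join("x" if wc == "f" else ("?" if wc != "0" else vc) for vc, wc in zip(v, w))
    return ".".join(out[i:i + 4] for i in range(0, 12, 4))


def _take_address(tokens: list) -> tuple:
    """Consume one address spec (any | host mac | mac wildcard) from the token list."""
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    if tok == "host":
        return tokens.pop(0), NO_WILDCARD
    return tok, tokens.pop(0)


def parse_rule(text: str) -> dict:
    """Parse '[seq] {permit|deny} source destination [ethertype]' into its parts."""
    tokens = text.split()
    seq = int(tokens.pop(0)) if tokens[0].isdigit() else None
    action = tokens.pop(0)
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action {action!r} in rule {text!r}")
    src = _take_address(tokens)
    dst = _take_address(tokens)
    ethertype = int(tokens.pop(0), 16) if tokens else None
    return {"seq": seq, "action": action, "src": src, "dst": dst, "ethertype": ethertype}


def evaluate(rules: list, src_mac: str, dst_mac: str, ethertype: int) -> str:
    """Return the action for a frame: first matching rule wins, else implicit deny."""
    for r in map(parse_rule, rules):
        if (mac_matches(*r["src"], src_mac) and mac_matches(*r["dst"], dst_mac)
                and r["ethertype"] in (None, ethertype)):
            return r["action"]
    return "deny"    # implicit deny at the end of every MAC ACL


if __name__ == "__main__":
    print(describe_match("00c0.4f00.0000", "0000.00ff.ffff"))
    print(evaluate(ACL_MAC_01, "00c0.4f12.3456", "ffff.ffff.ffff", 0x0800))
    print(evaluate(ACL_MAC_01, "00c0.4f12.3456", "ffff.ffff.ffff", 0x0806))
```

describe_match is the quick sanity check to run before committing a MAC ACL: a wildcard that was meant as a subnet-style mask (all ones where the bits matter) would render as xxxx.xxxx.xxxx and match everything, which is the usual way a MAC ACL ends up permitting far more than intended.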
Information About VLAN ACLs
A VLAN ACL (VACL) is one application of a MAC ACL or an IP ACL. You can configure VACLs to apply to all packets that are bridged within a VLAN. VACLs are used strictly for security packet filtering. VACLs are not defined by direction (ingress or egress).
VACLs and Access Maps
VACLs use access maps to link an IP ACL or a MAC ACL to an action. The switch takes the configured action on packets that are permitted by the VACL.
Starting with the Cisco NX-OS Release 7.2(1)N1(1), you can configure more than one instance of a VLAN access map by assigning a sequence number. In this case, the lower sequence number of a VLAN access map has a higher priority. Additionally, you can specify an ACL for multiple access maps.
VACLs and Actions
In access map configuration mode, you use the action command to specify one of the following actions:
• Forward—Sends the traffic to the destination determined by normal operation of the switch.
• Drop—Drops the traffic.
Statistics
The Cisco Nexus device can maintain global statistics for each rule in a VACL. If a VACL is applied to multiple VLANs, the maintained rule statistics are the sum of packet matches (hits) on all the interfaces on which that VACL is applied.
Note
The Cisco Nexus device does not support interface-level VACL statistics.
For each VLAN access map that you configure, you can specify whether the switch maintains statistics for that VACL. This allows you to turn VACL statistics on or off as needed to monitor traffic filtered by a VACL or to help troubleshoot VLAN access-map configuration.
Configuring VACLs
Creating or Changing a VACL
You can create or change a VACL. Creating a VACL includes creating an access map that associates an IP
ACL or MAC ACL with an action to be applied to the matching traffic.
Procedure
Step 1
switch# configure terminal
Enters global configuration mode.
Step 2
switch(config)# vlan access-map map-name [sequence-number]
Enters access map configuration mode for the access map specified. The sequence-number argument specifies the sequence number of a VLAN access map. The default sequence number is 10. If you do not specify the sequence number, the device assigns a sequence number that is 10 greater than the sequence number of the preceding access map instance.
Step 3
switch(config-access-map)# match ip address ip-access-list
Specifies an IPv4 or IPv6 ACL for the map.
Step 4
switch(config-access-map)# match mac address mac-access-list
Specifies a MAC ACL for the map.
Step 5
switch(config-access-map)# action {drop | forward}
Specifies the action that the switch applies to traffic that matches the ACL.
Step 6
(Optional) switch(config-access-map)# [no] statistics
Specifies that the switch maintains global statistics for packets matching the rules in the VACL. The no option stops the switch from maintaining global statistics for the VACL.
Step 7
(Optional) switch(config-access-map)# show running-config
Displays the ACL configuration.
Step 8
(Optional) switch(config-access-map)# copy running-config startup-config
Copies the running configuration to the startup configuration.
Removing a VACL
You can remove a VACL, which means that you will delete the VLAN access map.
Be sure that you know whether the VACL is applied to a VLAN. The switch allows you to remove VACLs that are currently applied. Removing a VACL does not affect the configuration of VLANs where you have applied the VACL. Instead, the switch considers the removed VACL to be empty.
Procedure
Step 1
switch# configure terminal
Enters global configuration mode.
Step 2
switch(config)# no vlan access-map map-name
Removes the VLAN access map configuration for the specified access map.
Step 3
(Optional) switch(config)# show running-config
Displays ACL configuration.
Step 4
(Optional) switch(config)# copy running-config startup-config
Copies the running configuration to the startup configuration.
Applying a VACL to a VLAN
You can apply a VACL to a VLAN.
Procedure
Step 1
switch# configure terminal
Enters global configuration mode.
Step 2
switch(config)# [no] vlan filter map-name vlan-list list
Applies the VACL to the VLANs in the list that you specified. The no option unapplies the VACL. The vlan-list argument can specify a list of up to 32 VLANs, but multiple vlan-list commands can be configured to cover more than 32 VLANs.
Step 3
(Optional) switch(config)# show running-config
Displays ACL configuration.
Step 4
(Optional) switch(config)# copy running-config startup-config
Copies the running configuration to the startup configuration.
Verifying the VACL Configuration
To display VACL configuration information, perform one of the following tasks:
Command: show running-config aclmgr
Purpose: Displays ACL configuration, including VACL-related configuration.
Command: show vlan filter
Purpose: Displays information about VACLs that are applied to a VLAN.
Command: show vlan access-map
Purpose: Displays information about VLAN access maps.
Displaying and Clearing VACL Statistics
To display or clear VACL statistics, perform one of the following tasks:
Command: show vlan access-list
Purpose: Displays VACL configuration. If the VLAN access-map includes the statistics command, then the show vlan access-list command output includes the number of packets that have matched each rule.
Command: clear vlan access-list counters
Purpose: Clears statistics for all VACLs or for a specific VACL.
Configuration Examples for VACL
The following example shows how to configure a VACL to forward traffic permitted by an IP ACL named acl-ip-01 and how to apply the VACL to VLANs 50 through 82:
switch# configure terminal
switch(config)# vlan access-map acl-ip-map
switch(config-access-map)# match ip address acl-ip-01
switch(config-access-map)# action forward
switch(config-access-map)# exit
switch(config)# vlan filter acl-ip-map vlan-list 50-82
Configuring ACLs on Virtual Terminal Lines
To restrict incoming and outgoing connections for IPv4 or IPv6 between a Virtual Terminal (VTY) line and the addresses in an access list, use the access-class command in line configuration mode. To remove access restrictions, use the no form of this command.
Follow these guidelines when configuring ACLs on VTY lines:
• Set identical restrictions on all VTY lines because a user can connect to any of them.
• Per-entry statistics are not supported for ACLs on VTY lines.
Before You Begin
Be sure that the ACL that you want to apply exists and is configured to filter traffic for this application.
Procedure
Step 1
Command or Action: switch# configure terminal
Purpose: Enters global configuration mode.
Step 2
Command or Action: switch(config)# line vty
Example:
switch(config)# line vty
switch(config-line)#
Purpose: Enters line configuration mode.
Step 3
Command or Action: switch(config-line)# access-class access-list-number {in | out}
Example:
switch(config-line)# access-class ozi2 in
switch(config-line)# access-class ozi3 out
Purpose: Specifies inbound or outbound access restrictions.
Step 4
Command or Action: switch(config-line)# no access-class access-list-number {in | out}
Example:
switch(config-line)# no access-class ozi2 in
switch(config-line)# no access-class ozi3 out
Purpose: (Optional) Removes inbound or outbound access restrictions.
Step 5
Command or Action: switch(config-line)# exit
Example:
switch(config-line)# exit
Purpose: Exits line configuration mode.
Step 6
Command or Action: switch# show running-config aclmgr
Example:
switch# show running-config aclmgr
Purpose: (Optional) Displays the running configuration of the ACLs on the switch.
Step 7
Command or Action: switch# copy running-config startup-config
Example:
switch# copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
The following example shows how to apply the access-class ozi2 command to the in-direction of the vty line.
switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
switch(config)# line vty
switch(config-line)# access-class ozi2 in
switch(config-line)# exit
switch#
Verifying ACLs on VTY Lines
To display the ACL configurations on VTY lines, perform one of the following tasks:
Command: show running-config aclmgr
Purpose: Displays the running configuration of the ACLs configured on the switch.
Command: show users
Purpose: Displays the users that are connected.
Command: show access-lists access-list-name
Purpose: Displays the per-entry statistics.
Configuration Examples for ACLs on VTY Lines
The following example shows the connected users on the console line (ttyS0) and the VTY lines (pts/0 and pts/1).
switch# show users
NAME   LINE   TIME          IDLE   PID    COMMENT
admin  ttyS0  Aug 27 20:45  .      14425  *
admin  pts/0  Aug 27 20:06  00:46  14176  (172.18.217.82) session=ssh
admin  pts/1  Aug 27 20:52  .      14584  (10.55.144.118)
The following example shows how to allow vty connections to all IPv4 hosts except 172.18.217.82 and how to deny vty connections to any IPv4 host except 10.55.144.118, 172.18.217.79, 172.18.217.82, 172.18.217.92:
• Applying the IPv6 access list ozi7 to the in direction of the VTY line denies VTY connections from all IPv6 hosts.
• Applying the IPv6 access list ozip6 to the out direction of the VTY line allows VTY connections to all IPv6 hosts.
switch# show running-config aclmgr
!Time: Fri Aug 27 22:01:09 2010
version 5.0(2)N1(1)
ip access-list ozi
  10 deny ip 172.18.217.82/32 any
  20 permit ip any any
ip access-list ozi2
  10 permit ip 10.55.144.118/32 any
  20 permit ip 172.18.217.79/32 any
  30 permit ip 172.18.217.82/32 any
  40 permit ip 172.18.217.92/32 any
ipv6 access-list ozi7
  10 deny tcp any any
ipv6 access-list ozip6
  10 permit tcp any any
line vty
  access-class ozi in
  access-class ozi2 out
  ipv6 access-class ozi7 in
  ipv6 access-class ozip6 out
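As an added illustration that is not part of this guide, the following Python script parses the aclmgr configuration shown above and answers which hosts the VTY access-class would admit, using the first-match, implicit-deny semantics of a numbered IP access list. The function names are this example's own, and matching the remote host against each entry's source field for both directions is an assumption.

```python
"""Audit which hosts an NX-OS VTY access-class admits.

Added illustration, not Cisco code. Parses the 'show running-config aclmgr'
excerpt from the chapter and applies first-match, implicit-deny ACL semantics.
Only the syntax on the page is understood: 'ip|ipv6 access-list NAME',
numbered entries 'SEQ permit|deny PROTO SRC DST' with SRC/DST as 'any' or
PREFIX/LEN, and the 'line vty' access-class bindings. Function names are this
example's own; matching the remote host against the entry's source field for
both directions is an assumption.
"""
import ipaddress

# Constructed sample: the aclmgr configuration shown in the chapter example.
SAMPLE_CONFIG = """\
ip access-list ozi
  10 deny ip 172.18.217.82/32 any
  20 permit ip any any
ip access-list ozi2
  10 permit ip 10.55.144.118/32 any
  20 permit ip 172.18.217.79/32 any
  30 permit ip 172.18.217.82/32 any
  40 permit ip 172.18.217.92/32 any
ipv6 access-list ozi7
  10 deny tcp any any
ipv6 access-list ozip6
  10 permit tcp any any
line vty
  access-class ozi in
  access-class ozi2 out
  ipv6 access-class ozi7 in
  ipv6 access-class ozip6 out
"""


def _network(token):
    """'any' matches everything; otherwise parse PREFIX/LEN (IPv4 or IPv6)."""
    return None if token == "any" else ipaddress.ip_network(token, strict=False)


def parse_aclmgr(text):
    """Return (acls, vty): acls maps name -> [(seq, action, proto, src, dst)],
    vty maps 'in' / 'out' / 'ipv6 in' / 'ipv6 out' -> bound ACL name."""
    acls, vty, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):          # skip blanks and '!Time:' banners
            continue
        words = line.split()
        if words[0] in ("ip", "ipv6") and len(words) > 2 and words[1] == "access-list":
            current = words[2]
            acls.setdefault(current, [])
        elif line == "line vty":
            current = "line vty"
        elif current == "line vty" and words[0] == "access-class":
            vty[words[2]] = words[1]                   # access-class NAME in|out
        elif current == "line vty" and words[:2] == ["ipv6", "access-class"]:
            vty["ipv6 " + words[3]] = words[2]         # ipv6 access-class NAME in|out
        elif current in acls and words[0].isdigit():
            seq, action, proto, src, dst = words[:5]
            acls[current].append((int(seq), action, proto, _network(src), _network(dst)))
    return acls, vty


def evaluate(entries, src, dst="0.0.0.0"):
    """First matching entry decides; nothing matched means the implicit deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for seq, action, _proto, s_net, d_net in sorted(entries, key=lambda e: e[0]):
        if (s_net is None or src in s_net) and (d_net is None or dst in d_net):
            return action, seq
    return "deny", None


def vty_decision(config_text, direction, host):
    """Decision and matching sequence number for `host` on the VTY access-class
    bound in `direction` ('in' or 'out'); an unbound direction is unrestricted."""
    acls, vty = parse_aclmgr(config_text)
    if direction not in vty:
        return "permit", None
    return evaluate(acls[vty[direction]], host)


def admitted_hosts(config_text, direction, candidates):
    """Subset of candidate hosts the access-class would admit: a quick check that
    a management ACL change did not open the VTY lines wider than intended."""
    return [h for h in candidates if vty_decision(config_text, direction, h)[0] == "permit"]


if __name__ == "__main__":
    for host in ("172.18.217.82", "10.55.144.118", "192.0.2.10"):
        print(host, "in ->", vty_decision(SAMPLE_CONFIG, "in", host))
        print(host, "out ->", vty_decision(SAMPLE_CONFIG, "out", host))
```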
The following example shows how to configure the IP access list by enabling per-entry statistics for the ACL:
switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
switch(config)# ip access-list ozi2
switch(config-acl)# statistics per-entry
switch(config-acl)# deny tcp 172.18.217.83/32 any
switch(config-acl)# exit
switch(config)# ip access-list ozi
switch(config-acl)# statistics per-entry
switch(config-acl)# permit ip 172.18.217.20/24 any
switch(config-acl)# exit
switch#
The following example shows how to apply the ACLs on VTY in and out directions:
switch(config)# line vty
switch(config-line)# ip access-class ozi in
switch(config-line)# access-class ozi2 out
switch(config-line)# exit
switch#
The following example shows how to remove the access restrictions on the VTY line:
switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
switch(config)# line vty
switch(config-line)# no access-class ozi2 in
switch(config-line)# no ip access-class ozi2 in
switch(config-line)# exit
switch#
Configuring the ACL Resource Usage Threshold
You can configure a threshold value for the number of Logical Operation Units (LOUs).
Procedure
Step 1
Command or Action: switch# configure terminal
Purpose: Enters global configuration mode.
Step 2
Command or Action: switch(config)# hardware access-list lou resource threshold value
Purpose: Configures the threshold value for the number of LOUs.
Step 3
Command or Action: switch(config)# copy running-config startup-config
Purpose: (Optional) Saves the change persistently through reboots and restarts by copying the running configuration to the startup configuration.
The following example shows how to configure the maximum threshold value for LOUs:
switch# configure terminal
switch(config)# hardware access-list lou resource threshold 15
CHAPTER 10
Configuring Port Security
This chapter includes the following sections:
• Information About Port Security, page 203
• Licensing Requirements for Port Security, page 208
• Prerequisites for Port Security, page 208
• Guidelines and Limitations for Port Security, page 209
• Guidelines and Limitations for Port Security on vPCs, page 209
• Default Settings for Port Security, page 210
• Configuring Port Security, page 210
• Verifying the Port Security Configuration, page 220
• Displaying Secure MAC Addresses, page 220
• Configuration Example for Port Security, page 220
• Configuration Example of Port Security in a vPC Domain, page 221
• Additional References for Port Security, page 221
Information About Port Security
Port security allows you to configure Layer 2 physical interfaces, Layer 2 port-channel interfaces, and virtual port channels (vPCs) to allow inbound traffic from only a restricted set of MAC addresses. The MAC addresses in the restricted set are called secure MAC addresses. In addition, the device does not allow traffic from these
MAC addresses on another interface within the same VLAN. The number of MAC addresses that the device can secure is configurable per interface.
Note
Unless otherwise specified, the term interface refers to physical interfaces, port-channel interfaces, and vPCs; likewise, the term Layer 2 interface refers to both Layer 2 physical interfaces and Layer 2 port-channel interfaces.
Secure MAC Address Learning
The process of securing a MAC address is called learning. A MAC address can be a secure MAC address on one interface only. For each interface that you enable port security on, the device can learn a limited number of MAC addresses by the static, dynamic, or sticky methods. The way that the device stores secure MAC addresses varies depending upon how the device learned the secure MAC address.
Note
All learned MAC addresses are synchronized between vPC peers.
Static Method
The static learning method allows you to manually add or remove secure MAC addresses to the running configuration of an interface. If you copy the running configuration to the startup configuration, static secure
MAC addresses are unaffected if the device restarts.
A static secure MAC address entry remains in the configuration of an interface until one of the following events occurs:
• You explicitly remove the address from the configuration.
• You configure the interface to act as a Layer 3 interface.
Adding secure addresses by the static method is not affected by whether dynamic or sticky address learning is enabled.
Dynamic Method
By default, when you enable port security on an interface, you enable the dynamic learning method. With this method, the device secures MAC addresses as ingress traffic passes through the interface. If the address is not yet secured and the device has not reached any applicable maximum, it secures the address and allows the traffic.
The device stores dynamic secure MAC addresses in memory. A dynamic secure MAC address entry remains in the configuration of an interface until one of the following events occurs:
• The device restarts.
• The interface restarts.
• The address reaches the age limit that you configured for the interface.
• You explicitly remove the address.
• You configure the interface to act as a Layer 3 interface.
Sticky Method
If you enable the sticky method, the device secures MAC addresses in the same manner as dynamic address learning, but the device stores addresses learned by this method in nonvolatile RAM (NVRAM). As a result,
addresses learned by the sticky method persist through a device restart. Sticky secure MAC addresses do not appear in the running configuration of an interface.
Dynamic and sticky address learning are mutually exclusive. When you enable sticky learning on an interface, the device stops dynamic learning and performs sticky learning instead. If you disable sticky learning, the device resumes dynamic learning.
A sticky secure MAC address entry remains in the configuration of an interface until one of the following events occurs:
• You explicitly remove the address.
• You configure the interface to act as a Layer 3 interface.
Dynamic Address Aging
The device ages MAC addresses learned by the dynamic method and drops them after the age limit is reached.
You can configure the age limit on each interface. The range is from 0 to 1440 minutes, where 0 disables aging.
In vPC domains, dynamic MAC addresses are dropped only after the age limit is reached on both vPC peers.
The method that the device uses to determine the age of a MAC address is also configurable. The two methods of determining address age are as follows:
Inactivity
The length of time after the device last received a packet from the address on the applicable interface.
Absolute
The length of time after the device learned the address. This is the default aging method; however, the default aging time is 0 minutes, which disables aging.
Note
If the absolute method is used to age out a MAC address, then depending on the traffic rate, a few packets may be dropped each time a MAC address is aged out and relearned. To avoid this, use the inactivity timeout.
Secure MAC Address Maximums
By default, an interface can have only one secure MAC address. You can configure the maximum number of MAC addresses permitted per interface or per VLAN on an interface. Maximums apply to secure MAC addresses learned by any method: dynamic, sticky, or static.
Note
In vPC domains, the configuration on the primary vPC takes effect.
Tip
To ensure that an attached device has the full bandwidth of the port, set the maximum number of addresses to one and configure the MAC address of the attached device.
The following three limits can determine how many secure MAC addresses are permitted on an interface:
Device maximum
The device has a nonconfigurable limit of 8192 secure MAC addresses. If learning a new address would violate the device maximum, the device does not permit the new address to be learned, even if the interface or VLAN maximum has not been reached.
Interface maximum
You can configure a maximum number of 1025 secure MAC addresses for each interface protected by port security. The default interface maximum is one address. Interface maximums cannot exceed the device maximum.
In vPC domains, you set the maximum number of secure MAC addresses on the primary vPC switch.
The primary vPC switch does the count validation, even if a maximum number of secure MAC addresses is set on the secondary switch.
VLAN maximum
You can configure the maximum number of secure MAC addresses per VLAN for each interface protected by port security. A VLAN maximum cannot exceed the configured interface maximum.
VLAN maximums are useful only for trunk ports. There are no default VLAN maximums.
You can configure VLAN and interface maximums per interface, as needed; however, when the new limit is less than the applicable number of secure addresses, you must reduce the number of secure MAC addresses first.
Security Violations and Actions
Port security triggers a security violation when either of the following two events occurs:
MAX Count Violation
Ingress traffic arrives at an interface from a nonsecure MAC address and learning the address would exceed the applicable maximum number of secure MAC addresses. The blocked entry is added to the Forwarding Module (FWM) of the Cisco Nexus switch.
When an interface has both a VLAN maximum and an interface maximum configured, a violation occurs when either maximum is exceeded. For example, consider the following on a single interface configured with port security:
• VLAN 1 has a maximum of 5 addresses
• The interface has a maximum of 10 addresses
The device detects a violation when any of the following occurs:
• The device has learned five addresses for VLAN 1 and inbound traffic from a sixth address arrives at the interface in VLAN 1.
• The device has learned 10 addresses on the interface and inbound traffic from an 11th address arrives at the interface.
MAC Move Violation
Ingress traffic from a secure MAC address arrives at a different interface in the same VLAN as the interface on which the address is secured. The blocked entry is added as a drop entry in the Port Security table.
When a security violation occurs, the device increments the security violation counter for the interface and takes the action specified by the port security configuration of the interface. If a violation occurs because ingress traffic from a secure MAC address arrives at a different interface than the interface on which the address is secure, the device applies the action on the interface that received the traffic.
The possible actions that the device can take are as follows:
Shutdown
Shuts down the interface that received the packet triggering the violation. The interface is error disabled.
This action is the default. After you reenable the interface, it retains its port security configuration, including its secure MAC addresses.
You can use the errdisable global configuration command to configure the device to reenable the interface automatically if a shutdown occurs, or you can manually reenable the interface by entering the shutdown and no shutdown interface configuration commands.
Restrict
Drops ingress traffic from any nonsecure MAC addresses and adds the MAC address as a blocked MAC entry in the port security table.
Note
In vPC domains, blocked MAC addresses added to the port security table due to violations occurring in the Restrict mode are not synchronized across vPC peers.
The device keeps a count of the number of dropped packets, which is called the security violation count.
Address learning continues until the maximum security violations have occurred on the interface. Traffic from addresses learned after the first security violation is dropped.
Protect
Prevents further violations from occurring. The address that triggered the security violation is learned but any traffic from the address is dropped. Further address learning stops.
Note
In vPCs, the violation action configured on the primary vPC switch takes effect. So, whenever a security violation is triggered, the security action defined on the primary vPC switch occurs.
After the maximum number of MAC move violations (10) is reached, the interface is shut down and placed in the errdisabled state.
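The MAX count and MAC move rules above, together with the shutdown, restrict and protect actions, as a small Python model added here for illustration (this is not Cisco code; the class and method names are this example's own, the limits are those the chapter states, and the behaviour for a secure MAC arriving on another interface in a different VLAN, which the chapter does not define, is an assumption):

```python
"""Model of the port security learning and violation rules in this chapter.

Added illustration, not Cisco code: class and method names are this example's
own. Limits come from the text (device maximum 8192 secure addresses, interface
maximum 1 by default and at most 1025, errdisable after 10 MAC move violations).
One case the chapter leaves undefined, a secure MAC arriving on another
interface in a different VLAN, is modelled as a plain drop; that is an assumption.
"""
from dataclasses import dataclass, field

DEVICE_MAX = 8192           # nonconfigurable device limit
INTERFACE_MAX_LIMIT = 1025  # largest configurable interface maximum
MAC_MOVE_LIMIT = 10         # MAC move violations before the interface is errdisabled


@dataclass
class SecurePort:
    name: str
    action: str = "shutdown"                       # shutdown (default) | restrict | protect
    interface_max: int = 1                         # default interface maximum
    vlan_max: dict = field(default_factory=dict)   # vlan -> maximum (trunk ports only)
    secure: dict = field(default_factory=dict)     # secure mac -> vlan it was learned on
    blocked: set = field(default_factory=set)      # blocked entries from restrict/protect
    violations: int = 0                            # security violation counter
    mac_moves: int = 0
    errdisabled: bool = False
    learning_stopped: bool = False                 # set once protect has fired

    def __post_init__(self):
        if not 1 <= self.interface_max <= INTERFACE_MAX_LIMIT:
            raise ValueError("interface maximum must be between 1 and 1025")
        for vlan, limit in self.vlan_max.items():
            if limit > self.interface_max:         # a VLAN maximum cannot exceed the interface maximum
                raise ValueError(f"VLAN {vlan} maximum exceeds the interface maximum")


class PortSecurityDevice:
    def __init__(self):
        self.ports = {}
        self.owner = {}   # mac -> (port name, vlan): a MAC is secure on one interface only

    def add_port(self, name, **settings):
        self.ports[name] = SecurePort(name, **settings)
        return self.ports[name]

    def _within_limits(self, port, vlan):
        """All three limits must hold before a new address may be learned."""
        if len(self.owner) >= DEVICE_MAX or len(port.secure) >= port.interface_max:
            return False
        in_vlan = sum(1 for v in port.secure.values() if v == vlan)
        return in_vlan < port.vlan_max.get(vlan, port.interface_max)

    def _violate(self, port, mac):
        """Count the violation and apply the action on the interface that received the frame."""
        port.violations += 1
        if port.action == "shutdown":
            port.errdisabled = True                # interface goes error-disabled
            return "shutdown"
        port.blocked.add(mac)                      # restrict/protect: blocked entry, traffic dropped
        if port.action == "protect":
            port.learning_stopped = True           # protect stops further learning
        return "drop"

    def ingress(self, port_name, mac, vlan):
        """Outcome for one ingress frame: 'forward', 'learned', 'drop' or 'shutdown'."""
        port = self.ports[port_name]
        if port.errdisabled:
            return "drop"
        if mac in self.owner:
            owner_port, owner_vlan = self.owner[mac]
            if owner_port == port_name:
                return "forward"                   # secure address on its own interface
            if owner_vlan != vlan:
                return "drop"                      # assumption: case not defined by the chapter
            port.mac_moves += 1                    # MAC move violation
            result = self._violate(port, mac)
            if port.mac_moves >= MAC_MOVE_LIMIT and not port.errdisabled:
                port.errdisabled = True
                return "shutdown"
            return result
        if mac in port.blocked or port.learning_stopped:
            return "drop"
        if not self._within_limits(port, vlan):
            return self._violate(port, mac)        # MAX count violation
        port.secure[mac] = vlan
        self.owner[mac] = (port_name, vlan)
        return "learned"


if __name__ == "__main__":
    # The chapter's example: VLAN 1 maximum 5, interface maximum 10, restrict action.
    dev = PortSecurityDevice()
    dev.add_port("Ethernet2/1", action="restrict", interface_max=10, vlan_max={1: 5})
    for i in range(6):                             # the sixth address in VLAN 1 is a violation
        print(i + 1, dev.ingress("Ethernet2/1", f"0019.d2d0.00{i:02x}", 1))
```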
Port Type Changes
When you have configured port security on a Layer 2 interface and you change the port type of the interface, the device behaves as follows:
Access port to trunk port
Trunk port to access port
When you change a Layer 2 interface from a trunk port to an access port, the device drops all secure addresses learned by the dynamic method. It also moves all addresses learned by the sticky method on the native trunk VLAN to the access VLAN. The device drops secure addresses learned by the sticky method if they are not on the native trunk VLAN.
Switched port to routed port
When you change an interface from a Layer 2 interface to a Layer 3 interface, the device disables port security on the interface and discards all port security configuration for the interface. The device also discards all secure MAC addresses for the interface, regardless of the method used to learn the address.
Routed port to switched port
When you change an interface from a Layer 3 interface to a Layer 2 interface, the device has no port security configuration for the interface.
Licensing Requirements for Port Security
The following table shows the licensing requirements for this feature:
Product: Cisco NX-OS
License Requirement: Port security requires no license. Any feature not included in a license package is bundled with the Cisco NX-OS device images and is provided at no extra charge to you. For an explanation of the Cisco NX-OS licensing scheme, see the License and Copyright Information for Cisco NX-OS Software available at the following URL: http://www.cisco.com/en/US/docs/switches/datacenter/sw/4_0/nx-os/license_agreement/nx-ossw_lisns.html.
Prerequisites for Port Security
Port security has the following prerequisites:
• You must globally enable port security for the device that you want to protect with port security.
• In a vPC domain, you must enable port security globally on both vPC peers and on both vPC interfaces on the vPC peers. We recommend that you use the config sync command to ensure that the configuration is consistent on both vPC peers.
Guidelines and Limitations for Port Security
When configuring port security, follow these guidelines:
• Port security is supported on PVLAN ports.
• Port security does not support switched port analyzer (SPAN) destination ports.
• Port security does not depend upon other features.
• Port security is not supported on vPC peer links.
• Port security is not supported on Network Interface (NIF) port, Flex Link ports, or vEthernet interfaces.
Guidelines and Limitations for Port Security on vPCs
In addition to the guidelines and limitations for port security, there are additional guidelines and limitations for port security on vPCs. When configuring port security on vPCs, follow these guidelines:
• You must enable port security globally on both vPC peers in a vPC domain.
• You must enable port security on the vPC interfaces of both vPC peers.
• You must configure a static secure MAC address on the primary vPC peer. This MAC address is synchronized with the secondary vPC peer. Do not configure a static secure MAC address on the secondary peer. This MAC address appears in the secondary vPC configuration, but does not take effect.
• All learned MAC addresses are synchronized between vPC peers.
• Both vPC peers can be configured with either the dynamic or sticky MAC address learning method. However, we recommend that both vPC peers be configured for the same method.
• Dynamic MAC addresses are dropped only after the age limit is reached on both vPC peers.
• You set the maximum number of secure MAC addresses on the primary vPC switch. The primary vPC switch does the count validation, even if a maximum number of secure MAC addresses is set on the secondary switch.
• You configure the violation action on the primary vPC. So, whenever a security violation is triggered, the security action defined on the primary vPC switch occurs.
• Port security is enabled on a vPC interface when the port security feature is enabled on both vPC peers and port security is enabled on both vPC interfaces of the vPC peers. You can use the config sync command to verify that the configuration is correct.
• While a switch undergoes an in-service software upgrade (ISSU), port security operations are stopped on its peer switch. The peer switch does not learn any new MAC addresses, and MAC moves occurring during this operation are ignored. When the ISSU is complete, the peer switch is notified and normal port security functionality resumes.
• ISSU to higher versions is supported; however, ISSU to lower versions is not supported.
Default Settings for Port Security
This table lists the default settings for port security parameters.
Table 17: Default Port Security Parameters
Parameters                                         Default
Port security enablement globally                  Disabled
Port security enablement per interface             Disabled
MAC address learning method                        Dynamic
Interface maximum number of secure MAC addresses   1
Security violation action                          Shutdown
Configuring Port Security
Enabling or Disabling Port Security Globally
You can enable or disable port security globally on a device. By default, port security is disabled globally.
When you disable port security, all port security configuration on the interface is ineffective. When you disable port security globally, all port security configuration is lost.
Note
To enable or disable port security in a vPC domain, you must enable or disable port security globally on both vPC peers.
Procedure
Step 1
Command or Action: configure terminal
Example: switch# configure terminal
Purpose: Enters global configuration mode.
Step 2
Command or Action: [no] feature port-security
Example: switch(config)# feature port-security
Purpose: Enables port security globally. The no option disables port security globally.
Step 3
Command or Action: show port-security
Example: switch(config)# show port-security
Purpose: Displays the status of port security.
Step 4
Command or Action: copy running-config startup-config
Example: switch(config)# copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
Step 5
Command or Action: If you are configuring port security for a vPC domain, repeat steps 1 through 4 on the vPC peer to enable port security globally.
Purpose: —
Enabling or Disabling Port Security on a Layer 2 Interface
You can enable or disable port security on a Layer 2 interface. By default, port security is disabled on all interfaces.
When you disable port security on an interface, all switchport port security configuration for the interface is lost.
Before You Begin
You must have enabled port security globally.
If you are setting up port security in a vPC domain, you must have enabled port security globally on both vPC peers.
If a Layer 2 Ethernet interface is a member of a port-channel interface, you cannot enable or disable port security on the Layer 2 Ethernet interface.
If any member port of a secure Layer 2 port-channel interface has port security enabled, you cannot disable port security for the port-channel interface unless you first remove all secure member ports from the port-channel interface.
Procedure
Step 1
Command or Action: configure terminal
Example: switch# configure terminal
Purpose: Enters global configuration mode.
Step 2
Command or Action: Enter one of the following commands:
• interface ethernet slot/port
• interface port-channel channel-number
Example: switch(config)# interface ethernet 2/1
Purpose: Enters interface configuration mode for the Ethernet or port-channel interface that you want to configure with port security.
Step 3
Command or Action: switchport
Example: switch(config-if)# switchport
Purpose: Configures the interface as a Layer 2 interface.
Step 4
Command or Action: [no] switchport port-security
Example: switch(config-if)# switchport port-security
Purpose: Enables port security on the interface. The no option disables port security on the interface.
Step 5
Command or Action: show running-config port-security
Example: switch(config-if)# show running-config port-security
Purpose: Displays the port security configuration.
Step 6
Command or Action: copy running-config startup-config
Example: switch(config-if)# copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
Step 7
Command or Action: If you are configuring port security for a vPC domain, repeat steps 1 through 6 on the vPC peer to enable port security on its vPC interface.
Purpose: —
Enabling or Disabling Sticky MAC Address Learning
You can disable or enable sticky MAC address learning on an interface. If you disable sticky learning, the device returns to dynamic MAC address learning on the interface, which is the default learning method.
By default, sticky MAC address learning is disabled.
Before You Begin
You must have enabled port security globally.
Procedure
Step 1
Command or Action: configure terminal
Example: switch# configure terminal
Purpose: Enters global configuration mode.
Step 2
Command or Action: Enter one of the following commands:
• interface ethernet slot/port
• interface port-channel channel-number
Example: switch(config)# interface ethernet 2/1
Purpose: Enters interface configuration mode for the interface that you want to configure with sticky MAC address learning.
Step 3
Command or Action: switchport
Example: switch(config-if)# switchport
Purpose: Configures the interface as a Layer 2 interface.
Step 4
Command or Action: [no] switchport port-security mac-address sticky
Example: switch(config-if)# switchport port-security mac-address sticky
Purpose: Enables sticky MAC address learning on the interface. The no option disables sticky MAC address learning.
Step 5
Command or Action: show running-config port-security
Example: switch(config-if)# show running-config port-security
Purpose: Displays the port security configuration.
Step 6
Command or Action: copy running-config startup-config
Example: switch(config-if)# copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
Adding a Static Secure MAC Address on an Interface
You can add a static secure MAC address on a Layer 2 interface.
Note
If the MAC address is a secure MAC address on any interface, you cannot add it as a static secure MAC address to another interface until you remove it from the interface on which it is already a secure MAC address.
By default, no static secure MAC addresses are configured on an interface.
Before You Begin
You must have enabled port security globally.
Verify that the interface maximum has not been reached for secure MAC addresses. If needed, you can remove a secure MAC address or you can change the maximum number of addresses on the interface.
Procedure
Step 1
Command or Action: configure terminal
Example: switch# configure terminal
Purpose: Enters global configuration mode.
Step 2
Command or Action: Enter one of the following commands:
• interface ethernet slot/port
• interface port-channel channel-number
Example: switch(config)# interface ethernet 2/1
Purpose: Enters interface configuration mode for the interface that you specify.
Step 3
Command or Action: [no] switchport port-security mac-address address [vlan vlan-ID]
Example: switch(config-if)# switchport port-security mac-address 0019.D2D0.00AE
Purpose: Configures a static MAC address for port security on the current interface. Use the vlan keyword if you want to specify the VLAN that traffic from the address is allowed on.
Step 4
Command or Action: show running-config port-security
Example: switch(config-if)# show running-config port-security
Purpose: Displays the port security configuration.
Step 5
Command or Action: copy running-config startup-config
Example: switch(config-if)# copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
Removing a Static Secure MAC Address on an Interface
You can remove a static secure MAC address on a Layer 2 interface.
Procedure
Step 1
Command or Action: configure terminal
Example: switch# configure terminal
Purpose: Enters global configuration mode.
Step 2
Command or Action: Enter one of the following commands:
• interface ethernet slot/port
• interface port-channel channel-number
Example: switch(config)# interface ethernet 2/1
Purpose: Enters interface configuration mode for the interface from which you want to remove a static secure MAC address.
Step 3
Command or Action: no switchport port-security mac-address address
Example: switch(config-if)# no switchport port-security mac-address 0019.D2D0.00AE
Purpose: Removes the static secure MAC address from port security on the current interface.
Step 4
Command or Action: show running-config port-security
Example: switch(config-if)# show running-config port-security
Purpose: Displays the port security configuration.
Step 5
Command or Action: copy running-config startup-config
Example: switch(config-if)# copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
Removing a Dynamic Secure MAC Address
You can remove dynamically learned, secure MAC addresses.
Before You Begin
You must have enabled port security globally.
Procedure

Step 1
Command or Action: configure terminal
Purpose: Enters global configuration mode.
Example:
switch# configure terminal
switch(config)#

Step 2
Command or Action: clear port-security dynamic {interface ethernet slot/port | address address} [vlan vlan-ID]
Purpose: Removes dynamically learned, secure MAC addresses, as specified.
If you use the interface keyword, you remove all dynamically learned addresses on the interface that you specify.
If you use the address keyword, you remove the single, dynamically learned address that you specify.
Use the vlan keyword if you want to further limit the command to removing an address or addresses on a particular VLAN.
Example:
switch(config)# clear port-security dynamic interface ethernet 2/1

Step 3
Command or Action: show port-security address
Purpose: Displays secure MAC addresses.
Example:
switch(config)# show port-security address

Step 4
Command or Action: copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
Example:
switch(config)# copy running-config startup-config
Configuring a Maximum Number of MAC Addresses
You can configure the maximum number of MAC addresses that can be learned or statically configured on a Layer 2 interface. You can also configure a maximum number of MAC addresses per VLAN on a Layer 2 interface. The largest maximum that you can configure on an interface is 1025 addresses.
The system-wide maximum is 8192 secure addresses.
By default, an interface has a maximum of one secure MAC address. VLANs have no default maximum number of secure MAC addresses.
Note
When you specify a maximum number of addresses that is less than the number of addresses already learned or statically configured on the interface, the device rejects the command. To remove all addresses learned by the dynamic method, use the shutdown and no shutdown commands to restart the interface.
Before You Begin
You must have enabled port security globally.
Procedure

Step 1
Command or Action: configure terminal
Purpose: Enters global configuration mode.
Example:
switch# configure terminal
switch(config)#

Step 2
Command or Action: Enter one of the following commands:
• interface ethernet slot/port
• interface port-channel channel-number
Purpose: Enters interface configuration mode for the interface that you want to configure with a maximum number of MAC addresses.
Example:
switch(config)# interface ethernet 2/1
switch(config-if)#

Step 3
Command or Action: [no] switchport port-security maximum number [vlan vlan-ID]
Purpose: Configures the maximum number of MAC addresses that can be learned or statically configured for the current interface. The highest valid number is 1025. The no option resets the maximum number of MAC addresses to the default, which is 1.
If you want to specify the VLAN that the maximum applies to, use the vlan keyword.
Example:
switch(config-if)# switchport port-security maximum 425

Step 4
Command or Action: show running-config port-security
Purpose: Displays the port security configuration.
Example:
switch(config-if)# show running-config port-security

Step 5
Command or Action: copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
Example:
switch(config-if)# copy running-config startup-config
Configuring an Address Aging Type and Time
You can configure the MAC address aging type and the length of time that the device uses to determine when MAC addresses learned by the dynamic method have reached their age limit.
Absolute aging is the default aging type.
By default, the aging time is 0 minutes, which disables aging.
Before You Begin
You must have enabled port security globally.
Procedure

Step 1
Command or Action: configure terminal
Purpose: Enters global configuration mode.
Example:
switch# configure terminal
switch(config)#

Step 2
Command or Action: Enter one of the following commands:
• interface ethernet slot/port
• interface port-channel channel-number
Purpose: Enters interface configuration mode for the interface that you want to configure with the MAC aging type and time.
Example:
switch(config)# interface ethernet 2/1
switch(config-if)#

Step 3
Command or Action: [no] switchport port-security aging type {absolute | inactivity}
Purpose: Configures the type of aging that the device applies to dynamically learned MAC addresses. The no option resets the aging type to the default, which is absolute aging.
Example:
switch(config-if)# switchport port-security aging type inactivity

Step 4
Command or Action: [no] switchport port-security aging time minutes
Purpose: Configures the number of minutes that a dynamically learned MAC address must age before the device drops the address. The maximum valid value is 1440 minutes. The no option resets the aging time to the default, which is 0 minutes (no aging).
Example:
switch(config-if)# switchport port-security aging time 120

Step 5
Command or Action: show running-config port-security
Purpose: Displays the port security configuration.
Example:
switch(config-if)# show running-config port-security

Step 6
Command or Action: copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
Example:
switch(config-if)# copy running-config startup-config
Configuring a Security Violation Action
You can configure the action that the device takes if a security violation occurs. The violation action is configurable on each interface that you enable with port security.
The default security action is to shut down the port on which the security violation occurs.
Before You Begin
You must have enabled port security globally.
Procedure

Step 1
Command or Action: configure terminal
Purpose: Enters global configuration mode.
Example:
switch# configure terminal
switch(config)#

Step 2
Command or Action: Enter one of the following commands:
• interface ethernet slot/port
• interface port-channel channel-number
Purpose: Enters interface configuration mode for the interface that you want to configure with a security violation action.
Example:
switch(config)# interface ethernet 2/1
switch(config-if)#

Step 3
Command or Action: [no] switchport port-security violation {protect | restrict | shutdown}
Purpose: Configures the security violation action for port security on the current interface. The no option resets the violation action to the default, which is to shut down the interface.
Example:
switch(config-if)# switchport port-security violation restrict

Step 4
Command or Action: show running-config port-security
Purpose: Displays the port security configuration.
Example:
switch(config-if)# show running-config port-security

Step 5
Command or Action: copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
Example:
switch(config-if)# copy running-config startup-config
Verifying the Port Security Configuration
To display the port security configuration information, perform one of the following tasks. For detailed information about the fields in the output from these commands, see the Security Command Reference for your platform.

Command: show running-config port-security
Purpose: Displays the port security configuration.

Command: show port-security
Purpose: Displays the port security status of the device.

Command: show port-security interface
Purpose: Displays the port security status of a specific interface.

Command: show port-security address
Purpose: Displays secure MAC addresses.

Command: show running-config interface
Purpose: Displays the interfaces that are in the running configuration.

Command: show mac address-table
Purpose: Displays the contents of the MAC address table.

Command: show system internal port-security info global
Purpose: Displays the port security settings of the device.
Displaying Secure MAC Addresses
Use the show port-security address command to display secure MAC addresses. For detailed information about the fields in the output from this command, see the Security Command Reference for your platform.
Configuration Example for Port Security
The following example shows a port security configuration for the Ethernet 2/1 interface with VLAN and interface maximums for secure addresses. In this example, the interface is a trunk port. Additionally, the violation action is set to Restrict.
feature port-security
interface Ethernet 2/1
  switchport
  switchport port-security
  switchport port-security maximum 10
  switchport port-security maximum 7 vlan 10
  switchport port-security maximum 3 vlan 20
  switchport port-security violation restrict
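As an added example (Python written for this page, not Cisco code; nothing like it ships in NX-OS), the following models how the settings from the preceding procedures and the configuration example above interact on ingress traffic: the interface and per-VLAN maximums, static and dynamically learned secure MACs, absolute versus inactivity aging, the protect/restrict/shutdown violation actions, and the rejection of a maximum lower than the number of addresses already present. The class, method and counter names and the hosts replayed in demo_example_config are constructed for illustration.

```python
"""Model of NX-OS port-security enforcement (added illustration, not Cisco code).
It reproduces the behaviour the procedures above describe: interface and per-VLAN
maximums, static and dynamically learned secure MACs, absolute or inactivity aging,
and the protect/restrict/shutdown violation actions.  Names are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class SecureEntry:
    static: bool
    learned_at: float   # when the address was learned or configured
    last_seen: float    # refreshed by every frame; drives inactivity aging


@dataclass
class SecurePort:
    name: str
    violation: str = "shutdown"      # default action
    maximum: int = 1                 # default interface maximum (highest valid: 1025)
    aging_type: str = "absolute"     # default aging type
    aging_time: int = 0              # minutes; 0 disables aging
    vlan_maximum: Dict[int, int] = field(default_factory=dict)
    entries: Dict[Tuple[str, int], SecureEntry] = field(default_factory=dict)
    violations: int = 0              # counted for restrict and shutdown only
    shut_down: bool = False          # err-disabled after a shutdown violation

    def _count(self, vlan: Optional[int] = None) -> int:
        return sum(1 for (_, v) in self.entries if vlan is None or v == vlan)

    def _room(self, vlan: int) -> bool:
        if self._count() >= self.maximum:
            return False
        vmax = self.vlan_maximum.get(vlan)
        return vmax is None or self._count(vlan) < vmax

    def set_maximum(self, value: int, vlan: Optional[int] = None) -> bool:
        """Mirror the CLI: reject a value outside 1..1025 or below the addresses already present."""
        if not 1 <= value <= 1025 or value < self._count(vlan):
            return False
        if vlan is None:
            self.maximum = value
        else:
            self.vlan_maximum[vlan] = value
        return True

    def add_static(self, mac: str, vlan: int, now: float = 0.0) -> bool:
        """Static secure MAC; rejected when the interface or VLAN maximum is reached."""
        if not self._room(vlan):
            return False
        self.entries[(mac, vlan)] = SecureEntry(True, now, now)
        return True

    def age_out(self, now: float) -> List[str]:
        """Remove dynamic entries past the aging time; static entries never age."""
        if self.aging_time == 0:
            return []
        limit, removed = self.aging_time * 60, []
        for key, e in list(self.entries.items()):
            ref = e.learned_at if self.aging_type == "absolute" else e.last_seen
            if not e.static and now - ref >= limit:
                removed.append(key[0])
                del self.entries[key]
        return removed

    def ingress(self, src_mac: str, vlan: int, now: float = 0.0) -> str:
        """Return 'forward', 'drop' or 'shutdown' for a frame from src_mac on vlan."""
        if self.shut_down:
            return "drop"                # an err-disabled port passes nothing
        self.age_out(now)
        entry = self.entries.get((src_mac, vlan))
        if entry is not None:
            entry.last_seen = now
            return "forward"
        if self._room(vlan):             # learn it as a dynamic secure MAC
            self.entries[(src_mac, vlan)] = SecureEntry(False, now, now)
            return "forward"
        if self.violation == "protect":  # violation: silent drop, no counter
            return "drop"
        self.violations += 1             # restrict: drop, count and notify
        if self.violation == "shutdown":
            self.shut_down = True
            return "shutdown"
        return "drop"


def demo_example_config() -> dict:
    """Replay the trunk-port example above (max 10, VLAN 10 max 7, VLAN 20 max 3,
    violation restrict) against constructed hosts and report each frame's fate."""
    port = SecurePort("Ethernet2/1", violation="restrict")
    for value, vlan in ((10, None), (7, 10), (3, 20)):
        port.set_maximum(value, vlan)
    results = {}
    for i in range(4):      # the fourth host on VLAN 20 exceeds its VLAN maximum of 3
        results[f"vlan20-host{i}"] = port.ingress(f"00:00:00:00:20:{i:02x}", 20)
    for i in range(7):      # seven hosts fit both VLAN 10 (7) and the interface (10 - 3)
        results[f"vlan10-host{i}"] = port.ingress(f"00:00:00:00:10:{i:02x}", 10)
    results["vlan30-host0"] = port.ingress("00:00:00:00:30:00", 30)  # interface max hit
    results["violations"] = port.violations
    results["lowering_max_rejected"] = not port.set_maximum(5)     # 10 addresses present
    return results
```

Two details worth noticing when running it: with the default shutdown action a single unknown address err-disables the port, after which even the secure addresses stop passing traffic until the interface is brought back with shutdown and no shutdown; and with inactivity aging an address that keeps talking never ages, whereas absolute aging removes it at learned_at plus the aging time regardless of traffic.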
Configuration Example of Port Security in a vPC Domain
The following example shows how to enable and configure port security on vPC peers in a vPC domain. The first switch is the primary vPC peer and the second switch is the secondary vPC peer. It is assumed that domain 103 has already been created.

primary_switch(config)# feature port-security
primary_switch(config)# int e1/1
primary_switch(config-if)# switchport port-security
primary_switch(config-if)# switchport port-security max 1025
primary_switch(config-if)# switchport port-security violation restrict
primary_switch(config-if)# switchport port-security aging time 4
primary_switch(config-if)# switchport port-security aging type absolute
primary_switch(config-if)# switchport port-security mac sticky
primary_switch(config-if)# switchport port-security mac-address 0.0.1 vlan 101
primary_switch(config-if)# switchport port-security mac-address 0.0.2 vlan 101
primary_switch(config-if)# copy running-config startup-config

secondary_switch(config)# int e103/1/1
secondary_switch(config-if)# switchport port-security
secondary_switch(config-if)# copy running-config startup-config
Additional References for Port Security
Related Documents

Related Topic / Document Title
• Layer 2 switching
• Port security commands: complete command syntax, command modes, command history, defaults, usage guidelines, and examples

Standards

Standards / Title
No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature. / —

MIBs

Cisco NX-OS provides read-only SNMP support for port security.

MIBs / MIBs Link
• CISCO-PORT-SECURITY-MIB
  Note: Traps are supported for notification of secure MAC address violations.
To locate and download MIBs, go to the following URL: http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
Chapter 11
Configuring DHCP Snooping
This chapter contains the following sections:
• Information About DHCP Snooping, page 224
• Information About the DHCP Relay Agent, page 228
• Information about the DHCPv6 Relay Agent, page 230
• Information About the Lightweight DHCPv6 Relay Agent, page 230
• vIP HSRP Enhancement, page 231
• Guidelines and Limitations for DHCP Snooping, page 231
• Guidelines and Limitations for the vIP HSRP Enhancement, page 232
• Default Settings for DHCP Snooping, page 233
• Configuring DHCP Snooping, page 233
• Configuring the DHCPv6 Relay Agent, page 244
• Configuring Lightweight DHCPv6 Relay Agent, page 247
• Enabling DHCP Relay Agent using VIP Address, page 249
• Verifying the DHCP Snooping Configuration, page 250
• Displaying DHCP Bindings, page 250
• Displaying and Clearing LDRA Information, page 250
• Clearing the DHCP Snooping Binding Database, page 254
• Clearing DHCP Relay Statistics, page 255
• Clearing DHCPv6 Relay Statistics, page 255
• Configuration Examples for DHCP Snooping, page 255
• Configuration Examples for LDRA, page 256
Information About DHCP Snooping
DHCP snooping acts like a firewall between untrusted hosts and trusted DHCP servers. DHCP snooping performs the following activities:
• Validates DHCP messages received from untrusted sources and filters out invalid messages.
• Builds and maintains the DHCP snooping binding database, which contains information about untrusted hosts with leased IP addresses.
• Uses the DHCP snooping binding database to validate subsequent requests from untrusted hosts.
DHCP snooping is enabled on a per-VLAN basis. By default, the feature is inactive on all VLANs. You can enable the feature on a single VLAN or a range of VLANs.
Feature Enabled and Globally Enabled
When you are configuring DHCP snooping, it is important that you understand the difference between enabling the DHCP snooping feature and globally enabling DHCP snooping.
Feature Enablement
The DHCP snooping feature is disabled by default. When the DHCP snooping feature is disabled, you cannot configure it or any of the features that depend on DHCP snooping. The commands to configure DHCP snooping and its dependent features are unavailable when DHCP snooping is disabled.
When you enable the DHCP snooping feature, the switch begins building and maintaining the DHCP snooping binding database. Features dependent on the DHCP snooping binding database can now make use of it and can therefore also be configured.
Enabling the DHCP snooping feature does not globally enable it. You must separately enable DHCP snooping globally.
Disabling the DHCP snooping feature removes all DHCP snooping configuration from the switch. If you want to disable DHCP snooping and preserve the configuration, globally disable DHCP snooping but do not disable the DHCP snooping feature.
Global Enablement
After the DHCP snooping feature is enabled, DHCP snooping is globally disabled by default. Global enablement is a second level of enablement that lets you control separately whether the switch is actively performing DHCP snooping, independent of enabling the DHCP snooping binding database.
When you globally enable DHCP snooping, on each untrusted interface of VLANs that have DHCP snooping enabled, the switch begins validating DHCP messages that are received and uses the DHCP snooping binding database to validate subsequent requests from untrusted hosts.
When you globally disable DHCP snooping, the switch stops validating DHCP messages and validating subsequent requests from untrusted hosts. It also removes the DHCP snooping binding database. Globally disabling DHCP snooping does not remove any DHCP snooping configuration or the configuration of other features that are dependent upon the DHCP snooping feature.
Trusted and Untrusted Sources
You can configure whether DHCP snooping trusts traffic sources. An untrusted source might initiate traffic attacks or other hostile actions. To prevent such attacks, DHCP snooping filters messages from untrusted sources.
In an enterprise network, a trusted source is a device that is under your administrative control, such as the switches, routers, and servers in the network. Any device beyond the firewall or outside the network is an untrusted source. Generally, host ports are treated as untrusted sources.
In a service provider environment, any device that is not in the service provider network is an untrusted source (such as a customer switch). Host ports are untrusted sources.
In a Cisco Nexus device, you indicate that a source is trusted by configuring the trust state of its connecting interface.
The default trust state of all interfaces is untrusted. You must configure DHCP server interfaces as trusted. You can also configure other interfaces as trusted if they connect to devices (such as switches or routers) inside your network. You usually do not configure host port interfaces as trusted.
Note
For DHCP snooping to function properly, you must connect all DHCP servers to the switch through trusted interfaces.
DHCP Snooping Binding Database
Using information extracted from intercepted DHCP messages, DHCP snooping dynamically builds and maintains a database. The database contains an entry for each untrusted host with a leased IP address if the host is associated with a VLAN that has DHCP snooping enabled. The database does not contain entries for hosts that are connected through trusted interfaces.
Note
The DHCP snooping binding database is also referred to as the DHCP snooping binding table.
DHCP snooping updates the database when the switch receives specific DHCP messages. For example, the feature adds an entry to the database when the switch receives a DHCPACK message from the server. The feature removes the entry in the database when the IP address lease expires or the switch receives a
DHCPRELEASE message from the host.
Each entry in the DHCP snooping binding database includes the MAC address of the host, the leased IP address, the lease time, the binding type, and the VLAN number and interface information associated with the host.
You can remove entries from the binding database by using the clear ip dhcp snooping binding command.
DHCP Snooping Option 82 Data Insertion
DHCP can centrally manage the IP address assignments for a large number of subscribers. When you enable Option 82, the device identifies a subscriber device that connects to the network (in addition to its MAC address). Multiple hosts on the subscriber LAN can connect to the same port on the access device and are uniquely identified.
When you enable Option 82 on the Cisco NX-OS device, the following sequence of events occurs:

1. The host (DHCP client) generates a DHCP request and broadcasts it on the network.
2. When the Cisco NX-OS device receives the DHCP request, it adds the Option 82 information to the packet. The Option 82 information contains the device MAC address (the remote ID suboption) and the port identifier, vlan-mod-port, from which the packet is received (the circuit ID suboption). For hosts behind a port channel, the circuit ID is filled with the if_index of the port channel.

Note
For vPC peer switches, the remote ID suboption contains the vPC switch MAC address, which is unique in both switches. This MAC address is computed with the vPC domain ID. The Option 82 information is inserted at the switch where the DHCP request is first received before it is forwarded to the other vPC peer switch.

3. The device forwards the DHCP request that includes the Option 82 field to the DHCP server.
4. The DHCP server receives the packet. If the server is Option 82 capable, it can use the remote ID, the circuit ID, or both to assign IP addresses and implement policies, such as restricting the number of IP addresses that can be assigned to a single remote ID or circuit ID. The DHCP server echoes the Option 82 field in the DHCP reply.
5. The DHCP server sends the reply to the Cisco NX-OS device. The Cisco NX-OS device verifies that it originally inserted the Option 82 data by inspecting the remote ID and possibly the circuit ID fields. The Cisco NX-OS device removes the Option 82 field and forwards the packet to the interface that connects to the DHCP client that sent the DHCP request.

If the previously described sequence of events occurs, the following values do not change:
• Circuit ID suboption fields
  ◦ Suboption type
  ◦ Length of the suboption type
  ◦ Circuit ID type
  ◦ Length of the circuit ID type
• Remote ID suboption fields
  ◦ Suboption type
  ◦ Length of the suboption type
  ◦ Remote ID type
  ◦ Length of the remote ID type

This figure shows the packet formats for the remote ID suboption and the circuit ID suboption. The Cisco NX-OS device uses the packet formats when you globally enable DHCP snooping and when you enable Option 82 data insertion and removal. For the circuit ID suboption, the module field is the slot number of the module.
Figure 13: Suboption Packet Formats
DHCP Snooping in a vPC Environment
A virtual port channel (vPC) allows two Cisco NX-OS switches to appear as a single logical port channel to a third device. The third device can be a switch, a server, or any other networking device that supports port channels.
In a typical vPC environment, DHCP requests can reach one vPC peer switch and the responses can reach the other vPC peer switch, resulting in a partial DHCP (IP-MAC) binding entry in one switch and no binding entry in the other switch. This issue is addressed by using Cisco Fabric Service over Ethernet (CFSoE) distribution to ensure that all DHCP packets (requests and responses) appear on both switches, which helps in creating and maintaining the same binding entry on both switches for all clients behind the vPC link.
CFSoE distribution also allows only one switch to forward the DHCP requests and responses on the vPC link.
In non-vPC environments, both switches forward the DHCP packets.
Synchronizing DHCP Snooping Binding Entries
The dynamic DHCP binding entries should be in sync in the following scenarios:
• When the remote vPC is online, all the binding entries for that vPC link should be in sync with the peer.
• When DHCP snooping is enabled on the peer switch, the dynamic binding entries for all vPC links that are up remotely should be in sync with the peer.
Packet Validation
The switch validates DHCP packets received on the untrusted interfaces of VLANs that have DHCP snooping enabled. The switch forwards the DHCP packet unless any of the following conditions occur (in which case, the packet is dropped):
• The switch receives a DHCP response packet (such as a DHCPACK, DHCPNAK, or DHCPOFFER packet) on an untrusted interface.
• The switch receives a packet on an untrusted interface, and the source MAC address and the DHCP client hardware address do not match. This check is performed only if the DHCP snooping MAC address verification option is turned on.
• The switch receives a DHCPRELEASE or DHCPDECLINE message from an untrusted host with an entry in the DHCP snooping binding table, and the interface information in the binding table does not match the interface on which the message was received.
• The switch receives a DHCP packet that includes a relay agent IP address that is not 0.0.0.0.
In addition, you can enable strict validation of DHCP packets, which checks the options field of DHCP packets, including the “magic cookie” value in the first four bytes of the options field. By default, strict validation is disabled. When you enable it, by using the ip dhcp packet strict-validation command, if DHCP snooping processes a packet that has an invalid options field, it drops the packet.
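As an added example (Python written for this page, not Cisco code), the following models the two mechanisms described above: the Option 82 insertion and removal sequence from "DHCP Snooping Option 82 Data Insertion" (steps 2 and 5, with the circuit ID and remote ID suboptions laid out as the field list describes) and the drop rules in "Packet Validation", including strict validation of the magic cookie. Option and suboption numbers follow RFC 2131, RFC 2132 and RFC 3046; the packet builder, the vlan/module/port encoding of the circuit ID, the shape of the binding table and the sample MAC addresses are assumptions made for the example.

```python
"""DHCPv4 Option 82 handling and DHCP snooping packet validation.
Added illustration, not Cisco code: builds minimal DHCPv4 packets, inserts and
strips the relay agent information option (82) with circuit-ID and remote-ID
suboptions, and applies the "Packet Validation" drop rules plus the strict
magic-cookie check.  The packet builder and field encodings are assumptions."""
import struct
from typing import Dict, Optional, Tuple

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_MSG_TYPE, OPT_AGENT_INFO, OPT_END = 0, 53, 82, 255
DISCOVER, OFFER, REQUEST, DECLINE, ACK, NAK, RELEASE = 1, 2, 3, 4, 5, 6, 7
SERVER_MESSAGES = {OFFER, ACK, NAK}          # never legitimate from an untrusted port
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2
GIADDR, CHADDR, OPTIONS = slice(24, 28), slice(28, 34), 240   # fixed-header offsets


def build_dhcp(msg_type: int, chaddr: bytes, giaddr: bytes = bytes(4),
               options: bytes = b"", cookie: bytes = MAGIC_COOKIE) -> bytes:
    """Constructed packet: 236-byte fixed header, cookie, message-type option, options, END."""
    op = 1 if msg_type in (DISCOVER, REQUEST, DECLINE, RELEASE) else 2
    head = struct.pack("!BBBBIHH", op, 1, 6, 0, 0x1234, 0, 0x8000)          # op .. flags
    head += bytes(12) + giaddr + chaddr.ljust(16, b"\0") + bytes(192)      # ciaddr .. file
    return head + cookie + bytes([OPT_MSG_TYPE, 1, msg_type]) + options + bytes([OPT_END])


def parse_options(pkt: bytes, strict: bool = False) -> Tuple[Dict[int, bytes], int]:
    """Return ({code: value}, offset of END).  strict mirrors 'ip dhcp packet strict-validation':
    a bad magic cookie or an option running past the packet end is rejected."""
    if strict and pkt[236:OPTIONS] != MAGIC_COOKIE:
        raise ValueError("bad magic cookie")
    opts, i = {}, OPTIONS
    while i < len(pkt):
        code = pkt[i]
        if code == OPT_END:
            return opts, i
        if code == OPT_PAD:
            i += 1
            continue
        length = pkt[i + 1]
        if strict and i + 2 + length > len(pkt):
            raise ValueError("option runs past end of packet")
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    raise ValueError("no END option")


def parse_suboptions(info: bytes) -> Dict[int, bytes]:
    """Split the option 82 payload into its type/length/value suboptions."""
    subs, i = {}, 0
    while i + 2 <= len(info):
        code, length = info[i], info[i + 1]
        subs[code] = info[i + 2:i + 2 + length]
        i += 2 + length
    return subs


def agent_info(vlan: int, module: int, port: int, switch_mac: bytes) -> bytes:
    """Option 82 per the suboption layout above: circuit ID = type 0, length 4, vlan/module/port;
    remote ID = type 0, length 6, the device MAC address."""
    circuit = bytes([0, 4]) + struct.pack("!HBB", vlan, module, port)
    remote = bytes([0, 6]) + switch_mac
    body = bytes([SUB_CIRCUIT_ID, len(circuit)]) + circuit + bytes([SUB_REMOTE_ID, len(remote)]) + remote
    return bytes([OPT_AGENT_INFO, len(body)]) + body


def insert_option82(request: bytes, vlan: int, module: int, port: int, switch_mac: bytes) -> bytes:
    """Step 2 above: add option 82 in front of END before relaying the client's request."""
    _, end = parse_options(request)
    return request[:end] + agent_info(vlan, module, port, switch_mac) + request[end:]


def strip_option82(reply: bytes, switch_mac: bytes) -> Optional[bytes]:
    """Step 5 above: return the reply without option 82 only if its remote ID proves this
    device inserted it; otherwise None (the reply is not forwarded)."""
    opts, end = parse_options(reply)
    info = opts.get(OPT_AGENT_INFO)
    if info is None or parse_suboptions(info).get(SUB_REMOTE_ID) != bytes([0, 6]) + switch_mac:
        return None
    out, i = reply[:OPTIONS], OPTIONS
    while i < end:                                # copy every option except 82, in order
        code = reply[i]
        if code == OPT_PAD:
            out, i = out + reply[i:i + 1], i + 1
            continue
        length = reply[i + 1]
        if code != OPT_AGENT_INFO:
            out += reply[i:i + 2 + length]
        i += 2 + length
    return out + reply[end:]


def snooping_verdict(pkt: bytes, src_mac: bytes, ingress_if: str, trusted: bool,
                     bindings: Dict[bytes, str], mac_verify: bool = True, strict: bool = False) -> str:
    """Apply the 'Packet Validation' drop rules to a DHCP packet received on ingress_if.
    bindings maps a client MAC to the interface recorded in its snooping binding entry."""
    if trusted:
        return "forward"                          # trusted interfaces are not validated
    try:
        opts, _ = parse_options(pkt, strict)
    except (ValueError, IndexError):
        return "drop: invalid options field"
    msg_type, chaddr = opts.get(OPT_MSG_TYPE, b"\0")[0], pkt[CHADDR]
    if msg_type in SERVER_MESSAGES:
        return "drop: server message on untrusted interface"
    if mac_verify and chaddr != src_mac:
        return "drop: source MAC does not match client hardware address"
    if msg_type in (RELEASE, DECLINE) and bindings.get(chaddr, ingress_if) != ingress_if:
        return "drop: release/decline from an interface other than the binding's"
    if pkt[GIADDR] != bytes(4):
        return "drop: relay agent address is not 0.0.0.0"
    return "forward"
```

The remote ID check in strip_option82 is what step 5 relies on: a reply carrying somebody else's Option 82 is not stripped and not forwarded, which is also why the guide requires all DHCP servers to sit behind trusted interfaces. The difference between the default and strict modes shows up with a packet whose cookie is wrong but whose options still parse: non-strict snooping forwards it, strict validation drops it.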
Information About the DHCP Relay Agent
DHCP Relay Agent
You can configure the device to run a DHCP relay agent, which forwards DHCP packets between clients and servers. This feature is useful when clients and servers are not on the same physical subnet. Relay agents receive DHCP messages and then generate a new DHCP message to send out on another interface. The relay agent sets the gateway address (giaddr field of the DHCP packet) and, if configured, adds the relay agent information option (Option 82) to the packet and forwards it to the DHCP server. The reply from the server is forwarded back to the client after removing Option 82.
After you enable Option 82, the device uses the binary ifindex format by default. If needed, you can change the Option 82 setting to use an encoded string format instead. When a device acts as a relay agent and is configured to insert Option 82, the circuit ID is the same for all hosts even when they are connected to different ports. You can use the ip dhcp relay sub-option circuit-id customized command to retain the unique circuit ID that is inserted by a client.
Note
When the device relays a DHCP request that already includes Option 82 information, the device forwards the request with the original Option 82 information without altering it.
VRF Support for the DHCP Relay Agent
You can configure the DHCP relay agent to forward DHCP broadcast messages from clients in a virtual routing and forwarding (VRF) instance to DHCP servers in a different VRF. By using a single DHCP server to provide DHCP support to clients in multiple VRFs, you can conserve IP addresses by using a single IP address pool rather than one for each VRF.
Enabling VRF support for the DHCP relay agent requires that you enable Option 82 for the DHCP relay agent.
If a DHCP request arrives on an interface that you have configured with a DHCP relay address and VRF information, and the address of the DHCP server belongs to a network on an interface that is a member of a different VRF, the device inserts Option 82 information in the request and forwards it to the DHCP server in the server VRF. The Option 82 information includes the following:
VPN identifier: Name of the VRF that the interface that receives the DHCP request is a member of.
Link selection: Subnet address of the interface that receives the DHCP request.
Server identifier override: IP address of the interface that receives the DHCP request.
Note
The DHCP server must support the VPN identifier, link selection, and server identifier override options.
When the device receives the DHCP response message, it strips off the Option 82 information and forwards the response to the DHCP client in the client VRF.
DHCP Relay Binding Database
A relay binding is an entity that associates a DHCP or BOOTP client with a relay agent address and its subnet.
Each relay binding stores the client MAC address, active relay agent address, active relay agent address mask, logical and physical interfaces to which the client is connected, giaddr retry count, and total retry count. The giaddr retry count is the number of request packets transmitted with that relay agent address, and the total retry count is the total number of request packets transmitted by the relay agent. One relay binding entry is maintained for each DHCP or BOOTP client.
Note
When DHCP smart relay is enabled globally or at the interface level on any switch, the relay bindings on all switches should be synchronized with the vPC peer.
Information about the DHCPv6 Relay Agent
DHCPv6 Relay Agent
You can configure the device to run a DHCPv6 relay agent, which forwards DHCPv6 packets between clients and servers. This feature is useful when clients and servers are not on the same physical subnet. Relay agents receive DHCPv6 messages and then generate a new DHCPv6 message to send out on another interface. Unlike DHCPv4, DHCPv6 has no giaddr field: the relay agent encapsulates the client message in a Relay-forward message whose link-address field identifies the link the client is on, and forwards it to the DHCPv6 server.
VRF Support for the DHCPv6 Relay Agent
You can configure the DHCPv6 relay agent to forward DHCPv6 messages from clients in a virtual routing and forwarding (VRF) instance to DHCPv6 servers in a different VRF. By using a single DHCPv6 server to provide DHCPv6 support to clients in multiple VRFs, you can conserve IP addresses by using a single IP address pool rather than one for each VRF.
Information About the Lightweight DHCPv6 Relay Agent
Lightweight DHCPv6 Relay Agent
A variety of different link-layer network topologies exist for the aggregation of IPv6 nodes into one or more routers. In Layer 2 aggregation networks (IEEE 802.1D bridging or similar) that have many nodes on a single link, a DHCP Version 6 (DHCPv6) server or DHCP relay agent normally does not recognize how a DHCP client is attached to a network. From Cisco NX-OS Release 7.3(0)N1(1), you can configure the interface of a device to run Lightweight DHCPv6 Relay Agent (LDRA), which forwards DHCPv6 messages between clients and servers.
The LDRA feature is used to insert relay agent options in DHCPv6 message exchanges primarily to identify client-facing interfaces. LDRA resides on the same IPv6 link as the client and a DHCPv6 relay agent or server.
LDRA for VLANs and Interfaces
You can configure LDRA on VLANs and interfaces. LDRA is not enabled by default. To enable LDRA, it should be enabled globally and at the interface level. You should configure the interfaces as client-facing trusted, client-facing untrusted, or server-facing. All client-facing interfaces must be configured as trusted or untrusted. By default, all the client-facing interfaces in LDRA are configured as untrusted. When a client-facing interface is deemed untrusted, LDRA will discard messages of type RELAY-FORWARD, which are received from the client-facing interface.
The LDRA configuration on a VLAN should be configured as client-facing trusted or client-facing untrusted.
When you configure LDRA functionality on a VLAN, the functionality is configured on all the ports or interfaces within the VLAN. However, if you configure an interface in a VLAN as client-facing untrusted and configure the VLAN as client-facing trusted, the configuration of the interface takes precedence over the configuration of the VLAN. At least one interface in a VLAN should be configured as a server-facing interface.
Guidelines and Limitations for Lightweight DHCPv6 Relay Agent
• Access nodes implementing LDRA do not support IPv6 control or routing.
• An interface or port cannot be configured as both client facing and server facing at the same time.
• To support virtual port channel, LDRA configuration should be symmetric on the vPC peers.
• LDRA supports Cisco FabricPath.
vIP HSRP Enhancement
Starting with Cisco NX-OS Release 7.2(0)N1(1), the vIP HSRP enhancement provides support for an HSRP VIP configuration to be in a different subnet than that of the interface subnet. This feature is applicable only to IPv4, not to IPv6. The enhancements are the following:
• ARP is enhanced to source requests from the supervisor with the VIP for hosts in the VIP subnet that are referenced by a static route to VLAN configuration.
• Periodic ARP sync to the vPC peer is supported when this feature is enabled.
• The VIP address can be used as the Layer 3 source address and gateway address for all communications with the DHCP server.
• The DHCP relay agent is enhanced to relay DHCP packets with the VIP as the source instead of the SVI IP address when the feature is enabled.
Guidelines and Limitations for DHCP Snooping
Consider the following guidelines and limitations when configuring DHCP snooping:
• The DHCP snooping database can store 2000 bindings.
• DHCP snooping is not active until you enable the feature, enable DHCP snooping globally, and enable DHCP snooping on at least one VLAN.
• Before globally enabling DHCP snooping on the switch, make sure that the switches that act as the DHCP server and the DHCP relay agent are configured and enabled.
• If a VLAN ACL (VACL) is configured on a VLAN that you are configuring with DHCP snooping, ensure that the VACL permits DHCP traffic between DHCP servers and DHCP hosts.
• The DHCP snooping and DHCP relay features are not supported on the same VLAN.
• By default, DHCP bindings are not saved persistently across switch reboots. To maintain persistent bindings across switch reboots, use the copy running-config startup-config (copy r s) command. When the command is issued, all bindings that exist at that time are made persistent across switch reboots.
• Make sure that the DHCP configuration is synchronized across the switches in a vPC link. Otherwise, a run-time error can occur, resulting in dropped packets.
• To use both remote and local DHCP servers, you must configure the DHCP relay feature and either define the unicast address of the local DHCP server or configure a local broadcast address for the subnet where the local DHCP server resides. If you do not define the unicast address of the DHCP server or configure a local broadcast address for the subnet, local DHCP packets cannot be delivered. For example, this situation can occur when you apply an IP DHCP address to an SVI.
• When you configure DHCPv6 server addresses on an interface, a destination interface cannot be used with global IPv6 addresses.
The following additional guidelines and limitations apply to implementations that include FabricPath:
• DHCP snooping should be enabled on CE-Fabric boundary switches.
• DHCP snooping is enabled on all access layer switches to secure the network at the access layer.
• DHCP does not learn which binding entries are on ports configured in FabricPath mode. DHCP snooping must be manually enabled on all access layer switches.
• When Dynamic ARP Inspection (DAI) is enabled, ARP packets received on FabricPath ports are allowed.
• IPSG cannot be enabled on ports in FabricPath mode.
• All FabricPath ports in the system must be configured as trusted ports.
• DHCP snooping with Fabric Path has to be enabled on all of the configured VLANs for a switch. If you do not enable FabricPath for all of the VLANs on the switch, DHCP packets will drop for the VLANs where DHCP has not been enabled.
To ensure that DHCP packets are not dropped, you must complete all of the following configurations:
◦ Enable the DHCP feature using the feature dhcp command.
◦ Install the FabricPath feature set using the install feature-set fabricpath and feature-set fabricpath commands.
◦ Globally enable DHCP snooping using the ip dhcp snooping command.
◦ Enable DHCP snooping for each of the configured VLANs on the switch using the ip dhcp snooping vlan vlan command.
Guidelines and Limitations for the vIP HSRP Enhancement
• This feature will work only for HSRP in combination with VPC topologies. In scenarios where HSRP standby is not a VPC pair, this feature will not work, as there will not be periodic adjacency sync support for non-VPC cases.
• This feature is applicable only for IPv4 and not for IPv6.
• Support for this feature is only for Regular HSRP and not for Anycast HSRP, so this feature will not work if Anycast HSRP is enabled.
• SUP generated IP traffic (for example, ping/traceroute/ICMP Error packets) destined for VIP subnets originated from the HSRP Active/Standby box will continue to source with IPv4 SVI interface IP and not the vIP. If you want to explicitly source using the loopback IP for ping/traceroute, you can specify the loopback IP along with the source keyword.
• Static ARP configuration for creating entries in VIP subnets is not supported.
• The DHCP relay agent always uses the primary VIP address to communicate with the DHCP server. The DHCP relay agent does not consider using secondary VIP addresses as long as the primary VIP is available.
• The DHCP relay agent behaves differently in the inter-VRF case and requires the use of Option 82 information in DHCP packets. The DHCP server and clients must be in the same VRF; use of the VIP is not supported for inter-VRF relay.
Default Settings for DHCP Snooping
This table lists the default settings for DHCP snooping parameters.
Table 18: Default DHCP Snooping Parameters
Parameters                                   Default
DHCP snooping feature                        Disabled
DHCP snooping globally enabled               No
DHCP snooping VLAN                           None
DHCP snooping Option 82 support              Disabled
DHCP snooping trust                          Untrusted
VRF support for the DHCP relay agent         Disabled
VRF support for the DHCPv6 relay agent       Disabled
DHCP relay agent                             Disabled
DHCPv6 relay agent                           Disabled
DHCPv6 relay option type cisco               Disabled
Configuring DHCP Snooping
Minimum DHCP Snooping Configuration
Procedure
Step 1: Enable the DHCP snooping feature.
  Purpose: When the DHCP snooping feature is disabled, you cannot configure DHCP snooping. For details, see Enabling or Disabling the DHCP Snooping Feature.
Step 2: Enable DHCP snooping globally.
  Purpose: For details, see Enabling or Disabling DHCP Snooping Globally.
Step 3: Enable DHCP snooping on at least one VLAN.
  Purpose: By default, DHCP snooping is disabled on all VLANs. For details, see Enabling or Disabling DHCP Snooping on a VLAN, on page 235.
Step 4: Ensure that the DHCP server is connected to the switch using a trusted interface.
  Purpose: For details, see Configuring an Interface as Trusted or Untrusted.
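The guidelines above and this minimum configuration can be checked mechanically. The following audit script is an added example and not Cisco code; it parses a constructed show running-config dhcp style text (SAMPLE_CONFIG, SAMPLE_VLANS are invented sample data) and reports the conditions the guidelines call out: feature and global enablement, at least one snooping VLAN, at least one trusted port, no VLAN carrying both snooping and relay, and full VLAN coverage when the FabricPath feature set is installed.

```python
"""Audit an NX-OS 'show running-config dhcp' style text against the DHCP
snooping guidelines on this page.  Added example, not Cisco code; the
config text below is constructed for illustration."""
import re

# Constructed sample: feature on, snooping enabled globally and on a VLAN
# list, one trusted uplink, but VLAN 200 also relays (snooping and relay
# are not supported on the same VLAN) and FabricPath is installed while
# VLAN 300 is not covered by snooping.
SAMPLE_CONFIG = """\
feature dhcp
feature-set fabricpath
ip dhcp snooping
ip dhcp snooping vlan 100,200,250-252
ip dhcp relay
interface Ethernet1/1
  switchport
  ip dhcp snooping trust
interface Ethernet1/2
  switchport
interface Vlan200
  ip address 10.0.200.1/24
  ip dhcp relay address 10.9.9.9
"""
SAMPLE_VLANS = {100, 200, 250, 251, 252, 300}  # VLANs defined on the switch


def expand_vlan_list(spec):
    """Expand an NX-OS vlan-list such as '100,200,250-252' into a set."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            vlans.update(range(lo, hi + 1))
        elif part:
            vlans.add(int(part))
    return vlans


def parse_dhcp_config(text):
    """Collect the DHCP-relevant facts from the running-config text."""
    facts = {
        "feature_dhcp": False, "snooping_global": False, "fabricpath": False,
        "snooping_vlans": set(), "trusted_ifaces": set(), "relay_vlans": set(),
    }
    current = None  # interface whose sub-mode we are in, if any
    for line in text.splitlines():
        s = line.strip()
        if s == "feature dhcp":
            facts["feature_dhcp"] = True
        elif s == "feature-set fabricpath":
            facts["fabricpath"] = True
        elif s == "ip dhcp snooping":
            facts["snooping_global"] = True
        elif s.startswith("ip dhcp snooping vlan "):
            facts["snooping_vlans"] |= expand_vlan_list(s.split(" ", 4)[4])
        elif s.startswith("interface "):
            current = s.split(" ", 1)[1]
        elif s == "ip dhcp snooping trust" and current:
            facts["trusted_ifaces"].add(current)
        elif s.startswith("ip dhcp relay address") and current:
            m = re.fullmatch(r"[Vv]lan(\d+)", current)
            if m:  # relay configured on an SVI: that VLAN relays
                facts["relay_vlans"].add(int(m.group(1)))
    return facts


def audit(text, configured_vlans):
    """Return a list of findings; empty means the minimum configuration and
    the guidelines on this page are satisfied."""
    f = parse_dhcp_config(text)
    findings = []
    if not f["feature_dhcp"]:
        findings.append("feature dhcp is not enabled")
    if not f["snooping_global"]:
        findings.append("ip dhcp snooping is not enabled globally")
    if not f["snooping_vlans"]:
        findings.append("DHCP snooping is not enabled on any VLAN")
    if not f["trusted_ifaces"]:
        findings.append("no trusted interface; the DHCP server port must be trusted")
    for vlan in sorted(f["snooping_vlans"] & f["relay_vlans"]):
        findings.append(f"VLAN {vlan} has both DHCP snooping and DHCP relay")
    if f["fabricpath"]:
        for vlan in sorted(configured_vlans - f["snooping_vlans"]):
            findings.append(f"FabricPath: VLAN {vlan} lacks DHCP snooping; its DHCP packets will drop")
    return findings
```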
Enabling or Disabling the DHCP Snooping Feature
You can enable or disable the DHCP snooping feature on the switch. By default, DHCP snooping is disabled.
Before You Begin
If you disable the DHCP snooping feature, all DHCP snooping configuration is lost. If you want to turn off DHCP snooping and preserve the DHCP snooping configuration, disable DHCP globally.
Procedure
Step 1: configure terminal
  Purpose: Enters global configuration mode.
  Example:
  switch# configure terminal
  switch(config)#
Step 2: [no] feature dhcp
  Purpose: Enables the DHCP snooping feature. The no option disables the DHCP snooping feature and erases all DHCP snooping configuration.
  Example:
  switch(config)# feature dhcp
Step 3: show running-config dhcp
  Purpose: (Optional) Shows the DHCP snooping configuration.
  Example:
  switch(config)# show running-config dhcp
Step 4: copy running-config startup-config
  Purpose: (Optional) Copies the running configuration to the startup configuration.
  Example:
  switch(config)# copy running-config startup-config
Enabling or Disabling DHCP Snooping Globally
You can enable or disable DHCP snooping globally on the switch. Globally disabling DHCP snooping stops the switch from performing any DHCP snooping or relaying DHCP messages but preserves the DHCP snooping configuration.
Before You Begin
Ensure that you have enabled the DHCP snooping feature. By default, DHCP snooping is globally disabled.
Procedure
Step 1: configure terminal
  Purpose: Enters global configuration mode.
  Example:
  switch# configure terminal
  switch(config)#
Step 2: [no] ip dhcp snooping
  Purpose: Enables DHCP snooping globally. The no option disables DHCP snooping.
  Example:
  switch(config)# ip dhcp snooping
Step 3: show running-config dhcp
  Purpose: (Optional) Shows the DHCP snooping configuration.
  Example:
  switch(config)# show running-config dhcp
Step 4: copy running-config startup-config
  Purpose: (Optional) Copies the running configuration to the startup configuration.
  Example:
  switch(config)# copy running-config startup-config
Enabling or Disabling DHCP Snooping on a VLAN
You can enable or disable DHCP snooping on one or more VLANs.
Before You Begin
By default, DHCP snooping is disabled on all VLANs.
Ensure that DHCP snooping is enabled.
Note
If a VACL is configured on a VLAN that you are configuring with DHCP snooping, ensure that the VACL permits DHCP traffic between DHCP servers and DHCP hosts.
Procedure
Step 1: configure terminal
  Purpose: Enters global configuration mode.
  Example:
  switch# configure terminal
  switch(config)#
Step 2: [no] ip dhcp snooping vlan vlan-list
  Purpose: Enables DHCP snooping on the VLANs specified by vlan-list. The no option disables DHCP snooping on the VLANs specified.
  Example:
  switch(config)# ip dhcp snooping vlan 100,200,250-252
Step 3: show running-config dhcp
  Purpose: (Optional) Shows the DHCP snooping configuration.
  Example:
  switch(config)# show running-config dhcp
Step 4: copy running-config startup-config
  Purpose: (Optional) Copies the running configuration to the startup configuration.
  Example:
  switch(config)# copy running-config startup-config
Enabling or Disabling Option 82 Data Insertion and Removal
You can enable or disable the insertion and removal of Option 82 information for DHCP packets forwarded without the use of the DHCP relay agent.
Before You Begin
By default, the switch does not include Option 82 information in DHCP packets.
Ensure that DHCP snooping is enabled.
Procedure
Step 1: configure terminal
  Purpose: Enters global configuration mode.
  Example:
  switch# configure terminal
  switch(config)#
Step 2: [no] ip dhcp snooping information option
  Purpose: Enables the insertion and removal of Option 82 information from DHCP packets. The no option disables the insertion and removal of Option 82 information.
  Example:
  switch(config)# ip dhcp snooping information option
Step 3: show running-config dhcp
  Purpose: Shows the DHCP snooping configuration.
  Example:
  switch(config)# show running-config dhcp
Step 4: copy running-config startup-config
  Purpose: (Optional) Copies the running configuration to the startup configuration.
  Example:
  switch(config)# copy running-config startup-config
Enabling or Disabling Strict DHCP Packet Validation
You can enable or disable the strict validation of DHCP packets by the DHCP snooping feature. By default, strict validation of DHCP packets is disabled.
Procedure
Step 1: configure terminal
  Purpose: Enters global configuration mode.
  Example:
  switch# configure terminal
  switch(config)#
Step 2: [no] ip dhcp packet strict-validation
  Purpose: Enables the strict validation of DHCP packets by the DHCP snooping feature. The no option disables strict DHCP packet validation.
  Example:
  switch(config)# ip dhcp packet strict-validation
Step 3: show running-config dhcp
  Purpose: (Optional) Shows the DHCP snooping configuration.
  Example:
  switch(config)# show running-config dhcp
Step 4: copy running-config startup-config
  Purpose: (Optional) Copies the running configuration to the startup configuration.
  Example:
  switch(config)# copy running-config startup-config
Configuring an Interface as Trusted or Untrusted
You can configure whether an interface is a trusted or untrusted source of DHCP messages. You can configure DHCP trust on the following types of interfaces:
• Layer 2 Ethernet interfaces
• Layer 2 port-channel interfaces
Before You Begin
By default, all interfaces are untrusted.
Ensure that DHCP snooping is enabled.
Procedure
Step 1: configure terminal
  Purpose: Enters global configuration mode.
  Example:
  switch# configure terminal
  switch(config)#
Step 2: Enter one of the following commands:
  • interface ethernet slot/port
  • interface port-channel channel-number
  Purpose:
  • Enters interface configuration mode, where slot/port is the Layer 2 Ethernet interface that you want to configure as trusted or untrusted for DHCP snooping.
  • Enters interface configuration mode, where channel-number is the Layer 2 port-channel interface that you want to configure as trusted or untrusted for DHCP snooping.
  Example:
  switch(config)# interface ethernet 2/1
  switch(config-if)#
Step 3: [no] ip dhcp snooping trust
  Purpose: Configures the interface as a trusted interface for DHCP snooping. The no option configures the port as an untrusted interface.
  Example:
  switch(config-if)# ip dhcp snooping trust
Step 4: show running-config dhcp
  Purpose: (Optional) Shows the DHCP snooping configuration.
  Example:
  switch(config-if)# show running-config dhcp
Step 5: copy running-config startup-config
  Purpose: (Optional) Copies the running configuration to the startup configuration.
  Example:
  switch(config-if)# copy running-config startup-config
Enabling or Disabling the DHCP Relay Agent
You can enable or disable the DHCP relay agent. By default, the DHCP relay agent is enabled.
Before You Begin
Ensure that the DHCP feature is enabled.
Procedure
Step 1: config t
  Purpose: Enters global configuration mode.
  Example:
  switch# config t
  switch(config)#
Step 2: [no] ip dhcp relay
  Purpose: Enables the DHCP relay agent. The no option disables the relay agent.
  Example:
  switch(config)# ip dhcp relay
Step 3: show ip dhcp relay
  Purpose: (Optional) Displays the DHCP relay configuration.
  Example:
  switch(config)# show ip dhcp relay
Step 4: show running-config dhcp
  Purpose: (Optional) Displays the DHCP configuration.
  Example:
  switch(config)# show running-config dhcp
Step 5: copy running-config startup-config
  Purpose: (Optional) Copies the running configuration to the startup configuration.
  Example:
  switch(config)# copy running-config startup-config
Enabling or Disabling Option 82 for the DHCP Relay Agent
You can enable or disable the device to insert and remove Option 82 information on DHCP packets forwarded by the relay agent.
By default, the DHCP relay agent does not include Option 82 information in DHCP packets.
Procedure
Step 1: configure terminal
  Purpose: Enters global configuration mode.
  Example:
  switch# configure terminal
  switch(config)#
Step 2: [no] ip dhcp relay
  Purpose: Enables the DHCP relay feature. The no option disables this behavior.
  Example:
  switch(config)# ip dhcp relay
Step 3: [no] ip dhcp relay information option
  Purpose: Enables the DHCP relay agent to insert and remove Option 82 information on the packets that it forwards. The Option 82 information is in binary ifindex format by default. The no option disables this behavior.
  Example:
  switch(config)# ip dhcp relay information option
Step 4: [no] ip dhcp relay sub-option circuit-id customized
  Purpose: (Optional) Enables retention of the unique circuit ID that is inserted by a client. The no option disables this behavior.
  Note: By default, the circuit ID is the same for all hosts even when they are connected to different ports.
  Example:
  switch(config)# ip dhcp relay sub-option circuit-id customized
Step 5: show ip dhcp relay
  Purpose: (Optional) Displays the DHCP relay configuration.
  Example:
  switch(config)# show ip dhcp relay
Step 6: show running-config dhcp
  Purpose: (Optional) Displays the DHCP configuration.
  Example:
  switch(config)# show running-config dhcp
Step 7: copy running-config startup-config
  Purpose: (Optional) Saves the change persistently through reboots and restarts by copying the running configuration to the startup configuration.
  Example:
  switch(config)# copy running-config startup-config
Enabling or Disabling VRF Support for the DHCP Relay Agent
You can configure the device to support the relaying of DHCP requests that arrive on an interface in one VRF to a DHCP server in a different VRF instance.
Before You Begin
You must enable Option 82 for the DHCP relay agent.
Procedure
Step 1: config t
  Purpose: Enters global configuration mode.
  Example:
  switch# config t
  switch(config)#
Step 2: [no] ip dhcp relay information option vpn
  Purpose: Enables VRF support for the DHCP relay agent. The no option disables this behavior.
  Example:
  switch(config)# ip dhcp relay information option vpn
Step 3: [no] ip dhcp relay sub-option type cisco
  Purpose: Enables DHCP to use Cisco proprietary numbers 150, 152, and 151 when filling the link selection, server ID override, and VRF name/VPN ID relay agent Option 82 suboptions. The no option causes DHCP to use RFC numbers 5, 11, and 151 for the link selection, server ID override, and VRF name/VPN ID suboptions.
  Example:
  switch(config)# ip dhcp relay sub-option type cisco
Step 4: show ip dhcp relay
  Purpose: (Optional) Displays the DHCP relay configuration.
  Example:
  switch(config)# show ip dhcp relay
Step 5: show running-config dhcp
  Purpose: (Optional) Displays the DHCP configuration.
  Example:
  switch(config)# show running-config dhcp
Step 6: copy running-config startup-config
  Purpose: (Optional) Copies the running configuration to the startup configuration.
  Example:
  switch(config)# copy running-config startup-config
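The Option 82 insertion described in Enabling or Disabling Option 82 for the DHCP Relay Agent and the suboption numbering chosen by ip dhcp relay sub-option type cisco (150, 152, 151 versus RFC 5, 11, 151) can be seen on the wire with the following encoder and parser. This is an added example, not Cisco code; the 4-byte big-endian ifindex circuit-id and the RFC 6607 type-0 VPN identifier encoding are assumptions for illustration, and the parser rejects malformed length fields rather than reading past the option.

```python
"""Build and parse DHCPv4 Option 82 (relay agent information) with the
sub-option numbering this page describes: Cisco proprietary codes with
'ip dhcp relay sub-option type cisco', RFC codes without it.  Added
example, not Cisco code; the exact on-wire layout NX-OS uses for the
ifindex circuit-id and the VPN-ID suboption is an assumption here."""
import struct

OPTION_RELAY_AGENT_INFO = 82
SUBOPT_CIRCUIT_ID = 1     # RFC 3046
SUBOPT_REMOTE_ID = 2      # RFC 3046

# (link selection, server ID override, VRF name / VPN ID) per mode, as
# listed in the 'sub-option type cisco' step on this page.
SUBOPT_CODES = {
    "cisco": {"link_selection": 150, "server_id_override": 152, "vpn_id": 151},
    "rfc":   {"link_selection": 5,   "server_id_override": 11,  "vpn_id": 151},
}


def ip_bytes(dotted):
    return bytes(int(o) for o in dotted.split("."))


def build_option82(mode, ifindex, link_subnet, server_id, vrf_name=None):
    """Return the TLV-encoded Option 82 a relay agent would insert.

    mode: 'cisco' or 'rfc'; ifindex: interface index used as the binary
    circuit-id (assumed 4-byte big-endian); link_subnet / server_id are
    dotted IPv4 strings; vrf_name is added as the VPN-ID suboption when
    the relay operates inter-VRF (information option vpn)."""
    codes = SUBOPT_CODES[mode]
    subs = [
        (SUBOPT_CIRCUIT_ID, struct.pack("!I", ifindex)),
        (codes["link_selection"], ip_bytes(link_subnet)),
        (codes["server_id_override"], ip_bytes(server_id)),
    ]
    if vrf_name is not None:
        # RFC 6607 VSS type 0 = NVT ASCII VPN identifier (assumed encoding)
        subs.append((codes["vpn_id"], b"\x00" + vrf_name.encode("ascii")))
    body = b"".join(bytes([code, len(val)]) + val for code, val in subs)
    return bytes([OPTION_RELAY_AGENT_INFO, len(body)]) + body


def parse_option82(data):
    """Parse an Option 82 TLV into {suboption_code: value_bytes}.
    Raises ValueError on inconsistent lengths, which is what a relay or
    server validating a packet should do rather than trusting the field."""
    if len(data) < 2 or data[0] != OPTION_RELAY_AGENT_INFO:
        raise ValueError("not an option 82 TLV")
    if data[1] != len(data) - 2:
        raise ValueError("option length does not match payload")
    subs, i, end = {}, 2, len(data)
    while i < end:
        if i + 2 > end:
            raise ValueError("truncated suboption header")
        code, length = data[i], data[i + 1]
        if i + 2 + length > end:
            raise ValueError(f"suboption {code} runs past option end")
        subs[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return subs


def suboption_names(mode, subs):
    """Map parsed suboption codes to names under the given numbering; codes
    the other side does not know show up as unknown_<code>."""
    lookup = {v: k for k, v in SUBOPT_CODES[mode].items()}
    lookup.update({SUBOPT_CIRCUIT_ID: "circuit_id", SUBOPT_REMOTE_ID: "remote_id"})
    return {lookup.get(code, f"unknown_{code}"): val for code, val in subs.items()}
```

A server that only understands the RFC numbering will not recognise suboptions 150 and 152 from a relay configured with sub-option type cisco, which is why the two sides must agree on the mode.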
Enabling or Disabling Subnet Broadcast Support for the DHCP Relay Agent on a Layer 3 Interface
You can configure the device to support the relaying of DHCP packets from clients to a subnet broadcast IP address. When this feature is enabled, the VLAN ACLs (VACLs) accept IP broadcast packets and all subnet broadcast (primary subnet broadcast as well as secondary subnet broadcast) packets.
Before You Begin
Ensure that the DHCP feature is enabled.
Ensure that the DHCP relay agent is enabled.
Procedure
Step 1: config t
  Purpose: Enters global configuration mode.
  Example:
  switch# config t
  switch(config)#
Step 2: interface interface slot/port
  Purpose: Enters interface configuration mode, where slot/port is the interface for which you want to enable or disable subnet broadcast support for the DHCP relay agent.
  Example:
  switch(config)# interface ethernet 2/2
  switch(config-if)#
Step 3: [no] ip dhcp relay subnet-broadcast
  Purpose: Enables subnet broadcast support for the DHCP relay agent. The no option disables this behavior.
  Example:
  switch(config-if)# ip dhcp relay subnet-broadcast
Step 4: exit
  Purpose: Exits interface configuration mode.
  Example:
  switch(config-if)# exit
  switch(config)#
Step 5: exit
  Purpose: Exits global configuration mode.
  Example:
  switch(config)# exit
  switch#
Step 6: show ip dhcp relay
  Purpose: (Optional) Displays the DHCP relay configuration.
  Example:
  switch# show ip dhcp relay
Step 7: show running-config dhcp
  Purpose: (Optional) Displays the DHCP configuration.
  Example:
  switch# show running-config dhcp
Step 8: copy running-config startup-config
  Purpose: (Optional) Copies the running configuration to the startup configuration.
  Example:
  switch# copy running-config startup-config
Creating a DHCP Static Binding
You can create a static DHCP source binding to a Layer 2 interface.
Before You Begin
Ensure that you have enabled the DHCP snooping feature.
Procedure
Step 1: configure terminal
  Purpose: Enters global configuration mode.
  Example:
  switch# configure terminal
  switch(config)#
Step 2: ip source binding IP-address MAC-address vlan vlan-id {interface ethernet slot/port | port-channel channel-no}
  Purpose: Binds the static source address to the Layer 2 Ethernet interface.
  Example:
  switch(config)# ip source binding 10.5.22.7 001f.28bd.0013 vlan 100 interface ethernet 2/3
Step 3: show ip dhcp snooping binding
  Purpose: (Optional) Shows the DHCP snooping static and dynamic bindings.
  Example:
  switch(config)# show ip dhcp snooping binding
Step 4: show ip dhcp snooping binding dynamic
  Purpose: (Optional) Shows the DHCP snooping dynamic bindings.
  Example:
  switch(config)# show ip dhcp snooping binding dynamic
Step 5: copy running-config startup-config
  Purpose: (Optional) Copies the running configuration to the startup configuration.
  Example:
  switch(config)# copy running-config startup-config
The following example shows how to create a static IP source entry associated with VLAN 100 on Ethernet interface 2/3:
switch# configure terminal
switch(config)# ip source binding 10.5.22.7 001f.28bd.0013 vlan 100 interface ethernet 2/3
switch(config)#
Configuring the DHCPv6 Relay Agent
Enabling or Disabling the DHCPv6 Relay Agent
Before You Begin
Ensure that the DHCP feature is enabled.
Procedure
Step 1: configure terminal
  Purpose: Enters global configuration mode.
  Example:
  switch# configure terminal
  switch(config)#
Step 2: [no] ipv6 dhcp relay
  Purpose: Enables the DHCPv6 relay agent. The no option disables the relay agent.
  Example:
  switch(config)# ipv6 dhcp relay
Step 3: show ipv6 dhcp relay [interface interface]
  Purpose: (Optional) Displays the DHCPv6 relay configuration.
  Example:
  switch(config)# show ipv6 dhcp relay
Step 4: show running-config dhcp
  Purpose: (Optional) Displays the DHCP configuration.
  Example:
  switch(config)# show running-config dhcp
Step 5: copy running-config startup-config
  Purpose: (Optional) Copies the running configuration to the startup configuration.
  Example:
  switch(config)# copy running-config startup-config
Enabling or Disabling VRF Support for the DHCPv6 Relay Agent
You can configure the device to support the relaying of DHCPv6 requests that arrive on an interface in one VRF to a DHCPv6 server in a different VRF.
Before You Begin
Ensure that the DHCP feature is enabled.
Ensure that the DHCPv6 relay agent is enabled.
Procedure
Step 1: configure terminal
  Purpose: Enters global configuration mode.
  Example:
  switch# configure terminal
  switch(config)#
Step 2: [no] ipv6 dhcp relay option vpn
  Purpose: Enables VRF support for the DHCPv6 relay agent. The no option disables this behavior.
  Example:
  switch(config)# ipv6 dhcp relay option vpn
Step 3: [no] ipv6 dhcp relay option type cisco
  Purpose: Causes the DHCPv6 relay agent to insert virtual subnet selection (VSS) details as part of the vendor-specific option. The no option causes the DHCPv6 relay agent to insert VSS details as part of the VSS option (68), which is defined in RFC-6607. This command is useful when you want to use DHCPv6 servers that do not support RFC-6607 but allocate IPv6 addresses based on the client VRF name.
  Example:
  switch(config)# ipv6 dhcp relay option type cisco
Step 4: show ipv6 dhcp relay [interface interface]
  Purpose: (Optional) Displays the DHCPv6 relay configuration.
  Example:
  switch(config)# show ipv6 dhcp relay
Step 5: show running-config dhcp
  Purpose: (Optional) Displays the DHCP configuration.
  Example:
  switch(config)# show running-config dhcp
Step 6: copy running-config startup-config
  Purpose: (Optional) Copies the running configuration to the startup configuration.
  Example:
  switch(config)# copy running-config startup-config
Configuring the DHCPv6 Relay Source Interface
You can configure the source interface for the DHCPv6 relay agent. By default, the DHCPv6 relay agent uses the relay agent address as the source address of the outgoing packet. Configuring the source interface enables you to use a more stable address (such as the loopback interface address) as the source address of relayed messages.
Before You Begin
Ensure that the DHCP feature is enabled.
Ensure that the DHCPv6 relay agent is enabled.
Procedure
Step 1: configure terminal
  Purpose: Enters global configuration mode.
  Example:
  switch# configure terminal
  switch(config)#
Step 2: [no] ipv6 dhcp relay source-interface interface
  Purpose: Configures the source interface for the DHCPv6 relay agent.
  Note: The DHCPv6 relay source interface can be configured globally, per interface, or both. When both the global and interface levels are configured, the interface-level configuration overrides the global configuration.
  Example:
  switch(config)# ipv6 dhcp relay source-interface loopback 2
Step 3: show ipv6 dhcp relay [interface interface]
  Purpose: (Optional) Displays the DHCPv6 relay configuration.
  Example:
  switch(config)# show ipv6 dhcp relay
Step 4: show running-config dhcp
  Purpose: (Optional) Displays the DHCP configuration.
  Example:
  switch(config)# show running-config dhcp
Step 5: copy running-config startup-config
  Purpose: (Optional) Copies the running configuration to the startup configuration.
  Example:
  switch(config)# copy running-config startup-config
Configuring Lightweight DHCPv6 Relay Agent
Configuring Lightweight DHCPv6 Relay Agent for an Interface
Perform this task to configure Lightweight DHCPv6 Relay Agent (LDRA) for an interface.
Procedure
Step 1: configure terminal
  Purpose: Enters global configuration mode.
  Example:
  switch# configure terminal
Step 2: [no] ipv6 dhcp ldra
  Purpose: Enables the LDRA functionality globally.
  Example:
  switch(config)# ipv6 dhcp ldra
Step 3: interface slot/port
  Purpose: Specifies an interface type and number, and enters interface configuration mode.
  Example:
  switch(config)# interface ethernet 0/0
Step 4: switchport
  Purpose: Switches an interface that is in Layer 3 mode to Layer 2 mode for Layer 2 configuration.
  Example:
  switch(config-if)# switchport
Step 5: [no] ipv6 dhcp-ldra {client-facing-trusted | client-facing-untrusted | client-facing-disable | server-facing}
  Purpose: Enables LDRA functionality on the specified interface or port. The no option disables the LDRA functionality.
  Note: The client-facing-trusted keyword specifies client-facing interfaces or ports as trusted. A trusted port allows DHCPv6 packets, and they are encapsulated according to the LDRA options. The client-facing-untrusted keyword specifies client-facing interfaces or ports as untrusted. Untrusted ports perform LDRA functionality but drop only the RELAY-FORWARD packets received on them. The client-facing-disable keyword disables LDRA functionality on an interface or port; a disabled port performs Layer 2 forwarding of DHCPv6 packets. The server-facing keyword specifies an interface or port as server facing; a server-facing port allows the reply packets from the server.
  Example:
  switch(config-if)# ipv6 dhcp-ldra server-facing
Configuring Lightweight DHCPv6 Relay Agent for a VLAN
Perform this task to configure Lightweight DHCPv6 Relay Agent (LDRA) for a VLAN.
Before You Begin
Ensure that the VLAN is not assigned an IP address.
Procedure
Step 1: configure terminal
  Purpose: Enters global configuration mode.
  Example:
  switch# configure terminal
Step 2: [no] ipv6 dhcp ldra
  Purpose: Enables the LDRA functionality globally.
  Example:
  switch(config)# ipv6 dhcp ldra
Step 3: [no] ipv6 dhcp-ldra attach-policy vlan vlan-id {client-facing-trusted | client-facing-untrusted}
  Purpose: Enables LDRA functionality on the specified VLAN. The no option disables the LDRA functionality.
  Note: The client-facing-trusted keyword configures all the ports or interfaces associated with the VLAN as client-facing, trusted ports. The client-facing-untrusted keyword configures all the ports or interfaces associated with the VLAN as client-facing, untrusted ports.
  Example:
  switch(config)# ipv6 dhcp-ldra attach-policy vlan 25 client-facing-trusted
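The per-port policies from the LDRA overview and the two procedures above (trusted and untrusted client-facing ports, disabled ports, server-facing ports) can be modelled as a decision table keyed by DHCPv6 message type, the same types listed in the show ipv6 dhcp-ldra statistics output. This is an added example and not Cisco code: the policy names are the page's CLI keywords, while the exact action for each message type is my reading of the note above, not a statement of the NX-OS implementation.

```python
"""Model of the LDRA port policies described on this page: what each policy
does with a DHCPv6 message arriving on that port, and how that would show
up as Rx/Tx/Drops counters.  Added example, not Cisco code; the decision
table is an assumption derived from the note on the ipv6 dhcp-ldra step."""

# DHCPv6 message types, matching the rows of 'show ipv6 dhcp-ldra statistics'.
MSG_TYPES = {
    1: "SOLICIT", 2: "ADVERTISE", 3: "REQUEST", 4: "CONFIRM", 5: "RENEW",
    6: "REBIND", 7: "REPLY", 8: "RELEASE", 9: "DECLINE", 10: "RECONFIGURE",
    11: "INFORMATION_REQUEST", 12: "RELAY_FORWARD", 13: "RELAY_REPLY",
}
RELAY_FORWARD, RELAY_REPLY = 12, 13
CLIENT_MSGS = {1, 3, 4, 5, 6, 8, 9, 11}   # sent by clients towards a server
SERVER_MSGS = {2, 7, 10}                  # sent by servers towards clients

POLICIES = ("client-facing-trusted", "client-facing-untrusted",
            "client-facing-disable", "server-facing")


def ldra_action(policy, msg_type):
    """Return 'encapsulate', 'forward' or 'drop' for a message received on a
    port carrying the given LDRA policy."""
    if policy not in POLICIES:
        raise ValueError(f"unknown LDRA policy {policy!r}")
    if msg_type not in MSG_TYPES:
        return "drop"                     # not a DHCPv6 message type we know
    if policy == "client-facing-disable":
        return "forward"                  # plain Layer 2 forwarding, no LDRA
    if policy == "server-facing":
        # Server-facing ports admit replies; RELAY_REPLY carries the server's
        # answer back down through the LDRA.  Client-originated messages do
        # not belong on this side (assumption: treated as drops here).
        if msg_type == RELAY_REPLY or msg_type in SERVER_MSGS:
            return "forward"
        return "drop"
    # client-facing-trusted / client-facing-untrusted
    if msg_type == RELAY_FORWARD:
        # The page: an untrusted client port discards RELAY-FORWARD; a trusted
        # one allows it and it is encapsulated like any other client message.
        return "encapsulate" if policy == "client-facing-trusted" else "drop"
    if msg_type in CLIENT_MSGS:
        return "encapsulate"              # wrap in RELAY_FORWARD with LDRA options
    return "drop"                         # server message arriving from a client port


def tally(policy, received):
    """Count Rx/Tx/Drops per message type for a stream of message types seen
    on one port, laid out like the PACKET STATS rows of the show command.
    An encapsulated message is transmitted as RELAY_FORWARD."""
    stats = {name: {"rx": 0, "tx": 0, "drops": 0} for name in MSG_TYPES.values()}
    for t in received:
        row = stats[MSG_TYPES[t]]
        row["rx"] += 1
        action = ldra_action(policy, t)
        if action == "drop":
            row["drops"] += 1
        elif action == "encapsulate":
            stats["RELAY_FORWARD"]["tx"] += 1
        else:
            row["tx"] += 1
    return stats
```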
Enabling DHCP Relay Agent using VIP Address
Procedure
Step 1: switch# configure terminal
  Purpose: Enters global configuration mode.
Step 2: switch(config)# [no] ip dhcp relay source-address hsrp
  Purpose: Enables/Disables the DHCP relay agent to use the VIP globally.
Step 3: switch(config)# interface type number
  Purpose: Enters interface configuration mode.
Step 4: switch(config-if)# [no] ip dhcp relay source-address hsrp
  Purpose: Enables/Disables the DHCP relay agent to use the VIP at the L3 interface level.
Step 5: switch(config-if)# end
  Purpose: Returns to privileged EXEC mode.
Step 6: (Optional) switch# show ip dhcp relay
  Purpose: Displays the DHCP relay configuration.
Step 7: (Optional) switch# show hsrp brief
  Purpose: Displays the summary of Hot Standby Router Protocol (HSRP) information.
The following example enables the DHCP relay agent using the VIP address:
interface vlan 500
  ip address 5.5.5.5/24
  ip dhcp relay source-address hsrp
  ip dhcp relay address 100.100.100.100
  hsrp 10
    ip 17.17.17.17/28
    ip 15.15.15.20/28 secondary
Verifying the DHCP Snooping Configuration
To display DHCP snooping configuration information, perform one of the following tasks. For detailed information about the fields in the output from these commands, see the System Management Configuration Guide for your Cisco Nexus device.
Command                                        Purpose
show running-config dhcp                       Displays the DHCP snooping configuration.
show ip dhcp relay                             Displays the DHCP relay configuration.
show ipv6 dhcp relay [interface interface]     Displays the DHCPv6 relay global or interface-level configuration.
show ip dhcp snooping                          Displays general information about DHCP snooping.
Displaying DHCP Bindings
Use the show ip dhcp snooping binding command to display the DHCP static and dynamic binding table.
Use the show ip dhcp snooping binding dynamic command to display the DHCP dynamic binding table.
For detailed information about the fields in the output from this command, see the System Management Configuration Guide for your Cisco Nexus device.
This example shows how to create a static DHCP binding and then verify the binding using the show ip dhcp snooping binding command.
switch# configure terminal
switch(config)# ip source binding 10.20.30.40 0000.1111.2222 vlan 400 interface port-channel 500
switch(config)# show ip dhcp snooping binding
MacAddress          IpAddress        LeaseSec    Type      VLAN    Interface
--------------------------------------------------------------
00:00:11:11:22:22   10.20.30.40      infinite    static    400     port-channel500
Displaying and Clearing LDRA Information
To display Lightweight DHCPv6 Relay Agent (LDRA) information, use one of the commands in this table.
Command                                                Purpose
show ipv6 dhcp-ldra                                    Displays the LDRA configuration details.
show ipv6 dhcp-ldra statistics                         Displays LDRA configuration statistics before and after initiating a DHCP session.
show ipv6 dhcp-ldra statistics vlan vlan-id            Displays LDRA configuration statistics for the specified VLAN.
show ipv6 dhcp-ldra statistics interface interface-id  Displays LDRA configuration statistics for the specified interface.
To clear the DHCPv6 LDRA-specific statistics, use the clear ipv6 dhcp-ldra statistics command.
Displaying LDRA Configuration Details
The following example shows the LDRA configuration details for a switch:

switch(config)# show ipv6 dhcp-ldra
DHCPv6 LDRA is Enabled.
DHCPv6 LDRA policy: client-facing-trusted
Target: Ethernet1/1
DHCPv6 LDRA policy: client-facing-untrusted
Target: vlan 102 vlan 103
DHCPv6 LDRA policy: server-facing
Target: port-channel101
Displaying the LDRA Statistics
The following example displays the LDRA statistics:

switch(config)# show ipv6 dhcp-ldra statistics
PACKET STATS:
---------------------------------------------------------
Message Type           Rx         Tx         Drops      |
---------------------------------------------------------
SOLICIT                0          0          0          |
ADVERTISE              0          0          0          |
REQUEST                0          0          0          |
CONFIRM                0          0          0          |
RENEW                  0          0          0          |
REBIND                 0          0          0          |
REPLY                  0          0          0          |
RELEASE                0          0          0          |
DECLINE                0          0          0          |
RECONFIGURE            0          0          0          |
INFORMATION_REQUEST    0          0          0          |
RELAY_FORWARD          0          0          0          |
RELAY_REPLY            0          0          0          |
---------------------------------------------------------
Total                  0          0          0          |
---------------------------------------------------------
CFS STATS:
---------------------------------------------------------
Message Type           Rx         Tx         Drops      |
---------------------------------------------------------
SOLICIT                0          0          0          |
ADVERTISE              0          0          0          |
REQUEST                0          0          0          |
CONFIRM                0          0          0          |
RENEW                  0          0          0          |
REBIND                 0          0          0          |
REPLY                  0          0          0          |
RELEASE                0          0          0          |
DECLINE                0          0          0          |
RECONFIGURE            0          0          0          |
INFORMATION_REQUEST    0          0          0          |
RELAY_FORWARD          0          0          0          |
RELAY_REPLY            0          0          0          |
---------------------------------------------------------
Total                  0          0          0          |
---------------------------------------------------------
Non-DHCPv6 LDRA Packets:
---------------------------------------------------------
Total Packets Received:     0
Total Packets Forwarded:    0
Total Packets Dropped:      0
---------------------------------------------------------
DHCPv6 LDRA DROPS
---------------------------------------------------------
Invalid Message Type:                          0
Max hops exceeded:                             0
Relay Forward Received on Untrusted port:      0
Packet received over MCT:                      0
Invalid Message Type on Client facing port:    0
No Server Port Present:                        0
The following example displays the LDRA statistics for the interface Ethernet1/1:

SWITCH(config)# show ipv6 dhcp-ldra statistics interface e1/1
INTERFACE: Ethernet1/1
PACKET STATS:
---------------------------------------------------------
Message Type           Rx         Tx         Drops      |
---------------------------------------------------------
SOLICIT                0          0          0          |
ADVERTISE              0          0          0          |
REQUEST                0          0          0          |
CONFIRM                0          0          0          |
RENEW                  0          0          0          |
REBIND                 0          0          0          |
REPLY                  0          0          0          |
RELEASE                0          0          0          |
DECLINE                0          0          0          |
RECONFIGURE            0          0          0          |
INFORMATION_REQUEST    0          0          0          |
RELAY_FORWARD          0          0          0          |
RELAY_REPLY            0          0          0          |
---------------------------------------------------------
Total                  0          0          0          |
---------------------------------------------------------
CFS STATS:
---------------------------------------------------------
Message Type           Rx         Tx         Drops      |
---------------------------------------------------------
SOLICIT                0          0          0          |
ADVERTISE              0          0          0          |
REQUEST                0          0          0          |
CONFIRM                0          0          0          |
RENEW                  0          0          0          |
REBIND                 0          0          0          |
REPLY                  0          0          0          |
RELEASE                0          0          0          |
DECLINE                0          0          0          |
RECONFIGURE            0          0          0          |
INFORMATION_REQUEST    0          0          0          |
RELAY_FORWARD          0          0          0          |
RELAY_REPLY            0          0          0          |
---------------------------------------------------------
Total                  0          0          0          |
---------------------------------------------------------
Non-DHCPv6 LDRA Packets:
---------------------------------------------------------
Total Packets Received:     0
Total Packets Forwarded:    0
Total Packets Dropped:      0
---------------------------------------------------------
DHCPv6 LDRA DROPS
---------------------------------------------------------
Invalid Message Type:                          0
Max hops exceeded:                             0
Relay Forward Received on Untrusted port:      0
Packet received over MCT:                      0
Invalid Message Type on Client facing port:    0
No Server Port Present:                        0
The following example displays the LDRA statistics for VLAN 101:

SWITCH(config)# show ipv6 dhcp-ldra statistics vlan 101
VLAN: 101
PACKET STATS:
---------------------------------------------------------
Message Type           Rx         Tx         Drops      |
---------------------------------------------------------
SOLICIT                0          0          0          |
ADVERTISE              0          0          0          |
REQUEST                0          0          0          |
CONFIRM                0          0          0          |
RENEW                  0          0          0          |
REBIND                 0          0          0          |
REPLY                  0          0          0          |
RELEASE                0          0          0          |
DECLINE                0          0          0          |
RECONFIGURE            0          0          0          |
INFORMATION_REQUEST    0          0          0          |
RELAY_FORWARD          0          0          0          |
RELAY_REPLY            0          0          0          |
---------------------------------------------------------
Total                  0          0          0          |
---------------------------------------------------------
CFS STATS:
---------------------------------------------------------
Message Type           Rx         Tx         Drops      |
---------------------------------------------------------
SOLICIT                0          0          0          |
ADVERTISE              0          0          0          |
REQUEST                0          0          0          |
CONFIRM                0          0          0          |
RENEW                  0          0          0          |
REBIND                 0          0          0          |
REPLY                  0          0          0          |
RELEASE                0          0          0          |
DECLINE                0          0          0          |
RECONFIGURE            0          0          0          |
INFORMATION_REQUEST    0          0          0          |
RELAY_FORWARD          0          0          0          |
RELAY_REPLY            0          0          0          |
---------------------------------------------------------
Total                  0          0          0          |
---------------------------------------------------------
Non-DHCPv6 LDRA Packets:
---------------------------------------------------------
Total Packets Received:     0
Total Packets Forwarded:    0
Total Packets Dropped:      0
---------------------------------------------------------
DHCPv6 LDRA DROPS
---------------------------------------------------------
Invalid Message Type:                          0
Max hops exceeded:                             0
Relay Forward Received on Untrusted port:      0
Packet received over MCT:                      0
Invalid Message Type on Client facing port:    0
No Server Port Present:                        0
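The LDRA statistics above are all zero because they were taken before any DHCPv6 session; on a live switch the "DHCPv6 LDRA DROPS" section is where a relay-forward arriving on a client-facing (untrusted) port or a hop-count violation shows up. The following parser is an added example, not Cisco code: it reads the output layout shown above into a dictionary and returns the drop reasons with non-zero counters so that they can be polled and alerted on. The function names (parse_ldra_stats, nonzero_drop_reasons, total_drops) and the non-zero counters in SAMPLE_OUTPUT are constructed for this example.

```python
"""Parse 'show ipv6 dhcp-ldra statistics' output and flag drop reasons.

Added example, not Cisco code. The layout follows the guide's sample
output; the counters below are constructed for illustration.
"""
import re
from typing import Dict

# Constructed sample in the guide's layout (not a real capture).
SAMPLE_OUTPUT = """\
PACKET STATS:
---------------------------------------------------------
Message Type           Rx         Tx         Drops      |
---------------------------------------------------------
SOLICIT                120        118        2          |
ADVERTISE              97         97         0          |
REQUEST                96         96         0          |
REPLY                  96         96         0          |
RELAY_FORWARD          3          0          3          |
RELAY_REPLY            0          0          0          |
---------------------------------------------------------
Total                  412        407        5          |
---------------------------------------------------------
CFS STATS:
---------------------------------------------------------
Message Type           Rx         Tx         Drops      |
---------------------------------------------------------
SOLICIT                0          0          0          |
---------------------------------------------------------
Total                  0          0          0          |
---------------------------------------------------------
Non-DHCPv6 LDRA Packets:
---------------------------------------------------------
Total Packets Received:     40
Total Packets Forwarded:    40
Total Packets Dropped:      0
---------------------------------------------------------
DHCPv6 LDRA DROPS
---------------------------------------------------------
Invalid Message Type:                          0
Max hops exceeded:                             2
Relay Forward Received on Untrusted port:      3
Packet received over MCT:                      0
Invalid Message Type on Client facing port:    0
No Server Port Present:                        0
"""

# A counter row: message type (or the Total row), Rx, Tx, Drops, optional trailing '|'.
ROW_RE = re.compile(r"^([A-Z_]+|Total)\s+(\d+)\s+(\d+)\s+(\d+)\s*\|?\s*$")
# A 'label: value' line in the Non-DHCPv6 and DROPS sections.
REASON_RE = re.compile(r"^([A-Za-z ]+?):\s+(\d+)\s*$")


def parse_ldra_stats(text: str) -> Dict[str, Dict[str, object]]:
    """Return {"PACKET STATS": {type: {rx, tx, drops}}, "CFS STATS": {...},
    "non_dhcpv6": {label: n}, "drops": {reason: n}}."""
    result: Dict[str, Dict[str, object]] = {
        "PACKET STATS": {}, "CFS STATS": {}, "non_dhcpv6": {}, "drops": {}}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("---") or line.startswith("Message Type"):
            continue
        if line in ("PACKET STATS:", "CFS STATS:"):
            section = line.rstrip(":")
            continue
        if line == "Non-DHCPv6 LDRA Packets:":
            section = "non_dhcpv6"
            continue
        if line == "DHCPv6 LDRA DROPS":
            section = "drops"
            continue
        m = ROW_RE.match(line)
        if m and section in ("PACKET STATS", "CFS STATS"):
            name, rx, tx, drops = m.groups()
            result[section][name] = {"rx": int(rx), "tx": int(tx), "drops": int(drops)}
            continue
        m = REASON_RE.match(line)
        if m and section in ("non_dhcpv6", "drops"):
            result[section][m.group(1).strip()] = int(m.group(2))
    return result


def nonzero_drop_reasons(stats: Dict[str, Dict[str, object]]) -> Dict[str, int]:
    """Drop reasons worth alerting on: every non-zero counter in the DROPS section."""
    return {k: v for k, v in stats["drops"].items() if v > 0}


def total_drops(stats: Dict[str, Dict[str, object]], section: str = "PACKET STATS") -> int:
    """Sum the Drops column (excluding the Total row) so it can be cross-checked against Total."""
    return sum(r["drops"] for name, r in stats[section].items() if name != "Total")
```

Polling this periodically and alerting on a change in "Relay Forward Received on Untrusted port" is the practical use: that counter only moves when a client-facing port receives a message that only a relay should send.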
Clearing the DHCP Snooping Binding Database
You can remove entries from the DHCP snooping binding database, including a single entry, all entries associated with an interface, or all entries in the database.
Before You Begin
Ensure that DHCP snooping is enabled.
Procedure

Step 1: clear ip dhcp snooping binding
  (Optional) Clears all entries from the DHCP snooping binding database.
  Example:
  switch# clear ip dhcp snooping binding

Step 2: clear ip dhcp snooping binding interface ethernet slot/port[.subinterface-number]
  (Optional) Clears entries associated with a specific Ethernet interface from the DHCP snooping binding database.
  Example:
  switch# clear ip dhcp snooping binding interface ethernet 1/4

Step 3: clear ip dhcp snooping binding interface port-channel channel-number[.subchannel-number]
  (Optional) Clears entries associated with a specific port-channel interface from the DHCP snooping binding database.
  Example:
  switch# clear ip dhcp snooping binding interface port-channel 72

Step 4: clear ip dhcp snooping binding vlan vlan-id mac mac-address ip ip-address interface {ethernet slot/port[.subinterface-number] | port-channel channel-number[.subchannel-number]}
  (Optional) Clears a single, specific entry from the DHCP snooping binding database.
  Example:
  switch# clear ip dhcp snooping binding vlan 23 mac 0060.3aeb.54f0 ip 10.34.54.9 interface ethernet 2/11

Step 5: show ip dhcp snooping binding
  (Optional) Displays the DHCP snooping binding database.
  Example:
  switch# show ip dhcp snooping binding
Clearing DHCP Relay Statistics
Use the clear ip dhcp relay statistics command to clear the global DHCP relay statistics.
Use the clear ip dhcp relay statistics interface interface command to clear the DHCP relay statistics for a particular interface.
Use the clear ip dhcp relay statistics interface interface serverip ip-address [use-vrf vrf-name] command to clear the DHCP relay statistics at the server level for a particular interface.
Clearing DHCPv6 Relay Statistics
Use the clear ipv6 dhcp relay statistics command to clear the global DHCPv6 relay statistics.
Use the clear ipv6 dhcp relay statistics interface interface command to clear the DHCPv6 relay statistics for a particular interface.
Use the clear ipv6 dhcp relay statistics interface interface server-ip ip-address [use-vrf vrf-name] command to clear the DHCPv6 relay statistics at the server level for a particular interface.
Monitoring DHCP
Use the show ip dhcp snooping statistics command to monitor DHCP snooping.
Use the show ip dhcp relay statistics [interface interface [serverip ip-address [use-vrf vrf-name]]] command to monitor DHCP relay statistics at the global, server, or interface level.
(Optional) Use the show ip dhcp snooping statistics vlan [vlan-id] interface [ethernet|port-channel][id] command to display DHCP snooping statistics for a specific interface within a VLAN.
Use the show ipv6 dhcp relay statistics [interface interface [server-ip ip-address [use-vrf vrf-name]]] command to monitor DHCPv6 relay statistics at the global, server, or interface level.
Configuration Examples for DHCP Snooping
The following example shows how to enable DHCP snooping on two VLANs, with Option 82 support enabled and Ethernet interface 2/5 trusted because the DHCP server is connected to that interface:

feature dhcp
ip dhcp snooping
ip dhcp snooping info option
interface Ethernet 2/5
  ip dhcp snooping trust
ip dhcp snooping vlan 1
ip dhcp snooping vlan 50

Configuration Examples for LDRA
Configuring LDRA for an Interface
The following example shows how to enable LDRA and configure interface Ethernet 1/1 as client-facing and trusted:

switch# configure terminal
switch(config)# ipv6 dhcp ldra
switch(config)# interface ethernet 1/1
switch(config-if)# switchport
switch(config-if)# ipv6 dhcp-ldra client-facing-trusted
switch(config-if)# exit
switch(config)# interface ethernet 1/0
switch(config-if)# switchport
switch(config-if)# ipv6 dhcp-ldra attach-policy server-facing
switch(config-if)# exit
Configuring LDRA for a VLAN
The following example shows how to enable LDRA and configure the VLAN with VLAN ID 25 as client-facing and trusted:

switch# configure terminal
switch(config)# ipv6 dhcp ldra
switch(config)# ipv6 dhcp-ldra attach-policy vlan 25 client-facing-trusted
CHAPTER 12

Configuring Dynamic ARP Inspection

This chapter contains the following sections:
• Information About DAI, page 257
• Licensing Requirements for DAI, page 261
• Prerequisites for DAI, page 262
• Guidelines and Limitations for DAI, page 262
• Default Settings for DAI, page 263
•
• Verifying the DAI Configuration, page 269
• Monitoring and Clearing DAI Statistics, page 269
• Configuration Examples for DAI, page 270
• Configuring ARP ACLs, page 275
• Verifying the ARP ACL Configuration, page 279
Information About DAI
ARP
ARP provides IP communication within a Layer 2 broadcast domain by mapping an IP address to a MAC address. For example, host B wants to send information to host A but does not have the MAC address of host A in its ARP cache. In ARP terms, host B is the sender and host A is the target.
To get the MAC address of host A, host B generates a broadcast message for all hosts within the broadcast domain to obtain the MAC address associated with the IP address of host A. All hosts within the broadcast domain receive the ARP request, and host A responds with its MAC address.
ARP Spoofing Attacks
ARP spoofing attacks and ARP cache poisoning can occur because ARP allows a reply from a host even if an ARP request was not received. After the attack, all traffic from the device under attack flows through the attacker’s computer and then to the router, switch, or host.
An ARP spoofing attack can affect hosts, switches, and routers connected to your Layer 2 network by sending false information to the ARP caches of the devices connected to the subnet. Sending false information to an
ARP cache is known as ARP cache poisoning. Spoof attacks can also intercept traffic intended for other hosts on the subnet.
This figure shows an example of ARP cache poisoning.
Figure 14: ARP Cache Poisoning
Hosts A, B, and C are connected to the device on interfaces A, B, and C, which are on the same subnet. Their IP and MAC addresses are shown in parentheses; for example, host A uses IP address IA and MAC address MA. When host A needs to send IP data to host B, it broadcasts an ARP request for the MAC address associated with IP address IB. When the device and host B receive the ARP request, they populate their ARP caches with an ARP binding for a host with the IP address IA and a MAC address MA; for example, IP address IA is bound to MAC address MA. When host B responds, the device and host A populate their ARP caches with a binding for a host with the IP address IB and the MAC address MB.
Host C can poison the ARP caches of the device, host A, and host B by broadcasting two forged ARP responses with bindings: one for a host with an IP address of IA and a MAC address of MC and another for a host with the IP address of IB and a MAC address of MC. Host B and the device then use the MAC address MC as the destination MAC address for traffic intended for IA, which means that host C intercepts that traffic. Likewise, host A and the device use the MAC address MC as the destination MAC address for traffic intended for IB.
Because host C knows the true MAC addresses associated with IA and IB, it can forward the intercepted traffic to those hosts by using the correct MAC address as the destination. This topology, in which host C has inserted itself into the traffic stream from host A to host B, is an example of a man-in-the-middle attack.
DAI and ARP Spoofing Attacks
DAI ensures that only valid ARP requests and responses are relayed. When DAI is enabled and properly configured, a Cisco Nexus device performs these activities:
• Intercepts all ARP requests and responses on untrusted ports
• Verifies that each of these intercepted packets has a valid IP-to-MAC address binding before updating the local ARP cache or before forwarding the packet to the appropriate destination
• Drops invalid ARP packets
DAI can determine the validity of an ARP packet based on valid IP-to-MAC address bindings stored in a Dynamic Host Configuration Protocol (DHCP) snooping binding database. This database is built by DHCP snooping if DHCP snooping is enabled on the VLANs and on the device. It can also contain static entries that you create. If the ARP packet is received on a trusted interface, the device forwards the packet without any checks. On untrusted interfaces, the device forwards the packet only if it is valid.
You can configure DAI to drop ARP packets when the IP addresses in the packets are invalid or when the MAC addresses in the body of the ARP packets do not match the addresses specified in the Ethernet header.
Related Topics
Applying ARP ACLs to VLANs for DAI Filtering, on page 265
Logging DAI Packets, on page 261
Enabling or Disabling Additional Validation, on page 266
Interface Trust States and Network Security
DAI associates a trust state with each interface on the device. Packets that arrive on trusted interfaces bypass all DAI validation checks, and packets that arrive on untrusted interfaces go through the DAI validation process.
In a typical network configuration, the guidelines for configuring the trust state of interfaces are as follows:
Untrusted: Interfaces that are connected to hosts
Trusted: Interfaces that are connected to devices
With this configuration, all ARP packets that enter the network from a device bypass the security check. No other validation is needed at any other place in the VLAN or in the network.
Caution: Use the trust state configuration carefully. Configuring interfaces as untrusted when they should be trusted can result in a loss of connectivity.
In the following figure, assume that both device A and device B are running DAI on the VLAN that includes host 1 and host 2. If host 1 and host 2 acquire their IP addresses from the DHCP server connected to device A, only device A binds the IP-to-MAC address of host 1. If the interface between device A and device B is untrusted, the ARP packets from host 1 are dropped by device B and connectivity between host 1 and host 2 is lost.
Figure 15: ARP Packet Validation on a VLAN Enabled for DAI
If you configure interfaces as trusted when they should be untrusted, you may open a security hole in a network.
If device A is not running DAI, host 1 can easily poison the ARP cache of device B (and host 2, if you configured the link between the devices as trusted). This condition can occur even though device B is running DAI.
DAI ensures that hosts (on untrusted interfaces) connected to a device that runs DAI do not poison the ARP caches of other hosts in the network; however, DAI does not prevent hosts in other portions of the network from poisoning the caches of the hosts that are connected to a device that runs DAI.
If some devices in a VLAN run DAI and other devices do not, the guidelines for configuring the trust state of interfaces on a device that runs DAI become the following:
Untrusted: Interfaces that are connected to hosts or to devices that are not running DAI
Trusted: Interfaces that are connected to devices that are running DAI
To validate the bindings of packets from devices that do not run DAI, configure ARP ACLs on the device that runs DAI. When you cannot determine the bindings, isolate at Layer 3 the devices that run DAI from devices that do not run DAI.
Note: Depending on your network setup, you may not be able to validate a given ARP packet on all devices in the VLAN.
Related Topics
Configuring the DAI Trust State of a Layer 2 Interface, on page 264
Prioritizing ARP ACLs and DHCP Snooping Entries
By default, DAI filters ARP traffic by comparing the ARP packets it intercepts to the IP-MAC address bindings in the DHCP snooping database.
When DAI is applied, it takes precedence over ARP ACLs and VACLs. The device denies or permits the packet based on whether a valid IP-MAC binding exists in the DHCP snooping database irrespective of any user-configured ARP ACLs or VACLs.
If you apply a VACL and an ARP ACL to a VLAN and you configured the VACL to act on ARP traffic, the device permits or denies ARP traffic as determined by the VACL, not the ARP ACL.
Related Topics
Applying ARP ACLs to VLANs for DAI Filtering, on page 265
Configuring ARP ACLs, on page 275
Session Manager Support for ARP ACLs, on page 275
Creating an ARP ACL, on page 275
Changing an ARP ACL, on page 276
Removing an ARP ACL, on page 277
Changing Sequence Numbers in an ARP ACL, on page 278
Logging DAI Packets
Cisco NX-OS maintains a buffer of log entries about DAI packets processed. Each log entry contains flow information, such as the receiving VLAN, the port number, the source and destination IP addresses, and the source and destination MAC addresses.
You can also specify the type of packets that are logged. By default, a Cisco Nexus device logs only packets that DAI drops.
If the log buffer overflows, the device overwrites the oldest DAI log entries with newer entries. You can configure the maximum number of entries in the buffer.
Note: Cisco NX-OS does not generate system messages about DAI packets that are logged.
Related Topics
Configuring the DAI Logging Buffer Size, on page 267
Configuring DAI Log Filtering, on page 268
Licensing Requirements for DAI
This table shows the licensing requirements for DAI.

Product       License Requirement
Cisco NX-OS   DAI requires no license. Any feature not included in a license package is bundled with the Cisco NX-OS system images and is provided at no extra charge to you. For an explanation of the Cisco NX-OS licensing scheme, see the Cisco NX-OS Licensing Guide.
Prerequisites for DAI
• You must enable the DHCP feature before you can configure DAI.
Guidelines and Limitations for DAI
DAI has the following configuration guidelines and limitations:
• DAI is an ingress security feature; it does not perform any egress checking.
• DAI is not effective for hosts connected to devices that do not support DAI or that do not have this feature enabled. Because man-in-the-middle attacks are limited to a single Layer 2 broadcast domain, you should separate the domain with DAI from domains without DAI. This separation secures the ARP caches of hosts in the domain with DAI.
• DAI depends on the entries in the DHCP snooping binding database to verify IP-to-MAC address bindings in incoming ARP requests and ARP responses. If you want DAI to use static IP-MAC address bindings to determine if ARP packets are valid, DHCP snooping needs only to be enabled. If you want DAI to use dynamic IP-MAC address bindings to determine if ARP packets are valid, you must configure DHCP snooping on the same VLANs on which you configure DAI.
• When you use the feature dhcp command to enable the DHCP feature, there is a delay of approximately 30 seconds before the I/O modules receive the DHCP or DAI configuration. This delay occurs regardless of the method that you use to change from a configuration with the DHCP feature disabled to a configuration with the DHCP feature enabled. For example, if you use the Rollback feature to revert to a configuration that enables the DHCP feature, the I/O modules receive the DHCP and DAI configuration approximately 30 seconds after you complete the rollback.
• DAI is supported on access ports, trunk ports, port-channel ports, and private VLAN ports.
• The DAI trust configuration of a port channel determines the trust state of all physical ports that you assign to the port channel. For example, if you have configured a physical port as a trusted interface and then you add that physical port to a port channel that is an untrusted interface, the physical port becomes untrusted.
• When you remove a physical port from a port channel, the physical port does not retain the DAI trust state configuration of the port channel.
• When you change the trust state on the port channel, the device configures a new trust state on all the physical ports that comprise the channel.
• If you want DAI to use static IP-MAC address bindings to determine if ARP packets are valid, ensure that DHCP snooping is enabled and that you have configured the static IP-MAC address bindings.
• If you want DAI to use dynamic IP-MAC address bindings to determine if ARP packets are valid, ensure that DHCP snooping is enabled.
• ARP ACLs can be used as the filter for ACL-based SPAN.
• ARP ACLs can be used for ACL-based classification for QoS policies, but cannot be used for policies that are FEX offloaded.
• DAI takes precedence over VACL and ARP ACL, and VACL takes precedence over ARP ACL.
• The maximum number of match criteria in an ARP ACL is limited by the free space in the TCAM for the VACL region. For the Cisco Nexus device, each match criterion typically takes 2 entries because the ARP key type is a wide entry.
Default Settings for DAI
This table lists the default settings for DAI parameters.

Table 19: Default DAI Parameters

Parameters             Default
DAI                    Disabled on all VLANs.
Interface trust state  All interfaces are untrusted.
Validation checks      No checks are performed.
Log buffer             When DAI is enabled, all denied or dropped ARP packets are logged.
                       The number of entries in the log is 32.
                       The number of system messages is limited to 5 per second.
                       The logging-rate interval is 1 second.
Per-VLAN logging       All denied or dropped ARP packets are logged.
Configuring DAI
Enabling or Disabling DAI on VLANs
You can enable or disable DAI on VLANs. By default, DAI is disabled on all VLANs.
Before You Begin
If you are enabling DAI, ensure the following:
• Ensure that the DHCP feature is enabled.
• The VLANs on which you want to enable DAI are configured.
Procedure

Step 1: configure terminal
  Enters global configuration mode.
  Example:
  switch# configure terminal
  switch(config)#

Step 2: [no] ip arp inspection vlan list
  Enables DAI for the specified list of VLANs. The no option disables DAI for the specified VLANs.
  Example:
  switch(config)# ip arp inspection vlan 13

Step 3: show ip arp inspection vlan list
  (Optional) Shows the DAI status for the specified list of VLANs.
  Example:
  switch(config)# show ip arp inspection vlan 13

Step 4: copy running-config startup-config
  (Optional) Copies the running configuration to the startup configuration.
  Example:
  switch(config)# copy running-config startup-config
Configuring the DAI Trust State of a Layer 2 Interface
You can configure the DAI interface trust state of a Layer 2 interface. By default, all interfaces are untrusted.
A device forwards ARP packets that it receives on a trusted Layer 2 interface but does not check them.
On untrusted interfaces, the device intercepts all ARP requests and responses and verifies that the intercepted packets have valid IP-MAC address bindings before updating the local cache and forwarding the packet to the appropriate destination. If the device determines that packets have invalid bindings, it drops the packets and logs them according to the logging configuration.
Before You Begin
If you are enabling DAI, ensure that the DHCP feature is enabled.
Procedure

Step 1: configure terminal
  Enters global configuration mode.
  Example:
  switch# configure terminal
  switch(config)#

Step 2: interface type number / slot
  Enters interface configuration mode.
  Example:
  switch(config)# interface ethernet 2/1
  switch(config-if)#

Step 3: [no] ip arp inspection trust
  Configures the interface as a trusted ARP interface. The no option configures the interface as an untrusted ARP interface.
  Example:
  switch(config-if)# ip arp inspection trust

Step 4: show ip arp inspection interface type number / slot
  (Optional) Displays the trust state and the ARP packet rate for the specified interface.
  Example:
  switch(config-if)# show ip arp inspection interface ethernet 2/1

Step 5: copy running-config startup-config
  (Optional) Copies the running configuration to the startup configuration.
  Example:
  switch(config-if)# copy running-config startup-config
Related Topics
Interface Trust States and Network Security, on page 259
Configuring DAI Log Filtering, on page 268
Applying ARP ACLs to VLANs for DAI Filtering
You can apply an ARP ACL to one or more VLANs. The device permits packets only if the ACL permits them. By default, no VLANs have an ARP ACL applied.
Before You Begin
Ensure that the ARP ACL that you want to apply is correctly configured.
Procedure

Step 1: configure terminal
  Enters global configuration mode.
  Example:
  switch# configure terminal
  switch(config)#

Step 2: [no] ip arp inspection filter acl-name vlan list
  Applies the ARP ACL to the list of VLANs, or if you use the no option, removes the ARP ACL from the list of VLANs.
  Example:
  switch(config)# ip arp inspection filter arp-acl-01 vlan 100

Step 3: show ip arp inspection vlan list
  (Optional) Shows the DAI status for the specified list of VLANs, including whether an ARP ACL is applied.
  Example:
  switch(config)# show ip arp inspection vlan 100

Step 4: copy running-config startup-config
  (Optional) Copies the running configuration to the startup configuration.
  Example:
  switch(config)# copy running-config startup-config
Related Topics
Configuring ARP ACLs, on page 275
Session Manager Support for ARP ACLs, on page 275
Creating an ARP ACL, on page 275
Changing an ARP ACL, on page 276
Removing an ARP ACL, on page 277
Changing Sequence Numbers in an ARP ACL, on page 278
Enabling or Disabling Additional Validation
You can enable or disable additional validation of ARP packets. By default, no additional validation of ARP packets is enabled. When no additional validation is configured, the source MAC address and the source IP address check against the IP-to-MAC binding entry for ARP packets are done by using the Ethernet source MAC address (not the ARP sender MAC address) and the ARP sender IP address.
DAI intercepts, logs, and discards ARP packets with invalid IP-to-MAC address bindings. You can enable additional validation on the destination MAC address, the sender and target IP addresses, and the source MAC address.
You can use the following keywords with the ip arp inspection validate command to implement additional validations:
dst-mac
Checks the destination MAC address in the Ethernet header against the target MAC address in the ARP body for ARP responses. When enabled, packets with different MAC addresses are classified as invalid and are dropped.
ip
Checks the ARP body for invalid and unexpected IP addresses. Addresses include 0.0.0.0, 255.255.255.255, and all IP multicast addresses. Sender IP addresses are checked in all ARP requests and responses, and target IP addresses are checked only in ARP responses.
src-mac
Checks the source MAC address in the Ethernet header against the sender MAC address in the ARP body for ARP requests and responses. When enabled, packets with different MAC addresses are classified as invalid and are dropped.
When enabling additional validation, follow these guidelines:
• You must specify at least one of the keywords. You can specify one, two, or all three keywords.
• Each ip arp inspection validate command that you enter replaces the configuration from any previous commands. If you enter an ip arp inspection validate command to enable src-mac and dst-mac validations, and a second ip arp inspection validate command to enable ip validation, the src-mac and dst-mac validations are disabled when you enter the second command.
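To make the decision logic above concrete, the following is an added example (not Cisco code and not how NX-OS implements DAI internally): a small reference model of the checks this chapter describes, applied to the ARP cache poisoning case from Figure 14. It models the trusted-port bypass, the binding check against the DHCP snooping database using the Ethernet source MAC and the ARP sender IP, the three optional validations (src-mac, dst-mac, ip), and the 32-entry log buffer. The class and function names (ArpPacket, DaiVlan, parse_bindings, poisoning_scenario), the binding-table sample, the MAC and IP addresses, and the interface names are all constructed for the example.

```python
"""Reference model of the DAI checks described above (added example, not Cisco code).

Models the trusted-port bypass, the binding check (ARP sender IP against the Ethernet
source MAC), the src-mac / dst-mac / ip validations and the 32-entry log buffer.
"""
from collections import deque
from dataclasses import dataclass, field
import ipaddress
import re
from typing import Dict, Set, Tuple

ARP_REQUEST, ARP_REPLY = 1, 2

# Constructed 'show ip dhcp snooping binding' output in the guide's layout (not a real capture).
SHOW_BINDING = """\
MacAddress         IpAddress    LeaseSec  Type     VLAN  Interface
--------------------------------------------------------------
00:aa:00:00:00:0a  10.0.10.11   86400     dynamic  10    Ethernet1/1
00:bb:00:00:00:0b  10.0.10.12   86400     dynamic  10    Ethernet1/2
"""
BINDING_RE = re.compile(r"^([0-9a-fA-F:]{17})\s+(\S+)\s+\S+\s+\S+\s+(\d+)\s+\S+$")


def parse_bindings(text: str) -> Dict[Tuple[int, str], str]:
    """Map (vlan, ip) -> mac from the binding table output."""
    rows = (BINDING_RE.match(line.strip()) for line in text.splitlines())
    return {(int(m.group(3)), m.group(2)): m.group(1).lower() for m in rows if m}


@dataclass
class ArpPacket:
    vlan: int
    port: str
    eth_src: str     # Ethernet header source MAC
    eth_dst: str     # Ethernet header destination MAC
    op: int          # ARP_REQUEST or ARP_REPLY
    sender_mac: str  # ARP body fields follow
    sender_ip: str
    target_mac: str
    target_ip: str


def acceptable_ip(ip: str) -> bool:
    """'ip' validation: reject 0.0.0.0, 255.255.255.255 and every multicast address."""
    return ip not in ("0.0.0.0", "255.255.255.255") and not ipaddress.ip_address(ip).is_multicast


@dataclass
class DaiVlan:
    bindings: Dict[Tuple[int, str], str]
    trusted_ports: Set[str] = field(default_factory=set)
    validate: Set[str] = field(default_factory=set)  # subset of {"src-mac", "dst-mac", "ip"}
    log: deque = field(default_factory=lambda: deque(maxlen=32))  # default buffer: 32 entries

    def inspect(self, pkt: ArpPacket) -> Tuple[bool, str]:
        """Return (permitted, reason); dropped packets are logged, as the default log filter does."""
        if pkt.port in self.trusted_ports:
            return True, "trusted port: forwarded without checks"
        permitted, reason = self._check(pkt)
        if not permitted:
            self.log.append((pkt.vlan, pkt.port, pkt.sender_ip, pkt.eth_src, reason))
        return permitted, reason

    def _check(self, pkt: ArpPacket) -> Tuple[bool, str]:
        # Binding check uses the Ethernet source MAC (not the ARP sender MAC) and the ARP sender IP.
        if self.bindings.get((pkt.vlan, pkt.sender_ip)) != pkt.eth_src.lower():
            return False, "no valid IP-to-MAC binding for sender"
        if "ip" in self.validate:
            if not acceptable_ip(pkt.sender_ip):
                return False, "invalid sender IP"
            if pkt.op == ARP_REPLY and not acceptable_ip(pkt.target_ip):
                return False, "invalid target IP"
        if "src-mac" in self.validate and pkt.eth_src.lower() != pkt.sender_mac.lower():
            return False, "Ethernet source MAC differs from ARP sender MAC"
        if "dst-mac" in self.validate and pkt.op == ARP_REPLY and pkt.eth_dst.lower() != pkt.target_mac.lower():
            return False, "Ethernet destination MAC differs from ARP target MAC"
        return True, "valid"


def poisoning_scenario() -> Dict[str, object]:
    """Figure 14 replayed: hosts A and B hold leases on VLAN 10; host C on Ethernet1/3 claims IA."""
    vlan = DaiVlan(bindings=parse_bindings(SHOW_BINDING), trusted_ports={"port-channel1"})
    ma, mb, mc = "00:aa:00:00:00:0a", "00:bb:00:00:00:0b", "00:cc:00:00:00:0c"
    ia, ib, bcast, zero = "10.0.10.11", "10.0.10.12", "ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"
    r: Dict[str, object] = {}
    r["legit_request"] = vlan.inspect(ArpPacket(10, "Ethernet1/1", ma, bcast, ARP_REQUEST, ma, ia, zero, ib))
    # Host C's reply "IA is at MC" contradicts the binding IA -> MA and is dropped on the untrusted port,
    # but the same reply arriving on a trusted port is forwarded unchecked (why trust state matters).
    r["forged_reply"] = vlan.inspect(ArpPacket(10, "Ethernet1/3", mc, mb, ARP_REPLY, mc, ia, mb, ib))
    r["forged_reply_trusted_port"] = vlan.inspect(ArpPacket(10, "port-channel1", mc, mb, ARP_REPLY, mc, ia, mb, ib))
    # Ethernet source matches the binding while the ARP body names another sender MAC:
    # accepted by default, dropped once src-mac validation is enabled.
    crafted = ArpPacket(10, "Ethernet1/1", ma, mb, ARP_REPLY, mc, ia, mb, ib)
    r["body_mismatch_default"] = vlan.inspect(crafted)
    vlan.validate = {"src-mac", "dst-mac", "ip"}
    r["body_mismatch_src_mac"] = vlan.inspect(crafted)
    r["multicast_target_ip"] = vlan.inspect(ArpPacket(10, "Ethernet1/1", ma, mb, ARP_REPLY, ma, ia, mb, "224.0.0.1"))
    r["log_entries"] = len(vlan.log)
    return r
```

The scenario shows the two properties a practitioner should verify on a real deployment: a forged reply is dropped only when it arrives on an untrusted port and the sender's IP-to-MAC binding exists in the snooping database, and the default check alone does not notice a mismatch between the Ethernet header and the ARP body, which is what the src-mac and dst-mac keywords add.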
Procedure
Step 1: configure terminal
Purpose: Enters global configuration mode.
Example:
switch# configure terminal
switch(config)#
Step 2: [no] ip arp inspection validate {[src-mac] [dst-mac] [ip]}
Purpose: Enables additional DAI validation, or if you use the no option, disables additional DAI validation.
Example:
switch(config)# ip arp inspection validate src-mac dst-mac ip
Step 3: show running-config dhcp
Purpose: (Optional) Displays the DHCP snooping configuration, including the DAI configuration.
Example:
switch(config)# show running-config dhcp
Step 4: copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
Example:
switch(config)# copy running-config startup-config
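The following Python model is an added example (not code from this guide or from Cisco) of the checks described in this section: the default check compares the Ethernet source MAC and the ARP sender IP against the DHCP snooping binding, and the src-mac, dst-mac and ip keywords add the checks listed above. The binding table, the packets and the host1_request helper are constructed; the order in which the additional validations run before the binding check is an assumption, and the counter names are taken from the statistics display in Example 1 later in this chapter.

```python
"""Model of the DAI checks this section describes: the default binding check
plus the src-mac, dst-mac and ip validations, accumulated into the counters
that "show ip arp inspection statistics" reports. Added example, not Cisco code."""
from dataclasses import dataclass
from ipaddress import IPv4Address

COUNTERS = (
    "ARP Req Forwarded", "ARP Res Forwarded", "ARP Req Dropped", "ARP Res Dropped",
    "DHCP Drops", "DHCP Permits", "SMAC Fails-ARP Req", "SMAC Fails-ARP Res",
    "DMAC Fails-ARP Res", "IP Fails-ARP Req", "IP Fails-ARP Res",
)


@dataclass
class Arp:
    op: str           # "Req" or "Res"
    eth_src: str      # Ethernet header source MAC
    eth_dst: str      # Ethernet header destination MAC
    sender_mac: str   # ARP body: sender hardware address
    sender_ip: str    # ARP body: sender protocol address
    target_mac: str   # ARP body: target hardware address
    target_ip: str    # ARP body: target protocol address


def mac_eq(a: str, b: str) -> bool:
    """Compare MACs regardless of 0002.0002.0002 or 00:02:00:... notation."""
    def norm(m: str) -> str:
        return m.replace(".", "").replace(":", "").lower()
    return norm(a) == norm(b)


def unexpected_ip(ip: str) -> bool:
    """Addresses the ip validation rejects: 0.0.0.0, 255.255.255.255, multicast."""
    return ip in ("0.0.0.0", "255.255.255.255") or IPv4Address(ip).is_multicast


def inspect(pkt: Arp, bindings: dict, validate=frozenset()) -> tuple:
    """Decide one packet on an untrusted port: (forwarded, counter to increment).
    The additional validations are evaluated before the binding check; that
    ordering is an assumption, the guide does not state it."""
    k = pkt.op
    if "src-mac" in validate and not mac_eq(pkt.eth_src, pkt.sender_mac):
        return False, f"SMAC Fails-ARP {k}"
    if "dst-mac" in validate and k == "Res" and not mac_eq(pkt.eth_dst, pkt.target_mac):
        return False, "DMAC Fails-ARP Res"   # responses only
    if "ip" in validate and (unexpected_ip(pkt.sender_ip)
                             or (k == "Res" and unexpected_ip(pkt.target_ip))):
        return False, f"IP Fails-ARP {k}"    # target IP is checked only in responses
    # Default check: Ethernet source MAC (not the ARP sender MAC) plus the ARP
    # sender IP must match the DHCP snooping binding for that IP.
    bound = bindings.get(pkt.sender_ip)
    if bound is not None and mac_eq(bound, pkt.eth_src):
        return True, "DHCP Permits"
    return False, "DHCP Drops"


def run(packets, bindings: dict, validate=frozenset()) -> dict:
    """Inspect each packet and return the counters named as on the page."""
    stats = dict.fromkeys(COUNTERS, 0)
    for p in packets:
        ok, counter = inspect(p, bindings, validate)
        stats[counter] += 1
        stats[f"ARP {p.op} {'Forwarded' if ok else 'Dropped'}"] += 1
    return stats


# Constructed binding table with the two hosts of Example 1 later in this chapter.
BINDINGS = {"10.0.0.1": "0002.0002.0002", "10.0.0.2": "0001.0001.0001"}


def host1_request(sender_ip="10.0.0.1", eth_src="0002.0002.0002", sender_mac=None) -> Arp:
    """Constructed ARP request from host 1; the ARP sender MAC defaults to eth_src."""
    return Arp("Req", eth_src, "ffff.ffff.ffff", sender_mac or eth_src, sender_ip,
               "0000.0000.0000", "10.0.0.2")


if __name__ == "__main__":
    # Two valid requests, then two claiming 10.0.0.3, as in the walkthrough.
    pkts = [host1_request(), host1_request(), host1_request("10.0.0.3"), host1_request("10.0.0.3")]
    for name, value in run(pkts, BINDINGS).items():
        print(f"{name:<19}= {value}")
```

Running the model shows the gap that src-mac validation closes: a request whose ARP sender MAC differs from its Ethernet source MAC passes the default check, because that check only reads the Ethernet header, and is counted as an SMAC failure only once src-mac is enabled. It also shows why ip validation accepts a request whose target IP is 0.0.0.0 but rejects a response with the same target.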
Configuring the DAI Logging Buffer Size
You can configure the DAI logging buffer size. The default buffer size is 32 messages.
Procedure
Step 1: configure terminal
Purpose: Enters global configuration mode.
Example:
switch# configure terminal
switch(config)#
Step 2: [no] ip arp inspection log-buffer entries number
Purpose: Configures the DAI logging buffer size. The no option reverts to the default buffer size, which is 32 messages. The buffer size can be between 1 and 1024 messages.
Example:
switch(config)# ip arp inspection log-buffer entries 64
Step 3: show running-config dhcp
Purpose: (Optional) Displays the DHCP snooping configuration, including the DAI configuration.
Example:
switch(config)# show running-config dhcp
Step 4: copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
Example:
switch(config)# copy running-config startup-config
Configuring DAI Log Filtering
You can configure how the device determines whether to log a DAI packet. By default, the device logs DAI packets that are dropped.
Procedure
Step 1: configure terminal
Purpose: Enters global configuration mode.
Example:
switch# configure terminal
switch(config)#
Step 2: Enter one of the following commands:
• ip arp inspection vlan vlan-list logging dhcp-bindings all
• ip arp inspection vlan vlan-list logging dhcp-bindings none
• ip arp inspection vlan vlan-list logging dhcp-bindings permit
• no ip arp inspection vlan vlan-list logging dhcp-bindings {all | none | permit}
Purpose: Configures DAI log filtering, as follows. The no option removes DAI log filtering.
• all: Logs all packets that match DHCP bindings.
• none: Does not log packets that match DHCP bindings.
• permit: Logs packets permitted by DHCP bindings.
• no: Removes DAI log filtering.
Example:
switch(config)# ip arp inspection vlan 100 logging dhcp-bindings permit
Step 3: show running-config dhcp
Purpose: (Optional) Displays the DHCP snooping configuration, including the DAI configuration.
Example:
switch(config)# show running-config dhcp
Step 4: copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
Example:
switch(config)# copy running-config startup-config
Verifying the DAI Configuration
To display the DAI configuration information, perform one of the following tasks.
Command: show ip arp inspection
Purpose: Displays the status of DAI.
Command: show ip arp inspection interface ethernet
Purpose: Displays the trust state.
Command: show ip arp inspection vlan
Purpose: Displays the DAI configuration for a specific VLAN.
Command: show arp access-lists
Purpose: Displays ARP ACLs.
Command: show ip arp inspection log
Purpose: Displays the DAI log configuration.
Monitoring and Clearing DAI Statistics
To monitor and clear DAI statistics, use the commands in this table. For more information about these commands, see the Security Command Reference for your Cisco Nexus device.
Command: show ip arp inspection statistics
Purpose: Displays DAI statistics.
Command: clear ip arp inspection statistics vlan <id>
Purpose: Clears DAI statistics.
Configuration Examples for DAI
Example 1-Two Devices Support DAI
These procedures show how to configure DAI when two devices support DAI.
The following figure shows the network configuration for this example. Host 1 is connected to device A, and
Host 2 is connected to device B. Both devices are running DAI on VLAN 1 where the hosts are located. A
DHCP server is connected to device A. Both hosts acquire their IP addresses from the same DHCP server.
Device A has the bindings for Host 1 and Host 2, and device B has the binding for Host 2. Device A Ethernet interface 2/3 is connected to the device B Ethernet interface 1/4.
Figure 16: Two Devices Supporting DAI
DAI depends on the entries in the DHCP snooping binding database to verify IP-to-MAC address bindings in incoming ARP requests and ARP responses. Make sure to enable DHCP snooping to permit ARP packets that have dynamically-assigned IP addresses.
• This configuration does not work if the DHCP server is moved from device A to a different location.
• To ensure that this configuration does not compromise security, configure Ethernet interface 2/3 on device A and Ethernet interface 1/4 on device B as trusted.
Configuring Device A
To enable DAI and configure Ethernet interface 2/3 on device A as trusted, follow these steps:
Procedure
Step 1
While logged into device A, verify the connection between device A and device B.
switchA# show cdp neighbors
Capability Codes: R - Router, T - Trans-Bridge, B - Source-Route-Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater,
                  V - VoIP-Phone, D - Remotely-Managed-Device, s - Supports-STP-Dispute
Device ID        Local Intrfce    Hldtme    Capability    Platform         Port ID
switchB          Ethernet2/3      177       R S I         WS-C2960-24TC    Ethernet1/4
switchA#
Step 2
Enable DAI on VLAN 1 and verify the configuration.
switchA# config t
switchA(config)# ip arp inspection vlan 1
switchA(config)# show ip arp inspection vlan 1
Source Mac Validation : Disabled
Destination Mac Validation : Disabled
IP Address Validation : Disabled
Vlan : 1
-----------
Configuration : Enabled
Operation State : Active
switchA(config)#
Step 3
Configure Ethernet interface 2/3 as trusted.
switchA(config)# interface ethernet 2/3
switchA(config-if)# ip arp inspection trust
switchA(config-if)# exit
switchA(config)# exit
switchA# show ip arp inspection interface ethernet 2/3
Interface      Trust State   Rate (pps)   Burst Interval
-------------  -----------   ----------   --------------
Ethernet2/3    Trusted       15           5
Step 4
Verify the bindings.
switchA# show ip dhcp snooping binding
MacAddress          IpAddress   LeaseSec   Type            VLAN   Interface
-----------------------------------------------------------------
00:60:0b:00:12:89   10.0.0.1    0          dhcp-snooping   1      Ethernet2/3
switchA#
Step 5
Check the statistics before and after DAI processes any packets.
switchA# show ip arp inspection statistics vlan 1
Vlan : 1
-----------
ARP Req Forwarded  = 0
ARP Res Forwarded  = 0
ARP Req Dropped    = 0
ARP Res Dropped    = 0
DHCP Drops         = 0
DHCP Permits       = 0
SMAC Fails-ARP Req = 0
SMAC Fails-ARP Res = 0
DMAC Fails-ARP Res = 0
IP Fails-ARP Req   = 0
IP Fails-ARP Res   = 0
switchA#
If host 1 sends out two ARP requests with an IP address of 10.0.0.1 and a MAC address of 0002.0002.0002, both requests are permitted, and are shown as follows:
switchA# show ip arp inspection statistics vlan 1
Vlan : 1
-----------
ARP Req Forwarded  = 2
ARP Res Forwarded  = 0
ARP Req Dropped    = 0
ARP Res Dropped    = 0
DHCP Drops         = 0
DHCP Permits       = 2
SMAC Fails-ARP Req = 0
SMAC Fails-ARP Res = 0
DMAC Fails-ARP Res = 0
IP Fails-ARP Req   = 0
IP Fails-ARP Res   = 0
If host 1 tries to send an ARP request with an IP address of 10.0.0.3, the packet is dropped and an error message is logged.
00:12:08: %SW_DAI-4-DHCP_SNOOPING_DENY: 2 Invalid ARPs (Req) on Ethernet2/3, vlan 1.([0002.0002.0002/10.0.0.3/0000.0000.0000/0.0.0.0/02:42:35 UTC Fri Jul 13 2008])
The statistics display as follows:
switchA# show ip arp inspection statistics vlan 1
Vlan : 1
-----------
ARP Req Forwarded  = 2
ARP Res Forwarded  = 0
ARP Req Dropped    = 2
ARP Res Dropped    = 0
DHCP Drops         = 2
DHCP Permits       = 2
SMAC Fails-ARP Req = 0
SMAC Fails-ARP Res = 0
DMAC Fails-ARP Res = 0
IP Fails-ARP Req   = 0
IP Fails-ARP Res   = 0
switchA#
Configuring Device B
To enable DAI and configure Ethernet interface 1/4 on device B as trusted, follow these steps:
Procedure
Step 1
While logged into device B, verify the connection between device B and device A.
switchB# show cdp neighbors
Capability Codes: R - Router, T - Trans-Bridge, B - Source-Route-Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater,
                  V - VoIP-Phone, D - Remotely-Managed-Device, s - Supports-STP-Dispute
Device ID        Local Intrfce    Hldtme    Capability    Platform         Port ID
switchA          Ethernet1/4      120       R S I         WS-C2960-24TC    Ethernet2/3
switchB#
Step 2
Enable DAI on VLAN 1, and verify the configuration.
switchB# config t
switchB(config)# ip arp inspection vlan 1
switchB(config)# show ip arp inspection vlan 1
Source Mac Validation : Disabled
Destination Mac Validation : Disabled
IP Address Validation : Disabled
Vlan : 1
-----------
Configuration : Enabled
Operation State : Active
switchB(config)#
Step 3
Configure Ethernet interface 1/4 as trusted.
switchB(config)# interface ethernet 1/4
switchB(config-if)# ip arp inspection trust
switchB(config-if)# exit
switchB(config)# exit
switchB# show ip arp inspection interface ethernet 1/4
Interface      Trust State   Rate (pps)   Burst Interval
-------------  -----------   ----------   --------------
Ethernet1/4    Trusted       15           5
switchB#
Step 4
Verify the list of DHCP snooping bindings.
switchB# show ip dhcp snooping binding
MacAddress          IpAddress   LeaseSec   Type            VLAN   Interface
-----------------------------------------------------------------
00:01:00:01:00:01   10.0.0.2    4995       dhcp-snooping   1      Ethernet1/4
switchB#
Step 5
Check the statistics before and after DAI processes any packets.
switchB# show ip arp inspection statistics vlan 1
Vlan : 1
-----------
ARP Req Forwarded  = 0
ARP Res Forwarded  = 0
ARP Req Dropped    = 0
ARP Res Dropped    = 0
DHCP Drops         = 0
DHCP Permits       = 0
SMAC Fails-ARP Req = 0
SMAC Fails-ARP Res = 0
DMAC Fails-ARP Res = 0
IP Fails-ARP Req   = 0
IP Fails-ARP Res   = 0
switchB#
If Host 2 sends out an ARP request with the IP address 10.0.0.2 and the MAC address 0001.0001.0001, the packet is forwarded and the statistics are updated.
switchB# show ip arp inspection statistics vlan 1
Vlan : 1
-----------
ARP Req Forwarded  = 1
ARP Res Forwarded  = 0
ARP Req Dropped    = 0
ARP Res Dropped    = 0
DHCP Drops         = 0
DHCP Permits       = 1
SMAC Fails-ARP Req = 0
SMAC Fails-ARP Res = 0
DMAC Fails-ARP Res = 0
IP Fails-ARP Req   = 0
IP Fails-ARP Res   = 0
switchB#
If Host 2 attempts to send an ARP request with the IP address 10.0.0.1, DAI drops the request and logs the following system message:
00:18:08: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Ethernet1/4, vlan 1.([0001.0001.0001/10.0.0.1/0000.0000.0000/0.0.0.0/01:53:21 UTC Fri Jun 13 2008])
The statistics display as follows:
switchB# show ip arp inspection statistics vlan 1
Vlan : 1
-----------
ARP Req Forwarded  = 1
ARP Res Forwarded  = 0
ARP Req Dropped    = 1
ARP Res Dropped    = 0
DHCP Drops         = 1
DHCP Permits       = 1
SMAC Fails-ARP Req = 0
SMAC Fails-ARP Res = 0
DMAC Fails-ARP Res = 0
IP Fails-ARP Req   = 0
IP Fails-ARP Res   = 0
switchB#
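The deny messages in Example 1 are what an operator actually monitors once DAI is running. The following Python parser is an added example (not code from this guide or from Cisco) that extracts the fields from %SW_DAI-4-DHCP_SNOOPING_DENY lines, totals denied ARPs per interface, VLAN and sender, and states which binding a denied packet contradicted. The sample log is constructed from the two messages shown above plus a noise line; reading the last three bracketed fields as target MAC, target IP and timestamp is an assumption (the first two fields are confirmed by the walkthrough text).

```python
"""Parser and summariser for the %SW_DAI-4-DHCP_SNOOPING_DENY messages shown
in Example 1, usable over an exported syslog. Added example, not Cisco code."""
import re
from collections import Counter

# Constructed sample log. The DAI lines copy the format shown above; the
# bracketed fields are read as sender MAC / sender IP / target MAC / target IP /
# timestamp. The first two are confirmed by the walkthrough text (host 1's MAC
# and the IP it claimed); the rest is an assumption. The third line is
# constructed noise to show that non-DAI lines are skipped.
SAMPLE_LOG = """\
00:12:08: %SW_DAI-4-DHCP_SNOOPING_DENY: 2 Invalid ARPs (Req) on Ethernet2/3, vlan 1.([0002.0002.0002/10.0.0.3/0000.0000.0000/0.0.0.0/02:42:35 UTC Fri Jul 13 2008])
00:18:08: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Ethernet1/4, vlan 1.([0001.0001.0001/10.0.0.1/0000.0000.0000/0.0.0.0/01:53:21 UTC Fri Jun 13 2008])
00:18:09: %EXAMPLE-5-NOISE: unrelated message (constructed)
00:18:20: %SW_DAI-4-DHCP_SNOOPING_DENY: 5 Invalid ARPs (Req) on Ethernet1/4, vlan 1.([0001.0001.0001/10.0.0.1/0000.0000.0000/0.0.0.0/01:53:40 UTC Fri Jun 13 2008])
"""

DENY_RE = re.compile(
    r"%SW_DAI-4-DHCP_SNOOPING_DENY: (?P<count>\d+) Invalid ARPs \((?P<op>Req|Res)\) "
    r"on (?P<intf>[^,]+), vlan (?P<vlan>\d+)\.\(\["
    r"(?P<smac>[^/]+)/(?P<sip>[^/]+)/(?P<tmac>[^/]+)/(?P<tip>[^/]+)/(?P<when>[^\]]+)\]\)"
)


def parse_deny(line: str):
    """Return the fields of one DAI deny message as a dict, or None for other lines."""
    m = DENY_RE.search(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["count"] = int(ev["count"])
    ev["vlan"] = int(ev["vlan"])
    return ev


def summarize(log: str) -> dict:
    """Total denied ARPs per (interface, vlan, sender MAC, claimed sender IP)."""
    totals = Counter()
    for line in log.splitlines():
        ev = parse_deny(line)
        if ev is not None:
            totals[(ev["intf"], ev["vlan"], ev["smac"], ev["sip"])] += ev["count"]
    return dict(totals)


def explain(ev: dict, bindings: dict) -> str:
    """State what the denied packet contradicted, given this device's DHCP
    snooping bindings as {ip: mac} (constructed here; pass the real table)."""
    bound = bindings.get(ev["sip"])
    if bound is None:
        return f"{ev['sip']} has no DHCP snooping binding on this device"
    return f"{ev['sip']} is bound to {bound}, not to {ev['smac']}"


if __name__ == "__main__":
    for key, total in summarize(SAMPLE_LOG).items():
        print(key, "denied", total)
    first = parse_deny(SAMPLE_LOG.splitlines()[0])
    # Constructed table for device A: host 1 is bound to 10.0.0.1.
    print(explain(first, {"10.0.0.1": "0002.0002.0002"}))
```

The summary key deliberately includes the claimed sender IP: a port that keeps producing denies for an IP bound elsewhere, or for an IP with no binding at all, is the case the DAI logging buffer and log filtering settings above are meant to surface.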
Configuring ARP ACLs
Session Manager Support for ARP ACLs
Session Manager supports the configuration of ARP ACLs. This feature allows you to create a configuration session and verify your ARP ACL configuration changes prior to committing them to the running configuration.
Creating an ARP ACL
You can create an ARP ACL on the device and add rules to it.
Procedure
Step 1: configure terminal
Purpose: Enters global configuration mode.
Example:
switch# configure terminal
switch(config)#
Step 2: arp access-list name
Purpose: Creates the ARP ACL and enters ARP ACL configuration mode.
Example:
switch(config)# arp access-list arp-acl-01
switch(config-arp-acl)#
Step 3: [sequence-number] {permit | deny} ip {any | host sender-IP | sender-IP sender-IP-mask} mac {any | host sender-MAC | sender-MAC sender-MAC-mask}
Purpose: Creates a rule that permits or denies any ARP message based upon the IP address and MAC address of the sender of the message. Using a sequence number allows you to specify a position for the rule in the ACL. Without a sequence number, the rule is added to the end of the rules.
Example:
switch(config-arp-acl)# permit ip 192.168.2.0 255.255.255.0 mac 00C0.4F00.0000 ffff.ff00.0000
Step 4: [sequence-number] {permit | deny} request ip {any | host sender-IP | sender-IP sender-IP-mask} mac {any | host sender-MAC | sender-MAC sender-MAC-mask}
Purpose: Creates a rule that permits or denies ARP request messages based upon the IP address and MAC address of the sender of the message. Using a sequence number allows you to specify a position for the rule in the ACL. Without a sequence number, the rule is added to the end of the rules.
Example:
switch(config-arp-acl)# permit request ip 192.168.102.0 0.0.0.255 mac any
Step 5: [sequence-number] {permit | deny} response ip {any | host sender-IP | sender-IP sender-IP-mask} [any | host target-IP | target-IP target-IP-mask] mac {any | host sender-MAC | sender-MAC sender-MAC-mask} [any | host target-MAC | target-MAC target-MAC-mask]
Purpose: Creates a rule that permits or denies ARP response messages based upon the IPv4 address and MAC address of the sender and the target of the message. Using a sequence number allows you to specify a position for the rule in the ACL. Without a sequence number, the rule is added to the end of the rules.
Example:
switch(config-arp-acl)# permit response ip host 192.168.202.32 any mac host 00C0.4FA9.BCF3 any
Step 6: show arp access-lists acl-name
Purpose: (Optional) Shows the ARP ACL configuration.
Example:
switch(config-arp-acl)# show arp access-lists arp-acl-01
Step 7: copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
Example:
switch(config-arp-acl)# copy running-config startup-config
Changing an ARP ACL
You can add and remove rules in an existing ARP ACL. You cannot change existing rules. Instead, to change a rule, remove it and recreate it with the desired changes.
If you need to add more rules between existing rules than the current sequence numbering allows, you can use the resequence command to reassign sequence numbers.
Procedure
Step 1: configure terminal
Purpose: Enters global configuration mode.
Example:
switch# configure terminal
switch(config)#
Step 2: arp access-list name
Purpose: Enters ARP ACL configuration mode for the ACL that you specify by name.
Example:
switch(config)# arp access-list arp-acl-01
switch(config-arp-acl)#
Step 3: [sequence-number] {permit | deny} [request | response] ip IP-data mac MAC-data
Purpose: (Optional) Creates a rule. Using a sequence number allows you to specify a position for the rule in the ACL. Without a sequence number, the rule is added to the end of the rules.
Example:
switch(config-arp-acl)# 100 permit request ip 192.168.132.0 255.255.255.0 mac any
Step 4: no {sequence-number | {permit | deny} [request | response] ip IP-data mac MAC-data}
Purpose: (Optional) Removes the rule that you specified from the ARP ACL.
Example:
switch(config-arp-acl)# no 80
Step 5: show arp access-lists
Purpose: Displays the ARP ACL configuration.
Example:
switch(config-arp-acl)# show arp access-lists
Step 6: copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
Example:
switch(config-arp-acl)# copy running-config startup-config
Related Topics
Creating an ARP ACL, on page 275
Changing Sequence Numbers in an ARP ACL, on page 278
Removing an ARP ACL
You can remove an ARP ACL from the device.
Before You Begin
Ensure that you know whether the ACL is applied to a VLAN. The device allows you to remove ACLs that are currently applied. Removing an ACL does not affect the configuration of VLANs where you have applied the ACL. Instead, the device considers the removed ACL to be empty.
Procedure
Step 1: configure terminal
Purpose: Enters global configuration mode.
Example:
switch# configure terminal
switch(config)#
Step 2: no arp access-list name
Purpose: Removes the ARP ACL you specified by name from the running configuration.
Example:
switch(config)# no arp access-list arp-acl-01
Step 3: show arp access-lists
Purpose: Displays the ARP ACL configuration.
Example:
switch(config)# show arp access-lists
Step 4: copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
Example:
switch(config)# copy running-config startup-config
Changing Sequence Numbers in an ARP ACL
You can change all the sequence numbers assigned to rules in an ARP ACL.
Procedure
Step 1: configure terminal
Purpose: Enters global configuration mode.
Example:
switch# configure terminal
switch(config)#
Step 2: resequence arp access-list name starting-sequence-number increment
Purpose: Assigns sequence numbers to the rules contained in the ACL, where the first rule receives the starting sequence number that you specify. Each subsequent rule receives a number larger than the preceding rule. The difference in numbers is determined by the increment that you specify.
Example:
switch(config)# resequence arp access-list arp-acl-01 100 10
switch(config)#
Step 3: show arp access-lists name
Purpose: Displays the ARP ACL configuration for the ACL specified by the name argument.
Example:
switch(config)# show arp access-lists arp-acl-01
Step 4: copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
Example:
switch(config)# copy running-config startup-config
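The following Python model is an added example (not code from this guide or from Cisco) that ties together the ARP ACL procedures above (Creating an ARP ACL, Changing an ARP ACL, Changing Sequence Numbers in an ARP ACL): rules carry sequence numbers and are kept in order, a rule added without a sequence number goes to the end, a rule is removed by its sequence number, resequence renumbers from a start value with an increment, and an ARP message is evaluated against the rules in order with the first match winning. The ACL built by example_acl() is constructed from the rule shapes in the procedures. The mask semantics (a wildcard mask for IP as in 192.168.102.0 0.0.0.255, a care mask for MAC as in ffff.ff00.0000 selecting the 00C0.4F OUI), the spacing of 10 for rules added without a sequence number, and the deny result when no rule matches are assumptions, marked as such in the code.

```python
"""Model of an ARP ACL as described in this section: ordered rules carrying
sequence numbers, a scope of ip (any ARP message), request or response, sender
IP and MAC matching with masks, removal by sequence number and resequencing.
Added example, not Cisco code. Assumptions: an IP mask is a wildcard mask
(0 bits must match, as in 192.168.102.0 0.0.0.255); a MAC mask is a care mask
(1 bits must match, as in ffff.ff00.0000 selecting the OUI 00C0.4F); rules
added without a sequence number step by 10; no matching rule means deny."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional


def mac_int(mac: str) -> int:
    return int(mac.replace(".", "").replace(":", ""), 16)


@dataclass
class Match:
    """One operand of a rule: any, host (mask None) or value plus mask."""
    value: str = ""
    mask: Optional[str] = None
    is_any: bool = False


def ip_matches(m: Match, ip: str) -> bool:
    if m.is_any:
        return True
    if m.mask is None:
        return IPv4Address(ip) == IPv4Address(m.value)
    wild = int(IPv4Address(m.mask))             # wildcard: set bits are "don't care"
    return (int(IPv4Address(ip)) | wild) == (int(IPv4Address(m.value)) | wild)


def mac_matches(m: Match, mac: str) -> bool:
    if m.is_any:
        return True
    if m.mask is None:
        return mac_int(mac) == mac_int(m.value)
    care = mac_int(m.mask)                       # care mask: set bits must match
    return (mac_int(mac) & care) == (mac_int(m.value) & care)


@dataclass
class Rule:
    seq: int
    action: str        # "permit" or "deny"
    scope: str         # "ip" (any ARP message), "request" or "response"
    sender_ip: Match
    sender_mac: Match


class ArpAcl:
    def __init__(self, name: str):
        self.name = name
        self.rules = []

    def add(self, action, scope, sender_ip, sender_mac, seq=None):
        """Insert a rule at seq, or append after the last rule (next multiple
        of 10 when no sequence number is given; that step is an assumption)."""
        if seq is None:
            seq = (self.rules[-1].seq // 10 + 1) * 10 if self.rules else 10
        if any(r.seq == seq for r in self.rules):
            raise ValueError(f"sequence number {seq} already in use")
        self.rules.append(Rule(seq, action, scope, sender_ip, sender_mac))
        self.rules.sort(key=lambda r: r.seq)

    def remove(self, seq: int) -> None:
        self.rules = [r for r in self.rules if r.seq != seq]

    def resequence(self, start: int, increment: int) -> None:
        """The resequence command: first rule gets start, each next one adds increment."""
        for i, r in enumerate(self.rules):
            r.seq = start + i * increment

    def seqs(self) -> list:
        return [r.seq for r in self.rules]

    def evaluate(self, op: str, sender_ip: str, sender_mac: str) -> tuple:
        """First matching rule wins: returns (action, seq); ("deny", None) if none."""
        for r in self.rules:
            if r.scope != "ip" and r.scope != op:
                continue
            if ip_matches(r.sender_ip, sender_ip) and mac_matches(r.sender_mac, sender_mac):
                return r.action, r.seq
        return "deny", None


def example_acl() -> ArpAcl:
    """Constructed arp-acl-01 using the three rule shapes from the procedures above."""
    acl = ArpAcl("arp-acl-01")
    acl.add("permit", "ip", Match("192.168.2.0", "0.0.0.255"), Match("00C0.4F00.0000", "ffff.ff00.0000"))
    acl.add("permit", "request", Match("192.168.102.0", "0.0.0.255"), Match(is_any=True))
    acl.add("permit", "response", Match("192.168.202.32"), Match("00C0.4FA9.BCF3"))
    return acl


if __name__ == "__main__":
    acl = example_acl()
    print(acl.seqs(), acl.evaluate("request", "192.168.2.7", "00C0.4F12.3456"))
    acl.remove(20)
    acl.resequence(100, 10)
    print(acl.seqs())
```

The evaluate() method makes the scope distinction visible: a request-only rule never matches a response with the same sender, which is the behaviour to keep in mind when a response rule is the one that should carry the target-side operands.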
Verifying the ARP ACL Configuration
To display ARP ACL configuration information, use the commands in this table.
Command: show arp access-lists
Purpose: Displays the ARP ACL configuration.
Command: show running-config aclmgr
Purpose: Displays ACLs in the running configuration.
CHAPTER 13
Configuring IP Source Guard
This chapter includes the following sections:
• Information About IP Source Guard, page 281
• Licensing Requirements for IP Source Guard, page 282
• Prerequisites for IP Source Guard, page 282
• Guidelines and Limitations for IP Source Guard, page 282
• Default Settings for IP Source Guard, page 282
• Configuring IP Source Guard, page 283
• Displaying IP Source Guard Bindings, page 285
• Configuration Example for IP Source Guard, page 285
• Additional References for IP Source Guard, page 285
Information About IP Source Guard
IP Source Guard is a per-interface traffic filter that permits IP traffic only when the IP address and MAC address of each packet matches one of two sources of IP and MAC address bindings:
• Entries in the Dynamic Host Configuration Protocol (DHCP) snooping binding table.
• Static IP source entries that you configure.
Filtering on trusted IP and MAC address bindings helps prevent spoofing attacks, in which an attacker uses the IP address of a valid host to gain unauthorized network access. To circumvent IP Source Guard, an attacker would have to spoof both the IP address and the MAC address of a valid host.
You can enable IP Source Guard on Layer 2 interfaces that are not trusted by DHCP snooping. IP Source
Guard supports interfaces that are configured to operate in access mode and trunk mode. When you initially enable IP Source Guard, all inbound IP traffic on the interface is blocked except for the following:
• DHCP packets, which DHCP snooping inspects and then forwards or drops, depending upon the results of inspecting the packet.
• IP traffic from static IP source entries that you have configured in the Cisco NX-OS device.
The device permits the IP traffic when DHCP snooping adds a binding table entry for the IP address and MAC address of an IP packet or when you have configured a static IP source entry.
The device drops IP packets when the IP address and MAC address of the packet do not have a binding table entry or a static IP source entry. For example, assume that the show ip dhcp snooping binding command displays the following binding table entry:
MacAddress          IpAddress   LeaseSec   Type            VLAN   Interface
------------------  ---------   --------   -------------   ----   -----------
00:02:B3:3F:3B:99   10.5.5.2    6943       dhcp-snooping   10     Ethernet2/3
If the device receives an IP packet with an IP address of 10.5.5.2, IP Source Guard forwards the packet only if the MAC address of the packet is 00:02:B3:3F:3B:99.
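The following Python model is an added example (not code from this guide or from Cisco) of the filter this section describes: on an interface where IP Source Guard is enabled, an IP packet is forwarded only when its source IP and MAC match a DHCP snooping binding or a static IP source entry, and DHCP packets are left to DHCP snooping. TABLE is constructed from the binding shown above plus the static entry used in the configuration example at the end of this chapter; requiring the binding's VLAN and interface to match as well as its IP and MAC is an assumption drawn from the columns of the binding table.

```python
"""Model of the IP Source Guard filter described above: on an enabled Layer 2
interface, an IP packet is forwarded only when its source IP and MAC match a
DHCP snooping binding or a static IP source entry; DHCP is handed to DHCP
snooping instead. Added example, not Cisco code. Requiring the binding's VLAN
and interface to match as well is an assumption drawn from the columns of the
binding table shown above."""
from dataclasses import dataclass


def norm_mac(mac: str) -> str:
    return mac.replace(".", "").replace(":", "").lower()


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    vlan: int
    interface: str
    kind: str   # "dhcp-snooping" or "static", as in the Type column


@dataclass
class IpPacket:
    src_ip: str
    src_mac: str
    vlan: int
    interface: str
    is_dhcp: bool = False


# Constructed table: the dhcp-snooping entry from the text above plus the static
# entry from the configuration example at the end of this chapter.
TABLE = [
    Binding("10.5.5.2", "00:02:B3:3F:3B:99", 10, "Ethernet2/3", "dhcp-snooping"),
    Binding("10.5.22.17", "001f.28bd.0013", 100, "Ethernet2/3", "static"),
]


def ipsg_decision(pkt: IpPacket, table, enabled: set) -> str:
    """Return "forward", "dhcp-snooping" (left to DHCP snooping) or "drop"."""
    if pkt.interface not in enabled:
        return "forward"            # IP Source Guard is off on this interface
    if pkt.is_dhcp:
        return "dhcp-snooping"      # DHCP snooping inspects it and forwards or drops
    for b in table:
        if (b.interface == pkt.interface and b.vlan == pkt.vlan
                and b.ip == pkt.src_ip and norm_mac(b.mac) == norm_mac(pkt.src_mac)):
            return "forward"
    return "drop"                   # no binding and no static entry for this IP+MAC


def filter_packets(packets, table, enabled: set) -> dict:
    """Count decisions over a batch, the shape a quick review would want."""
    counts = {"forward": 0, "dhcp-snooping": 0, "drop": 0}
    for p in packets:
        counts[ipsg_decision(p, table, enabled)] += 1
    return counts


if __name__ == "__main__":
    pkts = [
        IpPacket("10.5.5.2", "00:02:B3:3F:3B:99", 10, "Ethernet2/3"),    # bound host
        IpPacket("10.5.5.2", "0002.b33f.3b98", 10, "Ethernet2/3"),       # wrong MAC for that IP
        IpPacket("0.0.0.0", "0002.b33f.3b98", 10, "Ethernet2/3", True),  # DHCP discover
        IpPacket("10.5.22.17", "001f.28bd.0013", 100, "Ethernet2/3"),    # static entry
    ]
    print(filter_packets(pkts, TABLE, {"Ethernet2/3"}))
```

The second packet in the sample batch is the case the section is about: the IP is valid and bound, but the MAC is not the one in the binding, so the filter drops it. The DHCP packet passes through the filter untouched because that is how a host with no binding yet can obtain one.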
Licensing Requirements for IP Source Guard
This table shows the licensing requirements for IP Source Guard.
Product: Cisco NX-OS
License Requirement: IP Source Guard requires no license. Any feature not included in a license package is bundled with the Cisco NX-OS system images and is provided at no extra charge to you. For an explanation of the Cisco NX-OS licensing scheme, see the Cisco NX-OS Licensing Guide.
Prerequisites for IP Source Guard
IP Source Guard has the following prerequisite:
• You must enable the DHCP feature.
Guidelines and Limitations for IP Source Guard
IP Source Guard has the following configuration guidelines and limitations:
• IP Source Guard limits IP traffic on an interface to only those sources that have an IP-MAC address binding table entry or static IP source entry. When you first enable IP Source Guard on an interface, you may experience disruption in IP traffic until the hosts on the interface receive a new IP address from a DHCP server.
• IP Source Guard is dependent upon DHCP snooping to build and maintain the IP-MAC address binding table or upon manual maintenance of static IP source entries.
Default Settings for IP Source Guard
This table lists the default settings for IP Source Guard parameters.
Table 20: Default IP Source Guard Parameters
Parameter: IP Source Guard
Default: Disabled on each interface.
Parameter: IP source entries
Default: None. No static or default IP source entries exist by default.
Configuring IP Source Guard
Enabling or Disabling IP Source Guard on a Layer 2 Interface
You can enable or disable IP Source Guard on a Layer 2 interface. By default, IP Source Guard is disabled on all interfaces.
Before You Begin
Ensure that the DHCP feature is enabled.
Procedure
Step 1: configure terminal
Purpose: Enters global configuration mode.
Example:
switch# configure terminal
switch(config)#
Step 2: interface ethernet slot/port
Purpose: Enters interface configuration mode for the specified interface.
Example:
switch(config)# interface ethernet 2/3
switch(config-if)#
Step 3: [no] ip verify source dhcp-snooping-vlan
Purpose: Enables IP Source Guard on the interface. The no option disables IP Source Guard on the interface.
Example:
switch(config-if)# ip verify source dhcp-snooping-vlan
Step 4: show running-config dhcp
Purpose: (Optional) Displays the running configuration for DHCP snooping, including the IP Source Guard configuration.
Example:
switch(config-if)# show running-config dhcp
Step 5: copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
Example:
switch(config-if)# copy running-config startup-config
Related Topics
Adding or Removing a Static IP Source Entry, on page 284
Adding or Removing a Static IP Source Entry
You can add or remove a static IP source entry on a device. By default, there are no static IP source entries on a device.
Procedure
Step 1: configure terminal
Purpose: Enters global configuration mode.
Example:
switch# configure terminal
switch(config)#
Step 2: [no] ip source binding IP-address MAC-address vlan vlan-ID interface ethernet slot/port
Purpose: Creates a static IP source entry for the current interface, or if you use the no option, removes a static IP source entry.
Example:
switch(config)# ip source binding 10.5.22.17 001f.28bd.0013 vlan 100 interface ethernet 2/3
Step 3: show ip dhcp snooping binding [interface ethernet slot/port]
Purpose: (Optional) Displays IP-MAC address bindings for the interface specified, including static IP source entries. Static entries appear with the term static in the Type column.
Example:
switch(config)# show ip dhcp snooping binding interface ethernet 2/3
Step 4: copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
Example:
switch(config)# copy running-config startup-config
Related Topics
Enabling or Disabling IP Source Guard on a Layer 2 Interface, on page 283
Displaying IP Source Guard Bindings, on page 285
Displaying IP Source Guard Bindings
Use the show ip verify source command to display IP-MAC address bindings.
Configuration Example for IP Source Guard
This example shows how to create a static IP source entry and then how to enable IP Source Guard on an interface.
ip source binding 10.5.22.17 001f.28bd.0013 vlan 100 interface ethernet 2/3
interface ethernet 2/3
no shutdown
ip verify source dhcp-snooping-vlan
Additional References for IP Source Guard
Related Documents
Related Topic: IP Source Guard commands: complete command syntax, command modes, command history, defaults, usage guidelines, and examples
Document Title:
Standards
Standards: No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.
Title: —
CHAPTER 14
Configuring Control Plane Policing
This chapter contains the following sections:
• Information About CoPP, page 287
• Control Plane Protection, page 289
• CoPP Policy Templates, page 293
• CoPP and the Management Interface, page 297
• Licensing Requirements for CoPP, page 297
• Guidelines and Limitations for CoPP, page 298
• Default Settings for CoPP, page 298
•
• Verifying the CoPP Configuration, page 301
• Displaying the CoPP Configuration Status, page 302
•
• Monitoring CoPP with SNMP, page 303
• Clearing the CoPP Statistics, page 303
• Additional References for CoPP, page 303
Information About CoPP
Control Plane Policing (CoPP) protects the control plane and separates it from the data plane, which ensures network stability, reachability, and packet delivery.
This feature allows a policy map to be applied to the control plane. This policy map looks like a normal QoS policy and is applied to all traffic entering the switch from a non-management port. A common attack vector for network devices is the denial-of-service (DoS) attack, where excessive traffic is directed at the device interfaces.
The Cisco NX-OS device provides CoPP to prevent DoS attacks from impacting performance. Such attacks, which can be perpetrated either inadvertently or maliciously, typically involve high rates of traffic destined to the supervisor module or CPU itself.
The supervisor module divides the traffic that it manages into three functional components or planes:
Data plane
Handles all the data traffic. The basic functionality of a Cisco NX-OS device is to forward packets from one interface to another. The packets that are not meant for the switch itself are called the transit packets.
These packets are handled by the data plane.
Control plane
Handles all routing protocol control traffic. These protocols, such as the Border Gateway Protocol
(BGP) and the Open Shortest Path First (OSPF) Protocol, send control packets between devices. These packets are destined to router addresses and are called control plane packets.
Management plane
Runs the components meant for Cisco NX-OS device management purposes such as the command-line interface (CLI) and Simple Network Management Protocol (SNMP).
The supervisor module has both the management plane and control plane and is critical to the operation of the network. Any disruption or attacks to the supervisor module will result in serious network outages. For example, excessive traffic to the supervisor module could overload and slow down the performance of the entire Cisco NX-OS device. Another example is a DoS attack on the supervisor module that could generate
IP traffic streams to the control plane at a very high rate, forcing the control plane to spend a large amount of time in handling these packets and preventing the control plane from processing genuine traffic.
Examples of DoS attacks are as follows:
• Internet Control Message Protocol (ICMP) echo requests
• IP fragments
• TCP SYN flooding
These attacks can impact the device performance and have the following negative effects:
• Reduced service quality (such as poor voice, video, or critical applications traffic)
• High route processor or switch processor CPU utilization
• Route flaps due to loss of routing protocol updates or keepalives
• Unstable Layer 2 topology
• Slow or unresponsive interactive sessions with the CLI
• Processor resource exhaustion, such as the memory and buffers
• Indiscriminate drops of incoming packets
Caution
It is important to ensure that you protect the supervisor module from accidental or malicious attacks by configuring control plane protection.
Control Plane Protection
To protect the control plane, the Cisco NX-OS device segregates different packets destined for the control plane into different classes. Once these classes are identified, the Cisco NX-OS device polices the packets, which ensures that the supervisor module is not overwhelmed.
Control Plane Packet Types
Different types of packets can reach the control plane:
Receive packets
Packets that have the destination address of a router. The destination address can be a Layer 2 address (such as a router MAC address) or a Layer 3 address (such as the IP address of a router interface). These packets include router updates and keepalive messages. Multicast packets can also be in this category where packets are sent to multicast addresses that are used by a router.
Exception packets
Packets that need special handling by the supervisor module. For example, if a destination address is not present in the Forwarding Information Base (FIB) and results in a miss, the supervisor module sends an ICMP unreachable packet back to the sender. Another example is a packet with IP options set.
Redirected packets
Packets that are redirected to the supervisor module. Features such as Dynamic Host Configuration Protocol (DHCP) snooping or dynamic Address Resolution Protocol (ARP) inspection redirect some packets to the supervisor module.
Glean packets
If a Layer 2 MAC address for a destination IP address is not present in the FIB, the supervisor module receives the packet and sends an ARP request to the host.
All of these packet types could be used maliciously to attack the control plane and overwhelm the Cisco NX-OS device. CoPP classifies these packets into different classes and provides a mechanism to individually control the rate at which the supervisor module receives the packets of each class.
Classification for CoPP
For effective protection, the Cisco NX-OS device classifies the packets that reach the supervisor module so that you can apply different rate-controlling policies based on the type of packet. For example, you might want to be less strict with a protocol packet such as a Hello message but more strict with a packet that is sent to the supervisor module only because the IP option is set.
Rate Controlling Mechanisms
Once the packets are classified, the Cisco NX-OS device has two different mechanisms to control the rate at which packets arrive at the supervisor module: policing and rate limiting.
Using hardware policers, you can define separate actions for traffic that conforms to or violates certain conditions. These actions can transmit the packet, mark down the packet, or drop the packet.
You can configure the following parameters for policing:
Committed information rate (CIR)
Desired bandwidth, specified as a bit rate.
Committed burst (BC)
Size of a traffic burst that can exceed the CIR within a given unit of time and not impact scheduling.
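The interplay of CIR and BC is easiest to see in a small model. The following Python is an added example, not NX-OS code: each packet is mapped to its class by the protocol it carries and then charged against that class's token bucket, whose depth is BC and whose refill rate is CIR. The class names and the cir/bc values are the ones the guide lists for a few classes of copp-system-policy-default; the protocol-to-class mapping, the packet trace and the function names are constructed for the demonstration.

```python
"""Single-rate token-bucket model of a CoPP class policer (added example, not
NX-OS code). A packet that finds enough tokens is transmitted (counted as
conformed); otherwise it is dropped (counted as violated). A burst of up to
BC bytes passes even when it arrives far faster than CIR; after that, only
CIR's worth of bytes per second gets through."""
from dataclasses import dataclass, field

# Subset of the class-map table: match protocol -> class. Anything that matches
# no other class falls into copp-system-class-default (constructed subset).
CLASS_OF_PROTOCOL = {
    "arp": "copp-system-class-arp",
    "icmp_echo": "copp-system-class-icmp-echo",
    "bgp": "copp-system-class-bgp",
}
DEFAULT_CLASS = "copp-system-class-default"

# copp-system-policy-default values for those classes: (cir in kbps, bc in bytes).
DEFAULT_POLICY = {
    "copp-system-class-arp": (1024, 3600000),
    "copp-system-class-icmp-echo": (64, 3600000),
    "copp-system-class-bgp": (9600, 4800000),
    DEFAULT_CLASS: (512, 6400000),
}


@dataclass
class Policer:
    cir_kbps: int
    bc_bytes: int
    tokens: float = field(init=False)
    conformed: int = 0  # bytes transmitted
    violated: int = 0   # bytes dropped

    def __post_init__(self) -> None:
        self.tokens = float(self.bc_bytes)  # the bucket starts full

    def police(self, length: int, elapsed: float) -> str:
        """Refill for `elapsed` seconds, then charge one packet of `length` bytes."""
        refill = elapsed * self.cir_kbps * 1000 / 8  # kbps -> bytes per second
        self.tokens = min(float(self.bc_bytes), self.tokens + refill)
        if length <= self.tokens:
            self.tokens -= length
            self.conformed += length
            return "transmit"
        self.violated += length
        return "drop"


def classify(protocol: str) -> str:
    """Map a packet's protocol to its CoPP class (unknown -> default class)."""
    return CLASS_OF_PROTOCOL.get(protocol, DEFAULT_CLASS)


def simulate(packets, policy=DEFAULT_POLICY):
    """packets: iterable of (timestamp_seconds, protocol, length_bytes) in time order.
    Returns {class_name: (conformed_bytes, violated_bytes)} for every policed class."""
    policers = {name: Policer(cir, bc) for name, (cir, bc) in policy.items()}
    last_seen = {name: 0.0 for name in policy}
    for ts, proto, length in packets:
        cls = classify(proto)
        policers[cls].police(length, ts - last_seen[cls])
        last_seen[cls] = ts
    return {name: (p.conformed, p.violated) for name, p in policers.items()}


def demo_trace():
    """Constructed trace: an ICMP echo flood of 5000 x 1000-byte pings at t=0,
    ten ARPs, one HTTP frame (default class), then one more ping a second later."""
    trace = [(0.0, "icmp_echo", 1000) for _ in range(5000)]
    trace += [(0.0, "arp", 60) for _ in range(10)]
    trace.append((0.0, "http", 1500))
    trace.append((1.0, "icmp_echo", 1000))
    return trace


if __name__ == "__main__":
    for cls, (ok, dropped) in simulate(demo_trace()).items():
        print(f"{cls:32s} conformed {ok:>8d} bytes  violated {dropped:>8d} bytes")
```

With the icmp-echo policer at 64 kbps and a 3,600,000-byte burst, the first 3600 pings of the flood are admitted on the stored burst alone and the remaining 1400 are dropped; one second later the bucket has only refilled by 8000 bytes (64 kbps), which is why a sustained flood is held to CIR while normal traffic in other classes is untouched.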
CoPP Extended Rate
Beginning with Cisco NX-OS Release 7.1(1)N1(1), you can configure an extended CoPP committed information rate (CIR) limit of up to 61,440 Kbps for each customized CoPP profile.
CoPP Class Maps
The following table shows the available class maps and their configurations.
Table 21: Class Map Configurations and Descriptions

Class map: copp-system-class-arp
Configuration:
  class-map type control-plane match-any copp-system-class-arp
    match protocol arp
    match protocol nd
Description:
  Class matches all ARP packets.
  Class matches all ARP packets and ND (NA, NS, RA, and RS) packets.

Class map: copp-system-class-bgp
Configuration:
  class-map type control-plane match-any copp-system-class-bgp
    match protocol bgp
Description: Class matches all BGP packets.

Class map: copp-system-class-bridging
Configuration:
  class-map type control-plane match-any copp-system-class-bridging
    match protocol bridging
Description: Class matches all STP and RSTP frames.

Class map: copp-system-class-cdp
Configuration:
  class-map type control-plane match-any copp-system-class-cdp
    match protocol cdp
Description: Class matches all CDP frames.

Class map: copp-system-class-default
Configuration:
  class-map type control-plane match-any copp-system-class-default
    match protocol default
Description: Class matches all frames. Used for the default policer.

Class map: copp-system-class-dhcp
Configuration:
  class-map type control-plane match-any copp-system-class-dhcp
    match protocol dhcp
Description: Class matches all IPv4 DHCP packets.

Class map: copp-system-class-eigrp
Configuration:
  class-map type control-plane match-any copp-system-class-eigrp
    match protocol eigrp
    match protocol eigrp6
Description:
  Class matches all IPv4 EIGRP packets.
  Class matches both IPv4 and IPv6 EIGRP packets.

Class map: copp-system-class-exception
Configuration:
  class-map type control-plane match-any copp-system-class-exception
    match protocol exception
Description: Class matches all IP packets that are treated as exception packets (except TTL exception, IP fragment exception, and same-interface exception packets) for IP routing purposes, such as packets with a Martian destination address or with an MTU failure.

Class map: copp-system-class-excp-ip-frag
Configuration:
  class-map type control-plane match-any copp-system-class-excp-ip-frag
    match protocol ip_frag
Description: Class matches all IP packets that are fragments. (These packets are treated as exception packets from an IP routing perspective.)

Class map: copp-system-class-excp-same-if
Configuration:
  class-map type control-plane match-any copp-system-class-excp-same-if
    match protocol same-if
Description: Class matches all IP packets that are treated as exception packets for IP routing. The packets are matched because they are received on the interface through which their destination is reached.

Class map: copp-system-class-excp-ttl
Configuration:
  class-map type control-plane match-any copp-system-class-excp-ttl
    match protocol ttl
Description: Class matches all packets that are treated as TTL exception packets (when TTL is 0) from an IP routing perspective.

Class map: copp-system-class-fip
Configuration:
  class-map type control-plane match-any copp-system-class-fip
    match protocol fip
Description: Class matches all packets belonging to the FCoE Initialization Protocol.

Class map: copp-system-class-glean
Configuration:
  class-map type control-plane match-any copp-system-class-glean
    match protocol glean
Description: Class matches all IP packets that cannot be routed to the next hop because the destination MAC information is unavailable.

Class map: copp-system-class-hsrp-vrrp
Configuration:
  class-map type control-plane match-any copp-system-class-hsrp-vrrp
    match protocol hsrp_vrrp
    match protocol hsrp6
Description:
  Class matches HSRP and VRRP packets.
  Class matches IPv4 HSRP, VRRP, and IPv6 HSRP packets.

Class map: copp-system-class-icmp-echo
Configuration:
  class-map type control-plane match-any copp-system-class-icmp-echo
    match protocol icmp_echo
Description: Class matches all ICMP Echo (ping) packets.

Class map: copp-system-class-igmp
Configuration:
  class-map type control-plane match-any copp-system-class-igmp
    match protocol igmp
Description: Class matches all IGMP packets.

Class map: copp-system-class-isis
Configuration:
  class-map type control-plane match-any copp-system-class-isis
    match protocol isis_dce
Description: Class matches FabricPath ISIS packets and ignores router ISIS packets.

Class map: copp-system-class-l3dest-miss
Configuration:
  class-map type control-plane match-any copp-system-class-l3dest-miss
    match protocol unicast
Description: Class matches all unicast routed packets that did not find a destination in the FIB.

Class map: copp-system-class-lacp
Configuration:
  class-map type control-plane match-any copp-system-class-lacp
    match protocol lacp
Description: Class matches all Link Aggregation Control Protocol (LACP) frames.

Class map: copp-system-class-lldp
Configuration:
  class-map type control-plane match-any copp-system-class-lldp
    match protocol lldp_dcx
Description: Class matches all LLDP frames.

Class map: copp-system-class-mcast-last-hop
Configuration:
  class-map type control-plane match-any copp-system-class-mcast-last-hop
    match protocol mcast_last_hop
Description: Class matches all IP multicast last-hop packets.

Class map: copp-system-class-mcast-miss
Configuration:
  class-map type control-plane match-any copp-system-class-mcast-miss
    match protocol multicast
Description: Class matches all IP multicast frames that could not be routed because they did not have an entry in the FIB.

Class map: copp-system-class-mgmt
Configuration:
  class-map type control-plane match-any copp-system-class-mgmt
    match protocol mgmt
Description: Class matches all management-related frames, such as SNMP, HTTP, NTP, Telnet, and SSH.

Class map: copp-system-class-msdp
Configuration:
  class-map type control-plane match-any copp-system-class-msdp
    match protocol msdp
Description: Class matches MSDP packets.

Class map: copp-system-class-ospf
Configuration:
  class-map type control-plane match-any copp-system-class-ospf
    match protocol ospf
    match protocol ospfv3
Description: Class matches OSPF and OSPFv3 protocol packets.

Class map: copp-system-class-pim-hello
Configuration:
  class-map type control-plane match-any copp-system-class-pim-hello
    match protocol pim
Description: Class matches all PIM Hello packets.

Class map: copp-system-class-pim-register
Configuration:
  class-map type control-plane match-any copp-system-class-pim-register
    match protocol reg
Description: Class matches all PIM Register packets.

Class map: copp-system-class-rip
Configuration:
  class-map type control-plane match-any copp-system-class-rip
    match protocol rip
Description: Class matches all RIP packets.

Class map: copp-system-class-rpf-fail
Configuration:
  class-map type control-plane match-any copp-system-class-rpf-fail
    match protocol rpf_fail
Description: Class matches all RPF failure packets.

Class map: copp-system-class-udld
Configuration:
  class-map type control-plane match-any copp-system-class-udld
    match protocol udld
Description: Class matches all UDLD frames.
CoPP Policy Templates
When you bring up your Cisco NX-OS device for the first time, the Cisco NX-OS software installs the default copp-system-policy to protect the supervisor module from DoS attacks. You can choose the CoPP policy template for your deployment scenario by specifying CoPP policy options from the initial setup utility:
• Default CoPP Policy (copp-system-policy-default)
• Scaled Layer 2 CoPP Policy (copp-system-policy-scaled-l2)
• Scaled Layer 3 CoPP Policy (copp-system-policy-scaled-l3)
• Customized CoPP Policy (copp-system-policy-customized)
If you do not select an option or choose not to execute the setup utility, the Cisco NX-OS software applies the default policy. Cisco recommends starting with the default policy and later modifying the CoPP policies as required.
The default copp-system-policy-default policy has optimized values suitable for basic device operations.
You can change which CoPP policy is used by using the service-policy input policy-name command in the control plane configuration mode.
Default CoPP Policy
The copp-system-policy-default policy is applied to the switch by default. It has the classes with policer rates that should suit most network installations. You cannot modify this policy or the class maps associated with it. In addition, you cannot modify the class map configurations in this policy.
This policy has the following configuration:
policy-map type control-plane copp-system-policy-default
  class copp-system-class-igmp
    police cir 1024 kbps bc 65535 bytes
  class copp-system-class-pim-hello
    police cir 1024 kbps bc 4800000 bytes
  class copp-system-class-bridging
    police cir 20000 kbps bc 4800000 bytes
  class copp-system-class-arp
    police cir 1024 kbps bc 3600000 bytes
  class copp-system-class-dhcp
    police cir 1024 kbps bc 4800000 bytes
  class copp-system-class-mgmt
    police cir 12000 kbps bc 4800000 bytes
  class copp-system-class-lacp
    police cir 1024 kbps bc 4800000 bytes
  class copp-system-class-lldp
    police cir 2048 kbps bc 4800000 bytes
  class copp-system-class-udld
    police cir 2048 kbps bc 4800000 bytes
  class copp-system-class-isis
    police cir 1024 kbps bc 4800000 bytes
  class copp-system-class-msdp
    police cir 9600 kbps bc 4800000 bytes
  class copp-system-class-cdp
    police cir 1024 kbps bc 4800000 bytes
  class copp-system-class-fip
    police cir 1024 kbps bc 4800000 bytes
  class copp-system-class-bgp
    police cir 9600 kbps bc 4800000 bytes
  class copp-system-class-eigrp
    police cir 9600 kbps bc 4800000 bytes
  class copp-system-class-exception
    police cir 64 kbps bc 4800000 bytes
  class copp-system-class-glean
    police cir 1024 kbps bc 4800000 bytes
  class copp-system-class-hsrp-vrrp
    police cir 1024 kbps bc 256000 bytes
  class copp-system-class-icmp-echo
    police cir 64 kbps bc 3600000 bytes
  class copp-system-class-ospf
    police cir 9600 kbps bc 4800000 bytes
  class copp-system-class-pim-register
    police cir 9600 kbps bc 4800000 bytes
  class copp-system-class-rip
    police cir 9600 kbps bc 4800000 bytes
  class copp-system-class-l3dest-miss
    police cir 64 kbps bc 256000 bytes
  class copp-system-class-mcast-miss
    police cir 256 kbps bc 3200000 bytes
  class copp-system-class-excp-ip-frag
    police cir 64 kbps bc 3200000 bytes
  class copp-system-class-excp-same-if
    police cir 64 kbps bc 3200000 bytes
  class copp-system-class-excp-ttl
    police cir 64 kbps bc 3200000 bytes
  class copp-system-class-default
    police cir 512 kbps bc 6400000 bytes
Scaled Layer 2 CoPP Policy
The copp-system-policy-scaled-l2 policy has most classes with policer rates that are the same as in the default policy. However, it has higher policer rates for IGMP and ISIS. You cannot modify this policy or the class maps associated with it. In addition, you cannot modify the class map configurations in this policy.
This policy has the following configuration:
policy-map type control-plane copp-system-policy-scaled-l2
  class copp-system-class-igmp
    police cir 4096 kbps bc 264000 bytes
  class copp-system-class-pim-hello
    police cir 1024 kbps bc 4800000 bytes
  class copp-system-class-bridging
    police cir 20000 kbps bc 4800000 bytes
  class copp-system-class-arp
    police cir 1024 kbps bc 3600000 bytes
  class copp-system-class-dhcp
    police cir 1024 kbps bc 4800000 bytes
  class copp-system-class-mgmt
    police cir 12000 kbps bc 4800000 bytes
  class copp-system-class-lacp
    police cir 1024 kbps bc 4800000 bytes
  class copp-system-class-lldp
    police cir 2048 kbps bc 4800000 bytes
  class copp-system-class-udld
    police cir 2048 kbps bc 4800000 bytes
  class copp-system-class-isis
    police cir 2048 kbps bc 4800000 bytes
  class copp-system-class-msdp
    police cir 9600 kbps bc 4800000 bytes
  class copp-system-class-cdp
    police cir 1024 kbps bc 4800000 bytes
  class copp-system-class-fip
    police cir 1024 kbps bc 4800000 bytes
  class copp-system-class-bgp
    police cir 9600 kbps bc 4800000 bytes
  class copp-system-class-eigrp
    police cir 9600 kbps bc 4800000 bytes
  class copp-system-class-exception
    police cir 64 kbps bc 4800000 bytes
  class copp-system-class-glean
    police cir 1024 kbps bc 4800000 bytes
  class copp-system-class-hsrp-vrrp
    police cir 1024 kbps bc 4800000 bytes
  class copp-system-class-icmp-echo
    police cir 64 kbps bc 3600000 bytes
  class copp-system-class-ospf
    police cir 9600 kbps bc 4800000 bytes
  class copp-system-class-pim-register
    police cir 9600 kbps bc 4800000 bytes
  class copp-system-class-rip
    police cir 9600 kbps bc 4800000 bytes
  class copp-system-class-l3dest-miss
    police cir 64 kbps bc 3200000 bytes
  class copp-system-class-mcast-miss
    police cir 256 kbps bc 3200000 bytes
  class copp-system-class-excp-ip-frag
    police cir 64 kbps bc 3200000 bytes
  class copp-system-class-excp-same-if
    police cir 64 kbps bc 3200000 bytes
  class copp-system-class-excp-ttl
    police cir 64 kbps bc 3200000 bytes
  class copp-system-class-default
    police cir 512 kbps bc 6400000 bytes
Scaled Layer 3 CoPP Policy
The copp-system-policy-scaled-l3 policy has most classes with policer rates that are the same as in the default policy. However, it has higher policer rates for the IGMP, ICMP Echo, ISIS, Mcast-miss, and Glean related classes. You cannot modify this policy or the class maps associated with it. In addition, you cannot modify the class map configurations in this policy.
This policy has the following configuration:
policy-map type control-plane copp-system-policy-scaled-l3
  class copp-system-class-igmp
    police cir 4096 kbps bc 264000 bytes
  class copp-system-class-pim-hello
    police cir 1024 kbps bc 4800000 bytes
  class copp-system-class-bridging
    police cir 20000 kbps bc 4800000 bytes
  class copp-system-class-arp
    police cir 4000 kbps bc 3600000 bytes
  class copp-system-class-dhcp
    police cir 1024 kbps bc 4800000 bytes
  class copp-system-class-mgmt
    police cir 12000 kbps bc 4800000 bytes
  class copp-system-class-lacp
    police cir 1024 kbps bc 4800000 bytes
  class copp-system-class-lldp
    police cir 2048 kbps bc 4800000 bytes
  class copp-system-class-udld
    police cir 2048 kbps bc 4800000 bytes
  class copp-system-class-isis
    police cir 2048 kbps bc 4800000 bytes
  class copp-system-class-msdp
    police cir 9600 kbps bc 4800000 bytes
  class copp-system-class-cdp
    police cir 1024 kbps bc 4800000 bytes
  class copp-system-class-fip
    police cir 1024 kbps bc 4800000 bytes
  class copp-system-class-bgp
    police cir 9600 kbps bc 4800000 bytes
  class copp-system-class-eigrp
    police cir 9600 kbps bc 4800000 bytes
  class copp-system-class-exception
    police cir 64 kbps bc 4800000 bytes
  class copp-system-class-glean
    police cir 4000 kbps bc 4800000 bytes
  class copp-system-class-hsrp-vrrp
    police cir 1024 kbps bc 4800000 bytes
  class copp-system-class-icmp-echo
    police cir 4000 kbps bc 3600000 bytes
  class copp-system-class-ospf
    police cir 9600 kbps bc 4800000 bytes
  class copp-system-class-pim-register
    police cir 9600 kbps bc 4800000 bytes
  class copp-system-class-rip
    police cir 9600 kbps bc 4800000 bytes
  class copp-system-class-l3dest-miss
    police cir 64 kbps bc 3200000 bytes
  class copp-system-class-mcast-miss
    police cir 4000 kbps bc 3200000 bytes
  class copp-system-class-excp-ip-frag
    police cir 64 kbps bc 3200000 bytes
  class copp-system-class-excp-same-if
    police cir 64 kbps bc 3200000 bytes
  class copp-system-class-excp-ttl
    police cir 64 kbps bc 3200000 bytes
  class copp-system-class-default
    police cir 512 kbps bc 6400000 bytes
Customizable CoPP Policy
The copp-system-policy-customized policy is configured identically to the default policy, but can be customized for different class map information rates and burst sizes.
You cannot add or delete any of the class maps configured in this policy.
Important
This policy is meant for advanced users. We recommend that you use extreme caution when configuring this policy and test it extensively before deploying it in your production network.
This policy has the following configuration:
policy-map type control-plane copp-system-policy-customized
  class copp-system-class-igmp
    police cir 1024 kbps bc 65535 bytes
  class copp-system-class-pim-hello
    police cir 1024 kbps bc 4800000 bytes
  class copp-system-class-bridging
    police cir 20000 kbps bc 4800000 bytes
  class copp-system-class-arp
    police cir 1024 kbps bc 3600000 bytes
  class copp-system-class-dhcp
    police cir 1024 kbps bc 4800000 bytes
  class copp-system-class-mgmt
    police cir 12000 kbps bc 4800000 bytes
  class copp-system-class-lacp
    police cir 1024 kbps bc 4800000 bytes
  class copp-system-class-lldp
    police cir 2048 kbps bc 4800000 bytes
  class copp-system-class-udld
    police cir 2048 kbps bc 4800000 bytes
  class copp-system-class-isis
    police cir 1024 kbps bc 4800000 bytes
  class copp-system-class-msdp
    police cir 9600 kbps bc 4800000 bytes
  class copp-system-class-cdp
    police cir 1024 kbps bc 4800000 bytes
  class copp-system-class-fip
    police cir 1024 kbps bc 4800000 bytes
  class copp-system-class-bgp
    police cir 9600 kbps bc 4800000 bytes
  class copp-system-class-eigrp
    police cir 9600 kbps bc 4800000 bytes
  class copp-system-class-exception
    police cir 64 kbps bc 4800000 bytes
  class copp-system-class-glean
    police cir 1024 kbps bc 4800000 bytes
  class copp-system-class-hsrp-vrrp
    police cir 1024 kbps bc 4800000 bytes
  class copp-system-class-icmp-echo
    police cir 64 kbps bc 3600000 bytes
  class copp-system-class-ospf
    police cir 9600 kbps bc 4800000 bytes
  class copp-system-class-pim-register
    police cir 9600 kbps bc 4800000 bytes
  class copp-system-class-rip
    police cir 9600 kbps bc 4800000 bytes
  class copp-system-class-l3dest-miss
    police cir 64 kbps bc 3200000 bytes
  class copp-system-class-mcast-miss
    police cir 256 kbps bc 3200000 bytes
  class copp-system-class-excp-ip-frag
    police cir 64 kbps bc 3200000 bytes
  class copp-system-class-excp-same-if
    police cir 64 kbps bc 3200000 bytes
  class copp-system-class-excp-ttl
    police cir 64 kbps bc 3200000 bytes
  class copp-system-class-default
    police cir 512 kbps bc 6400000 bytes
CoPP and the Management Interface
The Cisco NX-OS device supports only hardware-based CoPP, which does not cover the management interface (mgmt0). The out-of-band mgmt0 interface connects directly to the CPU and does not pass through the in-band traffic hardware where CoPP is implemented.
On the mgmt0 interface, you can configure ACLs to permit or deny a particular type of traffic.
Licensing Requirements for CoPP
This feature does not require a license. Any feature not included in a license package is bundled with the Cisco NX-OS system images and is provided at no extra charge to you. For a complete explanation of the Cisco NX-OS licensing scheme, see the Cisco NX-OS Licensing Guide.
Guidelines and Limitations for CoPP
CoPP is a feature that is enabled by default in the switch. You cannot enable or disable CoPP.
• Only one control-plane policy can be applied at a time.
• Removing a CoPP policy applies the default CoPP policy. In this way, a CoPP policy is always applied.
• You cannot add or delete any classes or policies.
• You cannot change the order of the classes or remove a class from any policy.
• You cannot modify the default, the Scaled Layer-2, or the Scaled Layer 3 policies. However, you can modify the information rate and burst size of the classes in the customized policy.
• The customized policy configuration is the same as the default policy configuration, unless the customized policy has been modified.
• When upgrading from a previous release, the default CoPP policy is enabled by default on the switch.
• After modifying the customized policy or changing the applied policy, the statistical counters are reset.
• After you perform an ISSU, the statistical counters are reset.
• Cisco recommends that you use the default CoPP policy initially and then later determine which of the CoPP policies to use based on the data center and application requirements.
• Customizing CoPP is an ongoing process. CoPP must be configured according to the protocols and features used in your specific environment as well as the supervisor features that are required by the server environment. As these protocols and features change, CoPP must be modified.
• Cisco recommends that you continuously monitor CoPP. If drops occur, determine if CoPP dropped traffic unintentionally or in response to a malfunction or attack. In either event, analyze the situation and evaluate the need to use a different CoPP policy or modify the customized CoPP policy.
• All the traffic that you do not specify in the other class maps is put into the last class, the default class.
• The Cisco NX-OS software does not support egress CoPP or silent mode. CoPP is supported only on ingress (you cannot use the service-policy output copp command on the control plane interface).
Note
If you are familiar with the Cisco IOS CLI, be aware that the Cisco NX-OS commands for this feature might differ from the Cisco IOS commands that you would use.
Default Settings for CoPP
This table lists the default settings for CoPP parameters.
Table 22: Default CoPP Parameters Settings

Parameter: Default policy
Default: copp-system-policy-default

Parameter: Default policy
Default: 9 policy entries
Note
The maximum number of supported policies with associated class maps is 128.

Parameter: Scale factor value
Default: 1.00
Configuring CoPP
Applying a CoPP Policy to the Switch
You can apply one of the following CoPP policies to the switch:
• Default CoPP Policy (copp-system-policy-default).
• Scaled Layer 2 CoPP Policy (copp-system-policy-scaled-l2).
• Scaled Layer 3 CoPP Policy (copp-system-policy-scaled-l3).
• Customized CoPP Policy (copp-system-policy-customized).
Procedure
Step 1: switch# configure terminal
  Purpose: Enters global configuration mode.
Step 2: switch(config)# control-plane
  Purpose: Enters control-plane mode.
Step 3: switch(config-cp)# service-policy input policy-map-name
  Purpose: Applies the specified CoPP policy map. The policy-map-name can be copp-system-policy-default, copp-system-policy-scaled-l2, copp-system-policy-scaled-l3, or copp-system-policy-customized.
Step 4: switch(config-cp)# copy running-config startup-config
  Purpose: Saves the change persistently through reboots and restarts by copying the running configuration to the startup configuration.
This example shows how to apply a CoPP policy to the device:
switch# configure terminal
switch(config)# control-plane
switch(config-cp)# service-policy input copp-system-policy-default
switch(config-cp)# copy running-config startup-config
Modifying the Customized CoPP Policy
You can only modify the information rates and burst sizes of the class maps configured in this policy.
Procedure
Step 1: switch# configure terminal
  Purpose: Enters global configuration mode.
Step 2: switch(config)# policy-map type control-plane copp-system-policy-customized
  Purpose: Enters configuration mode for the customized CoPP policy.
Step 3: switch(config-pmap)# class class-map-name
  Purpose: Specifies one of the 28 predefined class maps listed in any CoPP predefined policy.
Step 4: switch(config-pmap-c)# police cir rate-value kbps bc buffer-size bytes
  Purpose: Configures the committed information rate (CIR) and committed burst size (BC). The range for cir is from 1 to 20480. The range for bc is from 1500 to 6400000.
Step 5: switch(config-pmap-c)# copy running-config startup-config
  Purpose: Saves the change persistently through reboots and restarts by copying the running configuration to the startup configuration.
This example shows how to modify the customized CoPP policy:
switch(config)# policy-map type control-plane copp-system-policy-customized
switch(config-pmap)# class copp-system-class-bridging
switch(config-pmap-c)# police cir 10000 kbps bc 2400000 bytes
Configuring CoPP Extended Rate
Procedure
Step 1: switch# configure terminal
  Purpose: Enters global configuration mode.
Step 2: switch(config)# control-plane
  Purpose: Enters control-plane mode.
Step 3: switch(config-cp)# service-policy input copp-system-policy-customized
  Purpose: (Optional) Applies the customized CoPP system policy map.
  Note
  Use this command if the CoPP profile is not customized.
Step 4: switch(config-cp)# ingress-copp
  Purpose: Allows CoPP extended CIR configuration.
  Note
  Use the no form of the command to remove the extended CIR.
Step 5: switch(config-cp)# policy-map type control-plane copp-system-policy-customized
  Purpose: Enters configuration mode for the customized CoPP policy.
Step 6: switch(config-pmap)# class class-map-name
  Purpose: Specifies one of the 28 predefined class maps listed in any CoPP predefined policy.
Step 7: switch(config-pmap-c)# police cir rate-value kbps bc buffer-size bytes
  Purpose: Configures the committed information rate (CIR) and committed burst size (BC). The range for the extended CIR is from 1 to 61,440 Kbps. The range for BC is from 1500 to 6400000.
Step 8: switch(config-pmap-c)# copy running-config startup-config
  Purpose: Saves the change persistently through reboots and restarts by copying the running configuration to the startup configuration.
This example shows how to configure CoPP Extended Rate:
switch(config)# control-plane
switch(config-cp)# ingress-copp
switch(config-cp)# policy-map type control-plane copp-system-policy-customized
switch(config-pmap)# class copp-system-class-lacp
switch(config-pmap-c)# police cir 51200 kbps bc 4800000 bytes
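Both procedures above (modifying the customized policy and configuring the extended rate) accept only the 28 predefined class maps and a bounded cir and bc. The following Python is an added example, not NX-OS code: it validates a set of police statements against the documented ranges, 1 to 20480 kbps (1 to 61440 kbps once ingress-copp is enabled) and 1500 to 6400000 bytes, and renders the CLI sequence of whichever procedure applies. The class-name list is copied from the policy templates; the function names and the sample change set are assumptions.

```python
"""Validator and CLI generator for changes to copp-system-policy-customized
(added example, not NX-OS code). The ranges and the class list are the ones the
guide documents; everything else here is constructed for the demonstration."""

# The 28 class maps that appear in every predefined policy (from the guide).
PREDEFINED_CLASSES = frozenset(
    "copp-system-class-" + n for n in (
        "igmp", "pim-hello", "bridging", "arp", "dhcp", "mgmt", "lacp", "lldp",
        "udld", "isis", "msdp", "cdp", "fip", "bgp", "eigrp", "exception",
        "glean", "hsrp-vrrp", "icmp-echo", "ospf", "pim-register", "rip",
        "l3dest-miss", "mcast-miss", "excp-ip-frag", "excp-same-if",
        "excp-ttl", "default",
    )
)
CIR_MAX_KBPS = 20480            # police cir range without ingress-copp
CIR_MAX_EXTENDED_KBPS = 61440   # extended CIR range (Release 7.1(1)N1(1) and later)
BC_MIN_BYTES, BC_MAX_BYTES = 1500, 6400000
POLICY = "copp-system-policy-customized"


def validate_police(class_name: str, cir_kbps: int, bc_bytes: int,
                    extended: bool = False) -> list:
    """Return a list of problems; an empty list means the statement is acceptable."""
    problems = []
    if class_name not in PREDEFINED_CLASSES:
        problems.append(f"{class_name}: not one of the 28 predefined class maps "
                        "(classes cannot be added to the customized policy)")
    cir_max = CIR_MAX_EXTENDED_KBPS if extended else CIR_MAX_KBPS
    if not 1 <= cir_kbps <= cir_max:
        hint = "" if extended else " (enable ingress-copp for up to 61440 kbps)"
        problems.append(f"{class_name}: cir {cir_kbps} kbps outside 1..{cir_max}{hint}")
    if not BC_MIN_BYTES <= bc_bytes <= BC_MAX_BYTES:
        problems.append(f"{class_name}: bc {bc_bytes} bytes outside "
                        f"{BC_MIN_BYTES}..{BC_MAX_BYTES}")
    return problems


def render_customized_policy(changes: dict, extended: bool = False,
                             apply_policy: bool = False) -> list:
    """changes: {class_name: (cir_kbps, bc_bytes)}. Returns the CLI lines of the
    'Modifying the Customized CoPP Policy' procedure, or of the 'Configuring CoPP
    Extended Rate' procedure when extended=True (apply_policy adds its optional
    step 3, needed only when the customized policy is not yet in service).
    Raises ValueError instead of emitting anything the switch would reject."""
    problems = [p for name, (cir, bc) in changes.items()
                for p in validate_police(name, cir, bc, extended)]
    if problems:
        raise ValueError("; ".join(problems))
    lines = ["configure terminal"]
    if extended:
        lines.append("control-plane")
        if apply_policy:
            lines.append(f"service-policy input {POLICY}")
        lines.append("ingress-copp")
    lines.append(f"policy-map type control-plane {POLICY}")
    for name, (cir, bc) in changes.items():
        lines += [f"class {name}", f"police cir {cir} kbps bc {bc} bytes"]
    lines.append("copy running-config startup-config")
    return lines


if __name__ == "__main__":
    # Constructed change set: the guide's bridging example plus the LACP extended-rate example.
    print("\n".join(render_customized_policy({"copp-system-class-bridging": (10000, 2400000)})))
    print("\n".join(render_customized_policy({"copp-system-class-lacp": (51200, 4800000)},
                                             extended=True, apply_policy=True)))
```

Validating before pasting matters here because the customized policy cannot be extended with new classes and the extended range only applies after ingress-copp; a rejected cir line leaves the class at its previous rate with no other indication.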
Verifying the CoPP Configuration
Use one of the following commands to verify the configuration:
Command: show policy-map type control-plane [expand] [name policy-map-name]
  Purpose: Displays the control plane policy map with associated class maps.
Command: show policy-map interface control-plane
  Purpose: Displays the policy values with associated class maps and drops per policy or class map.
Command: show class-map type control-plane [class-map-name]
  Purpose: Displays the control plane class map configuration, including the ACLs that are bound to this class map.
Displaying the CoPP Configuration Status
Procedure
Step 1: switch# show copp status
  Purpose: Displays the configuration status for the CoPP feature.
This example shows how to display the CoPP configuration status:
switch# show copp status
Monitoring CoPP
Procedure
Step 1: switch# show policy-map interface control-plane
  Purpose: Displays packet-level statistics for all classes that are part of the applied CoPP policy, for example, the conformed and violated packet counters. Statistics are specified in terms of OutPackets (packets admitted to the control plane) and DropPackets (packets dropped because of rate limiting).
This example shows how to monitor CoPP:
switch# show policy-map interface control-plane
Control Plane
  service-policy input: copp-system-policy-default
    class-map copp-system-class-igmp (match-any)
      match protocol igmp
      police cir 1024 kbps , bc 65535 bytes
        conformed 0 bytes; action: transmit
        violated 0 bytes;
    class-map copp-system-class-pim-hello (match-any)
      match protocol pim
      police cir 1024 kbps , bc 4800000 bytes
        conformed 0 bytes; action: transmit
        violated 0 bytes;
....
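The guidelines for CoPP say to monitor it continuously and to investigate any drops. As an added example (not NX-OS code and not from the guide), the following Python parses the output format shown above, lists the classes whose violated counter is non-zero, and computes the growth of that counter between two polls; a counter that went down is treated as a reset, since the counters return to zero after a policy change, a customized-policy edit, an ISSU, or clear copp statistics. The sample output, including its non-zero counters, is constructed, and the function names are assumptions.

```python
"""Parser and drop detector for `show policy-map interface control-plane`
output (added example, not NX-OS code). The sample below is constructed in the
format the guide shows; the icmp-echo counters are invented for the demo."""
import re

SAMPLE_OUTPUT = """\
Control Plane

  service-policy  input: copp-system-policy-default

    class-map copp-system-class-igmp (match-any)
      match protocol igmp
      police cir 1024 kbps , bc 65535 bytes
        conformed 0 bytes; action: transmit
        violated 0 bytes;
    class-map copp-system-class-icmp-echo (match-any)
      match protocol icmp_echo
      police cir 64 kbps , bc 3600000 bytes
        conformed 3601000 bytes; action: transmit
        violated 1400000 bytes;
    class-map copp-system-class-default (match-any)
      match protocol default
      police cir 512 kbps , bc 6400000 bytes
        conformed 1500 bytes; action: transmit
        violated 0 bytes;
"""

_POLICY_RE = re.compile(r"service-policy\s+input:\s+(\S+)")
_CLASS_RE = re.compile(r"class-map\s+(\S+)\s+\(")
_POLICE_RE = re.compile(r"police cir (\d+) kbps\s*,\s*bc (\d+) bytes")
_CONF_RE = re.compile(r"conformed (\d+) bytes")
_VIOL_RE = re.compile(r"violated (\d+) bytes")


def parse_copp_stats(text: str) -> dict:
    """Return {"policy": name, "classes": {class: {"cir_kbps", "bc_bytes",
    "conformed", "violated"}}} from the show command's output."""
    result = {"policy": None, "classes": {}}
    current = None
    for line in text.splitlines():
        if (m := _POLICY_RE.search(line)):
            result["policy"] = m.group(1)
        elif (m := _CLASS_RE.search(line)):
            current = result["classes"].setdefault(m.group(1), {})
        elif current is None:
            continue  # header lines before the first class-map
        elif (m := _POLICE_RE.search(line)):
            current["cir_kbps"], current["bc_bytes"] = int(m.group(1)), int(m.group(2))
        elif (m := _CONF_RE.search(line)):
            current["conformed"] = int(m.group(1))
        elif (m := _VIOL_RE.search(line)):
            current["violated"] = int(m.group(1))
    return result


def dropping_classes(stats: dict) -> list:
    """Classes whose violated counter is non-zero, i.e. CoPP has dropped their traffic."""
    return [name for name, c in stats["classes"].items() if c.get("violated", 0) > 0]


def violated_delta(previous: dict, current: dict) -> dict:
    """Per-class growth of the violated counter between two polls. A counter that
    went down was reset (policy change, customized-policy edit, ISSU, or
    `clear copp statistics`), so the current value is the growth since the reset."""
    deltas = {}
    for name, c in current["classes"].items():
        now = c.get("violated", 0)
        before = previous["classes"].get(name, {}).get("violated", 0)
        deltas[name] = now if now < before else now - before
    return deltas


if __name__ == "__main__":
    stats = parse_copp_stats(SAMPLE_OUTPUT)
    print("applied policy:", stats["policy"])
    for name in dropping_classes(stats):
        c = stats["classes"][name]
        print(f"drops in {name}: {c['violated']} bytes violated "
              f"(cir {c['cir_kbps']} kbps, bc {c['bc_bytes']} bytes)")
```

Polling this way and alerting on the delta rather than the raw counter is what makes the difference between "drops occurred at some point" and "drops are occurring now", which is the question the guideline asks you to answer before deciding whether to switch policy or adjust a class in the customized policy.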
Monitoring CoPP with SNMP
Beginning with Cisco NX-OS Release 7.1(1)N1(1), CoPP supports the Cisco class-based QoS MIB (cbQoSMIB). All of the CoPP elements can now be monitored (but not modified) using SNMP. This feature applies only to policies and their subelements (such as classes, match rules, and set actions) that are attached to the control plane. Elements of policies that are not in service on the control plane are not visible through SNMP.
The following cbQoSMIB tables are supported:
• cbQosPolicyMapCfg
• cbQosClassMapCfg
• cbQosMatchStmtCfg
• cbQosPoliceCfg
• cbQosSetCfg
• cbQosPoliceStat
More detailed information on cbQoSMIB tables and elements is available at the following URLs:
• http://tools.cisco.com/Support/SNMP/do/BrowseOID.do?local=en&translate=Translate&objectInput=1.3.6.1.4.1.9.9.166
• http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus6000/sw/system_management/7x/b_6k_System_Mgmt_Config_7x/b_6k_System_Mgmt_Config_7x_chapter_010110.html
Clearing the CoPP Statistics
Procedure
Step 1: switch# show policy-map interface control-plane
  Purpose: (Optional) Displays the currently applied CoPP policy and per-class statistics.
Step 2: switch# clear copp statistics
  Purpose: Clears the CoPP statistics.
This example shows how to clear the CoPP statistics for your installation:
switch# show policy-map interface control-plane
switch# clear copp statistics
Additional References for CoPP
This section provides additional information related to implementing CoPP.
Related Documents
Related Topic: Licensing
  Document Title: Cisco NX-OS Licensing Guide
Related Topic: Command reference
  Document Title:
Chapter 15
Configuring TCAM Carving
This chapter contains the following sections:
• Information About TCAM Carving, page 305
• Information About User-Defined Templates, page 305
• Creating a User-Defined Template, page 308
• Modifying a User Defined Template, page 308
• Committing a User-Defined Template, page 308
•
• Verifying the TCAM Carving Configuration, page 310
Information About TCAM Carving
The Ternary Content-Addressable Memory (TCAM) carving feature uses a template-based approach that enables you to modify the default region sizes of the TCAM. When the switch boots up, you see this default template, unless you have configured any other template. This table lists the types and sizes of various regions in a template.
Information About User-Defined Templates
In addition to the default template, you can create a maximum of 16 templates (which means that you can have 17 templates at one time). You can specify whatever sizes of ternary content addressable memory (TCAM) regions you want.
You can apply the following operations on each template:
• Create
• Modify
• Delete
• Commit
Each template can be in one of the following states:
• Saved
• Committed
Create
When you create a template, the sizes of the TCAM regions are initialized to the default values, and the template is in the saved state. Once you create a template, you can modify it to change the size of any TCAM region. Configure the size of each region in multiples of 64, because each TCAM block holds 64 entries. If you enter a value that is not a multiple of 64, an error message asks you to enter the value again.
Modify
You can modify any saved template to change the size of any TCAM region, but you cannot set the size of any region to 0. During the modification, the software checks that the size that you entered is on a 64-entry boundary. While you are modifying a template, the combined size of all the TCAM regions may be fewer than 4096 entries; the software does not check the combined size during modification (that check happens at commit time).
You can modify a template only when it is in the saved state. After a template is committed, you cannot modify it.
A user-defined committed template can be changed to the created state by servicing another user-defined template or the default template.
To service another user-defined template, enter the following command:
hardware profile tcam resource service-template user-defined-template
To service the default template, enter the following command:
no hardware profile tcam resource service-template currently-committed-template
Delete
You can delete any saved template. After you delete a template, all information about the template is lost. A committed template cannot be deleted.
A user-defined committed template can be changed to the created state by servicing another user-defined template or the default template.
To service another user-defined template, enter the following command:
hardware profile tcam resource service-template user-defined-template
To service the default template, enter the following command:
no hardware profile tcam resource service-template currently-committed-template
Commit
You can commit any of your user-defined templates or the default template that is provided by the software.
To commit a template, enter the commit command and reboot the switch. When you enter the commit command, the software validates the template. If the validation is successful, the software prompts you to reboot the switch. The template (user-defined or default) is applied after the reboot. If you do not choose to reboot, no changes are made to the TCAM regions and no template is committed.
After you commit a template, the system does not automatically reboot, but a message is displayed in the commit command output asking you to reboot the switch for the committed template to take effect. After you agree to reboot, the following occurs:
• The committed template is saved in the startup configuration.
• The switch is rebooted.
• The committed template is used by the software.
• The template goes to the running state.
After the switch reboots, the committed template is applied to all ASICs on the Cisco Nexus device. You cannot commit different templates to different ASICs on the Cisco Nexus device. All saved templates and committed templates along with the size of each region of each template are displayed in the running configuration.
When a template is committed, the software checks the following:
1. The combined size of all regions in the TCAM is 4096 entries.
2. The size of each region fits within the TCAM. At any point in time, there is always a running size for each TCAM region. This running size (the current size in the hardware TCAM) is defined by either the default template or a user-defined template that was committed and is currently being used as the running template. If the template being committed increases the size of a region from its current running size, the software checks whether there are enough free entries outside the current region (entries that are not allocated to any other region) to increase the size of the region. If the template being committed decreases the size of a region from its current running size, the software checks whether enough entries within the region can be freed to reduce the size of the TCAM region. All changes that reduce the sizes of regions within the template are made before the changes that increase the sizes of regions within the template.
3. The hardware does not support more than 256 entries in the sup and span regions. This check is done during validation.
If all these checks pass, you can commit the template and you are prompted to apply the template by rebooting. If any check fails, the commit fails and the template goes back to the saved state; the commit command output displays the reasons that it failed.
You cannot modify or delete the default template. You can only move this template from saved to committed or committed to saved. If the default template is committed, it is not displayed in the running configuration.
To apply the default template, enter the no commit command using the currently running template. Entering this command executes the same validation checks that were performed when you committed the template.
If all validations succeed, the software prompts you to reboot the switch. If you agree to reboot, the template is saved in the startup configuration and the system is rebooted. After the reboot, the default template is applied. The startup configuration has the committed template that you committed before rebooting. After rebooting, the template in the startup configuration is used. If there is no committed template in the startup configuration, the default template is used.
You create and manage the TCAM carving templates by entering the template manager commands. The template-based TCAM carving CLI is supported in config-sync. Only template creation is supported inside config-sync. Template commit should be performed separately on each switch outside the config-sync context.
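The commit-time validation described above, modelled as an added Python example (not Cisco code and not run on a switch): region names, the running sizes and the current usage figures are constructed for illustration, and the "entries in use" check is an assumption about why a shrink can fail.

```python
"""Model of the TCAM carving template checks described in this chapter.

Added example for illustration only; it is not Cisco code and does not
talk to a switch. Region names, sizes and usage below are constructed.
"""
from dataclasses import dataclass

BLOCK = 64            # each TCAM block holds 64 entries
TCAM_ENTRIES = 4096   # combined size of all regions required at commit
HW_CAP = {"sup": 256, "span": 256}  # regions the hardware caps at 256


@dataclass(frozen=True)
class Region:
    """Running state of one TCAM region: allocated size and entries in use."""
    size: int
    used: int


# Constructed running template (sizes sum to 4096); not the real defaults.
RUNNING = {
    "vacl": Region(1024, 200),
    "ifacl": Region(1024, 900),
    "qos": Region(512, 32),
    "rbacl": Region(512, 0),
    "span": Region(256, 0),
    "sup": Region(256, 100),
    "copp": Region(512, 128),
}


def check_region_size(name: str, size: int) -> list[str]:
    """Checks applied when a region is modified: non-zero, on a 64 boundary."""
    errors = []
    if size == 0:
        errors.append(f"{name}: region size cannot be 0")
    elif size % BLOCK:
        errors.append(f"{name}: size {size} is not a multiple of {BLOCK}")
    return errors


def validate_commit(candidate: dict[str, int],
                    running: dict[str, Region]) -> list[str]:
    """Return the reasons a commit would fail (an empty list means it passes).

    Follows the documented order: per-region checks, the 4096 total, the
    256-entry cap on sup/span, then shrinks applied before grows so that
    entries released by shrinking are available to regions that grow.
    """
    errors = []
    if set(candidate) != set(running):
        return [f"template must define exactly these regions: {sorted(running)}"]
    for name, size in candidate.items():
        errors += check_region_size(name, size)
    total = sum(candidate.values())
    if total != TCAM_ENTRIES:
        errors.append(f"combined size is {total}, must be {TCAM_ENTRIES}")
    for name, cap in HW_CAP.items():
        if candidate[name] > cap:
            errors.append(f"{name}: {candidate[name]} exceeds hardware limit {cap}")
    if errors:
        return errors  # as on the switch: the template stays in the saved state

    free = 0  # entries released by shrinks, available to grows
    shrinks = {n: s for n, s in candidate.items() if s < running[n].size}
    grows = {n: s for n, s in candidate.items() if s > running[n].size}
    for name, new_size in shrinks.items():
        # Assumption: a region cannot shrink below the entries it is using.
        if new_size < running[name].used:
            errors.append(f"{name}: cannot shrink to {new_size}, "
                          f"{running[name].used} entries in use")
        else:
            free += running[name].size - new_size
    for name, new_size in grows.items():
        need = new_size - running[name].size
        if need > free:
            errors.append(f"{name}: needs {need} free entries, only {free} available")
        else:
            free -= need
    return errors


if __name__ == "__main__":
    wanted = {**{n: r.size for n, r in RUNNING.items()}, "qos": 576, "rbacl": 448}
    problems = validate_commit(wanted, RUNNING)
    print("commit accepted; reboot to apply" if not problems else "\n".join(problems))
```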
Creating a User-Defined Template
Procedure
Step 1: switch# configure terminal
Enters global configuration mode.
Step 2: switch(config)# hardware profile tcam resource template template-name
Creates a new template with the default region sizes. A maximum of 16 templates (plus the default) can be created. The template-name argument can be a maximum of 64 characters.
This example shows how to create a user-defined template named qos-template:
switch# configure terminal
switch(config)# hardware profile tcam resource template qos-template
Modifying a User Defined Template
Procedure
Step 1: switch# configure terminal
Enters global configuration mode.
Step 2: switch(config)# hardware profile tcam resource template template-name
Creates a new template with the default region sizes. A maximum of 16 templates (plus the default) can be created. Use this command to enter template mode.
This example shows how to modify the user-defined template named qos-template, setting the qos region to 64 entries:
switch# configure terminal
switch(config)# hardware profile tcam resource template qos-template
switch(config-tmpl)# qos 64
Committing a User-Defined Template
You can commit a user-defined template.
Procedure
Step 1: switch# configure terminal
Enters global configuration mode.
Step 2: switch(config)# hardware profile tcam resource service-template template-name
Commits a previously defined template in the running image.
Step 3: switch(config)# copy running-config startup-config
Saves the change persistently through reboots and restarts by copying the running configuration to the startup configuration.
This example shows how to commit a user-defined template:
switch# configure terminal
switch(config)# hardware profile tcam resource service-template qos-template
Details of qos-template:
Region Features Size-allocated Current-usage Available/free
(The per-region rows of this table, covering the vacl, ifacl, qos, rbacl, span, sup and copp regions, are not legible in the source.)
switch(config)# copy running-config startup-config
What to Do Next
Reboot the system.
Deleting a Template
After creating a template, the template can be deleted. Deleting removes all the information about the template from the software.
Procedure
Step 1: switch# configure terminal
Enters global configuration mode.
Step 2: switch(config)# no hardware profile tcam resource template template-name
Deletes a user-defined template. Only saved templates can be deleted. Templates that are committed/running cannot be deleted. A template that is in the running configuration (same as the startup configuration) cannot be deleted. Any other user-defined template that is in a saved state can be deleted. The default template cannot be deleted.
This example shows how to delete a template:
switch# configure terminal
switch(config)# no hardware profile tcam resource template qos-template
Verifying the TCAM Carving Configuration
To display TCAM carving configuration information, enter one of the following commands:
show hardware profile tcam resource template
Displays all templates.
show hardware profile tcam resource template name template-name
Displays a user-defined template.
show hardware profile tcam resource template default
Displays the default template.
Index
802.1X
87, 90, 91, 93, 94, 95, 96, 97, 98, 99, 101, 104, 109, 110, 111, 112,
authenticator PAEs
configuration process
configuring
configuring AAA accounting methods
configuring AAA authentication methods
configuring on member ports
controlling on interfaces
default settings
description
disabling authentication
disabling feature
enabling feature
enabling MAC authentication bypass
enabling multiple hosts mode
enabling periodic reauthentication on interfaces
enabling single host mode
example configuration
guidelines
licensing requirements
limitations
MAC authentication bypass
monitoring
multiple host support
prerequisites
setting interface maximum retransmission retry count
single host support
supported topologies
verifying configuration
802.1X authentication
authorization states for ports
changing timers on interfaces
enabling RADIUS accounting
initiation
manually initializing
802.1X reauthentication
setting maximum retry count on interfaces
802.1X supplicants
manually reauthenticating
A
AAA
3, 7, 8, 10, 11, 12, 17, 18, 46, 98, 135, 137
accounting
authentication
benefits
configuring authentication methods for 802.1X
Configuring Console Authorization Commands
configuring console login
configuring for Cisco TrustSec
configuring for RADIUS servers
configuring nonseed device for Cisco TrustSec
configuring seed device for Cisco TrustSec
default settings
description
enabling MSCHAP authentication
guidelines
limitations
prerequisites
user login process
AAA accounting
configuring default methods
configuring methods for 802.1X
AAA accounting logs
clearing
displaying
AAA authorization
configuring on TACACS+ servers
AAA logins
enabling authentication failure messages
AAA protocols
RADIUS
TACACS+
AAA server groups
description
AAA servers
specifying SNMPv3 parameters
specifying user roles
specifying user roles in VSAs
AAA services
configuration options
remote
accounting
description
ACL
processing order
sequence numbers
ACL implicit rules
ACLs
applications
creating log entries for
guidelines
identifying traffic by protocols
licensing
limitations
prerequisites
types
VLAN
ARP ACLs
description
priority of ARP ACLs and DHCP snooping entries
authentication
802.1X
Cisco TrustSec
configuring for Cisco TrustSec
description
local
methods
remote
user login
authenticator PAEs
creating on an interface
description
removing from an interface
authorization
user login
verifying commands
C
changed information
description
Cisco
vendor ID
Cisco TrustSec
121, 126, 129, 130, 131, 132, 133, 134, 135, 137, 148, 150,
architecture
authorization
configuring
configuring AAA on nonseed device
configuring AAA on seed device
configuring device credentials
configuring pause frame encryption and decryption on interfaces
default values
description
enabling
enabling (example)
environment data download
example configurations
guidelines
licensing
limitations
manually configuring SXP
policy acquisition
prerequisites
RADIUS relay
SGACLs
SGTs
verifying configuration
Cisco TrustSec authentication
123, 124, 125, 135, 138, 139, 146, 170
802.1X role selection description
configuration process
configuring
configuring in manual mode
description
EAP-FAST enhancements
manual mode configuration examples
summary
Cisco TrustSec authorization
configuration process
configuring
Cisco TrustSec device credentials
description
Cisco TrustSec device identities
description
Cisco TrustSec environment data
download
Cisco TrustSec policies
example enforcement configuration
Cisco TrustSec seed devices
description
example configuration
Cisco TrustSec user credentials
description
cisco-av-pair
specifying AAA user parameters
class maps
CoPP
clearing statistics
CoPP
commands
disabling authorization verification
enabling authorization verification
committing
user defined template
configuration status
CoPP
control plane
policies
applying
control plane class maps
verifying the configuration
control plane policy maps
verifying the configuration
control plane protection
CoPP
packet types
control plane protection, classification
control plane protection, CoPP
rate controlling mechanisms
CoPP
287, 289, 290, 293, 297, 298, 301, 302, 303
class maps
clearing statistics
configuration status
control plane protection
control plane protection, classification
default settings
guidelines
information about
licensing
limitations
monitoring
monitoring with SNMP
policy templates
restrictions for management interfaces
verifying the configuration
CoPP policies
applying
customized
default
scaled Layer 2
scaled Layer 3
CoPP policy
customized
modifying
creating
user defined template
CTS, See
customized CoPP policy
modifying
D
DAI
default settings
guidelines
limitations
default settings
port security
default CoPP policy
default settings
802.1X
AAA
CoPP
DAI
IP Source Guard
device roles
description for 802.1X
DHCP binding database, See
DHCP snooping binding database
DHCP Option 82
description
DHCP relay agent
described
enabling or disabling
enabling or disabling Option 82
enabling or disabling subnet broadcast support on a Layer 3
Interface
enabling or disabling VRF support
VRF support
DHCP relay binding database
description
DHCP relay statistics
clearing
DHCP snooping
binding database
default settings
description
guidelines
in a vPC environment
limitations
message exchange process
Option 82
overview
DHCP snooping binding database
See also
DHCP snooping binding database
described
description
entries
See also
DHCP snooping binding database
DHCPv6 relay
configuring the source interface
DHCPv6 relay agent
described
enabling or disabling
enabling or disabling VRF support
VRF support
DHCPv6 relay statistics
clearing
dynamic ARP inspection
ARP cache poisoning
ARP requests
ARP spoofing attack
DHCP snooping binding database
function of
interface trust states
logging of dropped packets
network security issues and interface trust states
priority of ARP ACLs and DHCP snooping entries
Dynamic Host Configuration Protocol snooping, See
E
examples
AAA configurations
G
guidelines
ACLs
CoPP
DAI
DHCP snooping
port security
L
LDRA
described
licensing
802.1X
ACLs
Cisco TrustSec
CoPP
Lightweight DHCPv6 relay agent
described
guidelines and limitations
limitations
ACLs
CoPP
DAI
DHCP snooping
port security
logging
creating ACL for
logical operation units
IP ACLs
logical operators
IP ACLs
login
RADIUS servers
LOU, See
I
IDs
Cisco vendor ID
information about
default template
user-defined templates
IP ACL implicit rules
IP ACLs
4, 175, 179, 184, 185, 186, 188, 189
applications
applying as a Router ACL
applying as port ACLs
changing
changing sequence numbers in
description
logical operation units
logical operators
removing
types
IP Source Guard
default settings
M
MAC ACL implicit rules
MAC ACLs
ACLs
MAC
creating
creating
MAC addresses
learning
MAC authentication
bypass for 802.1X
enabling bypass in 802.1X
management interfaces
CoPP restrictions
modifying
user defined template
monitoring
CoPP
RADIUS
RADIUS servers
MSCHAP
enabling authentication
N
new information
description
P
policy templates
description
port ACL
port security
default settings
guidelines
limitations
MAC address learning
MAC move
violations
ports
authorization states for 802.1X
preshared keys
TACACS+
privilege level support for TACACS+ authorization
configuring
privilege roles
permitting or denying commands for
R
RADIUS
4, 35, 36, 38, 44, 50, 51, 130
configuring servers
configuring timeout intervals
configuring transmission retry counts
default settings
description
example configurations
monitoring
network environments
operations
prerequisites
relay for Cisco TrustSec
statistics, displaying
RADIUS accounting
enabling for 802.1X authentication
RADIUS server groups
global source interfaces
RADIUS server preshared keys
RADIUS servers
allowing users to specify at login
configuring AAA for
configuring timeout interval
configuring transmission retry count
deleting hosts
example configurations
manually monitoring
RADIUS statistics
clearing
RADIUS, global preshared keys
RADIUS, periodic server monitoring
RADIUS, server hosts
configuring
rate controlling mechanisms
control plane protection, CoPP
RBACL
clearing statistics
displaying statistics
enabling statistics
RBACL logging
enabling
remote devices
connecting to using SSH
router ACLs
rules
implicit
S
SAP
configuring modes on interfaces
SAP keys
regenerating on interfaces
scaled Layer 2 CoPP policy
scaled Layer 3 CoPP policy
secure MAC addresses
learning
security
policies
applying
port
MAC address learning
security group access lists, See
security group tag, See SGT server groups
servers
RADIUS
SGACL policies
clearing
displaying downloaded policies
manually configuring
SGACL policy enforcement
enabling on VLANs
enabling on VRF instances
SGACLs
configuring
description
example manual configuration
example SGT mapping configuration
SGACLs policies
acquisition
refreshing downloaded policies
SGT Exchange Protocol, See
SGTs
description
example mapping configuration
manually configuring
manually configuring address-to-SGACL mapping
propagation with SXP
SNMP
monitoring CoPP
SNMPv3
specifying AAA parameters
specifying parameters for AAA servers
source interfaces
RADIUS server groups
TACACS+ server groups
SSH
description
SSH clients
SSH server keys
SSH servers
SSH sessions
clearing
connecting to remote devices
statistics
for RBACL
TACACS+
SXP
128, 161, 162, 163, 164, 165, 166, 167
changing reconcile periods
changing retry periods
configuration process
configuring default passwords
configuring default source IP addresses
configuring manually
configuring peer connections
enabling
SGT propagation
SXP connections
example manual configuration
TACACS+ (continued) configuring global timeout interval
description
displaying statistics
example configurations
field descriptions
global preshared keys
limitations
prerequisites
preshared key
user login operation
verifying command authorization
TACACS+ command authorization
configuring
testing
TACACS+ server groups
global source interfaces
TACACS+ servers
configuring hosts
configuring TCP ports
configuring timeout interval
field descriptions
manually monitoring
TCP ports
TACACS+ servers
Telnet
description
Telnet server
enabling
reenabling
Telnet servers
Telnet sessions
clearing
connecting to remote devices
U
user defined template
committing
creating
modifying
user login
authentication process
authorization process
user roles
specifying on AAA servers
user-defined templates
information about
T
TACACS+
4, 53, 54, 55, 56, 57, 66, 69, 73, 74
advantages over RADIUS
configuring
V
vendor-specific attributes
verifying
AAA configuration
RADIUS configuration
TACACS+ configuration
TCAM carving configuration
VLAN ACLs
information about
vPCs
and DHCP snooping
VSAs
format
protocol options
support description
- 200 Sequence Numbers
- 201 Logical Operators and Logical Operation Units
- 201 ACL Resource Management
- 202 Statistics and ACLs
- 203 Licensing Requirements for ACLs
- 203 Prerequisites for ACLs
- 203 Guidelines and Limitations for ACLs
- 204 Default ACL Settings
- 205 Configuring IP ACLs
- 205 Creating an IP ACL
- 206 Changing an IP ACL
- 207 Removing an IP ACL
- 208 Changing Sequence Numbers in an IP ACL
- 208 Configuring ACLs with Logging
- 209 Applying an IP ACL to mgmt0
- 210 Applying an IP ACL as a Router ACL
- 211 Applying an IP ACL as a Port ACL
- 212 Verifying IP ACL Configurations
- 212 Monitoring and Clearing IP ACL Statistics
- 213 Configuring MAC ACLs
- 213 Creating a MAC ACL
- 214 Changing a MAC ACL
- 215 Removing a MAC ACL
- 215 Changing Sequence Numbers in a MAC ACL
- 216 Applying a MAC ACL as a Port ACL
- 216 Verifying MAC ACL Configurations
- 217 Displaying and Clearing MAC ACL Statistics
- 217 Example Configuration for MAC ACLs
- 217 Information About VLAN ACLs
- 217 VACLs and Access Maps
- 218 VACLs and Actions
- 218 Statistics
- 218 Configuring VACLs
- 218 Creating or Changing a VACL
- 219 Removing a VACL
- 220 Applying a VACL to a VLAN
- 220 Verifying the VACL Configuration
- 220 Displaying and Clearing VACL Statistics
- 221 Configuration Examples for VACL
- 221 Configuring ACLs on Virtual Terminal Lines
- 222 Verifying ACLs on VTY Lines
- 223 Configuration Examples for ACLs on VTY Lines
- 224 Configuring the ACL Resource Usage Threshold
- 225 Configuring Port Security
- 225 Information About Port Security
- 226 Secure MAC Address Learning
- 226 Static Method
- 226 Dynamic Method
- 226 Sticky Method
- 227 Dynamic Address Aging
- 227 Secure MAC Address Maximums
- 228 Security Violations and Actions
- 230 Port Type Changes
- 230 Licensing Requirements for Port Security
- 230 Prerequisites for Port Security
- 231 Guidelines and Limitations for Port Security
- 231 Guidelines and Limitations for Port Security on vPCs
- 232 Default Settings for Port Security
- 232 Configuring Port Security
- 232 Enabling or Disabling Port Security Globally
- 233 Enabling or Disabling Port Security on a Layer 2 Interface
- 234 Enabling or Disabling Sticky MAC Address Learning
- 235 Adding a Static Secure MAC Address on an Interface
- 236 Removing a Static Secure MAC Address on an Interface
- 237 Removing a Dynamic Secure MAC Address
- 238 Configuring a Maximum Number of MAC Addresses
- 239 Configuring an Address Aging Type and Time
- 241 Configuring a Security Violation Action
- 242 Verifying the Port Security Configuration
- 242 Displaying Secure MAC Addresses
- 242 Configuration Example for Port Security
- 243 Configuration Example of Port Security in a vPC Domain
- 243 Additional References for Port Security
- 245 Configuring DHCP Snooping
- 246 Information About DHCP Snooping
- 246 Feature Enabled and Globally Enabled
- 247 Trusted and Untrusted Sources
- 247 DHCP Snooping Binding Database
- 247 DHCP Snooping Option 82 Data Insertion
- 249 DHCP Snooping in a vPC Environment
- 249 Synchronizing DHCP Snooping Binding Entries
- 250 Packet Validation
- 250 Information About the DHCP Relay Agent
- 250 DHCP Relay Agent
- 251 VRF Support for the DHCP Relay Agent
- 251 DHCP Relay Binding Database
- 252 Information About the DHCPv6 Relay Agent
- 252 DHCPv6 Relay Agent
- 252 VRF Support for the DHCPv6 Relay Agent
- 252 Information About the Lightweight DHCPv6 Relay Agent
- 252 Lightweight DHCPv6 Relay Agent
- 252 LDRA for VLANs and Interfaces
- 253 Guidelines and Limitations for Lightweight DHCPv6 Relay Agent
- 253 vIP HSRP Enhancement
- 253 Guidelines and Limitations for DHCP Snooping
- 254 Guidelines and Limitations for the vIP HSRP Enhancement
- 255 Default Settings for DHCP Snooping
- 255 Configuring DHCP Snooping
- 255 Minimum DHCP Snooping Configuration
- 256 Enabling or Disabling the DHCP Snooping Feature
- 257 Enabling or Disabling DHCP Snooping Globally
- 257 Enabling or Disabling DHCP Snooping on a VLAN
- 258 Enabling or Disabling Option 82 Data Insertion and Removal
- 259 Enabling or Disabling Strict DHCP Packet Validation
- 260 Configuring an Interface as Trusted or Untrusted
- 261 Enabling or Disabling the DHCP Relay Agent
- 262 Enabling or Disabling Option 82 for the DHCP Relay Agent
- 263 Enabling or Disabling VRF Support for the DHCP Relay Agent
- 264 Enabling or Disabling Subnet Broadcast Support for the DHCP Relay Agent on a Layer 3 Interface
- 265 Creating a DHCP Static Binding
- 266 Configuring the DHCPv6 Relay Agent
- 266 Enabling or Disabling the DHCPv6 Relay Agent
- 267 Enabling or Disabling VRF Support for the DHCPv6 Relay Agent
- 268 Configuring the DHCPv6 Relay Source Interface
- 269 Configuring Lightweight DHCPv6 Relay Agent
- 269 Configuring Lightweight DHCPv6 Relay Agent for an Interface
- 270 Configuring Lightweight DHCPv6 Relay Agent for a VLAN
- 271 Enabling the DHCP Relay Agent Using a VIP Address
- 272 Verifying the DHCP Snooping Configuration
- 272 Displaying DHCP Bindings
- 272 Displaying and Clearing LDRA Information
- 276 Clearing the DHCP Snooping Binding Database
- 277 Clearing DHCP Relay Statistics
- 277 Clearing DHCPv6 Relay Statistics
- 277 Monitoring DHCP
- 277 Configuration Examples for DHCP Snooping
- 278 Configuration Examples for LDRA
- 279 Configuring Dynamic ARP Inspection
- 279 Information About DAI
- 279 ARP
- 280 ARP Spoofing Attacks
- 280 DAI and ARP Spoofing Attacks
- 281 Interface Trust States and Network Security
- 282 Prioritizing ARP ACLs and DHCP Snooping Entries
- 283 Logging DAI Packets
- 283 Licensing Requirements for DAI
- 284 Prerequisites for DAI
- 284 Guidelines and Limitations for DAI
- 285 Default Settings for DAI
- 285 Configuring DAI
- 285 Enabling or Disabling DAI on VLANs
- 286 Configuring the DAI Trust State of a Layer 2 Interface
- 287 Applying ARP ACLs to VLANs for DAI Filtering
- 288 Enabling or Disabling Additional Validation
- 289 Configuring the DAI Logging Buffer Size
- 290 Configuring DAI Log Filtering
- 291 Verifying the DAI Configuration
- 291 Monitoring and Clearing DAI Statistics
- 292 Configuration Examples for DAI
- 292 Example 1: Two Devices Support DAI
- 292 Configuring Device A
- 295 Configuring Device B
- 297 Configuring ARP ACLs
- 297 Session Manager Support for ARP ACLs
- 297 Creating an ARP ACL
- 298 Changing an ARP ACL
- 299 Removing an ARP ACL
- 300 Changing Sequence Numbers in an ARP ACL
- 301 Verifying the ARP ACL Configuration
- 303 Configuring IP Source Guard
- 303 Information About IP Source Guard
- 304 Licensing Requirements for IP Source Guard
- 304 Prerequisites for IP Source Guard
- 304 Guidelines and Limitations for IP Source Guard
- 304 Default Settings for IP Source Guard
- 305 Configuring IP Source Guard
- 305 Enabling or Disabling IP Source Guard on a Layer 2 Interface
- 306 Adding or Removing a Static IP Source Entry
- 307 Displaying IP Source Guard Bindings
- 307 Configuration Example for IP Source Guard
- 307 Additional References for IP Source Guard
- 309 Configuring Control Plane Policing
- 309 Information About CoPP
- 311 Control Plane Protection
- 311 Control Plane Packet Types
- 311 Classification for CoPP
- 311 Rate Controlling Mechanisms
- 312 CoPP Extended Rate
- 312 CoPP Class Maps
- 315 CoPP Policy Templates
- 315 Default CoPP Policy
- 316 Scaled Layer 2 CoPP Policy
- 317 Scaled Layer 3 CoPP Policy
- 318 Customizable CoPP Policy
- 319 CoPP and the Management Interface
- 319 Licensing Requirements for CoPP
- 320 Guidelines and Limitations for CoPP
- 320 Default Settings for CoPP
- 321 Configuring CoPP
- 321 Applying a CoPP Policy to the Switch
- 322 Modifying the Customized CoPP Policy
- 322 Configuring CoPP Extended Rate
- 323 Verifying the CoPP Configuration
- 324 Displaying the CoPP Configuration Status
- 324 Monitoring CoPP
- 325 Monitoring CoPP with SNMP
- 325 Clearing the CoPP Statistics
- 325 Additional References for CoPP
- 327 Configuring TCAM Carving
- 327 Information About TCAM Carving
- 327 Information About User-Defined Templates
- 330 Creating a User-Defined Template
- 330 Modifying a User-Defined Template
- 330 Committing a User-Defined Template
- 331 Deleting a Template
- 332 Verifying the TCAM Carving Configuration
- 333 INDEX