- Preface
- New and Changed Information
- Overview
- Configuring FIPS
- Configuring AAA
- Configuring RADIUS
- Configuring TACACS+
- Configuring LDAP
- Configuring SSH and Telnet
- Configuring PKI
- Configuring User Accounts and RBAC
- Configuring 802.1X
- Configuring IP ACLs
- Configuring MAC ACLs
- Configuring VLAN ACLs
- Configuring Port Security
- Configuring DHCP
- Configuring IPv6 First Hop Security
- Configuring Dynamic ARP Inspection
- Configuring IP Source Guard
- Configuring Password Encryption
- Configuring Keychain Management
- Configuring Traffic Storm Control
- Configuring Unicast RPF
- Configuring Switchport Blocking
- Configuring Control Plane Policing
- Configuring Rate Limits
- Configuring MACsec
- Index
Contents
* - 8 - A - B - C - D - E - F - G - H - I - K - L - M - N - O - P - R - S - T - U - V - W
Index
*
***radius-server test {password} 18
802.1Xauthenticator PAEs 1configuring 1default settings 1description 1enabling feature 1example configuration 1guidelines 1limitations 1MAC authenication bypass 1multiple host support 1prerequisites 1single host support 1supported topologies 1verifying configuration 1802.1X authenticationauthorization states for ports 1enabling RADIUS accounting 1initiation 1802.1X reauthenticationsetting maximum retry count on interfaces 1802.1X supplicantsmanually reauthenticating 1A
aaa accounting default 1aaa accounting default group 1aaa accounting default local 1aaa accounting dot1x default group 1aaa authentication dot1x default group 1aaa authentication login ascii-authentication 1aaa authentication login chap enable 1aaa authentication login default 1aaa authentication login error-enable 1aaa authentication login {mschap | mschapv2} enable 1aaa authorization default 1aaa authorization ssh-certificate default 1aaa authorization {commands | config-commands} {console | default} {group} 1aaa authorization {group | local} 1aaa authorization {ssh-certificate | ssh-publickey} 1aaa group server ldap 1aaa group server radius 1aaa group server tacacs+ 1aaa user default-role 1absolute end 1absolute start 1accept-lifetime 1acllog match-log-level 1action {drop | forward | redirect} 1authentication802.1X 1authentication (bind-first | compare} 1authenticator PAEscreating on an interface 1description 1removing from an interface 1B
BGPusing with Unicast RPF 1C
CA trust pointscreating associations for PKI 1CAsauthenticating 1configuring 1deleting certificates 1description 1displaying configuration 1enrollment using cut-and-paste 1example configuration 1example of downloading certificate 1generating identity certificate requests 1identity 1installing identity certificates 1multiple 1multiple trust points 1peer certificates 1purpose 1certificate authorities. 1See CAs 1certificate revocation checkingconfiguring methods 1certificate revocation lists 1See CRLs 1certificatesexample of revoking 1chgrp 1chown 1cipher-suite 1class 1class class-default 1class insert-before 1class-map 1clear access-list ipsg stats 1clear accounting log 1clear copp statistics 1clear hardware rate-limiter module 1clear hardware rate-limiter {all | access-list-log | bfd | exception | fex | layer-3 glean | layer-3 multicast local-groups | span-egress} 1clear ip access-list counters 1clear ip arp inspection log 1clear ip arp inspection statistics 1clear ip dhcp global statistics 1clear ip dhcp relay statistics interface 1clear ip dhcp snooping binding interface ethernet 1clear ip dhcp snooping binding interface port-channel 1clear ip dhcp snooping binding vlan 1clear ip dhcp snooping statistics 1clear ip dhcp snooping statistics vlan 1clear ipv6 access-list counters 1clear ipv6 dhcp relay statistics interface 1clear ldap-server statistics 1clear mac access-list counters 1clear port-security dynamic 1clear port-security dynamic address 1clear radius-server statistics 1clear ssh hosts 1clear tacacs-server statistics 1conf-offset 1copp copy profile prefix | suffix} 1copp copy profile {strict | moderate | lenient| dense 1copp profile 1copp profile dense 1copp profile lenient 1copp profile moderate 1copp profile strict 1copy scp 1copy scp: 1copy sftp 1CRLsconfiguring 1description 1downloading 1generating 1importing example 1publishing 1crypto ca authenticate 1crypto ca crl request 1crypto ca trustpoint 1cryptographic-algorithm {HMAC-SHA-1 | HMAC-SHA-256 | HMAC-SHA-384 | HMAC-SHA-512 | MD5} 1D
deadtime 1deafult settingsport security 1default settings802.1X 1PKI 1denial-of-service attacksIP address spoofing, mitigating 1description 1device rolesdescription for 802.1X 1DHCP client relay on orphan portsdescription 1DHCP relay on VPC Legdescription 1DHCP relay on-stackdescription 1digital certificatesconfiguring 1exporting 1importing 1peers 1purpose 1DoS attacksUnicast RPF, deploying 1dot1x default 1dot1x host-mode {multi-host | single-host} 1dot1x max-req 1dot1x port-control {auto | force-authorized | forced-unauthorized} 1dot1x re-authentication 1dot1x timeout quiet-period 1dot1x timeout ratelimit-period 1dot1x timeout re-authperiod 1dot1x timeout server-timeout 1dot1x timeout supp-timeout 1dot1x timeout tx-period 1E
enable Cert-DN-match 1enable user-server-group 1encryption decrypt type6 1encryption delete type6 1F
feature 1feature dhcp 1feature dot1x 1feature ldap 1feature port-security 1feature scp-server 1feature sftp-server 1feature tacacs+ 1feature telnet 1FIPSconfiguration example 1disabling 1enabling 1self-tests 1G
guidelinesport security 1H
hardware profile tcam resource service-template 1hardware profile tcam resource template 1hardware rate-limiter bfd 1hardware rate-limiter exception 1hardware rate-limiter fex 1hardware rate-limiter layer-3 glean 1hardware rate-limiter layer-3 multicast local-groups 1hardware rate-limiter span-egress 1hostnamesconfiguring for PKI 1I
identity certificatesdeleting for PKI 1generating requests 1installing 1interface policy dent 1ip access-class 1ip arp inspection log-buffer entries 1ip arp inspection trust 1ip arp inspection validate 1ip arp inspection validate dst-mac 1ip arp inspection validate ip 1ip arp inspection validate src-mac 1ip dhcp relay address 1ip dhcp relay address use-vrf 1ip dhcp relay information option 1ip dhcp relay information option server-id-override-disable 1ip dhcp relay information option trust 1ip dhcp relay information option vpn 1ip dhcp relay information trust-all 1ip dhcp relay information trusted 1ip dhcp relay source-interface 1ip dhcp relay sub-option circuit-id customized 1ip dhcp relay sub-option circuit-id format-type string 1ip dhcp relay sub-option type cisco 1ip dhcp smart-relay 1ip dhcp smart-relay global 1ip dhcp snooping information option 1ip dhcp snooping ipsg-excluded vlan 1ip dhcp snooping trust 1ip dhcp snooping verify mac-address 1ip dhcp snooping vlan 1IP domain namesconfiguring for PKI 1ip port access group 1ip radius source-interface 1ip source binding 1ip tacacs source-interface 1ip verify source dhcp-snooping-vlan 1ip verify unicast source reachable-via 1ip verify unicast source reachable-via any 1ipv6 access-class 1ipv6 address use-link-local-only 1ipv6 dhcp relay 1ipv6 dhcp relay address 1ipv6 dhcp relay option type cisco 1ipv6 dhcp relay option vpn 1ipv6 dhcp relay source-interface 1ipv6 dhcp smart-relay 1ipv6 dhcp smart-relay global 1ipv6 port traffic-filter 1ipv6 traffic-filter 1ipv6 verify unicast source reachable-via 1ipv6 verify unicast source reachable-via any 1K
key-chain macsec-psk no-show 1key-octet-string 1key-server-priority 1key-string 1L
ldap search-map 1ldap-server host idle-time 1ldap-server host rootDN 1ldap-server host test rootDN 1ldap-server host username 1ldap-server timeout 1limitationsport security 1line vty 1logging drop threshold 1logging ip access-list cache entries 1logging ip access-list cache interval 1logging ip access-list cache threshold 1logging ip access-list detailed 1login block-for 1login block-for attempts 1login on-failure log 1login on-success log 1login quiet-mode access-class 1M
MAC addresseslearning 1MAC authenticationbypass for 802.1X 1mac packet-classify 1macsec policy 1match exception {ip | ipv6} icmp redirect 1match exception {ip | ipv6} icmp unreachable 1match exception {ip | ipv6} option 1match mac address 1match protocol arp 1match {ip | ipv6} address 1N
no dot1x system-auth-control 1no feature dot1x 1no feature tacacs+ 1no ip access-list 1no ipv6 access-list 1no key chain 1no mac access-list 1no object-group {ip address | ipv6 address | ip port} 1no ssh key dsa 1no ssh key rsa 1no time-range 1no vlan access-map 1no {periodic | absolute} 1O
object-group ip address 1object-group ip port 1object-group ipv6 address 1P
password prompt username 1password strength-check 1per-user DACLguidelines 1limitations 1periodic 1permit http-method 1permit interface 1permit ip 1permit mac 1permit udf 1permit vlan 1permit vrf 1permit | deny 1PKIcertificate revocation checking 1configuring hostnames 1configuring IP domain names 1default settings 1description 1displaying configuration 1enrollment support 1example configuration 1generating RSA key pairs 1guidelines 1limitations 1policy-map 1policy-map type control-plane 1port securitydefault settings 1description 1guidelines 1limitations 1MAC address learning 1MAC move 1violations 1portsauthorization states for 802.1X 1R
RADIUS accountingenabling for 802.1X authentication 1radius-server directed-request 1radius-server host accounting 1radius-server host acct-port 1radius-server host auth-port 1radius-server host authentication 1radius-server host idle-time 1radius-server host password 1radius-server host retransmit 1radius-server host test 1radius-server host timeout 1radius-server host username 1radius-server retransmit 1radius-server test {idle-time} 1radius-server test {username} 1radius-server timeout 1resequence mac access-list 1resequence time-range 1resequence {ip | ipv6} access-list 1role feature-group name 1role name priv 1RSA key pairsdeleting from an Cisco NX-OS device 1exporting 1generating for PKI 1importing 1RSA key-pairsdescription 1displaying configuration 1exporting 1importing 1multiple 1rule {deny | permit ) command 1rule {deny | permit} command 1rule {deny | permit} {read | read-write} 1rule {deny | permit} {read | read-write} feature 1rule {deny | permit} {read | read-write} feature-group 1rule {deny | permit} {read | read-write} oid 1S
sak-expiry-time 1scale-factor 1secure MAC addresseslearning 1securityportMAC address learning 1security-policy 1service-policy 1service-policy input 1set cos 1show aa accounting 1show aaa authentication login chap 1show aaa authentication login {ascii-authentication | chap | error-enable | mschap | mschapv2} 1show aaa authentication login {mschap | mschapv2} 1show aaa authorization all 1show aaa groups 1show aaa user default-role 1show accounting log 1show cli syntax roles network-admin 1show cli syntax roles network-operator 1show copp profile 1show dot1x interface ethernet 1show dot1x {all | interface ethernet} 1show hardware access-list interface input entries detail 1show incompatibility nxos bootflash: 1show interface ethernet counters storm-control 1show interface port-channel counters storm-control 1show interface port-channel counters storm-control multi-threshold 1show interface port-channel counters storm-control multi-threshold broadcast 1show interface port-channel counters storm-control multi-threshold multicast 1show interface port-channel counters storm-control multi-threshold unicast 1show ip access-lists summary 1show ip arp inspection 1show ip arp inspection interface 1show ip arp inspection interfaces 1show ip arp inspection log 1show ip arp inspection statistics 1show ip dhcp relay address 1show ip dhcp relay statistics 1show ip interface 1show ipv6 access-lists summary 1show ipv6 dhcp relay interface 1show ipv6 dhcp relay statistics 1show logging ip access-list status 1show login failures 1show login on-failure log 1show login on-successful log 1show macsec mka session 1show macsec mka statistics 1show macsec mka summary 1show macsec secy statistics 1show password strength-check 1show policy-map type control-plane expand 1show policy-map type control-plane name 1show port-security address interface 1show port-security interface 1show radius {status | pending | pending-diff} 1show radius-server directed-request 1show radius-server group 1show radius-server groups 1show role feature 1show run interface 1show running-config aaa 1show running-config acllog 1show running-config copp all 1show running-config interface mgmt 0 1show running-config interface vlan 1show running-config ip 1show running-config ipv6 1show running-config ldap 1show running-config macsec 1show running-config radius 1show running-config tacacs 1show running-config tacacs all 1show ssh key dsa 1show ssh key md5 1show ssh key rsa 1show startup-config aaa 1show startup-config acllog 1show startup-config dhcp 1show startup-config dhcp all 1show startup-config interface ethernet 1show startup-config ip 1show startup-config ldap 1show startup-config radius 1show startup-config security 1show startup-config tacacs 1show system login 1show system login failures 1show tacacs+ {status | pending | pending-diff} 1show tacacs-server sorted 1show username 1show username keypair 1show vlan access-map 1show vlan filter 1show {ip | ipv6 | access-lists} 1ssh 1ssh key 1ssh key force 1ssh key rsa 1ssh login-attempts 1ssh vrf 1ssh6 1ssh6 vrf 1storm-control multi unicast 1storm-control {broadcast | multicast | unicast} 1storm-control-cpu arp rate 1switchport block {multicast | unicast} 1switchport port-security 1switchport port-security aging time 1switchport port-security aging type 1switchport port-security maximum 1switchport port-security violation 1system login block-for 1system login block-for attempts 1system login block-for within 1system login quiet-mode access-class 1T
tacacs-server deadtime 1tacacs-server directed-request 1tacacs-server host port 1tacacs-server host timeout 1tacacs-server test 1tacacs-server test idle-time 1tacacs-server test username 1telnet 1telnet vrf 1telnet6 1telnet6 vrf 1terminal no verify-only 1terminal no verify-only username 1terminal verify-only 1terminal verify-only username 1test aaa authorization command-type {commands | config-commands} user command 1test aaa server radius 1test aaa server radius vrf 1test aaa server tacacs+ 1time-range 1trust pointsdescription 1multiple 1saving configuration across reboots 1U
Unicast RPFBGP attributes 1BOOTP and 1default settings 1deploying 1description 1DHCP and 1example configurations 1FIB 1guidelines 1implementation 1limitations 1tunneling and 1verifying configuration 1user max-logins 1username 1username keypair export 1username keypair export {rsa | dsa} 1username keypair generate 1username keypair import 1username keypair import (rsa | dsa} 1username sshkey 1username sshkey file bootflash 1userpassphrase max-length 1userpassphrase min-length 1V
vlan access-map 1vlan filter 1vlan policy deny 1vPC First Hop Security Configurationdescription 1vrf policy deny 1W
window-size 1