Index

8

802.1X
authenticator PAEs 1
configuring 1
default settings 1
description 1
enabling feature 1
example configuration 1
licensing requirements 1
MAC authentication bypass 1
multiple host support 1
prerequisites 1
single host support 1
supported topologies 1
verifying configuration 1
802.1X authentication
authorization states for ports 1
enabling RADIUS accounting 1
initiation 1
802.1X reauthentication
setting maximum retry count on interfaces 1
802.1X supplicants
manually reauthenticating 1

A

AAA
accounting 1
authentication 1
benefits 1
configuring console login 1
configuring for RADIUS servers 1
default settings 1
description 1
enabling MSCHAP authentication 1
example configuration 1
guidelines 1
limitations 1
prerequisites 1
user login process 1
verifying configurations 1
AAA accounting
configuring default methods 1
aaa accounting dot1x default group 1
AAA accounting logs
clearing 1
displaying 1
aaa authentication dot1x default group 1
aaa authorization default 1
aaa authorization {group | local} 1
aaa authorization {ssh-certificate | ssh-publickey} 1
aaa group server ldap 1
AAA logins
enabling authentication failure messages 1
AAA protocols
RADIUS 1
TACACS+ 1
AAA server groups
description 1
AAA servers
specifying SNMPv3 parameters 1 2
specifying user roles 1
specifying user roles in VSAs 1
AAA services
configuration options 1
remote 1
accounting
description 1
ACL
processing order 1
sequence numbers 1
ACL implicit rules 1
ACL log match level, applying 1
ACL logging 1
ACL logging configuration, verifying 1
ACL logging to an interface, Applying 1
ACL TCAM regions
configuring 1
reverting to default sizes 1
acllog match-log-level 1
ACLs
applications 1
guidelines 1
identifying traffic by protocols 1
licensing 1
limitations 1
prerequisites 1
types 1
VLAN 1
Applying ACL logging to an interface 1
Applying the ACL log match level 1
authentication
802.1X 1
description 1
local 1
methods 1
remote 1
user login 1
authentication {bind-first | compare} 1
authenticator PAEs
creating on an interface 1
description 1
removing from an interface 1
authorization
user login 1

B

BGP
using with Unicast RPF 1

C

CA trust points
creating associations for PKI 1
CAs
authenticating 1
configuring 1
deleting certificates 1
description 1
displaying configuration 1
enrollment using cut-and-paste 1
example configuration 1
example of downloading certificate 1
generating identity certificate requests 1
identity 1
installing identity certificates 1
multiple 1
multiple trust points 1
peer certificates 1
purpose 1
certificate authorities. 1
See CAs 1
certificate revocation checking
configuring methods 1
certificate revocation lists 1
See CRLs 1
certificates
example of revoking 1
channel-group 1
channel-group force 1
channel-group mode 1
channel-group {on | active | passive} 1
Cisco
vendor ID 1 2
cisco-av-pair
specifying AAA user parameters 1 2
class maps
configuring for CoPP 1
CoPP 1
clear hardware rate-limiter module 1
clear hardware rate-limiter {all | span-egress} 1
clear ldap-server statistics 1
clear port-security dynamic 1
clear port-security dynamic address 1
clearing statistics
CoPP 1
configuration example 1
configuration examples
CoPP 1
configuration status
CoPP 1
Configuring the ACL logging cache 1
control plane class maps
verifying the configuration 1
control plane policy maps
verifying the configuration 1
control plane protection
CoPP 1
packet types 1
control plane protection, classification 1
control plane protection, CoPP
rate controlling mechanisms 1
control plane service policy, configuring
CoPP 1
CoPP 1
class maps 1
clearing statistics 1
configuration examples 1
configuration status 1
configuring class maps 1
configuring policy maps 1
control plane protection 1
control plane protection, classification 1
control plane service policy, configuring 1
default policy 1
disabling the rate limit 1
guidelines 1
information about 1
licensing 1
limitations 1
monitoring 1
policy templates 1
restrictions for management interfaces 1
upgrade guidelines 1
verifying the configuration 1
CoPP policy
layer 2 1
CoPP policy maps
configuring 1
CRLs
configuring 1
description 1
downloading 1
generating 1
importing example 1
publishing 1
crypto ca authentication 1
crypto ca crl request 1
crypto ca trustpoint 1

D

DAI
default settings 1
guidelines 1
limitations 1
default settings
port security 1
default CoPP policy 1
default settings
802.1X 1
AAA 1
DAI 1
PKI 1
denial-of-service attacks
IP address spoofing, mitigating 1
device roles
description for 802.1X 1
DHCP binding database 1
DHCP Option 82
enabling or disabling data insertion and removal 1
DHCP relay agent
enabling or disabling 1
enabling or disabling Option 82 1
DHCP relay statistics
clearing 1
DHCP server addresses
configuring 1
dhcp snooping
licensing 1
prerequisites 1
DHCP snooping
binding database 1
default settings 1
description 1
guidelines 1
limitations 1
overview 1
DHCP snooping binding database 1
described 1
description 1
entries 1
DHCPv6 relay
configuring the source interface 1
DHCPv6 relay agent
described 1
enabling or disabling 1
enabling or disabling VRF support 1
VRF support 1
DHCPv6 relay statistics
clearing 1
digital certificates
configuring 1
description 1 2
exporting 1
importing 1
peers 1
purpose 1
disabling the rate limit
CoPP 1
Displaying and clearing log files 1
DoS attacks
Unicast RPF, deploying 1
dot1x default 1
dot1x host-mode multi-host 1
dot1x host-mode {multi-host | single-host} 1
dot1x max-req 1
dot1x port-control auto 1
dot1x port-control {auto | force-authorized | forced-unauthorized} 1
dot1x re-authentication 1
dot1x timeout quiet-period 1
dot1x timeout ratelimit-period 1
dot1x timeout re-authperiod 1
dot1x timeout server-timeout 1
dot1x timeout supp-timeout 1
dot1x timeout tx-period 1
dynamic ARP inspection
ARP cache poisoning 1
ARP requests 1
ARP spoofing attack 1
DHCP snooping binding database 1
function of 1
interface trust states 1
logging of dropped packets 1
network security issues and interface trust states 1
Dynamic Host Configuration Protocol snooping 1
See DHCP snooping 1

E

enable Cert-DN-match 1
enable user-server-group 1
examples
AAA configurations 1

F

feature dot1x 1
feature ldap 1
feature port-security 1
feature ssh 1 2
FIPS
configuration example 1
disabling 1
enabling 1
self-tests 1

G

generate type7_encrypted_secret 1
guidelines
ACLs 1
CoPP 1
DAI 1
DHCP snooping 1
port security 1

H

hardware rate-limiter access-list-log 1
hardware rate-limiter span-egress 1
hostnames
configuring for PKI 1

I

identity certificates
deleting for PKI 1
generating requests 1
installing 1
IDs
Cisco vendor ID 1 2
ip access-group 1
IP ACL implicit rules 1
IP ACL statistics
clearing 1
monitoring 1
IP ACLs
applications 1
applying as a Router ACL 1
applying as port ACLs 1
changing 1
changing sequence numbers in 1
description 1
logical operation units 1
logical operators 1
removing 1
types 1
IP domain names
configuring for PKI 1
ip verify unicast source reachable-via 1
ipv6 verify unicast source reachable-via 1

L

layer 2
CoPP policy 1
ldap search-map 1
ldap-server deadtime 1 2
ldap-server host 1 2 3 4
ldap-server host idle-time 1
ldap-server host password 1 2
ldap-server host port 1 2
ldap-server host rootDN 1
ldap-server host test rootDN 1
ldap-server host timeout 1 2
ldap-server host username 1
ldap-server timeout 1
licensing
802.1X 1
ACLs 1
CoPP 1
dhcp snooping 1
PKI 1
Unicast RPF 1
limitations
ACLs 1
CoPP 1
DAI 1
DHCP snooping 1
port security 1
logging ip access-list cache entries 1
logging ip access-list cache interval 1
logging ip access-list cache threshold 1
logical operation units
IP ACLs 1
logical operators
IP ACLs 1
login
RADIUS servers 1
login on-failure log 1
login on-success log 1
LOU 1
See logical operation units 1

M

MAC ACL implicit rules 1
MAC addresses
learning 1
MAC authentication
bypass for 802.1X 1
management interfaces
CoPP restrictions 1
monitoring
CoPP 1
RADIUS 1
RADIUS servers 1
MSCHAP
enabling authentication 1

N

no dot1x system-auth-control 1
no feature dot1x 1
no feature ssh 1

P

PKI
certificate revocation checking 1
configuring hostnames 1
configuring IP domain names 1
default settings 1
description 1
displaying configuration 1
enrollment support 1
example configuration 1
generating RSA key pairs 1
guidelines 1
licensing 1
limitations 1
policy templates
description 1
port ACL 1
port security
default settings 1
guidelines 1
limitations 1
MAC address learning 1
MAC move 1
violations 1
ports
authorization states for 802.1X 1
prerequisites
dhcp snooping 1
preshared keys
TACACS+ 1

R

RADIUS
configuring servers 1
configuring timeout intervals 1
configuring transmission retry counts 1
default settings 1
description 1
example configurations 1
monitoring 1
network environments 1
operations 1
prerequisites 1
statistics, displaying 1
RADIUS accounting
enabling for 802.1X authentication 1
RADIUS server groups
global source interfaces 1
RADIUS server preshared keys 1
RADIUS servers
allowing users to specify at login 1
configuring AAA for 1
configuring timeout interval 1
configuring transmission retry count 1
deleting hosts 1
example configurations 1
manually monitoring 1
RADIUS statistics
clearing 1
RADIUS, global preshared keys 1
RADIUS, periodic server monitoring 1
RADIUS, server hosts
configuring 1
rate controlling mechanisms
control plane protection, CoPP 1
rate limits
guidelines 1
limitations 1
remote devices
connecting to using SSH 1
router ACLs 1
RSA key pairs
deleting from a Cisco NX-OS device 1
exporting 1
generating for PKI 1
importing 1
RSA key-pairs
description 1
displaying configuration 1
exporting 1
importing 1
multiple 1
rules
implicit 1

S

sample configuration 1
secure MAC addresses
learning 1
security
port
MAC address learning 1
server 1
server groups 1
servers
RADIUS 1
show aaa accounting 1
show aaa authorization 1
show crypto ca certificates 1
show crypto ca crl 1
show dot1x 1 2
show dot1x all 1 2 3 4 5 6
show dot1x interface ethernet 1
show dot1x {all | interface ethernet} 1
show hardware access-list tcam region 1
show hardware access-list tcam template 1
show hardware rate-limiter 1 2 3
show hardware rate-limiter module 1
show hardware rate-limiter span-egress 1 2
show ip access-lists 1
show ipv6 access-lists 1
show ldap-search-map 1 2
show ldap-server 1 2 3 4 5 6 7 8
show ldap-server groups 1 2
show ldap-server statistics 1 2 3
show logging ip access-list cache 1 2
show logging ip access-list status 1
show login on-failure log 1
show login on-successful log 1
show port-security 1 2
show port-security address 1 2
show port-security address interface 1
show port-security interface 1
show radius-server 1
show radius-server group 1
show running-config acllog 1
show running-config aclmgr 1
show running-config aclmgr all 1
show running-config ldap 1
show running-config port-security 1 2 3 4 5 6 7
show ssh key 1
show startup-config acllog 1
show startup-config aclmgr 1
show startup-config aclmgr all 1
show startup-config ldap 1
show user-account 1 2
show users 1
SNMPv3
specifying AAA parameters 1
specifying parameters for AAA servers 1
source interfaces
RADIUS server groups 1
TACACS+ server groups 1
SSH
description 1
SSH clients 1
SSH servers 1
SSH sessions
clearing 1
connecting to remote devices 1
statistics
clearing 1
monitoring 1
TACACS+ 1
switchport 1 2 3
switchport port-security 1
switchport port-security aging time 1
switchport port-security aging type 1
switchport port-security mac-address 1 2
switchport port-security mac-address sticky 1 2
switchport port-security maximum 1
switchport port-security violation 1

T

TACACS+
advantages over RADIUS 1
configuring 1
configuring global timeout interval 1
description 1 2
displaying statistics 1
example configurations 1
field descriptions 1
global preshared keys 1
limitations 1
prerequisites 1
preshared key 1
user login operation 1
TACACS+ server groups
global source interfaces 1
TACACS+ servers
configuring hosts 1
configuring TCP ports 1
configuring timeout interval 1
field descriptions 1
manually monitoring 1
TCAMs
configuring 1
reverting to default sizes 1
TCP ports
TACACS+ servers 1
Telnet
description 1
Telnet server
enabling 1
reenabling 1
Telnet servers 1
Telnet sessions
clearing 1
connecting to remote devices 1
trust points
description 1
multiple 1
saving configuration across reboots 1

U

Unicast RPF
BGP attributes 1
BOOTP and 1
default settings 1
deploying 1
description 1
DHCP and 1
example configurations 1
FIB 1
guidelines 1
implementation 1
licensing 1
limitations 1
loose mode 1
strict mode 1
tunneling and 1
verifying configuration 1
upgrade
guidelines for CoPP 1
use-vrf 1
user login
authentication process 1
authorization process 1
user roles
specifying on AAA servers 1 2
username password 1

V

vendor-specific attributes 1
verifying
RADIUS configuration 1
TACACS+ configuration 1
Verifying the ACL logging configuration 1
VLAN ACLs
information about 1
VSAs
format 1
protocol options 1
support description 1