- enable Cert-DN-match
- enable
- enable secret
- enable user-server-group
- encryption decrypt type6
- encrypt pause-frame
- encryption delete type6
- encryption re-encrypt obfuscated
- enrollment terminal
- eou allow clientless
- eou default
- eou initialize
- eou logging
- eou max-retry
- eou port
- eou ratelimit
- eou revalidate (EXEC)
- eou revalidate (global configuration and interface configuration)
- eou timeout
- eq
E Commands
This chapter describes the Cisco NX-OS Security commands that begin with E.
enable Cert-DN-match
To enable LDAP users to login only if the user profile lists the subject-DN of the user certificate as authorized for login, use the enable Cert-DN-match command. To disable this configuration, use the no form of this command.
Syntax Description
Defaults
Command Modes
LDAP server group configuration
Command History
Usage Guidelines
Examples
This example shows how to allow LDAP users to log in only if the user profile lists the subject DN of the user certificate as authorized for login:
Related Commands
- Creates an LDAP server group and enters the LDAP server group configuration mode for that group.
- Configures the LDAP server as a member of the LDAP server group.
enable
To enable a user to move to a higher privilege level after being prompted for a secret password, use the enable command.
Syntax Description
Privilege level to which the user must log in. The only available level is 15.
Defaults
Command Modes
Command History
Usage Guidelines
To use this command, you must enable the cumulative privilege of roles for command authorization on TACACS+ servers using the feature privilege command.
Examples
This example shows how to enable the user to move to a higher privilege level after being prompted for a secret password:
Related Commands
- feature privilege: Enables the cumulative privilege of roles for command authorization on TACACS+ servers.
- Displays the current privilege level, username, and status of cumulative privilege support.
enable secret
To enable a secret password for a specific privilege level, use the enable secret command. To disable the password, use the no form of this command.
enable secret [0 | 5] password [priv-lvl priv-lvl | all ]
no enable secret [0 | 5] password [priv-lvl priv-lvl | all ]
Syntax Description
Defaults
Command Modes
Command History
Usage Guidelines
To use this command, you must enable the cumulative privilege of roles for command authorization on TACACS+ servers using the feature privilege command.
Examples
This example shows how to enable a secret password for a specific privilege level:
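The following is an added example, not part of the original page, that ties the enable and enable secret commands together: feature privilege is turned on, a secret is bound to privilege level 15, and a user whose role maps to a lower level then escalates with enable. The hostname, the secret value and the use of show privilege (named on this page only by its description) are assumptions.

```text
switch# configure terminal
! Prerequisite for both enable and enable secret (Usage Guidelines above)
switch(config)# feature privilege
! Type 0 means the value is entered in clear text; NX-OS stores it hashed (type 5).
! "Ex4mple-S3cret" is a placeholder, not a recommended value.
switch(config)# enable secret 0 Ex4mple-S3cret priv-lvl 15
switch(config)# exit

! Later, from an EXEC session running at a lower privilege level:
switch# enable 15
Password:
switch# show privilege

! To withdraw the secret again:
switch(config)# no enable secret 0 Ex4mple-S3cret priv-lvl 15
```

Because 15 is the only level enable accepts, this secret is effectively a second administrative credential: treat it like the admin password, rotate it with the same policy, and keep the 5 (pre-hashed) form for copying a configuration between devices so that the clear-text value never appears in a config file.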
Related Commands
enable user-server-group
To enable group validation for an LDAP server group, use the enable user-server-group command. To disable group validation, use the no form of this command.
Syntax Description
Defaults
Command Modes
LDAP server group configuration
Command History
Usage Guidelines
To use this command, the LDAP server must contain a group whose name matches the LDAP server group name configured on the switch.
Users can log in through public-key authentication only if the username is listed as a member of that group on the LDAP server.
Examples
This example shows how to enable group validation for an LDAP server group:
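The following is an added example, not from the original page, that shows the two LDAP server group checks described above (enable user-server-group and enable Cert-DN-match) configured together. The group name LDAP-ADMINS, the server address 192.0.2.10 and the ldap-server host / aaa group server ldap commands that create the server and the group are assumptions; the Related Commands list above names them only by description.

```text
switch# configure terminal
! Define the LDAP server first (assumed command, not covered on this page)
switch(config)# ldap-server host 192.0.2.10
! Create the server group; the name must also exist as a group in the directory
switch(config)# aaa group server ldap LDAP-ADMINS
switch(config-ldap)# server 192.0.2.10
! Only members of the LDAP group "LDAP-ADMINS" may log in with public-key auth
switch(config-ldap)# enable user-server-group
! Certificate logins also require the certificate subject DN to be listed
! as authorized in the user's LDAP profile
switch(config-ldap)# enable Cert-DN-match
switch(config-ldap)# exit
```

With both checks enabled, a valid certificate alone is not enough: the directory must both list the subject DN for that user and place the user in the group that shares the server group's name, so removing a user from that group revokes switch access without touching the switch configuration.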
Related Commands
encryption decrypt type6
To convert type-6 encrypted passwords back to their original state, use the encryption decrypt type6 command.
Syntax Description
Defaults
Command Modes
Command History
Usage Guidelines
Examples
This example shows how to convert type6 encrypted passwords back to their original state:
Related Commands
- encryption re-encrypt obfuscated: Converts the existing obfuscated passwords to type-6 encrypted passwords.
encrypt pause-frame
To configure pause frame encryption for Cisco Trusted Security (Cisco TrustSec) on an M1 module interface, use the encrypt pause-frame command. To remove the pause frame encryption, use the no form of this command.
Syntax Description
Defaults
Enabled on the line cards that support the encryption of pause frames
Command Modes
Cisco TrustSec 802.1X configuration mode (config-if-cts-dot1x)
Cisco TrustSec manual configuration mode (config-if-cts-manual)
Command History
Usage Guidelines
You must enable flow control on the interface by using the flowcontrol {send | receive} command.
When you enter the no encrypt pause-frame command, pause frames are sent unencrypted. When you enter the encrypt pause-frame command, pause frames are sent encrypted over the Cisco TrustSec link.
You cannot enable Cisco TrustSec on interfaces in half-duplex mode. Use the show interface command to determine whether an interface is configured for half-duplex mode.
This command is only needed in the unlikely event that global pause has been enabled. While pause is used in FCoE environments, it is not needed in typical Ethernet deployments.
This command does not apply to the M132XP-12L module.
Note F1 Series modules, F2 Series modules, F2e Series modules, and the N7K-M132XP-12(L) module support only clear pause frames. All other M1 Series modules support both secure (encrypted and decrypted) and clear pause frames.
Examples
This example shows how to enable pause frame encryption on an interface:
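The following is an added example, not from the original page, that shows the prerequisite flow control setting, the manual Cisco TrustSec mode and the encrypt pause-frame command on one interface, followed by the no form. The interface ethernet 2/1 and the cts manual command that enters config-if-cts-manual mode are assumptions.

```text
switch# configure terminal
switch(config)# interface ethernet 2/1
! Prerequisite from Usage Guidelines: flow control must be on for pause frames to exist
switch(config-if)# flowcontrol receive on
! Confirm the port is full duplex; TrustSec cannot be enabled on half-duplex ports
switch(config-if)# show interface ethernet 2/1
switch(config-if)# cts manual
switch(config-if-cts-manual)# encrypt pause-frame
switch(config-if-cts-manual)# exit
switch(config-if)# exit

! To send pause frames in the clear on the same link:
switch(config)# interface ethernet 2/1
switch(config-if)# cts manual
switch(config-if-cts-manual)# no encrypt pause-frame
```

Encrypted pause frames only matter once the link itself is an encrypted Cisco TrustSec link; on modules that support only clear pause frames (the F1, F2, F2e and N7K-M132XP-12(L) modules listed above) the command has no effect, so check the module type before relying on it.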
Related Commands
encryption delete type6
To delete strongly encrypted passwords on the NX-OS device, use the encryption delete type6 command.
Syntax Description
Defaults
Command Modes
Command History
Usage Guidelines
Examples
This example shows how to delete strongly encrypted passwords:
Related Commands
- encryption re-encrypt obfuscated: Converts the existing obfuscated passwords to type-6 encrypted passwords.
encryption re-encrypt obfuscated
To convert the existing obfuscated passwords to type-6 encrypted passwords, use the encryption re-encrypt obfuscated command.
encryption re-encrypt obfuscated
Syntax Description
Defaults
Command Modes
Command History
Usage Guidelines
When you use the encryption re-encrypt obfuscated command, secrets stored in plain or weakly encrypted (obfuscated) form are converted to type-6 encryption, provided that the encryption service is enabled with a master key.
Examples
This example shows how to convert the existing obfuscated passwords to type-6 encrypted passwords:
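The following is an added example, not from the original page, that walks through the type-6 lifecycle covered by the three encryption commands in this chapter: enabling the encryption service with a master key, converting obfuscated secrets with encryption re-encrypt obfuscated, and later reversing or removing them with encryption decrypt type6 and encryption delete type6. The key config-key ascii, feature password encryption aes and show encryption service stat commands are not on this page and are assumed.

```text
switch# configure terminal
! Prerequisite (assumed): a master key and the AES password-encryption service.
! key config-key ascii prompts twice for the master key; it is never shown in the config.
switch(config)# key config-key ascii
switch(config)# feature password encryption aes
switch(config)# show encryption service stat

! Convert reversible (obfuscated) secrets such as AAA server keys to type 6
switch(config)# encryption re-encrypt obfuscated
! Verify: obfuscated keys now appear with the type-6 marker
switch(config)# show running-config | include " 6 "

! Before copying the configuration to a device that does not hold this master
! key, turn the secrets back into their original form (the output is sensitive)
switch(config)# encryption decrypt type6

! Alternatively, remove the type-6 secrets entirely
switch(config)# encryption delete type6
```

Type-6 values are bound to the master key of the device that created them, so a configuration copied elsewhere cannot be decrypted without that key; that is the reason the decrypt command exists, and also the reason a configuration produced by encryption decrypt type6 must be handled as clear-text credential material.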
Related Commands
- encryption decrypt type6: Converts type-6 encrypted passwords back to their original state.
enrollment terminal
To enable manual cut-and-paste certificate enrollment through the switch console, use the enrollment terminal command. To revert to the default certificate enrollment process, use the no form of this command.
Syntax Description
Defaults
The default is the manual cut-and-paste method, which is the only enrollment method that the Cisco NX-OS software supports.
Command Modes
Command History
Usage Guidelines
Examples
This example shows how to configure trustpoint enrollment through the switch console:
This example shows how to discard a trustpoint enrollment through the switch console:
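The following is an added example, not from the original page, that places enrollment terminal in the complete cut-and-paste enrollment flow. The trustpoint name corp-ca, the key label corp-key and the crypto key generate rsa, crypto ca trustpoint, rsakeypair, crypto ca authenticate, crypto ca enroll and crypto ca import commands are assumptions; only enrollment terminal and its no form are documented on this page.

```text
switch# configure terminal
! Key pair the certificate will bind to (assumed command)
switch(config)# crypto key generate rsa label corp-key modulus 2048
switch(config)# crypto ca trustpoint corp-ca
switch(config-trustpoint)# rsakeypair corp-key
! Manual cut-and-paste enrollment through the console
switch(config-trustpoint)# enrollment terminal
switch(config-trustpoint)# exit
! Paste the CA certificate (PEM) when prompted, then confirm its fingerprint
switch(config)# crypto ca authenticate corp-ca
! Display the CSR on the console; copy it to the CA
switch(config)# crypto ca enroll corp-ca
! Paste the issued certificate back when prompted
switch(config)# crypto ca import corp-ca certificate

! Reverting the enrollment method to the default (which is also the manual method)
switch(config)# crypto ca trustpoint corp-ca
switch(config-trustpoint)# no enrollment terminal
```

Because the CA certificate arrives by paste, verify its fingerprint against a value obtained out of band before accepting it; that single check is what anchors every later certificate validation on the switch.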
Related Commands
eou allow clientless
To enable Extensible Authentication Protocol over User Datagram Protocol (EAPoUDP) posture validation of clientless endpoint devices, use the eou allow clientless command. To disable posture validation of clientless endpoint devices, use the no form of this command.
Syntax Description
Defaults
Command Modes
Command History
Usage Guidelines
You must use the feature eou command before you configure EAPoUDP.
Examples
This example shows how to allow EAPoUDP posture validation of clientless endpoint devices:
This example shows how to prevent EAPoUDP posture validation of clientless endpoint devices:
Related Commands
eou default
To revert to the default global or interface configuration values for Extensible Authentication Protocol over User Datagram Protocol (EAPoUDP), use the eou default command.
Syntax Description
Defaults
Command Modes
Global configuration
Interface configuration
Command History
Usage Guidelines
You must use the feature eou command before you configure EAPoUDP.
Examples
This example shows how to change the global EAPoUDP configuration to the default:
This example shows how to change the EAPoUDP configuration for an interface to the default:
Related Commands
eou initialize
To initialize Extensible Authentication Protocol over User Datagram Protocol (EAPoUDP) sessions, use the eou initialize command.
eou initialize {all | authentication {clientless | eap | static} | interface ethernet slot/port | ip-address ipv4-address | mac-address mac-address | posturetoken name}
Syntax Description
Defaults
Command Modes
Command History
Usage Guidelines
You must use the feature eou command before you configure EAPoUDP.
Examples
This example shows how to initialize all the EAPoUDP sessions:
This example shows how to initialize the EAPoUDP sessions that were statically authenticated:
This example shows how to initialize the EAPoUDP sessions for an interface:
This example shows how to initialize the EAPoUDP sessions for an IP address:
This example shows how to initialize all the EAPoUDP sessions for a MAC address:
This example shows how to initialize all the EAPoUDP sessions for a posture token:
Related Commands
eou logging
To enable Extensible Authentication Protocol over User Datagram Protocol (EAPoUDP) logging, use the eou logging command. To disable EAPoUDP logging, use the no form of this command.
Syntax Description
Defaults
Command Modes
Global configuration
Interface configuration
Command History
Usage Guidelines
The setting for EAPoUDP logging on an interface overrides the global setting.
You must use the feature eou command before you configure EAPoUDP.
Examples
This example shows how to enable global EAPoUDP logging:
This example shows how to disable global EAPoUDP logging:
This example shows how to enable EAPoUDP logging for an interface:
This example shows how to disable EAPoUDP logging for an interface:
Related Commands
eou max-retry
To configure the maximum number of attempts for Extensible Authentication Protocol over User Datagram Protocol (EAPoUDP) globally or for an interface, use the eou max-retry command. To revert to the default, use the no form of this command.
Syntax Description
Defaults
Command Modes
Global configuration
Interface configuration
Command History
Usage Guidelines
The maximum retries for an interface takes precedence over the globally configured value.
You must use the feature eou command before you configure EAPoUDP.
Examples
This example shows how to change the global maximum number of EAPoUDP retry attempts:
This example shows how to revert to the default global maximum number of EAPoUDP retry attempts:
This example shows how to change the maximum number of EAPoUDP retry attempts for an interface:
This example shows how to revert to the default maximum number of EAPoUDP retry attempts for an interface:
Related Commands
eou port
To configure the User Datagram Protocol (UDP) port number for Extensible Authentication Protocol over UDP (EAPoUDP), use the eou port command. To revert to the default, use the no form of this command.
Syntax Description
Defaults
Command Modes
Command History
Usage Guidelines
You must use the feature eou command before you configure EAPoUDP.
Examples
This example shows how to change the UDP port number for EAPoUDP:
This example shows how to revert to the default UDP port number for EAPoUDP:
Related Commands
eou ratelimit
To configure the number of simultaneous posture validation sessions for Extensible Authentication Protocol over User Datagram Protocol (EAPoUDP), use the eou ratelimit command. To revert to the default, use the no form of this command.
Syntax Description
Maximum number of simultaneous EAPoUDP posture validation sessions. The range is from 0 to 200.
Defaults
Command Modes
Global configuration
Interface configuration
Command History
Usage Guidelines
Setting the EAPoUDP rate limit to zero (0) allows no simultaneous posture validation sessions.
The EAPoUDP rate limit for an interface overrides the globally configured EAPoUDP rate limit.
You must use the feature eou command before you configure EAPoUDP.
Examples
This example shows how to change the global maximum number of simultaneous EAPoUDP posture-validation sessions:
This example shows how to revert to the default global maximum number of simultaneous EAPoUDP posture-validation sessions:
This example shows how to change the maximum number of simultaneous EAPoUDP posture-validation sessions for an interface:
This example shows how to revert to the default maximum number of simultaneous EAPoUDP posture-validation sessions for an interface:
Related Commands
eou revalidate (EXEC)
To revalidate Extensible Authentication Protocol over User Datagram Protocol (EAPoUDP) sessions, use the eou revalidate command.
eou revalidate {all | authentication {clientless | eap | static} | interface ethernet slot/port | ip-address ipv4-address | mac-address mac-address | posturetoken name}
Syntax Description
Defaults
Command Modes
Note The Cisco NX-OS software supports an eou revalidate command in global configuration mode. To use an EXEC-level eou revalidate command in global configuration mode, include the required keywords.
Command History
Usage Guidelines
You must use the feature eou command before you configure EAPoUDP.
Examples
This example shows how to revalidate all the EAPoUDP sessions:
This example shows how to revalidate the EAPoUDP sessions that were statically authenticated:
This example shows how to revalidate the EAPoUDP sessions for an interface:
This example shows how to revalidate the EAPoUDP sessions for an IP address:
This example shows how to revalidate the EAPoUDP sessions for a MAC address:
This example shows how to revalidate the EAPoUDP sessions for a posture token:
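The following is an added example, not from the original page, that exercises every selector of the two EXEC-level session commands, eou initialize and eou revalidate, as given in their syntax lines. The interface, the endpoint address 10.1.1.25, the MAC address and the posture token name Healthy are placeholders.

```text
! Revalidate: re-run posture validation on existing sessions
switch# eou revalidate all
switch# eou revalidate authentication static
switch# eou revalidate interface ethernet 2/1
switch# eou revalidate ip-address 10.1.1.25
switch# eou revalidate mac-address 0018.ba4f.1c23
switch# eou revalidate posturetoken Healthy

! Initialize: reset session state so the endpoint is authenticated again
switch# eou initialize all
switch# eou initialize authentication clientless
switch# eou initialize interface ethernet 2/1
switch# eou initialize ip-address 10.1.1.25
switch# eou initialize mac-address 0018.ba4f.1c23
switch# eou initialize posturetoken Healthy

! The same EXEC command can be issued from global configuration mode,
! but only with its keywords; a bare "eou revalidate" there is the
! configuration command that enables periodic revalidation instead
switch(config)# eou revalidate interface ethernet 2/1
```

The posturetoken selector is the operationally useful one after a policy change: revalidating every endpoint that currently holds a given token (for example all sessions that passed with a token later deemed insufficient) avoids a full eou initialize all, which would drop every session on the switch at once.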
Related Commands
eou revalidate (global configuration and interface configuration)
To enable automatic periodic revalidation of Extensible Authentication Protocol over User Datagram Protocol (EAPoUDP) sessions globally or for a specific interface, use the eou revalidate command. To revert to the default, use the no form of this command.
Syntax Description
Defaults
Command Modes
Global configuration
Interface configuration
Command History
Usage Guidelines
The automatic revalidation setting for an interface overrides the global setting for automatic revalidation.
Note The Cisco NX-OS software supports an eou revalidate command in EXEC mode. To use the EXEC-level eou revalidate command in global configuration mode, include the required keywords.
You must use the feature eou command before you configure EAPoUDP.
Examples
This example shows how to disable global automatic revalidation of EAPoUDP sessions:
This example shows how to enable global automatic revalidation of EAPoUDP sessions:
This example shows how to disable automatic revalidation of EAPoUDP sessions for an interface:
This example shows how to enable automatic revalidation of EAPoUDP sessions for an interface:
Related Commands
- eou timeout: Configures the timeout interval for EAPoUDP automatic periodic revalidation.
eou timeout
To configure timeout intervals for the global Extensible Authentication Protocol over User Datagram Protocol (EAPoUDP) timers or for the EAPoUDP timers for an interface, use the eou timeout command. To revert to the default, use the no form of this command.
eou timeout { aaa seconds | hold-period seconds | retransmit seconds | revalidation seconds | status-query seconds }
no eou timeout { aaa | hold-period | retransmit | revalidation | status-query }
Syntax Description
Defaults
Global AAA timeout interval: 60 seconds (1 minute)
Global hold-period timeout: 180 seconds (3 minutes)
Global retransmit timeout interval: 3 seconds
Global revalidation timeout interval: 36000 seconds (10 hours)
Global status query timeout interval: 300 seconds (5 minutes)
Command Modes
Global configuration
Interface configuration
Command History
Usage Guidelines
The timeout interval values for the interface timers override the global timeout values.
You must use the feature eou command before you configure EAPoUDP.
Examples
This example shows how to change the global AAA timeout interval:
This example shows how to change the AAA timeout interval for an interface:
This example shows how to change the global hold-period timeout interval:
This example shows how to change the hold-period timeout interval for an interface:
This example shows how to change the global retransmit timeout interval:
This example shows how to change the retransmit timeout interval for an interface:
This example shows how to change the global revalidation timeout interval:
This example shows how to change the revalidation timeout interval for an interface:
This example shows how to change the global status-query timeout interval:
This example shows how to change the status-query timeout interval for an interface:
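The following is an added example, not from the original page, that assembles the EAPoUDP configuration commands in this chapter (eou allow clientless, eou logging, eou port, eou max-retry, eou ratelimit, eou revalidate, eou timeout and eou default) into one global policy with a per-interface override. The interface ethernet 2/1 and every numeric value, including the port number 21862, are assumptions chosen to differ from the defaults listed above.

```text
switch# configure terminal
! Prerequisite for every eou command
switch(config)# feature eou

! Global policy
switch(config)# eou allow clientless
switch(config)# eou logging
switch(config)# eou port 21862
switch(config)# eou max-retry 3
switch(config)# eou ratelimit 20
! Defaults are 36000 s revalidation, 300 s status query, 180 s hold period
switch(config)# eou timeout revalidation 3600
switch(config)# eou timeout status-query 120
switch(config)# eou timeout hold-period 60
switch(config)# eou revalidate

! Per-interface values take precedence over the global ones
switch(config)# interface ethernet 2/1
switch(config-if)# eou ratelimit 5
switch(config-if)# eou max-retry 2
switch(config-if)# eou timeout revalidation 900
switch(config-if)# no eou revalidate
switch(config-if)# exit

! Drop all interface overrides and fall back to the global values
switch(config)# interface ethernet 2/1
switch(config-if)# eou default
switch(config-if)# exit

! Restore the global defaults one at a time
switch(config)# no eou timeout revalidation
switch(config)# no eou ratelimit
switch(config)# no eou port
```

Two values deserve a second look before committing: eou ratelimit 0 admits no posture validation sessions at all on that scope, and no eou revalidate on an interface means endpoints there are validated once and never again until an EXEC eou revalidate is issued by hand.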
Related Commands
- eou revalidate: Enables periodic automatic revalidation of endpoint devices.
eq
To specify a single port as a group member in an IP port object group, use the eq command. To remove a single port group member from the port object group, use the no form of this command.
[ sequence-number ] eq port-number
no { sequence-number | eq port-number }
Syntax Description
Defaults
Command Modes
IP port object group configuration
Command History
Usage Guidelines
IP port object groups are not directional. Whether an eq command matches a source or destination port or whether it applies to inbound or outbound traffic depends upon how you use the object group in an ACL.
Examples
This example shows how to configure an IP port object group named port-group-05 with a group member that matches traffic sent to or from port 443:
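The following is an added example, not from the original page, that builds the port-group-05 object group named above with a member for port 443 and then shows, because port object groups are not directional, how the same group matches either the destination or the source port depending on where it is placed in the ACL entry. The sequence number 10, the ACL name web-in, the interface and the portgroup keyword of the ACL syntax are assumptions.

```text
switch# configure terminal
switch(config)# object-group ip port port-group-05
switch(config-port-ogroup)# 10 eq 443
switch(config-port-ogroup)# exit

switch(config)# ip access-list web-in
! Group after the destination: matches TCP traffic sent TO port 443
switch(config-acl)# 10 permit tcp any any portgroup port-group-05
! Group after the source: matches TCP traffic sent FROM port 443
switch(config-acl)# 20 permit tcp any portgroup port-group-05 any
switch(config-acl)# 30 deny ip any any
switch(config-acl)# exit
switch(config)# interface ethernet 2/1
switch(config-if)# ip access-group web-in in
switch(config-if)# exit

! Remove the member by sequence number or by value
switch(config)# object-group ip port port-group-05
switch(config-port-ogroup)# no 10
switch(config-port-ogroup)# no eq 443
```

Entry 20 is the one to scrutinise in a review: a rule that permits any traffic whose source port is 443 lets a host choose its source port to slip past the filter, so a port group should normally be placed on the destination side unless return traffic really is the intent.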