- feature (user role feature group)
- feature cts
- feature dhcp
- feature dot1x
- feature eou
- feature ldap
- feature password encryption aes
- feature port-security
- feature privilege
- feature scp-server
- feature sftp-server
- feature ssh
- feature tacacs+
- feature telnet
- filter
- fips mode enable
- fragments
- gt
- hardware access-list allow deny ace
- hardware access-list capture
- hardware access-list resource feature bank-mapping
- hardware access-list resource pooling
- hardware access-list update
- hardware rate-limiter
- host (IPv4)
- host (IPv6)
F to H Commands
This chapter describes the Cisco NX-OS Security commands that begin with F to H.
feature (user role feature group)
To configure a feature in a user role feature group, use the feature command. To delete a feature in a user role feature group, use the no form of this command.
Syntax Description
Cisco NX-OS feature name as listed in the show role feature command output.
Defaults
Command Modes
User role feature group configuration
Command History
Usage Guidelines
Use the show role feature command to list the valid feature names to use in this command.
Examples
This example shows how to add features to a user role feature group:
This example shows how to remove a feature from a user role feature group:
Related Commands
feature cts
To enable the Cisco TrustSec feature, use the feature cts command. To revert to the default, use the no form of this command.
Syntax Description
Defaults
Command Modes
Command History
Usage Guidelines
To use this command, you must first enable 802.1X with the feature dot1x command.
You can enable the feature cts command even without a license installed.
Note The Cisco TrustSec feature does not have a license grace period. You must install the Advanced Services license to configure this feature.
Examples
This example shows how to enable the Cisco TrustSec feature:
This example shows how to disable the Cisco TrustSec feature:
Related Commands
feature dhcp
To enable the DHCP snooping feature on the device, use the feature dhcp command. To disable the DHCP snooping feature and remove all configuration related to DHCP snooping, including DHCP relay, dynamic ARP inspection (DAI), and IP Source Guard configuration, use the no form of this command.
Syntax Description
Defaults
Command Modes
Command History
Usage Guidelines
The DHCP snooping feature is disabled by default.
If you have not enabled the DHCP snooping feature, commands related to DHCP snooping are unavailable.
Dynamic ARP inspection and IP Source Guard depend upon the DHCP snooping feature.
If you disable the DHCP snooping feature, the device discards all configuration related to DHCP snooping, including the DHCP relay, dynamic ARP inspection (DAI), and IP Source Guard configuration.
If you want to turn off DHCP snooping and preserve configuration related to DHCP snooping, disable DHCP snooping globally with the no ip dhcp snooping command.
Access-control list (ACL) statistics are not supported if the DHCP snooping feature is enabled.
Examples
This example shows how to enable DHCP snooping:
Related Commands
Displays DHCP snooping configuration, including IP Source Guard configuration.
feature dot1x
To enable the 802.1X feature, use the feature dot1x command. To revert to the default, use the no form of this command.
Syntax Description
Defaults
Command Modes
Command History
Usage Guidelines
You must use the feature dot1x command before you configure 802.1X.
Note If you disable the 802.1X feature, all 802.1X configuration is lost. If you want to disable 802.1X authentication, use the no dot1x system-auth-control command.
Examples
This example shows how to enable 802.1X:
This example shows how to disable 802.1X:
Related Commands
feature eou
To enable Extensible Authentication Protocol over User Datagram Protocol (EAPoUDP), use the feature eou command. To disable EAPoUDP, use the no form of this command.
Syntax Description
Defaults
Command Modes
Command History
Usage Guidelines
You must use the feature eou command before you configure EAPoUDP.
Note When you disable EAPoUDP, the Cisco NX-OS software removes the EAPoUDP configuration.
Examples
This example shows how to enable EAPoUDP:
This example shows how to disable EAPoUDP:
Related Commands
feature ldap
To enable Lightweight Directory Access Protocol (LDAP), use the feature ldap command. To disable LDAP, use the no form of this command.
Syntax Description
Defaults
Command Modes
Command History
Usage Guidelines
You must use the feature ldap command before you configure LDAP.
Note When you disable LDAP, the Cisco NX-OS software removes the LDAP configuration.
Examples
This example shows how to enable LDAP:
This example shows how to disable LDAP:
Related Commands
Displays the LDAP configuration in the running configuration.
Displays the LDAP configuration in the startup configuration.
feature password encryption aes
To enable the Advanced Encryption Standard (AES) password encryption feature, use the feature password encryption aes command. To disable the AES password encryption feature, use the no form of this command.
feature password encryption aes
no feature password encryption aes
Syntax Description
Defaults
Command Modes
Global configuration mode (config)
Command History
Usage Guidelines
You can enable the AES password encryption feature without a master key, but encryption starts only when a master key is present in the system. To configure a master key, use the key config-key command.
Examples
This example shows how to enable the AES password encryption feature:
Related Commands
feature port-security
To enable the port security feature globally, use the feature port-security command. To disable the port security feature globally, use the no form of this command.
Syntax Description
Defaults
Command Modes
Command History
Usage Guidelines
Port security is disabled globally by default.
Port security is local to each virtual device context (VDC). If necessary, switch to the correct VDC before using this command.
This command does not require a license.
If you enable port security globally, all other commands related to port security become available.
If you are reenabling port security, no port security configuration is restored from the last time that port security was enabled.
If you disable port security globally, all port security configuration is removed, including any interface configuration for port security and all secured MAC addresses, regardless of the method by which the device learned the addresses.
Examples
This example shows how to enable port security globally:
Related Commands
feature privilege
To enable the cumulative privilege of roles for command authorization on TACACS+ servers, use the feature privilege command. To disable the cumulative privilege of roles, use the no form of this command.
Syntax Description
Defaults
Command Modes
Command History
Usage Guidelines
This command does not require a license.
When the feature privilege command is enabled, privilege roles inherit the permissions of lower-level privilege roles.
Examples
This example shows how to enable the cumulative privilege of roles:
This example shows how to disable the cumulative privilege of roles:
Related Commands
Displays the current privilege level, username, and status of cumulative privilege support.
feature scp-server
To configure a secure copy (SCP) server on the Cisco NX-OS device in order to copy files to and from a remote device, use the feature scp-server command. To disable an SCP server, use the no form of this command.
Syntax Description
Defaults
Command Modes
Command History
Usage Guidelines
After you enable the SCP server, you can execute an SCP command on the remote device to copy the files to or from the Cisco NX-OS device.
The arcfour and blowfish cipher options are not supported for the SCP server.
Examples
This example shows how to enable the SCP server on the Cisco NX-OS device:
This example shows how to disable the SCP server on the Cisco NX-OS device:
Related Commands
feature sftp-server
To configure a secure FTP (SFTP) server on the Cisco NX-OS device in order to copy files to and from a remote device, use the feature sftp-server command. To disable an SFTP server, use the no form of this command.
Syntax Description
Defaults
Command Modes
Command History
Usage Guidelines
After you enable the SFTP server, you can execute an SFTP command on the remote device to copy the files to or from the Cisco NX-OS device.
Examples
This example shows how to enable the SFTP server on the Cisco NX-OS device:
This example shows how to disable the SFTP server on the Cisco NX-OS device:
Related Commands
feature ssh
To enable the Secure Shell (SSH) server for a virtual device context (VDC), use the feature ssh command. To disable the SSH server, use the no form of this command.
Syntax Description
Defaults
Command Modes
Command History
This command was introduced to replace the ssh server enable command.
Usage Guidelines
Examples
This example shows how to enable the SSH server:
This example shows how to disable the SSH server:
Related Commands
feature tacacs+
To enable TACACS+, use the feature tacacs+ command. To disable TACACS+, use the no form of this command.
Syntax Description
Defaults
Command Modes
Command History
Usage Guidelines
You must use the feature tacacs+ command before you configure TACACS+.
Note When you disable TACACS+, the Cisco NX-OS software removes the TACACS+ configuration.
Examples
This example shows how to enable TACACS+:
This example shows how to disable TACACS+:
Related Commands
feature telnet
To enable the Telnet server for a virtual device context (VDC), use the feature telnet command. To disable the Telnet server, use the no form of this command.
Syntax Description
Defaults
Command Modes
Command History
This command was introduced to replace the telnet server enable command.
Usage Guidelines
Examples
This example shows how to enable the Telnet server:
This example shows how to disable the Telnet server:
Related Commands
filter
To configure one or more certificate mapping filters within the filter map, use the filter command.
filter [ subject-name subject-name | altname-email e-mail-ID | altname-upn user-principal-name ]
Syntax Description
Defaults
Command Modes
Certificate mapping filter configuration
Command History
Usage Guidelines
To use this command, you must create a new filter map.
The validation passes if the certificate passes all of the filters configured in the map.
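The all-filters-must-pass rule stated above, modelled in Python as an added example (this is not NX-OS code, and the certificate fields, map names and sample values are constructed). Exact, case-insensitive comparison of each field against its filter is an assumption of this model; the point it shows is that a certificate missing a field, or mismatching any one configured filter, fails the whole map:

```python
"""Model of the certificate mapping filter rule stated above: a certificate
passes a filter map only if it passes every filter configured in the map.
Example code, not NX-OS code; exact, case-insensitive comparison of each
field is an assumption of this model."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Certificate:
    """Fields of a parsed client certificate (constructed for this example)."""
    subject_name: str
    altname_email: Optional[str] = None
    altname_upn: Optional[str] = None

    def field(self, keyword: str) -> Optional[str]:
        return {"subject-name": self.subject_name,
                "altname-email": self.altname_email,
                "altname-upn": self.altname_upn}[keyword]


@dataclass
class FilterMap:
    """A named filter map holding the values entered with the filter command.
    A keyword left as None simply has no filter configured for it."""
    name: str
    subject_name: Optional[str] = None
    altname_email: Optional[str] = None
    altname_upn: Optional[str] = None

    def filters(self) -> Dict[str, str]:
        configured = {"subject-name": self.subject_name,
                      "altname-email": self.altname_email,
                      "altname-upn": self.altname_upn}
        return {k: v for k, v in configured.items() if v is not None}


def _norm(value: str) -> str:
    # Collapse whitespace and case so "CN=alice, O=Example" equals "cn=alice, o=example".
    return " ".join(value.split()).lower()


def evaluate(cert: Certificate, fmap: FilterMap) -> Tuple[bool, List[str]]:
    """Return (passed, failed_filters). The certificate passes only when every
    configured filter matches the corresponding certificate field; a field the
    certificate lacks fails that filter."""
    failed = [
        keyword for keyword, wanted in fmap.filters().items()
        if cert.field(keyword) is None or _norm(cert.field(keyword)) != _norm(wanted)
    ]
    return (not failed, failed)


if __name__ == "__main__":
    cert = Certificate("CN=alice,O=Example", altname_email="alice@example.com")
    print(evaluate(cert, FilterMap("map1", subject_name="CN=alice,O=Example")))
```

Note that a map with no filters configured passes every certificate, which is why the guideline above has you create the filter map and then populate it.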
Examples
This example shows how to configure a certificate mapping filter within the filter map:
Related Commands
fips mode enable
To enable Federal Information Processing Standards (FIPS) mode, use the fips mode enable command. To disable FIPS mode, use the no form of this command.
Syntax Description
Defaults
Command Modes
Command History
Usage Guidelines
Before enabling FIPS mode, ensure that you are in the default virtual device context (VDC).
FIPS has the following prerequisites:
- Disable Telnet. Users should log in using Secure Shell (SSH) only.
- Disable SNMPv1 and v2. Any existing user accounts on the device that have been configured for SNMPv3 should be configured only with SHA for authentication and AES/3DES for privacy.
- Delete all SSH server RSA1 key-pairs.
- Enable HMAC-SHA1 message integrity checking (MIC) for use during the Cisco TrustSec Security Association Protocol (SAP) negotiation. To do so, enter the sap hash-algorithm HMAC-SHA-1 command from the cts-manual or cts-dot1x mode.
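As an added example that is not part of this command reference, the Python script below checks a running configuration against the Telnet, SNMP and RSA1 prerequisites listed above before you enable FIPS mode. The configuration text and the SSH key-type list are constructed; the script assumes SNMPv3 users appear in the snmp-server user NAME [GROUP] auth {md5|sha} ... priv [aes-128] ... form and treats a priv keyword without aes-128 as DES privacy, which FIPS does not allow. The SAP hash-algorithm prerequisite is a per-interface Cisco TrustSec setting and is not checked here.

```python
"""Check a Nexus running configuration against the FIPS prerequisites listed
above. Example code, not Cisco code. Assumptions: SNMPv3 users appear as
'snmp-server user NAME [GROUP] auth {md5|sha} ... [priv [aes-128] ...]', and a
priv keyword without aes-128 means DES privacy, which FIPS does not allow.
The SSH key types are passed in separately (as 'show ssh key' would reveal
them) rather than parsed from the configuration."""
import re
from typing import List

# Constructed sample configuration that violates several prerequisites.
SAMPLE_CONFIG = """\
feature telnet
feature ssh
snmp-server community public group network-operator
snmp-server user admin network-admin auth md5 0x1234 priv 0x5678 localizedkey
snmp-server user auditor network-operator auth sha 0xabcd priv aes-128 0xef01 localizedkey
"""
SAMPLE_SSH_KEY_TYPES = ["rsa", "rsa1"]   # constructed; rsa1 must be deleted for FIPS


def check_fips_prerequisites(config_text: str, ssh_key_types: List[str]) -> List[str]:
    """Return one finding per prerequisite violation; an empty list means the
    configuration meets the listed prerequisites."""
    findings = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "feature telnet":
            findings.append("telnet: Telnet server enabled; disable it and use SSH only")
        elif line.startswith("snmp-server community "):
            # Community strings are SNMPv1/v2c; FIPS requires them gone.
            findings.append(f"snmpv1/v2: community configured: {line}")
        elif line.startswith("snmp-server user "):
            name = line.split()[2]
            auth = re.search(r"\bauth\s+(md5|sha)\b", line)
            if auth is None or auth.group(1) != "sha":
                findings.append(f"snmpv3: user {name} must use SHA authentication")
            priv = re.search(r"\bpriv\b(?:\s+(aes-128))?", line)
            if priv is None or priv.group(1) is None:
                findings.append(f"snmpv3: user {name} must use AES privacy")
    for key_type in ssh_key_types:
        if key_type.lower() == "rsa1":
            findings.append("ssh: RSA1 server key pair present; delete it before enabling FIPS")
    return findings


if __name__ == "__main__":
    for finding in check_fips_prerequisites(SAMPLE_CONFIG, SAMPLE_SSH_KEY_TYPES):
        print(finding)
```

Run against the constructed sample it reports five findings (Telnet, the community string, two for the md5/DES user, and the RSA1 key); the auditor user, configured with SHA and AES, produces none.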
Examples
This example shows how to enable FIPS mode:
This example shows how to disable FIPS mode:
Related Commands
Displays the status of Federal Information Processing Standard (FIPS) mode.
fragments
To optimize whether an IPv4 or IPv6 ACL permits or denies noninitial fragments that do not match an explicit permit or deny command in the ACL, use the fragments command. To disable fragment optimization, use the no form of this command.
fragments { deny-all | permit-all }
no fragments { deny-all | permit-all }
Syntax Description
Defaults
Command Modes
IPv4 ACL configuration
IPv6 ACL configuration
Command History
Usage Guidelines
The fragments command simplifies the configuration of an IP ACL when you want to permit or deny noninitial fragments that do not match an explicit permit or deny command in the ACL. Instead of controlling noninitial fragment handling with many permit or deny commands that specify the fragments keyword, you can use the single fragments command.
When a device applies an ACL that contains the fragments command to traffic, the fragments command matches only noninitial fragments that do not match any explicit permit or deny command in the ACL.
Examples
This example shows how to enable fragment optimization in an IPv4 ACL named lab-acl. The permit-all keyword means that the ACL permits any noninitial fragment that does not match a deny command that includes the fragments keyword.
This example shows the lab-acl IPv4 ACL, which includes the fragments command. The fragments command appears at the beginning of the ACL for convenience, but the device permits noninitial fragments only after they fail to match all other explicit rules in the ACL.
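The evaluation order just described, as an added Python model that is not NX-OS code: explicit rules are checked first, and only a noninitial fragment that matches none of them takes the permit-all or deny-all result. The rules in LAB_ACL are constructed (the page names lab-acl but does not list its entries). Modelling assumptions: a noninitial fragment has no Layer 4 header, so a rule that tests a port cannot match it, and a rule entered with the fragments keyword matches only noninitial fragments.

```python
"""Simplified model of how an IP ACL that contains the fragments command
treats packets. Example code, not NX-OS code. Modelling assumptions: rules are
evaluated in order; a noninitial fragment carries no Layer 4 header, so a rule
that tests a port cannot match it; a rule entered with the fragments keyword
matches only noninitial fragments; a noninitial fragment that matches no
explicit rule takes the fragments permit-all / deny-all result; everything
else unmatched hits the implicit deny at the end of the ACL."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" (any), "tcp" or "udp"
    src: str                     # source prefix, "0.0.0.0/0" for any
    dst: str                     # destination prefix
    dst_port: Optional[int] = None
    fragments: bool = False      # per-rule 'fragments' keyword


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dst_port: Optional[int] = None       # None when no Layer 4 header is present
    noninitial_fragment: bool = False


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.fragments and not pkt.noninitial_fragment:
        return False                      # keyword rules see only noninitial fragments
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if rule.dst_port is not None:
        if pkt.noninitial_fragment or pkt.dst_port != rule.dst_port:
            return False                  # no port to test in a noninitial fragment
    return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst))


def evaluate_acl(rules: List[Rule], fragments_default: Optional[str],
                 pkt: Packet) -> Tuple[str, str]:
    """fragments_default is None, "permit-all" or "deny-all". Returns the
    action taken and which part of the ACL produced it."""
    for index, rule in enumerate(rules, start=1):
        if rule_matches(rule, pkt):
            return rule.action, f"rule {index}"
    if pkt.noninitial_fragment and fragments_default is not None:
        return fragments_default.split("-")[0], f"fragments {fragments_default}"
    return "deny", "implicit deny"


# Constructed rules for an ACL in the spirit of the page's lab-acl example.
LAB_ACL = [
    Rule("deny", "ip", "0.0.0.0/0", "10.23.176.9/32", fragments=True),
    Rule("permit", "tcp", "10.0.0.0/8", "10.23.176.0/24", dst_port=443),
]

if __name__ == "__main__":
    frag = Packet("tcp", "10.1.1.1", "10.23.176.10", noninitial_fragment=True)
    print(evaluate_acl(LAB_ACL, "permit-all", frag))   # ('permit', 'fragments permit-all')
```

The model makes the trade-off visible: with permit-all, a noninitial fragment to a host that has no explicit deny-with-fragments rule gets through even though the port-based permit rule could not match it, while with deny-all or no fragments command at all the same fragment is dropped.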
Related Commands
gt
To specify a greater-than group member for an IP port object group, use the gt command. A greater-than group member matches port numbers that are greater than (and not equal to) the port number specified in the member. To remove a greater-than group member from the port-object group, use the no form of this command.
[ sequence-number ] gt port-number
no { sequence-number | gt port-number }
Syntax Description
Defaults
Command Modes
IP port object group configuration
Command History
Usage Guidelines
IP port object groups are not directional. Whether a gt command matches a source or destination port or whether it applies to inbound or outbound traffic depends upon how you use the object group in an ACL.
Examples
This example shows how to configure an IP port object group named port-group-05 with a group member that matches traffic sent to or from port 49152 through port 65535:
Related Commands
hardware access-list allow deny ace
To enable support for deny access control entries (ACEs) in sequence-based features, use the hardware access-list allow deny ace command. To disable this feature, use the no form of the command.
hardware access-list allow deny ace
no hardware access-list allow deny ace
Syntax Description
Defaults
Command Modes
Command History
Usage Guidelines
This command does not require a license.
Note The deny ACE feature is not supported on F1 modules.
Examples
This example shows how to enable the deny ACE feature:
This example shows how to disable the deny ACE feature:
Related Commands
Configures how a supervisor module updates an I/O module with changes to an ACL.
hardware access-list capture
To enable access control list (ACL) capture on all virtual device contexts (VDCs), use the hardware access-list capture command. To disable ACL capture, use the no form of the command.
hardware access-list capture
no hardware access-list capture
Syntax Description
Defaults
Command Modes
Command History
Usage Guidelines
Only M Series modules support ACL capture.
ACL capture is a hardware-assisted feature and is not supported for the management interface or for control packets originating in the supervisor. It is also not supported for software ACLs such as SNMP community ACLs and virtual teletype (VTY) ACLs.
Enabling ACL capture disables ACL logging for all VDCs and the rate limiter for ACL logging.
Only one ACL capture session can be active at any given time in the system across VDCs.
Examples
This example shows how to enable ACL capture on all VDCs:
Related Commands
Configures how a supervisor module updates an I/O module with changes to an ACL.
hardware access-list resource feature bank-mapping
To enable access control list (ACL) ternary content addressable memory (TCAM) bank mapping for feature groups and classes, use the hardware access-list resource feature bank-mapping command. To disable ACL TCAM bank mapping, use the no form of the command.
hardware access-list resource feature bank-mapping
no hardware access-list resource feature bank-mapping
Syntax Description
Defaults
Command Modes
Command History
Usage Guidelines
This command is available only in the default virtual device context (VDC) but applies to all VDCs.
F1 Series modules do not support ACL TCAM bank mapping. Resource pooling and ACL TCAM bank mapping cannot be enabled at the same time.
Examples
This example shows how to enable ACL TCAM bank mapping for feature groups and classes:
Related Commands
Displays the ACL TCAM bank mapping feature group and class combination tables.
hardware access-list resource pooling
To allow ACL-based features to use more than one TCAM bank on one or more I/O modules, use the hardware access-list resource pooling command. You can also enable the flexible TCAM bank chaining feature in PORT-VLAN or VLAN-VLAN mode. To restrict ACL-based features to one TCAM bank on an I/O module, use the no form of this command.
hardware access-list resource pooling [ port-vlan | vlan-vlan ] module { module-number | all }
no hardware access-list resource pooling [ port-vlan | vlan-vlan ] module { module-number | all }
Syntax Description
Defaults
Command Modes
Command History
This command was modified to support the flexible bank chaining feature with VLAN-VLAN and PORT-VLAN modes.
The hyphen was removed between the resource and pooling keywords.
Usage Guidelines
By default, each ACL-based feature can use one TCAM bank on an I/O module, which limits each feature to 16,000 TCAM entries. If you have very large security ACLs, you may encounter this limit. This command makes more than 16,000 TCAM entries available to ACL-based features.
If you want to enable bank chaining for the entire system, Cisco recommends adding the configuration for the entire module range, even if a module is not present, using the module range command, as described in the Examples section.
Examples
This example shows how to enable ACL programming across TCAM banks on the I/O module in slot 1:
This example shows how to enable bank chaining for all modules in a 10-slot chassis (excluding supervisor slots 5 and 6):
When a new module is inserted, bank chaining is enabled automatically for that module, without you having to remember to enter the command.
This example shows how to enable VLAN-VLAN mode for module 3:
Related Commands
hardware access-list update
To configure how a supervisor module updates an I/O module with changes to an access-control list (ACL), use the hardware access-list update command in the default virtual device context (VDC). To disable atomic updates, use the no form of this command.
hardware access-list update { atomic | default-result permit }
no hardware access-list update { atomic | default-result permit }
Syntax Description
Defaults
Command Modes
Command History
This command was introduced to replace the platform access-list update command.
Usage Guidelines
In Cisco NX-OS Release 4.1(4) and later releases, the hardware access-list update command is available in the default VDC only and affects all VDCs.
By default, when a supervisor module of a Cisco Nexus 7000 Series device updates an I/O module with changes to an ACL, it performs an atomic ACL update. An atomic update does not disrupt traffic that the updated ACL applies to; however, an atomic update requires that an I/O module that receives an ACL update has enough available resources to store each updated ACL entry in addition to all preexisting entries in the affected ACL. After the update occurs, the additional resources used for the update are freed. If the I/O module lacks the required resources, the device generates an error message and the ACL update to the I/O module fails.
If an I/O module lacks the resources required for an atomic update, you can disable atomic updates by using the no hardware access-list update atomic command in the default VDC; however, during the brief time required for the device to remove the preexisting ACL and implement the updated ACL, traffic that the ACL applies to is dropped by default.
If you want to permit all traffic that an ACL applies to while it receives a nonatomic update, use the hardware access-list update default-result permit command in the default VDC.
Examples
Note In Cisco NX-OS Release 4.1(4) and later releases, the hardware access-list update command is available in the default VDC only. To verify that the current VDC is the VDC 1 (the default VDC), use the show vdc current-vdc command.
This example shows how to disable atomic ACL updates:
This example shows how to permit affected traffic during a nonatomic ACL update:
This example shows how to revert to the atomic update method:
Related Commands
Displays the running configuration, including the default configuration.
hardware rate-limiter
To configure rate limits in packets per second on supervisor-bound traffic, use the hardware rate-limiter command. To revert to the default, use the no form of this command.
hardware rate-limiter { access-list-log { packets | disable } [ module module [ port start end ]] | copy { packets | disable } [ module module [ port start end ]] | f1 { rl-1 { packets | disable } [ module module [ port start end ]] | rl-2 { packets | disable } [ module module [ port start end ]] | rl-3 { packets | disable } [ module module [ port start end ]] | rl-4 { packets | disable } [ module module [ port start end ]] | rl-5 { packets | disable } [ module module [ port start end ]]} | layer-2 { l2pt { packets | disable } [ module module [ port start end ]] | mcast-snooping { packets | disable } [ module module [ port start end ]] | port-security { packets | disable } [ module module [ port start end ]] | storm-control { packets | disable } [ module module [ port start end ]] | vpc-low { packets | disable } [ module module [ port start end ]]} | layer-3 { control { packets | disable } [ module module [ port start end ]] | glean { packets | disable } [ module module [ port start end ]] | glean-fast { packets | disable } [ module module [ port start end] ] | mtu { packets | disable } [ module module [ port start end ]] | multicast { packets | disable } [ module module [ port start end ]] | ttl { packets | disable } [ module module [ port start end ]]} | receive { packets | disable } [ module module [ port start end ]] | [ portgroup-multiplier multiplier module module ]
no hardware rate-limiter { access-list-log { packets | disable } [ module module [ port start end ]] | copy { packets | disable } [ module module [ port start end ]] | f1 { rl-1 { packets | disable } [ module module [ port start end ]] | rl-2 { packets | disable } [ module module [ port start end ]] | rl-3 { packets | disable } [ module module [ port start end ]] | rl-4 { packets | disable } [ module module [ port start end ]] | rl-5 { packets | disable } [ module module [ port start end ]]} | layer-2 { l2pt { packets | disable } [ module module [ port start end ]] | mcast-snooping { packets | disable } [ module module [ port start end ]] | port-security { packets | disable } [ module module [ port start end ]] | storm-control { packets | disable } [ module module [ port start end ]] | vpc-low { packets | disable } [ module module [ port start end ]]} | layer-3 { control { packets | disable } [ module module [ port start end ]] | glean { packets | disable } [ module module [ port start end ]] | glean-fast { packets | disable } [ module module [ port start end ]] | mtu { packets | disable } [ module module [ port start end ]] | multicast { packets | disable } [ module module [ port start end ]] | ttl { packets | disable } [ module module [ port start end ]]} | receive { packets | disable } [ module module [ port start end ]] | [ portgroup-multiplier multiplier module module ]
Syntax Description
Defaults
See the Syntax Description for the default rate limits.
Command Modes
Command History
Usage Guidelines
Glean fast-path is enabled by default. If glean fast-path programming does not occur due to adjacency resource exhaustion, the system falls back to regular glean programming.
The hardware rate-limiter layer-3 glean-fast { packets | disable } [ module module [ port start end ]] command sends packets to the supervisor from F2e, M1, or M2 Series modules.
The hardware rate-limiter portgroup-multiplier multiplier module module command applies the multiplier to the rate limit. For example, if you configured the ttl rate-limiter as 1000 pps and the multiplier value was 0.5, each ASIC instance would be programmed with 500 pps.
Examples
This example shows how to configure a rate limit for control packets:
This example shows how to revert to the default rate limit for control packets:
Related Commands
host (IPv4)
To specify a host or a subnet as a member of an IPv4-address object group, use the host command. To remove a group member from an IPv4-address object group, use the no form of this command.
[ sequence-number ] host IPv4-address
no { sequence-number | host IPv4-address }
[ sequence-number ] IPv4-address network-wildcard
no IPv4-address network-wildcard
[ sequence-number ] IPv4-address / prefix-len
Syntax Description
Defaults
Command Modes
IPv4 address object group configuration
Command History
Usage Guidelines
To specify a subnet as a group member, use either of the following forms of this command:
[ sequence-number ] IPv4-address network-wildcard
[ sequence-number ] IPv4-address / prefix-len
Regardless of the command form that you use to specify a subnet, the device shows the IP-address / prefix-len form of the group member when you use the show object-group command.
To specify a single IPv4 address as a group member, use any of the following forms of this command:
[ sequence-number ] host IPv4-address
[ sequence-number ] IPv4-address 0.0.0.0
[ sequence-number ] IPv4-address /32
Regardless of the command form that you use to specify a single IPv4 address, the device shows the host IP-address form of the group member when you use the show object-group command.
Examples
This example shows how to configure an IPv4-address object group named ipv4-addr-group-13 with two group members that are specific IPv4 addresses and one group member that is the 10.23.176.0 subnet:
Related Commands
host (IPv6)
To specify a host or a subnet as a member of an IPv6-address object group, use the host command. To remove a group member from an IPv6-address object group, use the no form of this command.
[ sequence-number ] host IPv6-address
no { sequence-number | host IPv6-address }
[ sequence-number ] IPv6-address / network-prefix
no IPv6-address / network-prefix
Syntax Description
Defaults
Command Modes
IPv6 address object group configuration
Command History
Usage Guidelines
To specify a subnet as a group member, use the following form of this command:
[ sequence-number ] IPv6-address / network-prefix
To specify a single IP address as a group member, use any of the following forms of this command:
[ sequence-number ] host IPv6-address
[ sequence-number ] IPv6-address /128
Regardless of the command form that you use to specify a single IPv6 address, the device shows the host IPv6-address form of the group member when you use the show object-group command.
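The normalization that the host (IPv4) and host (IPv6) guidelines describe, as an added Python example that is not NX-OS code: every accepted member form is reduced to what show object-group displays, address/prefix-len for a subnet and host address for a single address. The wildcard-to-prefix conversion, the rejection of non-contiguous wildcards (which have no prefix-len equivalent), and the sample members are this example's own choices.

```python
"""Normalize address object-group members to the display form described on
the page: subnets as address/prefix-len, single addresses as 'host ADDRESS'.
Example code, not NX-OS code. Rejecting a non-contiguous wildcard is a choice
of this example, since such a mask has no prefix-len representation."""
import ipaddress


def wildcard_to_prefix_len(wildcard: str) -> int:
    """Convert an IPv4 network-wildcard (0 bits = must match) to a prefix length."""
    bits = int(ipaddress.IPv4Address(wildcard))
    host_bits = bits.bit_length()
    if bits != (1 << host_bits) - 1:          # wildcard must be a run of low 1-bits
        raise ValueError(f"non-contiguous wildcard mask {wildcard}")
    return 32 - host_bits


def normalize_member(member: str) -> str:
    """member is one group-member line, with or without its sequence number:
    'host A', 'A network-wildcard' (IPv4 only) or 'A/prefix-len'."""
    parts = member.split()
    if parts and parts[0].isdigit():          # drop a leading sequence-number
        parts = parts[1:]
    if not parts:
        raise ValueError("empty group member")
    if parts[0] == "host":
        return f"host {ipaddress.ip_address(parts[1])}"
    if len(parts) == 2:                       # IPv4-address network-wildcard form
        prefix_len = wildcard_to_prefix_len(parts[1])
        net = ipaddress.ip_network(f"{parts[0]}/{prefix_len}", strict=False)
    else:                                     # address/prefix-len form, IPv4 or IPv6
        net = ipaddress.ip_network(parts[0], strict=False)
    if net.prefixlen == net.max_prefixlen:    # /32 or /128 is a single host
        return f"host {net.network_address}"
    return str(net)


# Constructed sample members mixing the forms the page lists.
SAMPLE_MEMBERS = [
    "10 host 10.23.176.9",
    "20 10.23.176.0 0.0.0.255",
    "30 10.23.176.10 0.0.0.0",
    "40 10.23.176.11/32",
    "10 host 2001:db8::1",
    "20 2001:db8:0:3ab7::/64",
]

if __name__ == "__main__":
    for line in SAMPLE_MEMBERS:
        print(f"{line:32} -> {normalize_member(line)}")
```

strict=False lets a member such as 10.23.176.5/24 through by masking the host bits; if you would rather surface such entries during a review, pass strict=True and catch the ValueError.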
Examples
This example shows how to configure an IPv6-address object group named ipv6-addr-group-A7 with two group members that are specific IPv6 addresses and one group member that is the 2001:db8:0:3ab7:: subnet:
Related Commands