- radius abort
- radius commit
- radius distribute
- radius-server deadtime
- radius-server directed-request
- radius-server host
- radius-server key
- radius-server retransmit
- radius-server test
- radius-server timeout
- range
- rate-limit cpu direction
- remark
- replay-protection
- resequence
- revocation-check
- role abort
- role commit
- role distribute
- role feature-group name
- role name
- rsakeypair
- rule
- sap modelist
- sap pmk
- send-lifetime
- server
- service dhcp
- service-policy input
- set cos
- set dscp (policy map class)
- set precedence (policy map class)
- source-interface
- ssh
- ssh key
- ssh login-attempts
- ssh server enable
- ssh6
- statistics per-entry
- storm-control level
- switchport port-security
- switchport port-security aging time
- switchport port-security aging type
- switchport port-security mac-address
- switchport port-security mac-address sticky
- switchport port-security maximum
- switchport port-security violation
- switchport port-security violation
R to S Commands
This chapter describes the Cisco NX-OS Security commands that begin with R to S.
radius abort
To discard a RADIUS Cisco Fabric Services distribution session in progress, use the radius abort command.
Syntax Description
Defaults
Command Modes
Command History
|
|
Usage Guidelines
Examples
This example shows how to discard a RADIUS Cisco Fabric Services distribution session in progress:
Related Commands
|
|
---|---|
Displays the RADIUS Cisco Fabric Services distribution status and other details. |
radius commit
To apply the pending configuration pertaining to the RADIUS Cisco Fabric Services (CFS) distribution session in progress in the fabric, use the radius commit command.
Syntax Description
Defaults
Command Modes
Command History
|
|
Usage Guidelines
Before committing the RADIUS configuration to the fabric, all switches in the fabric must have distribution enabled using the radius distribute command.
CFS does not distribute the RADIUS server group configurations, periodic RADIUS server testing configurations, or server and global keys. The keys are unique to the Cisco NX-OS device and are not shared with other Cisco NX-OS devices.
Examples
This example shows how to initiate distribution of a RADIUS configuration to the switches in the fabric:
Related Commands
|
|
---|---|
Displays the RADIUS Cisco Fabric Services distribution status and other details. |
radius distribute
To enable Cisco Fabric Services distribution for RADIUS, use the radius distribute command. To disable this feature, use the no form of the command.
Syntax Description
Defaults
Command Modes
Command History
|
|
Usage Guidelines
CFS does not distribute the RADIUS server group configurations, periodic RADIUS server testing configurations, or server and global keys. The keys are unique to the Cisco NX-OS device and are not shared with other Cisco NX-OS devices.
Examples
This example shows how to enable RADIUS fabric distribution:
This example shows how to disable RADIUS fabric distribution:
Related Commands
|
|
---|---|
Displays the RADIUS Cisco Fabric Services distribution status. |
radius-server deadtime
To configure the dead-time interval for all RADIUS servers on a Cisco NX-OS device, use the radius-server deadtime command. To revert to the default, use the no form of this command.
radius-server deadtime minutes
no radius-server deadtime minutes
Syntax Description
Number of minutes for the dead-time interval. The range is from 1 to 1440 minutes. |
Defaults
Command Modes
Command History
|
|
Usage Guidelines
The dead-time interval is the number of minutes before the Cisco NX-OS device checks a RADIUS server that was previously unresponsive.
Note The default idle timer value is 0 minutes. When the idle time interval is 0 minutes, periodic RADIUS server monitoring is not performed.
Examples
This example shows how to configure the global dead-time interval for all RADIUS servers to perform periodic monitoring:
This example shows how to revert to the default for the global dead-time interval for all RADIUS servers and disable periodic server monitoring:
Related Commands
|
|
---|---|
radius-server directed-request
To allow users to send authentication requests to a specific RADIUS server when logging in, use the radius-server directed request command. To revert to the default, use the no form of this command.
radius-server directed-request
no radius-server directed-request
Syntax Description
Defaults
Sends the authentication request to the configured RADIUS server group
Command Modes
Command History
|
|
Usage Guidelines
You can specify the username @ vrfname : hostname during login, where vrfname is the virtual routing and forwarding (VRF) instance to use and hostname is the name of a configured RADIUS server. The username is sent to the RADIUS server for authentication.
Examples
This example shows how to allow users to send authentication requests to a specific RADIUS serve when logging in:
This example shows how to disallow users to send authentication requests to a specific RADIUS server when logging in:
Related Commands
|
|
---|---|
radius-server host
To configure RADIUS server parameters, use the radius-server host command. To revert to the default, use the no form of this command.
radius-server host { hostname | ipv4-address | ipv6-address }
[ key [ 0 | 7 ] shared-secret [ pac ]] [ accounting ]
[ acct-port port-number ] [ auth-port port-number ] [ authentication ] [ retransmit count ]
[ test { idle-time time | password password | username name }]
[ timeout seconds [ retransmit count ]]
no radius-server host { hostname | ipv4-address | ipv6-address }
[ key [ 0 | 7 ] shared-secret [ pac ]] [ accounting ]
[ acct-port port-number ] [ auth-port port-number ] [ authentication ] [ retransmit count ]
[ test { idle-time time | password password | username name }]
[ timeout seconds [ retransmit count ]]
Syntax Description
Defaults
Command Modes
Command History
|
|
Usage Guidelines
When the idle time interval is 0 minutes, periodic RADIUS server monitoring is not performed.
Examples
This example shows how to configure RADIUS server authentication and accounting parameters:
Related Commands
|
|
---|---|
radius-server key
To configure a RADIUS shared secret key, use the radius-server key command. To remove a configured shared secret, use the no form of this command.
radius-server key [ 0 | 6 | 7 ] shared-secret
no radius-server key [ 0 | 6 | 7 ] shared-secret
Syntax Description
Defaults
Command Modes
Command History
|
|
Usage Guidelines
You must configure the RADIUS preshared key to authenticate the switch to the RADIUS server. The length of the key is restricted to 63 characters and can include any printable ASCII characters (white spaces are not allowed). You can configure a global key to be used for all RADIUS server configurations on the switch. You can override this global key assignment by using the key keyword in the radius-server host command.
Examples
This example shows how to provide various scenarios to configure RADIUS authentication:
Related Commands
|
|
---|---|
radius-server retransmit
To specify the number of times that the device should try a request with a RADIUS server, use the radius-server retransmit command. To revert to the default, use the no form of this command.
radius-server retransmit count
no radius-server retransmit count
Syntax Description
Number of times that the device tries to connect to a RADIUS server(s) before reverting to local authentication. The range is from 1 to 5 times. |
Defaults
Command Modes
Command History
|
|
Usage Guidelines
Examples
This example shows how to configure the number of retransmissions to RADIUS servers:
This example shows how to revert to the default number of retransmissions to RADIUS servers:
Related Commands
|
|
---|---|
radius-server test
To monitor the availability of all RADIUS servers without having to configure the test parameters for each server individually, use the radius-server test command. To disable this configuration, use the no form of this command.
radius-server test { idle-time time | password password | username name }
no radius-server test { idle-time time | password password | username name }
Syntax Description
Defaults
Server monitoring: Disabled
Idle time: 0 minutes
Test username: test
Test password: test
Command Modes
Command History
|
|
Usage Guidelines
To use this command, you must enable RADIUS authentication.
Any servers for which test parameters are not configured are monitored using the global level parameters.
Test parameters that are configured for individual servers take precedence over global test parameters.
When the idle time interval is 0 minutes, periodic RADIUS server monitoring is not performed.
Examples
This example shows how to configure the parameters for global RADIUS server monitoring:
Related Commands
|
|
---|---|
radius-server timeout
To specify the time between retransmissions to the RADIUS servers, use the radius-server timeout command. To revert to the default, use the no form of this command.
no radius-server timeout seconds
Syntax Description
Number of seconds between retransmissions to the RADIUS server. The range is from 1 to 60 seconds. |
Defaults
Command Modes
Command History
|
|
Usage Guidelines
Examples
This example shows how to configure the timeout interval:
This example shows how to revert to the default interval:
Related Commands
|
|
---|---|
range
To specify a range of ports as a group member in an IP port object group, use the range command. To remove a port range group member from port object group, use the no form of this command.
[ sequence-number ] range starting-port-number ending-port-number
no { sequence-number | range starting-port-number ending-port-number }
Syntax Description
Defaults
Command Modes
IP port object group configuration
Command History
|
|
Usage Guidelines
IP port object groups are not directional. Whether a range command matches a source or destination port or whether it applies to inbound or outbound traffic depends upon how you use the object group in an ACL.
Examples
This example shows how to configure an IP port object group named port-group-05 with a group member that matches traffic sent to or from port 137 through port 139:
Related Commands
rate-limit cpu direction
To configure rate limits globally on the device for packets that reach the supervisor module, use the rate-limit cpu direction command. To remove the rate limit configuration, use the no form of this command.
rate-limit cpu direction {input | output | both} pps packets action log
no rate-limit cpu direction {input | output | both} pps packets action log
Syntax Description
Defaults
Command Modes
Command History
|
|
Usage Guidelines
If the rate of incoming or outgoing packets exceeds the configured rate limit, the device logs a system message but does not drop any packets.
F1 Series modules support up to five rate limiters shared among all control traffic sent to the Supervisor module.
Examples
This example shows how to configure rate limits globally on the device for packets that reach the supervisor module:
This example shows how to remove the global rate limit configuration:
Related Commands
|
|
---|---|
Displays the inband and outband global rate limit configuration for packets that reach the supervisor module. |
remark
To enter a comment into an IPv4, IPv6, or MAC access control list (ACL), use the remark command. To remove a remark command, use the no form of this command.
[ sequence-number ] remark remark
no { sequence-number | remark remark }
Syntax Description
Defaults
Command Modes
IP access-list configuration
IPv6 access-list configuration
MAC access-list configuration
Command History
|
|
Support for the IPv6 access-list configuration mode was added. |
|
Usage Guidelines
This command does not require a license.
The remark argument can be up to 100 characters. If you enter more than 100 characters for the remark argument, the device accepts the first 100 characters and drops any additional characters.
Examples
This example shows how to create a remark in an IPv4 ACL and display the results:
Related Commands
|
|
---|---|
replay-protection
To enable the data-path replay protection feature for Cisco TrustSec authentication on an interface, use the replay-protection command. To disable the data-path replay protection feature, use the no form of this command.
Syntax Description
Defaults
Command Modes
Cisco TrustSec 802.1X configuration
Command History
|
|
Usage Guidelines
This command is not supported for F1 Series modules and F2 Series modules.
To use this command, you must enable the Cisco TrustSec feature using the feature cts command.
After using this command, you must enable and disable the interface using the shutdown / no shutdown command sequence for the configuration to take effect.
Examples
This example shows how to enable data-path protect for Cisco TrustSec authentication on an interface:
This example shows how to disable data-path protect for Cisco TrustSec authentication on an interface:
Related Commands
|
|
---|---|
Enters Cisco TrustSec 802.1X configuration mode for an interface. |
|
resequence
To reassign sequence numbers to all rules in an access control list (ACL) or a time range, use the resequence command.
resequence access-list-type access-list access-list-name starting-sequence-number increment
resequence time-range time-range-name starting-sequence-number increment
Syntax Description
Defaults
Command Modes
Command History
|
|
Usage Guidelines
The resequence command allows you to reassign sequence numbers to the rules of an ACL or time range. The new sequence number for the first rule is determined by the starting-sequence-number argument. Each additional rule receives a new sequence number determined by the increment argument. If the highest sequence number would exceed the maximum possible sequence number, then no sequencing occurs and the following message appears:
Examples
This example shows how to resequence an IPv4 ACL named ip-acl-01 with a starting sequence number of 100 and an increment of 10, using the show ip access-lists command to verify sequence numbering before and after the use of the resequence command:
Related Commands
|
|
---|---|
revocation-check
To configure trustpoint revocation check methods, use the revocation-check command. To discard the revocation check configuration, use the no form of this command.
revocation-check { crl [ none ] | none }
no revocation-check { crl [ none ] | none }
Syntax Description
Specifies the locally stored certificate revocation list (CRL) as the place to check for revoked certificates. |
|
(Optional) Specifies that no checking is performed for revoked certificates. |
Defaults
By default, the revocation checking method for a trustpoint is CRL.
Command Modes
Command History
|
|
---|---|
Usage Guidelines
A revocation check can perform one or more of the methods which you specify as an ordered list. During peer certificate verification, each method is tried in the specified order until one method succeeds by providing the revocation status. When you specify none as the method, it means that there is no need to check the revocation status, and the peer certificate is not revoked. If none is the first method that you specify in the method list, you cannot specify subsequent methods because checking is not required.
Examples
This example shows how to check for revoked certificates in the locally stored CRL:
This example shows how to do no checking for revoked certificates:
Related Commands
|
|
---|---|
Configures a CRL or overwrites the existing one for the trustpoint CA. |
|
role abort
To discard a user role Cisco Fabric Services distribution session in progress, use the role abort command.
Syntax Description
Defaults
Command Modes
Command History
|
|
Usage Guidelines
Examples
This example shows how to discard a user role Cisco Fabric Services distribution session in progress:
Related Commands
|
|
---|---|
Displays the user role Cisco Fabric Services distribution status and other details. |
role commit
To apply the pending configuration pertaining to the user role Cisco Fabric Services distribution session in progress in the fabric, use the role commit command.
Syntax Description
Defaults
Command Modes
Command History
|
|
Usage Guidelines
Before committing the user role configuration to the fabric, all switches in the fabric must have distribution enabled using the role distribute command.
Examples
This example shows how to initiate distribution of a user role configuration to the switches in the fabric:
Related Commands
|
|
---|---|
Displays the user role Cisco Fabric Services distribution status and other details. |
role distribute
To enable Cisco Fabric Services distribution for user roles, use the role distribute command. To disable this feature, use the no form of the command.
Syntax Description
Defaults
Command Modes
Command History
|
|
Usage Guidelines
Examples
This example shows how to enable role fabric distribution:
This example shows how to disable role fabric distribution:
Related Commands
|
|
---|---|
role feature-group name
To create or specify a user role feature group and enter user role feature group configuration mode, use the role feature-group name command. To delete a user role feature group, use the no form of this command.
role feature-group name group-name
no role feature-group name group-name
Syntax Description
User role feature group name. The group-name has a maximum length of 32 characters and is a case-sensitive, alphanumeric character string. |
Defaults
Command Modes
Command History
|
|
Usage Guidelines
The Cisco NX-OS software provides the default user role feature group L3 for Layer 3 features. You cannot modify or delete the L3 user role feature group.
Examples
This example shows how to create a user role feature group and enter user role feature group configuration mode:
This example shows how to remove a user role feature group:
Related Commands
|
|
---|---|
Specifies or creates a user role feature group and enters user role feature group configuration mode. |
|
role name
To create or modify a user role or privilege role and enter user role configuration mode, use the role name command. To delete a user role, use the no form of this command.
role name { role-name | priv- n }
no role name { role-name | priv- n }
Syntax Description
Defaults
Command Modes
Command History
|
|
Usage Guidelines
The Cisco NX-OS software provides four default user roles:
- network-admin—Complete read-and-write access to the entire Cisco NX-OS device (only available in the default VDC)
- network-operator—Complete read access to the entire Cisco NX-OS device (only available in the default VDC)
- vdc-admin—Read-and-write access limited to a VDC
- vdc-operator—Read access limited to a VDC
You cannot change or remove the default user roles.
You must follow these guidelines when changing the rules of privilege roles:
Examples
This example shows how to create a user role and enter user role configuration mode:
This example shows how to remove a user role:
This example shows how to enable privilege level 5 for users:
Related Commands
|
|
---|---|
Configure rules for a user role or for users of privilege roles. |
|
rsakeypair
To configure and associate the RSA key pair details to a trustpoint, use the rsakeypair command. To disassociate the RSA key pair from the trustpoint, use the no form of this command.
rsakeypair key-pair-label [ key-pair-size ]
no rsakeypair key-pair-label [ key-pair-size ]
Syntax Description
Name for the RSA key pair. The name is alphanumeric, case sensitive, and has a maximum of 64 characters. |
|
(Optional) Size for the RSA key pair. The size values are 512, 768, 1024, 1536, and 2048 bits. |
Defaults
The default key pair size is 512 if the key pair is not already generated.
Command Modes
Command History
|
|
---|---|
Usage Guidelines
You can associate only one RSA key pair with a trustpoint CA, even though you can associate the same key pair with many trustpoint CAs. This association must occur before you enroll with the CA to obtain an identity certificate. If the key pair was previously generated (using the crypto key generate command), then the key pair size, if specified, should be the same size as that was used during the generation. If the specified key pair is not yet generated, you can enter the crypto ca enroll command to generated the RSA key pair during the enrollment.
Note The no form of the rsakeypair command disassociates the key pair from the trustpoint. Before you enter the no rsakeypair command, first remove the identity certificate, if present, from the trustpoint CA to ensure that the association between the identity certificate and the key pair for a trustpoint is consistent.
Examples
This example shows how to associate an RSA key pair to a trustpoint:
This example shows how to disassociate an RSA key pair from a trustpoint:
Related Commands
|
|
---|---|
Requests certificates for the switch’s RSA key pair created for the trustpoint CA. |
|
rule
To configure rules for a user role or for users of privilege roles, use the rule command. To delete a rule, use the no form of this command.
rule number { deny | permit } { command command-string | { read | read-write } oid snmp_oid_name [ feature feature-name | feature-group group-name ]}
Syntax Description
Defaults
Command Modes
Command History
|
|
Usage Guidelines
You can configure up to 256 rules for each role.
The rule number that you specify determines the order in which the rules are applied. Rules are applied in descending order. For example, if a role has three rules, rule 3 is applied before rule 2, which is applied before rule 1.
Examples
This example shows how to add rules to a user role:
This example shows how to remove rule from a user role:
Related Commands
|
|
---|---|
Creates or specifies a user role name and enters user role configuration mode. |
|
sap modelist
To configure the Cisco TrustSec Security Association Protocol (SAP) operation mode, use the sap modelist command. To revert to the default, use the no form of this command.
sap modelist { gcm-encrypt | gmac | no-encap | none }
no sap modelist { gcm-encrypt | gmac | no-encap | none }
Syntax Description
Defaults
Command Modes
Cisco TrustSec 802.1X configuration
Command History
|
|
Usage Guidelines
To use this command, you must enable the Cisco TrustSec feature using the feature cts command.
After using this command, you must enable and disable the interface using the shutdown / no shutdown command sequence for the configuration to take effect.
Examples
This example shows how to configure Cisco TrustSec SAP operation mode on an interface:
This example shows how to revert to the default Cisco TrustSec SAP operation mode on an interface:
Related Commands
|
|
---|---|
Enters Cisco TrustSec 802.1X configuration mode for an interface. |
|
sap pmk
To manually configure the Cisco TrustSec Security Association Protocol (SAP) pairwise master key (PMK), use the sap pmk command. To remove the SAP configuration, use the no form of this command.
sap pmk [ key | [left-zero-padded] [display encrypt] | encrypted encrypted_pmk | use-dot1x } [ modelist { gcm-encrypt | gcm-encrypt-256 | gmac | no-encap | null }]
Syntax Description
Defaults
Command Modes
Cisco TrustSec manual configuration
Command History
|
|
This command was modified. The gcm-encrypt-256 keyword was added. |
|
The left-zero-padded, display encrypt and encrypted encrypted_pmk keywords and argument were added. |
|
Usage Guidelines
This command will be supported based on capability of the line card. Only M3 is currently capable and hence this will not be supported older generation line cards such as M1, M2, F1, F2, and F3. This command is not supported for F1 Series modules and F2 Series modules.
To use this command, you must enable the Cisco TrustSec feature using the feature cts command.
After using this command, you must enable and disable the interface using the shutdown / no shutdown command sequence for the configuration to take effect.
Examples
This example shows how to manually configure Cisco TrustSec SAP on an interface:
This example shows how to remove a manual Cisco TrustSec SAP configuration from an interface:
Related Commands
|
|
---|---|
Enters Cisco TrustSec manual configuration mode for an interface. |
|
send-lifetime
To specify the time interval within which the device sends the key during key exchange with another device, use the send-lifetime command. To remove the time interval, use the no form of this command.
send-lifetime [ local ] start-time [ duration duration-value | infinite | end-time ]
Syntax Description
Defaults
Command Modes
Command History
|
|
Usage Guidelines
This command does not require a license.
By default, the device interprets all time range rules as UTC.
By default, the time interval within which the device sends a key during key exchange with another device—the send lifetime—is infinite, which means that the key is always valid.
The start-time and end-time arguments both require time and date components, in the following format:
hour [: minute [: second ]] month day year
You specify the hour in 24-hour notation. For example, in 24-hour notation, 8:00 a.m. is 8:00 and 8:00 p.m. is 20:00. The minimum valid start-time is 00:00:00 Jan 1 1970, and the maximum valid start-time is 23:59:59 Dec 31 2037.
Examples
This example shows how to create a send lifetime that begins at midnight on June 13, 2008, and ends at 11:59:59 p.m. on August 12, 2008:
Related Commands
|
|
---|---|
server
To add a server to a RADIUS, TACACS+, or Lightweight Directory Access Protocol (LDAP) server group, use the server command. To delete a server from a server group, use the no form of this command.
server { ipv4-address | ipv6-address | hostname }
no server { ipv4-address | ipv6-address | hostname }
Syntax Description
Server name. The name is alphanumeric, case sensitive, and has a maximum of 256 characters. |
Defaults
Command Modes
RADlUS server group configuration
TACACS+ server group configuration
LDAP server group configuration
Command History
|
|
Usage Guidelines
You can configure up to 64 servers in a server group.
Use the aaa group server radius command to enter RADIUS server group configuration mode, the aaa group server tacacs+ command to enter TACACS+ server group configuration mode, or the aaa group server ldap command to enter LDAP server group configuration mode.
If the server is not found, use the radius-server host command, tacacs-server host command, or ldap-server host command to configure the server.
Note You must use the feature tacacs+ command before you configure TACACS+ and the feature ldap command before you configure LDAP.
Examples
This example shows how to add a server to a RADIUS server group:
This example shows how to delete a server from a RADIUS server group:
This example shows how to add a server to a TACACS+ server group:
This example shows how to delete a server from a TACACS+ server group:
This example shows how to add a server to an LDAP server group:
This example shows how to delete a server from an LDAP server group:
Related Commands
|
|
---|---|
service dhcp
To enable the DHCP relay agent, use the service dhcp command. To disable the DHCP relay agent, use the no form of this command.
Syntax Description
Defaults
Command Modes
Command History
|
|
This command was deprecated and replaced with the ip dhcp relay command. |
|
Usage Guidelines
Examples
This example shows how to globally enable DHCP snooping:
Related Commands
|
|
---|---|
Enables the insertion and removal of option-82 information from DHCP packets. |
|
Displays DHCP snooping configuration, including IP Source Guard configuration. |
service-policy input
To attach a control plane policy map to the control plane, use the service-policy input command. To remove a control plane policy map, use the no form of this command.
service-policy input policy-map-name
no service-policy input policy-map-name
Syntax Description
Defaults
Command Modes
Command History
|
|
Usage Guidelines
You can use this command only in the default virtual device context (VDC).
You can assign only one control place policy map to the control plane. To assign a new control plane policy map to the control plane, you must remove the old control plane policy map.
Examples
This example shows how to assign a control plane policy map to the control plane:
This example shows how to remove a control plane policy map from the control plane:
Related Commands
|
|
---|---|
Specifies a control plane policy map and enters policy map configuration mode. |
|
Displays configuration information for control plane policy maps. |
set cos
To set the IEEE 802.1Q class of service (CoS) value for a control plane policy map, use the set cos command. To revert to the default, use the no form of this command.
no set cos [ inner ] cos-value
Syntax Description
(Optional) Specifies the inner 802.1Q in a Q-in-Q environment. |
|
Numerical value of CoS in the control plane policy map. The range is from 0 to 7. |
Defaults
Command Modes
Policy map class configuration
Command History
|
|
Usage Guidelines
You can use this command only in the default virtual device context (VDC).
Examples
This example shows how to configure the CoS value for a control plane policy map:
This example shows how to revert to the default CoS value for a control plane policy map:
Related Commands
set dscp (policy map class)
To set the differentiated services code point (DSCP) value for IPv4 and IPv6 packets in a control plane policy map, use the set dscp command. To revert to the default, use the no form of this command.
set dscp [ tunnel ] { dscp-value | af11 | af12 | af13 | af21 | af22 | af23 | af31 | af32 | af33 | af41 | af42 | af43 | cs1 | cs2 | cs3 | cs4 | cs5 | cs6 | cs7 | ef | default }
no set dscp [ tunnel ] { dscp-value | af11 | af12 | af13 | af21 | af22 | af23 | af31 | af32 | af33 | af41 | af42 | af43 | cs1 | cs2 | cs3 | cs4 | cs5 | cs6 | cs7 | ef | default }
Syntax Description
Numerical value of CoS in the control plane policy map. The range is from 0 to63. |
|
Defaults
Command Modes
Policy map class configuration
Command History
|
|
Usage Guidelines
You can use this command only in the default virtual device context (VDC).
Examples
This example shows how to configure the DSCP value for a control plane policy map:
This example shows how to revert to the default DSCP value for a control plane policy map:
Related Commands
set precedence (policy map class)
To set the precedence value for IPv4 and IPv6 packets in a control plane policy map, use the set precedence command. To revert to the default, use the no form of this command.
set precedence [ tunnel ] { prec-value | critical | flash | flash-override | immediate | internet | network | priority | routine }
no set precedence [ tunnel ] { prec-value | critical | flash | flash-override | immediate | internet | network | priority | routine }
Syntax Description
Numerical value for DSCP precedence in the control plane policy map. The range is from 0 to 7. |
|
Specifies flash override precedence equal to precedence value 4. |
|
Defaults
Command Modes
Policy map class configuration
Command History
|
|
Usage Guidelines
You can use this command only in the default virtual device context (VDC).
Examples
This example shows how to configure the CoS value for a control plane policy map:
This example shows how to revert to the default CoS value for a control plane policy map:
Related Commands
source-interface
To assign a source interface for a specific RADIUS or TACACS+ server group, use the source-interface command. To revert to the default, use the no form of this command.
Syntax Description
Source interface. The supported interface types are ethernet, loopback, and mgmt 0. |
Defaults
Command Modes
RADIUS configuration
TACACS+ configuration
Command History
|
|
Usage Guidelines
The source-interface command to override the global source interface assigned by the ip radius source-interface command or ip tacacs source-interface command.
You must use the feature tacacs+ command before you configure TACACS+.
Examples
This example shows how to enter IP access list configuration mode for an IPv4 ACL named ip-acl-01:
Related Commands
ssh
To create a Secure Shell (SSH) session on the Cisco NX-OS device, use the ssh command.
ssh [ username @ ]{ ipv4-address | hostname } [ vrf vrf-name ]
Syntax Description
Defaults
Command Modes
Command History
|
|
Usage Guidelines
The Cisco NX-OS software supports SSH version 2.
To use IPv6 addressing for an SSH session, use the ssh6 command.
The Cisco NX-OS software supports a maximum of 60 concurrent SSH and Telnet sessions.
If you are planning to create an SSH session to a remote device from the boot mode of a Cisco NX-OS device, you must obtain the hostname for the remote device, enable the SSH server on the remote device, and ensure that the Cisco NX-OS device is loaded with only the kickstart image.
Examples
This example shows how to start an SSH session using IPv4:
This example shows how to create an SSH session to a remote device from the boot mode of the Cisco NX-OS device:
Related Commands
|
|
---|---|
Copies a file from the Cisco NX-OS device to a remote device using the Secure Copy Protocol (SCP). |
|
ssh key
To create a Secure Shell (SSH) server key for a virtual device context (VDC), use the ssh key command. To remove the SSH server key, use the no form of this command.
ssh key { dsa [ force ] | rsa [ length [ force ]]}
Syntax Description
Defaults
Command Modes
Command History
|
|
Usage Guidelines
The Cisco NX-OS software supports SSH version 2.
If you want to remove or replace an SSH server key, you must first disable the SSH server using the no feature ssh command.
Examples
This example shows how to create an SSH server key using DSA:
This example shows how to create an SSH server key using RSA with the default key length:
This example shows how to create an SSH server key using RSA with a specified key length:
This example shows how to replace an SSH server key using DSA with the force option:
This example shows how to remove the DSA SSH server key:
This example shows how to remove all SSH server keys:
Related Commands
|
|
---|---|
ssh login-attempts
To configure the maximum number of times that a user can attempt to log in to a Secure Shell (SSH) session, use the ssh login-attempts command. To disable the configuration, use the no form of this command.
Syntax Description
Maximum number of login attempts. The range is from 1 to 10. |
Defaults
Command Modes
Command History
|
|
Usage Guidelines
The total number of login attempts includes attempts through public-key authentication, certificate-based authentication, and password-based authentication.
This command does not require a license.
If the user exceeds the maximum number of permitted login attempts, the session disconnects.
Examples
This example shows how to configure the maximum number of times that a user can attempt to log in to an SSH session:
This example shows how to disable the SSH login attempt configuration:
Related Commands
|
|
---|---|
Displays the configured maximum number of SSH login attempts. |
ssh server enable
To enable the Secure Shell (SSH) server for a virtual device context (VDC), use the ssh server enable command. To disable the SSH server, use the no form of this command.
Syntax Description
Defaults
Command Modes
Command History
|
|
This command was deprecated and replaced with the feature ssh command. |
|
Usage Guidelines
Examples
This example shows how to enable the SSH server:
This example shows how to disable the SSH server:
Related Commands
|
|
---|---|
ssh6
To create a Secure Shell (SSH) session using IPv6 on the Cisco NX-OS device, use the ssh6 command.
ssh6 [ username @ ]{ ipv6-address | hostname } [ vrf vrf-name ]
Syntax Description
Defaults
Command Modes
Command History
|
|
Usage Guidelines
The Cisco NX-OS software supports SSH version 2.
To use IPv4 addressing to start an SSH session, use the ssh command.
The Cisco NX-OS software supports a maximum of 60 concurrent SSH and Telnet sessions.
Examples
This example shows how to start an SSH session using IPv6:
Related Commands
|
|
---|---|
statistics per-entry
To start recording statistics for how many packets are permitted or denied by each entry in an IP, a MAC access control list (ACL), or a VLAN access-map entry, use the statistics per-entry command. To stop recording per-entry statistics, use the no form of this command.
Syntax Description
Defaults
Command Modes
IP access-list configuration
IPv6 access-list configuration
MAC access-list configuration
VLAN access-map configuration
Command History
|
|
Usage Guidelines
When the device determines that an IPv4, IPv6, MAC, or VLAN ACL applies to a packet, it tests the packet against the conditions of all entries in the ACLs. ACL entries are derived from the rules that you configure with the applicable permit and deny commands. The first matching rule determines whether the packet is permitted or denied. Enter the statistics per-entry command to start recording how many packets are permitted or denied by each entry in an ACL.
Statistics are not supported if the DHCP snooping feature is enabled.
The device does not record statistics for implicit rules. To record statistics for these rules, you must explicitly configure an identical rule for each implicit rule. For more information about implicit rules, see the following commands:
To view per-entry statistics, use the show access-lists command or the applicable following command:
To clear per-entry statistics, use the clear access-list counters command or the applicable following command:
Examples
This example shows how to start recording per-entry statistics for an IPv4 ACL named ip-acl-101:
This example shows how to stop recording per-entry statistics for an IPv4 ACL named ip-acl-101:
This example shows how to start recording per-entry statistics for the ACLs in entry 20 in a VLAN access-map named vlan-map-01:
This example shows how to stop recording per-entry statistics for the ACLs in entry 20 in a VLAN access-map named vlan-map-01:
Related Commands
|
|
---|---|
Clears per-entry statistics for all IPv4, IPv6, and MAC ACLs, or for a specific ACL. |
storm-control level
To set the suppression level for traffic storm control, use the storm-control level command. To turn off the suppression mode or revert to the default, use the no form of this command.
storm-control { broadcast | multicast | unicast } level percentage [. fraction ]
no storm-control { broadcast | multicast | unicast } level
Syntax Description
Percentage of the suppression level. The range is from 0 to 100 percent. |
|
(Optional) Fraction of the suppression level. The range is from 0 to 99. |
Defaults
Command Modes
Command History
|
|
Usage Guidelines
Enter the storm-control level command to enable traffic storm control on the interface, configure the traffic storm-control level, and apply the traffic storm-control level to all traffic storm-control modes that are enabled on the interface.
Only one suppression level is shared by all three suppression modes. For example, if you set the broadcast level to 30 and set the multicast level to 40, both levels are enabled and set to 40.
The period (.) is required when you enter the fractional-suppression level.
The suppression level is a percentage of the total bandwidth. A threshold value of 100 percent means that no limit is placed on traffic. A threshold value of 0 or 0.0 (fractional) percent means that all specified traffic is blocked on a port.
Use the show interfaces counters broadcast command to display the discard count.
Use one of the follow methods to turn off suppression for the specified traffic type:
Examples
This example shows how to enable suppression of broadcast traffic and set the suppression threshold level:
This example shows how to disable the suppression mode for multicast traffic:
Related Commands
|
|
---|---|
Displays the storm-control suppression counters for an interface. |
|
switchport port-security
To enable port security on a Layer 2 Ethernet interface or Layer 2 port-channel interface, use the switchport port-security command. To remove port security configuration, use the no form of this command.
Syntax Description
Defaults
Command Modes
Command History
|
|
Usage Guidelines
Per interface, port security is disabled by default.
You must configure the interface as a Layer 2 interface by using the switchport command before you can use the switchport port-security command.
You must enable port security by using the feature port-security command before you can use the switchport port-security command.
If port security is enabled on any member port of the Layer 2 port-channel interface, the device does not allow you to disable port security on the port-channel interface. To do so, remove all secure member ports from the port-channel interface first. After disabling port security on a member port, you can add it to the port-channel interface again, as needed.
Enabling port security on an interface also enables the default method for learning secure MAC addresses, which is the dynamic method. To enable the sticky learning method, use the switchport port-security mac-address sticky command.
Examples
This example shows how to enable port security on the Ethernet 2/1 interface:
This example shows how to enable port security on the port-channel 10 interface:
Related Commands
switchport port-security aging time
To configure the aging time for dynamically learned, secure MAC addresses, use the switchport port-security aging time command. To return to the default aging time of 1440 minutes, use the no form of this command.
switchport port-security aging time minutes
no switchport port-security aging time minutes
Syntax Description
Length of time that a dynamically learned, secure MAC address must age before the device drops the address. Valid values are from 1 to 1440. |
Defaults
Command Modes
Command History
|
|
Usage Guidelines
The default aging time is 1440 minutes.
You must enable port security by using the feature port-security command before you can use the switchport port-security aging time command.
Before using this command, you must use the switchport command to configure the interface to operate as a Layer 2 interface.
Examples
This example shows how to configure an aging time of 120 minutes on the Ethernet 2/1 interface:
Related Commands
switchport port-security aging type
To configure the aging type for dynamically learned, secure MAC addresses, use the switchport port-security aging type command. To return to the default aging type, which is absolute aging, use the no form of this command.
switchport port-security aging type { absolute | inactivity }
no switchport port-security aging type { absolute | inactivity }
Syntax Description
Defaults
Command Modes
Command History
|
|
Usage Guidelines
The default aging type is absolute aging.
You must enable port security by using the feature port-security command before you can use the switchport port-security aging type command.
Before using this command, you must use the switchport command to configure the interface to operate as a Layer 2 interface.
Examples
This example shows how to configure the aging type to be “inactivity” on the Ethernet 2/1 interface:
Related Commands
switchport port-security mac-address
To configure a static, secure MAC address on an interface, use the switchport port-security mac-address command. To remove a static, secure MAC address from an interface, use the no form of this command.
switchport port-security mac-address address [ vlan vlan-ID ]
no switchport port-security mac-address address [ vlan vlan-ID ]
Syntax Description
Defaults
Command Modes
Command History
|
|
Usage Guidelines
There are no default static, secure MAC addresses.
You must enable port security by using the feature port-security command before you can use the switchport port-security mac-address command.
Before using this command, you must use the switchport command to configure the interface to operate as a Layer 2 interface.
Examples
This example shows how to configure 0019.D2D0.00AE as a static, secure MAC address on the Ethernet 2/1 interface:
Related Commands
switchport port-security mac-address sticky
To enable the sticky method for learning secure MAC addresses on a Layer 2 Ethernet interface or Layer 2 port-channel interface, use the switchport port-security mac-address sticky command. To disable the sticky method and return to the dynamic method, use the no form of this command.
switchport port-security mac-address sticky
no switchport port-security mac-address sticky
Syntax Description
Defaults
The sticky method of secure MAC address learning is disabled by default.
Command Modes
Command History
|
|
Usage Guidelines
You must enable port security by using the feature port-security command before you can use the switchport port-security mac-address sticky command.
Before using this command, you must use the switchport command to configure the interface to operate as a Layer 2 interface.
Examples
This example shows how to enable the sticky method of learning secure MAC addresses on the Ethernet 2/1 interface:
Related Commands
switchport port-security maximum
To configure the interface maximum or a VLAN maximum of secure MAC addresses on a Layer 2 Ethernet interface or Layer 2 port-channel interface, use the switchport port-security maximum command. To remove port security configuration, use the no form of this command.
switchport port-security maximum number [ vlan vlan-ID ]
no switchport port-security maximum number [ vlan vlan-ID ]
Syntax Description
Defaults
Command Modes
Command History
|
|
Usage Guidelines
The default interface maximum is one secure MAC address.
Enabling port security on an interface also enables the default method for learning secure MAC addresses, which is the dynamic method. To enable the sticky learning method, use the switchport port-security mac-address sticky command.
You must enable port security by using the feature port-security command before you can use the switchport port-security maximum command.
Before using this command, you must use the switchport command to configure the interface to operate as a Layer 2 interface.
There is no default VLAN maximum.
There is a system-wide, nonconfigurable maximum of 4096 secure MAC addresses.
This command does not require a license.
Maximums for Access Ports and Trunk Ports
For an interface used as an access port, we recommend that you use the default interface maximum of one secure MAC address.
For an interface used as a trunk port, set the interface maximum to a number that reflects the actual number of hosts that could use the interface.
Interface Maximums, VLAN Maximums, and the Device Maximum
The sum of all VLAN maximums that you configure on an interface cannot exceed the interface maximum. For example, if you configure a trunk-port interface with an interface maximum of 10 secure MAC addresses and a VLAN maximum of 5 secure MAC addresses for VLAN 1, the largest maximum number of secure MAC addresses that you can configure for VLAN 2 is also 5. If you tried to configure a maximum of 6 secure MAC addresses for VLAN 2, the device would not accept the command.
Examples
This example shows how to configure an interface maximum of 10 secure MAC addresses on the Ethernet 2/1 interface:
Related Commands
switchport port-security violation
To configure the action that the device takes when a security violation event occurs on an interface, use the switchport port-security violation command. To remove the port security violation action configuration, use the no form of this command.
switchport port-security violation { protect | restrict | shutdown }
no switchport port-security violation { protect | restrict | shutdown }
Syntax Description
Defaults
Command Modes
Command History
|
|
Usage Guidelines
The default security violation action is to shut down the interface.
You must enable port security by using the feature port-security command before you can use the switchport port-security violation command.
Before using this command, you must use the switchport command to configure the interface to operate as a Layer 2 interface.
Port security triggers security violations when either of the two following events occur:
- Ingress traffic arrives at an interface from a nonsecure MAC address and learning the address would exceed the applicable maximum number of secure MAC addresses.
When an interface has both a VLAN maximum and an interface maximum configured, a violation occurs when either maximum is exceeded. For example, consider the following on a single interface configured with port security:
– VLAN 1 has a maximum of 5 addresses
– The interface has a maximum of 10 addresses
The device detects a violation when any of the following occurs:
– The device has learned five addresses for VLAN 1 and inbound traffic from a sixth address arrives at the interface in VLAN 1.
– The device has learned 10 addresses on the interface and inbound traffic from an 11th address arrives at the interface.
- Ingress traffic from a secure MAC address arrives at a different interface in the same VLAN as the interface on which the address is secured.
Note After a secure MAC address is configured or learned on one secure port, the sequence of events that occurs when port security detects that secure MAC address on a different port in the same VLAN is known as a MAC move violation.
When a security violation occurs, the device takes the action specified by the port security configuration of the applicable interface. The possible actions are as follows:
- Shutdown—Shuts down the interface that received the packet triggering the violation. The interface is error disabled. This action is the default. After you reenable the interface, it retains its port security configuration, including its secure MAC addresses.
You can use the errdisable global configuration command to configure the device to reenable the interface automatically if a shutdown occurs, or you can manually reenable the interface by entering the shutdown and no shut down interface configuration commands.
- Restrict—Drops ingress traffic from any nonsecure MAC addresses. Address learning continues until 100 security violations have occurred on the interface. Traffic from addresses learned after the first security violation is dropped.
After 100 security violations occur, the device disables learning on the interface and drops all ingress traffic from nonsecure MAC addresses. In addition, the device generates an SNMP trap for each security violation.
- Protect—Prevents further violations from occurring. The address that triggered the security violation is learned but any traffic from the address is dropped. Further address learning stops.
If a violation occurs because ingress traffic from a secure MAC address arrives at a different interface than the interface on which the address is secure, the device applies the action on the interface that received the traffic.
Examples
This example shows how to configure an interface to respond to a security violation event with the protect action:
Related Commands
switchport port-security violation
To configure the action that the device takes when a security violation event occurs on an interface, use the switchport port-security violation command. To remove the port security violation action configuration, use the no form of this command.
switchport port-security violation { protect | restrict | shutdown }
no switchport port-security violation { protect | restrict | shutdown }
Syntax Description
Defaults
Command Modes
Command History
|
|
Usage Guidelines
The default security violation action is to shut down the interface.
You must enable port security by using the feature port-security command before you can use the switchport port-security violation command.
Before using this command, you must use the switchport command to configure the interface to operate as a Layer 2 interface.
Port security triggers security violations when either of the two following events occur:
- Ingress traffic arrives at an interface from a nonsecure MAC address and learning the address would exceed the applicable maximum number of secure MAC addresses.
When an interface has both a VLAN maximum and an interface maximum configured, a violation occurs when either maximum is exceeded. For example, consider the following on a single interface configured with port security:
– VLAN 1 has a maximum of 5 addresses
– The interface has a maximum of 10 addresses
The device detects a violation when any of the following occurs:
– The device has learned five addresses for VLAN 1 and inbound traffic from a sixth address arrives at the interface in VLAN 1.
– The device has learned 10 addresses on the interface and inbound traffic from an 11th address arrives at the interface.
- Ingress traffic from a secure MAC address arrives at a different interface in the same VLAN as the interface on which the address is secured.
Note After a secure MAC address is configured or learned on one secure port, the sequence of events that occurs when port security detects that secure MAC address on a different port in the same VLAN is known as a MAC move violation.
When a security violation occurs, the device takes the action specified by the port security configuration of the applicable interface. The possible actions are as follows:
- Shutdown—Shuts down the interface that received the packet triggering the violation. The interface is error disabled. This action is the default. After you reenable the interface, it retains its port security configuration, including its secure MAC addresses.
You can use the errdisable global configuration command to configure the device to reenable the interface automatically if a shutdown occurs, or you can manually reenable the interface by entering the shutdown and no shut down interface configuration commands.
- Restrict—Drops ingress traffic from any nonsecure MAC addresses. Address learning continues until 100 security violations have occurred on the interface. Traffic from addresses learned after the first security violation is dropped.
After 100 security violations occur, the device disables learning on the interface and drops all ingress traffic from nonsecure MAC addresses. In addition, the device generates an SNMP trap for each security violation.
- Protect—Prevents further violations from occurring. The address that triggered the security violation is learned but any traffic from the address is dropped. Further address learning stops.
If a violation occurs because ingress traffic from a secure MAC address arrives at a different interface than the interface on which the address is secure, the device applies the action on the interface that received the traffic.
Examples
This example shows how to configure an interface to respond to a security violation event with the protect action: