Cisco Nexus 7000 Series NX-OS Security Configuration Guide, Release 6.x
First Published: July 27, 2012
Last Modified: April 16, 2014

Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
     800 553-NETS (6387)
Fax: 408 527-0883

Text Part Number: OL-25776-03

Exhibit 2017
IPR2016-00309

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED "AS IS" WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: http://www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)

© 2014 Cisco Systems, Inc. All rights reserved.

Contents

Preface

Preface xxix
Audience xxix
Document Conventions xxix
Related Documentation for Cisco Nexus 7000 Series NX-OS Software xxx
Documentation Feedback xxxii
Obtaining Documentation and Submitting a Service Request xxxiii

Chapter 1

New and Changed Information 1
New and Changed Information 1

Chapter 2

Overview 9
Authentication, Authorization, and Accounting 10
RADIUS and TACACS+ Security Protocols 10
LDAP 11
SSH and Telnet 11
PKI 11
User Accounts and Roles 12
802.1X 12
NAC 12
Cisco TrustSec 12
IP ACLs 13
MAC ACLs 13
VACLs 13
Port Security 14
DHCP Snooping 14
Dynamic ARP Inspection 14
IP Source Guard 15

OL-25776-03
Cisco Nexus 7000 Series NX-OS Security Configuration Guide, Release 6.x
iii

Password Encryption 15
Keychain Management 15
Unicast RPF 15
Traffic Storm Control 16
Control Plane Policing 16
Rate Limits 16

Chapter 3

Configuring FIPS 17
Information About FIPS 17
FIPS Self-Tests 18
FIPS Error State 18
RADIUS Keywrap 18
Virtualization Support for FIPS 19
Licensing Requirements for FIPS 19
Prerequisites for FIPS 19
Guidelines and Limitations for FIPS 20
Default Settings for FIPS 20
Configuring FIPS 20
Enabling FIPS Mode 21
Disabling FIPS Mode 22
Verifying the FIPS Configuration 23
Configuration Example for FIPS 23
Additional References for FIPS 24
Feature History for FIPS 24

Chapter 4

Configuring AAA 25
Information About AAA 25
AAA Security Services 25
Benefits of Using AAA 26
Remote AAA Services 26
AAA Server Groups 27
AAA Service Configuration Options 27
Authentication and Authorization Process for User Login 29
AES Password Encryption and Master Encryption Keys 30
Virtualization Support for AAA 31
Licensing Requirements for AAA 31
Prerequisites for AAA 31
Guidelines and Limitations for AAA 31
Default Settings for AAA 32
Configuring AAA 32
Process for Configuring AAA 32
Configuring Console Login Authentication Methods 33
Configuring Default Login Authentication Methods 34
Disabling Fallback to Local Authentication 36
Enabling the Default User Role for AAA Authentication 37
Enabling Login Authentication Failure Messages 39
Enabling CHAP Authentication 40
Enabling MSCHAP or MSCHAP V2 Authentication 41
Configuring a Master Key and Enabling the AES Password Encryption Feature 43
Converting Existing Passwords to Type-6 Encrypted Passwords 44
Converting Type-6 Encrypted Passwords Back to Their Original States 45
Deleting Type-6 Encrypted Passwords 45
Configuring AAA Accounting Default Methods 46
Using AAA Server VSAs with Cisco NX-OS Devices 47
About VSAs 48
VSA Format 48
Specifying Cisco NX-OS User Roles and SNMPv3 Parameters on AAA Servers 49
Monitoring and Clearing the Local AAA Accounting Log 49
Verifying the AAA Configuration 50
Configuration Examples for AAA 50
Additional References for AAA 50
Feature History for AAA 51

Chapter 5

Configuring RADIUS 53
Information About RADIUS 53
RADIUS Network Environments 54
RADIUS Operation 54
RADIUS Server Monitoring 55
RADIUS Configuration Distribution 55
Vendor-Specific Attributes 56
Virtualization Support for RADIUS 57
Licensing Requirements for RADIUS 57
Prerequisites for RADIUS 58
Guidelines and Limitations for RADIUS 58
Default Settings for RADIUS 58
Configuring RADIUS Servers 59
RADIUS Server Configuration Process 59
Enabling RADIUS Configuration Distribution 60
Configuring RADIUS Server Hosts 61
Configuring Global RADIUS Keys 62
Configuring a Key for a Specific RADIUS Server 64
Configuring RADIUS Server Groups 65
Configuring the Global Source Interface for RADIUS Server Groups 67
Allowing Users to Specify a RADIUS Server at Login 68
Configuring the Global RADIUS Transmission Retry Count and Timeout Interval 69
Configuring the RADIUS Transmission Retry Count and Timeout Interval for a Server 71
Configuring Accounting and Authentication Attributes for RADIUS Servers 73
Configuring Global Periodic RADIUS Server Monitoring 75
Configuring Periodic RADIUS Server Monitoring on Individual Servers 76
Configuring the RADIUS Dead-Time Interval 78
Configuring One-Time Passwords 80
Committing the RADIUS Distribution 80
Discarding the RADIUS Distribution Session 81
Clearing the RADIUS Distribution Session 82
Manually Monitoring RADIUS Servers or Groups 83
Verifying the RADIUS Configuration 83
Monitoring RADIUS Servers 84
Clearing RADIUS Server Statistics 85
Configuration Example for RADIUS 85
Where to Go Next 85
Additional References for RADIUS 86
Feature History for RADIUS 86

Chapter 6

Configuring TACACS+ 89
Information About TACACS+ 89
TACACS+ Advantages 90
TACACS+ Operation for User Login 90
Default TACACS+ Server Encryption Type and Secret Key 91
Command Authorization Support for TACACS+ Servers 91
TACACS+ Server Monitoring 91
TACACS+ Configuration Distribution 92
Vendor-Specific Attributes for TACACS+ 93
Cisco VSA Format for TACACS+ 93
Virtualization Support for TACACS+ 94
Licensing Requirements for TACACS+ 94
Prerequisites for TACACS+ 95
Guidelines and Limitations for TACACS+ 95
Default Settings for TACACS+ 95
Configuring TACACS+ 96
TACACS+ Server Configuration Process 96
Enabling TACACS+ 96
Configuring TACACS+ Server Hosts 97
Configuring Global TACACS+ Keys 99
Configuring a Key for a Specific TACACS+ Server 100
Configuring TACACS+ Server Groups 102
Configuring the Global Source Interface for TACACS+ Server Groups 103
Allowing Users to Specify a TACACS+ Server at Login 104
Configuring the Global TACACS+ Timeout Interval 106
Configuring the Timeout Interval for a TACACS+ Server 107
Configuring TCP Ports 108
Configuring Global Periodic TACACS+ Server Monitoring 110
Configuring Periodic TACACS+ Server Monitoring on Individual Servers 112
Configuring the TACACS+ Dead-Time Interval 114
Configuring ASCII Authentication 115
Configuring AAA Authorization on TACACS+ Servers 116
Configuring Command Authorization on TACACS+ Servers 118
Testing Command Authorization on TACACS+ Servers 120
Enabling and Disabling Command Authorization Verification 121
Configuring Privilege Level Support for Authorization on TACACS+ Servers 121
Permitting or Denying Commands for Users of Privilege Roles 124
Enabling TACACS+ Configuration Distribution 125
Committing the TACACS+ Configuration to Distribution 126
Discarding the TACACS+ Distribution Session 127
Clearing the TACACS+ Distribution Session 128
Manually Monitoring TACACS+ Servers or Groups 129
Disabling TACACS+ 130
Monitoring TACACS+ Servers 131
Clearing TACACS+ Server Statistics 131
Verifying the TACACS+ Configuration 132
Configuration Examples for TACACS+ 133
Where to Go Next 134
Additional References for TACACS+ 134
Feature History for TACACS+ 135

Chapter 7

Configuring LDAP 137
Information About LDAP 137
LDAP Authentication and Authorization 138
LDAP Operation for User Login 138
LDAP Server Monitoring 139
Vendor-Specific Attributes for LDAP 140
Cisco VSA Format for LDAP 140
Virtualization Support for LDAP 141
Licensing Requirements for LDAP 141
Prerequisites for LDAP 141
Guidelines and Limitations for LDAP 142
Default Settings for LDAP 142
Configuring LDAP 142
LDAP Server Configuration Process 143
Enabling LDAP 143
Configuring LDAP Server Hosts 144
Configuring the RootDN for an LDAP Server 146
Configuring LDAP Server Groups 147
Configuring the Global LDAP Timeout Interval 149
Configuring the Timeout Interval for an LDAP Server 150
Configuring the Global LDAP Server Port 151
Configuring TCP Ports 152
Configuring LDAP Search Maps 154
Configuring Periodic LDAP Server Monitoring 155
Configuring the LDAP Dead-Time Interval 156
Configuring AAA Authorization on LDAP Servers 158
Disabling LDAP 159
Monitoring LDAP Servers 160
Clearing LDAP Server Statistics 160
Verifying the LDAP Configuration 161
Configuration Examples for LDAP 162
Where to Go Next 162
Additional References for LDAP 162
Feature History for LDAP 163

Chapter 8

Configuring SSH and Telnet 165
Information About SSH and Telnet 165
SSH Server 165
SSH Client 166
SSH Server Keys 166
SSH Authentication Using Digital Certificates 166
Telnet Server 167
Virtualization Support for SSH and Telnet 167
Licensing Requirements for SSH and Telnet 167
Prerequisites for SSH and Telnet 167
Guidelines and Limitations for SSH and Telnet 167
Default Settings for SSH and Telnet 168
Configuring SSH 168
Generating SSH Server Keys 169
Specifying the SSH Public Keys for User Accounts 170
Specifying the SSH Public Keys in IETF SECSH Format 170
Specifying the SSH Public Keys in OpenSSH Format 171
Configuring a Maximum Number of SSH Login Attempts 172
Starting SSH Sessions 173
Starting SSH Sessions from Boot Mode 174
Configuring SSH Passwordless File Copy 175
Configuring SCP and SFTP Servers 177
Clearing SSH Hosts 178
Disabling the SSH Server 178
Deleting SSH Server Keys 179
Clearing SSH Sessions 180
Configuring Telnet 181
Enabling the Telnet Server 181
Starting Telnet Sessions to Remote Devices 182
Clearing Telnet Sessions 183
Verifying the SSH and Telnet Configuration 183
Configuration Example for SSH 184
Configuration Example for SSH Passwordless File Copy 185
Additional References for SSH and Telnet 187
Feature History for SSH and Telnet 187

Chapter 9

Configuring PKI 189
Information About PKI 189
CAs and Digital Certificates 189
Trust Model, Trust Points, and Identity CAs 190
RSA Key Pairs and Identity Certificates 190
Multiple Trusted CA Support 191
PKI Enrollment Support 191
Manual Enrollment Using Cut-and-Paste 192
Multiple RSA Key Pair and Identity CA Support 192
Peer Certificate Verification 192
Certificate Revocation Checking 193
CRL Support 193
Import and Export Support for Certificates and Associated Key Pairs 193
Virtualization Support for PKI 193
Licensing Requirements for PKI 193
Guidelines and Limitations for PKI 194
Default Settings for PKI 194
Configuring CAs and Digital Certificates 195
Configuring the Hostname and IP Domain Name 195
Generating an RSA Key Pair 196
Creating a Trust Point CA Association 197
Configuring the Cert-Store for Certificate Authentication 199
Configuring Certificate Mapping Filters 200
Authenticating the CA 202
Configuring Certificate Revocation Checking Methods 204
Generating Certificate Requests 205
Installing Identity Certificates 207
Ensuring Trust Point Configurations Persist Across Reboots 208
Exporting Identity Information in PKCS 12 Format 209
Importing Identity Information in PKCS 12 Format 210
Configuring a CRL 212
Deleting Certificates from the CA Configuration 213
Deleting RSA Key Pairs from a Cisco NX-OS Device 214
Verifying the PKI Configuration 215
Configuration Examples for PKI 216
Configuring Certificates on a Cisco NX-OS Device 216
Configuring the Cert-Store and Certificate Mapping Filters 219
Downloading a CA Certificate 221
Requesting an Identity Certificate 225
Revoking a Certificate 233
Generating and Publishing the CRL 235
Downloading the CRL 236
Importing the CRL 239
Additional References for PKI 241
Related Documents for PKI 241
Standards for PKI 242
Feature History for PKI 242

Chapter 10

Configuring User Accounts and RBAC 243
Information About User Accounts and RBAC 243
User Accounts 243
Characteristics of Strong Passwords 244
User Roles 245
User Role Rules 245
User Role Configuration Distribution 246
Virtualization Support for RBAC 247
Licensing Requirements for User Accounts and RBAC 247
Guidelines and Limitations for User Accounts and RBAC 248
Default Settings for User Accounts and RBAC 248
Enabling Password-Strength Checking 249
Configuring User Accounts 250
Configuring Roles 252
Enabling User Role Configuration Distribution 252
Creating User Roles and Rules 253
Creating Feature Groups 256
Changing User Role Interface Policies 257
Changing User Role VLAN Policies 259
Changing User Role VRF Policies 261
Committing the User Role Configuration to Distribution 262
Discarding the User Role Distribution Session 264
Clearing the User Role Distribution Session 265
Verifying User Accounts and RBAC Configuration 265
Configuration Examples for User Accounts and RBAC 266
Additional References for User Accounts and RBAC 267
Related Documents for User Accounts and RBAC 268
Standards for User Accounts and RBAC 269
MIBs for User Accounts and RBAC 269
Feature History for User Accounts and RBAC 269

Chapter 11

Configuring 802.1X 271
Information About 802.1X 271
Device Roles 271
Authentication Initiation and Message Exchange 273
Authenticator PAE Status for Interfaces 274
Ports in Authorized and Unauthorized States 274
MAC Authentication Bypass 275
802.1X and Port Security 276
Single Host and Multiple Hosts Support 277
Supported Topologies 277
Virtualization Support for 802.1X 278
Licensing Requirements for 802.1X 278
Prerequisites for 802.1X 278
802.1X Guidelines and Limitations 279
Default Settings for 802.1X 280
Configuring 802.1X 281
Process for Configuring 802.1X 281
Enabling the 802.1X Feature 281
Configuring AAA Authentication Methods for 802.1X 282
Controlling 802.1X Authentication on an Interface 283
Configuring 802.1X Authentication on Member Ports 285
Creating or Removing an Authenticator PAE on an Interface 287
Enabling Global Periodic Reauthentication 288
Enabling Periodic Reauthentication for an Interface 290
Manually Reauthenticating Supplicants 291
Manually Initializing 802.1X Authentication 292
Changing Global 802.1X Authentication Timers 292
Changing 802.1X Authentication Timers for an Interface 294
Enabling Single Host or Multiple Hosts Mode 297
Enabling MAC Authentication Bypass 298
Disabling 802.1X Authentication on the Cisco NX-OS Device 299
Disabling the 802.1X Feature 300
Resetting the 802.1X Global Configuration to the Default Values 301
Resetting the 802.1X Interface Configuration to the Default Values 302
Setting the Global Maximum Authenticator-to-Supplicant Frame Retransmission Retry Count 303
Setting the Maximum Authenticator-to-Supplicant Frame Retransmission Retry Count for an Interface 304
Enabling RADIUS Accounting for 802.1X Authentication 306
Configuring AAA Accounting Methods for 802.1X 307
Setting the Maximum Reauthentication Retry Count on an Interface 308
Verifying the 802.1X Configuration 309
Monitoring 802.1X 309
Configuration Example for 802.1X 310
Additional References for 802.1X 310
Feature History for 802.1X 311

Chapter 12

Configuring NAC 313
Information About NAC 313
NAC Device Roles 313
NAC Posture Validation 316
IP Device Tracking 317
NAC LPIP 318
Posture Validation 318
Admission Triggers 319
Posture Validation Methods 319
Exception Lists 319
EAPoUDP 319
Policy Enforcement Using ACLs 320
Audit Servers and Nonresponsive Hosts 321
NAC Timers 321
Hold Timer 321
AAA Timer 322
Retransmit Timer 322
Revalidation Timer 322
Status-Query Timer 323
NAC Posture Validation and Redundant Supervisor Modules 323
LPIP Validation and Other Security Features 323
802.1X 323
Port Security 323
DHCP Snooping 323
Dynamic ARP Inspection 323
IP Source Guard 324
Posture Host-Specific ACEs 324
Active PACLs 324
VACLs 325
Virtualization Support for NAC 325
Licensing Requirements for NAC 325
Prerequisites for NAC 325
NAC Guidelines and Limitations 325
LPIP Limitations 325
Default Settings for NAC 326
Configuring NAC 327
Process for Configuring NAC 327
Enabling EAPoUDP 327
Enabling the Default AAA Authentication Method for EAPoUDP 328
Applying PACLs to Interfaces 330
Enabling NAC on an Interface 331
Configuring Identity Policies and Identity Profile Entries 332
Allowing Clientless Endpoint Devices 334
Enabling Logging for EAPoUDP 335
Changing the Global EAPoUDP Maximum Retry Value 336
Changing the EAPoUDP Maximum Retry Value for an Interface 338
Changing the UDP Port for EAPoUDP 339
Configuring Rate Limiting of Simultaneous EAPoUDP Posture Validation Sessions 340
Configuring Global Automatic Posture Revalidation 341
Configuring Automatic Posture Revalidation for an Interface 343
Changing the Global EAPoUDP Timers 344
Changing the EAPoUDP Timers for an Interface 346
Resetting the EAPoUDP Global Configuration to the Default Values 348
Resetting the EAPoUDP Interface Configuration to the Default Values 350
Configuring IP Device Tracking 351
Clearing IP Device Tracking Information 353
Manually Initializing EAPoUDP Sessions 354
Manually Revalidating EAPoUDP Sessions 355
Clearing EAPoUDP Sessions 357
Disabling the EAPoUDP Feature 358
Verifying the NAC Configuration 359
Configuration Example for NAC 360
Additional References for NAC 360
Feature History for NAC 360

Chapter 13

Configuring Cisco TrustSec 361
Information About Cisco TrustSec 361
Cisco TrustSec Architecture 361
Authentication 364
Cisco TrustSec and Authentication 364
Cisco TrustSec Enhancements to EAP-FAST 365
802.1X Role Selection 366
Cisco TrustSec Authentication Summary 366
Device Identities 367
Device Credentials 367
User Credentials 367
SGACLs and SGTs 367
Determining the Source Security Group 369
Determining the Destination Security Group 369
SXP for SGT Propagation Across Legacy Access Networks 369
Authorization and Policy Acquisition 370
Environment Data Download 371
RADIUS Relay Functionality 371
Virtualization Support for Cisco TrustSec 372
Licensing Requirements for Cisco TrustSec 372
Prerequisites for Cisco TrustSec 372
Guidelines and Limitations for Cisco TrustSec 373
Default Settings for Cisco TrustSec 374
Configuring Cisco TrustSec 374
Enabling the Cisco TrustSec Feature 374
Configuring Cisco TrustSec Device Credentials 376
Configuring AAA for Cisco TrustSec 377
Configuring AAA on the Cisco TrustSec Seed Cisco NX-OS Devices 377
Configuring AAA on Cisco TrustSec Nonseed Cisco NX-OS Devices 380
Configuring Cisco TrustSec Authentication, Authorization, SAP, and Data Path Security 381
Cisco TrustSec Configuration Process for Cisco TrustSec Authentication and Authorization 381
Enabling Cisco TrustSec Authentication 382
Configuring Data-Path Replay Protection for Cisco TrustSec on Interfaces 384
Configuring SAP Operation Modes for Cisco TrustSec on Interfaces 386
Configuring SGT Propagation for Cisco TrustSec on Interfaces 388
Regenerating SAP Keys on an Interface 390
Configuring Cisco TrustSec Authentication in Manual Mode 390
Configuring Pause Frame Encryption or Decryption for Cisco TrustSec on Interfaces 393
Configuring SGACL Policies 395
SGACL Policy Configuration Process 396
Enabling SGACL Batch Programming 396
Enabling SGACL Policy Enforcement on VLANs 396
Enabling SGACL Policy Enforcement on VRF Instances 398
Manually Configuring Cisco TrustSec SGTs 399
Manually Configuring IPv4-Address-to-SGACL SGT Mapping for a VLAN 400
Manually Configuring IPv4-Address-to-SGACL SGT Mapping for a VRF Instance 401
Configuring VLAN to SGT Mapping 403
Manually Configuring SGACL Policies 404
Displaying the Downloaded SGACL Policies 406
Refreshing the Downloaded SGACL Policies 407
Refreshing the Environment Data 408
Enabling Statistics for RBACL 408
Clearing Cisco TrustSec SGACL Policies 410
Manually Configuring SXP 410
Cisco TrustSec SXP Configuration Process 410
Enabling Cisco TrustSec SXP 411
Configuring Cisco TrustSec SXP Peer Connections 412
Configuring the Default SXP Password 414
Configuring the Default SXP Source IPv4 Address 415
Changing the SXP Reconcile Period 416
Changing the SXP Retry Period 417
Verifying the Cisco TrustSec Configuration 418
Configuration Examples for Cisco TrustSec 419
Enabling Cisco TrustSec 419
Configuring AAA for Cisco TrustSec on a Seed Cisco NX-OS Device 420
Enabling Cisco TrustSec Authentication on an Interface 420
Configuring Cisco TrustSec Authentication in Manual Mode 420
Configuring Cisco TrustSec Role-Based Policy Enforcement for the Default VRF Instance 421
Configuring Cisco TrustSec Role-Based Policy Enforcement for a Nondefault VRF 421
Configuring Cisco TrustSec Role-Based Policy Enforcement for a VLAN 421
Configuring IPv4 Address to SGACL SGT Mapping for the Default VRF Instance 421
Configuring IPv4 Address to SGACL SGT Mapping for a Nondefault VRF Instance 421
Configuring IPv4 Address to SGACL SGT Mapping for a VLAN 422
Manually Configuring Cisco TrustSec SGACLs 422
Manually Configuring SXP Peer Connections 422
Additional References for Cisco TrustSec 423
Feature History for Cisco TrustSec 424

Chapter 14

Configuring IP ACLs 427
Information About ACLs 428
ACL Types and Applications 428
Order of ACL Application 430
About Rules 431
Protocols for IP ACLs 431
Source and Destination 432
Implicit Rules for IP and MAC ACLs 432
Additional Filtering Options 432
Sequence Numbers 434
Logical Operators and Logical Operation Units 434
Logging 435
ACL Capture 435
Time Ranges 436
Policy-Based ACLs 438
Statistics and ACLs 438
Atomic ACL Updates 439
Planning for Atomic ACL Updates 440
ACL TCAM Bank Mapping 440
Session Manager Support for IP ACLs 440
Virtualization Support for IP ACLs 441
Licensing Requirements for IP ACLs 441
Prerequisites for IP ACLs 441
Guidelines and Limitations for IP ACLs 441
Default Settings for IP ACLs 445
Configuring IP ACLs 445
Creating an IP ACL 445
Changing an IP ACL 447
Creating a VTY ACL 449
Changing Sequence Numbers in an IP ACL 451
Removing an IP ACL 452
Applying an IP ACL as a Router ACL 454
Applying an IP ACL as a Port ACL 455
Applying an IP ACL as a VACL 457
Configuring ACL TCAM Bank Mapping 457
Enabling or Disabling ACL Capture 458
Configuring an ACL Capture Session 459
Applying an ACL with Capture Session ACEs to an Interface 461
Applying a Whole ACL Capture Session to an Interface 462
Verifying the IP ACL Configuration 464
Monitoring and Clearing IP ACL Statistics 465
Configuration Examples for IP ACLs 466
Configuring Object Groups 467
Session Manager Support for Object Groups 467
Creating and Changing an IPv4 Address Object Group 467
Creating and Changing an IPv6 Address Object Group 469
Creating and Changing a Protocol Port Object Group 471
Removing an Object Group 472
Verifying the Object-Group Configuration 473
Configuring Time Ranges 473
Session Manager Support for Time Ranges 473
Creating a Time Range 473
Changing a Time Range 475
Removing a Time Range 477
Changing Sequence Numbers in a Time Range 478
Verifying the Time-Range Configuration 479
Additional References for IP ACLs 479
Feature History for IP ACLs 480

Chapter 15

Configuring MAC ACLs 483
Information About MAC ACLs 483
MAC Packet Classification 483
Licensing Requirements for MAC ACLs 484
Prerequisites for MAC ACLs 484
Guidelines and Limitations for MAC ACLs 484
Default Settings for MAC ACLs 485
Configuring MAC ACLs 485
Creating a MAC ACL 485
Changing a MAC ACL 487
Changing Sequence Numbers in a MAC ACL 488
Removing a MAC ACL 489
Applying a MAC ACL as a Port ACL 490
Applying a MAC ACL as a VACL 491
Enabling or Disabling MAC Packet Classification 491
Verifying the MAC ACL Configuration 493
Monitoring and Clearing MAC ACL Statistics 494
Configuration Example for MAC ACLs 494
Additional References for MAC ACLs 494
Feature History for MAC ACLs 495

Chapter 16

Configuring VLAN ACLs 497
Information About VLAN ACLs 497
VLAN Access Maps and Entries 498
VACLs and Actions 498
VACL Statistics 498
Session Manager Support for VACLs 498
Virtualization Support for VACLs 499
Licensing Requirements for VACLs 499
Prerequisites for VACLs 499
Guidelines and Limitations for VACLs 499
Default Settings for VACLs 500
Configuring VACLs 500
Creating a VACL or Adding a VACL Entry 500
Removing a VACL or a VACL Entry 502
Applying a VACL to a VLAN 503
Configuring Deny ACE Support 504
Verifying the VACL Configuration 505
Monitoring and Clearing VACL Statistics 506
Configuration Example for VACLs 506
Additional References for VACLs 506
Feature History for VLAN ACLs 507

Chapter 17

Configuring Port Security 509
Information About Port Security 509
Secure MAC Address Learning 510
Static Method 510
Dynamic Method 510
Sticky Method 511
Dynamic Address Aging 511
Secure MAC Address Maximums 511
Security Violations and Actions 512
Port Security and Port Types 514
Port Security and Port-Channel Interfaces 514
Port Type Changes 516
802.1X and Port Security 517
Virtualization Support for Port Security 518
Licensing Requirements for Port Security 518
Prerequisites for Port Security 518
Default Settings for Port Security 518
Guidelines and Limitations for Port Security 519
Configuring Port Security 519
Enabling or Disabling Port Security Globally 519
Enabling or Disabling Port Security on a Layer 2 Interface 520
Enabling or Disabling Sticky MAC Address Learning 522
Adding a Static Secure MAC Address on an Interface 523
Removing a Static Secure MAC Address on an Interface 525
Removing a Sticky Secure MAC Address 526
Removing a Dynamic Secure MAC Address 527
Configuring a Maximum Number of MAC Addresses 528
Configuring an Address Aging Type and Time 530
Configuring a Security Violation Action 531
Verifying the Port Security Configuration 533
Displaying Secure MAC Addresses 533
Configuration Example for Port Security 533
Additional References for Port Security 533
Feature History for Port Security 534

Chapter 18

Configuring DHCP 535
Information About DHCP Snooping 536
Trusted and Untrusted Sources 536
DHCP Snooping Binding Database 536
DHCP Snooping in a vPC Environment 537
Synchronizing DHCP Snooping Binding Entries 537
Packet Validation 537
DHCP Snooping Option 82 Data Insertion 538
Information About the DHCP Relay Agent 540
DHCP Relay Agent 540
DHCP Relay Agent Option 82 540
VRF Support for the DHCP Relay Agent 542
DHCP Smart Relay Agent 542
Information About the DHCPv6 Relay Agent 543
DHCPv6 Relay Agent 543
VRF Support for the DHCPv6 Relay Agent 543
Virtualization Support for DHCP 543
Licensing Requirements for DHCP 543
Prerequisites for DHCP 544
Guidelines and Limitations for DHCP 544
Default Settings for DHCP 545
Configuring DHCP 546
Minimum DHCP Configuration 546
Enabling or Disabling the DHCP Feature 546
Enabling or Disabling DHCP Snooping Globally 547
Enabling or Disabling DHCP Snooping on a VLAN 548
Enabling or Disabling DHCP Snooping MAC Address Verification 549
Enabling or Disabling Option 82 Data Insertion and Removal 550
Enabling or Disabling Strict DHCP Packet Validation 552
Configuring an Interface as Trusted or Untrusted 552
Enabling or Disabling the DHCP Relay Agent 554
Enabling or Disabling Option 82 for the DHCP Relay Agent 555
Enabling or Disabling VRF Support for the DHCP Relay Agent 556
Enabling or Disabling Subnet Broadcast Support for the DHCP Relay Agent on a Layer 3 Interface 557
Configuring DHCP Server Addresses on an Interface 559
Enabling or Disabling DHCP Smart Relay Globally 561
Enabling or Disabling DHCP Smart Relay on a Layer 3 Interface 562
Configuring DHCPv6 563
Enabling or Disabling the DHCPv6 Relay Agent 563
Enabling or Disabling VRF Support for the DHCPv6 Relay Agent 564
Configuring DHCPv6 Server Addresses on an Interface 565
Configuring the DHCPv6 Relay Source Interface 567
Verifying the DHCP Configuration 568
Displaying DHCP Bindings 569
Clearing the DHCP Snooping Binding Database 569
Clearing DHCP Relay Statistics 570
Clearing DHCPv6 Relay Statistics 570
Monitoring DHCP 570
Configuration Examples for DHCP 571
Additional References for DHCP 571
Feature History for DHCP 572

Chapter 19

Configuring Dynamic ARP Inspection 575
Information About DAI 575
ARP 575
ARP Spoofing Attacks 576
DAI and ARP Spoofing Attacks 576
Interface Trust States and Network Security 577
Prioritizing ARP ACLs and DHCP Snooping Entries 579
Logging DAI Packets 579
Virtualization Support for DAI 579
Licensing Requirements for DAI 580
Prerequisites for DAI 580
Guidelines and Limitations for DAI 580
Default Settings for DAI 581
Configuring DAI 582
Enabling or Disabling DAI on VLANs 582
Configuring the DAI Trust State of a Layer
