Cisco Nexus 5000 Series NX-OS Security Configuration Guide, Release 5.1(3)N1(1)

First Published: December 05, 2011
Last Modified: December 28, 2011

Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
     800 553-NETS (6387)
Fax: 408 527-0883

Text Part Number: OL-25845-01

Exhibit 2028
IPR2016-00309

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED "AS IS" WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: http://www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)

© 2010 Cisco Systems, Inc. All rights reserved.

Contents

Preface
Preface xv
Audience xv
Document Conventions xv
Documentation Feedback xvi
Obtaining Documentation and Submitting a Service Request xvii

Chapter 1
New and Changed Information 1
New and Changed Information 1

Chapter 2
Overview 5
Authentication, Authorization, and Accounting 5
RADIUS and TACACS+ Security Protocols 6
SSH and Telnet 6
IP ACLs 7

Chapter 3
Configuring Authentication, Authorization, and Accounting 9
Information About AAA 9
AAA Security Services 9
Benefits of Using AAA 10
Remote AAA Services 10
AAA Server Groups 10
AAA Service Configuration Options 11
Authentication and Authorization Process for User Logins 12
Prerequisites for Remote AAA 13
Guidelines and Limitations for AAA 14
Configuring AAA 14
Configuring Console Login Authentication Methods 14
Configuring Default Login Authentication Methods 15
Enabling Login Authentication Failure Messages 16
Configuring AAA Command Authorization 17
Enabling MSCHAP Authentication 19
Configuring AAA Accounting Default Methods 20
Using AAA Server VSAs 21
VSAs 21
VSA Format 22
Specifying Switch User Roles and SNMPv3 Parameters on AAA Servers 22
Monitoring and Clearing the Local AAA Accounting Log 23
Verifying the AAA Configuration 23
Configuration Examples for AAA 24
Default AAA Settings 24

Chapter 4
Configuring RADIUS 25
Configuring RADIUS 25
Information About RADIUS 25
RADIUS Network Environments 25
Information About RADIUS Operations 26
RADIUS Server Monitoring 26
Vendor-Specific Attributes 27
Prerequisites for RADIUS 28
Guidelines and Limitations for RADIUS 28
Configuring RADIUS Servers 28
Configuring RADIUS Server Hosts 29
Configuring RADIUS Global Preshared Keys 30
Configuring RADIUS Server Preshared Keys 31
Configuring RADIUS Server Groups 32
Configuring the Global Source Interface for RADIUS Server Groups 33
Allowing Users to Specify a RADIUS Server at Login 34
Configuring the Global RADIUS Transmission Retry Count and Timeout Interval 35
Configuring the RADIUS Transmission Retry Count and Timeout Interval for a Server 36
Configuring Accounting and Authentication Attributes for RADIUS Servers 37
Configuring Periodic RADIUS Server Monitoring 38
Configuring the Dead-Time Interval 39
Manually Monitoring RADIUS Servers or Groups 40
Verifying the RADIUS Configuration 41
Displaying RADIUS Server Statistics 41
Clearing RADIUS Server Statistics 41
Configuration Examples for RADIUS 42
Default Settings for RADIUS 42

Chapter 5
Configuring TACACS+ 45
About Configuring TACACS+ 45
Information About Configuring TACACS+ 45
TACACS+ Advantages 45
User Login with TACACS+ 46
Default TACACS+ Server Encryption Type and Preshared Key 46
Command Authorization Support for TACACS+ Servers 47
TACACS+ Server Monitoring 47
Prerequisites for TACACS+ 47
Guidelines and Limitations for TACACS+ 48
Configuring TACACS+ 48
TACACS+ Server Configuration Process 48
Enabling TACACS+ 49
Configuring TACACS+ Server Hosts 49
Configuring TACACS+ Global Preshared Keys 50
Configuring TACACS+ Server Preshared Keys 51
Configuring TACACS+ Server Groups 52
Configuring the Global Source Interface for TACACS+ Server Groups 54
Specifying a TACACS+ Server at Login 55
Configuring AAA Authorization on TACACS+ Servers 55
Configuring Command Authorization on TACACS+ Servers 57
Testing Command Authorization on TACACS+ Servers 58
Enabling and Disabling Command Authorization Verification 59
Configuring Privilege Level Support for Authorization on TACACS+ Servers 59
Permitting or Denying Commands for Users of Privilege Roles 61
Configuring the Global TACACS+ Timeout Interval 63
Configuring the Timeout Interval for a Server 63
Configuring TCP Ports 64
Configuring Periodic TACACS+ Server Monitoring 65
Configuring the Dead-Time Interval 66
Manually Monitoring TACACS+ Servers or Groups 67
Disabling TACACS+ 68
Displaying TACACS+ Statistics 68
Verifying the TACACS+ Configuration 69
Configuration Examples for TACACS+ 69
Default Settings for TACACS+ 70

Chapter 6
Configuring SSH and Telnet 71
Configuring SSH and Telnet 71
Information About SSH and Telnet 71
SSH Server 71
SSH Client 71
SSH Server Keys 71
Telnet Server 72
Guidelines and Limitations for SSH 72
Configuring SSH 72
Generating SSH Server Keys 72
Specifying the SSH Public Keys for User Accounts 73
Specifying the SSH Public Keys in Open SSH Format 73
Specifying the SSH Public Keys in IETF SECSH Format 74
Specifying the SSH Public Keys in PEM-Formatted Public Key Certificate Form 75
Starting SSH Sessions to Remote Devices 76
Clearing SSH Hosts 76
Disabling the SSH Server 77
Deleting SSH Server Keys 77
Clearing SSH Sessions 78
Configuration Examples for SSH 79
Configuring Telnet 80
Enabling the Telnet Server 80
Reenabling the Telnet Server 80
Starting Telnet Sessions to Remote Devices 81
Clearing Telnet Sessions 81
Verifying the SSH and Telnet Configuration 82
Default Settings for SSH 82

Chapter 7
Configuring Cisco TrustSec 83
Information About Cisco TrustSec 83
Cisco TrustSec Architecture 83
Authentication 85
Device Identities 85
Device Credentials 85
User Credentials 85
SGACLs and SGTs 85
Determining the Source Security Group 87
Determining the Destination Security Group 87
SXP for SGT Propagation Across Legacy Access Networks 87
Environment Data Download 88
Licensing Requirements for Cisco TrustSec 89
Prerequisites for Cisco TrustSec 89
Guidelines and Limitations for Cisco TrustSec 89
Default Settings For Cisco TrustSec 90
Configuring Cisco TrustSec 91
Enabling the Cisco TrustSec Feature 91
Configuring Cisco TrustSec Device Credentials 92
Configuring AAA for Cisco TrustSec 94
Configuring AAA on the Cisco TrustSec Cisco NX-OS Devices 94
Configuring Cisco TrustSec Authentication in Manual Mode 96
Configuring SGACL Policies 99
SGACL Policy Configuration Process 99
Enabling SGACL Policy Enforcement on VLANs 99
Manually Configuring Cisco TrustSec SGTs 100
Manually Configuring IPv4-Address-to-SGACL SGT Mapping for a VLAN 101
Manually Configuring IPv4-Address-to-SGACL SGT Mapping for a VRF Instance 103
Manually Configuring SGACL Policies 104
Displaying the Downloaded SGACL Policies 107
Refreshing the Downloaded SGACL Policies 107
Enabling Statistics for RBACL 108
Clearing Cisco TrustSec SGACL Policies 109
Manually Configuring SXP 110
Cisco TrustSec SXP Configuration Process 110
Enabling Cisco TrustSec SXP 111
Configuring Cisco TrustSec SXP Peer Connections 112
Configuring the Default SXP Password 114
Configuring the Default SXP Source IPv4 Address 115
Changing the SXP Retry Period 116
Verifying the Cisco TrustSec Configuration 118
Configuration Examples for Cisco TrustSec 118
Enabling Cisco TrustSec 118
Configuring AAA for Cisco TrustSec on a Cisco NX-OS Device 119
Configuring Cisco TrustSec Authentication in Manual Mode 119
Configuring Cisco TrustSec Role-Based Policy Enforcement for a VLAN 119
Configuring IPv4 Address to SGACL SGT Mapping for the Default VRF Instance 119
Configuring IPv4 Address to SGACL SGT Mapping for a VLAN 119
Manually Configuring Cisco TrustSec SGACLs 120
Manually Configuring SXP Peer Connections 120
Additional References for Cisco TrustSec 121
Feature History for Cisco TrustSec 121

Chapter 8
Configuring Access Control Lists 123
Information About ACLs 123
IP ACL Types and Applications 123
Application Order 124
Rules 125
Source and Destination 125
Protocols 125
Implicit Rules 125
Additional Filtering Options 125
Sequence Numbers 126
Logical Operators and Logical Operation Units 127
Statistics and ACLs 127
Licensing Requirements for ACLs 128
Prerequisites for ACLs 128
Guidelines and Limitations for ACLs 128
Default ACL Settings 129
Configuring IP ACLs 130
Creating an IP ACL 130
Changing an IP ACL 131
Removing an IP ACL 132
Changing Sequence Numbers in an IP ACL 133
Configuring ACLs with Logging 134
Applying an IP ACL to mgmt0 135
Applying an IP ACL as a Router ACL 136
Applying an IP ACL as a Port ACL 138
Verifying IP ACL Configurations 139
Monitoring and Clearing IP ACL Statistics 139
Configuring MAC ACLs 140
Creating a MAC ACL 140
Changing a MAC ACL 141
Removing a MAC ACL 142
Changing Sequence Numbers in a MAC ACL 143
Applying a MAC ACL as a Port ACL 143
Verifying MAC ACL Configurations 144
Displaying and Clearing MAC ACL Statistics 145
Example Configuration for MAC ACLs 145
Information About VLAN ACLs 145
VACLs and Access Maps 145
VACLs and Actions 145
Statistics 145
Configuring VACLs 146
Creating or Changing a VACL 146
Removing a VACL 147
Applying a VACL to a VLAN 148
Verifying VACL Configuration 148
Displaying and Clearing VACL Statistics 148
Configuration Examples for VACL 149
Configuring ACLs on Virtual Terminal Lines 149
Verifying ACLs on VTY Lines 150
Configuration Examples for ACLs on VTY Lines 151

Chapter 9
Configuring Port Security 153
Information About Port Security 153
Secure MAC Address Learning 154
Static Method 154
Dynamic Method 154
Sticky Method 155
Dynamic Address Aging 155
Secure MAC Address Maximums 155
Security Violations and Actions 156
Port Type Changes 158
Licensing Requirements for Port Security 159
Prerequisites for Port Security 159
Guidelines and Limitations for Port Security 159
Guidelines and Limitations for Port Security on vPCs 160
Configuring Port Security 160
Enabling or Disabling Port Security Globally 160
Enabling or Disabling Port Security on a Layer 2 Interface 161
Enabling or Disabling Sticky MAC Address Learning 163
Adding a Static Secure MAC Address on an Interface 164
Removing a Static Secure MAC Address on an Interface 166
Removing a Dynamic Secure MAC Address 167
Configuring a Maximum Number of MAC Addresses 168
Configuring an Address Aging Type and Time 170
Configuring a Security Violation Action 171
Verifying the Port Security Configuration 172
Displaying Secure MAC Addresses 173
Configuration Example for Port Security 173
Configuration Example of Port Security in a vPC Domain 173
Default Settings for Port Security 174
Additional References for Port Security 174
Feature History for Port Security 175

Chapter 10
Configuring DHCP Snooping 177
Information About DHCP Snooping 177
Feature Enabled and Globally Enabled 177
Trusted and Untrusted Sources 178
DHCP Snooping Binding Database 179
DHCP Snooping Option 82 Data Insertion 179
DHCP Snooping in a vPC Environment 181
Synchronizing DHCP Snooping Binding Entries 181
Packet Validation 181
Information About the DHCP Relay Agent 182
DHCP Relay Agent 182
VRF Support for the DHCP Relay Agent 182
DHCP Relay Binding Database 183
Guidelines and Limitations for DHCP Snooping 183
Default Settings for DHCP Snooping 184
Configuring DHCP Snooping 185
Minimum DHCP Snooping Configuration 185
Enabling or Disabling the DHCP Snooping Feature 185
Enabling or Disabling DHCP Snooping Globally 186
Enabling or Disabling DHCP Snooping on a VLAN 187
Enabling or Disabling Option 82 Data Insertion and Removal 188
Enabling or Disabling Strict DHCP Packet Validation 189
Configuring an Interface as Trusted or Untrusted 190
Enabling or Disabling the DHCP Relay Agent 191
Enabling or Disabling Option 82 for the DHCP Relay Agent 192
Enabling or Disabling VRF Support for the DHCP Relay Agent 194
Creating a DHCP Static Binding 195
Verifying the DHCP Snooping Configuration 196
Displaying DHCP Bindings 196
Clearing the DHCP Snooping Binding Database 197
Configuration Examples for DHCP Snooping 198

Chapter 11
Configuring Dynamic ARP Inspection 199
Information About DAI 199
ARP 199
ARP Spoofing Attacks 200
DAI and ARP Spoofing Attacks 200
Interface Trust States and Network Security 201
Logging DAI Packets 203
Licensing Requirements for DAI 203
Prerequisites for DAI 203
Guidelines and Limitations for DAI 203
Default Settings for DAI 204
Configuring DAI 205
Enabling or Disabling DAI on VLANs 205
Configuring the DAI Trust State of a Layer 2 Interface 206
Enabling or Disabling Additional Validation 207
Configuring the DAI Logging Buffer Size 209
Configuring DAI Log Filtering 209
Verifying the DAI Configuration 211
Monitoring and Clearing DAI Statistics 211
Configuration Examples for DAI 211
Example 1-Two Devices Support DAI 211
Configuring Device A 212
Configuring Device B 214

Chapter 12
Configuring IP Source Guard 217
Finding Feature Information 217
Information About IP Source Guard 217
Licensing Requirements for IP Source Guard 218
Prerequisites for IP Source Guard 218
Guidelines and Limitations for IP Source Guard 218
Default Settings for IP Source Guard 219
Configuring IP Source Guard 219
Enabling or Disabling IP Source Guard on a Layer 2 Interface 219
Adding or Removing a Static IP Source Entry 220
Displaying IP Source Guard Bindings 221
Configuration Example for IP Source Guard 221
Additional References for IP Source Guard 222

Chapter 13
Configuring Control Plane Policing 223
Information About CoPP 223
Control Plane Protection 225
Control Plane Packet Types 225
Classification for CoPP 225
Rate Controlling Mechanisms 225
CoPP Class Maps 226
CoPP Policy Templates 229
Default CoPP Policy 229
Scaled Layer 2 CoPP Policy 230
Scaled Layer 3 CoPP Policy 231
Customizable CoPP Policy 232
CoPP and the Management Interface 233
Licensing Requirements for CoPP 233
Guidelines and Limitations for CoPP 233
Default Settings for CoPP 234
Configuring CoPP 235
Applying a CoPP Policy to the Switch 235
Modifying the Customized CoPP Policy 235
Verifying the CoPP Configuration 236
Displaying the CoPP Configuration Status 237
Monitoring CoPP 237
Clearing the CoPP Statistics 238
Additional References for CoPP 238
Feature History for CoPP 239

Preface

The Preface contains the following sections:

• Audience, page xv
• Document Conventions, page xv
• Documentation Feedback, page xvi
• Obtaining Documentation and Submitting a Service Request, page xvii

Audience

This publication is for network administrators who configure and maintain Cisco Nexus devices and Cisco Nexus 2000 Series Fabric Extenders.

Document Conventions

Command descriptions use the following conventions:

Convention    Description
bold          Bold text indicates the commands and keywords that you enter literally as shown.
Italic        Italic text indicates arguments for which the user supplies the values.
[x]           Square brackets enclose an optional element (keyword or argument).
[x | y]       Square brackets enclosing keywords or arguments separated by a vertical bar indicate an optional choice.
{x | y}       Braces enclosing keywords or arguments separated by a vertical bar indicate a required choice.
[x {y | z}]   Nested set of square brackets or braces indicate optional or required choices within optional or required elements. Braces and a vertical bar within square brackets indicate a required choice within an optional element.
variable      Indicates a variable for which you supply values, in context where italics cannot be used.
string        A nonquoted set of characters. Do not use quotation marks around the string or the string will include the quotation marks.

Examples use the following conventions:

Convention              Description
screen font             Terminal sessions and information the switch displays are in screen font.
boldface screen font    Information you must enter is in boldface screen font.
italic screen font      Arguments for which you supply values are in italic screen font.
< >                     Nonprinting characters, such as passwords, are in angle brackets.
[ ]                     Default responses to system prompts are in square brackets.
!, #                    An exclamation point (!) or a pound sign (#) at the beginning of a line of code indicates a comment line.

This document uses the following conventions:

Note
Means reader take note. Notes contain helpful suggestions or references to material not covered in the manual.

Caution
Means reader be careful. In this situation, you might do something that could result in equipment damage or loss of data.

Documentation Feedback

To provide technical feedback on this document, or to report an error or omission, please send your comments to: ciscodfa-docfeedback@cisco.com.
We appreciate your feedback.

Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, using the Cisco Bug Search Tool (BST), submitting a service request, and gathering additional information, see What's New in Cisco Product Documentation, at: http://www.cisco.com/c/en/us/td/docs/general/whatsnew/whatsnew.html.

Subscribe to What's New in Cisco Product Documentation, which lists all new and revised Cisco technical documentation as an RSS feed and delivers content directly to your desktop using a reader application. The RSS feeds are a free service.

Chapter 1

New and Changed Information

This chapter contains the following sections:

• New and Changed Information, page 1

New and Changed Information

This chapter provides release-specific information for each new and changed feature in the Cisco Nexus 5000 Series NX-OS Security Configuration Guide.

The latest version of this document is available at the following Cisco website:
http://www.cisco.com/en/US/products/ps9670/products_installation_and_configuration_guides_list.html

To check for the latest information about Cisco NX-OS for the Cisco Nexus 5000 Series switch, see the Cisco Nexus 5000 Series and Nexus 2000 Series NX-OS Release Notes available at the following Cisco website:
http://www.cisco.com/en/US/products/ps9670/prod_release_notes_list.html

This table summarizes the new and changed features documented in the Cisco Nexus 5000 Series NX-OS Security Configuration Guide, Release 5.1(3)N1(1), and tells you where they are documented.

Table 1: New and Changed Security Features for Cisco NX-OS Release 5.1(3)N1(1)

Feature | Description | Changed in Release | Where Documented
Cisco TrustSec | Added information to configure the Cisco TrustSec feature. | 5.1(3)N1(1) | Configuring Cisco TrustSec
CoPP | Added information to configure the Control Plane Policing (CoPP) feature. | 5.1(3)N1(1) | Configuring CoPP
Port Security | Added information to configure the Port Security feature. | 5.1(3)N1(1) | Configuring Port Security

This table summarizes the new and changed features documented in the Cisco Nexus 5000 Series NX-OS Security Configuration Guide, Release 5.0(3)N1(1), and tells you where they are documented.

Table 2: New and Changed Security Features for Cisco NX-OS Release 5.0(3)N1(1)

Feature | Description | Changed in Release | Where Documented
Dynamic ARP Inspection | Added information to configure Dynamic ARP Inspection. | 5.0(3)N1(1) | Configuring Dynamic ARP Inspection
IP Source Guard | Added information to configure IP Source Guard. | 5.0(3)N1(1) | Configuring IP Source Guard

This table summarizes the new and changed features documented in the Cisco Nexus 5000 Series NX-OS Security Configuration Guide, Release 5.0(2)N2(1), and tells you where they are documented.

Table 3: New and Changed Security Features for Cisco NX-OS Release 5.0(2)N2(1)

Feature | Description | Changed in Release | Where Documented
DHCP Snooping with Option 82 | Added information about the support for optimized DHCP snooping in a vPC environment. | 5.0(2)N2(1) | Configuring DHCP Snooping

This table summarizes the new and changed features documented in the Cisco Nexus 5000 Series NX-OS Security Configuration Guide, Release 5.0(2)N1(1), and tells you where they are documented.

Table 4: New and Changed Security Features for Cisco NX-OS Release 5.0(2)N1(1)

Feature | Description | Changed in Release | Where Documented
Command Authorization Support for TACACS+ Servers | Allows you to verify authorized commands for authenticated users using TACACS+. | 5.0(2)N1(1) | Configuring TACACS+
ACLs on VTY lines | Allows you to restrict incoming and outgoing connections between a VTY line (into a Cisco Nexus 5000 Series switch) and the addresses in an access list. | 5.0(2)N1(1) | Configuring Access Control Lists

This table summarizes the new and changed features documented in the Cisco Nexus 5000 Series NX-OS Security Configuration Guide, and tells you where they are documented.

Table 5: New and Changed Security Features for Cisco NX-OS Release 4.2(1)N1(1)

Feature | Description | Changed in Release | Where Documented
AAA Command Authorization | Allows you to authorize every command that a user can execute. | 4.2(1)N1(1) | Configuring AAA

This table summarizes the new and changed features documented in the Cisco Nexus 5000 Series NX-OS Security Configuration Guide, and tells you where they are documented.

Table 6: New and Changed Security Features for Cisco NX-OS Release 4.1(3)N2(1)

Feature | Description | Changed in Release | Where Documented
IP ACL to mgmt0 | Allows you to apply an IP ACL to the mgmt0 interface. | 4.1(3)N2(1) | Configuring Access Control Lists
Global source interface for TACACS+ | Allows you to configure the global source interface for all TACACS+ server groups that are configured on the device. | 4.1(3)N2(1) | Configuring TACACS+
Global source interface for RADIUS | Allows you to configure the global source interface for all RADIUS server groups that are configured on the device. | 4.1(3)N2(1) | Configuring RADIUS

Documentation Organization

As of Cisco NX-OS Release 4.1(3)N2(1), the Nexus 5000 Series configuration information is available in new feature-specific configuration guides for the following information:

• System Management
• Layer 2 Switching
• SAN Switching
• Fibre Channel over Ethernet
• Security
• Quality of Service

The information in these new guides previously existed in the Cisco Nexus 5000 Series CLI Configuration Guide, which remains available on Cisco.com and should be used for all software releases prior to Cisco Nexus 5000 NX-OS Software Release 4.1(3). Each new configuration guide addresses the features that are introduced in or are available in a particular release. Select and view the configuration guide that pertains to the software installed in your switch.

The information in the new Cisco Nexus 5000 Series NX-OS Security Configuration Guide previously existed in Part 3: Switch Security Features of the Cisco Nexus 5000 Series CLI Configuration Guide.

For a complete list of Nexus 5000 Series document titles, see the list of Related Documentation in the "Preface."

`
`C H A P T E R 2
`
`Overview
`
`The Cisco NX-OS software supports security features that can protect your network against degradation or
`failure and also against data loss or compromise resulting from intentional attacks and from unintended but
`damaging mistakes by well-meaning network users.
`
`• Authentication, Authorization, and Accounting, page 5
`• RADIUS and TACACS+ Security Protocols, page 6
`• SSH and Telnet, page 6
`• IP ACLs, page 7
`
`Authentication, Authorization, and Accounting
`Authentication, authorization, and accounting (AAA) is an architectural framework for configuring a set of
`three independent security functions in a consistent, modular manner.
`Authentication
`Provides the method of identifying users, including login and password dialog, challenge and response,
`messaging support, and, depending on the security protocol that you select, encryption. Authentication
`is the way a user is identified prior to being allowed access to the network and network services. You
`configure AAA authentication by defining a named list of authentication methods and then applying
`that list to various interfaces.
`Authorization
`Provides the method for remote access control, including one-time authorization or authorization for
`each service, per-user account list and profile, user group support, and support of IP, IPX, ARA, and
`Telnet.
`Remote security servers, such as RADIUS and TACACS+, authorize users for specific rights by
`associating attribute-value (AV) pairs, which define those rights, with the appropriate user. AAA
`authorization works by assembling a set of attributes that describe what the user is authorized to perform.
`These attributes are compared with the information contained in a database for a given user, and the
`result is returned to AAA to determine the user’s actual capabilities and restrictions.
`
` OL-25845-01
`
`Cisco Nexus 5000 Series NX-OS Security Configuration Guide, Release 5.1(3)N1(1)
`
`5
`
`

`
`RADIUS and TACACS+ Security Protocols
`
`Overview
`
`Accounting
`Provides the method for collecting and sending security server information used for billing, auditing,
`and reporting, such as user identities, start and stop times, executed commands (such as PPP), number
`of packets, and number of bytes. Accounting enables you to track the services that users are accessing,
`as well as the amount of network resources that they are consuming.
`
`Note
`
`You can configure authentication outside of AAA. However, you must configure AAA if you want to use
`RADIUS or TACACS+, or if you want to configure a backup authentication method.
`
`Related Topics
`
RADIUS and TACACS+ Security Protocols
AAA uses security protocols to administer its security functions. If your router or access server is acting as
a network access server, AAA is the means through which you establish communication between your network
access server and your RADIUS or TACACS+ security server.
The chapters in this guide describe how to configure the following security server protocols:
RADIUS
A distributed client/server system implemented through AAA that secures networks against unauthorized
access. In the Cisco implementation, RADIUS clients run on Cisco routers and send authentication
requests to a central RADIUS server that contains all user authentication and network service access
information.
TACACS+
A security application implemented through AAA that provides a centralized validation of users who
are attempting to gain access to a router or network access server. TACACS+ services are maintained
in a database on a TACACS+ daemon running, typically, on a UNIX or Windows NT workstation.
TACACS+ provides for separate and modular authentication, authorization, and accounting facilities.
SSH and Telnet
You can use the Secure Shell (SSH) server to enable an SSH client to make a secure, encrypted connection
to a Cisco NX-OS device. SSH uses strong encryption for authentication. The SSH server in the Cisco NX-OS
software can interoperate with publicly and commercially available SSH clients.
The SSH client in the Cisco NX-OS software works with publicly and commercially available SSH servers.
The Telnet protocol enables TCP/IP connections to a host. Telnet allows a user at one site to establish a TCP
connection to a login server at another site and then passes the keystrokes from one device to the other. Telnet
can accept either an IP address or a domain name as the remote device address.
IP ACLs

IP ACLs are ordered sets of rules that you can use to filter traffic based on IPv4 information in the Layer 3
header of packets. Each rule specifies a set of conditions that a packet must satisfy to match the rule. When
the Cisco NX-OS software determines that an IP ACL applies to a packet, it tests the packet against the
conditions of all rules. The first match determines whether a packet is permitted or denied, or if there is no
match, the Cisco NX-OS software applies the applicable
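The first-match behaviour described above, modelled as an added Python example (not Cisco code and not NX-OS rule syntax): rules are tested in order, the first match decides the verdict, and a packet that matches nothing falls through to an implicit deny, which is the default this model assumes. The `shadowed()` helper is an added audit check that reports rules the ordering makes unreachable; the rule format and all addresses are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Rule:
    action: str  # "permit" or "deny"
    proto: str   # "ip" matches any protocol; anything else must match exactly
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

def parse_rule(text: str) -> Rule:
    """Parse the constructed syntax '<permit|deny> <proto> <src/len> <dst/len>'."""
    action, proto, src, dst = text.split()
    return Rule(action, proto, ipaddress.IPv4Network(src), ipaddress.IPv4Network(dst))

def matches(rule: Rule, proto: str, src: str, dst: str) -> bool:
    return (rule.proto in ("ip", proto)
            and ipaddress.IPv4Address(src) in rule.src
            and ipaddress.IPv4Address(dst) in rule.dst)

def evaluate(acl: List[Rule], proto: str, src: str, dst: str) -> Tuple[str, Optional[int]]:
    """Return (action, 1-based index of the first matching rule). The packet is
    tested against the rules in order and the first match wins. A packet that
    matches nothing falls through to the implicit deny, reported as index None."""
    for index, rule in enumerate(acl, start=1):
        if matches(rule, proto, src, dst):
            return rule.action, index
    return "deny", None

def shadowed(acl: List[Rule]) -> List[int]:
    """1-based indices of rules that can never be reached because an earlier
    rule already covers every packet they would match (a common audit finding)."""
    out = []
    for i, later in enumerate(acl):
        if any(earlier.proto in ("ip", later.proto)
               and later.src.subnet_of(earlier.src)
               and later.dst.subnet_of(earlier.dst) for earlier in acl[:i]):
            out.append(i + 1)
    return out

# Constructed sample ACL: rule 2 is unreachable because the broader deny precedes it.
SAMPLE_ACL = [parse_rule(r) for r in (
    "deny   tcp 10.0.0.0/8   192.0.2.0/24",
    "permit tcp 10.1.1.0/24  192.0.2.0/24",
    "permit ip  0.0.0.0/0    192.0.2.10/32",
)]
```

Because evaluation stops at the first match, a rule placed after a broader rule with the opposite action never takes effect; the shadow check makes that ordering mistake visible before the ACL is applied.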