354 Pages·2016·4.66 MB·English
Cisco Nexus 9000 Series NX-OS Security Configuration Guide, Release 6.x
First Published: 2013-11-20
Last Modified: 2020-04-09

Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED "AS IS" WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.

This product includes cryptographic software written by Eric Young ([email protected]). This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http://www.openssl.org/) This product includes software written by Tim Hudson ([email protected]).

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: http://www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)

© 2013–2020 Cisco Systems, Inc. All rights reserved.

CONTENTS

PREFACE Preface xvii
Audience xvii
Document Conventions xvii
Related Documentation for Cisco Nexus 9000 Series Switches xviii
Documentation Feedback xviii
Obtaining Documentation and Submitting a Service Request xviii

CHAPTER 1 New and Changed Information 1
New and Changed Information 1

CHAPTER 2 Overview 3
Authentication, Authorization, and Accounting 3
RADIUS and TACACS+ Security Protocols 4
LDAP 5
SSH and Telnet 5
User Accounts and Roles 5
IP ACLs 5
MAC ACLs 6
VACLs 6
DHCP Snooping 6
Dynamic ARP Inspection 6
IP Source Guard 7
Password Encryption 7
Keychain Management 7
Control Plane Policing 7
Rate Limits 8
Software Image 8
Virtual Device Contexts 8

CHAPTER 3 Configuring AAA 9
About AAA 9
AAA Security Services 9
Benefits of Using AAA 10
Remote AAA Services 10
AAA Server Groups 11
AAA Service Configuration Options 11
Authentication and Authorization Process for User Login 12
AES Password Encryption and Master Encryption Keys 13
Licensing Requirements for AAA 13
Prerequisites for AAA 14
Guidelines and Limitations for AAA 14
Default Settings for AAA 14
Configuring AAA 15
Process for Configuring AAA 15
Configuring Console Login Authentication Methods 15
Configuring Default Login Authentication Methods 17
Disabling Fallback to Local Authentication 19
Enabling the Default User Role for AAA Authentication 20
Enabling Login Authentication Failure Messages 21
Enabling CHAP Authentication 22
Enabling MSCHAP or MSCHAP V2 Authentication 23
Configuring AAA Accounting Default Methods 25
Using AAA Server VSAs with Cisco NX-OS Devices 26
About VSAs 26
VSA Format 27
Specifying Cisco NX-OS User Roles and SNMPv3 Parameters on AAA Servers 28
Monitoring and Clearing the Local AAA Accounting Log 28
Verifying the AAA Configuration 28
Configuration Examples for AAA 29
Additional References for AAA 29

CHAPTER 4 Configuring RADIUS 31
About RADIUS 31
RADIUS Network Environments 31
RADIUS Operation 32
RADIUS Server Monitoring 32
Vendor-Specific Attributes 33
Licensing Requirements for RADIUS 34
Prerequisites for RADIUS 34
Guidelines and Limitations for RADIUS 34
Default Settings for RADIUS 35
Configuring RADIUS Servers 35
RADIUS Server Configuration Process 36
Configuring RADIUS Server Hosts 36
Configuring Global RADIUS Keys 38
Configuring a Key for a Specific RADIUS Server 39
Configuring RADIUS Server Groups 40
Configuring the Global Source Interface for RADIUS Server Groups 42
Allowing Users to Specify a RADIUS Server at Login 42
Configuring the Global RADIUS Transmission Retry Count and Timeout Interval 44
Configuring the RADIUS Transmission Retry Count and Timeout Interval for a Server 45
Configuring Accounting and Authentication Attributes for RADIUS Servers 47
Configuring Global Periodic RADIUS Server Monitoring 48
Configuring Periodic RADIUS Server Monitoring on Individual Servers 50
Configuring the RADIUS Dead-Time Interval 51
Configuring One-Time Passwords 53
Manually Monitoring RADIUS Servers or Groups 53
Verifying the RADIUS Configuration 54
Monitoring RADIUS Servers 54
Clearing RADIUS Server Statistics 55
Configuration Example for RADIUS 55
Where to Go Next 56
Additional References for RADIUS 56

CHAPTER 5 Configuring TACACS+ 57
About TACACS+ 57
TACACS+ Advantages 57
TACACS+ Operation for User Login 58
Default TACACS+ Server Encryption Type and Secret Key 59
Command Authorization Support for TACACS+ Servers 59
TACACS+ Server Monitoring 59
Vendor-Specific Attributes for TACACS+ 60
Cisco VSA Format for TACACS+ 60
Licensing Requirements for TACACS+ 61
Prerequisites for TACACS+ 61
Guidelines and Limitations for TACACS+ 61
Default Settings for TACACS+ 61
Configuring TACACS+ 62
TACACS+ Server Configuration Process 62
Enabling TACACS+ 62
Configuring TACACS+ Server Hosts 63
Configuring Global TACACS+ Keys 65
Configuring a Key for a Specific TACACS+ Server 66
Configuring TACACS+ Server Groups 67
Configuring the Global Source Interface for TACACS+ Server Groups 68
Allowing Users to Specify a TACACS+ Server at Login 69
Configuring the Timeout Interval for a TACACS+ Server 70
Configuring TCP Ports 72
Configuring Global Periodic TACACS+ Server Monitoring 73
Configuring Periodic TACACS+ Server Monitoring on Individual Servers 75
Configuring the TACACS+ Dead-Time Interval 76
Configuring ASCII Authentication 77
Configuring AAA Authorization on TACACS+ Servers 79
Configuring Command Authorization on TACACS+ Servers 80
Testing Command Authorization on TACACS+ Servers 82
Enabling and Disabling Command Authorization Verification 83
Configuring Privilege Level Support for Authorization on TACACS+ Servers 83
Permitting or Denying Commands for Users of Privilege Roles 85
Manually Monitoring TACACS+ Servers or Groups 87
Disabling TACACS+ 87
Monitoring TACACS+ Servers 88
Clearing TACACS+ Server Statistics 89
Verifying the TACACS+ Configuration 89
Configuration Examples for TACACS+ 90
Where to Go Next 92
Additional References for TACACS+ 92

CHAPTER 6 Configuring LDAP 93
About LDAP 93
LDAP Authentication and Authorization 94
LDAP Operation for User Login 94
LDAP Server Monitoring 95
Vendor-Specific Attributes for LDAP 95
Cisco VSA Format for LDAP 96
Virtualization Support for LDAP 96
Licensing Requirements for LDAP 96
Prerequisites for LDAP 96
Guidelines and Limitations for LDAP 96
Default Settings for LDAP 97
Configuring LDAP 97
LDAP Server Configuration Process 97
Enabling or Disabling LDAP 98
Configuring LDAP Server Hosts 99
Configuring the RootDN for an LDAP Server 100
Configuring LDAP Server Groups 101
Configuring the Global LDAP Timeout Interval 103
Configuring the Timeout Interval for an LDAP Server 104
Configuring TCP Ports 105
Configuring LDAP Search Maps 106
Configuring Periodic LDAP Server Monitoring 107
Configuring the LDAP Dead-Time Interval 108
Configuring AAA Authorization on LDAP Servers 109
Monitoring LDAP Servers 110
Clearing LDAP Server Statistics 111
Verifying the LDAP Configuration 112
Configuration Examples for LDAP 112
Where to Go Next 113
Additional References for LDAP 113

CHAPTER 7 Configuring SSH and Telnet 115
About SSH and Telnet 115
SSH Server 115
SSH Client 115
SSH Server Keys 116
SSH Authentication Using Digital Certificates 116
Telnet Server 117
Licensing Requirements for SSH and Telnet 117
Prerequisites for SSH and Telnet 117
Guidelines and Limitations for SSH and Telnet 117
Default Settings for SSH and Telnet 118
Configuring SSH 118
Generating SSH Server Keys 118
Specifying the SSH Public Keys for User Accounts 119
Specifying the SSH Public Keys in IETF SECSH Format 119
Specifying the SSH Public Keys in OpenSSH Format 120
Configuring a Maximum Number of SSH Login Attempts 121
Starting SSH Sessions 122
Starting SSH Sessions from Boot Mode 123
Configuring SSH Passwordless File Copy 124
Configuring SCP and SFTP Servers 125
Clearing SSH Hosts 127
Disabling the SSH Server 127
Deleting SSH Server Keys 128
Clearing SSH Sessions 129
Configuring Telnet 129
Enabling the Telnet Server 129
Starting Telnet Sessions to Remote Devices 130
Clearing Telnet Sessions 131
Verifying the SSH and Telnet Configuration 131
Configuration Example for SSH 132
Configuration Example for SSH Passwordless File Copy 133
Additional References for SSH and Telnet 135

CHAPTER 8 Configuring User Accounts and RBAC 137
About User Accounts and RBAC 137
User Accounts 137
Characteristics of Strong Passwords 138
User Roles 138
User Role Rules 139
Licensing Requirements for User Accounts and RBAC 140
Guidelines and Limitations for User Accounts and RBAC 140
Default Settings for User Accounts and RBAC 141
Enabling Password-Strength Checking 141
Configuring User Accounts 142
Configuring Roles 144
Creating User Roles and Rules 144
Creating Feature Groups 147
Changing User Role Interface Policies 148
Changing User Role VLAN Policies 150
Changing User Role VRF Policies 151
Verifying User Accounts and RBAC Configuration 153
Configuration Examples for User Accounts and RBAC 153
Additional References for User Accounts and RBAC 155

CHAPTER 9 Configuring IP ACLs 157
About ACLs 157
ACL Types and Applications 157
Order of ACL Application 159
About Rules 160
Protocols for IP ACLs and MAC ACLs 160
Source and Destination 160
Implicit Rules for IP and MAC ACLs 160
Additional Filtering Options 161
Sequence Numbers 162
Logical Operators and Logical Operation Units 163
IPv4 ACL Logging 163
Time Ranges 163
Policy-Based ACLs 165
Statistics and ACLs 165
Atomic ACL Updates 166
Session Manager Support for IP ACLs 166
ACL TCAM Regions 166
Maximum Label Sizes Supported for ACL Types 170
Licensing Requirements for IP ACLs 170
Prerequisites for IP ACLs 170
Guidelines and Limitations for IP ACLs 171
Default Settings for IP ACLs 173
Configuring IP ACLs 173
Creating an IP ACL 173
Changing an IP ACL 175
Creating a VTY ACL 177
Changing Sequence Numbers in an IP ACL 178
Removing an IP ACL 179
Configuring ACL TCAM Region Sizes 180
Configuring TCAM Carving 186
Configuring TCAM Carving - For Cisco NX-OS Release 6.1(2)I1(1) 190
Applying an IP ACL as a Router ACL 192
Applying an IP ACL as a Port ACL 194
Applying an IP ACL as a VACL 195
Configuring IPv4 ACL Logging 195
Verifying the IP ACL Configuration 197
Monitoring and Clearing IP ACL Statistics 199
Configuration Examples for IP ACLs 199

