I recently visited Perth Western Australia for a core switch upgrade project and it was cold and rainy during my stay there. After my project was done, I went to the Bell Tower (or Swan Bells) which is near the Swan River. The twelve bells (there's a total of eighteen) were donated by St Martin-in-the-Fields church in Trafalgar Square London and it was traced to have existed before the 14th century. I also took a tour of the Perth Mint which has the world's biggest gold coin, the Australian Kangaroo One Tonne Gold Coin, and I was able to watch a live gold pour held inside the museum.
I've downloaded the free Cisco Nexus Simulator and posted the basics functions. The simulator has limited support on most Nexus features such as TACACS+, SNMPv3, etc. So I've used Nexus Titanium in VirtualBox/GNS3 instead. The Nexus 7K series switch CLI command reference can be found on this link. The Nexus OS (NX-OS) CLI syntax have similarities with Catalyst IOS switch (i.e. hostname, ACL, etc) but here are some differences. Below are some "hardening" commands I’ve used on our Nexus switches.
NX-OS# show version
Cisco Nexus Operating System (NX-OS) Software
TAC support: http://www.cisco.com/tac
Documents: http://www.cisco.com/en/US/products/ps9372/tsd_products_support_serie
s_home.html
Copyright (c) 2002-2010, Cisco Systems, Inc. All rights reserved.
The copyrights to certain works contained herein are owned by
other third parties and are used and distributed under license.
Some parts of this software are covered under the GNU Public
License. A copy of the license is available at
http://www.gnu.org/licenses/gpl.html.
Software
loader: version N/A
kickstart: version 5.1(2) [gdb]
system: version 5.1(2) [gdb]
kickstart image file is: bootflash:/titanium-d1-kickstart.5.1.2.gbin
kickstart compile time: 12/25/2020 12:00:00 [12/18/2010 09:53:29]
system image file is: bootflash:/titanium-d1.5.1.2.gbin
system compile time: 11/29/2010 12:00:00 [12/18/2010 11:47:03]
Hardware
cisco Unknown MDS Chassis ("Unknown Module")
Intel(R) Xeon(R) CPU with 2066696 kB of memory.
Processor Board ID T0027265940
Device name: NX-OS
bootflash: 0 kB
Kernel uptime is 0 day(s), 0 hour(s), 37 minute(s), 21 second(s)
plugin
Core Plugin, Ethernet Plugin
NX-OS# show run | inc username
username adminbackup password 5 ! role network-operator
username admin password 5 $1$ek7G4QLQ$YqLUwOCmeIaQFjFRPaznZ0 role network-admin
username all password 5 !! role network-operator
NX-OS#
NX-OS# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
NX-OS(config)# username new-admin ?
<CR>
expire Expiry date for this user account(in YYYY-MM-DD format)
keypair Generate SSH User Keys
password Password for the user
role Role which the user is to be assigned to
ssh-cert-dn Update cert dn
sshkey Update ssh key for the user for ssh authentication
NX-OS(config)# username new-admin password ?
0 Indicates that the password that follows should be in clear text
5 Indicates that the password that follows should be encrypted
WORD Password for the user (clear text) (Max Size 64)
NX-OS(config)# username new-admin password cisco ?
<CR>
expire Expiry date for this user account(in YYYY-MM-DD format)
role Role which the user is to be assigned to
NX-OS(config)# username new-admin password cisco role ?
network-admin System configured role
network-operator System configured role
priv-0 Privilege role
priv-1 Privilege role
priv-10 Privilege role
priv-11 Privilege role
priv-12 Privilege role
priv-13 Privilege role
priv-14 Privilege role
priv-15 Privilege role
priv-2 Privilege role
priv-3 Privilege role
priv-4 Privilege role
priv-5 Privilege role
priv-6 Privilege role
priv-7 Privilege role
priv-8 Privilege role
priv-9 Privilege role
vdc-admin System configured role
vdc-operator System configured role
NX-OS(config)# username new-admin password cisco role network-admin
NX-OS(config)# username admin password cisco role network-admin
NX-OS(config)# no username admin // CAN'T DELETE admin; CAN ONLY CHANGE ITS PW
cannot delete user admin
NX-OS# show feature
Feature Name Instance State
-------------------- -------- --------
amt 1 disabled
bfd 1 disabled
bfd_app 1 disabled
bgp 1 disabled
cts 1 disabled
dhcp 1 disabled
dot1x 1 disabled
eigrp 1 disabled
eigrp 2 disabled
eigrp 3 disabled
eigrp 4 disabled
eou 1 disabled
eth_port_sec 1 disabled
fex 1 disabled
fipsm 1 disabled
glbp 1 disabled
hsrp_engine 1 enabled
interface-vlan 1 disabled
isis 1 disabled
isis 2 disabled
isis 3 disabled
isis 4 disabled
ldap 1 disabled
lisp 1 disabled
msdp 1 disabled
netflow 1 disabled
ospf 1 enabled (not-running)
ospf 2 enabled (not-running)
ospf 3 enabled (not-running)
ospf 4 enabled (not-running)
ospfv3 1 disabled
ospfv3 2 disabled
ospfv3 3 disabled
ospfv3 4 disabled
otv 1 disabled
pbr 1 disabled
pim 1 disabled
pim6 1 disabled
private-vlan 1 disabled
privilege 1 disabled
rip 1 disabled
rip 2 disabled
rip 3 disabled
rip 4 disabled
scheduler 1 disabled
scpServer 1 disabled
sftpServer 1 disabled
sshServer 1 enabled
tacacs 1 disabled
telnetServer 1 enabled
tunnel 1 disabled
udld 1 disabled
vpc 1 disabled
vrrp 1 disabled
vtp 1 enabled
wccp 1 disabled
NX-OS#
NX-OS# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
NX-OS(config)# enable ?
^
% Invalid parameter detected at '^' marker.
NX-OS(config)# feature ?
bfd Bfd
bgp Enable/Disable Border Gateway Protocol (BGP)
cts Enable/Disable CTS
dhcp Enable/Disable DHCP Snooping
dot1x Enable/Disable dot1x
eigrp Enable/Disable Enhanced Interior Gateway Routing Protocol
(EIGRP)
eou Enable/Disables feature l2nac(eou)
fip-snooping Enable/Disable fip-snooping(FCoE Initializtion Protocol)
glbp Enable/Disable Gateway Load Balancing Protocol (GLBP)
hsrp Enable/Disable Hot Standby Router Protocol (HSRP)
interface-vlan Enable/Disable interface vlan
isis Enable/Disable IS-IS Unicast Routing Protocol (IS-IS)
lacp Enable/Disable LACP
ldap Enable/Disable ldap
lldp Enable/Disable LLDP
msdp Enable/Disable Multicast Source Discovery Protocol (MSDP)
netflow Enable/Disable NetFlow
ospf Enable/Disable Open Shortest Path First Protocol (OSPF)
ospfv3 Enable/Disable Open Shortest Path First Version 3 Protocol
(OSPFv3)
otv Enable/Disable Overlay Transport Virtualization (OTV)
pbr Enable/Disable Policy Based Routing(PBR)
pim Enable/Disable Protocol Independent Multicast (PIM)
pim6 Enable/Disable Protocol Independent Multicast (PIM) for IPv6
port-security Enable/Disable port-security
private-vlan Enable/Disable private-vlan
privilege Enable/Disable IOS type privilege level support
rip Enable/Disable Routing Information Protocol (RIP)
scheduler Enable/Disable scheduler
scp-server Enable/Disable SCP server
sftp-server Enable/Disable SFTP server
ssh Enable/Disable ssh
tacacs+ Enable/Disable tacacs+
telnet Enable/Disable telnet
tunnel Enable/Disable Tunnel Manager
udld Enable/Disable UDLD
vpc Enable/Disable VPC (Virtual Port Channel)
vrrp Enable/Disable Virtual Router Redundancy Protocol (VRRP)
vtp Enable/Disable VTP
wccp Enable/Disable Web Cache Communication Protocol (WCCP)
NX-OS(config)# feature privilege
NX-OS(config)# ?
aaa Configure aaa functions
access-list Configure access control list parameters
acllog Configure ACL logging
arp ARP access-list configuration commands
banner Configure banner message
boot Configure boot variables
callhome Enter the callhome configuration mode
cdp Configure CDP parameters
cfs CFS configuration commands
class-map Configure a class map
cli Configure CLI commands
clock Manage the system clock
control-plane Enter to control-plane sub-mode
copp Control-plane config
crypto Set crypto settings
cts Config commands for CTS
default Rollback to default configuration
enable Create secret for privilege escalation
errdisable Error disable
event Event Manager commands
fabricpath Fabricpath configuration
feature Command to enable/disable features
feature-set Enable feature-set
fips Enable/Disable FIPS mode
hardware Hardware Internal Information
hostname Configure system's host name
hsrp HSRP interface configuration commands
install Install a feature-set
interface Configure interfaces
ip Configure IP features
ipv4 Configure IP features
ipv6 Configure IPv6 features
key Key Management
l2 Layer2
l2protocol Layer 2 Protocol
l3vm Debug L3VM information
license Modify license features
line Configure a terminal line
logging Modify message logging facilities
m2rib Configure m2rib
mac MAC configuration commands
mac-list Build a mac list
no Negate a command or set its defaults
ntp NTP Configuration
object-group Configure ACL object groups
password Password for the user
policy-map Configure a policy map
port-channel Configure port channel parameters
port-profile Configure a port-profile
power Configure power supply
poweroff Power off a module in the switch
promiscuous-mode Turn ON promiscuous mode for all the interfaces
qos QoS Global Commands
radius Configure RADIUS configuration
radius-server Configure RADIUS related parameters
rate-limit Set packet per second rate limit
resequence Resequence a list with sequence numbers
rmon Remote Monitoring
role Configure roles
route-map Create route-map or enter route-map command mode
router Enable a routing process
snmp-server Configure snmp server
software-forwarding Software forwarding
spanning-tree Spanning Tree Subsystem
ssh SSH to another system
switchname Configure system's host name
system System configuration commands
table-map Configure a table map
terminal Configure terminal settings
this Shows info about current object (mode's instance)
time-range Define time range entries
track Object tracking configuration commands
username Configure user information.
vdc Manage Virtual Device Context
vlan Vlan commands
vrf Configure VRF parameters
vtp Configure global VTP state
xml Xml agent
end Go to exec mode
exit Exit from command interpreter
pop Pop mode from stack or restore from name
push Push current mode to stack or save it under name
where Shows the cli context you are in
NX-OS(config)# enable ?
secret Create secret for privilege escalation (defaults to highest priv-lvl 14/15)
NX-OS(config)# enable secret ?
0 Indicates that the secret that follows should be in clear text
5 Indicates that the secret that follows should be encrypted
WORD Secret for user privilege escalation (clear text) (Max Size 64)
NX-OS(config)# enable secret cisco
NX-OS(config)# show feature | inc ssh
sshServer 1 enabled
NX-OS# show ssh ?
key Show ssh keys
names Name of pre-established master ssh connections
server Show whether ssh server is enabled or not
NX-OS# show ssh server
ssh version 2 is enabled
NX-OS(config)# feature ?
bfd Bfd
bgp Enable/Disable Border Gateway Protocol (BGP)
cts Enable/Disable CTS
dhcp Enable/Disable DHCP Snooping
dot1x Enable/Disable dot1x
eigrp Enable/Disable Enhanced Interior Gateway Routing Protocol
(EIGRP)
eou Enable/Disables feature l2nac(eou)
fip-snooping Enable/Disable fip-snooping(FCoE Initializtion Protocol)
glbp Enable/Disable Gateway Load Balancing Protocol (GLBP)
hsrp Enable/Disable Hot Standby Router Protocol (HSRP)
interface-vlan Enable/Disable interface vlan
isis Enable/Disable IS-IS Unicast Routing Protocol (IS-IS)
lacp Enable/Disable LACP
ldap Enable/Disable ldap
lldp Enable/Disable LLDP
msdp Enable/Disable Multicast Source Discovery Protocol (MSDP)
netflow Enable/Disable NetFlow
ospf Enable/Disable Open Shortest Path First Protocol (OSPF)
ospfv3 Enable/Disable Open Shortest Path First Version 3 Protocol
(OSPFv3)
otv Enable/Disable Overlay Transport Virtualization (OTV)
pbr Enable/Disable Policy Based Routing(PBR)
pim Enable/Disable Protocol Independent Multicast (PIM)
pim6 Enable/Disable Protocol Independent Multicast (PIM) for IPv6
port-security Enable/Disable port-security
private-vlan Enable/Disable private-vlan
privilege Enable/Disable IOS type privilege level support
rip Enable/Disable Routing Information Protocol (RIP)
scheduler Enable/Disable scheduler
scp-server Enable/Disable SCP server
sftp-server Enable/Disable SFTP server
ssh Enable/Disable ssh
tacacs+ Enable/Disable tacacs+
telnet Enable/Disable telnet
tunnel Enable/Disable Tunnel Manager
udld Enable/Disable UDLD
vpc Enable/Disable VPC (Virtual Port Channel)
vrrp Enable/Disable Virtual Router Redundancy Protocol (VRRP)
vtp Enable/Disable VTP
wccp Enable/Disable Web Cache Communication Protocol (WCCP)
NX-OS(config)# feature ssh
NX-OS(config)# show feature | inc telnet
telnetServer 1 enabled
NX-OS(config)# no feature telnet // DISABLE TELNET (DISABLED BY DEFAULT)
NX-OS(config)# show feature | inc telnet
telnetServer 1 disabled
X-OS(config)# ssh ?
key Generate SSH Key
login-attempts Set maximum login attempts from ssh
NX-OS(config)# ssh key ?
dsa Generate DSA keys
rsa Generate RSA keys
NX-OS(config)# ssh key rsa ?
<CR>
<1024-2048> Enter number of bits (in multiples of 8)
NX-OS(config)# ssh key rsa 2048
rsa keys already present, use force option to overwrite them
NX-OS(config)# ssh key rsa 2048 ?
<CR>
force Force the generation of keys even if previous ones are present
NX-OS(config)# ssh key rsa 2048 force // GENERATE A 2048 RSA KEY
deleting old rsa key.....
NX-OS(config)# show feature | inc tacacs
tacacs 1 disabled
NX-OS(config)# feature ?
bfd Bfd
bgp Enable/Disable Border Gateway Protocol (BGP)
cts Enable/Disable CTS
dhcp Enable/Disable DHCP Snooping
dot1x Enable/Disable dot1x
eigrp Enable/Disable Enhanced Interior Gateway Routing Protocol
(EIGRP)
eou Enable/Disables feature l2nac(eou)
fip-snooping Enable/Disable fip-snooping(FCoE Initializtion Protocol)
glbp Enable/Disable Gateway Load Balancing Protocol (GLBP)
hsrp Enable/Disable Hot Standby Router Protocol (HSRP)
interface-vlan Enable/Disable interface vlan
isis Enable/Disable IS-IS Unicast Routing Protocol (IS-IS)
lacp Enable/Disable LACP
ldap Enable/Disable ldap
lldp Enable/Disable LLDP
msdp Enable/Disable Multicast Source Discovery Protocol (MSDP)
netflow Enable/Disable NetFlow
ospf Enable/Disable Open Shortest Path First Protocol (OSPF)
ospfv3 Enable/Disable Open Shortest Path First Version 3 Protocol
(OSPFv3)
otv Enable/Disable Overlay Transport Virtualization (OTV)
pbr Enable/Disable Policy Based Routing(PBR)
pim Enable/Disable Protocol Independent Multicast (PIM)
pim6 Enable/Disable Protocol Independent Multicast (PIM) for IPv6
port-security Enable/Disable port-security
private-vlan Enable/Disable private-vlan
privilege Enable/Disable IOS type privilege level support
rip Enable/Disable Routing Information Protocol (RIP)
scheduler Enable/Disable scheduler
scp-server Enable/Disable SCP server
sftp-server Enable/Disable SFTP server
ssh Enable/Disable ssh
tacacs+ Enable/Disable tacacs+
telnet Enable/Disable telnet
tunnel Enable/Disable Tunnel Manager
udld Enable/Disable UDLD
vpc Enable/Disable VPC (Virtual Port Channel)
vrrp Enable/Disable Virtual Router Redundancy Protocol (VRRP)
vtp Enable/Disable VTP
wccp Enable/Disable Web Cache Communication Protocol (WCCP)
NX-OS(config)# feature tacacs+
To configure TACACS+ server and key issue the tacacs-server <HOST> <KEY> in global config.
NX-OS(config)# tacacs-server ?
deadtime Duration for which non-reachable server is skipped
directed-request Enable direct authentication requests to server
host TACACS+ server's DNS name or its IP address
key Global TACACS+ server shared secret
test Parameters to send test packets
timeout Global TACACS+ server timeout period in seconds
NX-OS(config)# tacacs-server host ?
A.B.C.D|A:B::C:D|WORD IPV4/IPV6 address or DNS name
NX-OS(config)# tacacs-server host 192.168.1.100 ?
<CR>
key TACACS+ shared secret
port TACACS+ server port
test Parameters to send test packets
timeout TACACS+ server timeout period in seconds
NX-OS(config)# tacacs-server host 192.168.1.100 key ?
0 TACACS+ shared secret(clear text)
7 TACACS+ shared secret(encrypted)
WORD TACACS+ shared secret(clear text) (Max Size 63)
NX-OS(config)# tacacs-server host 192.168.1.100 key cisco
NX-OS(config)# access-list ?
cleanup-unused-policies Enable implicit cleanup of ACL policies on shutdown
ports
NX-OS(config)# ip access-list ?
WORD List name (Max Size 64)
match-local-traffic (no abbrev) Enable access-list matching for locally
generated traffic
NX-OS(config)# ip access-list VTY-ACL
NX-OS(config-acl)# ?
<1-4294967295> Sequence number
deny Specify packets to reject
fragments Optimize fragments rule installation
no Negate a command or set its defaults
permit Specify packets to forward
remark Access list entry comment
statistics Enable per-entry statistics for the ACL
this Shows info about current object (mode's instance)
end Go to exec mode
exit Exit from command interpreter
pop Pop mode from stack or restore from name
push Push current mode to stack or save it under name
where Shows the cli context you are in
NX-OS(config-acl)# permit ?
<0-255> A protocol number
ahp Authentication header protocol
eigrp Cisco's EIGRP routing protocol
esp Encapsulation security payload
gre Cisco's GRE tunneling
icmp Internet Control Message Protocol
igmp Internet Group Management Protocol
ip Any IP protocol
nos KA9Q NOS compatible IP over IP tunneling
ospf OSPF routing protocol
pcp Payload compression protocol
pim Protocol independent multicast
tcp Transmission Control Protocol
udp User Datagram Protocol
NX-OS(config-acl)# permit ip ?
A.B.C.D Source network address
A.B.C.D/LEN Source network prefix
addrgroup Source address group
any Any source address
host A single source host
NX-OS(config-acl)# permit ip host ?
A.B.C.D Source address
NX-OS(config-acl)# permit ip host 192.168.1.50 ?
A.B.C.D Destination network address
A.B.C.D/LEN Destination network prefix
addrgroup Destination address group
any Any destination address
host A single destination host
NX-OS(config-acl)# permit ip host 192.168.1.50 any
NX-OS(config-acl)# permit ip 10.1.100.0/24 any
There's no VTY line numbers in a Nexus switch. It still uses the access-class command to allow specific IPs on the VTY lines.
NX-OS(config)# snmp-server ?
aaa-user Set duration for which aaa-cached snmp user exists
community Set community string and access privs
contact Modify sysContact
context SNMP context to be mapped
counter Configure port counter configuration
enable Enable SNMP Traps
globalEnforcePriv Globally enforce privacy for all the users
host Specify hosts to receive SNMP notifications
location Modify sysLocation
mib Mib access parameters
protocol Snmp protocol operations
source-interface Source interface to be used for sending out SNMP
notifications
system-shutdown Configure snmp-server for reload(2)
tcp-session Enable one time authentication for snmp over tcp session.
user Define a user who can access the SNMP engine
NX-OS(config)# snmp-server user ?
WORD Name of the user (Max Size 28)
NX-OS(config)# snmp-server user admin ?
<CR>
WORD Group name (ignored for notif target user) (Max Size 28)
auth Authentication parameters for the user
NX-OS(config)# snmp-server user admin auth ?
md5 Use HMAC MD5 algorithm for authentication
sha Use HMAC SHA algorithm for authentication
NX-OS(config)# snmp-server user admin auth md5 ?
WORD Authentication password for user (Max Size 130)
NX-OS(config)# snmp-server user admin auth md5 cisco
user password must be atleast 8 characters
NX-OS(config)# snmp-server user admin auth md5 cisco123 // MINIMUM SNMP CONFIG FOR SNMPv3, NO ACL OPTION AVAILABLE
NX-OS(config)# snmp-server user admin auth md5 cisco123 ?
<CR>
engineID EngineID for configuring notif target user (for V3 informs)
localizedkey Specifies whether the passwords are in localized key format
priv Encryption parameters for the user
NX-OS(config)# snmp-server community ?
WORD SNMP community string (Max Size 32)
NX-OS(config)# snmp-server community cisco ?
<CR>
group Group to which the community belongs
ro Read-only access with this community string
rw Read-write access with this community string
use-acl Acl name to filter snmp requests
NX-OS(config)# snmp-server community cisco use-acl ? // SNMPv2c CAN USE ACL
WORD Acl name to filter snmp requests (Max Size 32)
Below is the diffence between the show interface brief and show interface status command output. There's no interface range command in a Nexus switch.
NX-OS# show interface ?
<CR>
> Redirect it to a file
>> Redirect it to a file in append mode
brief Show brief info of interface
capabilities Show interface capabilities information
counters Show interface counters
debounce Show interface debounce time information
description Show interface description
ethernet Ethernet IEEE 802.3z
flowcontrol Show interface flowcontrol information
loopback Loopback interface
mac-address Show interface MAC address
mgmt Management interface
port-channel Port Channel interface
priority-flow-control Show interface PFC information
pruning Show interface trunk VTP pruning information
snmp-ifindex Show snmp ifindex list
status Show interface line status
switchport Show interface switchport information
transceiver Show interface transceiver information
trunk Show interface trunk information
| Pipe command output to filter
NX-OS# show interface brief
--------------------------------------------------------------------------------
Port VRF Status IP Address Speed MTU
--------------------------------------------------------------------------------
mgmt0 -- up 192.168.1.101 100 1500
--------------------------------------------------------------------------------
Ethernet VLAN Type Mode Status Reason Speed Por
t
Interface Ch
#
--------------------------------------------------------------------------------
Eth2/1 -- eth routed down Administratively down auto(D) --
Eth2/2 -- eth routed down Administratively down auto(D) --
Eth2/3 -- eth routed down Administratively down auto(D) --
Eth2/4 -- eth routed down Administratively down auto(D) --
Eth2/5 -- eth routed down Administratively down auto(D) --
Eth2/6 -- eth routed down Administratively down auto(D) --
Eth2/7 -- eth routed down Administratively down auto(D) --
Eth2/8 -- eth routed down Administratively down auto(D) --
Eth2/9 -- eth routed down Administratively down auto(D) --
NX-OS# show interface status
--------------------------------------------------------------------------------
Port Name Status Vlan Duplex Speed Type
--------------------------------------------------------------------------------
mgmt0 -- connected routed full 100 --
Eth2/1 -- disabled routed auto auto
Eth2/2 -- disabled routed auto auto
Eth2/3 -- disabled routed auto auto
Eth2/4 -- disabled routed auto auto
Eth2/5 -- disabled routed auto auto
Eth2/6 -- disabled routed auto auto
Eth2/7 -- disabled routed auto auto
Eth2/8 -- disabled routed auto auto
Eth2/9 -- disabled routed auto auto
NX-OS# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
NX-OS(config)# interface eth2/1-9 // NO RANGE COMMAND
NX-OS(config-if-range)# ?
bandwidth Set bandwidth informational parameter
beacon Disable/enable the beacon for an interface
cdp Configure CDP interface parameters
channel-group Configure port channel parameters
delay Specify interface throughput delay
description Enter description of maximum 80 characters
duplex Enter the port duplex mode
fabricpath Fabricpath configuration
fabricpath Data Center Intermediate System to Intermediate System
(L2MP-IS-IS)
flowcontrol Configure interface flowcontrol
hsrp HSRP interface configuration commands
inherit Inherit a port-profile
ip Configure IP features
ipv6 Configure IPv6 features
l2protocol Layer 2 Protocol
link Configure link
load-interval Specify interval for load calculation for an interface
logging Configure logging for interface
mac MAC configuration commands
mac-address Configure interface mac address
mdix Enable auto mdix mode
medium Configure Interface medium mode
mtu Configure mtu for the port
no Negate a command or set its defaults
priority-flow-control Enable/Disable PFC
rate-limit Set packet per second rate limit
rate-mode Enter the rate mode
service-policy Configure service policy for an interface
shutdown Enable/disable an interface
snmp Modify SNMP interface parameters
spanning-tree Spanning Tree Subsystem
speed Enter the port speed
storm-control Configure Interface storm control
switchport Configure switchport parameters
this Shows info about current object (mode's instance)
vrf Configure VRF parameters
vtp Enable VTP on this interface
end Go to exec mode
exit Exit from command interpreter
pop Pop mode from stack or restore from name
push Push current mode to stack or save it under name
where Shows the cli context you are in
I've downloaded the free Cisco Nexus Simulator and posted the basics functions. The simulator has limited support on most Nexus features such as TACACS+, SNMPv3, etc. So I've used Nexus Titanium in VirtualBox/GNS3 instead. The Nexus 7K series switch CLI command reference can be found on this link. The Nexus OS (NX-OS) CLI syntax have similarities with Catalyst IOS switch (i.e. hostname, ACL, etc) but here are some differences. Below are some "hardening" commands I’ve used on our Nexus switches.
NX-OS# show version
Cisco Nexus Operating System (NX-OS) Software
TAC support: http://www.cisco.com/tac
Documents: http://www.cisco.com/en/US/products/ps9372/tsd_products_support_serie
s_home.html
Copyright (c) 2002-2010, Cisco Systems, Inc. All rights reserved.
The copyrights to certain works contained herein are owned by
other third parties and are used and distributed under license.
Some parts of this software are covered under the GNU Public
License. A copy of the license is available at
http://www.gnu.org/licenses/gpl.html.
Software
loader: version N/A
kickstart: version 5.1(2) [gdb]
system: version 5.1(2) [gdb]
kickstart image file is: bootflash:/titanium-d1-kickstart.5.1.2.gbin
kickstart compile time: 12/25/2020 12:00:00 [12/18/2010 09:53:29]
system image file is: bootflash:/titanium-d1.5.1.2.gbin
system compile time: 11/29/2010 12:00:00 [12/18/2010 11:47:03]
Hardware
cisco Unknown MDS Chassis ("Unknown Module")
Intel(R) Xeon(R) CPU with 2066696 kB of memory.
Processor Board ID T0027265940
Device name: NX-OS
bootflash: 0 kB
Kernel uptime is 0 day(s), 0 hour(s), 37 minute(s), 21 second(s)
plugin
Core Plugin, Ethernet Plugin
You assign a user role (RBAC) when configuring a local admin
account on a Nexus OS (NX-OS) switch. You can't delete the admin user account and can only change the password.
NX-OS# show run | inc username
username adminbackup password 5 ! role network-operator
username admin password 5 $1$ek7G4QLQ$YqLUwOCmeIaQFjFRPaznZ0 role network-admin
username all password 5 !! role network-operator
NX-OS#
NX-OS# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
NX-OS(config)# username new-admin ?
<CR>
expire Expiry date for this user account(in YYYY-MM-DD format)
keypair Generate SSH User Keys
password Password for the user
role Role which the user is to be assigned to
ssh-cert-dn Update cert dn
sshkey Update ssh key for the user for ssh authentication
NX-OS(config)# username new-admin password ?
0 Indicates that the password that follows should be in clear text
5 Indicates that the password that follows should be encrypted
WORD Password for the user (clear text) (Max Size 64)
NX-OS(config)# username new-admin password cisco ?
<CR>
expire Expiry date for this user account(in YYYY-MM-DD format)
role Role which the user is to be assigned to
NX-OS(config)# username new-admin password cisco role ?
network-admin System configured role
network-operator System configured role
priv-0 Privilege role
priv-1 Privilege role
priv-10 Privilege role
priv-11 Privilege role
priv-12 Privilege role
priv-13 Privilege role
priv-14 Privilege role
priv-15 Privilege role
priv-2 Privilege role
priv-3 Privilege role
priv-4 Privilege role
priv-5 Privilege role
priv-6 Privilege role
priv-7 Privilege role
priv-8 Privilege role
priv-9 Privilege role
vdc-admin System configured role
vdc-operator System configured role
NX-OS(config)# username new-admin password cisco role network-admin
NX-OS(config)# username admin password cisco role network-admin
NX-OS(config)# no username admin // CAN'T DELETE admin; CAN ONLY CHANGE ITS PW
cannot delete user admin
You can enable or disable a feature on a Nexus switch. Issue
a show feature to list all supported
features. To configure enable secret on a Nexus switch you "enable" the feature privilege.
NX-OS# show feature
Feature Name Instance State
-------------------- -------- --------
amt 1 disabled
bfd 1 disabled
bfd_app 1 disabled
bgp 1 disabled
cts 1 disabled
dhcp 1 disabled
dot1x 1 disabled
eigrp 1 disabled
eigrp 2 disabled
eigrp 3 disabled
eigrp 4 disabled
eou 1 disabled
eth_port_sec 1 disabled
fex 1 disabled
fipsm 1 disabled
glbp 1 disabled
hsrp_engine 1 enabled
interface-vlan 1 disabled
isis 1 disabled
isis 2 disabled
isis 3 disabled
isis 4 disabled
ldap 1 disabled
lisp 1 disabled
msdp 1 disabled
netflow 1 disabled
ospf 1 enabled (not-running)
ospf 2 enabled (not-running)
ospf 3 enabled (not-running)
ospf 4 enabled (not-running)
ospfv3 1 disabled
ospfv3 2 disabled
ospfv3 3 disabled
ospfv3 4 disabled
otv 1 disabled
pbr 1 disabled
pim 1 disabled
pim6 1 disabled
private-vlan 1 disabled
privilege 1 disabled
rip 1 disabled
rip 2 disabled
rip 3 disabled
rip 4 disabled
scheduler 1 disabled
scpServer 1 disabled
sftpServer 1 disabled
sshServer 1 enabled
tacacs 1 disabled
telnetServer 1 enabled
tunnel 1 disabled
udld 1 disabled
vpc 1 disabled
vrrp 1 disabled
vtp 1 enabled
wccp 1 disabled
NX-OS#
NX-OS# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
NX-OS(config)# enable ?
^
% Invalid parameter detected at '^' marker.
NX-OS(config)# feature ?
bfd Bfd
bgp Enable/Disable Border Gateway Protocol (BGP)
cts Enable/Disable CTS
dhcp Enable/Disable DHCP Snooping
dot1x Enable/Disable dot1x
eigrp Enable/Disable Enhanced Interior Gateway Routing Protocol
(EIGRP)
eou Enable/Disables feature l2nac(eou)
fip-snooping Enable/Disable fip-snooping(FCoE Initializtion Protocol)
glbp Enable/Disable Gateway Load Balancing Protocol (GLBP)
hsrp Enable/Disable Hot Standby Router Protocol (HSRP)
interface-vlan Enable/Disable interface vlan
isis Enable/Disable IS-IS Unicast Routing Protocol (IS-IS)
lacp Enable/Disable LACP
ldap Enable/Disable ldap
lldp Enable/Disable LLDP
msdp Enable/Disable Multicast Source Discovery Protocol (MSDP)
netflow Enable/Disable NetFlow
ospf Enable/Disable Open Shortest Path First Protocol (OSPF)
ospfv3 Enable/Disable Open Shortest Path First Version 3 Protocol
(OSPFv3)
otv Enable/Disable Overlay Transport Virtualization (OTV)
pbr Enable/Disable Policy Based Routing(PBR)
pim Enable/Disable Protocol Independent Multicast (PIM)
pim6 Enable/Disable Protocol Independent Multicast (PIM) for IPv6
port-security Enable/Disable port-security
private-vlan Enable/Disable private-vlan
privilege Enable/Disable IOS type privilege level support
rip Enable/Disable Routing Information Protocol (RIP)
scheduler Enable/Disable scheduler
scp-server Enable/Disable SCP server
sftp-server Enable/Disable SFTP server
ssh Enable/Disable ssh
tacacs+ Enable/Disable tacacs+
telnet Enable/Disable telnet
tunnel Enable/Disable Tunnel Manager
udld Enable/Disable UDLD
vpc Enable/Disable VPC (Virtual Port Channel)
vrrp Enable/Disable Virtual Router Redundancy Protocol (VRRP)
vtp Enable/Disable VTP
wccp Enable/Disable Web Cache Communication Protocol (WCCP)
NX-OS(config)# feature privilege
NX-OS(config)# ?
aaa Configure aaa functions
access-list Configure access control list parameters
acllog Configure ACL logging
arp ARP access-list configuration commands
banner Configure banner message
boot Configure boot variables
callhome Enter the callhome configuration mode
cdp Configure CDP parameters
cfs CFS configuration commands
class-map Configure a class map
cli Configure CLI commands
clock Manage the system clock
control-plane Enter to control-plane sub-mode
copp Control-plane config
crypto Set crypto settings
cts Config commands for CTS
default Rollback to default configuration
enable Create secret for privilege escalation
errdisable Error disable
event Event Manager commands
fabricpath Fabricpath configuration
feature Command to enable/disable features
feature-set Enable feature-set
fips Enable/Disable FIPS mode
hardware Hardware Internal Information
hostname Configure system's host name
hsrp HSRP interface configuration commands
install Install a feature-set
interface Configure interfaces
ip Configure IP features
ipv4 Configure IP features
ipv6 Configure IPv6 features
key Key Management
l2 Layer2
l2protocol Layer 2 Protocol
l3vm Debug L3VM information
license Modify license features
line Configure a terminal line
logging Modify message logging facilities
m2rib Configure m2rib
mac MAC configuration commands
mac-list Build a mac list
no Negate a command or set its defaults
ntp NTP Configuration
object-group Configure ACL object groups
password Password for the user
policy-map Configure a policy map
port-channel Configure port channel parameters
port-profile Configure a port-profile
power Configure power supply
poweroff Power off a module in the switch
promiscuous-mode Turn ON promiscuous mode for all the interfaces
qos QoS Global Commands
radius Configure RADIUS configuration
radius-server Configure RADIUS related parameters
rate-limit Set packet per second rate limit
resequence Resequence a list with sequence numbers
rmon Remote Monitoring
role Configure roles
route-map Create route-map or enter route-map command mode
router Enable a routing process
snmp-server Configure snmp server
software-forwarding Software forwarding
spanning-tree Spanning Tree Subsystem
ssh SSH to another system
switchname Configure system's host name
system System configuration commands
table-map Configure a table map
terminal Configure terminal settings
this Shows info about current object (mode's instance)
time-range Define time range entries
track Object tracking configuration commands
username Configure user information.
vdc Manage Virtual Device Context
vlan Vlan commands
vrf Configure VRF parameters
vtp Configure global VTP state
xml Xml agent
end Go to exec mode
exit Exit from command interpreter
pop Pop mode from stack or restore from name
push Push current mode to stack or save it under name
where Shows the cli context you are in
NX-OS(config)# enable ?
secret Create secret for privilege escalation (defaults to highest priv-lvl 14/15)
NX-OS(config)# enable secret ?
0 Indicates that the secret that follows should be in clear text
5 Indicates that the secret that follows should be encrypted
WORD Secret for user privilege escalation (clear text) (Max Size 64)
NX-OS(config)# enable secret cisco
Type q to “quit” displaying the output. You can issue show
commands from global config mode without the do at the beginning. SSH (sshServer) is
enabled by default on a Nexus switch while Telnet is disabled by default. If SSH was disabled, you can re-enable it by issuing the feature ssh in global config.
NX-OS(config)# show feature | inc ssh
sshServer 1 enabled
NX-OS# show ssh ?
key Show ssh keys
names Name of pre-established master ssh connections
server Show whether ssh server is enabled or not
NX-OS# show ssh server
ssh version 2 is enabled
NX-OS(config)# feature ?
bfd Bfd
bgp Enable/Disable Border Gateway Protocol (BGP)
cts Enable/Disable CTS
dhcp Enable/Disable DHCP Snooping
dot1x Enable/Disable dot1x
eigrp Enable/Disable Enhanced Interior Gateway Routing Protocol
(EIGRP)
eou Enable/Disables feature l2nac(eou)
fip-snooping Enable/Disable fip-snooping(FCoE Initializtion Protocol)
glbp Enable/Disable Gateway Load Balancing Protocol (GLBP)
hsrp Enable/Disable Hot Standby Router Protocol (HSRP)
interface-vlan Enable/Disable interface vlan
isis Enable/Disable IS-IS Unicast Routing Protocol (IS-IS)
lacp Enable/Disable LACP
ldap Enable/Disable ldap
lldp Enable/Disable LLDP
msdp Enable/Disable Multicast Source Discovery Protocol (MSDP)
netflow Enable/Disable NetFlow
ospf Enable/Disable Open Shortest Path First Protocol (OSPF)
ospfv3 Enable/Disable Open Shortest Path First Version 3 Protocol
(OSPFv3)
otv Enable/Disable Overlay Transport Virtualization (OTV)
pbr Enable/Disable Policy Based Routing(PBR)
pim Enable/Disable Protocol Independent Multicast (PIM)
pim6 Enable/Disable Protocol Independent Multicast (PIM) for IPv6
port-security Enable/Disable port-security
private-vlan Enable/Disable private-vlan
privilege Enable/Disable IOS type privilege level support
rip Enable/Disable Routing Information Protocol (RIP)
scheduler Enable/Disable scheduler
scp-server Enable/Disable SCP server
sftp-server Enable/Disable SFTP server
ssh Enable/Disable ssh
tacacs+ Enable/Disable tacacs+
telnet Enable/Disable telnet
tunnel Enable/Disable Tunnel Manager
udld Enable/Disable UDLD
vpc Enable/Disable VPC (Virtual Port Channel)
vrrp Enable/Disable Virtual Router Redundancy Protocol (VRRP)
vtp Enable/Disable VTP
wccp Enable/Disable Web Cache Communication Protocol (WCCP)
NX-OS(config)# feature ssh
NX-OS(config)# show feature | inc telnet
telnetServer 1 enabled
NX-OS(config)# no feature telnet // DISABLE TELNET (DISABLED BY DEFAULT)
NX-OS(config)# show feature | inc telnet
telnetServer 1 disabled
The Nexus switch uses a 1024 RSA key by default. To generate a stronger RSA modulus key, issue a ssh key rsa 2048 in global config.
NX-OS# show ssh key ?
<CR>
> Redirect it to a file
>> Redirect it to a file in append mode
dsa Show dsa ssh keys
rsa Show rsa ssh keys
| Pipe command output to filter
NX-OS# show ssh key rsa
**************************************
rsa Keys generated:Fri Jan 7 00:55:31 2011
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDlALbWtWUIpeG9bQ9+I2sj6j/zvaRcM8BTzBt8z35d
OAe5RvzuuvuUcDec0hi1ILjIPCNKLvCS/n145oSGMW+y7bA6k7DhyFJgriwMF9RpdCSTWrBwG+VvY3HL
Mas630XP9eeY8pkqSPWw3dXpnn5Wje5LkwH/0XCBAt34uqZMKQ==
bitcount:1024
fingerprint:
1d:b1:33:e7:e3:6d:54:2c:10:31:df:46:98:a6:78:1c
**************************************
NX-OS# show ssh key ?
<CR>
> Redirect it to a file
>> Redirect it to a file in append mode
dsa Show dsa ssh keys
rsa Show rsa ssh keys
| Pipe command output to filter
NX-OS# show ssh key rsa
**************************************
rsa Keys generated:Fri Jan 7 00:55:31 2011
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDlALbWtWUIpeG9bQ9+I2sj6j/zvaRcM8BTzBt8z35d
OAe5RvzuuvuUcDec0hi1ILjIPCNKLvCS/n145oSGMW+y7bA6k7DhyFJgriwMF9RpdCSTWrBwG+VvY3HL
Mas630XP9eeY8pkqSPWw3dXpnn5Wje5LkwH/0XCBAt34uqZMKQ==
bitcount:1024
fingerprint:
1d:b1:33:e7:e3:6d:54:2c:10:31:df:46:98:a6:78:1c
**************************************
X-OS(config)# ssh ?
key Generate SSH Key
login-attempts Set maximum login attempts from ssh
NX-OS(config)# ssh key ?
dsa Generate DSA keys
rsa Generate RSA keys
NX-OS(config)# ssh key rsa ?
<CR>
<1024-2048> Enter number of bits (in multiples of 8)
NX-OS(config)# ssh key rsa 2048
rsa keys already present, use force option to overwrite them
NX-OS(config)# ssh key rsa 2048 ?
<CR>
force Force the generation of keys even if previous ones are present
NX-OS(config)# ssh key rsa 2048 force // GENERATE A 2048 RSA KEY
deleting old rsa key.....
TACACS+ is disabled by default. Issue a feature tacacs in global configuration mode in order to
enable it.
NX-OS(config)# show feature | inc tacacs
tacacs 1 disabled
NX-OS(config)# feature ?
bfd Bfd
bgp Enable/Disable Border Gateway Protocol (BGP)
cts Enable/Disable CTS
dhcp Enable/Disable DHCP Snooping
dot1x Enable/Disable dot1x
eigrp Enable/Disable Enhanced Interior Gateway Routing Protocol
(EIGRP)
eou Enable/Disables feature l2nac(eou)
fip-snooping Enable/Disable fip-snooping(FCoE Initializtion Protocol)
glbp Enable/Disable Gateway Load Balancing Protocol (GLBP)
hsrp Enable/Disable Hot Standby Router Protocol (HSRP)
interface-vlan Enable/Disable interface vlan
isis Enable/Disable IS-IS Unicast Routing Protocol (IS-IS)
lacp Enable/Disable LACP
ldap Enable/Disable ldap
lldp Enable/Disable LLDP
msdp Enable/Disable Multicast Source Discovery Protocol (MSDP)
netflow Enable/Disable NetFlow
ospf Enable/Disable Open Shortest Path First Protocol (OSPF)
ospfv3 Enable/Disable Open Shortest Path First Version 3 Protocol
(OSPFv3)
otv Enable/Disable Overlay Transport Virtualization (OTV)
pbr Enable/Disable Policy Based Routing(PBR)
pim Enable/Disable Protocol Independent Multicast (PIM)
pim6 Enable/Disable Protocol Independent Multicast (PIM) for IPv6
port-security Enable/Disable port-security
private-vlan Enable/Disable private-vlan
privilege Enable/Disable IOS type privilege level support
rip Enable/Disable Routing Information Protocol (RIP)
scheduler Enable/Disable scheduler
scp-server Enable/Disable SCP server
sftp-server Enable/Disable SFTP server
ssh Enable/Disable ssh
tacacs+ Enable/Disable tacacs+
telnet Enable/Disable telnet
tunnel Enable/Disable Tunnel Manager
udld Enable/Disable UDLD
vpc Enable/Disable VPC (Virtual Port Channel)
vrrp Enable/Disable Virtual Router Redundancy Protocol (VRRP)
vtp Enable/Disable VTP
wccp Enable/Disable Web Cache Communication Protocol (WCCP)
NX-OS(config)# feature tacacs+
To configure TACACS+ server and key issue the tacacs-server <HOST> <KEY> in global config.
NX-OS(config)# tacacs-server ?
deadtime Duration for which non-reachable server is skipped
directed-request Enable direct authentication requests to server
host TACACS+ server's DNS name or its IP address
key Global TACACS+ server shared secret
test Parameters to send test packets
timeout Global TACACS+ server timeout period in seconds
NX-OS(config)# tacacs-server host ?
A.B.C.D|A:B::C:D|WORD IPV4/IPV6 address or DNS name
NX-OS(config)# tacacs-server host 192.168.1.100 ?
<CR>
key TACACS+ shared secret
port TACACS+ server port
test Parameters to send test packets
timeout TACACS+ server timeout period in seconds
NX-OS(config)# tacacs-server host 192.168.1.100 key ?
0 TACACS+ shared secret(clear text)
7 TACACS+ shared secret(encrypted)
WORD TACACS+ shared secret(clear text) (Max Size 63)
NX-OS(config)# tacacs-server host 192.168.1.100 key cisco
The ACL syntax on the Nexus switch is identical with a traditional IOS
switch. Nexus only support IP (Name) ACL and able to use the /nn subnet mask or prefix notation.
NX-OS(config)# access-list ?
cleanup-unused-policies Enable implicit cleanup of ACL policies on shutdown
ports
NX-OS(config)# ip access-list ?
WORD List name (Max Size 64)
match-local-traffic (no abbrev) Enable access-list matching for locally
generated traffic
NX-OS(config)# ip access-list VTY-ACL
NX-OS(config-acl)# ?
<1-4294967295> Sequence number
deny Specify packets to reject
fragments Optimize fragments rule installation
no Negate a command or set its defaults
permit Specify packets to forward
remark Access list entry comment
statistics Enable per-entry statistics for the ACL
this Shows info about current object (mode's instance)
end Go to exec mode
exit Exit from command interpreter
pop Pop mode from stack or restore from name
push Push current mode to stack or save it under name
where Shows the cli context you are in
NX-OS(config-acl)# permit ?
<0-255> A protocol number
ahp Authentication header protocol
eigrp Cisco's EIGRP routing protocol
esp Encapsulation security payload
gre Cisco's GRE tunneling
icmp Internet Control Message Protocol
igmp Internet Group Management Protocol
ip Any IP protocol
nos KA9Q NOS compatible IP over IP tunneling
ospf OSPF routing protocol
pcp Payload compression protocol
pim Protocol independent multicast
tcp Transmission Control Protocol
udp User Datagram Protocol
NX-OS(config-acl)# permit ip ?
A.B.C.D Source network address
A.B.C.D/LEN Source network prefix
addrgroup Source address group
any Any source address
host A single source host
NX-OS(config-acl)# permit ip host ?
A.B.C.D Source address
NX-OS(config-acl)# permit ip host 192.168.1.50 ?
A.B.C.D Destination network address
A.B.C.D/LEN Destination network prefix
addrgroup Destination address group
any Any destination address
host A single destination host
NX-OS(config-acl)# permit ip host 192.168.1.50 any
NX-OS(config-acl)# permit ip 10.1.100.0/24 any
There's no VTY line numbers in a Nexus switch. It still uses the access-class command to allow specific IPs on the VTY lines.
NX-OS(config)# line vty ?
<CR>
NX-OS(config)# line vty
NX-OS(config-line)# ?
absolute-timeout Configure absolute timeout
access-class Specify IPv4 access control for packets
exec-timeout Configure exec timeout
ip Configure IP features
ipv6 Configure IPv6 features
logout-warning Configure logout warning
no Negate a command or set its defaults
session-limit Set the max no of concurrent vsh sessions
this Shows info about current object (mode's instance)
end Go to exec mode
exit Exit from command interpreter
pop Pop mode from stack or restore from name
push Push current mode to stack or save it under name
where Shows the cli context you are in
NX-OS(config-line)# access-class ?
WORD List name (Max Size 64)
NX-OS(config-line)# access-class VTY-ACL ?
in Inbound packets
out Outbound packets
NX-OS(config-line)# access-class VTY-ACL in
There's only banner motd option in a Nexus switch.
NX-OS(config)# banner ?
motd Configure banner motd message
NX-OS(config)# banner motd ?
LINE Delimiter char (Very first char is delimiter char) followed by message
ending with delimiter
NX-OS(config)# banner motd $
Enter TEXT message. End with the character '$'.
> *** CISCO NEXUS LAB ***
> $
Can't send notification for banner change to other services.
Banner change may not be effective at other places.
NX-OS(config)#
NX-OS(config)# show run | beg banner
banner motd $
*** CISCO NEXUS LAB ***
$
<OUTPUT TRUNCATED>
<CR>
NX-OS(config)# line vty
NX-OS(config-line)# ?
absolute-timeout Configure absolute timeout
access-class Specify IPv4 access control for packets
exec-timeout Configure exec timeout
ip Configure IP features
ipv6 Configure IPv6 features
logout-warning Configure logout warning
no Negate a command or set its defaults
session-limit Set the max no of concurrent vsh sessions
this Shows info about current object (mode's instance)
end Go to exec mode
exit Exit from command interpreter
pop Pop mode from stack or restore from name
push Push current mode to stack or save it under name
where Shows the cli context you are in
NX-OS(config-line)# access-class ?
WORD List name (Max Size 64)
NX-OS(config-line)# access-class VTY-ACL ?
in Inbound packets
out Outbound packets
NX-OS(config-line)# access-class VTY-ACL in
There's only banner motd option in a Nexus switch.
NX-OS(config)# banner ?
motd Configure banner motd message
NX-OS(config)# banner motd ?
LINE Delimiter char (Very first char is delimiter char) followed by message
ending with delimiter
NX-OS(config)# banner motd $
Enter TEXT message. End with the character '$'.
> *** CISCO NEXUS LAB ***
> $
Can't send notification for banner change to other services.
Banner change may not be effective at other places.
NX-OS(config)#
NX-OS(config)# show run | beg banner
banner motd $
*** CISCO NEXUS LAB ***
$
<OUTPUT TRUNCATED>
Below is the minimum SNMP version3 configuration that I've used and worked with Solarwinds NPM.You can't use or bind an ACL to SNMPv3 but it's still supported in SNMP version 2 (v2c).
NX-OS(config)# snmp-server ?
aaa-user Set duration for which aaa-cached snmp user exists
community Set community string and access privs
contact Modify sysContact
context SNMP context to be mapped
counter Configure port counter configuration
enable Enable SNMP Traps
globalEnforcePriv Globally enforce privacy for all the users
host Specify hosts to receive SNMP notifications
location Modify sysLocation
mib Mib access parameters
protocol Snmp protocol operations
source-interface Source interface to be used for sending out SNMP
notifications
system-shutdown Configure snmp-server for reload(2)
tcp-session Enable one time authentication for snmp over tcp session.
user Define a user who can access the SNMP engine
NX-OS(config)# snmp-server user ?
WORD Name of the user (Max Size 28)
NX-OS(config)# snmp-server user admin ?
<CR>
WORD Group name (ignored for notif target user) (Max Size 28)
auth Authentication parameters for the user
NX-OS(config)# snmp-server user admin auth ?
md5 Use HMAC MD5 algorithm for authentication
sha Use HMAC SHA algorithm for authentication
NX-OS(config)# snmp-server user admin auth md5 ?
WORD Authentication password for user (Max Size 130)
NX-OS(config)# snmp-server user admin auth md5 cisco
user password must be atleast 8 characters
NX-OS(config)# snmp-server user admin auth md5 cisco123 // MINIMUM SNMP CONFIG FOR SNMPv3, NO ACL OPTION AVAILABLE
NX-OS(config)# snmp-server user admin auth md5 cisco123 ?
<CR>
engineID EngineID for configuring notif target user (for V3 informs)
localizedkey Specifies whether the passwords are in localized key format
priv Encryption parameters for the user
NX-OS(config)# snmp-server community ?
WORD SNMP community string (Max Size 32)
NX-OS(config)# snmp-server community cisco ?
<CR>
group Group to which the community belongs
ro Read-only access with this community string
rw Read-write access with this community string
use-acl Acl name to filter snmp requests
NX-OS(config)# snmp-server community cisco use-acl ? // SNMPv2c CAN USE ACL
WORD Acl name to filter snmp requests (Max Size 32)
Below is the diffence between the show interface brief and show interface status command output. There's no interface range command in a Nexus switch.
NX-OS# show interface ?
<CR>
> Redirect it to a file
>> Redirect it to a file in append mode
brief Show brief info of interface
capabilities Show interface capabilities information
counters Show interface counters
debounce Show interface debounce time information
description Show interface description
ethernet Ethernet IEEE 802.3z
flowcontrol Show interface flowcontrol information
loopback Loopback interface
mac-address Show interface MAC address
mgmt Management interface
port-channel Port Channel interface
priority-flow-control Show interface PFC information
pruning Show interface trunk VTP pruning information
snmp-ifindex Show snmp ifindex list
status Show interface line status
switchport Show interface switchport information
transceiver Show interface transceiver information
trunk Show interface trunk information
| Pipe command output to filter
NX-OS# show interface brief
--------------------------------------------------------------------------------
Port VRF Status IP Address Speed MTU
--------------------------------------------------------------------------------
mgmt0 -- up 192.168.1.101 100 1500
--------------------------------------------------------------------------------
Ethernet VLAN Type Mode Status Reason Speed Por
t
Interface Ch
#
--------------------------------------------------------------------------------
Eth2/1 -- eth routed down Administratively down auto(D) --
Eth2/2 -- eth routed down Administratively down auto(D) --
Eth2/3 -- eth routed down Administratively down auto(D) --
Eth2/4 -- eth routed down Administratively down auto(D) --
Eth2/5 -- eth routed down Administratively down auto(D) --
Eth2/6 -- eth routed down Administratively down auto(D) --
Eth2/7 -- eth routed down Administratively down auto(D) --
Eth2/8 -- eth routed down Administratively down auto(D) --
Eth2/9 -- eth routed down Administratively down auto(D) --
NX-OS# show interface status
--------------------------------------------------------------------------------
Port Name Status Vlan Duplex Speed Type
--------------------------------------------------------------------------------
mgmt0 -- connected routed full 100 --
Eth2/1 -- disabled routed auto auto
Eth2/2 -- disabled routed auto auto
Eth2/3 -- disabled routed auto auto
Eth2/4 -- disabled routed auto auto
Eth2/5 -- disabled routed auto auto
Eth2/6 -- disabled routed auto auto
Eth2/7 -- disabled routed auto auto
Eth2/8 -- disabled routed auto auto
Eth2/9 -- disabled routed auto auto
NX-OS# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
NX-OS(config)# interface eth2/1-9 // NO RANGE COMMAND
NX-OS(config-if-range)# ?
bandwidth Set bandwidth informational parameter
beacon Disable/enable the beacon for an interface
cdp Configure CDP interface parameters
channel-group Configure port channel parameters
delay Specify interface throughput delay
description Enter description of maximum 80 characters
duplex Enter the port duplex mode
fabricpath Fabricpath configuration
fabricpath Data Center Intermediate System to Intermediate System
(L2MP-IS-IS)
flowcontrol Configure interface flowcontrol
hsrp HSRP interface configuration commands
inherit Inherit a port-profile
ip Configure IP features
ipv6 Configure IPv6 features
l2protocol Layer 2 Protocol
link Configure link
load-interval Specify interval for load calculation for an interface
logging Configure logging for interface
mac MAC configuration commands
mac-address Configure interface mac address
mdix Enable auto mdix mode
medium Configure Interface medium mode
mtu Configure mtu for the port
no Negate a command or set its defaults
priority-flow-control Enable/Disable PFC
rate-limit Set packet per second rate limit
rate-mode Enter the rate mode
service-policy Configure service policy for an interface
shutdown Enable/disable an interface
snmp Modify SNMP interface parameters
spanning-tree Spanning Tree Subsystem
speed Enter the port speed
storm-control Configure Interface storm control
switchport Configure switchport parameters
this Shows info about current object (mode's instance)
vrf Configure VRF parameters
vtp Enable VTP on this interface
end Go to exec mode
exit Exit from command interpreter
pop Pop mode from stack or restore from name
push Push current mode to stack or save it under name
where Shows the cli context you are in
There’s no write
memory command on a Nexus switch. You use the copy run start command to save the configuration to NVRAM.
NX-OS# write ?
erase Destroys the configuration on persistent media
NX-OS# copy ?
bootflash: Select source filesystem
core: Select source filesystem
debug: Select source filesystem
ftp: Select source filesystem
licenses Backup license files
log: Select source filesystem
modflash: Select source filesystem
nvram: Select source filesystem
running-config Copy running configuration to destination
scp: Select source filesystem
sftp: Select source filesystem
startup-config Copy startup configuration to destination
system: Select source filesystem
tftp: Select source filesystem
volatile: Select source filesystem
NX-OS# copy running-config ?
bootflash: Select destination filesystem
ftp: Select destination filesystem
nvram: Select destination filesystem
scp: Select destination filesystem
sftp: Select destination filesystem
startup-config Copy from source to startup configuration
tftp: Select destination filesystem
volatile: Select destination filesystem
NX-OS# copy running-config startup-config
[########################################] 100%
Copy complete, now saving to disk (please wait)..
NX-OS# write ?
erase Destroys the configuration on persistent media
NX-OS# copy ?
bootflash: Select source filesystem
core: Select source filesystem
debug: Select source filesystem
ftp: Select source filesystem
licenses Backup license files
log: Select source filesystem
modflash: Select source filesystem
nvram: Select source filesystem
running-config Copy running configuration to destination
scp: Select source filesystem
sftp: Select source filesystem
startup-config Copy startup configuration to destination
system: Select source filesystem
tftp: Select source filesystem
volatile: Select source filesystem
NX-OS# copy running-config ?
bootflash: Select destination filesystem
ftp: Select destination filesystem
nvram: Select destination filesystem
scp: Select destination filesystem
sftp: Select destination filesystem
startup-config Copy from source to startup configuration
tftp: Select destination filesystem
volatile: Select destination filesystem
NX-OS# copy running-config startup-config
[########################################] 100%
Copy complete, now saving to disk (please wait)..
No comments:
Post a Comment