This Nexus OS Security Guide covers the topics below.
Security is a frequently discussed and significant concern. Cisco NX-OS Software provides comprehensive security features that safeguard NX-OS switches, protecting the network against degradation, failure, and potential data loss or compromise due to deliberate attacks. This section covers various security features, emphasizing a defence-in-depth approach to deliver a scalable, resilient, and secure data centre solution.
Authentication, Authorization, and Accounting (AAA) services facilitate identity verification, access granting, and user activity tracking on a Cisco NX-OS device. Cisco NX-OS devices support either Remote Access Dial-In User Service (RADIUS) or Terminal Access Controller Access Control System Plus (TACACS+) protocols.
Upon receiving a user ID and password combination, Cisco NX-OS devices execute local authentication or authorization using the local database or opt for remote authentication or authorization through one or more AAA servers. Security in communication between the Cisco NX-OS device and AAA servers is ensured through a preshared secret key. A common secret key can be configured for all AAA servers or specific ones.
AAA security encompasses the following services:
Authentication: This process involves verifying the identity of the person or device attempting to access the Cisco NX-OS device, based on the provided user ID and password combination. Cisco NX-OS devices support local authentication (using the local lookup database) or remote authentication (using one or more RADIUS or TACACS+ servers).
Authorization: Providing access control, AAA authorization assembles a set of attributes describing the user's authorized actions. In Cisco NX-OS software, authorization is accomplished through attributes downloaded from AAA servers. Remote servers like RADIUS and TACACS+ authorize users for specific rights by associating attribute-value (AV) pairs that define those rights.
Accounting: This service collects information, logs it locally, and sends it to the AAA server for billing, auditing, and reporting. The accounting feature maintains a log of every management session accessing the Cisco NX-OS device, which can be used for troubleshooting and auditing. The logs can be stored locally or sent to remote AAA servers.
AAA services offer advantages such as flexible and controlled access configuration, scalability, and centralized or distributed authentication methods like RADIUS and TACACS+.
A successful deployment of AAA services necessitates several prerequisites:
The TACACS+ protocol validates users attempting to access a Cisco NX-OS device centrally, maintaining services in a database on a TACACS+ daemon. TACACS+ offers separate authentication, authorization, and accounting facilities and uses TCP port 49 for transport communication.
RADIUS, a client/server protocol, involves remote access servers communicating with a central server to authenticate users and authorize their access. RADIUS maintains user profiles centrally, ensuring a secure model for policy implementation at a single administered network point. Cisco Secure ACS 5.0 accepts authentication requests on port 1645 and port 1812, while RADIUS accounting packets are accepted on ports 1646 and 1813.
The following commands configure RADIUS authentication and accounting on a Cisco device:
Note: AAA configuration and operations are local to the virtual device context (VDC), except for the default console methods and the AAA accounting log. AAA authentication methods for the console login apply only to the default VDC.
To distribute RADIUS configuration using Cisco Fabric Services (CFS) on a Cisco NX-OS device, follow the provided instructions:
This command enables RADIUS configuration distribution through CFS. When you enable CFS distribution for a specific feature, your device becomes part of a CFS region, along with other devices in the network that have also been configured for CFS distribution for the same feature.
To apply the changes made to the RADIUS configuration in the temporary database to the running configuration and initiate the distribution of RADIUS, use the following command:
Note: It's important to be aware that RADIUS server and global keys, being unique, are not distributed through CFS sessions. Additionally, the RADIUS server group and AAA commands are not distributed via CFS.
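The caveat in the note above can be checked per device. The following Python audit is an added example, not part of the original book: it flags the items that CFS leaves to each switch (shared keys, the server group, the AAA method lists). The running-config excerpts, the address 192.0.2.10, the key string and the group name RadServer are constructed placeholders.

```python
import re

# Constructed running-config excerpts: originating switch, then a peer that got only the host via CFS.
ORIGIN_CONFIG = """\
radius distribute
radius-server host 192.0.2.10 key 7 "constructed-key" authentication accounting
aaa group server radius RadServer
  server 192.0.2.10
  use-vrf management
aaa authentication login default group RadServer
aaa accounting default group RadServer
"""
PEER_CONFIG = """\
radius distribute
radius-server host 192.0.2.10 authentication accounting
"""

def audit_radius_cfs(running_config):
    """Return findings for RADIUS/AAA items that CFS leaves to each device."""
    lines = [l.rstrip() for l in running_config.splitlines() if l.strip()]
    findings = []
    if "radius distribute" not in lines:
        findings.append("CFS distribution for RADIUS is not enabled")
    global_key = any(re.match(r"radius-server key \S", l) for l in lines)
    hosts = {}  # server address -> True when a per-server key is configured
    for l in lines:
        m = re.match(r"radius-server host (\S+)(.*)", l)
        if m:
            hosts[m.group(1)] = hosts.get(m.group(1), False) or " key " in m.group(2)
    for host, has_key in hosts.items():
        if not (has_key or global_key):
            findings.append(f"{host}: no shared secret key configured locally")
    groups, current = {}, None  # group name -> member server addresses
    for l in lines:
        m = re.match(r"aaa group server radius (\S+)", l)
        if m:
            current = groups.setdefault(m.group(1), [])
        elif current is not None and l.startswith(" "):
            member = re.match(r"\s+server (\S+)", l)
            if member:
                current.append(member.group(1))
        else:
            current = None
    for name, members in groups.items():
        findings += [f"group {name}: {s} is not a configured host" for s in members if s not in hosts]
    for service in ("authentication login", "accounting"):
        used = re.findall(rf"^aaa {service} default group (\S+)", running_config, re.M)
        if not any(g in groups for g in used):
            findings.append(f"aaa {service}: no local RADIUS server group referenced")
    return findings
```

Run against the peer excerpt, the audit reports the missing key and both missing AAA method lists, which is the state a switch is left in when only the CFS-distributed host entry has arrived.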
How to configure RADIUS.
Let's verify the RADIUS configuration delivered via CFS distribution.
Verify CFS configuration in
Publisher: BookRix GmbH & Co. KG
Text: Mamta Devi
Images: Mamta Devi
Cover: Rishabh Shukla
Editing: Dev Yadav
Proofreading: Shiva Jain
Translation: Kamta Dev
Typesetting: Mamta Devi
Publication date: 25.11.2023
ISBN: 978-3-7554-6207-1
All rights reserved
Dedication:
This eBook is based on the Cisco Nexus Operating System, with information collected from different sources and people. For more information about this eBook, kindly write to mamtadevi775304@gmail.com. I will be happy to help you.
Copyright 2023 by Mamta Devi
This eBook is a guide and serves as the next part of the first guide.
The previous part, Next-Generation switching OS configuration and management, has already been published. This book has been written on the advice of many experts and sources who have a good command of operating systems, networking and programming. They are listed at the end of this book.
All images used in this book are taken from the lab, which was created by experts. All rights reserved, including the right to reproduce this book or portions thereof in any form whatsoever. For any query, reach out to the author through email.