Security

aaa accounting

To enable authentication, authorization, and accounting (AAA) accounting of requested services for billing or security purposes when you use RADIUS or TACACS+, use the aaa accounting command in global configuration mode. To disable AAA accounting, use the no form of this command.

aaa accounting { auth-proxy | system | network | exec | connection | commands level } { default | list-name } { start-stop | stop-only | none } [ broadcast ] group group-name

no aaa accounting { auth-proxy | system | network | exec | connection | commands level } { default | list-name } { start-stop | stop-only | none } [ broadcast ] group group-name

Syntax Description

auth-proxy

Provides information about all authenticated-proxy user events.

system

Performs accounting for all system-level events not associated with users, such as reloads.

network

Runs accounting for all network-related service requests.

exec

Runs accounting for EXEC shell sessions. This keyword might return user profile information such as what is generated by the autocommand command.

connection

Provides information about all outbound connections made from the network access server.

commands level

Runs accounting for all commands at the specified privilege level. Valid privilege level entries are integers from 0 through 15.

default

Uses the listed accounting methods that follow this argument as the default list of methods for accounting services.

list-name

Character string used to name the list of at least one of the accounting methods described in the AAA Accounting Methods table.

start-stop

Sends a "start" accounting notice at the beginning of a process and a "stop" accounting notice at the end of a process. The "start" accounting record is sent in the background. The requested user process begins regardless of whether the "start" accounting notice was received by the accounting server.

stop-only

Sends a "stop" accounting notice at the end of the requested user process.

none

Disables accounting services on this line or interface.

broadcast

(Optional) Enables sending accounting records to multiple AAA servers. Simultaneously sends accounting records to the first server in each group. If the first server is unavailable, fail over occurs using the backup servers defined within that group.

group group-name

At least one of the keywords described in the AAA Accounting Methods table.

Command Default

AAA accounting is disabled.

Command Modes

Global configuration (config)

Command History

Release                          Modification
Cisco IOS XE Everest 16.6.1      This command was introduced.

Usage Guidelines

Use the aaa accounting command to enable accounting and to create named method lists defining specific accounting methods on a per-line or per-interface basis.

Table 1. AAA Accounting Methods

Keyword              Description
group radius         Uses the list of all RADIUS servers for accounting as defined by the aaa group server radius command.
group tacacs+        Uses the list of all TACACS+ servers for accounting as defined by the aaa group server tacacs+ command.
group group-name     Uses a subset of RADIUS or TACACS+ servers for accounting as defined by the server group group-name.

In AAA Accounting Methods table, the group radius and group tacacs+ methods refer to a set of previously defined RADIUS or TACACS+ servers. Use the radius server and tacacs server commands to configure the host servers. Use the aaa group server radius and aaa group server tacacs+ commands to create a named group of servers.

Cisco IOS XE software supports the following two methods of accounting:

  • RADIUS—The network access server reports user activity to the RADIUS security server in the form of accounting records. Each accounting record contains accounting attribute-value (AV) pairs and is stored on the security server.

  • TACACS+—The network access server reports user activity to the TACACS+ security server in the form of accounting records. Each accounting record contains accounting attribute-value (AV) pairs and is stored on the security server.

Method lists for accounting define the way accounting will be performed. Named accounting method lists enable you to designate a particular security protocol to be used on specific lines or interfaces for particular types of accounting services. Create a list by entering the list-name and the method, where list-name is any character string used to name this list (excluding the names of methods, such as radius or tacacs+) and method identifies the methods to be tried in the sequence given.

If the aaa accounting command for a particular accounting type is issued without a named method list specified, the default method list is automatically applied to all interfaces or lines (where this accounting type applies) except those that have a named method list explicitly defined. (A defined method list overrides the default method list.) If no default method list is defined, then no accounting takes place.


Note


System accounting does not use named accounting lists; you can only define the default list for system accounting.


For minimal accounting, include the stop-only keyword to send a stop record accounting notice at the end of the requested user process. For more accounting, you can include the start-stop keyword, so that RADIUS or TACACS+ sends a start accounting notice at the beginning of the requested process and a stop accounting notice at the end of the process. Accounting is stored only on the RADIUS or TACACS+ server. The none keyword disables accounting services for the specified line or interface.

When AAA accounting is activated, the network access server monitors either RADIUS accounting attributes or TACACS+ AV pairs pertinent to the connection, depending on the security method you have implemented. The network access server reports these attributes as accounting records, which are then stored in an accounting log on the security server.


Note


This command cannot be used with TACACS or extended TACACS.


Examples

This example defines a default commands accounting method list, where accounting services are provided by a TACACS+ security server, set for privilege level 15 commands with a stop-only restriction:

Device> enable
Device# configure terminal
Device(config)# aaa accounting commands 15 default stop-only group tacacs+
Device(config)# exit

This example defines a default auth-proxy accounting method list, where accounting services are provided by a TACACS+ security server and both start and stop records are sent. The aaa accounting auth-proxy command activates authentication proxy accounting:

Device> enable
Device# configure terminal
Device(config)# aaa new-model
Device(config)# aaa authentication login default group tacacs+
Device(config)# aaa authorization auth-proxy default group tacacs+
Device(config)# aaa accounting auth-proxy default start-stop group tacacs+
Device(config)# exit

aaa accounting dot1x

To enable authentication, authorization, and accounting (AAA) accounting and to create method lists defining specific accounting methods on a per-line or per-interface basis for IEEE 802.1x sessions, use the aaa accounting dot1x command in global configuration mode. To disable IEEE 802.1x accounting, use the no form of this command.

aaa accounting dot1x { name | default } start-stop { broadcast group { name | radius } [ group { name | radius } ... ] | group { name | radius } [ group { name | radius } ... ]}

no aaa accounting dot1x { name | default }

Syntax Description

name

Name of a server group. This is optional when you enter it after the broadcast group and group keywords.

default

Specifies the accounting methods that follow as the default list for accounting services.

start-stop

Sends a start accounting notice at the beginning of a process and a stop accounting notice at the end of a process. The start accounting record is sent in the background. The requested user process begins regardless of whether or not the start accounting notice was received by the accounting server.

broadcast

Enables accounting records to be sent to multiple AAA servers: the device sends the records to the first server in each group. If the first server is unavailable, the device fails over to the backup servers defined in that group.

group

Specifies the server group to be used for accounting services. These are valid server group names:

  • name — Name of a server group.

  • radius — Lists of all RADIUS hosts.

  • tacacs+ — Lists of all TACACS+ hosts.

The group keyword is optional when you enter it after the broadcast group and group keywords. You can enter more than one optional group keyword.

radius

(Optional) Enables RADIUS accounting.

Command Default

AAA accounting is disabled.

Command Modes

Global configuration (config)

Command History

Release                          Modification
Cisco IOS XE Everest 16.6.1      This command was introduced.

Usage Guidelines

This command requires access to a RADIUS server.

We recommend that you enter the dot1x reauthentication interface configuration command before configuring IEEE 802.1x RADIUS accounting on an interface.

Examples

This example shows how to configure IEEE 802.1x accounting:


Device> enable
Device# configure terminal
Device(config)# aaa new-model
Device(config)# aaa accounting dot1x default start-stop group radius
Device(config)# exit

aaa accounting identity

To enable authentication, authorization, and accounting (AAA) accounting for IEEE 802.1x, MAC authentication bypass (MAB), and web authentication sessions, use the aaa accounting identity command in global configuration mode. To disable identity accounting, use the no form of this command.

aaa accounting identity { name | default } start-stop { broadcast group { name | radius | tacacs+} [ group { name | radius | tacacs+} ... ] | group { name | radius | tacacs+} [ group { name | radius | tacacs+} ... ]}

no aaa accounting identity { name | default }

Syntax Description

name

Name of a server group. This is optional when you enter it after the broadcast group and group keywords.

default

Uses the accounting methods that follow as the default list for accounting services.

start-stop

Sends a start accounting notice at the beginning of a process and a stop accounting notice at the end of a process. The start accounting record is sent in the background. The requested-user process begins regardless of whether or not the start accounting notice was received by the accounting server.

broadcast

Enables accounting records to be sent to multiple AAA servers: the switch sends the records to the first server in each group. If the first server is unavailable, the switch fails over to the backup servers defined in that group.

group

Specifies the server group to be used for accounting services. These are valid server group names:

  • name — Name of a server group.

  • radius — Lists of all RADIUS hosts.

  • tacacs+ — Lists of all TACACS+ hosts.

The group keyword is optional when you enter it after the broadcast group and group keywords. You can enter more than one optional group keyword.

radius

(Optional) Enables RADIUS accounting.

tacacs+

(Optional) Enables TACACS+ accounting.

Command Default

AAA accounting is disabled.

Command Modes

Global configuration (config)

Command History

Release                          Modification
Cisco IOS XE Everest 16.6.1      This command was introduced.

Usage Guidelines

To enable AAA accounting identity, you need to enable policy mode. To enable policy mode, enter the authentication display new-style command in privileged EXEC mode.

Examples

This example shows how to configure IEEE 802.1x accounting identity:


Device# authentication display new-style

Please note that while you can revert to legacy style
configuration at any time unless you have explicitly
entered new-style configuration, the following caveats
should be carefully read and understood.

(1) If you save the config in this mode, it will be written
    to NVRAM in NEW-style config, and if you subsequently
    reload the router without reverting to legacy config and
    saving that, you will no longer be able to revert.

(2) In this and legacy mode, Webauth is not IPv6-capable. It
    will only become IPv6-capable once you have entered new-
    style config manually, or have reloaded with config saved
    in 'authentication display new' mode.

Device# configure terminal
Device(config)# aaa accounting identity default start-stop group radius
Device(config)# exit

aaa authentication dot1x

To specify one or more authentication, authorization, and accounting (AAA) methods for use on interfaces running IEEE 802.1x, use the aaa authentication dot1x command in global configuration mode. To disable authentication, use the no form of this command.

aaa authentication dot1x { default | listname } method1 [ method2 . . . ]

no aaa authentication dot1x { default | listname } method1 [ method2 . . . ]

Syntax Description

default

Uses the listed authentication methods that follow this argument as the default list of methods when a user logs in.

listname

Character string used to name the list of authentication methods tried when a user logs in.

method1 [method2... ]

A method is one of these keywords:

  • enable : Uses the enable password for authentication.

  • group radius : Uses the list of all the RADIUS servers for authentication.

  • line : Uses the line password for authentication.

  • local : Uses the local username database for authentication.

  • local-case : Uses the case-sensitive local username database for authentication.

  • none : Uses no authentication. The client is automatically authenticated by the device without using the information supplied by the client.

  • group radius-server-group-name : Uses the named RADIUS server group for authentication.

  • cache radius-server-group-name : Uses cached authentication data from the named RADIUS server group.

Note

You must configure the AAA authentication method list with both group radius-server-group-name and cache radius-server-group-name to use AAA cache-based authentication. For more information, see the "Updating Authorization and Authentication Method Lists to Specify How Cache Information is Used" procedure of the "Configuring AAA Authorization and Authentication Cache" configuration guide.

Command Default

No authentication is performed.

Command Modes

Global configuration (config)

Command History

Release                          Modification
Cisco IOS XE Everest 16.6.1      This command was introduced.
Cisco IOS XE Cupertino 17.7.1    This command was modified. The cache keyword was introduced.

Usage Guidelines

The method argument identifies the list of methods that the authentication algorithm runs in the given sequence to validate the password provided by the client. The only method that is truly 802.1x-compliant is the group radius method, in which the client data is validated against a RADIUS authentication server. The remaining methods enable AAA to authenticate the client by using locally configured data. For example, the local and local-case methods use the username and password that are saved in the Cisco IOS configuration file. The enable and line methods use the enable and line passwords for authentication.

If you specify group radius , you must configure the RADIUS server by entering the radius server server-name global configuration command. If you are not using a RADIUS server, you can use the local or local-case methods, which access the local username database to perform authentication. By specifying the enable or line methods, you can supply the client with a password to provide access to the device.

Use the show running-config privileged EXEC command to display the configured lists of authentication methods.

Examples

The following example shows how to enable AAA and how to create an authentication list for 802.1x:


Device> enable
Device# configure terminal
Device(config)# aaa new-model
Device(config)# aaa group server radius RASERV
Device(config-sg-radius)# server name RASERV-1
Device(config-sg-radius)# exit
Device(config)# aaa authentication dot1x default group RASERV

aaa common-criteria policy

To configure an AAA common criteria security policy, use the aaa common-criteria policy command in global configuration mode. To remove the policy, use the no form of this command.

aaa common-criteria policy policy-name

no aaa common-criteria policy policy-name

Syntax Description

policy-name

Name of the AAA common criteria security policy.

Command Default

The common criteria security policy is disabled.

Command Modes

Global configuration (config)

Command History

Release                          Modification
Cisco IOS XE Everest 16.6.1      This command was introduced.
Cisco IOS XE Dublin 17.10.1      This command was modified. The character-repetition and restrict-consecutive-letters keywords were introduced.

Usage Guidelines

Use the aaa common-criteria policy command to enter the common criteria configuration policy mode. To check the available options in this mode, type ? after entering into common criteria configuration policy mode (config-cc-policy).

The following options are available:

  • char-change : Minimum number of characters that must differ between the old and new passwords. The range is from 1 to 64, and the default value is 4.

  • copy : Copy the common criteria policy parameters from an existing policy.

  • exit : Exit from common criteria configuration mode.

  • lifetime : Configure the maximum lifetime of a password by providing the configurable value, in years, months, days, hours, minutes, and seconds. If the lifetime parameter is not configured, the password will never expire.


    Note


    The lifetime option of the AAA common criteria policy is not supported for the enable password command.


  • lower-case : Minimum number of lowercase characters. The range is from 0 to 64.

  • upper-case : Minimum number of uppercase characters. The range is from 0 to 64.

  • min-length : Minimum length of the password. The range is from 1 to 64, and the default value is 1.

  • max-length : Maximum length of the password. The range is from 1 to 127, and the default value is 127.

  • numeric-count : Minimum number of numeric characters. The range is from 0 to 64.

  • special-case : Minimum number of special characters. The range is from 0 to 64.

  • character-repetition : Maximum number of times a character can repeat consecutively in a password. The range is from 2 to 5.

  • restrict-consecutive-letters : Prohibits four consecutive characters or digits that form a keyboard sequence in either direction.


Note


When you use the aaa password restriction command, the security checks require your password to contain at least one character from each of the four classes: uppercase, lowercase, numeric, and special characters. When you use both the aaa password restriction and aaa common-criteria policy commands together, all the checks for the aaa password restriction command run first, and then the common criteria validation takes place.

The character repetition setting configured under the aaa common-criteria policy command takes precedence over the aaa password restriction command when both are configured together, because only the common criteria policy lets you choose the repetition count.

The login password-reuse-interval command cannot store old passwords across device reboots. The aaa common-criteria policy command stores the five most recently changed passwords across device reboots.


Examples

The following example shows how to create a common criteria security policy:

Device> enable
Device# configure terminal
Device(config)# aaa new-model
Device(config)# aaa common-criteria policy policy1
Device(config-cc-policy)# end
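The following Python script is an added example and is not part of the Cisco documentation or software. It models the checks that the options above describe so that a proposed policy can be tried against candidate passwords before it is applied on a device. The page does not define how changed characters or keyboard sequences are counted, so the script assumes that changed characters are compared position by position and that a keyboard sequence is any four-character window that runs forward or backward through the alphabet, the digits, or a QWERTY row; the lifetime and copy options are not modeled.

```python
"""Added example, not Cisco code: a model of the checks an
aaa common-criteria policy applies to a candidate password.
Field names follow the options listed for config-cc-policy mode.
The char-change and restrict-consecutive-letters interpretations
below are assumptions; the device remains the authority."""
from dataclasses import dataclass
from typing import List, Optional

# Assumption: sequences are judged against these runs, in either direction.
SEQUENCE_RUNS = ("abcdefghijklmnopqrstuvwxyz", "0123456789",
                 "qwertyuiop", "asdfghjkl", "zxcvbnm")
SEQUENCE_LEN = 4   # the page says four consecutive characters


def longest_repeat(s: str) -> int:
    """Length of the longest run of one character repeated consecutively."""
    best, run, prev = 0, 0, None
    for c in s:
        run = run + 1 if c == prev else 1
        prev, best = c, max(best, run)
    return best


def has_sequence(s: str, length: int = SEQUENCE_LEN) -> bool:
    """True if any window of `length` characters is a forward or reverse
    slice of one of SEQUENCE_RUNS (case-insensitive)."""
    low = s.lower()
    for i in range(len(low) - length + 1):
        window = low[i:i + length]
        if any(window in run or window[::-1] in run for run in SEQUENCE_RUNS):
            return True
    return False


def changed_chars(old: str, new: str) -> int:
    """Assumption: characters are compared position by position and any
    length difference also counts as changed characters."""
    return sum(a != b for a, b in zip(old, new)) + abs(len(old) - len(new))


@dataclass
class CommonCriteriaPolicy:
    char_change: int = 4                 # page default
    min_length: int = 1                  # page default
    max_length: int = 127                # page default
    lower_case: int = 0                  # minimum counts; 0 means not required
    upper_case: int = 0
    numeric_count: int = 0
    special_case: int = 0
    character_repetition: Optional[int] = None   # 2..5 when configured
    restrict_consecutive_letters: bool = False

    def violations(self, new: str, old: str = "") -> List[str]:
        """Return the names of the options the candidate violates, in a
        fixed order; an empty list means the password is acceptable."""
        counts = {
            "lower-case": (sum(c.islower() for c in new), self.lower_case),
            "upper-case": (sum(c.isupper() for c in new), self.upper_case),
            "numeric-count": (sum(c.isdigit() for c in new), self.numeric_count),
            "special-case": (sum(not c.isalnum() for c in new), self.special_case),
        }
        bad = []
        if len(new) < self.min_length:
            bad.append("min-length")
        if len(new) > self.max_length:
            bad.append("max-length")
        bad += [name for name, (have, need) in counts.items() if have < need]
        if (self.character_repetition is not None
                and longest_repeat(new) > self.character_repetition):
            bad.append("character-repetition")
        if self.restrict_consecutive_letters and has_sequence(new):
            bad.append("restrict-consecutive-letters")
        if old and changed_chars(old, new) < self.char_change:
            bad.append("char-change")
        return bad


# A policy of the kind a hardening baseline might require (constructed values).
POLICY = CommonCriteriaPolicy(min_length=8, lower_case=1, upper_case=1,
                              numeric_count=1, special_case=1,
                              character_repetition=2,
                              restrict_consecutive_letters=True)

if __name__ == "__main__":
    for old, new in (("Tr0ub4dor&y", "Tr0ub4dor&x"), ("", "Pass1234!"),
                     ("", "aaaab"), ("Z3#wxyTq!", "G7!kmz$Qv")):
        print(f"{new!r}: {POLICY.violations(new, old) or 'ok'}")
```

The `violations` method returns the option names rather than raising, so a batch of candidate passwords can be scored in one pass and the output compared with what the device reports when the same policy is applied.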

aaa new-model

To enable the authentication, authorization, and accounting (AAA) access control model, issue the aaa new-model command in global configuration mode. To disable the AAA access control model, use the no form of this command.

aaa new-model

no aaa new-model

Syntax Description

This command has no arguments or keywords.

Command Default

AAA is not enabled.

Command Modes

Global configuration (config)

Command History

Release                          Modification
Cisco IOS XE Everest 16.6.1      This command was introduced.

Usage Guidelines

This command enables the AAA access control system.

If the login local command is configured on a virtual terminal line (VTY) and the aaa new-model command is then removed, you must reload the switch to restore the default login command on that line. If the switch is not reloaded, the VTY keeps the login local command.


Note


We do not recommend removing the aaa new-model command. This command is required for dot1x.

Examples

The following example initializes AAA:

Device> enable
Device# configure terminal
Device(config)# aaa new-model
Device(config)# exit

The following example shows a VTY configured and the aaa new-model command removed:

Device> enable
Device# configure terminal
Device(config)# aaa new-model
Device(config)# line vty 0 15
Device(config-line)# login local
Device(config-line)# exit
Device(config)# no aaa new-model
Device(config)# exit
Device# show running-config | b line vty

line vty 0 4
 login local  !<=== Login local instead of "login"
line vty 5 15
 login local
!

access-session host-mode multi-host

To allow hosts to gain access to a controlled port only after the first client is authenticated, use the access-session host-mode multi-host command in interface configuration mode. To return to the default value, use the no form of this command.

access-session host-mode multi-host [ peer ]

no access-session host-mode multi-host [ peer ]

Syntax Description

peer

Specifies that only a peer device can be authenticated first.

Command Default

Access to a port is multi-auth, wherein multiple clients can be authenticated on the port.

Command Modes

Interface Configuration (config-if)

Command History

Release                          Modification
Cisco IOS XE Everest 16.6.1      This command was introduced.
Cisco IOS XE Cupertino 17.7.1    The peer keyword was added.

Usage Guidelines

Before you use this command, configure the access-session port-control auto command on the interface.

In multi-host mode, only one of the attached hosts has to be successfully authorized for all hosts to be granted network access. If the port becomes unauthorized (reauthentication fails or an Extensible Authentication Protocol over LAN (EAPOL) logoff message is received), all attached clients are denied access to the network.

Starting with Cisco IOS XE Cupertino 17.7.1, you can require a peer device to be authenticated first, using the access-session host-mode multi-host peer command. While this command is especially useful in SD-Access networks, it is also applicable to non-SD-Access environments.

Consider a Cisco SD-Access fabric network where an extended node and its clients have to be securely onboarded. Until the extended node is authenticated, the clients connected to it must not have access to the network. In such a case, use the access-session host-mode multi-host peer command to authenticate the extended node first. (The extended node is the peer device that is connected to the authenticator port.) Cisco ISE pushes this CLI through an interface template that is applied to the fabric edge node for IEEE 802.1X authentication. A change in the host mode clears all the existing sessions on the fabric edge. We recommend enabling the access-session interface-template sticky timer command in global configuration mode to prevent the template from being unbound from the edge node port. Set the sticky timer to at least 60 seconds to avoid bind-unbind loops. The interface template is unbound after the sticky timer expires.

Similarly, in cases where trunk ports are connected to the access device, use the access-session host-mode multi-host peer command to authenticate only the peer MAC. This avoids authenticating all the MAC addresses learnt.


Note


  • The keyword peer is supported only in the fabric edge mode. It is not supported in the legacy mode.

  • The peer configuration clears all the existing sessions on the authenticator port.

  • A session will not be established by the device unless it receives CDP, LLDP, or EAPOL packets from the peer.


You can use the show access-session interface command to verify the port setting.

Examples

The following example shows how to enable authorization of only the peer device on GigabitEthernet 1/0/2:

Device# configure terminal
Device(config)# interface GigabitEthernet 1/0/2
Device(config-if)# access-session host-mode multi-host peer
Device(config-if)# access-session closed
Device(config-if)# access-session port-control auto

authentication host-mode

To set the authorization manager mode on a port, use the authentication host-mode command in interface configuration mode. To return to the default setting, use the no form of this command.

authentication host-mode { multi-auth | multi-domain | multi-host | single-host}

no authentication host-mode

Syntax Description

multi-auth

Enables multiple-authorization mode (multi-auth mode) on the port.

multi-domain

Enables multiple-domain mode on the port.

multi-host

Enables multiple-host mode on the port.

single-host

Enables single-host mode on the port.

Command Default

Single host mode is enabled.

Command Modes

Interface configuration (config-if)

Command History

Release                          Modification
Cisco IOS XE Everest 16.6.1      This command was introduced.

Usage Guidelines

Single-host mode should be configured if only one data host is connected. Do not connect a voice device to authenticate on a single-host port. Voice device authorization fails if no voice VLAN is configured on the port.

Multi-domain mode should be configured if a data host is connected to the port through an IP phone, or if the voice device itself needs to be authenticated.

Multi-auth mode should be configured to allow devices behind a hub to obtain secured port access through individual authentication. Only one voice device can be authenticated in this mode if a voice VLAN is configured.

Multi-host mode also offers port access for multiple hosts behind a hub, but multi-host mode gives unrestricted port access to the devices after the first user gets authenticated.

Examples

This example shows how to enable multi-auth mode on a port:

Device> enable
Device# configure terminal
Device(config)# interface gigabitethernet 2/0/1
Device(config-if)# authentication host-mode multi-auth
Device(config-if)# end

This example shows how to enable multi-domain mode on a port:

Device> enable
Device# configure terminal
Device(config)# interface gigabitethernet 2/0/1
Device(config-if)# authentication host-mode multi-domain
Device(config-if)# end

This example shows how to enable multi-host mode on a port:

Device> enable
Device# configure terminal
Device(config)# interface gigabitethernet 2/0/1
Device(config-if)# authentication host-mode multi-host
Device(config-if)# end

This example shows how to enable single-host mode on a port:

Device> enable
Device# configure terminal
Device(config)# interface gigabitethernet 2/0/1
Device(config-if)# authentication host-mode single-host
Device(config-if)# end

You can verify your settings by entering the show authentication sessions interface interface details privileged EXEC command.

authentication logging verbose

To filter detailed information from authentication system messages, use the authentication logging verbose command in global configuration mode on the switch stack or on a standalone switch.

authentication logging verbose

no authentication logging verbose

Syntax Description

This command has no arguments or keywords.

Command Default

Detailed logging of system messages is not enabled.

Command Modes

Global configuration (config)

Command History

Release                          Modification
Cisco IOS XE Everest 16.6.1      This command was introduced.

Usage Guidelines

This command filters details, such as anticipated success, from authentication system messages. Failure messages are not filtered.

Examples

To filter verbose authentication system messages:

Device> enable
Device# configure terminal
Device(config)# authentication logging verbose
Device(config)# exit

You can verify your settings by entering the show running-config privileged EXEC command.

authentication mac-move permit

To enable MAC move on a device, use the authentication mac-move permit command in global configuration mode. To disable MAC move, use the no form of this command.

authentication mac-move permit

no authentication mac-move permit

Syntax Description

This command has no arguments or keywords.

Command Default

MAC move is disabled.

Command Modes

Global configuration (config)

Command History

Release                          Modification
Cisco IOS XE Everest 16.6.1      This command was introduced.

Usage Guidelines

The command enables authenticated hosts to move between any authentication-enabled ports (MAC authentication bypass [MAB], 802.1x, or Web-auth) on a device. For example, if there is a device between an authenticated host and port, and that host moves to another port, the authentication session is deleted from the first port, and the host is reauthenticated on the new port.

If MAC move is disabled, and an authenticated host moves to another port, it is not reauthenticated, and a violation error occurs.

Examples

This example shows how to enable MAC move on a device:

Device> enable
Device# configure terminal
Device(config)# authentication mac-move permit
Device(config)# exit

authentication priority

To add an authentication method to the port-priority list, use the authentication priority command in interface configuration mode. To return to the default, use the no form of this command.

authentication priority [ dot1x | mab ] { webauth }

no authentication priority [ dot1x | mab ] { webauth }

Syntax Description

dot1x

(Optional) Adds 802.1x to the order of authentication methods.

mab

(Optional) Adds MAC authentication bypass (MAB) to the order of authentication methods.

webauth

Adds web authentication to the order of authentication methods.

Command Default

The default priority is 802.1x authentication, followed by MAC authentication bypass and web authentication.

Command Modes

Interface configuration (config-if)

Command History

Release                          Modification
Cisco IOS XE Everest 16.6.1      This command was introduced.

Usage Guidelines

Ordering sets the order of methods that the device attempts when a new device connects to a port and must be authenticated.

When configuring multiple fallback methods on a port, set web authentication (webauth) last.

Assigning priorities to different authentication methods allows a higher-priority method to interrupt an in-progress authentication method with a lower priority.


Note


If a client is already authenticated, it might be reauthenticated if an interruption from a higher-priority method occurs.


The default priority of an authentication method is equivalent to its position in execution-list order: 802.1x authentication, MAC authentication bypass (MAB), and web authentication. Use the dot1x , mab , and webauth keywords to change this default order.

Examples

This example shows how to set 802.1x as the first authentication method and web authentication as the second authentication method:


Device(config-if)# authentication priority dot1x webauth

This example shows how to set MAB as the first authentication method and web authentication as the second authentication method:

Device> enable
Device# configure terminal
Device(config)# interface gigabitethernet 0/1/2
Device(config-if)# authentication priority mab webauth
Device(config-if)# end

authentication timer reauthenticate

To specify the period of time between which the Auth Manager attempts to reauthenticate authorized ports, use the authentication timer reauthenticate command in interface configuration or template configuration mode. To reset the reauthentication interval to the default, use the no form of this command.

authentication timer reauthenticate { seconds | server }

no authentication timer reauthenticate

Syntax Description

seconds

The number of seconds between reauthentication attempts. The range is from 1 to 1073741823. The default is 3600 seconds.

server

Specifies that the interval between reauthentication attempts is defined by the Session-Timeout value (RADIUS Attribute 27) on the authentication, authorization, and accounting (AAA) server.

Command Default

The automatic reauthentication interval is set to 3600 seconds.

Command Modes

Interface configuration (config-if)

Command History

Release

Modification

Cisco IOS XE Everest 16.5.1a

This command was introduced.

Cisco IOS XE Bengaluru 17.5.1

The supported time-out range was increased from 65535 seconds to 1073741823 seconds.

Usage Guidelines

Use the authentication timer reauthenticate command to set the automatic reauthentication interval of an authorized port. If you use the authentication timer inactivity command to configure an inactivity interval, configure the reauthentication interval to be longer than the inactivity interval.

In releases prior to Cisco IOS XE Bengaluru 17.5.1, the supported timeout range is 1 to 65535 seconds. Before downgrading from Cisco IOS XE Bengaluru 17.5.1 or a later release, set the configured timeout to a value that the target release supports, to avoid ISSD breakage.

Examples

The following example shows how to set the reauthentication interval on a port to 1800 seconds:


Device> enable
Device# configure terminal
Device(config)# interface gigabitethernet 2/0/1
Device(config-if)# authentication timer reauthenticate 1800
Device(config-if)# end

authentication violation

To configure the violation modes that occur when a new device connects to a port or when a new device connects to a port after the maximum number of devices are connected to that port, use the authentication violation command in interface configuration mode.

authentication violation { protect | replace | restrict | shutdown }

no authentication violation { protect | replace | restrict | shutdown }

Syntax Description

protect

Drops unexpected incoming MAC addresses. No syslog errors are generated.

replace

Removes the current session and initiates authentication with the new host.

restrict

Generates a syslog error when a violation error occurs.

shutdown

Error-disables the port or the virtual port on which an unexpected MAC address occurs.

Command Default

Authentication violation shutdown mode is enabled.

Command Modes

Interface configuration (config-if)

Command History

Release

Modification

Cisco IOS XE Everest 16.6.1

This command was introduced.

Usage Guidelines

Use the authentication violation command to specify the action to be taken when a security violation occurs on a port.

Examples

This example shows how to configure an IEEE 802.1x-enabled port to become error-disabled and shut down when a new device connects to it:

Device> enable
Device# configure terminal
Device(config)# interface gigabitethernet 2/0/1
Device(config-if)# authentication violation shutdown
Device(config-if)# end

This example shows how to configure an 802.1x-enabled port to generate a system error message and to change the port to restricted mode when a new device connects to it:

Device> enable
Device# configure terminal
Device(config)# interface gigabitethernet 2/0/1
Device(config-if)# authentication violation restrict
Device(config-if)# end

This example shows how to configure an 802.1x-enabled port to ignore a new device when it connects to the port:

Device> enable
Device# configure terminal
Device(config)# interface gigabitethernet 2/0/1
Device(config-if)# authentication violation protect
Device(config-if)# end

This example shows how to configure an 802.1x-enabled port to remove the current session and initiate authentication with a new device when it connects to the port:

Device> enable
Device# configure terminal
Device(config)# interface gigabitethernet 2/0/1
Device(config-if)# authentication violation replace
Device(config-if)# end

You can verify your settings by entering the show running-config interface interface-name command.

cisp enable

To enable Client Information Signaling Protocol (CISP) on a device so that it acts as an authenticator to a supplicant device and a supplicant to an authenticator device, use the cisp enable global configuration command.

cisp enable

no cisp enable

Syntax Description

This command has no arguments or keywords.

Command Default

No default behavior or values.

Command Modes

Global configuration (config)

Command History

Release

Modification

Cisco IOS XE Everest 16.6.1

This command was introduced.

Usage Guidelines

The link between the authenticator and supplicant device is a trunk. When you enable VTP on both devices, the VTP domain name must be the same, and the VTP mode must be server.

To avoid the MD5 checksum mismatch error when you configure VTP mode, verify that:

  • VLANs are not configured on two different devices, which can be caused by two VTP servers in the same domain.

  • Both devices have different configuration revision numbers.

Examples

This example shows how to enable CISP:

Device> enable
Device# configure terminal
Device(config)# cisp enable 
Device(config)# exit

clear aaa cache group

To clear an individual entry or all entries in the cache, use the clear aaa cache group command in privileged EXEC mode.

clear aaa cache group name { profile name | all }

Syntax Description

name

Text string representing the name of a cache server group.

profile name

Specifies the name of an individual profile entry that must be cleared.

all

Specifies that all the profiles in the named cache group be cleared.

Command Modes

Privileged EXEC (#)

Command History

Release

Modification

Cisco IOS XE Everest 16.6.1

This command was introduced.

Usage Guidelines

To update an old record with profile cache settings and to remove an old record from the cache, clear the cache for the profile.

Examples

The following example shows how to clear all the cache entries in the localusers group:


Device# clear aaa cache group localusers all

clear device-tracking database

To delete device-tracking database (binding table) entries, and clear counters, events, and messages, enter the clear device-tracking command in privileged EXEC mode.

clear device-tracking { counters [ interface interface_type_no | vlan vlan_id ] | database [ address { hostname | all } [ interface interface_type_no | policy policy_name | vlan vlan_id ] | interface interface_type_no [ vlan vlan_id ] | mac mac_address [ interface interface_type_no | policy policy_name | vlan vlan_id ] | policy policy_name | prefix { prefix | all } [ interface interface_type_no | policy policy_name | vlan vlan_id ] | vlanid vlan_id ] | events | messages }

Syntax Description

counters

Clears device-tracking counters for the specified interface or VLAN.

Counters are displayed in the show device-tracking counters all privileged EXEC command.

interface interface_type_no

Enter an interface type and number. Use the question mark (?) online help function to display the types of interfaces available on the device.

The clear action is performed for the interface you specify.

vlan vlan_id

Enter a VLAN ID. The clear action is performed for the VLAN ID you specify.

The valid value range is from 1 to 4095.

database

Clears dynamic entries in the binding table.

Note

Static entries configured by using the device-tracking binding vlan vlan_id command are not deleted.

You can delete all the dynamic entries in the table, or optionally, you can specify one or more IP addresses, MAC addresses, IPv6 prefixes, entries on a particular interface or VLAN, or a policy.

hostname

Enter the hostname or IP address on which you want to perform the clear action.

all

Performs the clear action on all IP addresses or IPv6 prefixes.

policy policy_name

Performs the clear action on the specified policy. Enter the policy name.

mac mac_address

Performs the clear action on the specified MAC address. Enter the MAC address.

prefix prefix

Performs the clear action on the specified IPv6 prefix. Enter a prefix or enter all to indicate all prefixes.

events

Clears the device-tracking events history.

Events are displayed in the show device-tracking events privileged EXEC command.

messages

Clears the device-tracking message history.

Messages are displayed in the show device-tracking messages privileged EXEC command.

Command Default

Database entries go through their binding entry lifecycle.

Counters: Each counter is a nonnegative 32-bit integer and it wraps-around when the limit is reached.

Events and messages: After the limit of 255 is reached, starting with the oldest, events and messages are overwritten.

Command Modes

Privileged EXEC (#)

Command History

Release

Modification

Cisco IOS XE Everest 16.6.1

This command was introduced.

Examples

The following example shows how to clear all entries from the binding table.

Device# show device-tracking database
Binding Table has 25 entries, 25 dynamic (limit 200000)
Codes: L - Local, S - Static, ND - Neighbor Discovery, ARP - Address Resolution Protocol, DH4 - IPv4 DHCP, DH6 - IPv6 DHCP, PKT - Other Packet, API - API created
Preflevel flags (prlvl):
0001:MAC and LLA match     0002:Orig trunk            0004:Orig access           
0008:Orig trusted trunk    0010:Orig trusted access   0020:DHCP assigned         
0040:Cga authenticated     0080:Cert authenticated    0100:Statically assigned   


    Network Layer Address                    Link Layer Address     Interface  vlan       prlvl      age        state      Time left       
ARP 192.0.9.49                               001d.4411.3ab7         Te1/0/4    200        00FF       22s        REACHABLE  699 s           
ARP 192.0.9.48                               001d.4411.3ab7         Te1/0/4    200        00FF       22s        REACHABLE  691 s           
ARP 192.0.9.47                               001d.4411.3ab7         Te1/0/4    200        00FF       22s        REACHABLE  687 s           
ARP 192.0.9.46                               001d.4411.3ab7         Te1/0/4    200        00FF       22s        REACHABLE  714 s           
ARP 192.0.9.45                               001d.4411.3ab7         Te1/0/4    200        00FF       22s        REACHABLE  692 s           
ARP 192.0.9.44                               001d.4411.3ab7         Te1/0/4    200        00FF       22s        REACHABLE  702 s           
ARP 192.0.9.43                               001c.4411.3ab7         Te1/0/4    200        00FF       22s        REACHABLE  680 s           
ARP 192.0.9.42                               001c.4411.3ab7         Te1/0/4    200        00FF       22s        REACHABLE  708 s           
ARP 192.0.9.41                               001c.4411.3ab7         Te1/0/4    200        00FF       22s        REACHABLE  683 s           
ARP 192.0.9.40                               001c.4411.3ab7         Te1/0/4    200        00FF       22s        REACHABLE  708 s           
ARP 192.0.9.39                               001c.4411.3ab7         Te1/0/4    200        00FF       22s        REACHABLE  710 s           
ARP 192.0.9.38                               001c.4411.3ab7         Te1/0/4    200        00FF       22s        REACHABLE  697 s           
ARP 192.0.9.37                               001c.4411.3ab7         Te1/0/4    200        00FF       22s        REACHABLE  707 s           
ARP 192.0.9.36                               001c.4411.3ab7         Te1/0/4    200        00FF       22s        REACHABLE  695 s           
ARP 192.0.9.35                               001c.4411.3ab7         Te1/0/4    200        00FF       22s        REACHABLE  708 s           
ARP 192.0.9.34                               001c.4411.3ab7         Te1/0/4    200        00FF       22s        REACHABLE  706 s           
ARP 192.0.9.33                               001b.4411.3ab7         Te1/0/4    200        00FF       22s        REACHABLE  683 s           
ARP 192.0.9.32                               001b.4411.3ab7         Te1/0/4    200        00FF       22s        REACHABLE  697 s           
ARP 192.0.9.31                               001b.4411.3ab7         Te1/0/4    200        00FF       22s        REACHABLE  683 s           
ARP 192.0.9.30                               001b.4411.3ab7         Te1/0/4    200        00FF       22s        REACHABLE  678 s           
ARP 192.0.9.29                               001b.4411.3ab7         Te1/0/4    200        00FF       22s        REACHABLE  696 s           
ARP 192.0.9.28                               001b.4411.3ab7         Te1/0/4    200        00FF       22s        REACHABLE  704 s           
ARP 192.0.9.27                               001b.4411.3ab7         Te1/0/4    200        00FF       22s        REACHABLE  713 s           
ARP 192.0.9.26                               001b.4411.3ab7         Te1/0/4    200        00FF       22s        REACHABLE  695 s           
ARP 192.0.9.25                               001b.4411.3ab7         Te1/0/4    200        00FF       22s        REACHABLE  686 s           

Device# clear device-tracking database

*Dec 13 15:10:22.837: %SISF-6-ENTRY_DELETED: Entry deleted IP=192.0.9.49 VLAN=200 MAC=001d.4411.3ab7 I/F=Te1/0/4 Preflevel=00FF
*Dec 13 15:10:22.838: %SISF-6-ENTRY_DELETED: Entry deleted IP=192.0.9.48 VLAN=200 MAC=001d.4411.3ab7 I/F=Te1/0/4 Preflevel=00FF
*Dec 13 15:10:22.838: %SISF-6-ENTRY_DELETED: Entry deleted IP=192.0.9.47 VLAN=200 MAC=001d.4411.3ab7 I/F=Te1/0/4 Preflevel=00FF
*Dec 13 15:10:22.838: %SISF-6-ENTRY_DELETED: Entry deleted IP=192.0.9.46 VLAN=200 MAC=001d.4411.3ab7 I/F=Te1/0/4 Preflevel=00FF
*Dec 13 15:10:22.839: %SISF-6-ENTRY_DELETED: Entry deleted IP=192.0.9.45 VLAN=200 MAC=001d.4411.3ab7 I/F=Te1/0/4 Preflevel=00FF
*Dec 13 15:10:22.839: %SISF-6-ENTRY_DELETED: Entry deleted IP=192.0.9.44 VLAN=200 MAC=001d.4411.3ab7 I/F=Te1/0/4 Preflevel=00FF
*Dec 13 15:10:22.839: %SISF-6-ENTRY_DELETED: Entry deleted IP=192.0.9.43 VLAN=200 MAC=001c.4411.3ab7 I/F=Te1/0/4 Preflevel=00FF
*Dec 13 15:10:22.839: %SISF-6-ENTRY_DELETED: Entry deleted IP=192.0.9.42 VLAN=200 MAC=001c.4411.3ab7 I/F=Te1/0/4 Preflevel=00FF
*Dec 13 15:10:22.840: %SISF-6-ENTRY_DELETED: Entry deleted IP=192.0.9.41 VLAN=200 MAC=001c.4411.3ab7 I/F=Te1/0/4 Preflevel=00FF
*Dec 13 15:10:22.840: %SISF-6-ENTRY_DELETED: Entry deleted IP=192.0.9.40 VLAN=200 MAC=001c.4411.3ab7 I/F=Te1/0/4 Preflevel=00FF
*Dec 13 15:10:22.840: %SISF-6-ENTRY_DELETED: Entry deleted IP=192.0.9.39 VLAN=200 MAC=001c.4411.3ab7 I/F=Te1/0/4 Preflevel=00FF
*Dec 13 15:10:22.841: %SISF-6-ENTRY_DELETED: Entry deleted IP=192.0.9.38 VLAN=200 MAC=001c.4411.3ab7 I/F=Te1/0/4 Preflevel=00FF
*Dec 13 15:10:22.841: %SISF-6-ENTRY_DELETED: Entry deleted IP=192.0.9.37 VLAN=200 MAC=001c.4411.3ab7 I/F=Te1/0/4 Preflevel=00FF
*Dec 13 15:10:22.841: %SISF-6-ENTRY_DELETED: Entry deleted IP=192.0.9.36 VLAN=200 MAC=001c.4411.3ab7 I/F=Te1/0/4 Preflevel=00FF
*Dec 13 15:10:22.842: %SISF-6-ENTRY_DELETED: Entry deleted IP=192.0.9.35 VLAN=200 MAC=001c.4411.3ab7 I/F=Te1/0/4 Preflevel=00FF
*Dec 13 15:10:22.842: %SISF-6-ENTRY_DELETED: Entry deleted IP=192.0.9.34 VLAN=200 MAC=001c.4411.3ab7 I/F=Te1/0/4 Preflevel=00FF
*Dec 13 15:10:22.842: %SISF-6-ENTRY_DELETED: Entry deleted IP=192.0.9.33 VLAN=200 MAC=001b.4411.3ab7 I/F=Te1/0/4 Preflevel=00FF
*Dec 13 15:10:22.842: %SISF-6-ENTRY_DELETED: Entry deleted IP=192.0.9.32 VLAN=200 MAC=001b.4411.3ab7 I/F=Te1/0/4 Preflevel=00FF
*Dec 13 15:10:22.843: %SISF-6-ENTRY_DELETED: Entry deleted IP=192.0.9.31 VLAN=200 MAC=001b.4411.3ab7 I/F=Te1/0/4 Preflevel=00FF
*Dec 13 15:10:22.843: %SISF-6-ENTRY_DELETED: Entry deleted IP=192.0.9.30 VLAN=200 MAC=001b.4411.3ab7 I/F=Te1/0/4 Preflevel=00FF
*Dec 13 15:10:22.843: %SISF-6-ENTRY_DELETED: Entry deleted IP=192.0.9.29 VLAN=200 MAC=001b.4411.3ab7 I/F=Te1/0/4 Preflevel=00FF
*Dec 13 15:10:22.844: %SISF-6-ENTRY_DELETED: Entry deleted IP=192.0.9.28 VLAN=200 MAC=001b.4411.3ab7 I/F=Te1/0/4 Preflevel=00FF
*Dec 13 15:10:22.844: %SISF-6-ENTRY_DELETED: Entry deleted IP=192.0.9.27 VLAN=200 MAC=001b.4411.3ab7 I/F=Te1/0/4 Preflevel=00FF
*Dec 13 15:10:22.844: %SISF-6-ENTRY_DELETED: Entry deleted IP=192.0.9.26 VLAN=200 MAC=001b.4411.3ab7 I/F=Te1/0/4 Preflevel=00FF
*Dec 13 15:10:22.844: %SISF-6-ENTRY_DELETED: Entry deleted IP=192.0.9.25 VLAN=200 MAC=001b.4411.3ab7 I/F=Te1/0/4 Preflevel=00FF

Device# show device-tracking database 
<no output; binding table cleared>
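The binding-table listing and the %SISF-6-ENTRY_DELETED syslog messages above are the two records an operator has of what the clear removed. The following is an added example, not part of the Cisco documentation: it parses both formats, decodes the prlvl flag bits listed in the output, and reconciles a binding-table snapshot against the deletion events, so that dynamic entries that produced no deletion message (or deletions for entries that were not in the snapshot) stand out. The sample output and syslog lines are constructed in the layout shown on this page; the static (S) row is also constructed, since the page shows only dynamic entries.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed sample in the layout of the page's 'show device-tracking database'
# output: three dynamic ARP entries plus one static (S) entry. The static row is
# constructed for illustration; the page itself shows only dynamic rows.
SHOW_OUTPUT = """\
Binding Table has 4 entries, 3 dynamic (limit 200000)
Codes: L - Local, S - Static, ND - Neighbor Discovery, ARP - Address Resolution Protocol, DH4 - IPv4 DHCP, DH6 - IPv6 DHCP, PKT - Other Packet, API - API created
Preflevel flags (prlvl):
0001:MAC and LLA match     0002:Orig trunk            0004:Orig access
0008:Orig trusted trunk    0010:Orig trusted access   0020:DHCP assigned
0040:Cga authenticated     0080:Cert authenticated    0100:Statically assigned

    Network Layer Address                    Link Layer Address     Interface  vlan       prlvl      age        state      Time left
ARP 192.0.9.49                               001d.4411.3ab7         Te1/0/4    200        00FF       22s        REACHABLE  699 s
ARP 192.0.9.48                               001d.4411.3ab7         Te1/0/4    200        00FF       22s        REACHABLE  691 s
ARP 192.0.9.47                               001d.4411.3ab7         Te1/0/4    200        00FF       22s        REACHABLE  687 s
S   192.0.9.1                                001d.4411.0001         Te1/0/4    200        0100       22s        REACHABLE  N/A
"""

# Constructed syslog sample: deletions for .49 and .48, plus one for .46, which
# does not appear in the snapshot above.
SYSLOG = """\
*Dec 13 15:10:22.837: %SISF-6-ENTRY_DELETED: Entry deleted IP=192.0.9.49 VLAN=200 MAC=001d.4411.3ab7 I/F=Te1/0/4 Preflevel=00FF
*Dec 13 15:10:22.838: %SISF-6-ENTRY_DELETED: Entry deleted IP=192.0.9.48 VLAN=200 MAC=001d.4411.3ab7 I/F=Te1/0/4 Preflevel=00FF
*Dec 13 15:10:22.839: %SISF-6-ENTRY_DELETED: Entry deleted IP=192.0.9.46 VLAN=200 MAC=001d.4411.3ab7 I/F=Te1/0/4 Preflevel=00FF
"""

# Preference-level flag bits, as listed in the command output.
PRLVL_FLAGS: Dict[int, str] = {
    0x0001: "MAC and LLA match", 0x0002: "Orig trunk", 0x0004: "Orig access",
    0x0008: "Orig trusted trunk", 0x0010: "Orig trusted access", 0x0020: "DHCP assigned",
    0x0040: "Cga authenticated", 0x0080: "Cert authenticated", 0x0100: "Statically assigned",
}

# One binding-table row: code, address, MAC, interface, VLAN, prlvl, age, state.
ROW_RE = re.compile(
    r"^(?P<code>L|S|ND|ARP|DH4|DH6|PKT|API)\s+(?P<addr>\S+)\s+"
    r"(?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})\s+"
    r"(?P<intf>\S+)\s+(?P<vlan>\d+)\s+(?P<prlvl>[0-9a-fA-F]{4})\s+(?P<age>\S+)\s+(?P<state>\S+)"
)
DELETED_RE = re.compile(
    r"%SISF-6-ENTRY_DELETED: Entry deleted IP=(?P<addr>\S+) VLAN=(?P<vlan>\d+) "
    r"MAC=(?P<mac>\S+) I/F=(?P<intf>\S+) Preflevel=(?P<prlvl>[0-9a-fA-F]{4})"
)

Key = Tuple[str, int, str, str]  # (address, vlan, mac, interface)


@dataclass(frozen=True)
class Binding:
    code: str
    addr: str
    mac: str
    intf: str
    vlan: int
    prlvl: int
    state: str

    @property
    def key(self) -> Key:
        return (self.addr, self.vlan, self.mac, self.intf)

    @property
    def is_static(self) -> bool:
        # Static entries carry code S and the 'Statically assigned' prlvl bit.
        return self.code == "S" or bool(self.prlvl & 0x0100)

    def flags(self) -> List[str]:
        return [name for bit, name in PRLVL_FLAGS.items() if self.prlvl & bit]


def parse_binding_table(text: str) -> List[Binding]:
    """Extract the entry rows from 'show device-tracking database' output."""
    rows: List[Binding] = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append(Binding(m["code"], m["addr"], m["mac"].lower(), m["intf"],
                                int(m["vlan"]), int(m["prlvl"], 16), m["state"]))
    return rows


def parse_deleted_events(text: str) -> Set[Key]:
    """Collect the entries reported deleted by %SISF-6-ENTRY_DELETED messages."""
    deleted: Set[Key] = set()
    for line in text.splitlines():
        m = DELETED_RE.search(line)
        if m:
            deleted.add((m["addr"], int(m["vlan"]), m["mac"].lower(), m["intf"]))
    return deleted


def reconcile(bindings: List[Binding], deleted: Set[Key]) -> Dict[str, List[Key]]:
    """Compare a pre-clear snapshot with the deletion events seen afterwards."""
    dynamic = {b.key for b in bindings if not b.is_static}
    static = {b.key for b in bindings if b.is_static}
    return {
        "confirmed": sorted(dynamic & deleted),        # dynamic entry, deletion logged
        "missing": sorted(dynamic - deleted),          # dynamic entry, no deletion logged
        "unexpected": sorted(deleted - dynamic),       # deletion for an entry not in the snapshot
        "static_retained": sorted(static - deleted),   # static entries are expected to survive
        "static_deleted": sorted(static & deleted),
    }


if __name__ == "__main__":
    result = reconcile(parse_binding_table(SHOW_OUTPUT), parse_deleted_events(SYSLOG))
    for category, keys in result.items():
        print(f"{category}: {len(keys)}", *[f"  {k}" for k in keys], sep="\n")
```

In practice the snapshot comes from a `show device-tracking database` capture taken just before the clear and the events from the syslog collector; a non-empty "missing" list usually means the snapshot was stale or logging dropped messages, which is why both sides are kept rather than trusting either alone.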

clear errdisable interface vlan

To reenable a VLAN that was error-disabled, use the clear errdisable interface command in privileged EXEC mode.

clear errdisable interface interface-id vlan [ vlan-list]

Syntax Description

interface-id

Specifies an interface.

vlan vlan-list

(Optional) Specifies a list of VLANs to be reenabled. If a VLAN list is not specified, then all VLANs are reenabled.

Command Default

No default behavior or values.

Command Modes

Privileged EXEC (#)

Command History

Release

Modification

Cisco IOS XE Everest 16.6.1

This command was introduced.

Usage Guidelines

You can reenable a port by using the shutdown and no shutdown interface configuration commands, or you can clear error-disable for VLANs by using the clear errdisable interface command.

Examples

This example shows how to reenable all VLANs that were error-disabled on Gigabit Ethernet port 4/0/2:


Device# clear errdisable interface gigabitethernet4/0/2 vlan

clear fqdn

To clear the fully qualified domain name (FQDN) local cache entries, use the clear fqdn command in privileged EXEC mode.

clear fqdn { database { all | fqdn name [ ipv4 address | ipv6 address ] } | packet statistics }

Syntax Description

database all

Clears all the FQDN local cache entries.

database fqdn name

Clears the specified FQDN local cache entry.

ipv4 address

Clears a particular IP binding matched to the FQDN name.

ipv6 address

Clears a particular IPv6 binding matched to the FQDN name.

packet statistics

Resets all the FQDN packet statistics counters to 0.

Command Default

No default behavior or values.

Command Modes

Privileged EXEC (#)

Command History

Release

Modification

Cisco IOS XE Bengaluru 17.5.1

This command was introduced.

Cisco IOS XE Bengaluru 17.6.1

This command was modified. The ipv6 keyword was introduced.

Examples

The following example shows how to clear all the FQDN local cache entries:

Device> enable
Device# clear fqdn database all

The following example shows how to clear a particular IPv4 binding matched to an FQDN name:

Device> enable
Device# clear fqdn database fqdn 123.cisco.com ipv4 10.102.103.10

The following example shows how to clear a particular IPv6 binding matched to an FQDN name:

Device> enable
Device# clear fqdn database fqdn 123.cisco.com ipv6 2001:DB8::1

clear mac address-table

To delete from the MAC address table a specific dynamic address, all dynamic addresses on a particular interface, all dynamic addresses on stack members, or all dynamic addresses on a particular VLAN, use the clear mac address-table command in privileged EXEC mode. This command also clears the MAC address notification global counters.

clear mac address-table { dynamic [ address mac-addr | interface interface-id | vlan vlan-id] | move update | notification}

Syntax Description

dynamic

Deletes all dynamic MAC addresses.

address mac-addr

(Optional) Deletes the specified dynamic MAC address.

interface interface-id

(Optional) Deletes all dynamic MAC addresses on the specified physical port or port channel.

vlan vlan-id

(Optional) Deletes all dynamic MAC addresses for the specified VLAN. The range is 1 to 4094.

move update

Clears the MAC address table move-update counters.

notification

Clears the notifications in the history table and resets the counters.

Command Default

No default behavior or values.

Command Modes

Privileged EXEC (#)

Command History

Release

Modification

Cisco IOS XE Everest 16.6.1

This command was introduced.

Usage Guidelines

You can verify that the information was deleted by entering the show mac address-table command.

Examples

This example shows how to remove a specific MAC address from the dynamic address table:

Device> enable
Device# clear mac address-table dynamic address 0008.0070.0007

confidentiality-offset

To enable MACsec Key Agreement protocol (MKA) to set the confidentiality offset for MACsec operations, use the confidentiality-offset command in MKA-policy configuration mode. To disable confidentiality offset, use the no form of this command.

confidentiality-offset

no confidentiality-offset

Syntax Description

This command has no arguments or keywords.

Command Default

Confidentiality offset is disabled.

Command Modes

MKA-policy configuration (config-mka-policy)

Command History

Release

Modification

Cisco IOS XE Everest 16.6.1

This command was introduced.

Examples

The following example shows how to enable the confidentiality offset:
Device> enable
Device# configure terminal
Device(config)# mka policy 2
Device(config-mka-policy)# confidentiality-offset

debug aaa cache group

To debug the caching mechanism and ensure that caching entries are cached from AAA server responses and found when queried, use the debug aaa cache group command in privileged EXEC mode.

debug aaa cache group

Syntax Description

This command has no arguments or keywords.

Command Default

Debug information for all the cached entries is displayed.

Command Modes

Privileged EXEC (#)

Command History

Release

Modification

Cisco IOS XE Everest 16.6.1

This command was introduced.

Usage Guidelines

Use this command to display debug information about cached entries.

Examples

The following example displays the debug information about all the cached entries:

Device# debug aaa cache group

debug aaa dead-criteria transaction

To display authentication, authorization, and accounting (AAA) dead-criteria transaction values, use the debug aaa dead-criteria transaction command in privileged EXEC mode. To disable dead-criteria debugging, use the no form of this command.

debug aaa dead-criteria transaction

no debug aaa dead-criteria transaction

Syntax Description

This command has no arguments or keywords.

Command Default

If the command is not configured, debugging is not turned on.

Command Modes

Privileged EXEC (#)

Command History

Release

Modification

Cisco IOS XE Everest 16.6.1

This command was introduced.

Usage Guidelines

Dead-criteria transaction values may change with every AAA transaction. Some of the values that can be displayed are estimated outstanding transaction, retransmit tries, and dead-detect intervals. These values are explained in the table below.

Examples

The following example shows dead-criteria transaction information for a particular server group:

Device> enable
Device# debug aaa dead-criteria transaction

AAA Transaction debugs debugging is on
*Nov 14 23:44:17.403: AAA/SG/TRANSAC: Computed Retransmit Tries: 10, Current Tries: 3, Current Max Tries: 10
*Nov 14 23:44:17.403: AAA/SG/TRANSAC: Computed Dead Detect Interval: 10s, Elapsed Time: 317s, Current Max Interval: 10s
*Nov 14 23:44:17.403: AAA/SG/TRANSAC: Estimated Outstanding Transaction: 6, Current Max Transaction: 6

The table below describes the significant fields shown in the display.

Table 2. debug aaa dead-criteria transaction Field Descriptions

Field

Description

AAA/SG/TRANSAC

AAA server-group transaction.

Computed Retransmit Tries

Currently computed number of retransmissions before the server is marked as dead.

Current Tries

Number of successive failures since the last valid response.

Current Max Tries

Maximum number of tries since the last successful transaction.

Computed Dead Detect Interval

Period of inactivity (the number of seconds since the last successful transaction) that can elapse before the server is marked as dead. The period of inactivity starts when a transaction is sent to a server that is considered live. The dead-detect interval is the period that the device waits for responses from the server before the device marks the server as dead.

Elapsed Time

Amount of time that has elapsed since the last valid response.

Current Max Interval

Maximum period of inactivity since the last successful transaction.

Estimated Outstanding Transaction

Estimated number of transactions that are associated with the server.

Current Max Transaction

Maximum number of transactions since the last successful transaction.
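The three AAA/SG/TRANSAC lines in the example carry the numbers an operator needs to judge how close a server is to being marked dead. The following is an added example, not part of the Cisco documentation: it parses those lines into the fields described in the table above and reports how many retransmit tries remain and whether the dead-detect interval has already elapsed. The first sample is the page's own output; the second is constructed to show the exhausted case. The rule that a server is marked dead only when both the tries and the interval conditions hold is an assumption of this example and is labelled as such in the code.

```python
import re
from dataclasses import dataclass, fields
from typing import Dict

# Page sample: 3 of 10 tries used, 317 s elapsed against a 10 s dead-detect interval.
DEBUG_SAMPLE = """\
AAA Transaction debugs debugging is on
*Nov 14 23:44:17.403: AAA/SG/TRANSAC: Computed Retransmit Tries: 10, Current Tries: 3, Current Max Tries: 10
*Nov 14 23:44:17.403: AAA/SG/TRANSAC: Computed Dead Detect Interval: 10s, Elapsed Time: 317s, Current Max Interval: 10s
*Nov 14 23:44:17.403: AAA/SG/TRANSAC: Estimated Outstanding Transaction: 6, Current Max Transaction: 6
"""

# Constructed sample: every computed retransmit try has been used.
DEBUG_EXHAUSTED = """\
*Nov 14 23:46:02.117: AAA/SG/TRANSAC: Computed Retransmit Tries: 10, Current Tries: 10, Current Max Tries: 10
*Nov 14 23:46:02.117: AAA/SG/TRANSAC: Computed Dead Detect Interval: 10s, Elapsed Time: 422s, Current Max Interval: 10s
*Nov 14 23:46:02.117: AAA/SG/TRANSAC: Estimated Outstanding Transaction: 9, Current Max Transaction: 9
"""

# One regex per line type; group names match the DeadCriteria field names.
LINE_PATTERNS = [
    re.compile(r"AAA/SG/TRANSAC: Computed Retransmit Tries: (?P<computed_tries>\d+), "
               r"Current Tries: (?P<current_tries>\d+), Current Max Tries: (?P<max_tries>\d+)"),
    re.compile(r"AAA/SG/TRANSAC: Computed Dead Detect Interval: (?P<dead_interval>\d+)s, "
               r"Elapsed Time: (?P<elapsed>\d+)s, Current Max Interval: (?P<max_interval>\d+)s"),
    re.compile(r"AAA/SG/TRANSAC: Estimated Outstanding Transaction: (?P<outstanding>\d+), "
               r"Current Max Transaction: (?P<max_outstanding>\d+)"),
]


@dataclass(frozen=True)
class DeadCriteria:
    computed_tries: int   # retransmissions before the server is marked dead
    current_tries: int    # successive failures since the last valid response
    max_tries: int
    dead_interval: int    # seconds of inactivity allowed before the server is marked dead
    elapsed: int          # seconds since the last valid response
    max_interval: int
    outstanding: int      # estimated transactions associated with the server
    max_outstanding: int


def parse_dead_criteria(text: str) -> DeadCriteria:
    """Parse one set of AAA/SG/TRANSAC debug lines into a DeadCriteria record."""
    values: Dict[str, int] = {}
    for line in text.splitlines():
        for pattern in LINE_PATTERNS:
            m = pattern.search(line)
            if m:
                values.update({name: int(v) for name, v in m.groupdict().items()})
    missing = [f.name for f in fields(DeadCriteria) if f.name not in values]
    if missing:
        raise ValueError(f"debug output incomplete, missing: {missing}")
    return DeadCriteria(**values)


def assess(dc: DeadCriteria) -> Dict[str, object]:
    """Summarise how far the server is from the dead-criteria thresholds."""
    tries_exhausted = dc.current_tries >= dc.computed_tries
    interval_exceeded = dc.elapsed >= dc.dead_interval
    return {
        "tries_remaining": max(dc.computed_tries - dc.current_tries, 0),
        "tries_exhausted": tries_exhausted,
        "interval_exceeded": interval_exceeded,
        # Assumption of this example: the server is marked dead only when both
        # the tries criterion and the time criterion are met.
        "would_mark_dead": tries_exhausted and interval_exceeded,
        "outstanding": dc.outstanding,
    }


if __name__ == "__main__":
    for sample in (DEBUG_SAMPLE, DEBUG_EXHAUSTED):
        print(assess(parse_dead_criteria(sample)))
```

Run against the page's output this reports seven tries remaining with the interval already exceeded, which is the state of a server that has stopped answering but has not yet been given up on; a monitoring job that polls this debug output can alert on a shrinking tries_remaining before the failover actually happens.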

delay-protection

To configure MKA to use delay protection in sending MACsec Key Agreement Protocol Data Units (MKPDUs), use the delay-protection command in MKA-policy configuration mode. To disable delay protection, use the no form of this command.

delay-protection

no delay-protection

Syntax Description

This command has no arguments or keywords.

Command Default

Delay protection for sending MKPDUs is disabled.

Command Modes

MKA-policy configuration (config-mka-policy)

Command History

Release

Modification

Cisco IOS XE Everest 16.6.1

This command was introduced.

Examples

The following example shows how to configure MKA to use delay protection in sending MKPDUs:
Device> enable
Device# configure terminal
Device(config)# mka policy 2
Device(config-mka-policy)# delay-protection

deny (MAC access-list configuration)

To prevent non-IP traffic from being forwarded if the conditions are matched, use the deny command in MAC access-list extended configuration mode. To remove a deny condition from the named MAC access list, use the no form of this command.

deny { any | host src-MAC-addr | src-MAC-addr mask} { any | host dst-MAC-addr | dst-MAC-addr mask} [ type mask | aarp | amber | appletalk | dec-spanning | decnet-iv | diagnostic | dsm | etype-6000 | etype-8042 | lat | lavc-sca | lsap lsap mask | mop-console | mop-dump | msdos | mumps | netbios | vines-echo | vines-ip | xns-idp] [ cos cos]

no deny { any | host src-MAC-addr | src-MAC-addr mask} { any | host dst-MAC-addr | dst-MAC-addr mask} [ type mask | aarp | amber | appletalk | dec-spanning | decnet-iv | diagnostic | dsm | etype-6000 | etype-8042 | lat | lavc-sca | lsap lsap mask | mop-console | mop-dump | msdos | mumps | netbios | vines-echo | vines-ip | xns-idp] [ cos cos]

Syntax Description

any

Denies any source or destination MAC address.

host src-MAC-addr | src-MAC-addr mask

Defines a host MAC address and optional subnet mask. If the source address for a packet matches the defined address, non-IP traffic from that address is denied.

host dst-MAC-addr | dst-MAC-addr mask

Defines a destination MAC address and optional subnet mask. If the destination address for a packet matches the defined address, non-IP traffic to that address is denied.

type mask

(Optional) Specifies the EtherType number of a packet with Ethernet II or SNAP encapsulation to identify the protocol of the packet.

The type is 0 to 65535, specified in hexadecimal.

The mask is a mask of don’t care bits applied to the EtherType before testing for a match.

aarp

(Optional) Specifies EtherType AppleTalk Address Resolution Protocol that maps a data-link address to a network address.

amber

(Optional) Specifies EtherType DEC-Amber.

appletalk

(Optional) Specifies EtherType AppleTalk/EtherTalk.

dec-spanning

(Optional) Specifies EtherType Digital Equipment Corporation (DEC) spanning tree.

decnet-iv

(Optional) Specifies EtherType DECnet Phase IV protocol.

diagnostic

(Optional) Specifies EtherType DEC-Diagnostic.

dsm

(Optional) Specifies EtherType DEC-DSM.

etype-6000

(Optional) Specifies EtherType 0x6000.

etype-8042

(Optional) Specifies EtherType 0x8042.

lat

(Optional) Specifies EtherType DEC-LAT.

lavc-sca

(Optional) Specifies EtherType DEC-LAVC-SCA.

lsap lsap-number mask

(Optional) Specifies the LSAP number (0 to 65535) of a packet with 802.2 encapsulation to identify the protocol of the packet.

The mask is a mask of don’t care bits applied to the LSAP number before testing for a match.

mop-console

(Optional) Specifies EtherType DEC-MOP Remote Console.

mop-dump

(Optional) Specifies EtherType DEC-MOP Dump.

msdos

(Optional) Specifies EtherType DEC-MSDOS.

mumps

(Optional) Specifies EtherType DEC-MUMPS.

netbios

(Optional) Specifies EtherType DEC-NetBIOS (Network Basic Input/Output System).

vines-echo

(Optional) Specifies EtherType Virtual Integrated Network Service (VINES) Echo from Banyan Systems.

vines-ip

(Optional) Specifies EtherType VINES IP.

xns-idp

(Optional) Specifies EtherType Xerox Network Systems (XNS) protocol suite (0 to 65535), an arbitrary EtherType in decimal, hexadecimal, or octal.

cos cos

(Optional) Specifies a class of service (CoS) number from 0 to 7 to set priority. Filtering on CoS can be performed only in hardware. A warning message reminds the user if the cos option is configured.

Command Default

This command has no defaults. However, the default action for a MAC-named ACL is to deny.

Command Modes

MAC-access list extended configuration (config-ext-macl)

Command History

Release

Modification

Cisco IOS XE Everest 16.6.1

This command was introduced.

Usage Guidelines

You enter MAC-access list extended configuration mode by using the mac access-list extended global configuration command.

If you use the host keyword, you cannot enter an address mask; if you do not use the host keyword, you must enter an address mask.

When an access control entry (ACE) is added to an access control list, an implied deny-any-any condition exists at the end of the list. That is, if there are no matches, the packets are denied. However, before the first ACE is added, the list permits all packets.

To filter IPX traffic, you use the type mask or lsap lsap mask keywords, depending on the type of IPX encapsulation being used. Filter criteria for IPX encapsulation types as specified in Novell terminology and Cisco IOS XE terminology are listed in the table.

Table 3. IPX Filtering Criteria

IPX Encapsulation Type                          Filter Criterion
Cisco IOS XE Name      Novell Name
arpa                   Ethernet II              EtherType 0x8137
snap                   Ethernet-snap            EtherType 0x8137
sap                    Ethernet 802.2           LSAP 0xE0E0
novell-ether           Ethernet 802.3           LSAP 0xFFFF

Examples

This example shows how to define the named MAC extended access list to deny NETBIOS traffic from any source to MAC address 00c0.00a0.03fa. Traffic matching this list is denied.

Device> enable
Device# configure terminal
Device(config)# mac access-list extended mac_layer
Device(config-ext-macl)# deny any host 00c0.00a0.03fa netbios
Device(config-ext-macl)# end

This example shows how to remove the deny condition from the named MAC extended access list:

Device> enable
Device# configure terminal
Device(config)# mac access-list extended mac_layer
Device(config-ext-macl)# no deny any 00c0.00a0.03fa 0000.0000.0000 netbios
Device(config-ext-macl)# end

The following example shows how to deny all packets with EtherType 0x4321:

Device> enable
Device# configure terminal
Device(config)# mac access-list extended mac_layer
Device(config-ext-macl)# deny any any 0x4321 0
Device(config-ext-macl)# end

You can verify your settings by entering the show access-lists privileged EXEC command.
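The matching rules stated in the usage guidelines (host versus address-plus-mask, mask bits as don’t-care bits, the EtherType mask, and the implied deny-any-any once a list has an entry) are easy to get wrong when reviewing an ACL offline. The following is an added example, not part of the Cisco documentation: a small evaluator that parses deny ACEs in the syntax shown on this page (and permit, its counterpart, which this section does not document), applies the mask semantics, and reports what a given frame would get. It supports numeric EtherTypes and only the two keywords whose values appear on this page (etype-6000 and etype-8042); other keywords such as netbios are deliberately not mapped to numbers, since the page does not give them. The cos option is not modelled. The addresses and EtherTypes in the test frames are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

MAC_RE = re.compile(r"^[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}$")
MAC_BITS = 0xFFFFFFFFFFFF   # 48-bit MAC address
TYPE_BITS = 0xFFFF          # 16-bit EtherType

# EtherType keywords whose numeric value is given on this page. Keywords such as
# netbios or aarp are not mapped here rather than guessed.
TYPE_KEYWORDS = {"etype-6000": 0x6000, "etype-8042": 0x8042}


def mac_to_int(mac: str) -> int:
    """Convert Cisco dotted notation (00c0.00a0.03fa) to an integer."""
    if not MAC_RE.match(mac):
        raise ValueError(f"bad MAC address: {mac}")
    return int(mac.replace(".", ""), 16)


def _parse_num(tok: str) -> int:
    """EtherType or EtherType mask: hexadecimal with 0x prefix, else decimal."""
    return int(tok, 16) if tok.lower().startswith("0x") else int(tok, 10)


def _masked_match(value: int, rule: int, mask: int, width: int) -> bool:
    """Cisco mask semantics: a 1 bit in the mask is a don't-care bit."""
    return ((value ^ rule) & ~mask & width) == 0


@dataclass(frozen=True)
class MacAce:
    action: str                # "permit" or "deny"
    src: int
    src_mask: int
    dst: int
    dst_mask: int
    ethertype: Optional[int]   # None: no protocol qualifier, any EtherType matches
    type_mask: int

    def matches(self, src: int, dst: int, ethertype: int) -> bool:
        if not _masked_match(src, self.src, self.src_mask, MAC_BITS):
            return False
        if not _masked_match(dst, self.dst, self.dst_mask, MAC_BITS):
            return False
        if self.ethertype is None:
            return True
        return _masked_match(ethertype, self.ethertype, self.type_mask, TYPE_BITS)


def _parse_address(tokens: List[str], i: int) -> Tuple[int, int, int]:
    """Parse 'any' | 'host MAC' | 'MAC MASK' at tokens[i]; return (addr, mask, next)."""
    if tokens[i] == "any":
        return 0, MAC_BITS, i + 1          # every address bit is don't-care
    if tokens[i] == "host":
        return mac_to_int(tokens[i + 1]), 0, i + 2   # host: exact match, no mask allowed
    return mac_to_int(tokens[i]), mac_to_int(tokens[i + 1]), i + 2


def parse_ace(line: str) -> MacAce:
    """Parse one ACE, e.g. 'deny any host 00c0.00a0.03fa etype-8042' or 'deny any any 0x4321 0'."""
    tokens = line.split()
    action = tokens[0]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action: {action}")
    src, src_mask, i = _parse_address(tokens, 1)
    dst, dst_mask, i = _parse_address(tokens, i)
    ethertype: Optional[int] = None
    type_mask = 0
    if i < len(tokens):
        if tokens[i] in TYPE_KEYWORDS:
            ethertype = TYPE_KEYWORDS[tokens[i]]
        else:
            ethertype = _parse_num(tokens[i])
            type_mask = _parse_num(tokens[i + 1])
    return MacAce(action, src, src_mask, dst, dst_mask, ethertype, type_mask)


def evaluate(acl: List[MacAce], src: str, dst: str, ethertype: int) -> str:
    """First matching ACE wins. An empty list permits all frames; once any ACE
    exists, frames that match nothing hit the implied deny-any-any."""
    if not acl:
        return "permit"
    s, d = mac_to_int(src), mac_to_int(dst)
    for ace in acl:
        if ace.matches(s, d, ethertype):
            return ace.action
    return "deny"


if __name__ == "__main__":
    acl = [parse_ace("deny any host 00c0.00a0.03fa etype-8042"),
           parse_ace("deny any any 0x4321 0"),
           parse_ace("permit any any")]
    print(evaluate(acl, "0011.2233.4455", "00c0.00a0.03fa", 0x8042))   # deny (first ACE)
    print(evaluate(acl, "0011.2233.4455", "aaaa.bbbb.cccc", 0x4321))   # deny (EtherType 0x4321)
    print(evaluate(acl, "0011.2233.4455", "aaaa.bbbb.cccc", 0x8137))   # permit (IPX falls through)
```

The mask direction is the point most worth checking before committing a list: `0000.0000.0000` after an address means an exact match (equivalent to `host`), while `0000.0000.ffff` makes the low 16 bits don't-care, so a rule written with the mask inverted will silently match far more or far less than intended.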

device-role (IPv6 snooping)

To specify the role of the device attached to the port, use the device-role command in IPv6 snooping configuration mode. To remove the specification, use the no form of this command.

device-role { node | switch}

no device-role { node | switch}

Syntax Description

node

Sets the role of the attached device to node.

switch

Sets the role of the attached device to switch.

Command Default

The device role is node.

Command Modes

IPv6 snooping configuration (config-ipv6-snooping)

Command History

Release

Modification

Cisco IOS XE Everest 16.6.1

This command was introduced.

Usage Guidelines

The device-role command specifies the role of the device attached to the port. By default, the device role is node.

The switch keyword indicates that the remote device is a switch and that the local switch is now operating in multiswitch mode; binding entries learned from the port will be marked with trunk_port preference level. If the port is configured as a trust-port, binding entries will be marked with trunk_trusted_port preference level.

Examples

This example shows how to define an IPv6 snooping policy name as policy1, place the device in IPv6 snooping configuration mode, and configure the device as the node:

Device> enable
Device# configure terminal
Device(config)# ipv6 snooping policy policy1
Device(config-ipv6-snooping)# device-role node
Device(config-ipv6-snooping)# end

device-role (IPv6 nd inspection)

To specify the role of the device attached to the port, use the device-role command in neighbor discovery (ND) inspection policy configuration mode.

device-role { host | switch}

Syntax Description

host

Sets the role of the attached device to host.

switch

Sets the role of the attached device to switch.

Command Default

The device role is host.

Command Modes

ND inspection policy configuration (config-nd-inspection)

Command History

Release

Modification

Cisco IOS XE Everest 16.6.1

This command was introduced.

Usage Guidelines

The device-role command specifies the role of the device attached to the port. By default, the device role is host, and therefore all the inbound router advertisement and redirect messages are blocked.

The switch keyword indicates that the remote device is a switch and that the local switch is now operating in multiswitch mode; binding entries learned from the port will be marked with trunk_port preference level. If the port is configured as a trust-port, binding entries will be marked with trunk_trusted_port preference level.

Examples

The following example defines a Neighbor Discovery Protocol (NDP) policy name as policy1, places the device in ND inspection policy configuration mode, and configures the device as the host:

Device> enable
Device# configure terminal
Device(config)#  ipv6 nd inspection policy policy1
Device(config-nd-inspection)# device-role host
Device(config-nd-inspection)# end

device-tracking (interface config)

To enable SISF-based device tracking and attach the default policy to an interface or VLAN, or to enable the feature and attach a custom policy enter the device-tracking command in interface configuration mode. To detach the policy from the interface or VLAN and revert to default, use the no form of the command.

device-tracking [ attach-policy policy-name ] [ vlan { vlan-id | add vlan-id | all | except vlan-id | none | remove vlan-id } ]

no device-tracking [ attach-policy policy-name ] [ vlan { vlan-id | add vlan-id | all | except vlan-id | none | remove vlan-id } ]

Syntax Description

attach-policy policy-name

Attaches the custom policy that you specify, to the interface and all VLANs.

vlan { vlan-id | add vlan-id | all | except vlan-id | none | remove vlan-id }

Configures the VLAN list for the policy and attaches the custom policy to the specified VLANs. You can specify the following particulars:

  • vlan-id : Enter one or more VLAN IDs. The custom policy is attached to all the VLAN IDs.

  • add vlan-id : Adds specified VLANs to the existing list of VLAN IDs. The custom policy is attached to all the VLAN IDs.

  • all : Attaches the custom policy to all VLAN IDs.

    This is the default option.

  • except vlan-id : Attaches the custom policy to all VLAN IDs, except the ones you specify here.

  • none : Does not attach the custom policy to any VLAN.

  • remove vlan-id : Removes specified VLANs from the existing list of VLAN IDs. The custom policy is attached only to the VLAN IDs in the list.

Command Default

SISF-based device tracking is disabled and a policy is not attached to the interface.

Command Modes

Interface configuration [Device(config-if)# ]

Command History

Release Modification

Cisco IOS XE Everest 16.6.1

This command was introduced.

Usage Guidelines

If you enter the device-tracking command in the interface configuration mode, without any other keywords, the system attaches the default policy to the interface or VLAN. The default policy is a built-in policy with default settings; you cannot change any of the attributes of the default policy.

If you configure the device-tracking attach-policy policy-name command in the interface configuration mode, you can specify a custom policy name. You must have created the custom policy in global configuration mode already. The policy is attached to the specified interface. You can then also specify the VLANs that you want to attach it to.

If you want to change the custom policy that is attached to a target, reconfigure the device-tracking attach-policy policy-name command.

If you want to disable the feature on a particular target, enter the no device-tracking command in the interface configuration mode.

Examples

The following example shows how to enable SISF-based device tracking and attach the default policy to an interface. The default policy has default policy parameters, none of which can be changed:
Device# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Device(config)# interface tengigabitethernet1/0/1
Device(config-if)# device-tracking
Device(config-if)# end

Device# show device-tracking policies detail
Target               Type  Policy               Feature        Target range
Te1/0/1              PORT  default              Device-tracking vlan all
Te1/0/2              PORT  default              Device-tracking vlan all

Device-tracking policy default configuration: 
  security-level guard
  device-role node
  gleaning from Neighbor Discovery
  gleaning from DHCP6
  gleaning from ARP
  gleaning from DHCP4
  NOT gleaning from protocol unkn
Policy default is applied on the following targets: 
Target               Type  Policy               Feature        Target range
Te1/0/1              PORT  default              Device-tracking vlan all
Te1/0/2              PORT  default              Device-tracking vlan all

Examples

The following example shows how to enable SISF-based device tracking and attach a custom policy called sisf-01 to the same interface as in the above example, that is, Te1/0/1. Doing so replaces the existing default policy with custom policy sisf-01 on Te1/0/1.
Device# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Device(config)# interface tengigabitethernet1/0/1
Device(config-if)# device-tracking attach-policy sisf-01
Device(config-if)# end

Device# show device-tracking policies detail
Target               Type  Policy               Feature        Target range
Te1/0/1              PORT  sisf-01              Device-tracking vlan all
Te1/0/2              PORT  default              Device-tracking vlan all

Device-tracking policy default configuration: 
  security-level guard
  device-role node
  gleaning from Neighbor Discovery
  gleaning from DHCP6
  gleaning from ARP
  gleaning from DHCP4
  NOT gleaning from protocol unkn
Policy default is applied on the following targets: 
Target               Type  Policy               Feature        Target range
Te1/0/2              PORT  default              Device-tracking vlan all
 Device-tracking policy sisf-01 configuration: 
  security-level guard
  device-role node
  gleaning from Neighbor Discovery
  gleaning from DHCP6
  gleaning from ARP
  gleaning from DHCP4
  NOT gleaning from protocol unkn
  limit address-count 3000
Policy sisf-01 is applied on the following targets: 
Target               Type  Policy               Feature        Target range
Te1/0/1              PORT  sisf-01              Device-tracking vlan all

Examples

The following example shows how to disable SISF-based device-tracking on a target. The feature is disabled on target Te1/0/1. This is the same interface where a custom policy is applied in the previous example. The default policy continues to be available on the other interface where the feature is enabled, that is, Te1/0/2.
Device# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Device(config)# interface tengigabitethernet1/0/1
Device(config-if)# no device-tracking attach-policy sisf-01
Device(config-if)# end

Device# show device-tracking policies detail
Target               Type  Policy               Feature        Target range
Te1/0/2              PORT  default              Device-tracking vlan all

Device-tracking policy default configuration: 
  security-level guard
  device-role node
  gleaning from Neighbor Discovery
  gleaning from DHCP6
  gleaning from ARP
  gleaning from DHCP4
  NOT gleaning from protocol unkn
Policy default is applied on the following targets: 
Target               Type  Policy               Feature        Target range
Te1/0/2              PORT  default              Device-tracking vlan all

device-tracking (VLAN config)

To enable Switch Integrated Security Features (SISF)-based device tracking and attach the default policy to a VLAN, or to enable the feature, attach a custom policy to a VLAN, and specify policy priority, enter the device-tracking command in VLAN configuration mode. To detach the policy from a VLAN and revert to default, use the no form of the command.

device-tracking [ attach-policy policy-name ] [ priority priority-value ]

Syntax Description

attach-policy policy-name

Attaches the custom policy that you specify, to the VLAN.

priority priority-value

Note

Although visible on the CLI, configuring this command has no effect. Policy priority is system-determined. You cannot change this.

Command Default

SISF-based device tracking is disabled.

Command Modes

VLAN configuration mode [Device(config-vlan-config)# ]

Command History

Release Modification

Cisco IOS XE Everest 16.6.1

This command was introduced.

Usage Guidelines

If you enter the device-tracking command in VLAN configuration mode, without any other keywords, the system attaches the default policy to the VLAN. The default policy is a built-in policy with default settings; you cannot change any of the parameters of the default policy.

If you configure the device-tracking attach-policy policy-name command in VLAN configuration mode, the custom policy you specify is attached to the VLAN. With a custom policy, you can configure certain policy parameters.

You can enable the feature and attach a policy - custom or default - to one or more VLANs or a range of VLANs.

Examples

The following example shows how to enable SISF-based device tracking and attach the default policy to VLAN 500:
Device# show device-tracking policies
Target               Type  Policy               Feature        Target range
Te1/0/1              PORT  sisf-03              Device-tracking vlan all
Te1/0/1              PORT  default              Address Resolution Relay vlan all
Te1/0/2              PORT  default              Device-tracking vlan all
vlan 333             VLAN  sisf-01              Device-tracking vlan all


Device# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Device(config)# vlan configuration 500
Device(config-vlan-config)# device-tracking
Device(config-vlan-config)# end


Device# show device-tracking policies
Target               Type  Policy               Feature        Target range
Te1/0/1              PORT  sisf-03              Device-tracking vlan all
Te1/0/1              PORT  default              Address Resolution Relay vlan all
Te1/0/2              PORT  default              Device-tracking vlan all
vlan 333             VLAN  sisf-01              Device-tracking vlan all
vlan 500             VLAN  default              Device-tracking vlan all

Examples

The following example shows how to attach a custom policy called sisf-03, to the same VLAN as the above example, that is, VLAN 500. Doing so replaces the existing default policy with custom policy sisf-03 on the VLAN:
Device# show device-tracking policies
Target               Type  Policy               Feature        Target range
Te1/0/1              PORT  sisf-03              Device-tracking vlan all
Te1/0/1              PORT  default              Address Resolution Relay vlan all
Te1/0/2              PORT  default              Device-tracking vlan all
vlan 333             VLAN  sisf-01              Device-tracking vlan all
vlan 500             VLAN  default              Device-tracking vlan all

Device# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Device(config)# vlan configuration 500
Device(config-vlan-config)# device-tracking attach-policy sisf-03
Device(config-vlan-config)# end

Device# show device-tracking policies
Target               Type  Policy               Feature        Target range
Te1/0/1              PORT  sisf-03              Device-tracking vlan all
Te1/0/1              PORT  default              Address Resolution Relay vlan all
Te1/0/2              PORT  default              Device-tracking vlan all
vlan 333             VLAN  sisf-01              Device-tracking vlan all
vlan 500             VLAN  sisf-03              Device-tracking vlan all

Examples

The following example shows how to attach a custom policy to a range of VLANs (VLANs 10 to 15):
Device(config)# vlan configuration 10-15
Device(config-vlan-config)# device-tracking attach-policy sisf-01
Device(config-vlan-config)# end

Device# show device-tracking policies
Target               Type  Policy               Feature        Target range
Te1/0/2              PORT  default              Device-tracking vlan all
vlan 10              VLAN  sisf-01              Device-tracking vlan all
vlan 11              VLAN  sisf-01              Device-tracking vlan all
vlan 12              VLAN  sisf-01              Device-tracking vlan all
vlan 13              VLAN  sisf-01              Device-tracking vlan all
vlan 14              VLAN  sisf-01              Device-tracking vlan all
vlan 15              VLAN  sisf-01              Device-tracking vlan all

device-tracking binding

To specify how binding entries are maintained in the binding table, enter the device-tracking binding command in global configuration mode. With this command you can configure the lifetime of each state, the maximum number of entries allowed in a binding table, and whether binding entry events are logged. You can also use this command to configure static binding entries. To revert to the default value, use the no form of the command.

device-tracking binding { down-lifetime | logging | max-entries | reachable-lifetime | stale-lifetime | vlan }

For the sake of clarity, the remaining command string after each one of the above options is listed separately:

  • device-tracking binding down-lifetime { seconds | infinite }

    no device-tracking binding down-lifetime

  • device-tracking binding logging

    no device-tracking binding logging

  • device-tracking binding max-entries no_of_entries [ mac-limit no_of_entries | port-limit no_of_entries [ mac-limit no_of_entries ] | vlan-limit no_of_entries [ mac-limit no_of_entries | port-limit no_of_entries [ mac-limit no_of_entries ] ] ]

    no device-tracking binding max-entries

  • device-tracking binding reachable-lifetime { seconds | infinite } [ down-lifetime { seconds | infinite } | stale-lifetime { seconds | infinite } [ down-lifetime { seconds | infinite } ] ]

    no device-tracking binding reachable-lifetime

  • device-tracking binding stale-lifetime { seconds | infinite } [ down-lifetime { seconds | infinite } ]

    no device-tracking binding stale-lifetime

  • device-tracking binding vlan vlan_id { ipv4_add | ipv6_add | ipv6_prefix } [ interface interface_type_no ] [ 48-bit-hardware-address ] [ reachable-lifetime { seconds | default | infinite } | tracking { default | disable | enable [ retry-interval { seconds | default } ] } [ reachable-lifetime { seconds | default | infinite } ] ]

Syntax Description

down-lifetime { seconds | infinite }

Provides the option to configure a countdown timer for a binding entry in the DOWN state, or, to disable the timer.

A binding entry enters the DOWN state when the host's connecting interface is administratively down. If a timer is configured, one of two things happens before timer expiry: either the interface comes up again, or the entry remains in the DOWN state. If the interface comes up before timer expiry, the timer is stopped and the state of the entry changes. If the entry is still in the DOWN state when the timer expires, it is removed from the binding table. If the timer is disabled or turned off, the entry is never removed from the binding table and can remain in the DOWN state indefinitely, or until the interface is up again.

Configure one of these options:

  • seconds : Configure a value for the down-lifetime timer. Enter a value between 1 and 86400 seconds. The default value is 86400 seconds (24 hours).

  • infinite : Disables the timer for the DOWN state. This means that a timer is not started when an entry enters the DOWN state.

logging

Enables generation of logs for binding entry events.

device-tracking binding max-entries no_of_entries [ mac-limit no_of_entries | port-limit no_of_entries | vlan-limit no_of_entries ]

Configures the maximum number of entries for a binding table. Enter a value between 1 and 200000. The default value is 200000.

Note

This limit applies only to dynamic entries and not static binding entries.

Optionally, you can also configure these limits:

  • mac-limit no_of_entries : Configures the maximum number of entries allowed per MAC address. Enter a value between 1 and 100000. By default, a limit is not set.

  • port-limit no_of_entries : Configures the maximum number of entries allowed per interface. Enter a value between 1 and 100000. By default, a limit is not set.

  • vlan-limit no_of_entries : Configures the maximum number of entries allowed per VLAN. Enter a value between 1 and 100000. By default, a limit is not set.

The no form of the command resets the max-entries value to 200000 and sets the mac-limit, port-limit, and vlan-limit to "no limit".

reachable-lifetime { seconds | infinite }

Provides the option to configure a countdown timer for a binding entry in the REACHABLE state, or, to disable the timer.

If a timer is configured, either one of these events may occur before timer expiry - incoming packets are received from the host, or there are no incoming packets from the host. Every time an incoming packet is received from the host, the timer is reset. If no incoming packets are received and the timer expires, then the state of the entry changes based on the reachability of the host. If the timer is disabled or turned off, the entry can remain in the REACHABLE state, indefinitely.

Configure one of these options:

  • seconds : Configure a value for the reachable-lifetime timer. Enter a value between 1 and 86400 seconds. The default value is 300 seconds (5 minutes).

  • infinite : Disables the timer for the REACHABLE state. This means that a timer is not started when an entry enters the REACHABLE state.

stale-lifetime { seconds | infinite }

Provides the option to configure a countdown timer for a binding entry in the STALE state, or, to disable the timer.

If a timer is configured, either one of these events may occur before timer expiry - incoming packets are received from the host, or there are no incoming packets from the host. If an incoming packet is received, the timer is stopped and the entry transitions to a new state. If no incoming packets are received and the timer expires, then the entry is removed from the binding table. If the timer is disabled or turned off, the entry can remain in the STALE state, indefinitely.

If polling is enabled, a final attempt is made to probe the host at stale timer expiry.

Note

If polling is enabled, polling occurs when the reachable lifetime timer expires (3 times), and then a final attempt at stale timer expiry as well. The time required to poll an entry after expiry of reachable lifetime, is subtracted from the stale lifetime.

Configure one of these options:

  • seconds : Configure a value for the stale-lifetime timer. Enter a value between 1 and 86400 seconds. The default value is 86400 seconds (24 hours).

  • infinite : Disables the timer for the STALE state. This means that a timer is not started when an entry enters the STALE state.

device-tracking binding vlan vlan_id { ipv4_add | ipv6_add | ipv6_prefix } [ interface interface_type_no ] [ 48-bit-hardware-address ] [ reachable-lifetime { seconds | default | infinite } | tracking { default | disable | enable [ retry-interval { seconds | default } ] } [ reachable-lifetime { seconds | default | infinite } ] ]

Creates a static binding entry in the binding table. You can also specify how static binding entries are maintained in the binding table.

Note

The limit you configure for the max-entries no_of_entries option (above) does not apply to static binding entries. There is no limit to the number of static entries you can create.

  • Enter an IP address or prefix:

    • ipv4_add : Enter an IPv4 address.

    • ipv6_add : Enter an IPv6 address.

    • ipv6_prefix : Enter an IPv6 prefix.

  • interface interface_type_no : Enter an interface type and number. Use the question mark (?) online help function to display the types of interfaces available on the device.

  • (Optional) 48-bit-hardware-address : Enter a MAC address. If you do not configure a MAC address for the binding entry, any MAC address is allowed.

  • (Optional) reachable-lifetime {seconds | default | infinite } : Configures the reachable lifetime settings for a static binding entry in the REACHABLE state. If you want to configure a reachable lifetime for a static binding entry, you must specify the MAC address for the entry.

    If you do not configure a value, the same value as configured for device-tracking binding reachable-lifetime applies.

    seconds : Configure a value for the reachable-lifetime timer. Enter a value between 1 and 86400 seconds. The default value is 300 seconds (5 minutes).

    default : Uses the same value as configured for dynamic entries in the binding table.

    infinite : Disables the timer for the REACHABLE state. This means that a timer is not started when a static binding entry enters the REACHABLE state.

  • (Optional) tracking {default | disable | enable} : Configures polling related settings for a static binding entry.

    default: Polling is disabled.

    disable : Disables polling for a static binding entry.

    enable : Enables polling for a static binding entry.

    When you enable tracking, you also have the option to configure a retry-interval. This is a multiplicative factor or "base value", for the backoff algorithm. The backoff algorithm determines the wait time between the 3 polling attempts that occur after reachable lifetime expiry.

    Enter a value between 1 and 3600 seconds. The default value is one.

Command Default

If you do not configure a value, the default values for down, reachable, and stale lifetimes, and maximum number of binding entries allowed in a binding table are applicable - as long as a policy-level value is not set. See the Usage Guidelines below for further details.

Command Modes

Global configuration [Device(config)# ]

Command History

Release Modification

Cisco IOS XE Everest 16.6.1

This command was introduced.

Usage Guidelines

The device-tracking binding command enables you to specify how entries are maintained in a binding table, at a global level. The settings therefore apply to all interfaces and VLANs where SISF-based device-tracking is enabled. But for the system to start extracting binding information from packets that enter the network, and to create binding entries to which the settings you configure here will apply, there must exist a policy that is attached to an interface or VLAN.

If there is no policy on any interface or VLAN, the only entries that can exist in a binding table are any static binding entries you create.

Changing Any Binding Entry Setting

When you reconfigure a value or setting with the device-tracking binding command, the change applies only to subsequently created binding entries. The changed configuration does not apply to existing entries. The older setting applies to an older entry.

To display the current settings, enter the show device-tracking database command in privileged EXEC mode.

Global versus Policy-Level Settings

For some of the settings you configure with this command, there are policy-level counterparts. (A policy-level parameter is configured in the device-tracking configuration mode and applies only to that policy.) The tables below clarify when a globally configured value takes precedence and when a policy-level value takes precedence:

Option under device-tracking binding global configuration command: device-tracking binding reachable-lifetime { seconds | infinite }

Policy-level counterpart in the device-tracking configuration mode: tracking enable [reachable-lifetime [seconds | infinite] ]

Device(config)# device-tracking binding reachable-lifetime 2000
Device(config)# device-tracking policy sisf-01
Device(config-device-tracking)# tracking enable reachable-lifetime 250

If a policy-level value and a globally configured value exist, the policy-level value applies.

If only a globally configured value exists, the globally configured value applies.

If only a policy-level value exists, the policy-level value applies.

See: Example: Configuring a Reachable, Stale, and Down Lifetime at the Global vs Policy Level.

Option under device-tracking binding global configuration command: device-tracking binding stale-lifetime { seconds | infinite }

Policy-level counterpart in the device-tracking configuration mode: tracking disable [stale-lifetime [seconds | infinite] ]

Device(config)# device-tracking binding stale-lifetime 2000
Device(config)# device-tracking policy sisf-01
Device(config-device-tracking)# tracking enable stale-lifetime 500

If a policy-level value and a globally configured value exist, the policy-level value applies.

If only a globally configured value exists, the globally configured value applies.

If only a policy-level value exists, the policy-level value applies.

See: Example: Configuring a Reachable, Stale, and Down Lifetime at the Global vs Policy Level.

Option under device-tracking binding global configuration command: device-tracking binding max-entries no_of_entries [ mac-limit no_of_entries | port-limit no_of_entries | vlan-limit no_of_entries ]

Policy-level counterpart in the device-tracking configuration mode: limit address-count ip-per-port

Device(config)# device-tracking binding max-entries 30 vlan-limit 25 port-limit 20 mac-limit 19
Device(config)# device-tracking policy sisf-01
Device(config-device-tracking)# limit address-count 30

If a policy-level value and globally configured values exist, the creation of binding entries is stopped when a limit is reached - this can be one of the global values or the policy-level value.

If only globally configured values exist, the creation of binding entries is stopped when a limit is reached.

If only a policy-level value exists, the creation of binding entries is stopped when the policy-level limit is reached.

See: Example: Global vs Policy-Level Address Limits.

Option under device-tracking binding global configuration command: device-tracking binding max-entries no_of_entries [ mac-limit no_of_entries ]

Policy-level counterpart in the device-tracking configuration mode: IPv4 per MAC and IPv6 per MAC

While you cannot configure either one of the above limits in a policy, a programmatically created policy may have either one, both, or neither one of the limits.

Device(config)# device-tracking binding max-entries 300 mac-limit 3
Device# show device-tracking policy LISP-DT-GLEAN-VLAN

Policy LISP-DT-GLEAN-VLAN configuration:
  security-level glean (*)
  device-role node
  gleaning from Neighbor Discovery
  gleaning from DHCP
  gleaning from ARP
  gleaning from DHCP4
  NOT gleaning from protocol unkn
  limit address-count for IPv4 per mac 4 (*)
  limit address-count for IPv6 per mac 12 (*)
  tracking enable
<output truncated>

If a policy-level value and globally configured values exist, the creation of binding entries is stopped when a limit is reached - this can be one of the global values or the policy-level value.

If only globally configured values exist, the creation of binding entries is stopped when a limit is reached.

If only a policy-level value exists, the creation of binding entries is stopped when the policy-level limit is reached.

Configuring Down, Reachable, Stale Lifetimes

When you configure a non-default value for the down-lifetime, reachable-lifetime, or stale-lifetime keyword, the system reverts the lifetimes that you do not configure to their default values. The following example clarifies this behaviour: Example: Configuring Non-Default Values for Reachable, Stale, and Down Lifetimes.

To display the currently configured lifetime values, enter the show running-config | include device-tracking command in privileged EXEC mode.

Configuring MAC, Port, VLAN Limits

When you configure a non-default value for the mac-limit, port-limit, or vlan-limit keyword, the system reverts the limits that you do not configure to their default values.

To configure all three limits in the same command line, first configure the VLAN limit, then the port limit, and finally the MAC limit:
Device(config)# device-tracking binding max-entries 15 vlan-limit 2 port-limit 20 mac-limit 5

You can also use this system behavior when you want to reset one or more, but not all, limits to their default values. Although the default for all three keywords is that there is no limit, you cannot enter the number "0" to set a limit to its default value, because zero is not within the valid value range for any of the limits. To reset one or more limits to their default values, leave out the corresponding keyword. The following example clarifies this behaviour: Example: Setting VLAN, Port, and MAC Limits to Default Values.
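The precedence rules from the tables above, together with the "keywords you leave out revert to default" behaviour of the lifetime and limit keywords, modelled in Python as an added example (not Cisco code). The defaults are the ones stated in this reference; the policy name sisf-01 and the binding entries are constructed.

```python
"""Model of device-tracking binding global settings versus policy-level settings.
Added example, not Cisco code. Values are the defaults stated in the command reference."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

INFINITE = float("inf")               # the "infinite" keyword: no timer is started
DEFAULT_LIFETIMES = {"reachable": 300, "stale": 86400, "down": 86400}
DEFAULT_MAX_ENTRIES = 200000
LIMIT_KEYS = ("vlan", "port", "mac")  # vlan-limit, port-limit, mac-limit


def _in_range(value: float, low: int, high: int) -> float:
    """Reject values outside the CLI range; 0 is never valid, so it cannot mean 'default'."""
    if value == INFINITE:
        return INFINITE
    if not low <= value <= high:
        raise ValueError(f"{value} is outside {low}-{high}")
    return value


@dataclass
class GlobalBinding:
    """State set by 'device-tracking binding ...' in global configuration mode."""
    lifetimes: Dict[str, float] = field(default_factory=lambda: dict(DEFAULT_LIFETIMES))
    max_entries: int = DEFAULT_MAX_ENTRIES
    limits: Dict[str, int] = field(default_factory=dict)   # missing key = no limit

    def set_lifetimes(self, **given: float) -> Dict[str, float]:
        """One 'device-tracking binding {reachable|stale|down}-lifetime ...' line.
        Every lifetime NOT named on that line reverts to its default."""
        new = dict(DEFAULT_LIFETIMES)
        for state, seconds in given.items():
            if state not in new:
                raise KeyError(state)
            new[state] = _in_range(seconds, 1, 86400)
        self.lifetimes = new
        return dict(new)

    def set_max_entries(self, max_entries: int, **given: int) -> Dict[str, int]:
        """One 'device-tracking binding max-entries N [vlan-limit] [port-limit] [mac-limit]' line.
        Limits NOT named on that line revert to 'no limit'."""
        self.max_entries = int(_in_range(max_entries, 1, 200000))
        new: Dict[str, int] = {}
        for key, value in given.items():
            if key not in LIMIT_KEYS:
                raise KeyError(key)
            new[key] = int(_in_range(value, 1, 100000))
        self.limits = new
        return dict(new)


@dataclass
class Policy:
    """Policy-level counterparts set in device-tracking configuration mode (constructed)."""
    name: str
    lifetimes: Dict[str, float] = field(default_factory=dict)  # tracking enable reachable-/stale-lifetime
    address_count: Optional[int] = None                        # limit address-count (IPs per port)


def effective_lifetime(state: str, glob: GlobalBinding, policy: Optional[Policy]) -> float:
    """A policy-level value wins when both exist; otherwise the global value applies."""
    if policy is not None and state in policy.lifetimes:
        return policy.lifetimes[state]
    return glob.lifetimes[state]


def can_create_entry(table: List[dict], new: dict, glob: GlobalBinding,
                     policy: Optional[Policy] = None) -> Tuple[bool, str]:
    """Dynamic entry creation stops as soon as ANY configured global limit or the
    policy-level limit is reached. Static entries neither count nor are limited."""
    if new.get("static"):
        return True, "static entry: limits do not apply"
    dynamic = [e for e in table if not e.get("static")]
    if len(dynamic) >= glob.max_entries:
        return False, "max-entries"
    counts = {k: sum(1 for e in dynamic if e[k] == new[k]) for k in LIMIT_KEYS}
    for key in LIMIT_KEYS:
        if key in glob.limits and counts[key] >= glob.limits[key]:
            return False, f"{key}-limit"
    if policy is not None and policy.address_count is not None \
            and counts["port"] >= policy.address_count:
        return False, f"policy {policy.name} limit address-count"
    return True, "ok"


if __name__ == "__main__":
    g = GlobalBinding()
    print(g.set_lifetimes(reachable=700))            # stale and down fall back to 86400
    print(g.set_lifetimes(stale=1500, down=1000))    # reachable falls back to 300
    print(g.set_max_entries(15, vlan=2, port=20, mac=5))
    print(g.set_max_entries(15, port=20))            # vlan-limit and mac-limit back to no limit
    g.set_lifetimes(reachable=2000)
    print(effective_lifetime("reachable", g, Policy("sisf-01", {"reachable": 250})))  # 250
```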

Enabling Logging of Binding Entry Events

When you configure the device-tracking binding logging global configuration command to generate logs for binding entry events, you may also have to configure a few general logging settings, depending on your requirements:

  • (Required) The logging buffered informational command in global configuration mode.

    With this command you enable message logging at a device level and you specify a severity level. Configuring the command allows logs to be copied and stored to a local, internal buffer. Specifying a severity level causes messages at that level and numerically lower levels to be logged.

    Logs generated for binding entry events have a severity level of 6 (meaning, informational). For example:

    %SISF-6-ENTRY_CREATED: Entry created IP=192.0.2.24 VLAN=200 MAC=001b.4411.4ab6 I/F=Te1/0/4 Preflevel=00FF

  • (Optional) The logging console command in global configuration mode.

    With this command you send the logs to the console (all available TTY lines).


    Caution

    A low severity level may cause the number of messages being displayed on the console to increase significantly. Further, the console is a slow display device. In message storms some logging messages may be silently dropped when the console queue becomes full. Set severity levels accordingly.

    If you don't want to configure this command, you can view logs when required by entering the show logging command in privileged EXEC mode.

If the logging console command is not enabled, logs are not displayed on the device console, but if you have configured device-tracking binding logging and logging buffered informational , logs will be generated and available in the local buffer.

For information about the kind of binding entry events for which logs are generated, see the system message guide for the corresponding release: System Message Guides. Search for SISF-6.

While the device-tracking binding logging command logs binding entry events, there is also the device-tracking logging command, which enables snooping security logging. The two commands log different kinds of events, and the generated logs have different severity levels.
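A parser for log lines in the %SISF-6-ENTRY_CREATED format shown above, with the severity cut-off that logging buffered informational implies and a per-interface and per-VLAN count of created entries that helps size port-limit and vlan-limit. This is an added Python example, not Cisco code; the sample lines are constructed and the %SYS-5-CONFIG_I line is included only to show non-SISF messages being filtered out.

```python
"""Parse SISF binding-entry syslog lines into structured records.
Added example, not Cisco code; SAMPLE_LOG is constructed, not a real capture."""
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional

# IOS severity levels: 'logging buffered informational' keeps 0..6 and drops 7
SEVERITY_NAMES = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
                  4: "warnings", 5: "notifications", 6: "informational", 7: "debugging"}

# %FACILITY-SEVERITY-MNEMONIC: free text with KEY=VALUE fields
MSG_RE = re.compile(r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)")
KV_RE = re.compile(r"(?P<key>[A-Za-z][A-Za-z0-9/]*)=(?P<value>\S+)")

# Constructed sample lines in the format documented above (timestamp prefix optional)
SAMPLE_LOG = [
    "*Mar  1 00:12:34.567: %SISF-6-ENTRY_CREATED: Entry created IP=192.0.2.24 VLAN=200 "
    "MAC=001b.4411.4ab6 I/F=Te1/0/4 Preflevel=00FF",
    "%SISF-6-ENTRY_CREATED: Entry created IP=192.0.2.25 VLAN=200 MAC=001b.4411.4ab7 I/F=Te1/0/4 Preflevel=00FF",
    "%SISF-6-ENTRY_CREATED: Entry created IP=2001:db8::10 VLAN=300 MAC=001b.4411.4ab8 I/F=Te1/0/2 Preflevel=00FF",
    "%SYS-5-CONFIG_I: Configured from console by console",
]


def parse_line(line: str) -> Optional[Dict]:
    """Split one syslog line into facility, severity, mnemonic and KEY=VALUE fields."""
    m = MSG_RE.search(line)
    if m is None:
        return None
    rec: Dict = {"facility": m.group("facility"), "severity": int(m.group("severity")),
                 "mnemonic": m.group("mnemonic"), "fields": {}}
    for kv in KV_RE.finditer(m.group("text")):
        rec["fields"][kv.group("key")] = kv.group("value")
    if "Preflevel" in rec["fields"]:            # preference level is printed in hexadecimal
        rec["preflevel"] = int(rec["fields"]["Preflevel"], 16)
    return rec


def sisf_records(lines: Iterable[str], max_severity: int = 6) -> List[Dict]:
    """Keep SISF messages at max_severity or numerically lower, which is what
    'logging buffered <level>' lets into the buffer (6 = informational)."""
    out = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["facility"] == "SISF" and rec["severity"] <= max_severity:
            out.append(rec)
    return out


def entries_per_target(records: Iterable[Dict]) -> Dict[str, Counter]:
    """Count ENTRY_CREATED events per interface and per VLAN; compare the result
    with the port-limit and vlan-limit values you intend to configure."""
    per_if: Counter = Counter()
    per_vlan: Counter = Counter()
    for rec in records:
        if rec["mnemonic"] != "ENTRY_CREATED":
            continue
        per_if[rec["fields"].get("I/F", "?")] += 1
        per_vlan[rec["fields"].get("VLAN", "?")] += 1
    return {"interface": per_if, "vlan": per_vlan}


if __name__ == "__main__":
    recs = sisf_records(SAMPLE_LOG)
    for r in recs:
        print(SEVERITY_NAMES[r["severity"]], r["mnemonic"], r["fields"])
    print(entries_per_target(recs))
```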

Creating a Static Binding Entry

If there are silent but reachable hosts in the Layer 2 domain, and you want to retain binding information for these silent hosts, you can create static binding entries.

While there is no limit to the number of static entries you can create, these entries also contribute to the size of the binding table. Consider the number of such entries you require, before you create them.

You can create a static binding entry even if a policy is not attached to the interface or VLAN specified in the static binding entry.

When you configure a static binding entry followed by its settings (for example, reachable-lifetime), the configuration applies only to that static binding entry and not to any other entries, static or dynamic. The following example shows you how to create a static binding entry: Example: Creating a Static Binding Entry.

Examples

Example: Configuring Non-Default Values for Reachable, Stale, and Down Lifetimes

The following example clarifies system behaviour when you configure values for reachable, stale, and down lifetimes separately (the effect is not cumulative). It also shows you how to configure values in a way that the configuration is retained for all the lifetimes.

In the first step of this example only a reachable-lifetime is configured. This means the down-lifetime and stale-lifetime are set to their defaults, because the stale-lifetime and down-lifetime keywords have been left out:
Device(config)# device-tracking binding reachable-lifetime 700
Device(config)# exit
Device# show running-config | include device-tracking
device-tracking policy sisf-01
 device-tracking attach-policy sisf-01
 device-tracking attach-policy sisf-01 vlan 200
device-tracking binding reachable-lifetime 700
device-tracking binding logging
In the next step of this example, a stale-lifetime of 1500 seconds and a down-lifetime of 1000 seconds are configured. With this, the reachable-lifetime configured in the previous step is reset to its default:
Device(config)# device-tracking binding stale-lifetime 1500 down-lifetime 1000
Device(config)# exit
Device# show running-config | include device-tracking    
device-tracking policy sisf-01
 device-tracking attach-policy sisf-01
 device-tracking attach-policy sisf-01 vlan 200
device-tracking binding stale-lifetime 1500 down-lifetime 1000
device-tracking binding logging
In the next step of this example, reachable, stale, and down lifetimes of 700, 1000, and 200 seconds respectively are configured. With this, the value for the stale-lifetime is changed from 1500 seconds to 1000 seconds. The down-lifetime is changed from 1000 to 200. The reachable-lifetime is configured as 700 seconds.
Device(config)# device-tracking binding reachable-lifetime 700 stale-lifetime 1000 down-lifetime 200
Device(config)# exit
Device# show running-config | include device-tracking
device-tracking policy sisf-01
 device-tracking attach-policy sisf-01
 device-tracking attach-policy sisf-01 vlan 200
device-tracking binding reachable-lifetime 700 stale-lifetime 1000 down-lifetime 200
device-tracking binding logging

If any one of the lifetimes requires a change and the values for the other lifetimes must be retained, all three keywords must be reconfigured with the required values each time, in the same command line.

Example: Configuring a Reachable, Stale, and Down Lifetime at the Global vs Policy Level

The following example shows you how to configure the reachable, stale, and down lifetimes for binding entries at a global level. This example also shows you how you can then override the global setting and configure a different lifetime for entries learned on a particular interface or VLAN, by configuring a policy-level setting.

In the first part of the example, the output of the show device-tracking policy policy-name command shows that a policy-level value is not set and the default binding table settings are applicable to the existing entries. After a reachable, stale, and down lifetime is configured with the device-tracking binding command in global configuration mode, the new values are effective and are applied only to the four new entries that are added to the table.


Note


In the output of the show device-tracking database command, note the Time left column for the binding entries. There is a minor difference in the reachable lifetime of each entry. This is a system-imposed jitter (+/- 5 percent of the configured value), to ensure that system performance is not affected when a large number of entries are added to the binding table. Binding entries go through their lifecycle in a staggered manner, thus preventing points of congestion.


Current configuration, which shows that policy-level reachable lifetime is not configured. The binding table entries show that the current reachable lifetime is 500 seconds (time left + age):
Device# show device-tracking policy sisf-01 
Device-tracking policy sisf-01 configuration: 
  security-level guard
  device-role node
  gleaning from Neighbor Discovery
  gleaning from DHCP6
  gleaning from ARP
  gleaning from DHCP4
  NOT gleaning from protocol unkn
Policy sisf-01 is applied on the following targets: 
Target               Type  Policy               Feature        Target range
Te1/0/4              PORT  sisf-01              Device-tracking vlan 200

Device# show device-tracking database 
Binding Table has 4 entries, 4 dynamic (limit 200000)
Codes: L - Local, S - Static, ND - Neighbor Discovery, ARP - Address Resolution Protocol, DH4 - IPv4 DHCP, DH6 - IPv6 DHCP, PKT - Other Packet, API - API created
Preflevel flags (prlvl):
0001:MAC and LLA match     0002:Orig trunk            0004:Orig access           
0008:Orig trusted trunk    0010:Orig trusted access   0020:DHCP assigned         
0040:Cga authenticated     0080:Cert authenticated    0100:Statically assigned   

Network Layer Address                        Link Layer Address     Interface  vlan       prlvl      age        state      Time left       <<<< 
ARP 192.0.9.9                                000a.959d.6816         Te1/0/4    200        0064       40s        REACHABLE  466 s           
ARP 192.0.9.8                                000a.959d.6816         Te1/0/4    200        0064       40s        REACHABLE  472 s           
ARP 192.0.9.7                                000a.959d.6816         Te1/0/4    200        0064       40s        REACHABLE  470 s           
ARP 192.0.9.6                                000a.959d.6816         Te1/0/4    200        0064       40s        REACHABLE  469 s      
Configuration of reachable, stale and down lifetime at the global level. New values apply only to binding entries created after this:
Device(config)# device-tracking binding reachable-lifetime 700 stale-lifetime 1000 down-lifetime 200

Device# show device-tracking database
Binding Table has 8 entries, 8 dynamic (limit 200000)
Codes: L - Local, S - Static, ND - Neighbor Discovery, ARP - Address Resolution Protocol, DH4 - IPv4 DHCP, DH6 - IPv6 DHCP, PKT - Other Packet, API - API created
Preflevel flags (prlvl):
0001:MAC and LLA match     0002:Orig trunk            0004:Orig access           
0008:Orig trusted trunk    0010:Orig trusted access   0020:DHCP assigned         
0040:Cga authenticated     0080:Cert authenticated    0100:Statically assigned   

Network Layer Address                        Link Layer Address     Interface  vlan       prlvl      age        state      Time left       
ARP 192.0.9.13                               000a.959d.6816         Te1/0/4    200        00C8       4s         REACHABLE  699 s           <<<< new global value applied
ARP 192.0.9.12                               000a.959d.6816         Te1/0/4    200        00C8       4s         REACHABLE  719 s           <<<< new global value applied
ARP 192.0.9.11                               000a.959d.6816         Te1/0/4    200        00C8       4s         REACHABLE  728 s           <<<< new global value applied
ARP 192.0.9.10                               000a.959d.6816         Te1/0/4    200        00C8       4s         REACHABLE  712 s           <<<< new global value applied
ARP 192.0.9.9                                000a.959d.6816         Te1/0/4    200        0064       9mn        STALE      try 0 1209 s          
ARP 192.0.9.8                                000a.959d.6816         Te1/0/4    200        0064       9mn        VERIFY     5 s try 3       
ARP 192.0.9.7                                000a.959d.6816         Te1/0/4    200        0064       9mn        VERIFY     2816 ms try 3   
ARP 192.0.9.6                                000a.959d.6816         Te1/0/4    200        0064       9mn        VERIFY     1792 ms try 3   

In this second part of the example, a policy-level value is configured and the reachable lifetime is set to 50 seconds. This new reachable lifetime is again applicable only to entries created after this.

Only a reachable lifetime is configured at the policy-level and not a stale and down lifetime. This means it is still the global values that apply if the reachable lifetime of the two new entries expires and they move to the STALE or DOWN state.

Device(config)# device-tracking policy sisf-01
Device(config-device-tracking)# tracking enable reachable-lifetime 50
Device# show device-tracking policy sisf-01 
Device-tracking policy sisf-01 configuration: 
  security-level guard
  device-role node
  gleaning from Neighbor Discovery
  gleaning from DHCP6
  gleaning from ARP
  gleaning from DHCP4
  NOT gleaning from protocol unkn
  tracking enable reachable-lifetime 50    <<<< new value applies only to binding entries created after this and on interfaces and VLANs where this policy is attached.
Policy sisf-01 is applied on the following targets: 
Target               Type  Policy               Feature        Target range
Te1/0/4              PORT  sisf-01              Device-tracking vlan 200

Device# show device-tracking database         
Binding Table has 10 entries, 10 dynamic (limit 200000)
Codes: L - Local, S - Static, ND - Neighbor Discovery, ARP - Address Resolution Protocol, DH4 - IPv4 DHCP, DH6 - IPv6 DHCP, PKT - Other Packet, API - API created
Preflevel flags (prlvl):
0001:MAC and LLA match     0002:Orig trunk            0004:Orig access           
0008:Orig trusted trunk    0010:Orig trusted access   0020:DHCP assigned         
0040:Cga authenticated     0080:Cert authenticated    0100:Statically assigned   


Network Layer Address                        Link Layer Address     Interface  vlan       prlvl      age        state      Time left       
ARP 192.0.9.21                               000a.959d.6816         Te1/0/4    200        0064       5s         REACHABLE  45 s            <<<< new policy-level value applied
ARP 192.0.9.20                               000a.959d.6816         Te1/0/4    200        0064       5s         REACHABLE  46 s            <<<< new policy-level value applied
ARP 192.0.9.13                               000a.959d.6816         Te1/0/4    200        00C8       14mn       STALE     try 0 865 s           
ARP 192.0.9.12                               000a.959d.6816         Te1/0/4    200        00C8       14mn       STALE     try 0 183 s           
ARP 192.0.9.11                               000a.959d.6816         Te1/0/4    200        00C8       14mn       STALE     try 0 178 s           
ARP 192.0.9.10                               000a.959d.6816         Te1/0/4    200        00C8       14mn       STALE     try 0 165 s           
ARP 192.0.9.9                                000a.959d.6816         Te1/0/4    200        0064       23mn       STALE     try 0 327 s           
ARP 192.0.9.8                                000a.959d.6816         Te1/0/4    200        0064       23mn       STALE     try 0 286 s           
ARP 192.0.9.7                                000a.959d.6816         Te1/0/4    200        0064       23mn       STALE     try 0 303 s           
ARP 192.0.9.6                                000a.959d.6816         Te1/0/4    200        0064       23mn       STALE     try 0 306 s          

Device# show device-tracking database <<<< checking binding table again after new policy-level reachable-lifetime expires
Binding Table has 7 entries, 7 dynamic (limit 200000)
Codes: L - Local, S - Static, ND - Neighbor Discovery, ARP - Address Resolution Protocol, DH4 - IPv4 DHCP, DH6 - IPv6 DHCP, PKT - Other Packet, API - API created
Preflevel flags (prlvl):
0001:MAC and LLA match     0002:Orig trunk            0004:Orig access           
0008:Orig trusted trunk    0010:Orig trusted access   0020:DHCP assigned         
0040:Cga authenticated     0080:Cert authenticated    0100:Statically assigned   

Network Layer Address                        Link Layer Address     Interface  vlan       prlvl      age        state      Time left       
ARP 192.0.9.21                               000a.959d.6816         Te1/0/4    200        0064       3mn        STALE     try 0 887 s  <<<< global value applies for stale-lifetime;  policy-level value was not configured
ARP 192.0.9.20                               000a.959d.6816         Te1/0/4    200        0064       3mn        STALE     try 0 884 s  <<<< global value applies for stale-lifetime;  policy-level value was not configured
ARP 192.0.9.13                               000a.959d.6816         Te1/0/4    200        00C8       17mn       STALE     try 0 664 s           
ARP 192.0.9.9                                000a.959d.6816         Te1/0/4    200        0064       27mn       STALE     try 0 136 s           
ARP 192.0.9.8                                000a.959d.6816         Te1/0/4    200        0064       27mn       STALE     try 0 96 s            
ARP 192.0.9.7                                000a.959d.6816         Te1/0/4    200        0064       27mn       STALE     try 0 108 s           
ARP 192.0.9.6                                000a.959d.6816         Te1/0/4    200        0064       27mn       STALE     try 0 111 s  

Example: Creating a Static Binding Entry

The following example shows you how to create a static binding entry. The "S" at the beginning of the entry indicates that it is a static binding entry:
Device(config)# device-tracking binding vlan 100 192.0.2.1 interface tengigabitethernet1/0/1 00:00:5e:00:53:af reachable-lifetime infinite
Device(config)# exit
Device# show device-tracking database
Binding Table has 2 entries, 0 dynamic (limit 200000)
Codes: L - Local, S - Static, ND - Neighbor Discovery, ARP - Address Resolution Protocol, DH4 - IPv4 DHCP, DH6 - IPv6 DHCP, PKT - Other Packet, API - API created
Preflevel flags (prlvl):
0001:MAC and LLA match     0002:Orig trunk            0004:Orig access           
0008:Orig trusted trunk    0010:Orig trusted access   0020:DHCP assigned         
0040:Cga authenticated     0080:Cert authenticated    0100:Statically assigned   


    Network Layer Address                    Link Layer Address     Interface  vlan       prlvl      age        state      Time left                    
S   192.0.2.1                                0000.5e00.53af         Te1/0/1    100        0100       14s        REACHABLE  N/A             

Example: Global vs Policy-Level Address Limits

The following example shows you how to assess which address limit is reached first, when you configure address limits at the global level and at the policy level.

The global-level settings refer to the values configured with the following command: device-tracking binding max-entries no_of_entries [mac-limit no_of_entries | port-limit no_of_entries | vlan-limit no_of_entries]

The policy-level setting refers to the limit address-count option in device-tracking configuration mode.

For this first part of the example, the configuration is as follows:

  • Global configuration: max-entries=30, vlan-limit=25, port-limit=20, mac-limit=19.

  • Policy-level configuration: limit address-count=45.

The output of the show device-tracking database details privileged EXEC command shows that the port limit (max/port) is reached first. A maximum of 20 entries are allowed on a port or interface. No further binding entries are created after this. While the mac limit is configured with a lower absolute value (19), the output of the show device-tracking database mac privileged EXEC command shows that there are only 3 unique MAC addresses in the list of binding entries in the table, so this limit is not reached.

Device# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Device(config)# device-tracking binding max-entries 30 vlan-limit 25 port-limit 20 mac-limit 19
Device(config)# device-tracking policy sisf-01
Device(config-device-tracking)# limit address-count 45
Device(config-device-tracking)# end
Device# show device-tracking policy sisf-01    
Device-tracking policy sisf-01 configuration: 
  security-level guard
  device-role node
  gleaning from Neighbor Discovery
  gleaning from DHCP6
  gleaning from ARP
  gleaning from DHCP4
  NOT gleaning from protocol unkn
  limit address-count 45
Policy sisf-01 is applied on the following targets: 
Target               Type  Policy               Feature        Target range
Te1/0/4              PORT  sisf-01              Device-tracking vlan 200

Device# show device-tracking database details
 Binding table configuration:
 ----------------------------
 max/box  : 30
 max/vlan : 25
 max/port : 20
 max/mac  : 19

 Binding table current counters:
 ------------------------------
 dynamic  : 20
 local    : 0
 total    : 20    <<<< no further entries created after this.

 Binding table counters by state:
 ----------------------------------
 REACHABLE  : 20
   total    : 20
<output truncated>

Device# show device-tracking database        
Binding Table has 20 entries, 20 dynamic (limit 30)
Codes: L - Local, S - Static, ND - Neighbor Discovery, ARP - Address Resolution Protocol, DH4 - IPv4 DHCP, DH6 - IPv6 DHCP, PKT - Other Packet, API - API created
Preflevel flags (prlvl):
0001:MAC and LLA match     0002:Orig trunk            0004:Orig access           
0008:Orig trusted trunk    0010:Orig trusted access   0020:DHCP assigned         
0040:Cga authenticated     0080:Cert authenticated    0100:Statically assigned   

Network Layer Address                        Link Layer Address     Interface  vlan       prlvl      age        state      Time left       
ARP 192.0.9.39                               000c.959d.6816         Te1/0/4    200        0064       14s        REACHABLE  37 s            
ARP 192.0.9.38                               000b.959d.6816         Te1/0/4    200        0064       14s        REACHABLE  37 s            
ARP 192.0.9.37                               000b.959d.6816         Te1/0/4    200        0064       14s        REACHABLE  36 s            
ARP 192.0.9.36                               000b.959d.6816         Te1/0/4    200        0064       14s        REACHABLE  39 s            
ARP 192.0.9.35                               000b.959d.6816         Te1/0/4    200        0064       14s        REACHABLE  38 s            
ARP 192.0.9.34                               000b.959d.6816         Te1/0/4    200        0064       14s        REACHABLE  37 s            
ARP 192.0.9.33                               000b.959d.6816         Te1/0/4    200        0064       15s        REACHABLE  36 s            
ARP 192.0.9.32                               000b.959d.6816         Te1/0/4    200        0064       15s        REACHABLE  37 s            
ARP 192.0.9.31                               000b.959d.6816         Te1/0/4    200        0064       15s        REACHABLE  36 s            
ARP 192.0.9.30                               000b.959d.6816         Te1/0/4    200        0064       15s        REACHABLE  36 s            
ARP 192.0.9.29                               000b.959d.6816         Te1/0/4    200        0064       15s        REACHABLE  35 s            
ARP 192.0.9.28                               000a.959d.6816         Te1/0/4    200        0064       15s        REACHABLE  36 s            
ARP 192.0.9.27                               000a.959d.6816         Te1/0/4    200        0064       16s        REACHABLE  35 s            
ARP 192.0.9.26                               000a.959d.6816         Te1/0/4    200        0064       16s        REACHABLE  36 s            
ARP 192.0.9.25                               000a.959d.6816         Te1/0/4    200        0064       16s        REACHABLE  34 s            
ARP 192.0.9.24                               000a.959d.6816         Te1/0/4    200        0064       16s        REACHABLE  35 s            
ARP 192.0.9.23                               000a.959d.6816         Te1/0/4    200        0064       16s        REACHABLE  34 s            
ARP 192.0.9.22                               000a.959d.6816         Te1/0/4    200        0064       16s        REACHABLE  36 s            
ARP 192.0.9.21                               000a.959d.6816         Te1/0/4    200        0064       17s        REACHABLE  33 s            
ARP 192.0.9.20                               000a.959d.6816         Te1/0/4    200        0064       17s        REACHABLE  33 s            

Device# show device-tracking database mac
 MAC                    Interface  vlan       prlvl      state            Time left        Policy           Input_index
 000c.959d.6816         Te1/0/4    200        NO TRUST   MAC-REACHABLE    27 s             sisf-01          12      
 000b.959d.6816         Te1/0/4    200        NO TRUST   MAC-REACHABLE    27 s             sisf-01          12      
 000a.959d.6816         Te1/0/4    200        NO TRUST   MAC-REACHABLE    27 s             sisf-01          12 
 

For this second part of the example, the configuration is as follows:

  • Global configuration: max-entries=30, vlan-limit=25, port-limit=20, mac-limit=19.

  • Policy-level configuration: limit address-count=14.

The limit that is reached first is the policy-level limit address-count. A maximum of 14 IP addresses (IPv4 and IPv6) are allowed on the port or interface where policy "sisf-01" is applied. No further binding entries are created after this. While the mac limit is configured with a lower absolute value (19), there are only 3 unique MAC addresses in the list of binding entries in the table, so this limit is not reached.

Device# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Device(config)# device-tracking policy sisf-01
Device(config-device-tracking)# limit address-count 14
Device(config-device-tracking)# end
Device# show device-tracking policy sisf-01    
Device-tracking policy sisf-01 configuration: 
  security-level guard
  device-role node
  gleaning from Neighbor Discovery
  gleaning from DHCP6
  gleaning from ARP
  gleaning from DHCP4
  NOT gleaning from protocol unkn
  limit address-count 14
Policy sisf-01 is applied on the following targets: 
Target               Type  Policy               Feature        Target range
Te1/0/4              PORT  sisf-01              Device-tracking vlan 200
 
After the stale lifetime of all the existing entries has expired and the entries have been removed from the binding table, new entries are added according to the reconfigured values:
Device# show device-tracking database  <<<< checking time left for stale-lifetime to expire for existing entries.
Binding Table has 20 entries, 20 dynamic (limit 30)
Codes: L - Local, S - Static, ND - Neighbor Discovery, ARP - Address Resolution Protocol, DH4 - IPv4 DHCP, DH6 - IPv6 DHCP, PKT - Other Packet, API - API created
Preflevel flags (prlvl):
0001:MAC and LLA match     0002:Orig trunk            0004:Orig access           
0008:Orig trusted trunk    0010:Orig trusted access   0020:DHCP assigned         
0040:Cga authenticated     0080:Cert authenticated    0100:Statically assigned   

Network Layer Address                        Link Layer Address     Interface  vlan       prlvl      age        state     Time left       
ARP 192.0.9.39                               000c.959d.6816         Te1/0/4    200        0064       13mn       STALE     try 0 316 s           
ARP 192.0.9.38                               000b.959d.6816         Te1/0/4    200        0064       13mn       STALE     try 0 279 s           
ARP 192.0.9.37                               000b.959d.6816         Te1/0/4    200        0064       13mn       STALE     try 0 308 s           
ARP 192.0.9.36                               000b.959d.6816         Te1/0/4    200        0064       13mn       STALE     try 0 274 s           
ARP 192.0.9.35                               000b.959d.6816         Te1/0/4    200        0064       13mn       STALE     try 0 279 s           
ARP 192.0.9.34                               000b.959d.6816         Te1/0/4    200        0064       13mn       STALE     try 0 261 s           
ARP 192.0.9.33                               000b.959d.6816         Te1/0/4    200        0064       13mn       STALE     try 0 258 s           
ARP 192.0.9.32                               000b.959d.6816         Te1/0/4    200        0064       13mn       STALE     try 0 263 s           
ARP 192.0.9.31                               000b.959d.6816         Te1/0/4    200        0064       13mn       STALE     try 0 266 s           
ARP 192.0.9.30                               000b.959d.6816         Te1/0/4    200        0064       13mn       STALE     try 0 273 s           
ARP 192.0.9.29                               000b.959d.6816         Te1/0/4    200        0064       13mn       STALE     try 0 277 s           
ARP 192.0.9.28                               000a.959d.6816         Te1/0/4    200        0064       13mn       STALE     try 0 282 s           
ARP 192.0.9.27                               000a.959d.6816         Te1/0/4    200        0064       13mn       STALE     try 0 272 s           
ARP 192.0.9.26                               000a.959d.6816         Te1/0/4    200        0064       13mn       STALE     try 0 268 s           
ARP 192.0.9.25                               000a.959d.6816         Te1/0/4    200        0064       13mn       STALE     try 0 244 s           
ARP 192.0.9.24                               000a.959d.6816         Te1/0/4    200        0064       13mn       STALE     try 0 248 s           
ARP 192.0.9.23                               000a.959d.6816         Te1/0/4    200        0064       13mn       STALE     try 0 284 s           
ARP 192.0.9.22                               000a.959d.6816         Te1/0/4    200        0064       13mn       STALE     try 0 241 s           
ARP 192.0.9.21                               000a.959d.6816         Te1/0/4    200        0064       13mn       STALE     try 0 256 s           
ARP 192.0.9.20                               000a.959d.6816         Te1/0/4    200        0064       13mn       STALE     try 0 243 s    

Device# show device-tracking database  <<<no output indicates no entries in the database
 
Device# show device-tracking database details

 Binding table configuration:
 ----------------------------
 max/box  : 30
 max/vlan : 25
 max/port : 20
 max/mac  : 19

 Binding table current counters:
 ------------------------------
 dynamic  : 14
 local    : 0
 total    : 14

 Binding table counters by state:
 ----------------------------------
 REACHABLE  : 14
   total    : 14
<output truncated>

Device# show device-tracking database          
Binding Table has 14 entries, 14 dynamic (limit 30)
Codes: L - Local, S - Static, ND - Neighbor Discovery, ARP - Address Resolution Protocol, DH4 - IPv4 DHCP, DH6 - IPv6 DHCP, PKT - Other Packet, API - API created
Preflevel flags (prlvl):
0001:MAC and LLA match     0002:Orig trunk            0004:Orig access           
0008:Orig trusted trunk    0010:Orig trusted access   0020:DHCP assigned         
0040:Cga authenticated     0080:Cert authenticated    0100:Statically assigned   

Network Layer Address                        Link Layer Address     Interface  vlan       prlvl      age        state      Time left       
ARP 192.0.9.68                               0001.5e00.53af         Te1/0/4    200        0064       4s         REACHABLE  48 s            
ARP 192.0.9.67                               0001.5e00.53af         Te1/0/4    200        0064       4s         REACHABLE  48 s            
ARP 192.0.9.66                               0001.5e00.53af         Te1/0/4    200        0064       4s         REACHABLE  47 s            
ARP 192.0.9.65                               0001.5e00.53af         Te1/0/4    200        0064       4s         REACHABLE  48 s            
ARP 192.0.9.64                               0001.5e00.53af         Te1/0/4    200        0064       4s         REACHABLE  46 s            
ARP 192.0.9.63                               0000.5e00.53af         Te1/0/4    200        0064       7s         REACHABLE  44 s            
ARP 192.0.9.62                               0000.5e00.53af         Te1/0/4    200        0064       7s         REACHABLE  45 s            
ARP 192.0.9.61                               0000.5e00.53af         Te1/0/4    200        0064       7s         REACHABLE  43 s            
ARP 192.0.9.60                               0000.5e00.53af         Te1/0/4    200        0064       7s         REACHABLE  44 s            
ARP 192.0.9.59                               0000.5e00.53af         Te1/0/4    200        0064       7s         REACHABLE  44 s            
ARP 192.0.9.58                               0000.5e00.53af         Te1/0/4    200        0064       8s         REACHABLE  44 s            
ARP 192.0.9.57                               0000.5e00.53af         Te1/0/4    200        0064       8s         REACHABLE  44 s            
ARP 192.0.9.56                               0000.5e00.53af         Te1/0/4    200        0064       10s        REACHABLE  41 s            
ARP 192.0.9.55                               0000.5e00.53af         Te1/0/4    200        0064       10s        REACHABLE  40 s   

Device# show device-tracking database mac      
 MAC                    Interface  vlan       prlvl      state            Time left        Policy           Input_index
 0001.5e00.53af         Te1/0/4    200        NO TRUST   MAC-REACHABLE    30 s             sisf-01          12      
 0000.5e00.53af         Te1/0/4    200        NO TRUST   MAC-REACHABLE    30 s             sisf-01          12      

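The "which limit is reached first" reasoning in both parts of this example can be checked with a small model of the binding table. The following Python is an added example, not Cisco code: it applies the global max-entries, vlan-limit, port-limit and mac-limit values and the policy-level limit address-count to constructed ARP-learned hosts and reports the limit that rejects the next entry, reproducing both parts above and one further case where mac-limit is the binding one. It assumes that mac-limit caps entries per MAC address (as the MAC-limits example further down states) and keys the policy limit by interface, a simplification of the target and target-range model.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    interface: str
    vlan: int


@dataclass
class GlobalLimits:
    """Values of 'device-tracking binding max-entries N [vlan-limit N] [port-limit N] [mac-limit N]'.
    None models the 'no limit' shown by 'show device-tracking database details'."""
    max_entries: int
    vlan_limit: Optional[int] = None
    port_limit: Optional[int] = None
    mac_limit: Optional[int] = None


@dataclass
class BindingTable:
    limits: GlobalLimits
    # interface -> 'limit address-count' of the policy attached to it (None: no policy limit).
    # Assumption: the policy target is identified by interface only.
    policy_address_count: Dict[str, Optional[int]] = field(default_factory=dict)
    entries: List[Binding] = field(default_factory=list)

    def _count(self, pred) -> int:
        return sum(1 for e in self.entries if pred(e))

    def blocking_limit(self, new: Binding) -> Optional[str]:
        """Name of the first limit that would reject `new`, or None if it fits."""
        on_port = self._count(lambda e: e.interface == new.interface)
        checks = [
            ("max-entries", self.limits.max_entries, len(self.entries)),
            ("vlan-limit", self.limits.vlan_limit, self._count(lambda e: e.vlan == new.vlan)),
            ("port-limit", self.limits.port_limit, on_port),
            # mac-limit caps the number of entries per MAC address
            ("mac-limit", self.limits.mac_limit, self._count(lambda e: e.mac == new.mac)),
            # policy level: addresses allowed on the target the policy is attached to
            ("limit address-count", self.policy_address_count.get(new.interface), on_port),
        ]
        for name, limit, current in checks:
            if limit is not None and current >= limit:
                return name
        return None

    def add(self, b: Binding) -> bool:
        if b in self.entries:
            return True          # an existing entry is refreshed, no new slot is needed
        if self.blocking_limit(b) is not None:
            return False
        self.entries.append(b)
        return True


def fill_from_hosts(table: BindingTable, macs: List[str], n: int,
                    interface: str = "Te1/0/4", vlan: int = 200) -> Tuple[int, Optional[str]]:
    """Offer n constructed hosts 192.0.9.20, 192.0.9.21, ... whose MACs cycle through `macs`.
    Returns (entries accepted, limit that rejected the first refused entry)."""
    accepted, stopped_by = 0, None
    for i in range(n):
        b = Binding(f"192.0.9.{20 + i}", macs[i % len(macs)], interface, vlan)
        if table.add(b):
            accepted += 1
        else:
            stopped_by = table.blocking_limit(b)
            break
    return accepted, stopped_by


def part_one() -> Tuple[int, Optional[str]]:
    """Global max 30/vlan 25/port 20/mac 19, policy address-count 45, hosts on 3 MACs:
    port-limit 20 is hit first although mac-limit 19 is the lower number."""
    t = BindingTable(GlobalLimits(30, vlan_limit=25, port_limit=20, mac_limit=19),
                     {"Te1/0/4": 45})
    return fill_from_hosts(t, ["000a.959d.6816", "000b.959d.6816", "000c.959d.6816"], 40)


def part_two() -> Tuple[int, Optional[str]]:
    """Same global values, policy address-count 14: the policy-level limit is hit first."""
    t = BindingTable(GlobalLimits(30, vlan_limit=25, port_limit=20, mac_limit=19),
                     {"Te1/0/4": 14})
    return fill_from_hosts(t, ["0000.5e00.53af", "0001.5e00.53af"], 40)


if __name__ == "__main__":
    print(part_one())  # (20, 'port-limit')
    print(part_two())  # (14, 'limit address-count')
```
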
Example: Setting VLAN, Port, and MAC Limits to Default Values

The following example shows you how to reset one or more limits to their default values.
Device(config)# device-tracking binding max-entries 30 vlan-limit 25 port-limit 20 mac-limit 19 <<<< all three limits configured.
Device(config)#exit
Device# show device-tracking database details

 Binding table configuration:
 ----------------------------
 max/box  : 30
 max/vlan : 25
 max/port : 20
 max/mac  : 19
<output truncated>

Device# configure terminal
Device(config)# device-tracking binding max-entries 30 vlan-limit 25 <<<< only VLAN limit configured; port-limit and mac-limit keywords left out.
Device(config)# exit
Device# show device-tracking database details

 Binding table configuration:
 ----------------------------
 max/box  : 30
 max/vlan : 25
 max/port : no limit    <<<reset to default
 max/mac  : no limit    <<<reset to default

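The lifetime example earlier and this limits example rest on the same rule: keywords left out of a device-tracking binding command line are reset, not retained. The Python below is an added example rather than Cisco code; it models that rule for the lifetime form and the max-entries form, replays the command lines from both examples, and renders the resulting max/box, max/vlan, max/port and max/mac lines. The default lifetime values (300, 86400 and 86400 seconds) are assumptions, since this section states only that omitted lifetimes return to default; treating the two forms as independent follows from their appearing as separate running-config lines.

```python
from typing import Dict, List, Optional

State = Dict[str, Optional[int]]

# Assumed defaults for lifetime keywords left out of the command line (this section of the
# guide only says such lifetimes are "set to default"); adjust to your platform.
DEFAULT_LIFETIMES: Dict[str, int] = {
    "reachable-lifetime": 300,
    "stale-lifetime": 86400,
    "down-lifetime": 86400,
}
# Sub-limits of the max-entries form; None renders as "no limit" in
# 'show device-tracking database details'.
LIMIT_KEYWORDS = ("vlan-limit", "port-limit", "mac-limit")


def _positive(token: str) -> int:
    value = int(token)
    if value < 1:
        raise ValueError("values must be positive: " + token)
    return value


def apply_binding_command(state: State, line: str) -> State:
    """Return the effective global settings after `line` is entered in global configuration mode.

    Each form replaces all of its own keywords, so a keyword missing from `line` is reset
    rather than kept. The static-entry (binding vlan ...) and logging forms are out of scope.
    """
    tokens = line.split()
    if tokens[:2] != ["device-tracking", "binding"] or len(tokens) < 3:
        raise ValueError("not a device-tracking binding command: " + line)
    args = tokens[2:]
    if args[0] in ("vlan", "logging"):
        raise ValueError("static-entry and logging forms are not modelled: " + line)

    new = dict(state)
    if args[0] == "max-entries":
        if len(args) < 2:
            raise ValueError("max-entries needs a value: " + line)
        new["max-entries"] = _positive(args[1])
        new.update({k: None for k in LIMIT_KEYWORDS})   # omitted sub-limits -> no limit
        rest, allowed = args[2:], set(LIMIT_KEYWORDS)
    else:
        new.update(DEFAULT_LIFETIMES)                    # omitted lifetimes -> default
        rest, allowed = args, set(DEFAULT_LIFETIMES)

    if len(rest) % 2:
        raise ValueError("keyword without a value: " + line)
    for kw, val in zip(rest[::2], rest[1::2]):
        if kw not in allowed:
            raise ValueError(f"keyword {kw!r} is not valid in this form: {line}")
        new[kw] = _positive(val)
    return new


def replay(commands: List[str], state: Optional[State] = None) -> List[State]:
    """Apply the commands in order and return the effective settings after each one."""
    current: State = dict(state or {})
    history = []
    for cmd in commands:
        current = apply_binding_command(current, cmd)
        history.append(dict(current))
    return history


def limits_view(state: State) -> str:
    """Render the 'Binding table configuration' lines of show device-tracking database details."""
    def fmt(v: Optional[int]) -> str:
        return "no limit" if v is None else str(v)
    return "\n".join([
        f" max/box  : {fmt(state.get('max-entries'))}",
        f" max/vlan : {fmt(state.get('vlan-limit'))}",
        f" max/port : {fmt(state.get('port-limit'))}",
        f" max/mac  : {fmt(state.get('mac-limit'))}",
    ])


# Command lines taken from the two examples in this guide.
LIFETIME_STEPS = [
    "device-tracking binding reachable-lifetime 700",
    "device-tracking binding stale-lifetime 1500 down-lifetime 1000",
    "device-tracking binding reachable-lifetime 700 stale-lifetime 1000 down-lifetime 200",
]
LIMIT_STEPS = [
    "device-tracking binding max-entries 30 vlan-limit 25 port-limit 20 mac-limit 19",
    "device-tracking binding max-entries 30 vlan-limit 25",
]

if __name__ == "__main__":
    for cmd, st in zip(LIFETIME_STEPS, replay(LIFETIME_STEPS)):
        print(cmd, "->", {k: st[k] for k in DEFAULT_LIFETIMES})
    print(limits_view(replay(LIMIT_STEPS)[-1]))   # max/port and max/mac show "no limit"
```
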
Example: Global vs Policy-Level Limits Relating to MAC Addresses

The following example shows how precedence is determined for global and policy-level MAC limits. The global value specifies the maximum number of entries allowed per MAC address. The policy-level IPv4 per MAC and IPv6 per MAC limits, which may be present only in a programmatic policy, specify the number of IPv4 and IPv6 addresses allowed per MAC address.

In the first part of the example, the global value (10 entries allowed per MAC address) is higher than the policy-level setting (3 IPv4 addresses allowed for each MAC address). The Binding table current counters in the output of the show device-tracking database details privileged EXEC command show that the limit reached first is the policy-level limit.


Note


No configuration is displayed for the policy-level setting, because you cannot configure the "IPv4 per mac" or the "IPv6 per mac" limit in any policy. In this example, the DT-PROGRAMMATIC policy is applied to the target by configuring the ip dhcp snooping vlan vlan command in global configuration mode. The IPv4 per mac limit exists because the programmatically created policy carries a limit for this parameter.


Device# configure terminal
Device(config)# ip dhcp snooping vlan 200
Device(config)# end
Device# show device-tracking policy DT-PROGRAMMATIC
Policy DT-PROGRAMMATIC configuration:
  security-level glean (*)
  device-role node
  gleaning from Neighbor Discovery
  gleaning from DHCP
  gleaning from ARP
  gleaning from DHCP4
  NOT gleaning from protocol unkn
  limit address-count for IPv4 per mac 3 (*)
  tracking enable
Policy DT-PROGRAMMATIC is applied on the following targets:
Target      Type    Policy               Feature            Target range
Te1/0/4     PORT    DT-PROGRAMMATIC      Device-tracking    vlan 200

  note:
  Binding entry Down timer: 24 hours (*)
  Binding entry Stale timer:   24 hours (*)

Device(config)# device-tracking binding max-entries 50 mac-limit 10
Device# show device-tracking database details
Binding table configuration:
 ----------------------------
 max/box  : 50
 max/vlan : no limit
 max/port : no limit
 max/mac  : 10

 Binding table current counters:
 ------------------------------
 dynamic  : 3
 local    : 0
 total    : 3

 Binding table counters by state:
 ----------------------------------
 REACHABLE  : 2
   total    : 3

Device# show device-tracking database      
Binding Table has 3 entries, 3 dynamic (limit 50)
Codes: L - Local, S - Static, ND - Neighbor Discovery, ARP - Address Resolution Protocol, DH4 - IPv4 DHCP, DH6 - IPv6 DHCP, PKT - Other Packet, API - API created
Preflevel flags (prlvl):
0001:MAC and LLA match     0002:Orig trunk            0004:Orig access           
0008:Orig trusted trunk    0010:Orig trusted access   0020:DHCP assigned         
0040:Cga authenticated     0080:Cert authenticated    0100:Statically assigned   


Network Layer Address                    Link Layer Address     Interface  vlan       prlvl      age       state      Time left       
ARP 192.0.9.8                            000a.959d.6816         Te1/0/4    200        0064       4s        REACHABLE  25 s            
ARP 192.0.9.7                            000a.959d.6816         Te1/0/4    200        0064       4s        REACHABLE  27 s            
ARP 192.0.9.6                            000a.959d.6816         Te1/0/4    200        0064       55s       VERIFY     5s try 2       
<<<<<<policy-level limit reached;  only up to 3 IPv4 addresses per MAC address are allowed. 

Device# show device-tracking database mac
 MAC                    Interface  vlan       prlvl      state            Time left        Policy           Input_index
 000a.959d.6816         Te1/0/4    200        NO TRUST   MAC-STALE        93585 s          DT-PROGRAMMATIC          12      
 

In the second part of the example, the global value (2 entries allowed per MAC address) is lower than the policy-level setting (3 IPv4 addresses allowed for each MAC address). The Binding table current counters in the output of the show device-tracking database details privileged EXEC command show that the limit reached first is the global limit.


Device# show device-tracking policy DT-PROGRAMMATIC

Policy DT-PROGRAMMATIC configuration:
  security-level glean (*)
  device-role node
  gleaning from Neighbor Discovery
  gleaning from DHCP
  gleaning from ARP
  gleaning from DHCP4
  NOT gleaning from protocol unkn
  limit address-count for IPv4 per mac 3 (*)
  tracking enable
Policy DT-PROGRAMMATIC is applied on the following targets:
Target      Type    Policy               Feature            Target range
Te1/0/4     PORT    DT-PROGRAMMATIC      Device-tracking    vlan 200

  note:
  Binding entry Down timer: 24 hours (*)
  Binding entry Stale timer:   24 hours (*)

Device(config)# device-tracking binding max-entries 50 mac-limit 2
Device# show device-tracking database details
Binding table configuration:
 ----------------------------
 max/box  : 50
 max/vlan : no limit
 max/port : no limit
 max/mac  : 2

 Binding table current counters:
 ------------------------------
 dynamic  : 2
 local    : 0
 total    : 2

 Binding table counters by state:
 ----------------------------------
 REACHABLE  : 2
   total    : 2

Device# show device-tracking database   
Binding Table has 3 entries, 3 dynamic (limit 50)
Codes: L - Local, S - Static, ND - Neighbor Discovery, ARP - Address Resolution Protocol, DH4 - IPv4 DHCP, DH6 - IPv6 DHCP, PKT - Other Packet, API - API created
Preflevel flags (prlvl):
0001:MAC and LLA match     0002:Orig trunk            0004:Orig access           
0008:Orig trusted trunk    0010:Orig trusted access   0020:DHCP assigned         
0040:Cga authenticated     0080:Cert authenticated    0100:Statically assigned   


Network Layer Address                    Link Layer Address     Interface  vlan       prlvl      age       state      Time left       
ARP 192.0.9.3                            000a.959d.6816         Te1/0/4    200        0064       5s        REACHABLE   27 s            
ARP 192.0.9.4                            000a.959d.6816         Te1/0/4    200        0064       6s        REACHABLE   20 s            

<<<<<<global limit reached;  only up to 2 binding entries per MAC address are allowed. 

Device# show device-tracking database mac
 MAC                    Interface  vlan       prlvl      state            Time left        Policy           Input_index
 000a.959d.6816         Te1/0/4    200        NO TRUST   MAC-STALE        93585 s          DT-PROGRAMMATIC       12      
 

device-tracking logging

To log snooping security events like packet drops, unresolved packets, and suspected MAC or IP theft, configure the device-tracking logging command in global configuration mode. To disable logging, enter the no form of the command.

device-tracking logging [ packet drop | resolution-veto | theft ]

no device-tracking logging [ packet drop | resolution-veto | theft ]

Syntax Description

packet drop

Logs packet drop events.

resolution-veto

Logs unresolved packet events.

theft

Logs IP and MAC theft events.

Command Default

Events are not logged.

Command Modes

Global configuration [Device(config)# ]

Command History

Release Modification

Cisco IOS XE Everest 16.6.1

This command was introduced.

Usage Guidelines

Logs generated for snooping security events have a severity level of 4 (meaning, warnings). For example:

%SISF-4-PAK_DROP: Message dropped A=FE80::20D:FF:FE0E:F G=- V=10 I=Tu0 P=NDP::RA Reason=Packet not authorized on port

You can view snooping security logs by entering the show logging | include SISF-4 command in privileged EXEC mode.

For information about the snooping events for which logs are generated, see the system message guide for the corresponding release: System Message Guides. Search for SISF-4.

Packet Drop Events

When you configure the packet drop keyword, a log is generated every time a packet is dropped. The log also includes the reason for the packet drop. The reasons include, but are not limited to, the following:

  • Packet not authorized on port: A security feature dropped the packet because a packet of this kind is not expected on the port, based on the configuration. Examples of such features and the situations in which they drop a packet include, but are not limited to, the following: the Router Advertisement Guard feature may drop IPv6 Router Advertisement packets received on ports that are not configured as router-facing ports; the DHCP Guard feature may drop DHCP server packets (DHCP OFFER or DHCP REPLY) received on a port that is not configured as a server-facing port.

  • Packet accepted but not forwarded: This means that the packet is not forwarded, but it is still considered valid to glean binding information from. This is usually seen when packets from a host are seen by SISF during the validation phase (while the binding is in a transitional state).

  • Malformed Packet dropped in Guard mode: This means that the incoming packet is malformed and cannot be parsed properly.

  • Packet is throttled: This means the packet was dropped because it exceeds the throttling limit for packets within a time interval. The system allows a maximum of 50 packets in 5 seconds.

  • Silent drop: This happens to packets that are generated either by device-tracking instances to communicate among themselves across multiple switches, or as a response to an action triggered by device-tracking, for instance, a response to a probe that device-tracking initiated to determine the reachability of the host.

  • Martian packet: This means that the incoming packet was dropped because it has a Martian source IP address, such as a multicast, loopback, or unspecified address.

  • Martian mac: This means that the incoming packet was dropped because it has a Martian MAC or Link-Layer source address.

  • Address limit per box reached: This means that the incoming packet was dropped, because the limit configured with the device-tracking binding max-entries no_of_entries global configuration command, was reached. Enter the show device-tracking database details privileged EXEC command to display current limits.

  • Address limit per vlan reached: This means that the incoming packet was dropped, because the limit configured with the device-tracking binding max-entries no_of_entries vlan-limit no_of_entries global configuration command, was reached. Enter the show device-tracking database details privileged EXEC command to display current limits.

  • Address limit per port reached: This means that the incoming packet was dropped, because the limit configured with the device-tracking binding max-entries no_of_entries port-limit no_of_entries global configuration command, was reached. Enter the show device-tracking database details privileged EXEC command to display current limits.

  • Address limit per policy reached: This means that the incoming packet was dropped because the limit configured with the limit address-count ip-per-port keyword in device-tracking configuration mode was reached. This limit is configured at the policy level. Enter the show device-tracking policy policy-name privileged EXEC command to display current limits.

  • Address limit per mac reached: This means that the incoming packet was dropped, because the limit configured with the device-tracking binding max-entries no_of_entries mac-limit no_of_entries global configuration command, was reached. Enter the show device-tracking database details privileged EXEC command to display current limits.

  • Address Family limit per mac reached: This means that the incoming packet was dropped because the IPv4 per MAC or IPv6 per MAC limit specified in a programmatic policy was reached. You cannot configure this policy parameter; a programmatically created policy may have an IPv4 per MAC limit, an IPv6 per MAC limit, both, or neither. Enter the show device-tracking policy policy-name privileged EXEC command to display the limit if it exists.
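The per-box, per-vlan, per-port, per-policy, per-mac and address-family limits listed above are independent ceilings, and the precedence shown in the DT-PROGRAMMATIC examples under device-tracking binding follows from that: the lower of a global mac-limit and a programmatic IPv4-per-mac limit is simply reached first. The following Python model is an added illustration, not Cisco code: the Limits, BindingTable and replay names are mine, the order in which the ceilings are checked is an assumption (the page does not state it, and only one limit binds in each replayed scenario), and the drop-reason strings are the ones documented above.

```python
"""Model of how SISF binding-table limits gate a new binding (added
illustration, not Cisco code). Each limit is an independent ceiling checked
at admission time; the first one already at its ceiling rejects the binding
with the matching PAK_DROP reason. The global mac-limit and a programmatic
policy's 'IPv4 per mac' limit therefore do not override one another: the
lower of the two is reached first."""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    vlan: int
    port: str

    @property
    def is_ipv6(self) -> bool:
        return ":" in self.ip


@dataclass
class Limits:
    # device-tracking binding max-entries N [vlan-limit N] [port-limit N] [mac-limit N]
    max_entries: Optional[int] = None
    vlan_limit: Optional[int] = None
    port_limit: Optional[int] = None
    mac_limit: Optional[int] = None
    # custom policy: limit address-count ip-per-port N (IPv4 and IPv6 together)
    policy_ip_per_port: Optional[int] = None
    # programmatic policy only; cannot be configured from the CLI
    policy_ipv4_per_mac: Optional[int] = None
    policy_ipv6_per_mac: Optional[int] = None


class BindingTable:
    def __init__(self, limits: Limits) -> None:
        self.limits = limits
        self.entries: list[Binding] = []

    def _count(self, pred: Callable[[Binding], bool]) -> int:
        return sum(1 for e in self.entries if pred(e))

    def try_add(self, b: Binding) -> Optional[str]:
        """Return None if the binding is admitted, else the drop reason."""
        L = self.limits
        af_limit = L.policy_ipv6_per_mac if b.is_ipv6 else L.policy_ipv4_per_mac
        # Check order is an assumption; only one limit binds in the scenarios below.
        checks = [
            (L.max_entries, lambda e: True, "Address limit per box reached"),
            (L.vlan_limit, lambda e: e.vlan == b.vlan, "Address limit per vlan reached"),
            (L.port_limit, lambda e: e.port == b.port, "Address limit per port reached"),
            (L.policy_ip_per_port, lambda e: e.port == b.port, "Address limit per policy reached"),
            (L.mac_limit, lambda e: e.mac == b.mac, "Address limit per mac reached"),
            (af_limit, lambda e: e.mac == b.mac and e.is_ipv6 == b.is_ipv6,
             "Address Family limit per mac reached"),
        ]
        for limit, pred, reason in checks:
            if limit is not None and self._count(pred) >= limit:
                return reason
        self.entries.append(b)
        return None


def replay(limits: Limits, ips: list[str], mac: str = "000a.959d.6816",
           vlan: int = 200, port: str = "Te1/0/4") -> tuple[int, Optional[str]]:
    """Offer bindings for `ips` from one host in order and stop at the first
    drop. Returns (entries admitted, drop reason or None)."""
    table = BindingTable(limits)
    for ip in ips:
        reason = table.try_add(Binding(ip, mac, vlan, port))
        if reason is not None:
            return len(table.entries), reason
    return len(table.entries), None


# Scenario 1 from the page: global mac-limit 10, programmatic IPv4-per-mac 3.
# Scenario 2 from the page: global mac-limit 2 with the same policy limit.
FIRST = Limits(max_entries=50, mac_limit=10, policy_ipv4_per_mac=3)
SECOND = Limits(max_entries=50, mac_limit=2, policy_ipv4_per_mac=3)
HOST_IPS = [f"192.0.9.{n}" for n in range(3, 9)]   # constructed: six IPv4s, one MAC

if __name__ == "__main__":
    for name, limits in (("global 10 / policy 3", FIRST), ("global 2 / policy 3", SECOND)):
        print(name, "->", replay(limits, HOST_IPS))
```

The replay of the first scenario admits three addresses and then reports the address-family reason; the second admits two and reports the per-mac reason, matching the annotated outputs. Because the IPv4-per-mac ceiling counts only IPv4 entries, IPv6 addresses from the same host are admitted until a global limit stops them, which is the case to keep in mind when a host that has exhausted its IPv4 quota is still creating entries.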

Resolution Veto Events

When you configure the resolution-veto keyword, a log is generated for every unresolved packet. This logging option is meant to be used only if the IPv6 Destination Guard feature is also enabled.

The IPv6 Destination Guard feature ensures that the device performs address resolution only for those addresses that are known to be active on the link. All destinations that are active on the link are entered in the binding table. When a destination is not found in the binding table, address resolution is prevented. By configuring resolution-veto logging you can keep track of such unresolved packets.

If the resolution-veto keyword is configured and the IPv6 Destination Guard feature is not, no logs are generated.

Theft Events

When you configure the theft keyword, a log is generated when SISF detects an IP theft, or a MAC theft or both.

In the log, verified binding information (IP address, MAC address, interface, or VLAN) is preceded by the term "Known". A suspicious IP address or MAC address is preceded by the term "New" or "Cand". Interface and VLAN information is also provided along with the suspicious IP or MAC address; this helps you identify where the suspicious traffic was seen.

For example, see the following MAC theft log:
%SISF-4-MAC_THEFT: MAC Theft Cand IP=2001::12B VLAN=70 MAC=9cfc.e85e.139d Cand I/F=Gi1/0/4 Known IP=71.0.0.96 Known I/F=Ac0

These snippets of the log show the IP address of the suspicious host and the interface on which it was seen: Cand IP=2001::12B, VLAN=70, Cand I/F=Gi1/0/4.

This snippet of the log shows the known MAC address, which the suspicious host is using: MAC=9cfc.e85e.139d.

These snippets of the log show the IP address and interface of the existing, verified entry: Known IP=71.0.0.96 and Known I/F=Ac0.

Examples

The following are examples of logs generated for packet drop events:

%SISF-4-PAK_DROP: Message dropped A=FE80::20D:FF:FE0E:F G=- V=10 I=Tu0 P=NDP::RA Reason=Packet not authorized on port 

%SISF-4-PAK_DROP: Message dropped A=20.0.0.1 M=dead.beef.0001 V=20 I=Gi1/0/23 P=ARP Reason=Packet accepted but not forwarded 

Examples

The following are examples of logs generated for IP and MAC theft events:
%SISF-4-MAC_AND_IP_THEFT: MAC_AND_IP Theft A=FE80::EE1D:8BFF:FE9B:102 V=102 I=Vl102 M=ec1d.8b9b.0102 New=Tu0

%SISF-4-MAC_THEFT: MAC Theft IP=192.2.1.2 VLAN=102 MAC=cafe.cafe.cafe I/F=Gi1/0/3 New I/F over fabric 

%SISF-4-IP_THEFT: IP Theft IP=FE80::9873:1D5E:E6E9:1F7E VLAN=20 MAC=2079.18d5.13ad IF=Ac0 New I/F over fabric 

%SISF-4-IP_THEFT: IP Theft IP=10.0.187.5 VLAN=10 Cand-MAC=0069.0000.0001 Cand-I/F=Gi1/0/23 Known MAC over-fabric Known I/F over-fabric

%SISF-4-MAC_THEFT: MAC Theft Cand IP=2001::12B VLAN=70 MAC=9cfc.e85e.139d Cand I/F=Gi1/0/4 Known IP=71.0.0.96 Known I/F=Ac0
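The message formats described under Packet Drop Events and Theft Events are regular enough to parse, but not with a naive split on spaces: the PAK_DROP Reason= value contains spaces, some theft keys are two words ("Cand IP", "Known I/F"), and "over fabric" or "over-fabric" stands in for an interface name when the other side of the conflict is on another fabric node. The following Python parser and triage helpers are an added example, not Cisco code: the SisfEvent type, the normalised key names (Cand_IF, Known_IP and so on) and the helper functions are mine, and the sample log is constructed from the messages quoted on this page with made-up timestamps.

```python
"""Parser and triage helpers for the SISF-4 syslog messages shown on this
page (added example, not Cisco code). Field names and messages come from the
page; SisfEvent and the normalised key names are assumptions of this example."""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample input: the messages quoted on this page, prefixed with
# made-up timestamps, plus one non-SISF line that must be ignored.
SAMPLE_LOG = """\
*Mar  1 00:01:01.000: %SISF-4-PAK_DROP: Message dropped A=FE80::20D:FF:FE0E:F G=- V=10 I=Tu0 P=NDP::RA Reason=Packet not authorized on port
*Mar  1 00:01:02.000: %SISF-4-PAK_DROP: Message dropped A=20.0.0.1 M=dead.beef.0001 V=20 I=Gi1/0/23 P=ARP Reason=Packet accepted but not forwarded
*Mar  1 00:01:03.000: %SISF-4-MAC_AND_IP_THEFT: MAC_AND_IP Theft A=FE80::EE1D:8BFF:FE9B:102 V=102 I=Vl102 M=ec1d.8b9b.0102 New=Tu0
*Mar  1 00:01:04.000: %SISF-4-MAC_THEFT: MAC Theft IP=192.2.1.2 VLAN=102 MAC=cafe.cafe.cafe I/F=Gi1/0/3 New I/F over fabric
*Mar  1 00:01:05.000: %SISF-4-IP_THEFT: IP Theft IP=FE80::9873:1D5E:E6E9:1F7E VLAN=20 MAC=2079.18d5.13ad IF=Ac0 New I/F over fabric
*Mar  1 00:01:06.000: %SISF-4-IP_THEFT: IP Theft IP=10.0.187.5 VLAN=10 Cand-MAC=0069.0000.0001 Cand-I/F=Gi1/0/23 Known MAC over-fabric Known I/F over-fabric
*Mar  1 00:01:07.000: %SISF-4-MAC_THEFT: MAC Theft Cand IP=2001::12B VLAN=70 MAC=9cfc.e85e.139d Cand I/F=Gi1/0/4 Known IP=71.0.0.96 Known I/F=Ac0
*Mar  1 00:01:08.000: %SYS-5-CONFIG_I: Configured from console by admin on vty0
"""

HEADER_RE = re.compile(r"%SISF-(?P<sev>\d)-(?P<mnemonic>[A-Z_]+): (?P<body>.*)$")
# Two-word keys are enumerated explicitly so that free text such as
# "Message dropped A=" is not mis-read as a key named "dropped A".
KV_RE = re.compile(r"(?P<key>(?:Cand|Known|New) (?:IP|MAC|I/F)|[A-Za-z/\-]+)=(?P<val>\S+)")


@dataclass
class SisfEvent:
    severity: int
    mnemonic: str
    fields: dict = field(default_factory=dict)
    reason: Optional[str] = None       # PAK_DROP only
    over_fabric: bool = False          # one side of a theft event is on another fabric node


def _norm_key(key: str) -> str:
    """'Cand I/F', 'Cand-I/F' -> 'Cand_IF'; 'I/F' -> 'IF'."""
    return key.replace("I/F", "IF").replace("-", " ").replace(" ", "_")


def parse_line(line: str) -> Optional[SisfEvent]:
    m = HEADER_RE.search(line)
    if not m:
        return None                    # not a SISF message
    # Reason= is always the last field and its value contains spaces, so peel
    # it off before tokenising the rest as key=value pairs.
    head, _, reason = m.group("body").partition("Reason=")
    ev = SisfEvent(int(m.group("sev")), m.group("mnemonic"),
                   reason=reason.strip() or None,
                   over_fabric="over fabric" in head or "over-fabric" in head)
    for kv in KV_RE.finditer(head):
        ev.fields[_norm_key(kv.group("key"))] = kv.group("val")
    return ev


def parse_log(text: str) -> list[SisfEvent]:
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev is not None]


def drop_reasons(events: list[SisfEvent]) -> Counter:
    """Histogram of PAK_DROP reasons: the first view to check after enabling
    'device-tracking logging packet drop'."""
    return Counter(ev.reason for ev in events if ev.mnemonic == "PAK_DROP")


def theft_suspects(events: list[SisfEvent]) -> list[tuple[str, str, str, str]]:
    """(mnemonic, VLAN, interface of the suspicious host, interface of the
    known entry). Cand-/New-qualified fields name the suspect; Known-qualified
    or bare fields name the verified entry; 'over fabric' fills whichever side
    has no interface name in the message."""
    out = []
    for ev in events:
        if not ev.mnemonic.endswith("_THEFT"):
            continue
        f = ev.fields
        suspect = f.get("Cand_IF") or f.get("New")
        known = f.get("Known_IF") or f.get("IF") or f.get("I")
        if ev.over_fabric:
            suspect = suspect or "over fabric"
            known = known or "over fabric"
        out.append((ev.mnemonic, f.get("VLAN") or f.get("V", "?"), suspect or "?", known or "?"))
    return out


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(dict(drop_reasons(evs)))
    for row in theft_suspects(evs):
        print(*row)
```

The suspect interface is what you pivot on: it is the port (or the fabric peer) where traffic claiming an already-known address appeared, and pairing it with the known interface tells you immediately whether the conflict is a local port-to-port move or crosses the fabric.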

device-tracking policy

To create a custom device-tracking policy, and to enter device-tracking configuration mode to configure the various parameters of the policy, enter the device-tracking policy command in global configuration mode. To delete a device tracking policy, use the no form of this command.

device-tracking policy policy-name

no device-tracking policy policy-name

Syntax Description

policy-name

Creates a device-tracking policy with the specified name - if it doesn't already exist. You can also specify the name of a programmatically created policy.

After you configure a policy name, the device enters the device-tracking configuration mode, where you can configure policy parameters. Enter a question mark (?) at the system prompt to see the list of policy parameters that can be configured.

Command Default

SISF-based device tracking is disabled.

Command Modes

Global configuration [Device(config)# ]

Command History

Release Modification

Cisco IOS XE Everest 16.6.1

This command was introduced.

Cisco IOS XE Fuji 16.9.1

The option to change the parameters of any programmatic policy was deprecated.

Usage Guidelines

When you enter the device-tracking policy policy-name command in global configuration mode, the system creates a custom policy with the specified name (if it does not already exist) and enters device-tracking configuration mode. In this mode, you can configure policy parameters.

After you create a policy and configure its parameters, you must attach it to an interface or VLAN. Only then does the activity of extracting binding information (IP and MAC address) from packets that enter the network, and the creation of binding entries, actually begin. For more information about attaching a policy, see device-tracking (interface config) and device-tracking (VLAN config).

To display detailed information about all the policies available on the device and the targets they are attached to, enter the show device-tracking policies detail command in privileged EXEC mode.

Configuring Policy Parameters

You can configure the parameters of a policy only if it is a custom policy. You cannot change the parameters of a programmatic policy. You also cannot change the parameters of the default policy.

To display the list of parameters for a policy, enter a question mark (?) at the system prompt in device-tracking configuration mode:
Device(config)# device-tracking policy sisf-01
Device(config-device-tracking)# ?                  
device-tracking policy configuration mode:
  data-glean            binding recovery by data traffic source address
                        gleaning
  default               Set a command to its defaults
  destination-glean     binding recovery by data traffic destination address
                        gleaning
  device-role           Sets the role of the device attached to the port
  distribution-switch   Distribution switch to sync with
  exit                  Exit from device-tracking policy configuration mode
  limit                 Specifies a limit
  medium-type-wireless  Force medium type to wireless
  no                    Negate a command or set its defaults
  prefix-glean          Glean prefixes in RA and DHCP-PD traffic
  protocol              Sets the protocol to glean (default all)
  security-level        setup security level
  tracking              Override default tracking behavior
  trusted-port          setup trusted port
  vpc                   setup vpc port

Keyword

Description

data-glean

Enables learning of addresses from a data packet snooped from a source inside the network and populates the binding table with the data traffic source address. Enter one of these options:

  • log-only : Generates a syslog message upon data packet notification.

  • recovery : Uses a protocol to enable binding table recovery. Enter NDP or DHCP.

default

Sets the policy parameter to its default value. You can set these policy attributes to their default values:

  • data-glean : Source address is not learnt or gleaned.

  • destination-glean : Destination address is not learnt or gleaned

  • device-role : Node.

  • distribution-switch : Not supported.

  • limit : An address count limit is not set.

  • medium-type-wireless : Not supported.

  • prefix-glean : Prefixes are not learnt.

  • protocol : Addresses of all protocols (ARP, DHCP4, DHCP6, NDP, and UDP) are gleaned.

  • security-level : Guard.

  • tracking : Polling is disabled.

  • trusted-port : Disabled, that is, the guard function is enabled on the configured target.

  • vpc : Not supported.

destination-glean

Enables population of the binding table by gleaning the destination address of data traffic. Enter one of these options:

  • log-only : Generates a syslog message upon data packet notification.

  • recovery : Uses a protocol to enable binding table recovery. Enter NDP or DHCP.

device-role

Indicates the type of device that is facing the port and this can be one of the following:

  • node : Allows creation of binding entries for a port.

  • switch : Stops the creation of binding entries for a port. This option is suited to multi-switch setups, where the possibility of large device tracking tables is very high. Here, a port facing another switch (an uplink trunk port) can be configured to stop creating binding entries, and the traffic arriving at such a port can be trusted, because the switch on the other side of the trunk port has device tracking enabled and has already checked the validity of the binding entry.

    This option is commonly used along with the trusted-port keyword. Configuring both the device-role and trusted-port options on an uplink trunk port helps build an efficient and scalable “secure zone”. Both parameters must be configured to achieve an efficient distribution of the creation of binding table entries (thus keeping the binding tables smaller).

distribution-switch

Although visible on the CLI, this keyword is not supported. Any configuration does not take effect.

exit

Exits the device-tracking configuration mode and returns to global configuration mode.

limit address-count

Configures the maximum number of IPv4 and IPv6 addresses allowed per port. The purpose of this limit is to ensure that binding entries are restricted to only known and expected hosts.

ip-per-port : Enter the maximum number of IP addresses you want to allow on a port. This limit applies to IPv4 and IPv6 addresses as a whole. When the limit is reached, no further IP addresses can be added to the binding table, and traffic from new hosts is dropped.

Enter a value between 1 and 32000.

medium-type-wireless

Although visible on the CLI, this keyword is not supported. Any configuration does not take effect.

no

Negates the command, that is, reverts a policy parameter to its default value.

For information about what the default value is, see the default keyword.

  • data-glean

  • destination-glean

  • device-role

  • distribution-switch : Not supported.

  • limit address-count

  • medium-type-wireless

  • prefix-glean

  • protocol

  • security-level

  • tracking

  • trusted-port

  • vpc : Not supported.

prefix-glean only

Enables learning of prefixes from either IPv6 Router Advertisements or from DHCP-PD. You have the following option:

(Optional) only : Gleans only prefixes and not host addresses.

protocol

Gleans addresses of specified protocols. By default, all are gleaned. Enter one of these options:

  • arp [prefix-list name] : Gleans addresses in ARP packets. Optionally, enter the name of prefix-list that is to be matched.

  • dhcp4 [prefix-list name] : Gleans addresses in DHCPv4 packets. Optionally, enter the name of prefix-list that is to be matched.

  • dhcp6 [prefix-list name] : Gleans addresses in DHCPv6 packets. Optionally, enter the name of prefix-list that is to be matched.

  • ndp [prefix-list name] : Gleans addresses in NDP packets. Optionally, enter the name of prefix-list that is to be matched.

  • udp [prefix-list name] : Although visible on the CLI, this option is not supported. Any configuration does not take effect.

security-level

Specifies the level of security that is enforced. When a packet enters the network, SISF extracts the IP and MAC address (the source of the packet) and subsequent action, is dictated by the security level configured in the policy.

Enter one of these options:

  • glean : Extracts the IP and MAC address and enters them into the binding table, without any verification. Use this option if you want to only learn about the host and not rely on SISF for authentication of the binding entry.

  • guard : Extracts the IP and MAC address and checks this information against the binding table. The outcome of the verification determines if a binding entry is added, or updated, or if the packet is dropped and the client is rejected

    This is the default value for the security-level parameter.

  • inspect : Although this keyword is available on the CLI, we recommend not using it. The glean and guard options described above address most use cases and network requirements.

tracking

Determines if an entry is polled after the reachable lifetime expires. Polling is a periodic and conditional checking of the host to see the state it is in, whether it is still connected, and whether it is communicating. For more information about polling, see the Usage Guidelines below.

By default, polling is not enabled.

Enter one of these options:

  • disable : Turns off polling action.

    [stale-lifetime {seconds | infinite} ] : Optionally you can also configure a stale-lifetime. If you do, configure one of the following for the stale-lifetime timer:

    • seconds : Configure a value for the stale-lifetime timer. Enter a value between 1 and 86400 seconds. The default value is 86400 seconds (24 hours).

    • infinite : Disables the timer for the STALE state. This means that a timer is not started when an entry enters the STALE state and the entry remains in the STALE state, indefinitely.

  • enable : Turns on polling action.

    [reachable-lifetime {seconds | infinite} ] : Optionally you can also configure a reachable-lifetime. If you do, configure one of the following for the reachable-lifetime timer:

    • seconds : Configure a value for the reachable-lifetime timer. Enter a value between 1 and 86400 seconds. The default value is 300 seconds (5 minutes).

    • infinite : Disables the timer for the REACHABLE state. This means that a timer is not started when an entry enters the REACHABLE state and the entry remains in the REACHABLE state, indefinitely.

trusted-port

This option disables the guard function on configured targets. Bindings learned through a trusted-port have preference over bindings learned through any other port. A trusted port is also given preference in case of a collision while making an entry in the table.

This option is commonly used along with the device-role keyword. Configuring both the device-role and trusted-port options on an uplink trunk port helps achieve an efficient distribution of the creation of binding table entries (thus keeping the binding tables smaller).

vpc

Although visible on the CLI, this option is not supported. Any configuration does not take effect.

Global versus Policy-Level Settings

You configure policy parameters in device-tracking configuration mode, and what you configure for a policy applies only to that policy. Some of the policy parameters have counterparts in global configuration mode. For detailed information about the parameters that have global-level counterparts, and about which value takes precedence (the globally configured or the policy-level value), see: device-tracking binding.

Polling a Host

If you configure the tracking policy parameter, the switch sends a polling request after the reachable lifetime expires. The switch polls the host up to 3 times at fixed, system-determined intervals. You can also specify an interval by using the device-tracking tracking retry-interval seconds command in global configuration mode. The polling request is in the form of an Address Resolution Protocol (ARP) probe or a Neighbor Solicitation message. During this time the state of the entry changes to VERIFY.

If a polling response is received (thus confirming reachability of the host), the state of the entry changes back to REACHABLE. If the switch does not receive a polling response after 3 attempts, the entry changes to the STALE state.


Note


Using the tracking policy parameter, you can enable or disable polling at the policy level regardless of whether polling is enabled or disabled at the global configuration level (the device-tracking tracking command in global configuration mode). See Example: Disabling Polling at a Policy-Level and device-tracking tracking.


Changing the Limit Address-Count

If you configure a limit using the limit address-count policy parameter and then change it - the new limit is applicable only to entries learned after the change. Further, regardless of whether the new limit is higher or lower than the previous limit, existing entries are not affected and are allowed to go through their binding entry lifecycle.

If the binding table is full (in accordance with the previous limit), any new entries are not added until the existing entries complete their lifecycle. SISF attempts to create space for new entries by identifying and removing only inactive entries. If the entries are active, they are not removed and are allowed to go through their binding entry lifecycle.

If you want to make the new lower limit take effect immediately, you can use either one of these options:

  • Enter the clear device-tracking database command in privileged EXEC mode and specify an interface or VLAN. This removes all existing entries from the database of only the specified target. New entries are then learned and added as per the current limit address-count settings. See Example: Changing the Address Count Limit.

  • Remove and reattach the policy on the required target. Enter the no device-tracking policy policy-name command in interface or VLAN configuration mode to remove the policy. Removing the policy from an interface or VLAN removes the bindings that are attached to the target. Enter the device-tracking policy policy-name command in interface or VLAN configuration mode to reattach it. Reattaching the policy causes all binding entries to be learned according to the new limit.

Examples

The following example shows how you can disable polling at the policy level even if polling is enabled at the global level. Here, polling is disabled for all interfaces and VLANs where policy sisf-01 is applied.
Device# configure terminal                          
Enter configuration commands, one per line.  End with CNTL/Z.
Device(config)# device-tracking tracking
Device(config)# exit
Device# show running-config | include device-tracking
device-tracking tracking
device-tracking policy sisf-01
 device-tracking attach-policy sisf-01
 device-tracking attach-policy sisf-01 vlan 200
device-tracking binding reachable-lifetime 700 stale-lifetime 1000 down-lifetime 200
device-tracking binding logging

Device# configure terminal                          
Enter configuration commands, one per line.  End with CNTL/Z.
Device(config)# device-tracking policy sisf-01
Device(config-device-tracking)# tracking disable
Device(config-device-tracking)# end
Device# show device-tracking policy sisf-01
Device-tracking policy sisf-01 configuration: 
  security-level guard
  device-role node
  gleaning from Neighbor Discovery
  gleaning from DHCP6
  gleaning from ARP
  gleaning from DHCP4
  NOT gleaning from protocol unkn
  limit address-count 5
  tracking disable
Policy sisf-01 is applied on the following targets: 
Target               Type  Policy               Feature        Target range
Te1/0/4              PORT  sisf-01              Device-tracking vlan 200
vlan 200             VLAN  sisf-01              Device-tracking vlan all

Examples

The following example shows you how to make a change in the limit address-count policy parameter setting take effect immediately. In this example, the clear command is used to remove all entries from the binding table for the changed settings to take effect immediately.
Device# show device-tracking policy sisf-01
Device-tracking policy sisf-01 configuration: 
  security-level guard
  device-role node
  gleaning from Neighbor Discovery
  gleaning from DHCP6
  gleaning from ARP
  gleaning from DHCP4
  NOT gleaning from protocol unkn
  limit address-count 25
Policy sisf-01 is applied on the following targets: 
Target               Type  Policy               Feature        Target range
Te1/0/4              PORT  sisf-01              Device-tracking vlan 200
vlan 200             VLAN  sisf-01              Device-tracking vlan all

Device# show running-config | include device-tracking
device-tracking policy sisf-01
 device-tracking attach-policy sisf-01
 device-tracking attach-policy sisf-01 vlan 200
device-tracking binding reachable-lifetime 700 stale-lifetime 1000 down-lifetime 200
device-tracking binding logging


*Dec 13 15:08:50.723: %SISF-6-ENTRY_CREATED: Entry created IP=192.0.9.25 VLAN=200 MAC=001b.4411.3ab7 I/F=Te1/0/4 Preflevel=00FF
*Dec 13 15:08:50.723: %SISF-6-ENTRY_CREATED: Entry created IP=192.0.9.26 VLAN=200 MAC=001b.4411.3ab7 I/F=Te1/0/4 Preflevel=00FF
*Dec 13 15:08:50.724: %SISF-6-ENTRY_CREATED: Entry created IP=192.0.9.27 VLAN=200 MAC=001b.4411.3ab7 I/F=Te1/0/4 Preflevel=00FF
*Dec 13 15:08:50.724: %SISF-6-ENTRY_CREATED: Entry created IP=192.0.9.28 VLAN=200 MAC=001b.4411.3ab7 I/F=Te1/0/4 Preflevel=00FF
*Dec 13 15:08:50.724: %SISF-6-ENTRY_CREATED: Entry created IP=192.0.9.29 VLAN=200 MAC=001b.4411.3ab7 I/F=Te1/0/4 Preflevel=00FF
*Dec 13 15:08:50.724: %SISF-6-ENTRY_CREATED: Entry created IP=192.0.9.30 VLAN=200 MAC=001b.4411.3ab7 I/F=Te1/0/4 Preflevel=00FF
*Dec 13 15:08:50.725: %SISF-6-ENTRY_CREATED: Entry created IP=192.0.9.31 VLAN=200 MAC=001b.4411.3ab7 I/F=Te1/0/4 Preflevel=00FF
*Dec 13 15:08:50.725: %SISF-6-ENTRY_CREATED: Entry created IP=192.0.9.32 VLAN=200 MAC=001b.4411.3ab7 I/F=Te1/0/4 Preflevel=00FF
*Dec 13 15:08:50.725: %SISF-6-ENTRY_CREATED: Entry created IP=192.0.9.33 VLAN=200 MAC=001b.4411.3ab7 I/F=Te1/0/4 Preflevel=00FF
*Dec 13 15:08:50.725: %SISF-6-ENTRY_CREATED: Entry created IP=192.0.9.34 VLAN=200 MAC=001c.4411.3ab7 I/F=Te1/0/4 Preflevel=00FF
*Dec 13 15:08:50.726: %SISF-6-ENTRY_CREATED: Entry created IP=192.0.9.35 VLAN=200 MAC=001c.4411.3ab7 I/F=Te1/0/4 Preflevel=00FF
*Dec 13 15:08:50.726: %SISF-6-ENTRY_CREATED: Entry created IP=192.0.9.36 VLAN=200 MAC=001c.4411.3ab7 I/F=Te1/0/4 Preflevel=00FF
*Dec 13 15:08:50.726: %SISF-6-ENTRY_CREATED: Entry created IP=192.0.9.37 VLAN=200 MAC=001c.4411.3ab7 I/F=Te1/0/4 Preflevel=00FF
*Dec 13 15:08:50.726: %SISF-6-ENTRY_CREATED: Entry created IP=192.0.9.38 VLAN=200 MAC=001c.4411.3ab7 I/F=Te1/0/4 Preflevel=00FF
*Dec 13 15:08:50.727: %SISF-6-ENTRY_CREATED: Entry created IP=192.0.9.39 VLAN=200 MAC=001c.4411.3ab7 I/F=Te1/0/4 Preflevel=00FF
*Dec 13 15:08:50.727: %SISF-6-ENTRY_CREATED: Entry created IP=192.0.9.40 VLAN=200 MAC=001c.4411.3ab7 I/F=Te1/0/4 Preflevel=00FF
*Dec 13 15:08:50.727: %SISF-6-ENTRY_CREATED: Entry created IP=192.0.9.41 VLAN=200 MAC=001c.4411.3ab7 I/F=Te1/0/4 Preflevel=00FF
*Dec 13 15:08:50.727: %SISF-6-ENTRY_CREATED: Entry created IP=192.0.9.42 VLAN=200 MAC=001c.4411.3ab7 I/F=Te1/0/4 Preflevel=00FF
*Dec 13 15:08:50.728: %SISF-6-ENTRY_CREATED: Entry created IP=192.0.9.43 VLAN=200 MAC=001c.4411.3ab7 I/F=Te1/0/4 Preflevel=00FF
*Dec 13 15:08:50.728: %SISF-6-ENTRY_MAX_ORANGE: Reaching 80% of max adr allowed per policy (25) V=200 I=Te1/0/4 M=001d.4411.3ab7
*Dec 13 15:08:50.728: %SISF-6-ENTRY_CREATED: Entry created IP=192.0.9.44 VLAN=200 MAC=001d.4411.3ab7 I/F=Te1/0/4 Preflevel=00FF
*Dec 13 15:08:50.728: %SISF-6-ENTRY_CREATED: Entry created IP=192.0.9.45 VLAN=200 MAC=001d.4411.3ab7 I/F=Te1/0/4 Preflevel=00FF
*Dec 13 15:08:50.728: %SISF-6-ENTRY_CREATED: Entry created IP=192.0.9.46 VLAN=200 MAC=001d.4411.3ab7 I/F=Te1/0/4 Preflevel=00FF
*Dec 13 15:08:50.729: %SISF-6-ENTRY_CREATED: Entry created IP=192.0.9.47 VLAN=200 MAC=001d.4411.3ab7 I/F=Te1/0/4 Preflevel=00FF
*Dec 13 15:08:50.729: %SISF-6-ENTRY_CREATED: Entry created IP=192.0.9.48 VLAN=200 MAC=001d.4411.3ab7 I/F=Te1/0/4 Preflevel=00FF
*Dec 13 15:08:50.729: %SISF-6-ENTRY_CREATED: Entry created IP=192.0.9.49 VLAN=200 MAC=001d.4411.3ab7 I/F=Te1/0/4 Preflevel=00FF

Device# show device-tracking database
Binding Table has 25 entries, 25 dynamic (limit 200000)
Codes: L - Local, S - Static, ND - Neighbor Discovery, ARP - Address Resolution Protocol, DH4 - IPv4 DHCP, DH6 - IPv6 DHCP, PKT - Other Packet, API - API created
Preflevel flags (prlvl):
0001:MAC and LLA match     0002:Orig trunk            0004:Orig access           
0008:Orig trusted trunk    0010:Orig trusted access   0020:DHCP assigned         
0040:Cga authenticated     0080:Cert authenticated    0100:Statically assigned   


    Network Layer Address                    Link Layer Address     Interface  vlan       prlvl      age        state      Time left       
ARP 192.0.9.49                               001d.4411.3ab7         Te1/0/4    200        00FF       22s        REACHABLE  699 s           
ARP 192.0.9.48                               001d.4411.3ab7         Te1/0/4    200        00FF       22s        REACHABLE  691 s           
ARP 192.0.9.47                               001d.4411.3ab7         Te1/0/4    200        00FF       22s        REACHABLE  687 s           
ARP 192.0.9.46                               001d.4411.3ab7         Te1/0/4    200        00FF       22s        REACHABLE  714 s           
ARP 192.0.9.45                               001d.4411.3ab7         Te1/0/4    200        00FF       22s        REACHABLE  692 s           
ARP 192.0.9.44                               001d.4411.3ab7         Te1/0/4    200        00FF       22s        REACHABLE  702 s           
ARP 192.0.9.43                               001c.4411.3ab7         Te1/0/4    200        00FF       22s        REACHABLE  680 s           
ARP 192.0.9.42                               001c.4411.3ab7         Te1/0/4    200        00FF       22s        REACHABLE  708 s           
ARP 192.0.9.41                               001c.4411.3ab7         Te1/0/4    200        00FF       22s        REACHABLE  683 s           
ARP 192.0.9.40                               001c.4411.3ab7         Te1/0/4    200        00FF       22s        REACHABLE  708 s           
ARP 192.0.9.39                               001c.4411.3ab7         Te1/0/4    200        00FF       22s        REACHABLE  710 s           
ARP 192.0.9.38                               001c.4411.3ab7         Te1/0/4    200        00FF       22s        REACHABLE  697 s           
ARP 192.0.9.37                               001c.4411.3ab7         Te1/0/4    200        00FF       22s        REACHABLE  707 s           
ARP 192.0.9.36                               001c.4411.3ab7         Te1/0/4    200        00FF       22s        REACHABLE  695 s           
ARP 192.0.9.35                               001c.4411.3ab7         Te1/0/4    200        00FF       22s        REACHABLE  708 s           
ARP 192.0.9.34                               001c.4411.3ab7         Te1/0/4    200        00FF       22s        REACHABLE  706 s           
ARP 192.0.9.33                               001b.4411.3ab7         Te1/0/4    200        00FF       22s        REACHABLE  683 s           
ARP 192.0.9.32                               001b.4411.3ab7         Te1/0/4    200        00FF       22s        REACHABLE  697 s           
ARP 192.0.9.31                               001b.4411.3ab7         Te1/0/4    200        00FF       22s        REACHABLE  683 s           
ARP 192.0.9.30                               001b.4411.3ab7         Te1/0/4    200        00FF       22s        REACHABLE  678 s           
ARP 192.0.9.29                               001b.4411.3ab7         Te1/0/4    200        00FF       22s        REACHABLE  696 s           
ARP 192.0.9.28                               001b.4411.3ab7         Te1/0/4    200        00FF       22s        REACHABLE  704 s           
ARP 192.0.9.27                               001b.4411.3ab7         Te1/0/4    200        00FF       22s        REACHABLE  713 s           
ARP 192.0.9.26                               001b.4411.3ab7         Te1/0/4    200        00FF       22s        REACHABLE  695 s           
ARP 192.0.9.25                               001b.4411.3ab7         Te1/0/4    200        00FF       22s        REACHABLE  686 s           
The address count limit is then lowered from 25 to 5. Because the existing entries have not completed their binding entry lifecycle, they are not deleted from the binding table, and the table still holds 25 entries after the change. To make the new limit of 5 take effect immediately, the clear device-tracking database command is used to delete all existing entries. New entries are then learned and added according to the current limit address-count setting.

Device# configure terminal    
Device(config)# device-tracking policy sisf-01
Device(config-device-tracking)# limit address-count 5
Device(config-device-tracking)# end
Device# show device-tracking policy sisf-01
Device-tracking policy sisf-01 configuration: 
  security-level guard
  device-role node
  gleaning from Neighbor Discovery
  gleaning from DHCP6
  gleaning from ARP
  gleaning from DHCP4
  NOT gleaning from protocol unkn
  limit address-count 5
Policy sisf-01 is applied on the following targets: 
Target               Type  Policy               Feature        Target range
Te1/0/4              PORT  sisf-01              Device-tracking vlan 200
vlan 200             VLAN  sisf-01              Device-tracking vlan all

Device# show device-tracking database                   
Binding Table has 25 entries, 25 dynamic (limit 200000)
Codes: L - Local, S - Static, ND - Neighbor Discovery, ARP - Address Resolution Protocol, DH4 - IPv4 DHCP, DH6 - IPv6 DHCP, PKT - Other Packet, API - API created
Preflevel flags (prlvl):
0001:MAC and LLA match     0002:Orig trunk            0004:Orig access           
0008:Orig trusted trunk    0010:Orig trusted access   0020:DHCP assigned         
0040:Cga authenticated     0080:Cert authenticated    0100:Statically assigned   


    Network Layer Address                    Link Layer Address     Interface  vlan       prlvl      age        state      Time left       
ARP 192.0.9.49                               001d.4411.3ab7         Te1/0/4    200        00FF       67s        REACHABLE  654 s           
ARP 192.0.9.48                               001d.4411.3ab7         Te1/0/4    200        00FF       67s        REACHABLE  646 s           
ARP 192.0.9.47                               001d.4411.3ab7         Te1/0/4    200        00FF       67s        REACHABLE  642 s           
ARP 192.0.9.46                               001d.4411.3ab7         Te1/0/4    200        00FF       67s        REACHABLE  669 s           
ARP 192.0.9.45                               001d.4411.3ab7         Te1/0/4    200        00FF       67s        REACHABLE  647 s           
ARP 192.0.9.44                               001d.4411.3ab7         Te1/0/4    200        00FF       67s        REACHABLE  657 s           
ARP 192.0.9.43                               001c.4411.3ab7         Te1/0/4    200        00FF       67s        REACHABLE  635 s           
ARP 192.0.9.42                               001c.4411.3ab7         Te1/0/4    200        00FF       67s        REACHABLE  663 s           
ARP 192.0.9.41                               001c.4411.3ab7         Te1/0/4    200        00FF       67s        REACHABLE  638 s           
ARP 192.0.9.40                               001c.4411.3ab7         Te1/0/4    200        00FF       67s        REACHABLE  663 s           
ARP 192.0.9.39                               001c.4411.3ab7         Te1/0/4    200        00FF       67s        REACHABLE  665 s           
ARP 192.0.9.38                               001c.4411.3ab7         Te1/0/4    200        00FF       67s        REACHABLE  652 s           
ARP 192.0.9.37                               001c.4411.3ab7         Te1/0/4    200        00FF       67s        REACHABLE  662 s           
ARP 192.0.9.36                               001c.4411.3ab7         Te1/0/4    200        00FF       67s        REACHABLE  650 s           
ARP 192.0.9.35                               001c.4411.3ab7         Te1/0/4    200        00FF       67s        REACHABLE  663 s           
ARP 192.0.9.34                               001c.4411.3ab7         Te1/0/4    200        00FF       67s        REACHABLE  661 s           
ARP 192.0.9.33                               001b.4411.3ab7         Te1/0/4    200        00FF       67s        REACHABLE  637 s           
ARP 192.0.9.32                               001b.4411.3ab7         Te1/0/4    200        00FF       67s        REACHABLE  652 s           
ARP 192.0.9.31                               001b.4411.3ab7         Te1/0/4    200        00FF       67s        REACHABLE  638 s           
ARP 192.0.9.30                               001b.4411.3ab7         Te1/0/4    200        00FF       67s        REACHABLE  633 s           
ARP 192.0.9.29                               001b.4411.3ab7         Te1/0/4    200        00FF       67s        REACHABLE  651 s           
ARP 192.0.9.28                               001b.4411.3ab7         Te1/0/4    200        00FF       67s        REACHABLE  658 s           
ARP 192.0.9.27                               001b.4411.3ab7         Te1/0/4    200        00FF       67s        REACHABLE  668 s           
ARP 192.0.9.26                               001b.4411.3ab7         Te1/0/4    200        00FF       67s        REACHABLE  650 s           
ARP 192.0.9.25                               001b.4411.3ab7         Te1/0/4    200        00FF       67s        REACHABLE  641 s           

Device# clear device-tracking database

*Dec 13 15:10:22.837: %SISF-6-ENTRY_DELETED: Entry deleted IP=192.0.9.49 VLAN=200 MAC=001d.4411.3ab7 I/F=Te1/0/4 Preflevel=00FF
*Dec 13 15:10:22.838: %SISF-6-ENTRY_DELETED: Entry deleted IP=192.0.9.48 VLAN=200 MAC=001d.4411.3ab7 I/F=Te1/0/4 Preflevel=00FF
*Dec 13 15:10:22.838: %SISF-6-ENTRY_DELETED: Entry deleted IP=192.0.9.47 VLAN=200 MAC=001d.4411.3ab7 I/F=Te1/0/4 Preflevel=00FF
*Dec 13 15:10:22.838: %SISF-6-ENTRY_DELETED: Entry deleted IP=192.0.9.46 VLAN=200 MAC=001d.4411.3ab7 I/F=Te1/0/4 Preflevel=00FF
*Dec 13 15:10:22.839: %SISF-6-ENTRY_DELETED: Entry deleted IP=192.0.9.45 VLAN=200 MAC=001d.4411.3ab7 I/F=Te1/0/4 Preflevel=00FF
*Dec 13 15:10:22.839: %SISF-6-ENTRY_DELETED: Entry deleted IP=192.0.9.44 VLAN=200 MAC=001d.4411.3ab7 I/F=Te1/0/4 Preflevel=00FF
*Dec 13 15:10:22.839: %SISF-6-ENTRY_DELETED: Entry deleted IP=192.0.9.43 VLAN=200 MAC=001c.4411.3ab7 I/F=Te1/0/4 Preflevel=00FF
*Dec 13 15:10:22.839: %SISF-6-ENTRY_DELETED: Entry deleted IP=192.0.9.42 VLAN=200 MAC=001c.4411.3ab7 I/F=Te1/0/4 Preflevel=00FF
*Dec 13 15:10:22.840: %SISF-6-ENTRY_DELETED: Entry deleted IP=192.0.9.41 VLAN=200 MAC=001c.4411.3ab7 I/F=Te1/0/4 Preflevel=00FF
*Dec 13 15:10:22.840: %SISF-6-ENTRY_DELETED: Entry deleted IP=192.0.9.40 VLAN=200 MAC=001c.4411.3ab7 I/F=Te1/0/4 Preflevel=00FF
*Dec 13 15:10:22.840: %SISF-6-ENTRY_DELETED: Entry deleted IP=192.0.9.39 VLAN=200 MAC=001c.4411.3ab7 I/F=Te1/0/4 Preflevel=00FF
*Dec 13 15:10:22.841: %SISF-6-ENTRY_DELETED: Entry deleted IP=192.0.9.38 VLAN=200 MAC=001c.4411.3ab7 I/F=Te1/0/4 Preflevel=00FF
*Dec 13 15:10:22.841: %SISF-6-ENTRY_DELETED: Entry deleted IP=192.0.9.37 VLAN=200 MAC=001c.4411.3ab7 I/F=Te1/0/4 Preflevel=00FF
*Dec 13 15:10:22.841: %SISF-6-ENTRY_DELETED: Entry deleted IP=192.0.9.36 VLAN=200 MAC=001c.4411.3ab7 I/F=Te1/0/4 Preflevel=00FF
*Dec 13 15:10:22.842: %SISF-6-ENTRY_DELETED: Entry deleted IP=192.0.9.35 VLAN=200 MAC=001c.4411.3ab7 I/F=Te1/0/4 Preflevel=00FF
*Dec 13 15:10:22.842: %SISF-6-ENTRY_DELETED: Entry deleted IP=192.0.9.34 VLAN=200 MAC=001c.4411.3ab7 I/F=Te1/0/4 Preflevel=00FF
*Dec 13 15:10:22.842: %SISF-6-ENTRY_DELETED: Entry deleted IP=192.0.9.33 VLAN=200 MAC=001b.4411.3ab7 I/F=Te1/0/4 Preflevel=00FF
*Dec 13 15:10:22.842: %SISF-6-ENTRY_DELETED: Entry deleted IP=192.0.9.32 VLAN=200 MAC=001b.4411.3ab7 I/F=Te1/0/4 Preflevel=00FF
*Dec 13 15:10:22.843: %SISF-6-ENTRY_DELETED: Entry deleted IP=192.0.9.31 VLAN=200 MAC=001b.4411.3ab7 I/F=Te1/0/4 Preflevel=00FF
*Dec 13 15:10:22.843: %SISF-6-ENTRY_DELETED: Entry deleted IP=192.0.9.30 VLAN=200 MAC=001b.4411.3ab7 I/F=Te1/0/4 Preflevel=00FF
*Dec 13 15:10:22.843: %SISF-6-ENTRY_DELETED: Entry deleted IP=192.0.9.29 VLAN=200 MAC=001b.4411.3ab7 I/F=Te1/0/4 Preflevel=00FF
*Dec 13 15:10:22.844: %SISF-6-ENTRY_DELETED: Entry deleted IP=192.0.9.28 VLAN=200 MAC=001b.4411.3ab7 I/F=Te1/0/4 Preflevel=00FF
*Dec 13 15:10:22.844: %SISF-6-ENTRY_DELETED: Entry deleted IP=192.0.9.27 VLAN=200 MAC=001b.4411.3ab7 I/F=Te1/0/4 Preflevel=00FF
*Dec 13 15:10:22.844: %SISF-6-ENTRY_DELETED: Entry deleted IP=192.0.9.26 VLAN=200 MAC=001b.4411.3ab7 I/F=Te1/0/4 Preflevel=00FF
*Dec 13 15:10:22.844: %SISF-6-ENTRY_DELETED: Entry deleted IP=192.0.9.25 VLAN=200 MAC=001b.4411.3ab7 I/F=Te1/0/4 Preflevel=00FF

Device# show device-tracking database 
<no output; binding table cleared>

*Dec 13 15:11:38.346: %SISF-6-ENTRY_CREATED: Entry created IP=192.0.9.25 VLAN=200 MAC=001b.4411.3ab7 I/F=Te1/0/4 Preflevel=00FF
*Dec 13 15:11:38.346: %SISF-6-ENTRY_CREATED: Entry created IP=192.0.9.26 VLAN=200 MAC=001b.4411.3ab7 I/F=Te1/0/4 Preflevel=00FF
*Dec 13 15:11:38.347: %SISF-6-ENTRY_CREATED: Entry created IP=192.0.9.27 VLAN=200 MAC=001b.4411.3ab7 I/F=Te1/0/4 Preflevel=00FF
*Dec 13 15:11:38.347: %SISF-6-ENTRY_MAX_ORANGE: Reaching 80% of max adr allowed per policy (5) V=200 I=Te1/0/4 M=001b.4411.3ab7
*Dec 13 15:11:38.347: %SISF-6-ENTRY_CREATED: Entry created IP=192.0.9.28 VLAN=200 MAC=001b.4411.3ab7 I/F=Te1/0/4 Preflevel=00FF
*Dec 13 15:11:38.347: %SISF-6-ENTRY_CREATED: Entry created IP=192.0.9.29 VLAN=200 MAC=001b.4411.3ab7 I/F=Te1/0/4 Preflevel=00FF

Device# show device-tracking database
Binding Table has 5 entries, 5 dynamic (limit 200000)
Codes: L - Local, S - Static, ND - Neighbor Discovery, ARP - Address Resolution Protocol, DH4 - IPv4 DHCP, DH6 - IPv6 DHCP, PKT - Other Packet, API - API created
Preflevel flags (prlvl):
0001:MAC and LLA match     0002:Orig trunk            0004:Orig access           
0008:Orig trusted trunk    0010:Orig trusted access   0020:DHCP assigned         
0040:Cga authenticated     0080:Cert authenticated    0100:Statically assigned   


    Network Layer Address                    Link Layer Address     Interface  vlan       prlvl      age        state      Time left       
ARP 192.0.9.29                               001b.4411.3ab7         Te1/0/4    200        00FF       15s        REACHABLE  716 s           
ARP 192.0.9.28                               001b.4411.3ab7         Te1/0/4    200        00FF       15s        REACHABLE  702 s           
ARP 192.0.9.27                               001b.4411.3ab7         Te1/0/4    200        00FF       15s        REACHABLE  705 s           
ARP 192.0.9.26                               001b.4411.3ab7         Te1/0/4    200        00FF       15s        REACHABLE  716 s           
ARP 192.0.9.25                               001b.4411.3ab7         Te1/0/4    200        00FF       15s        REACHABLE  718 s       
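
The ENTRY_CREATED, ENTRY_DELETED and ENTRY_MAX_ORANGE messages above are what a log pipeline receives when device-tracking binding logging is enabled. The following Python script is an added example, not Cisco code: it replays SISF entry-created and entry-deleted syslog lines against a policy's limit address-count, reproduces the 80% warning that the switch itself raises as %SISF-6-ENTRY_MAX_ORANGE (in the output above it fires on the 20th of 25 and on the 4th of 5 entries, so the limit is counted per port and VLAN target, not per MAC), and reports when a target holds more bindings than the configured limit. The regular expression is written against the message format shown in this example; the sample log lines are constructed in the style of the output above; treating a count above the limit as a finding, and counting distinct MACs per target, are this example's additions, not switch behaviour described on this page.

```python
"""Replay SISF device-tracking syslog events against a limit address-count.

Added example, not Cisco code. The message format follows the
%SISF-6-ENTRY_CREATED / ENTRY_DELETED lines shown on the page; the 80%
warning mirrors %SISF-6-ENTRY_MAX_ORANGE. Flagging a count above the
limit and counting MACs per target are this script's own additions.
"""
import math
import re
from collections import defaultdict

# Matches the entry-created / entry-deleted lines as printed by the switch.
ENTRY_RE = re.compile(
    r"%SISF-6-ENTRY_(?P<event>CREATED|DELETED): Entry (?:created|deleted) "
    r"IP=(?P<ip>\S+) VLAN=(?P<vlan>\d+) MAC=(?P<mac>[0-9a-f.]+) I/F=(?P<intf>\S+)"
)


def parse_sisf_events(lines):
    """Yield (event, ip, vlan, mac, intf) for every entry create/delete line.

    Lines that are not binding events (for example ENTRY_MAX_ORANGE) are skipped.
    """
    for line in lines:
        m = ENTRY_RE.search(line)
        if m:
            yield (m["event"], m["ip"], int(m["vlan"]), m["mac"], m["intf"])


def track_address_count(lines, limit, warn_fraction=0.8):
    """Replay events and compare each (interface, vlan) target against `limit`.

    Returns (bindings, findings):
      bindings: {(intf, vlan): {ip: mac}} as it stands after the last event
      findings: human-readable strings, one per threshold crossing
    The warning fires on the entry that brings the count to ceil(limit * 0.8),
    which is when the switch logs ENTRY_MAX_ORANGE in the page's output.
    """
    bindings = defaultdict(dict)
    findings = []
    warn_at = math.ceil(limit * warn_fraction)
    for event, ip, vlan, mac, intf in parse_sisf_events(lines):
        target = (intf, vlan)
        if event == "DELETED":
            bindings[target].pop(ip, None)
            continue
        bindings[target][ip] = mac
        n = len(bindings[target])
        if n == warn_at:
            findings.append(
                f"{intf} vlan {vlan}: {n}/{limit} addresses "
                f"({warn_fraction:.0%} of limit) after {ip}"
            )
        if n > limit:  # assumption: treat anything past the limit as a finding
            findings.append(
                f"{intf} vlan {vlan}: {n} addresses exceeds limit {limit} "
                f"(latest {ip} mac {mac})"
            )
    return dict(bindings), findings


def macs_per_target(bindings):
    """Distinct MACs per target; many IPs behind one MAC on an access port is worth a look."""
    return {t: len(set(ipmac.values())) for t, ipmac in bindings.items()}


# Constructed sample, in the style of the page's output: six entries learned on
# Te1/0/4 in VLAN 200 against a policy limit of 5, then one entry removed.
SAMPLE_LOG = [
    f"*Dec 13 15:11:38.34{i}: %SISF-6-ENTRY_CREATED: Entry created IP=192.0.9.{25 + i} "
    f"VLAN=200 MAC=001b.4411.3ab7 I/F=Te1/0/4 Preflevel=00FF"
    for i in range(6)
] + [
    "*Dec 13 15:11:38.347: %SISF-6-ENTRY_MAX_ORANGE: Reaching 80% of max adr allowed "
    "per policy (5) V=200 I=Te1/0/4 M=001b.4411.3ab7",
    "*Dec 13 15:11:40.001: %SISF-6-ENTRY_DELETED: Entry deleted IP=192.0.9.30 "
    "VLAN=200 MAC=001b.4411.3ab7 I/F=Te1/0/4 Preflevel=00FF",
]

if __name__ == "__main__":
    table, notes = track_address_count(SAMPLE_LOG, limit=5)
    for note in notes:
        print(note)
    print("distinct MACs per target:", macs_per_target(table))
```

Run the script as-is to see the 80% warning on 192.0.9.28 and the over-limit finding on 192.0.9.30; feed it real syslog from a collector by replacing SAMPLE_LOG with the lines for the port you are watching.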

device-tracking tracking

To enable polling for IPv4 and IPv6 and configure the polling parameters, use the device-tracking tracking command in global configuration mode. To disable polling, use the no form of this command.


Note


This command does not enable the SISF-based device-tracking feature. It enables configuration of polling parameters on a device where the device-tracking feature is enabled.


device-tracking tracking [ auto-source [ fallback ipv4_and_fallback_source_mask ip_prefix_mask [ override ] ] | retry-interval seconds ]

no device-tracking tracking [ auto-source | retry-interval ]

Syntax Description

auto-source

Causes the source address of an Address Resolution Protocol (ARP) probe to be sourced in the following order of preference:

  • The first preference is to set the source address to the VLAN SVI, if an SVI is configured.

  • The second preference is to locate an IP-MAC binding entry in device-tracking table, from same subnet and use that as the source address.

  • The third and last preference is to use 0.0.0.0 as the source address.

fallback ipv4_and_fallback_source_mask ip_prefix_mask

Causes the source address of an ARP probe to be sourced in the following order of preference:

  • The first preference is to set the source address to the VLAN SVI, if an SVI is configured.

  • The second preference is to locate an IP-MAC binding entry in device-tracking table, from same subnet and use that as the source address.

  • The third and last preference is to compute the source address from the client's IPv4 address and the mask provided.

    The source MAC address is taken from the MAC address of the switchport facing the client.

If you configure the fallback keyword, you must also specify an IP address and mask.

override

Causes the source address of an ARP probe to be sourced in the following order of preference:

  • The first preference is to set the source address to the VLAN SVI, if this is configured.

  • The second and last preference is to use 0.0.0.0 as the source address.

Note

 

This keyword configures SISF to not select the source address from the binding table. We do not recommend using this option if an SVI is not configured.

retry-interval seconds

Configures a multiplicative factor or "base value", for the backoff algorithm. The backoff algorithm determines the wait time between the 3 polling attempts that occur after reachable lifetime expiry.

Enter a value between 1 and 3600 seconds. The default value is one.

When polling, there is an increasing wait time between the 3 polling attempts or retries. The backoff algorithm determines this wait time. The value you configure for the retry interval is multiplied by the backoff algorithm's wait time.

For example, if the backoff algorithm determines a wait time of 2, 4, and 6 seconds between the 3 attempts respectively, and you configure a retry interval of 2 seconds, the actual interval you will observe is as follows: 2*2 seconds of wait time before the first polling attempt, 2*4 seconds for the second polling attempt and 2*6 for the third polling attempt.

If polling is enabled, but a retry interval is not configured, the switch polls the host up to 3 times at system-determined intervals.

This configuration applies to ARP probes and Neighbor Solicitation messages.

Command Default

Polling is disabled by default.

Command Modes

Global configuration [Device(config)# ]

Command History

Release Modification

Cisco IOS XE Everest 16.6.1

This command was introduced.

Usage Guidelines

Polling is a periodic and conditional checking of the host to see the state it is in, whether it is still connected, and whether it is communicating. Polling enables you to assess the continued presence of a tracked device.

Polling occurs at these junctures: 3 times after the reachable lifetime timer expires, and a final attempt at stale lifetime expiry.

  • In an IPv4 network, polling is in the form of an ARP probe. Here, the switch sends unicast ARP probes to the connected host, to determine the host's reachability status. When sending ARP probes, the system constructs packets according to RFC 5227 specifications.

  • In an IPv6 network, polling is in the form of a Neighbor Solicitation message. Here, the switch verifies reachability of a connected host by using the unicast address of the connected host as the destination address.

Configure the device-tracking tracking command in global configuration mode, to enable polling for IPv4 and IPv6.

Also configure retry-interval seconds to set the polling interval after the reachable lifetime timer expires.


Note


The auto-source, fallback ipv4_and_fallback_source_mask ip_prefix_mask, and override keywords apply only to ARP probes and not to Neighbor Solicitation messages.

The value you configure with the retry-interval seconds keyword applies to both IPv4 and IPv6.


Enter the show running-config | include device-tracking command to display the current polling settings. For example:
Device# show running-config | include device-tracking
device-tracking tracking retry-interval 2
device-tracking policy sisf-01
 device-tracking attach-policy sisf-01 vlan 200
device-tracking binding reachable-lifetime 50 stale-lifetime 150 down-lifetime 30
device-tracking binding logging

Enter the show device-tracking database command in privileged EXEC mode, to display the duration of the various lifetimes of an entry. While polling, the system changes the state of the entry to VERIFY. Check the Time left column in the output to observe the duration.

When you track the reachable and stale lifetime of an entry with the show device-tracking database command, and polling is enabled, you may notice that the STALE lifetime is sometimes shorter than what you have configured. This is because the time required for polling is subtracted from the stale lifetime.

Global versus Policy-Level Settings for Polling

After you configure the device-tracking tracking command in global configuration mode, you still have the flexibility to turn polling on or off for individual interfaces and VLANs. For this you must enable or disable polling in the policy. Note how the global and policy-level settings interact:

Global setting: polling is enabled at the global level.
  Device(config)# device-tracking tracking

  Policy-level setting                                    Result
  Polling is enabled on an interface or VLAN.             Polling is effective on the interface or VLAN.
    Device(config-device-tracking)# tracking enable
  Polling is disabled on an interface or VLAN.            Polling is not effective on the interface or VLAN.
    Device(config-device-tracking)# tracking disable
  Default polling is configured on the interface or VLAN. Because polling is enabled at the global config level, polling is effective on the interface or VLAN.
    Device(config-device-tracking)# default tracking
  The no form of the command is configured on the         The no form sets the command to its default. Because polling is enabled at the global config level, polling is effective on the interface or VLAN.
  interface or VLAN.
    Device(config-device-tracking)# no tracking

Global setting: polling is disabled at the global level.
  Device(config)# no device-tracking tracking

  Policy-level setting                                    Result
  Polling is enabled on an interface or VLAN.             Polling is effective on the interface or VLAN.
    Device(config-device-tracking)# tracking enable
  Polling is disabled on an interface or VLAN.            Polling is not effective on the interface or VLAN.
    Device(config-device-tracking)# tracking disable
  Default polling is configured on the interface or VLAN. Polling is not effective on the interface or VLAN.
    Device(config-device-tracking)# default tracking
  The no form of the command is configured on the         Polling is not effective on the interface or VLAN.
  interface or VLAN.
    Device(config-device-tracking)# no tracking

device-tracking upgrade-cli

To convert legacy IP Device Tracking (IPDT) and IPv6 Snooping commands to SISF commands, configure the device-tracking upgrade-cli command in global configuration mode. To revert to legacy commands, enter the no form of the command.

device-tracking upgrade-cli [ force | revert ]

no device-tracking upgrade-cli [ force | revert ]

Syntax Description

force

Skips the confirmation step and converts legacy IPDT and IPv6 Snooping commands to SISF commands.

revert

Reverts to legacy IPDT and IPv6 Snooping commands.

Command Default

Legacy IPDT and IPv6 Snooping commands remain as-is.

Command Modes

Global configuration [Device(config)# ]

Command History

Release Modification

Cisco IOS XE Everest 16.6.1

This command was introduced.

Usage Guidelines

Based on the legacy configuration that exists on your device, the device-tracking upgrade-cli command upgrades your CLI differently. Consider the following configuration scenarios and the corresponding migration results before you migrate your existing configuration.


Note


You cannot configure a mix of the old IPDT and IPv6 snooping CLI with the SISF-based device tracking CLI.


Only IPDT Configuration Exists

If your device has only IPDT configuration, running the device-tracking upgrade-cli command converts the configuration to use the new SISF policy that is created and attached to the interface. You can then update this SISF policy.

If you continue to use the legacy commands, this restricts you to operate in a legacy mode where only the legacy IPDT and IPv6 snooping commands are available on the device.

Only IPv6 Snooping Configuration Exists

On a device with existing IPv6 snooping configuration, the old IPv6 Snooping commands are available for further configuration. The following options are available:

  • (Recommended) Use the device-tracking upgrade-cli command to convert all your legacy configuration to the new SISF-based device tracking commands. After conversion, only the new device tracking commands will work on your device.

  • Use the legacy IPv6 Snooping commands for your future configuration and do not run the device-tracking upgrade-cli command. With this option, only the legacy IPv6 Snooping commands are available on your device, and you cannot use the new SISF-based device tracking CLI commands.

Both IPDT and IPv6 Snooping Configuration Exist

On a device that has both legacy IPDT configuration and IPv6 snooping configuration, you can convert legacy commands to the SISF-based device tracking CLI commands. However, note that only one snooping policy can be attached to an interface, and the IPv6 snooping policy parameters override the IPDT settings.


Note


If you do not migrate to the new SISF-based commands and continue to use the legacy IPv6 snooping or IPDT commands, your IPv4 device tracking configuration information may be displayed in the IPv6 snooping commands, as the SISF-based device tracking feature handles both IPv4 and IPv6 configuration. To avoid this, we recommend that you convert your legacy configuration to SISF-based device tracking commands.

No IPDT or IPv6 Snooping Configuration Exists

If your device has no legacy IP Device Tracking or IPv6 Snooping configurations, you can use only the new SISF-based device tracking commands for all your future configuration. The legacy IPDT commands and IPv6 snooping commands are not available.

Examples

The following example shows you how to convert IPv6 Snooping commands to SISF-based device-tracking commands.
Device# show ipv6 snooping features
Feature name   priority state
Device-tracking   128   READY
Source guard       32   READY

Device# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Device(config)# device-tracking upgrade-cli       
 IPv6 Snooping and IPv4 device tracking CLI will be
 converted to the new top level device-tracking CLI
Are you sure ? [yes]: yes
Number of Snooping Policies Upgraded: 2
Device(config)# exit 
After conversion, only the new SISF-based device-tracking commands will work on your device:

Device# show ipv6 snooping features
                         ^
% Invalid input detected at '^' marker.

Device# show device-tracking features
Feature name   priority state
Device-tracking   128   READY
Source guard       32   READY

Device# show device-tracking policies
Target               Type  Policy               Feature        Target range
Te1/0/4              PORT  sisf-01              Device-tracking vlan 200
vlan 200             VLAN  sisf-01              Device-tracking vlan all

dot1x authenticator eap profile

To configure the Extensible Authentication Protocol (EAP) profile to use during 802.1x authentication, use the dot1x authenticator eap profile command in interface configuration mode. To disable the EAP profile, use the no form of this command.

dot1x authenticator eap profile [name]

no dot1x authenticator eap profile

Syntax Description

name

EAP authenticator profile name.

Command Default

EAP profile is disabled.

Command Modes

Interface configuration (config-if)

Command History

Release

Modification

Cisco IOS XE Cupertino 17.7.1

This command was introduced.

Usage Guidelines

You must enter the switchport mode access command on a switch port before entering this command.

Examples

The following example shows how to configure Cisco TrustSec manual configuration and 802.1x configurations together:

Device(config)# interface gigabitethernet 1/0/1
Device(config-if)# switchport mode access
Device(config-if)# cts manual
Device(config-if-cts-manual)# propagate sgt
Device(config-if-cts-manual)# policy static sgt 77 trusted
Device(config-if-cts-manual)# exit
Device(config-if)# dot1x pae authenticator
Device(config-if)# dot1x authenticator eap profile md5

dot1x critical (global configuration)

To configure the IEEE 802.1X critical authentication parameters, use the dot1x critical command in global configuration mode.

dot1x critical eapol

Syntax Description

eapol

Specifies that the switch send an EAPOL-Success message when the device successfully authenticates the critical port.

Command Default

eapol is disabled

Command Modes

Global configuration (config)

Command History

Release

Modification

Cisco IOS XE Everest 16.6.1

This command was introduced.

Examples

This example shows how to specify that the device sends an EAPOL-Success message when the device successfully authenticates the critical port:

Device> enable
Device# configure terminal
Device(config)# dot1x critical eapol
Device(config)# exit

dot1x logging verbose

To filter detailed information from 802.1x system messages, use the dot1x logging verbose command in global configuration mode on a device stack or on a standalone device.

dot1x logging verbose

no dot1x logging verbose

Syntax Description

This command has no arguments or keywords.

Command Default

Detailed logging of system messages is not enabled.

Command Modes

Global configuration (config)

Command History

Release

Modification

Cisco IOS XE Everest 16.6.1

This command was introduced.

Usage Guidelines

This command filters details, such as anticipated success, from 802.1x system messages. Failure messages are not filtered.

Examples

The following example shows how to filter verbose 802.1x system messages:

Device> enable
Device# configure terminal
Device(config)# dot1x logging verbose
Device(config)# exit

dot1x pae

To set the Port Access Entity (PAE) type, use the dot1x pae command in interface configuration mode. To disable the PAE type that was set, use the no form of this command.

dot1x pae { supplicant | authenticator}

no dot1x pae { supplicant | authenticator}

Syntax Description

supplicant

The interface acts only as a supplicant and will not respond to messages that are meant for an authenticator.

authenticator

The interface acts only as an authenticator and will not respond to any messages meant for a supplicant.

Command Default

PAE type is not set.

Command Modes

Interface configuration (config-if)

Command History

Release

Modification

Cisco IOS XE Everest 16.6.1

This command was introduced.

Usage Guidelines

Use the no dot1x pae interface configuration command to disable IEEE 802.1x authentication on the port.

When you configure IEEE 802.1x authentication on a port, such as by entering the dot1x port-control interface configuration command, the device automatically configures the port as an IEEE 802.1x authenticator. After the no dot1x pae interface configuration command is entered, the Authenticator PAE operation is disabled.

Examples

The following example shows that the interface has been set to act as a supplicant:

Device> enable
Device# configure terminal
Device(config)# interface gigabitethernet 1/0/3
Device(config-if)# dot1x pae supplicant
Device(config-if)# end

dot1x supplicant controlled transient

To control access to an 802.1x supplicant port during authentication, use the dot1x supplicant controlled transient command in global configuration mode. To open the supplicant port during authentication, use the no form of this command.

dot1x supplicant controlled transient

no dot1x supplicant controlled transient

Syntax Description

This command has no arguments or keywords.

Command Default

Access is allowed to 802.1x supplicant ports during authentication.

Command Modes

Global configuration (config)

Command History

Release

Modification

Cisco IOS XE Everest 16.6.1

This command was introduced.

Usage Guidelines

In the default state, when you connect a supplicant device to an authenticator switch that has BPDU guard enabled, the authenticator port can be error-disabled if it receives a Spanning Tree Protocol (STP) bridge protocol data unit (BPDU) before the supplicant switch has authenticated. You can control traffic exiting the supplicant port during the authentication period. Entering the dot1x supplicant controlled transient command temporarily blocks the supplicant port during authentication to ensure that the authenticator port does not shut down before authentication completes. If authentication fails, the supplicant port opens. Entering the no dot1x supplicant controlled transient command opens the supplicant port during the authentication period; this is the default behavior.

We recommend using the dot1x supplicant controlled transient command on a supplicant device when BPDU guard is enabled on the authenticator switch port with the spanning-tree bpduguard enable interface configuration command.

Examples

This example shows how to control access to 802.1x supplicant ports on a device during authentication:

Device> enable
Device# configure terminal
Device(config)# dot1x supplicant controlled transient
Device(config)# exit

dot1x supplicant force-multicast

To force a supplicant switch to send only multicast Extensible Authentication Protocol over LAN (EAPOL) packets whenever it receives multicast or unicast EAPOL packets, use the dot1x supplicant force-multicast command in global configuration mode. To return to the default setting, use the no form of this command.

dot1x supplicant force-multicast

no dot1x supplicant force-multicast

Syntax Description

This command has no arguments or keywords.

Command Default

The supplicant device sends unicast EAPOL packets when it receives unicast EAPOL packets. Similarly, it sends multicast EAPOL packets when it receives multicast EAPOL packets.

Command Modes

Global configuration (config)

Command History

Release

Modification

Cisco IOS XE Everest 16.6.1

This command was introduced.

Usage Guidelines

Enable this command on the supplicant device for Network Edge Access Topology (NEAT) to work in all host modes.

Examples

This example shows how to force a supplicant device to send multicast EAPOL packets to the authenticator device:

Device> enable
Device# configure terminal
Device(config)# dot1x supplicant force-multicast
Device(config)# end
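The Network Edge Access Topology (NEAT) that the dot1x supplicant controlled transient and dot1x supplicant force-multicast commands are designed for, written out as an added configuration example that is not part of this command reference: the authenticator switch runs BPDU guard on its access port, and the supplicant switch holds its uplink closed until authentication completes and always answers with multicast EAPOL. Interface numbers, the credential name, the EAP profile name and the password are assumptions; the cisp enable, dot1x credentials and dot1x supplicant eap profile commands are assumed to exist on the platform and are not described on this page.

```cisco
! Added example, not from the command reference. Interface numbers, names and the
! password are assumptions; cisp enable, dot1x credentials and dot1x supplicant eap
! profile are assumed to exist on the platform and are not documented on this page.
!
! --- Authenticator switch ---
dot1x system-auth-control
cisp enable
interface GigabitEthernet1/0/1
 switchport mode access
 ! A BPDU arriving before the supplicant switch authenticates would err-disable
 ! this port; the supplicant-side "controlled transient" setting prevents that.
 spanning-tree bpduguard enable
 dot1x pae authenticator
 dot1x port-control auto
!
! --- Supplicant switch ---
dot1x system-auth-control
cisp enable
! Keep the uplink blocked while authenticating (default is open); it reopens if
! authentication fails, so this only delays, never hides, a failed authentication.
dot1x supplicant controlled transient
! Always reply with multicast EAPOL so NEAT works in every authenticator host mode.
dot1x supplicant force-multicast
dot1x credentials NEAT-SUPPLICANT
 username sw-access-01
 password ChangeMe-AssumedSecret
eap profile NEAT-EAP
 method mschapv2
interface GigabitEthernet1/0/24
 dot1x pae supplicant
 dot1x credentials NEAT-SUPPLICANT
 dot1x supplicant eap profile NEAT-EAP
```

Paste each half into global configuration mode of the respective switch. The supplicant credential is stored in the running configuration, so configuration backups of the supplicant switch must be handled as secrets, and the EAP method in the profile has to match what the authentication server accepts for that account.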

dot1x test eapol-capable

To monitor IEEE 802.1x activity on all the switch ports and to display information about the devices that are connected to the ports that support IEEE 802.1x, use the dot1x test eapol-capable command in privileged EXEC mode.

dot1x test eapol-capable [ interface interface-id]

Syntax Description

interface interface-id

(Optional) Port to be queried.

Command Default

There is no default setting.

Command Modes

Privileged EXEC (#)

Command History

Release

Modification

Cisco IOS XE Everest 16.6.1

This command was introduced.

Usage Guidelines

Use this command to test the IEEE 802.1x capability of the devices connected to all ports or to specific ports on a switch.

This command does not have a no form.

Examples

This example shows how to enable the IEEE 802.1x readiness check on a switch to query a port. It also shows the response received from the queried port verifying that the device connected to it is IEEE 802.1x-capable:

Device> enable
Device# dot1x test eapol-capable interface gigabitethernet1/0/13 

DOT1X_PORT_EAPOL_CAPABLE:DOT1X: MAC 00-01-02-4b-f1-a3 on gigabitethernet1/0/13 is EAPOL capable

dot1x test timeout

To configure the timeout used to wait for an EAPOL response from a port being queried for IEEE 802.1x readiness, use the dot1x test timeout command in global configuration mode.

dot1x test timeout timeout

Syntax Description

timeout

Time in seconds to wait for an EAPOL response. The range is from 1 to 65535 seconds.

Command Default

The default setting is 10 seconds.

Command Modes

Global configuration (config)

Command History

Release

Modification

Cisco IOS XE Everest 16.6.1

This command was introduced.

Usage Guidelines

Use this command to configure the timeout used to wait for EAPOL response.

This command does not have a no form.

Examples

This example shows how to configure the switch to wait 27 seconds for an EAPOL response:

Device> enable
Device# configure terminal
Device(config)# dot1x test timeout 27
Device(config)# end

You can verify the timeout configuration status by entering the show running-config command.

dot1x timeout

To configure the value for retry timeouts, use the dot1x timeout command in global configuration or interface configuration mode. To return to the default value for retry timeouts, use the no form of this command.

dot1x timeout { auth-period seconds | held-period seconds | quiet-period seconds | ratelimit-period seconds | server-timeout seconds | start-period seconds | supp-timeout seconds | tx-period seconds}

Syntax Description

auth-period seconds

Configures the time, in seconds, that a supplicant waits for a response from the authenticator before it times out the EAP exchange (the IEEE 802.1X supplicant authPeriod timer).

The range is from 1 to 65535. The default is 30.

held-period seconds

Configures the time, in seconds, for which a supplicant stays in the HELD state (that is, the length of time it waits before trying to send the credentials again after a failed attempt).

The range is from 1 to 65535. The default is 60.

quiet-period seconds

Configures the time, in seconds, that the authenticator (server) remains quiet (in the HELD state) following a failed authentication exchange before trying to reauthenticate the client.

The range is from 1 to 65535. The default is 60.

ratelimit-period seconds

Throttles the EAPOL-Start packets that are sent from misbehaving client PCs (for example, PCs that send EAPOL-Start packets that waste device processing power).

  • The authenticator ignores EAPOL-Start packets from clients that have successfully authenticated for the rate-limit period duration.

  • The range is from 1 to 65535. By default, rate limiting is disabled.

server-timeout seconds

Configures the authenticator-to-authentication-server retransmission time, in seconds.

  • The range is from 1 to 65535. The default is 30.

If the server does not send a response to an 802.1X packet within the specified period, the packet is sent again.

start-period seconds

Configures the interval, in seconds, between two successive EAPOL-Start frames when they are being retransmitted.

The range is from 1 to 65535. The default is 30.

supp-timeout seconds

Sets the authenticator-to-supplicant retransmission time for all EAP messages other than EAP Request ID.

The range is from 1 to 65535. The default is 30.

tx-period seconds

Configures the number of seconds between retransmission of EAP request ID packets (assuming that no response is received) to the client.

  • The range is from 1 to 65535. The default is 30.

  • If an 802.1X packet is sent to the supplicant and the supplicant does not send a response after the retry period, the packet will be sent again.

Command Default

Each timer uses the default value listed in the Syntax Description; EAPOL-Start rate limiting is disabled.

Command Modes

Global configuration (config)

Interface configuration (config-if)

Command History

Release

Modification

Cisco IOS XE Everest 16.6.1

This command was introduced.

Usage Guidelines

You should change the default value of this command only to adjust for unusual circumstances such as unreliable links or specific behavioral problems with certain clients and authentication servers.

The dot1x timeout reauth-period interface configuration command affects the behavior of the device only if you have enabled periodic re-authentication by using the dot1x reauthentication interface configuration command.

During the quiet period, the device does not accept or initiate any authentication requests. If you want to provide a faster response time to the user, enter a number smaller than the default. Note that a shorter quiet period also lets a host retry failed credentials against the authentication server more often, so do not lower it further than the user experience requires.

When the ratelimit-period is set to 0 (the default), the device does not ignore EAPOL packets from clients that have been successfully authenticated.
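The timers above, set together on one authenticator port, as an added configuration example that is not part of this command reference. The interface number and the chosen values are assumptions, as is the AAA and RADIUS configuration the port relies on, which is not shown; the comments state the trade-off each timer makes.

```cisco
! Added example, not from the command reference. Interface and timer values are
! assumptions; the AAA/RADIUS configuration the port depends on is not shown.
interface GigabitEthernet1/0/5
 switchport mode access
 dot1x pae authenticator
 dot1x port-control auto
 ! Retransmit EAP-Request/Identity every 10 s instead of 30 s: a supplicant that
 ! starts late gets a prompt sooner, at the cost of more EAPOL frames to silent hosts.
 dot1x timeout tx-period 10
 ! Other EAP requests must be answered by the supplicant within 15 s.
 dot1x timeout supp-timeout 15
 ! Retransmit to the authentication server after 15 s instead of 30 s.
 dot1x timeout server-timeout 15
 ! Keep the 60 s quiet period after a failure: shortening it speeds up a user's
 ! legitimate retry but also lets a misconfigured or hostile host retry faster.
 dot1x timeout quiet-period 60
 ! Ignore EAPOL-Start from an already authenticated client for 60 s, so a
 ! misbehaving host cannot force repeated re-authentication and burn CPU on the
 ! device and the server (rate limiting is off by default).
 dot1x timeout ratelimit-period 60
 ! Periodic reauthentication must be enabled for the reauthentication period
 ! to have any effect.
 dot1x reauthentication
```

After applying it, confirm the effective values with show dot1x interface GigabitEthernet1/0/5 details before rolling the same timers out further: the tx-period and supp-timeout values bound how long a non-802.1X host keeps the port in the unauthorized state, so they should be changed only for the unreliable links or problem clients the usage guidelines describe.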