Security

aaa accounting

To enable authentication, authorization, and accounting (AAA) accounting of requested services for billing or security purposes when you use RADIUS or TACACS+, use the aaa accounting command in global configuration mode. To disable AAA accounting, use the no form of this command.

aaa accounting { auth-proxy | system | network | exec | connection | commands level } { default | list-name } { start-stop | stop-only | none } [ broadcast ] group group-name

no aaa accounting { auth-proxy | system | network | exec | connection | commands level } { default | list-name } { start-stop | stop-only | none } [ broadcast ] group group-name

Syntax Description

auth-proxy

Provides information about all authenticated-proxy user events.

system

Performs accounting for all system-level events not associated with users, such as reloads.

network

Runs accounting for all network-related service requests.

exec

Runs accounting for EXEC shell sessions. This keyword might return user profile information such as what is generated by the autocommand command.

connection

Provides information about all outbound connections made from the network access server.

commands level

Runs accounting for all commands at the specified privilege level. Valid privilege level entries are integers from 0 through 15.

default

Uses the listed accounting methods that follow this argument as the default list of methods for accounting services.

list-name

Character string used to name the list of at least one of the accounting methods described in the AAA Accounting Methods table.

start-stop

Sends a "start" accounting notice at the beginning of a process and a "stop" accounting notice at the end of a process. The "start" accounting record is sent in the background. The requested user process begins regardless of whether the "start" accounting notice was received by the accounting server.

stop-only

Sends a "stop" accounting notice at the end of the requested user process.

none

Disables accounting services on this line or interface.

broadcast

(Optional) Enables sending accounting records to multiple AAA servers. Simultaneously sends accounting records to the first server in each group. If the first server is unavailable, fail over occurs using the backup servers defined within that group.

group group-name

At least one of the keywords described in the AAA Accounting Methods table.

Command Default

AAA accounting is disabled.

Command Modes

Global configuration (config)

Command History

Release                      Modification
Cisco IOS XE Everest 16.6.1  This command was introduced.

Usage Guidelines

Use the aaa accounting command to enable accounting and to create named method lists defining specific accounting methods on a per-line or per-interface basis.

Table 1. AAA Accounting Methods

Keyword           Description
group radius      Uses the list of all RADIUS servers for authentication as defined by the aaa group server radius command.
group tacacs+     Uses the list of all TACACS+ servers for authentication as defined by the aaa group server tacacs+ command.
group group-name  Uses a subset of RADIUS or TACACS+ servers for accounting as defined by the server group group-name.

In AAA Accounting Methods table, the group radius and group tacacs+ methods refer to a set of previously defined RADIUS or TACACS+ servers. Use the radius server and tacacs server commands to configure the host servers. Use the aaa group server radius and aaa group server tacacs+ commands to create a named group of servers.

Cisco IOS XE software supports the following two methods of accounting:

  • RADIUS—The network access server reports user activity to the RADIUS security server in the form of accounting records. Each accounting record contains accounting attribute-value (AV) pairs and is stored on the security server.

  • TACACS+—The network access server reports user activity to the TACACS+ security server in the form of accounting records. Each accounting record contains accounting attribute-value (AV) pairs and is stored on the security server.

Method lists for accounting define the way accounting will be performed. Named accounting method lists enable you to designate a particular security protocol to be used on specific lines or interfaces for particular types of accounting services. Create a list by entering the list-name and the method, where list-name is any character string used to name this list (excluding the names of methods, such as radius or tacacs+) and method identifies the methods to be tried in the sequence given.

If the aaa accounting command for a particular accounting type is issued without a named method list specified, the default method list is automatically applied to all interfaces or lines (where this accounting type applies) except those that have a named method list explicitly defined. (A defined method list overrides the default method list.) If no default method list is defined, then no accounting takes place.
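The default-versus-named-list rule above is easy to get wrong when auditing a configuration, so here is an added example (not Cisco's code) that parses a constructed IOS-style running-config and answers which accounting method list is in effect for a given accounting type on a given line. The configuration text, list names (ADMINS) and the fallback-to-default behaviour for a list name that is not defined are all assumptions of this example.

```python
"""Resolve which AAA accounting method list applies to a line or interface.

Added example, not Cisco's code: it models the rule that a named list
assigned to a line overrides the default list, and that with no default
list no accounting takes place, over a constructed IOS-style configuration.
"""
import re
from dataclasses import dataclass

# Constructed sample running-config (not taken from a real device).
SAMPLE_CONFIG = """\
aaa new-model
aaa accounting exec default start-stop group radius
aaa accounting exec ADMINS start-stop group tacacs+
aaa accounting commands 15 ADMINS stop-only group tacacs+
aaa accounting network default start-stop broadcast group radius group tacacs+
!
line vty 0 4
 accounting exec ADMINS
 accounting commands 15 ADMINS
line vty 5 15
 accounting exec default
"""

ACCT_RE = re.compile(
    r"^aaa accounting "
    r"(?P<type>auth-proxy|system|network|exec|connection|commands \d+) "
    r"(?P<list>\S+) (?P<record>start-stop|stop-only|none)(?P<rest>.*)$"
)


@dataclass
class MethodList:
    acct_type: str      # e.g. "exec" or "commands 15"
    name: str           # "default" or a list-name
    record: str         # start-stop | stop-only | none
    broadcast: bool     # records go to the first server of every group
    groups: list        # server groups, in the order given


def parse_method_lists(config):
    """Return {(acct_type, list_name): MethodList} for each 'aaa accounting' line."""
    lists = {}
    for line in config.splitlines():
        m = ACCT_RE.match(line.strip())
        if not m:
            continue
        rest = m.group("rest").split()
        groups = [rest[i + 1] for i, tok in enumerate(rest)
                  if tok == "group" and i + 1 < len(rest)]
        ml = MethodList(m.group("type"), m.group("list"), m.group("record"),
                        "broadcast" in rest, groups)
        lists[(ml.acct_type, ml.name)] = ml
    return lists


def parse_line_assignments(config):
    """Return {'line vty 0 4': {acct_type: list_name}} from the 'accounting ...'
    commands nested under each 'line ...' block."""
    assignments, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            assignments.setdefault(current, {})
        elif current and raw.startswith(" accounting "):
            parts = raw.split()
            if parts[1] == "commands":          # accounting commands 15 ADMINS
                assignments[current]["commands " + parts[2]] = parts[3]
            else:                               # accounting exec ADMINS
                assignments[current][parts[1]] = parts[2]
        elif not raw.startswith(" "):
            current = None                      # left the line block


    return assignments


def effective_list(config, line_block, acct_type):
    """A named list assigned on the line wins; otherwise the default list applies;
    otherwise None, meaning no accounting of this type on this line.
    (A named list that is assigned but not defined falls back to the default
    here; that fallback is an assumption of this example.)"""
    lists = parse_method_lists(config)
    assigned = parse_line_assignments(config).get(line_block, {}).get(acct_type)
    if assigned and (acct_type, assigned) in lists:
        return lists[(acct_type, assigned)]
    return lists.get((acct_type, "default"))


if __name__ == "__main__":
    for block in ("line vty 0 4", "line vty 5 15"):
        for acct in ("exec", "commands 15", "network"):
            ml = effective_list(SAMPLE_CONFIG, block, acct)
            print(block, acct, "->", ml.name if ml else "no accounting",
                  ml.groups if ml else "")
```

Run as a script, it reports that command accounting at level 15 is active only on vty 0 through 4: vty 5 through 15 has no named list for that type and no default list exists, so no command accounting takes place there, which is exactly the gap an auditor wants surfaced.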


Note

System accounting does not use named accounting lists; you can only define the default list for system accounting.

For minimal accounting, include the stop-only keyword to send a stop record accounting notice at the end of the requested user process. For more accounting, you can include the start-stop keyword, so that RADIUS or TACACS+ sends a start accounting notice at the beginning of the requested process and a stop accounting notice at the end of the process. Accounting is stored only on the RADIUS or TACACS+ server. The none keyword disables accounting services for the specified line or interface.

When AAA accounting is activated, the network access server monitors either RADIUS accounting attributes or TACACS+ AV pairs pertinent to the connection, depending on the security method you have implemented. The network access server reports these attributes as accounting records, which are then stored in an accounting log on the security server.


Note

This command cannot be used with TACACS or extended TACACS.

Examples

This example defines a default commands accounting method list, where accounting services are provided by a TACACS+ security server, set for privilege level 15 commands with a stop-only restriction:

Device> enable
Device# configure terminal
Device(config)# aaa accounting commands 15 default stop-only group TACACS+
Device(config)# exit

This example defines a default auth-proxy accounting method list, where accounting services are provided by a TACACS+ security server and both start and stop records are sent (start-stop). The aaa accounting auth-proxy command activates authentication proxy accounting.

Device> enable
Device# configure terminal
Device(config)# aaa new-model
Device(config)# aaa authentication login default group TACACS+
Device(config)# aaa authorization auth-proxy default group TACACS+
Device(config)# aaa accounting auth-proxy default start-stop group TACACS+
Device(config)# exit

aaa accounting dot1x

To enable authentication, authorization, and accounting (AAA) accounting and to create method lists defining specific accounting methods on a per-line or per-interface basis for IEEE 802.1x sessions, use the aaa accounting dot1x command in global configuration mode. To disable IEEE 802.1x accounting, use the no form of this command.

aaa accounting dot1x { name | default } start-stop { broadcast group { name | radius | tacacs+} [ group { name | radius | tacacs+} ... ] | group { name | radius | tacacs+} [ group { name | radius | tacacs+} ... ]}

no aaa accounting dot1x { name | default }

Syntax Description

name

Name of a server group. This is optional when you enter it after the broadcast group and group keywords.

default

Specifies the accounting methods that follow as the default list for accounting services.

start-stop

Sends a start accounting notice at the beginning of a process and a stop accounting notice at the end of a process. The start accounting record is sent in the background. The requested user process begins regardless of whether or not the start accounting notice was received by the accounting server.

broadcast

Enables accounting records to be sent to multiple AAA servers and sends accounting records to the first server in each group. If the first server is unavailable, the device uses the list of backup servers to identify the first server.

group

Specifies the server group to be used for accounting services. These are valid server group names:

  • name — Name of a server group.

  • radius — Lists of all RADIUS hosts.

  • tacacs+ — Lists of all TACACS+ hosts.

The group keyword is optional when you enter it after the broadcast group and group keywords. You can enter more than one optional group keyword.

radius

(Optional) Enables RADIUS accounting.

tacacs+

(Optional) Enables TACACS+ accounting.

Command Default

AAA accounting is disabled.

Command Modes

Global configuration (config)

Command History

Release                      Modification
Cisco IOS XE Everest 16.6.1  This command was introduced.

Usage Guidelines

This command requires access to a RADIUS server.

We recommend that you enter the dot1x reauthentication interface configuration command before configuring IEEE 802.1x RADIUS accounting on an interface.

Examples

This example shows how to configure IEEE 802.1x accounting:


Device> enable
Device# configure terminal
Device(config)# aaa new-model
Device(config)# aaa accounting dot1x default start-stop group radius
Device(config)# exit

aaa accounting identity

To enable authentication, authorization, and accounting (AAA) accounting for IEEE 802.1x, MAC authentication bypass (MAB), and web authentication sessions, use the aaa accounting identity command in global configuration mode. To disable IEEE 802.1x accounting, use the no form of this command.

aaa accounting identity { name | default } start-stop { broadcast group { name | radius | tacacs+} [ group { name | radius | tacacs+} ... ] | group { name | radius | tacacs+} [ group { name | radius | tacacs+} ... ]}

no aaa accounting identity { name | default }

Syntax Description

name

Name of a server group. This is optional when you enter it after the broadcast group and group keywords.

default

Uses the accounting methods that follow as the default list for accounting services.

start-stop

Sends a start accounting notice at the beginning of a process and a stop accounting notice at the end of a process. The start accounting record is sent in the background. The requested user process begins regardless of whether or not the start accounting notice was received by the accounting server.

broadcast

Enables accounting records to be sent to multiple AAA servers and sends accounting records to the first server in each group. If the first server is unavailable, the switch uses the list of backup servers to identify the first server.

group

Specifies the server group to be used for accounting services. These are valid server group names:

  • name — Name of a server group.

  • radius — Lists of all RADIUS hosts.

  • tacacs+ — Lists of all TACACS+ hosts.

The group keyword is optional when you enter it after the broadcast group and group keywords. You can enter more than one optional group keyword.

radius

(Optional) Enables RADIUS accounting.

tacacs+

(Optional) Enables TACACS+ accounting.

Command Default

AAA accounting is disabled.

Command Modes

Global configuration (config)

Command History

Release                      Modification
Cisco IOS XE Everest 16.6.1  This command was introduced.

Usage Guidelines

To enable AAA accounting identity, you need to enable policy mode. To enable policy mode, enter the authentication display new-style command in privileged EXEC mode.

Examples

This example shows how to configure IEEE 802.1x accounting identity:


Device# authentication display new-style

Please note that while you can revert to legacy style
configuration at any time unless you have explicitly
entered new-style configuration, the following caveats
should be carefully read and understood.

(1) If you save the config in this mode, it will be written
    to NVRAM in NEW-style config, and if you subsequently
    reload the router without reverting to legacy config and
    saving that, you will no longer be able to revert.

(2) In this and legacy mode, Webauth is not IPv6-capable. It
    will only become IPv6-capable once you have entered new-
    style config manually, or have reloaded with config saved
    in 'authentication display new' mode.

Device# configure terminal
Device(config)# aaa accounting identity default start-stop group radius
Device(config)# exit

aaa authentication dot1x

To specify the authentication, authorization, and accounting (AAA) method to use on ports complying with the IEEE 802.1x authentication, use the aaa authentication dot1x command in global configuration mode. To disable authentication, use the no form of this command.

aaa authentication dot1x { default } method1

no aaa authentication dot1x { default } method1

Syntax Description

default

The default method when a user logs in. Use the listed authentication method that follows this argument.

method1

Specifies the authentication method. Enter the group radius keywords to use the list of all RADIUS servers for authentication.

Note

Though other keywords are visible in the command-line help strings, only the default and group radius keywords are supported.

Command Default

No authentication is performed.

Command Modes

Global configuration (config)

Command History

Release                      Modification
Cisco IOS XE Everest 16.6.1  This command was introduced.

Usage Guidelines

The method argument identifies the method that the authentication algorithm tries in the specified sequence to validate the password provided by the client. The only method that is IEEE 802.1x-compliant is the group radius method, in which the client data is validated against a RADIUS authentication server.

If you specify group radius , you must configure the RADIUS server by entering the radius-server host global configuration command.

Use the show running-config privileged EXEC command to display the configured lists of authentication methods.

Examples

This example shows how to enable AAA and how to create an IEEE 802.1x-compliant authentication list. This authentication first tries to contact a RADIUS server. If this action returns an error, the user is not allowed access to the network.

Device> enable
Device# configure terminal
Device(config)# aaa new-model
Device(config)# aaa authentication dot1x default group radius
Device(config)# exit

aaa new-model

To enable the authentication, authorization, and accounting (AAA) access control model, issue the aaa new-model command in global configuration mode. To disable the AAA access control model, use the no form of this command.

aaa new-model

no aaa new-model

Syntax Description

This command has no arguments or keywords.

Command Default

AAA is not enabled.

Command Modes

Global configuration (config)

Command History

Release                      Modification
Cisco IOS XE Everest 16.6.1  This command was introduced.

Usage Guidelines

This command enables the AAA access control system.

If the login local command is configured for a virtual terminal line (VTY), and the aaa new-model command is removed, you must reload the switch to get the default configuration or the login command. If the switch is not reloaded, the switch defaults to the login local command under the VTY.


Note

We do not recommend removing the aaa new-model command.

Examples

The following example initializes AAA:

Device> enable
Device# configure terminal
Device(config)# aaa new-model
Device(config)# exit

The following example shows a VTY configured and the aaa new-model command removed:

Device> enable
Device# configure terminal
Device(config)# aaa new-model
Device(config)# line vty 0 15
Device(config-line)# login local
Device(config-line)# exit
Device(config)# no aaa new-model
Device(config)# exit 
Device# show running-config | b line vty

line vty 0 4
 login local  !<=== Login local instead of "login"
line vty 5 15
 login local
!

authentication host-mode

To set the authorization manager mode on a port, use the authentication host-mode command in interface configuration mode. To return to the default setting, use the no form of this command.

authentication host-mode { multi-auth | multi-domain | multi-host | single-host}

no authentication host-mode

Syntax Description

multi-auth

Enables multiple-authorization mode (multi-auth mode) on the port.

multi-domain

Enables multiple-domain mode on the port.

multi-host

Enables multiple-host mode on the port.

single-host

Enables single-host mode on the port.

Command Default

Single host mode is enabled.

Command Modes

Interface configuration (config-if)

Command History

Release                      Modification
Cisco IOS XE Everest 16.6.1  This command was introduced.

Usage Guidelines

Single-host mode should be configured if only one data host is connected. Do not connect a voice device to authenticate on a single-host port. Voice device authorization fails if no voice VLAN is configured on the port.

Multi-domain mode should be configured if a data host is connected to the port through an IP phone, or if the voice device needs to be authenticated.

Multi-auth mode should be configured to allow devices behind a hub to obtain secured port access through individual authentication. Only one voice device can be authenticated in this mode if a voice VLAN is configured.

Multi-host mode also offers port access for multiple hosts behind a hub, but multi-host mode gives unrestricted port access to the devices after the first user gets authenticated.

Examples

This example shows how to enable multi-auth mode on a port:

Device> enable
Device# configure terminal
Device(config)# interface gigabitethernet 2/0/1
Device(config-if)# authentication host-mode multi-auth
Device(config-if)# end

This example shows how to enable multi-domain mode on a port:

Device> enable
Device# configure terminal
Device(config)# interface gigabitethernet 2/0/1
Device(config-if)# authentication host-mode multi-domain
Device(config-if)# end

This example shows how to enable multi-host mode on a port:

Device> enable
Device# configure terminal
Device(config)# interface gigabitethernet 2/0/1
Device(config-if)# authentication host-mode multi-host
Device(config-if)# end

This example shows how to enable single-host mode on a port:

Device> enable
Device# configure terminal
Device(config)# interface gigabitethernet 2/0/1
Device(config-if)# authentication host-mode single-host
Device(config-if)# end

You can verify your settings by entering the show authentication sessions interface interface details privileged EXEC command.

authentication logging verbose

To filter detailed information from authentication system messages, use the authentication logging verbose command in global configuration mode on the switch stack or on a standalone switch.

authentication logging verbose

no authentication logging verbose

Syntax Description

This command has no arguments or keywords.

Command Default

Detailed logging of system messages is not enabled.

Command Modes

Global configuration (config)

Command History

Release                      Modification
Cisco IOS XE Everest 16.6.1  This command was introduced.

Usage Guidelines

This command filters details, such as anticipated success, from authentication system messages. Failure messages are not filtered.

Examples

To filter verbose authentication system messages:

Device> enable
Device# configure terminal
Device(config)# authentication logging verbose
Device(config)# exit

You can verify your settings by entering the show running-config privileged EXEC command.

authentication mac-move permit

To enable MAC move on a device, use the authentication mac-move permit command in global configuration mode. To disable MAC move, use the no form of this command.

authentication mac-move permit

no authentication mac-move permit

Syntax Description

This command has no arguments or keywords.

Command Default

MAC move is disabled.

Command Modes

Global configuration (config)

Command History

Release                      Modification
Cisco IOS XE Everest 16.6.1  This command was introduced.

Usage Guidelines

The command enables authenticated hosts to move between any authentication-enabled ports (MAC authentication bypass [MAB], 802.1x, or Web-auth) on a device. For example, if there is a device between an authenticated host and port, and that host moves to another port, the authentication session is deleted from the first port, and the host is reauthenticated on the new port.

If MAC move is disabled, and an authenticated host moves to another port, it is not reauthenticated, and a violation error occurs.

Examples

This example shows how to enable MAC move on a device:

Device> enable
Device# configure terminal
Device(config)# authentication mac-move permit
Device(config)# exit

authentication priority

To add an authentication method to the port-priority list, use the authentication priority command in interface configuration mode. To return to the default, use the no form of this command.

authentication priority [ dot1x | mab] { webauth}

no authentication priority [ dot1x | mab] { webauth}

Syntax Description

dot1x

(Optional) Adds 802.1x to the order of authentication methods.

mab

(Optional) Adds MAC authentication bypass (MAB) to the order of authentication methods.

webauth

Adds web authentication to the order of authentication methods.

Command Default

The default priority is 802.1x authentication, followed by MAC authentication bypass and web authentication.

Command Modes

Interface configuration (config-if)

Command History

Release                      Modification
Cisco IOS XE Everest 16.6.1  This command was introduced.

Usage Guidelines

Ordering sets the order of methods that the device attempts when a new device connects to a port and must be authenticated.

When configuring multiple fallback methods on a port, set web authentication (webauth) last.

Assigning priorities to different authentication methods allows a higher-priority method to interrupt an in-progress authentication method with a lower priority.


Note

If a client is already authenticated, it might be reauthenticated if an interruption from a higher-priority method occurs.

The default priority of an authentication method is equivalent to its position in execution-list order: 802.1x authentication, MAC authentication bypass (MAB), and web authentication. Use the dot1x , mab , and webauth keywords to change this default order.

Examples

This example shows how to set 802.1x as the first authentication method and web authentication as the second authentication method:

Device(config-if)# authentication priority dot1x webauth

This example shows how to set MAB as the first authentication method and web authentication as the second authentication method:

Device> enable
Device# configure terminal
Device(config)# interface gigabitethernet 0/1/2
Device(config-if)# authentication priority mab webauth
Device(config-if)# end

authentication violation

To configure the violation modes that occur when a new device connects to a port or when a new device connects to a port after the maximum number of devices are connected to that port, use the authentication violation command in interface configuration mode.

authentication violation { protect | replace | restrict | shutdown }

no authentication violation { protect | replace | restrict | shutdown }

Syntax Description

protect

Drops unexpected incoming MAC addresses. No syslog errors are generated.

replace

Removes the current session and initiates authentication with the new host.

restrict

Generates a syslog error when a violation error occurs.

shutdown

Error-disables the port or the virtual port on which an unexpected MAC address occurs.

Command Default

Authentication violation shutdown mode is enabled.

Command Modes

Interface configuration (config-if)

Command History

Release                      Modification
Cisco IOS XE Everest 16.6.1  This command was introduced.

Usage Guidelines

Use the authentication violation command to specify the action to be taken when a security violation occurs on a port.

Examples

This example shows how to configure an IEEE 802.1x-enabled port to be error-disabled and shut down when a new device connects to it:

Device> enable
Device# configure terminal
Device(config)# interface gigabitethernet 2/0/1
Device(config-if)# authentication violation shutdown
Device(config-if)# end

This example shows how to configure an 802.1x-enabled port to generate a system error message and to change the port to restricted mode when a new device connects to it:

Device> enable
Device# configure terminal
Device(config)# interface gigabitethernet 2/0/1
Device(config-if)# authentication violation restrict
Device(config-if)# end

This example shows how to configure an 802.1x-enabled port to ignore a new device when it connects to the port:

Device> enable
Device# configure terminal
Device(config)# interface gigabitethernet 2/0/1
Device(config-if)# authentication violation protect
Device(config-if)# end

This example shows how to configure an 802.1x-enabled port to remove the current session and initiate authentication with a new device when it connects to the port:

Device> enable
Device# configure terminal
Device(config)# interface gigabitethernet 2/0/1
Device(config-if)# authentication violation replace
Device(config-if)# end

You can verify your settings by entering the show running-config interface interface-name command.

cisp enable

To enable Client Information Signaling Protocol (CISP) on a device so that it acts as an authenticator to a supplicant device and a supplicant to an authenticator device, use the cisp enable global configuration command.

cisp enable

no cisp enable

Syntax Description

This command has no arguments or keywords.

Command Default

No default behavior or values.

Command Modes

Global configuration (config)

Command History

Release                      Modification
Cisco IOS XE Everest 16.6.1  This command was introduced.

Usage Guidelines

The link between the authenticator and supplicant device is a trunk. When you enable VTP on both devices, the VTP domain name must be the same, and the VTP mode must be server.

To avoid the MD5 checksum mismatch error when you configure VTP mode, verify that:

  • VLANs are not configured on two different devices, which can be caused by two VTP servers in the same domain.

  • Both devices have different configuration revision numbers.

Examples

This example shows how to enable CISP:

Device> enable
Device# configure terminal
Device(config)# cisp enable 
Device(config)# exit

clear errdisable interface vlan

To reenable a VLAN that was error-disabled, use the clear errdisable interface command in privileged EXEC mode.

clear errdisable interface interface-id vlan [ vlan-list]

Syntax Description

interface-id

Specifies an interface.

vlan vlan-list

(Optional) Specifies a list of VLANs to be reenabled. If a VLAN list is not specified, then all VLANs are reenabled.

Command Default

No default behavior or values.

Command Modes

Privileged EXEC (#)

Command History

Release                      Modification
Cisco IOS XE Everest 16.6.1  This command was introduced.

Usage Guidelines

You can reenable a port by using the shutdown and no shutdown interface configuration commands, or you can clear error-disable for VLANs by using the clear errdisable interface command.

Examples

This example shows how to reenable all VLANs that were error-disabled on Gigabit Ethernet port 4/0/2:

Device# clear errdisable interface gigabitethernet4/0/2 vlan

clear mac address-table

To delete from the MAC address table a specific dynamic address, all dynamic addresses on a particular interface, all dynamic addresses on stack members, or all dynamic addresses on a particular VLAN, use the clear mac address-table command in privileged EXEC mode. This command also clears the MAC address notification global counters.

clear mac address-table { dynamic [ address mac-addr | interface interface-id | vlan vlan-id] | move update | notification}

Syntax Description

dynamic

Deletes all dynamic MAC addresses.

address mac-addr

(Optional) Deletes the specified dynamic MAC address.

interface interface-id

(Optional) Deletes all dynamic MAC addresses on the specified physical port or port channel.

vlan vlan-id

(Optional) Deletes all dynamic MAC addresses for the specified VLAN. The range is 1 to 4094.

move update

Clears the MAC address table move-update counters.

notification

Clears the notifications in the history table and resets the counters.

Command Default

No default behavior or values.

Command Modes

Privileged EXEC (#)

Command History

Release                      Modification
Cisco IOS XE Everest 16.6.1  This command was introduced.

Usage Guidelines

You can verify that the information was deleted by entering the show mac address-table command.

Examples

This example shows how to remove a specific MAC address from the dynamic address table:

Device> enable
Device# clear mac address-table dynamic address 0008.0070.0007

confidentiality-offset

To enable MACsec Key Agreement protocol (MKA) to set the confidentiality offset for MACsec operations, use the confidentiality-offset command in MKA-policy configuration mode. To disable confidentiality offset, use the no form of this command.

confidentiality-offset

no confidentiality-offset

Syntax Description

This command has no arguments or keywords.

Command Default

Confidentiality offset is disabled.

Command Modes

MKA-policy configuration (config-mka-policy)

Command History

Release                      Modification
Cisco IOS XE Everest 16.6.1  This command was introduced.

Examples

The following example shows how to enable the confidentiality offset:

Device> enable
Device# configure terminal
Device(config)# mka policy 2
Device(config-mka-policy)# confidentiality-offset

debug aaa dead-criteria transaction

To display authentication, authorization, and accounting (AAA) dead-criteria transaction values, use the debug aaa dead-criteria transaction command in privileged EXEC mode. To disable dead-criteria debugging, use the no form of this command.

debug aaa dead-criteria transaction

no debug aaa dead-criteria transaction

Syntax Description

This command has no arguments or keywords.

Command Default

If the command is not configured, debugging is not turned on.

Command Modes

Privileged EXEC (#)

Command History

Release                      Modification
Cisco IOS XE Everest 16.6.1  This command was introduced.

Usage Guidelines

Dead-criteria transaction values may change with every AAA transaction. Some of the values that can be displayed are estimated outstanding transaction, retransmit tries, and dead-detect intervals. These values are explained in the table below.

Examples

The following example shows dead-criteria transaction information for a particular server group:

Device> enable
Device# debug aaa dead-criteria transaction

AAA Transaction debugs debugging is on
*Nov 14 23:44:17.403: AAA/SG/TRANSAC: Computed Retransmit Tries: 10, Current Tries: 3, Current Max Tries: 10
*Nov 14 23:44:17.403: AAA/SG/TRANSAC: Computed Dead Detect Interval: 10s, Elapsed Time: 317s, Current Max Interval: 10s
*Nov 14 23:44:17.403: AAA/SG/TRANSAC: Estimated Outstanding Transaction: 6, Current Max Transaction: 6

The table below describes the significant fields shown in the display.

Table 2. debug aaa dead-criteria transaction Field Descriptions

AAA/SG/TRANSAC: AAA server-group transaction.

Computed Retransmit Tries: Currently computed number of retransmissions before the server is marked as dead.

Current Tries: Number of successive failures since the last valid response.

Current Max Tries: Maximum number of tries since the last successful transaction.

Computed Dead Detect Interval: Period of inactivity (the number of seconds since the last successful transaction) that can elapse before the server is marked as dead. The period of inactivity starts when a transaction is sent to a server that is considered live. The dead-detect interval is the period that the device waits for responses from the server before the device marks the server as dead.

Elapsed Time: Amount of time that has elapsed since the last valid response.

Current Max Interval: Maximum period of inactivity since the last successful transaction.

Estimated Outstanding Transaction: Estimated number of transactions that are associated with the server.

Current Max Transaction: Maximum number of transactions since the last successful transaction.
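The following Python example is added here to make the fields in the display concrete; it is not part of the Cisco documentation or of the device software. It parses AAA/SG/TRANSAC lines (the sample input is constructed from the display above), collects the numeric fields, and compares the live counters with the computed thresholds. The "at risk" rule it applies (retransmit budget exhausted, or elapsed time at or past the dead-detect interval) is an assumption made for illustration, not the device's own marking algorithm.

```python
import re
from typing import Dict

# Constructed sample input: the lines from the display above.
SAMPLE_DEBUG_OUTPUT = """\
AAA Transaction debugs debugging is on
*Nov 14 23:44:17.403: AAA/SG/TRANSAC: Computed Retransmit Tries: 10, Current Tries: 3, Current Max Tries: 10
*Nov 14 23:44:17.403: AAA/SG/TRANSAC: Computed Dead Detect Interval: 10s, Elapsed Time: 317s, Current Max Interval: 10s
*Nov 14 23:44:17.403: AAA/SG/TRANSAC: Estimated Outstanding Transaction: 6, Current Max Transaction: 6
"""

# "<Field Name>: <integer>[s]" pairs; the optional trailing "s" is the
# seconds suffix printed on the interval fields.
FIELD_RE = re.compile(r"([A-Za-z ]+?):\s*(\d+)s?")


def parse_dead_criteria(text: str) -> Dict[str, int]:
    """Collect the numeric fields of every AAA/SG/TRANSAC line into one dict.

    Timestamps and non-TRANSAC lines are ignored. Later lines overwrite
    earlier ones, so the dict holds the most recent value of each field.
    """
    fields: Dict[str, int] = {}
    for line in text.splitlines():
        if "AAA/SG/TRANSAC:" not in line:
            continue
        payload = line.split("AAA/SG/TRANSAC:", 1)[1]
        for name, value in FIELD_RE.findall(payload):
            fields[name.strip()] = int(value)
    return fields


def assess_dead_criteria(fields: Dict[str, int]) -> Dict[str, object]:
    """Compare the live counters with the computed thresholds.

    Assumption for illustration: the server is reported "at risk" when the
    retransmit budget is used up or the elapsed time has reached the
    dead-detect interval. The device's own marking rule may differ.
    """
    tries_remaining = fields["Computed Retransmit Tries"] - fields["Current Tries"]
    interval_exceeded = fields["Elapsed Time"] >= fields["Computed Dead Detect Interval"]
    return {
        "tries_remaining": tries_remaining,
        "interval_exceeded": interval_exceeded,
        "outstanding": fields["Estimated Outstanding Transaction"],
        "at_risk": tries_remaining <= 0 or interval_exceeded,
    }


if __name__ == "__main__":
    parsed = parse_dead_criteria(SAMPLE_DEBUG_OUTPUT)
    for name, value in parsed.items():
        print(f"{name:34s} {value}")
    print(assess_dead_criteria(parsed))
```

Feed it a captured debug session (for example, the output of a terminal logging buffer) rather than the constructed sample to see how the retransmit and interval counters move between transactions.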

delay-protection

To configure MKA to use delay protection in sending MACsec Key Agreement Protocol Data Units (MKPDUs), use the delay-protection command in MKA-policy configuration mode. To disable delay protection, use the no form of this command.

delay-protection

no delay-protection

Syntax Description

This command has no arguments or keywords.

Command Default

Delay protection for sending MKPDUs is disabled.

Command Modes

MKA-policy configuration (config-mka-policy)

Command History

Release

Modification

Cisco IOS XE Everest 16.6.1

This command was introduced.

Examples

The following example shows how to configure MKA to use delay protection in sending MKPDUs:

Device> enable
Device# configure terminal
Device(config)# mka policy 2
Device(config-mka-policy)# delay-protection

deny (MAC access-list configuration)

To prevent non-IP traffic from being forwarded if the conditions are matched, use the deny command in MAC access-list extended configuration mode. To remove a deny condition from the named MAC access list, use the no form of this command.

deny { any | host src-MAC-addr | src-MAC-addr mask} { any | host dst-MAC-addr | dst-MAC-addr mask} [ type mask | aarp | amber | appletalk | dec-spanning | decnet-iv | diagnostic | dsm | etype-6000 | etype-8042 | lat | lavc-sca | lsap lsap mask | mop-console | mop-dump | msdos | mumps | netbios | vines-echo | vines-ip | xns-idp] [ cos cos]

no deny { any | host src-MAC-addr | src-MAC-addr mask} { any | host dst-MAC-addr | dst-MAC-addr mask} [ type mask | aarp | amber | appletalk | dec-spanning | decnet-iv | diagnostic | dsm | etype-6000 | etype-8042 | lat | lavc-sca | lsap lsap mask | mop-console | mop-dump | msdos | mumps | netbios | vines-echo | vines-ip | xns-idp] [ cos cos]

Syntax Description

any

Denies any source or destination MAC address.

host src-MAC-addr | src-MAC-addr mask

Defines a host MAC address and optional subnet mask. If the source address for a packet matches the defined address, non-IP traffic from that address is denied.

host dst-MAC-addr | dst-MAC-addr mask

Defines a destination MAC address and optional subnet mask. If the destination address for a packet matches the defined address, non-IP traffic to that address is denied.

type mask

(Optional) Specifies the EtherType number of a packet with Ethernet II or SNAP encapsulation to identify the protocol of the packet.

The type is 0 to 65535, specified in hexadecimal.

The mask is a mask of don’t care bits applied to the EtherType before testing for a match.

aarp

(Optional) Specifies EtherType AppleTalk Address Resolution Protocol that maps a data-link address to a network address.

amber

(Optional) Specifies EtherType DEC-Amber.

appletalk

(Optional) Specifies EtherType AppleTalk/EtherTalk.

dec-spanning

(Optional) Specifies EtherType Digital Equipment Corporation (DEC) spanning tree.

decnet-iv

(Optional) Specifies EtherType DECnet Phase IV protocol.

diagnostic

(Optional) Specifies EtherType DEC-Diagnostic.

dsm

(Optional) Specifies EtherType DEC-DSM.

etype-6000

(Optional) Specifies EtherType 0x6000.

etype-8042

(Optional) Specifies EtherType 0x8042.

lat

(Optional) Specifies EtherType DEC-LAT.

lavc-sca

(Optional) Specifies EtherType DEC-LAVC-SCA.

lsap lsap-number mask

(Optional) Specifies the LSAP number (0 to 65535) of a packet with 802.2 encapsulation to identify the protocol of the packet.

mask is a mask of don’t care bits applied to the LSAP number before testing for a match.

mop-console

(Optional) Specifies EtherType DEC-MOP Remote Console.

mop-dump

(Optional) Specifies EtherType DEC-MOP Dump.

msdos

(Optional) Specifies EtherType DEC-MSDOS.

mumps

(Optional) Specifies EtherType DEC-MUMPS.

netbios

(Optional) Specifies EtherType DEC Network Basic Input/Output System (NetBIOS).

vines-echo

(Optional) Specifies EtherType Virtual Integrated Network Service (VINES) Echo from Banyan Systems.

vines-ip

(Optional) Specifies EtherType VINES IP.

xns-idp

(Optional) Specifies EtherType Xerox Network Systems (XNS) protocol suite (0 to 65535), an arbitrary EtherType in decimal, hexadecimal, or octal.

cos cos

(Optional) Specifies a class of service (CoS) number from 0 to 7 to set priority. Filtering on CoS can be performed only in hardware. A warning message reminds the user if the cos option is configured.

Command Default

This command has no defaults. However, the default action for a MAC-named ACL is to deny.

Command Modes

MAC-access list extended configuration (config-ext-macl)

Command History

Release

Modification

Cisco IOS XE Everest 16.6.1

This command was introduced.

Usage Guidelines

You enter MAC-access list extended configuration mode by using the mac access-list extended global configuration command.

If you use the host keyword, you cannot enter an address mask; if you do not use the host keyword, you must enter an address mask.

When an access control entry (ACE) is added to an access control list, an implied deny-any-any condition exists at the end of the list. That is, if there are no matches, the packets are denied. However, before the first ACE is added, the list permits all packets.

To filter IPX traffic, you use the type mask or lsap lsap mask keywords, depending on the type of IPX encapsulation being used. Filter criteria for IPX encapsulation types as specified in Novell terminology and Cisco IOS XE terminology are listed in the table.

Table 3. IPX Filtering Criteria

The first two columns give the IPX encapsulation type under its Cisco IOS XE name and under its Novell name; the third column is the filter criterion to use for it.

Cisco IOS XE Name   Novell Name      Filter Criterion
arpa                Ethernet II      EtherType 0x8137
snap                Ethernet-snap    EtherType 0x8137
sap                 Ethernet 802.2   LSAP 0xE0E0
novell-ether        Ethernet 802.3   LSAP 0xFFFF

Examples

This example shows how to define the named MAC extended access list to deny NETBIOS traffic from any source to MAC address 00c0.00a0.03fa. Traffic matching this list is denied.

Device> enable
Device# configure terminal
Device(config)# mac access-list extended mac_layer
Device(config-ext-macl)# deny any host 00c0.00a0.03fa netbios
Device(config-ext-macl)# end

This example shows how to remove the deny condition from the named MAC extended access list:

Device> enable
Device# configure terminal
Device(config)# mac access-list extended mac_layer
Device(config-ext-macl)# no deny any 00c0.00a0.03fa 0000.0000.0000 netbios
Device(config-ext-macl)# end

The following example shows how to deny all packets with EtherType 0x4321:

Device> enable
Device# configure terminal
Device(config)# mac access-list extended mac_layer
Device(config-ext-macl)# deny any any 0x4321 0
Device(config-ext-macl)# end

You can verify your settings by entering the show access-lists privileged EXEC command.
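To make the match semantics of this command concrete (don't-care masks on MAC addresses, EtherType and LSAP, the implied deny-any-any at the end of a non-empty list, and the permit-all behaviour of a list with no entries yet), the following Python example is added here; it is not part of the Cisco documentation or of the device software. It accepts entries written in the syntax shown on this page, plus permit as the opposite action. The only named EtherType keywords it recognises are etype-6000 and etype-8042, the two whose numeric values the page states; the sample list and frames are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Named EtherType keywords whose numeric value the page states. The other
# named keywords (aarp, netbios, lat, ...) are deliberately omitted because
# the page gives only their names, not their EtherType numbers.
KEYWORD_ETHERTYPES = {"etype-6000": 0x6000, "etype-8042": 0x8042}

AddrRule = Optional[Tuple[int, int]]   # (address, don't-care mask); None means any


def parse_mac(dotted: str) -> int:
    """Convert Cisco dotted notation (00c0.00a0.03fa) to a 48-bit integer."""
    return int(dotted.replace(".", ""), 16)


@dataclass(frozen=True)
class Frame:
    src: int
    dst: int
    ethertype: Optional[int] = None   # set for Ethernet II / SNAP frames
    lsap: Optional[int] = None        # set for 802.2 frames


@dataclass(frozen=True)
class Ace:
    action: str                               # "permit" or "deny"
    src: AddrRule
    dst: AddrRule
    proto: Optional[Tuple[str, int, int]]     # ("type" | "lsap", value, don't-care mask)


def _parse_addr(tokens: List[str]) -> Tuple[AddrRule, List[str]]:
    """Consume one address clause: any | host addr | addr mask."""
    if tokens[0] == "any":
        return None, tokens[1:]
    if tokens[0] == "host":
        return (parse_mac(tokens[1]), 0), tokens[2:]    # host means exact match
    return (parse_mac(tokens[0]), parse_mac(tokens[1])), tokens[2:]


def parse_ace(line: str) -> Ace:
    """Parse one entry as written on this page, for example
    'deny any host 00c0.00a0.03fa etype-8042', 'deny any any 0x4321 0' or
    'deny any any lsap 0xE0E0 0'. Type, LSAP and mask values are hexadecimal."""
    tokens = line.split()
    action, rest = tokens[0], tokens[1:]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action {action!r}")
    src, rest = _parse_addr(rest)
    dst, rest = _parse_addr(rest)
    proto = None
    if rest:
        if rest[0] == "lsap":
            proto = ("lsap", int(rest[1], 16), int(rest[2], 16))
        elif rest[0] in KEYWORD_ETHERTYPES:
            proto = ("type", KEYWORD_ETHERTYPES[rest[0]], 0)
        else:
            proto = ("type", int(rest[0], 16), int(rest[1], 16))
    return Ace(action, src, dst, proto)


def _masked_equal(value: int, rule: int, dont_care: int) -> bool:
    """A 1 bit in the mask means 'do not compare this bit'."""
    return (value & ~dont_care) == (rule & ~dont_care)


def ace_matches(ace: Ace, frame: Frame) -> bool:
    for rule, addr in ((ace.src, frame.src), (ace.dst, frame.dst)):
        if rule is not None and not _masked_equal(addr, rule[0], rule[1]):
            return False
    if ace.proto is None:
        return True
    kind, value, mask = ace.proto
    observed = frame.ethertype if kind == "type" else frame.lsap
    return observed is not None and _masked_equal(observed, value, mask)


def evaluate(acl: List[Ace], frame: Frame) -> str:
    """First matching entry wins. An empty list permits everything (the state
    before the first ACE is added); a non-empty list ends in the implied
    deny-any-any, so a list made only of deny entries denies all non-IP traffic."""
    if not acl:
        return "permit"
    for ace in acl:
        if ace_matches(ace, frame):
            return ace.action
    return "deny"


if __name__ == "__main__":
    # Constructed sample list: block EtherType 0x8042 to one host and IPX in
    # both Ethernet II/SNAP (EtherType 0x8137) and 802.2 (LSAP 0xE0E0) form,
    # then permit the rest so the implied deny does not swallow everything.
    acl = [parse_ace(entry) for entry in (
        "deny any host 00c0.00a0.03fa etype-8042",
        "deny any any 0x8137 0",
        "deny any any lsap 0xE0E0 0",
        "permit any any",
    )]
    host = parse_mac("00c0.00a0.03fa")
    for frame in (Frame(0x1, host, ethertype=0x8042), Frame(0x1, host, ethertype=0x6000),
                  Frame(0x1, 0x2, ethertype=0x8137), Frame(0x1, 0x2, lsap=0xE0E0)):
        print(frame, "->", evaluate(acl, frame))
```

The closing permit any any entry is the part operators most often forget: without it, the list in the page's examples denies every non-IP frame, not just the one EtherType named.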

device-role (IPv6 snooping)

To specify the role of the device attached to the port, use the device-role command in IPv6 snooping configuration mode. To remove the specification, use the no form of this command.

device-role { node | switch}

no device-role { node | switch}

Syntax Description

node

Sets the role of the attached device to node.

switch

Sets the role of the attached device to switch.

Command Default

The device role is node.

Command Modes

IPv6 snooping configuration (config-ipv6-snooping)

Command History

Release

Modification

Cisco IOS XE Everest 16.6.1

This command was introduced.

Usage Guidelines

The device-role command specifies the role of the device attached to the port. By default, the device role is node.

The switch keyword indicates that the remote device is a switch and that the local switch is now operating in multiswitch mode; binding entries learned from the port will be marked with trunk_port preference level. If the port is configured as a trust-port, binding entries will be marked with trunk_trusted_port preference level.

Examples

This example shows how to define an IPv6 snooping policy name as policy1, place the device in IPv6 snooping configuration mode, and configure the device as the node:

Device> enable
Device# configure terminal
Device(config)# ipv6 snooping policy policy1
Device(config-ipv6-snooping)# device-role node
Device(config-ipv6-snooping)# end

device-role (IPv6 nd inspection)

To specify the role of the device attached to the port, use the device-role command in neighbor discovery (ND) inspection policy configuration mode.

device-role { host | switch}

Syntax Description

host

Sets the role of the attached device to host.

switch

Sets the role of the attached device to switch.

Command Default

The device role is host.

Command Modes

ND inspection policy configuration (config-nd-inspection)

Command History

Release

Modification

Cisco IOS XE Everest 16.6.1

This command was introduced.

Usage Guidelines

The device-role command specifies the role of the device attached to the port. By default, the device role is host, and therefore all the inbound router advertisement and redirect messages are blocked.

The switch keyword indicates that the remote device is a switch and that the local switch is now operating in multiswitch mode; binding entries learned from the port will be marked with trunk_port preference level. If the port is configured as a trust-port, binding entries will be marked with trunk_trusted_port preference level.

Examples

The following example defines a Neighbor Discovery Protocol (NDP) policy name as policy1, places the device in ND inspection policy configuration mode, and configures the device as the host:

Device> enable
Device# configure terminal
Device(config)# ipv6 nd inspection policy policy1
Device(config-nd-inspection)# device-role host
Device(config-nd-inspection)# end

device-tracking policy

To configure a Switch Integrated Security Features (SISF)-based IP device tracking policy, use the device-tracking policy command in global configuration mode. To delete a device tracking policy, use the no form of this command.

device-tracking policy policy-name

no device-tracking policy policy-name

Syntax Description

policy-name

User-defined name of the device tracking policy. The policy name can be a symbolic string (such as Engineering) or an integer (such as 0).

Command Default

A device tracking policy is not configured.

Command Modes

Global configuration (config)

Command History

Release

Modification

Cisco IOS XE Everest 16.6.1

This command was introduced.

Usage Guidelines

Use the SISF-based device-tracking policy command to create a device tracking policy. When the device-tracking policy command is enabled, the configuration mode changes to device-tracking configuration mode. In this mode, the administrator can configure the following first-hop security commands:

  • (Optional) device-role {node | switch}—Specifies the role of the device attached to the port. Default is node.

  • (Optional) limit address-count value—Limits the number of addresses allowed per target.

  • (Optional) no—Negates a command or sets it to defaults.

  • (Optional) destination-glean {recovery | log-only} [dhcp]—Enables binding table recovery by data traffic source address gleaning.

  • (Optional) data-glean {recovery | log-only} [dhcp | ndp]—Enables binding table recovery using source or data address gleaning.

  • (Optional) security-level {glean | guard | inspect}—Specifies the level of security enforced by the feature. Default is guard.

    • glean—Gleans addresses from messages and populates the binding table without any verification.

    • guard—Gleans addresses and inspects messages. In addition, it rejects RA and DHCP server messages. This is the default option.

    • inspect—Gleans addresses, validates messages for consistency and conformance, and enforces address ownership.

  • (Optional) tracking {disable | enable}—Specifies a tracking option.

  • (Optional) trusted-port—Sets up a trusted port. It disables the guard on applicable targets. Bindings learned through a trusted port have preference over bindings learned through any other port. A trusted port is given preference in case of a collision while making an entry in the table.

Examples

This example shows how to configure a device-tracking policy:

Device> enable
Device# configure terminal
Device(config)# device-tracking policy policy1
Device(config-device-tracking)# trusted-port
Device(config-device-tracking)# end

dot1x critical (global configuration)

To configure the IEEE 802.1X critical authentication parameters, use the dot1x critical command in global configuration mode.

dot1x critical eapol

Syntax Description

eapol

Specifies that the switch sends an EAPOL-Success message when the device successfully authenticates the critical port.

Command Default

eapol is disabled

Command Modes

Global configuration (config)

Command History

Release

Modification

Cisco IOS XE Everest 16.6.1

This command was introduced.

Examples

This example shows how to specify that the device sends an EAPOL-Success message when the device successfully authenticates the critical port:

Device> enable
Device# configure terminal
Device(config)# dot1x critical eapol
Device(config)# exit

dot1x logging verbose

To filter detailed information from 802.1x system messages, use the dot1x logging verbose command in global configuration mode on a device stack or on a standalone device.

dot1x logging verbose

no dot1x logging verbose

Syntax Description

This command has no arguments or keywords.

Command Default

Detailed logging of system messages is not enabled.

Command Modes

Global configuration (config)

Command History

Release

Modification

Cisco IOS XE Everest 16.6.1

This command was introduced.

Usage Guidelines

This command filters details, such as anticipated success, from 802.1x system messages. Failure messages are not filtered.

Examples

The following example shows how to filter verbose 802.1x system messages:

Device> enable
Device# configure terminal
Device(config)# dot1x logging verbose
Device(config)# exit

dot1x pae

To set the Port Access Entity (PAE) type, use the dot1x pae command in interface configuration mode. To disable the PAE type that was set, use the no form of this command.

dot1x pae { supplicant | authenticator}

no dot1x pae { supplicant | authenticator}

Syntax Description

supplicant

The interface acts only as a supplicant and will not respond to messages that are meant for an authenticator.

authenticator

The interface acts only as an authenticator and will not respond to any messages meant for a supplicant.

Command Default

PAE type is not set.

Command Modes

Interface configuration (config-if)

Command History

Release

Modification

Cisco IOS XE Everest 16.6.1

This command was introduced.

Usage Guidelines

Use the no dot1x pae interface configuration command to disable IEEE 802.1x authentication on the port.

When you configure IEEE 802.1x authentication on a port, such as by entering the dot1x port-control interface configuration command, the device automatically configures the port as an IEEE 802.1x authenticator. After the no dot1x pae interface configuration command is entered, the Authenticator PAE operation is disabled.

Examples

The following example shows that the interface has been set to act as a supplicant:

Device> enable
Device# configure terminal
Device(config)# interface gigabitethernet 1/0/3
Device(config-if)# dot1x pae supplicant
Device(config-if)# end

dot1x supplicant controlled transient

To control access to an 802.1x supplicant port during authentication, use the dot1x supplicant controlled transient command in global configuration mode. To open the supplicant port during authentication, use the no form of this command.

dot1x supplicant controlled transient

no dot1x supplicant controlled transient

Syntax Description

This command has no arguments or keywords.

Command Default

Access is allowed to 802.1x supplicant ports during authentication.

Command Modes

Global configuration (config)

Command History

Release

Modification

Cisco IOS XE Everest 16.6.1

This command was introduced.

Usage Guidelines

In the default state, when you connect a supplicant device to an authenticator switch that has BPDU guard enabled, the authenticator port could be error-disabled if it receives Spanning Tree Protocol (STP) bridge protocol data unit (BPDU) packets before the supplicant switch has authenticated. You can control traffic exiting the supplicant port during the authentication period. Entering the dot1x supplicant controlled transient command temporarily blocks the supplicant port during authentication to ensure that the authenticator port does not shut down before authentication completes. If authentication fails, the supplicant port opens. Entering the no dot1x supplicant controlled transient command opens the supplicant port during the authentication period. This is the default behavior.

We recommend using the dot1x supplicant controlled transient command on a supplicant device when BPDU guard is enabled on the authenticator switch port with the spanning-tree bpduguard enable interface configuration command.

Examples

This example shows how to control access to 802.1x supplicant ports on a device during authentication:

Device> enable
Device# configure terminal
Device(config)# dot1x supplicant controlled transient
Device(config)# exit

dot1x supplicant force-multicast

To force a supplicant switch to send only multicast Extensible Authentication Protocol over LAN (EAPOL) packets whenever it receives multicast or unicast EAPOL packets, use the dot1x supplicant force-multicast command in global configuration mode. To return to the default setting, use the no form of this command.

dot1x supplicant force-multicast

no dot1x supplicant force-multicast

Syntax Description

This command has no arguments or keywords.

Command Default

The supplicant device sends unicast EAPOL packets when it receives unicast EAPOL packets. Similarly, it sends multicast EAPOL packets when it receives multicast EAPOL packets.

Command Modes

Global configuration (config)

Command History

Release

Modification

Cisco IOS XE Everest 16.6.1

This command was introduced.

Usage Guidelines

Enable this command on the supplicant device for Network Edge Access Topology (NEAT) to work in all host modes.

Examples

This example shows how to force a supplicant device to send multicast EAPOL packets to the authenticator device:

Device> enable
Device# configure terminal
Device(config)# dot1x supplicant force-multicast
Device(config)# end

dot1x test eapol-capable

To monitor IEEE 802.1x activity on all the switch ports and to display information about the devices that are connected to the ports that support IEEE 802.1x, use the dot1x test eapol-capable command in privileged EXEC mode.

dot1x test eapol-capable [ interface interface-id]

Syntax Description

interface interface-id

(Optional) Port to be queried.

Command Default

There is no default setting.

Command Modes

Privileged EXEC (#)

Command History

Release

Modification

Cisco IOS XE Everest 16.6.1

This command was introduced.

Usage Guidelines

Use this command to test the IEEE 802.1x capability of the devices connected to all ports or to specific ports on a switch.

This command does not have a no form.

Examples

This example shows how to enable the IEEE 802.1x readiness check on a switch to query a port. It also shows the response received from the queried port verifying that the device connected to it is IEEE 802.1x-capable:

Device> enable
Device# dot1x test eapol-capable interface gigabitethernet1/0/13 

DOT1X_PORT_EAPOL_CAPABLE:DOT1X: MAC 00-01-02-4b-f1-a3 on gigabitethernet1/0/13 is EAPOL capable

dot1x test timeout

To configure the timeout used to wait for an EAPOL response from a port being queried for IEEE 802.1x readiness, use the dot1x test timeout command in global configuration mode.

dot1x test timeout timeout

Syntax Description

timeout

Time in seconds to wait for an EAPOL response. The range is from 1 to 65535 seconds.

Command Default

The default setting is 10 seconds.

Command Modes

Global configuration (config)

Command History

Release

Modification

Cisco IOS XE Everest 16.6.1

This command was introduced.

Usage Guidelines

Use this command to configure the timeout used to wait for an EAPOL response.

This command does not have a no form.

Examples

This example shows how to configure the switch to wait 27 seconds for an EAPOL response:

Device> enable
Device# configure terminal
Device(config)# dot1x test timeout 27

You can verify the timeout configuration status by entering the show running-config command.

dot1x timeout

To configure the value for retry timeouts, use the dot1x timeout command in global configuration or interface configuration mode. To return to the default value for retry timeouts, use the no form of this command.

dot1x timeout { auth-period seconds | held-period seconds | quiet-period seconds | ratelimit-period seconds | server-timeout seconds | start-period seconds | supp-timeout seconds | tx-period seconds}

Syntax Description

auth-period seconds

Configures the time, in seconds for which a supplicant will stay in the HELD state (that is, the length of time it will wait before trying to send the credentials again after a failed attempt).

The range is from 1 to 65535. The default is 30.

held-period seconds

Configures the time, in seconds for which a supplicant will stay in the HELD state (that is, the length of time it will wait before trying to send the credentials again after a failed attempt).

The range is from 1 to 65535. The default is 60.

quiet-period seconds

Configures the time, in seconds, that the authenticator (server) remains quiet (in the HELD state) following a failed authentication exchange before trying to reauthenticate the client.

The range is from 1 to 65535. The default is 60.

ratelimit-period seconds

Throttles the EAP-START packets that are sent from misbehaving client PCs (for example, PCs that send EAP-START packets that result in the wasting of device processing power).

  • The authenticator ignores EAPOL-Start packets from clients that have successfully authenticated for the rate-limit period duration.

  • The range is from 1 to 65535. By default, rate limiting is disabled.

server-timeout seconds

Configures the interval, in seconds, between two successive EAPOL-Start frames when they are being retransmitted.

  • The range is from 1 to 65535. The default is 30.

If the server does not send a response to an 802.1X packet within the specified period, the packet is sent again.

start-period seconds

Configures the interval, in seconds, between two successive EAPOL-Start frames when they are being retransmitted.

The range is from 1 to 65535. The default is 30.

supp-timeout seconds

Sets the authenticator-to-supplicant retransmission time for all EAP messages other than EAP Request ID.

The range is from 1 to 65535. The default is 30.

tx-period seconds

Configures the number of seconds between retransmission of EAP request ID packets (assuming that no response is received) to the client.

  • The range is from 1 to 65535. The default is 30.

  • If an 802.1X packet is sent to the supplicant and the supplicant does not send a response after the retry period, the packet will be sent again.

Command Default

Periodic reauthentication and periodic rate-limiting are done.

Command Modes

Global configuration (config)

Interface configuration (config-if)

Command History

Release

Modification

Cisco IOS XE Everest 16.6.1

This command was introduced.

Usage Guidelines

You should change the default value of this command only to adjust for unusual circumstances such as unreliable links or specific behavioral problems with certain clients and authentication servers.

The dot1x timeout reauth-period interface configuration command affects the behavior of the device only if you have enabled periodic re-authentication by using the dot1x reauthentication interface configuration command.

During the quiet period, the device does not accept or initiate any authentication requests. If you want to provide a faster response time to the user, enter a number smaller than the default.

When the ratelimit-period is set to 0 (the default), the device does not ignore EAPOL packets from clients that have been successfully authenticated and forwards them to the RADIUS server.

Examples

The following example shows that various 802.1X retransmission and timeout periods have been set:

Device> enable
Device# configure terminal
Device(config)# interface gigabitethernet 1/0/3
Device(config-if)# dot1x port-control auto
Device(config-if)# dot1x timeout auth-period 2000
Device(config-if)# dot1x timeout held-period 2400
Device(config-if)# dot1x timeout quiet-period 600
Device(config-if)# dot1x timeout start-period 90
Device(config-if)# dot1x timeout supp-timeout 300
Device(config-if)# dot1x timeout tx-period 60
Device(config-if)# dot1x timeout server-timeout 60
Device(config-if)# end

dtls

To configure Datagram Transport Layer Security (DTLS) parameters, use the dtls command in radius server configuration mode. To return to the default setting, use the no form of this command.

dtls connectiontimeout connection-timeout-value | idletimeout idle-timeout-value | [ ip | ipv6 ] { radius source-interface interface-name | vrf forwarding forwarding-table-name } | match-server-identity { email-address email-address | hostname hostname | ip-address ip-address } | port port-number | retries number-of-connection-retries | trustpoint { client trustpoint name | server trustpoint name }

no dtls

Syntax Description

connectiontimeout connection-timeout-value

(Optional) Configures the DTLS connection timeout value.

idletimeout idle-timeout-value

(Optional) Configures the DTLS idle timeout value.

[ip | ipv6] { radius source-interface interface-name | vrf forwarding forwarding-table-name}

(Optional) Configures IP or IPv6 source parameters.

match-server-identity {email-address email-address | hostname host-name | ip-address ip-address}

Configures RadSec certification validation parameters.

port port-number

(Optional) Configures the DTLS port number.

retries number-of-connection-retries

(Optional) Configures the number of DTLS connection retries.

trustpoint { client trustpoint-name | server trustpoint-name}

(Optional) Configures the DTLS trustpoint for the client and the server.

Command Default

  • The default value of DTLS connection timeout is 5 seconds.

  • The default value of DTLS idle timeout is 60 seconds.

  • The default DTLS port number is 2083.

  • The default value of DTLS connection retries is 5.

Command Modes

Radius server configuration (config-radius-server)

Command History

Release

Modification

Cisco IOS XE Everest 16.6.1

This command was introduced.

Cisco IOS XE Gibraltar 16.10.1

The match-server-identity keyword was introduced.

Cisco IOS XE Amsterdam 17.1.1

The ipv6 keyword was introduced.

Usage Guidelines

We recommend that you use the same server type, either only Transport Layer Security (TLS) or only DTLS, under an Authentication, Authorization, and Accounting (AAA) server group.

Examples

The following example shows how to configure the DTLS connection timeout value to 10 seconds:

Device> enable
Device# configure terminal
Device(config)# radius server R1
Device(config-radius-server)# dtls connectiontimeout 10
Device(config-radius-server)# end

enable password

To set a local password to control access to various privilege levels, use the enable password command in global configuration mode. To remove control access of the local password, use the no form of this command.

enable password [level level] { [0] unencrypted-password | [ encryption-type] encrypted-password}

no enable password [level level]

Syntax Description

level level

(Optional) Specifies the level for which the password is applicable. You can specify up to 16 privilege levels, using numbers 0 through 15. Level 1 is normal user EXEC mode user privileges. If level is not specified in the command or in the no form of the command, the privilege level defaults to 15.

0

(Optional) Specifies an unencrypted cleartext password. The password is converted to a Secure Hash Algorithm (SHA) 256 secret and is stored in the device.

unencrypted-password

Specifies the password to enter enable mode.

encryption-type

(Optional) Cisco-proprietary algorithm used to encrypt the password. If you specify encryption-type, the next argument that you supply must be an encrypted password (a password already encrypted by a Cisco device). You can specify type 7, which indicates that a hidden password follows.

encrypted-password

Encrypted password copied from another device configuration.

Command Default

No password is defined.

Command Modes

Global configuration (config)

Command History

Release

Modification

Cisco IOS XE Everest 16.6.1

This command was introduced.

Usage Guidelines

If neither the enable password command nor the enable secret command is configured, and if a line password is configured for the console, the console line password serves as the enable password for all VTY (Telnet and Secure Shell [SSH]) sessions.

Use the enable password command with the level option to define a password for a specific privilege level. After you specify the level and the password, share the password with users who need to access this level. Use the privilege level configuration command to specify the commands that are accessible at various levels.

Typically, you enter an encryption type only if you copy and paste into this command a password that has already been encrypted by a Cisco device.


Caution

If you specify an encryption type and then enter a cleartext password, you will not be able to re-enter enable mode. You cannot recover a lost password that has been encrypted earlier.

If the service password-encryption command is set, the encrypted form of the password you create with the enable password command is displayed when the more nvram:startup-config command is run.

You can enable or disable password encryption with the service password-encryption command.

An enable password is defined as follows:

  • Must contain from 1 to 25 characters, which can be uppercase and lowercase alphanumeric characters.

  • Can have leading spaces, but they are ignored. However, intermediate and trailing spaces are recognized.

  • Can contain the question mark (?) character if you precede the question mark with the key combination Ctrl-V when you create the password. For example, to create the password abc?123, do the following:

    1. Enter abc.

    2. Press Ctrl-V.

    3. Enter ?123.

Note

When the system prompts you for the enable password, you need not precede the question mark with Ctrl-V; you can enter abc?123 at the password prompt.


Examples

The following example shows how to enable the password pswd2 for privilege level 2:


Device> enable
Device# configure terminal
Device(config)# enable password level 2 pswd2

The following example shows how to set the encrypted password $1$i5Rkls3LoyxzS8t9, which has been copied from a device configuration file, for privilege level 2 using encryption type 7:


Device> enable
Device# configure terminal
Device(config)# enable password level 2 5 $1$i5Rkls3LoyxzS8t9

enable secret

To specify an additional layer of security over the enable password command, use the enable secret command in global configuration mode. To turn off the enable secret function, use the no form of this command.

enable secret [level level] { [0] unencrypted-password | encryption-type encrypted-password}

no enable secret [level level] [encryption-type encrypted-password]

Syntax Description

level level

(Optional) Specifies the level for which the password is applicable. You can specify up to 15 privilege levels, using numerals 1 through 15. Level 1 is normal user EXEC mode privileges. If level is not specified in the command or in the no form of the command, the privilege level defaults to 15.

0

(Optional) Specifies an unencrypted cleartext password. The password is converted to a Secure Hash Algorithm (SHA) 256 secret and is stored in the device.

unencrypted-password

Specifies the password for users to enter enable mode. This password should be different from the password created with the enable password command.

encryption-type

Cisco-proprietary algorithm used to hash the password:

  • 5 : Specifies a message digest algorithm 5-encrypted (MD5-encrypted) secret.

  • 8 : Specifies a Password-Based Key Derivation Function 2 (PBKDF2) with SHA-256 hashed secret.

  • 9 : Specifies a scrypt-hashed secret.

encrypted-password

Hashed password that is copied from another device configuration.

Command Default

No password is defined.

Command Modes

Global configuration (config)

Command History

Release

Modification

Cisco IOS XE Everest 16.6.1

This command was introduced.

Usage Guidelines

If neither the enable password command nor the enable secret command is configured, and if a line password is configured for the console, the console line password serves as the enable password for all vty (Telnet and Secure Shell [SSH]) sessions.

Use the enable secret command to provide an additional layer of security over the enable password command. The enable secret command provides better security by storing the password using a nonreversible cryptographic function. This additional layer of security is useful in environments where the password is sent across the network or is stored on a TFTP server.

Typically, you enter an encryption type only when you paste an encrypted password that you copied from a device configuration file into this command.


Caution


If you specify an encryption type and then enter a cleartext password, you will not be able to reenter enable mode. You cannot recover a lost password that has been encrypted earlier.


If you use the same password for the enable password and enable secret commands, you receive an error message warning that this practice is not recommended, but the password will be accepted. By using the same password, however, you undermine the additional security the enable secret command provides.


Note


After you set a password using the enable secret command, a password set using the enable password command works only if the enable secret is disabled. Additionally, you cannot recover a lost password that has been encrypted by any method.


If the service password-encryption command is set, the encrypted form of the password you create is displayed when the more nvram:startup-config command is run.

You can enable or disable password encryption with the service password-encryption command.

An enable password is defined as follows:

  • Must contain a combination of numerals from 1 to 25, and uppercase and lowercase alphanumeric characters.

  • Can have leading spaces, but they are ignored. However, intermediate and trailing spaces are recognized.

  • Can contain the question mark (?) character if you precede the question mark with the key combination Ctrl-V when you create the password; for example, to create the password abc?123, do the following:

    1. Enter abc.

    2. Press Ctrl-V.

    3. Enter ?123.


Note


When the system prompts you for the enable password, you need not precede the question mark with Ctrl-V; you can enter abc?123 at the password prompt.


Examples

The following example shows how to specify a password with the enable secret command:


Device> enable
Device# configure terminal
Device(config)# enable secret password

After specifying a password with the enable secret command, users must enter this password to gain access. Otherwise, passwords set using the enable password command will no longer work.


Password: password

The following example shows how to enable the encrypted password $1$FaD0$Xyti5Rkls3LoyxzS8, which has been copied from a device configuration file, for privilege level 2, using the encryption type 4:


Device> enable
Device# configure terminal
Device(config)# enable password level 2 4 $1$FaD0$Xyti5Rkls3LoyxzS8

The following example shows the warning message that is displayed when a user enters the enable secret 4 encrypted-password command:


Device> enable
Device# configure terminal
Device(config)# enable secret 4 tnhtc92DXBhelxjYk8LWJrPV36S2i4ntXrpb4RFmfqY

WARNING: Command has been added to the configuration but Type 4 passwords have been deprecated.
Migrate to a supported password type

Device(config)# end
Device# show running-config | inc secret

enable secret 4 tnhtc92DXBhelxjYk8LWJrPV36S2i4ntXrpb4RFmfqY
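The following Python script is an added illustration, not part of Cisco IOS XE or of this reference. It reads a saved configuration excerpt and applies the rules stated in the guidelines above: an enable secret takes precedence over an enable password at the same level, a type 4 secret is deprecated, type 5 is MD5 while types 8 and 9 are PBKDF2-SHA256 and scrypt, and using the same string for both commands is warned against. The sample configuration is constructed; the hash strings in it are the ones shown in the examples on this page.

```python
import re
from dataclasses import dataclass
from typing import List

# Storage types this page documents for "enable secret". Type 4 is the one the
# device itself reports as deprecated; an "enable password" line carries no
# type (cleartext) unless service password-encryption has rewritten it.
SECRET_TYPE_NAMES = {
    "4": "SHA-256 (deprecated)",
    "5": "MD5",
    "8": "PBKDF2-SHA256",
    "9": "scrypt",
}


@dataclass
class Finding:
    line: str
    severity: str  # "high", "warn" or "info"
    message: str


# Matches: enable {secret|password} [level N] [type] value
_ENABLE_RE = re.compile(
    r"^\s*enable\s+(?P<kind>secret|password)"
    r"(?:\s+level\s+(?P<level>\d+))?"
    r"(?:\s+(?P<type>\d))?"
    r"\s+(?P<value>\S+)\s*$"
)


def parse_enable_lines(config: str) -> List[tuple]:
    """Return (kind, level, type, value, raw) for every enable secret/password line.
    A missing level means 15 and a missing type ("0") means the value was typed
    in cleartext, as the syntax description above states."""
    entries = []
    for raw in config.splitlines():
        m = _ENABLE_RE.match(raw)
        if m:
            entries.append((m.group("kind"), int(m.group("level") or 15),
                            m.group("type") or "0", m.group("value"), raw.strip()))
    return entries


def audit_enable_config(config: str) -> List[Finding]:
    """Apply the precedence and storage rules from the enable secret guidelines."""
    findings: List[Finding] = []
    entries = parse_enable_lines(config)
    secrets = {lvl: (t, v, raw) for kind, lvl, t, v, raw in entries if kind == "secret"}
    passwords = {lvl: (t, v, raw) for kind, lvl, t, v, raw in entries if kind == "password"}
    spe_enabled = any(l.strip() == "service password-encryption" for l in config.splitlines())

    for lvl, (t, v, raw) in secrets.items():
        if t == "4":
            findings.append(Finding(raw, "high",
                f"level {lvl}: type 4 secret is deprecated, re-enter it so it is stored as type 8 or 9"))
        elif t == "5":
            findings.append(Finding(raw, "warn",
                f"level {lvl}: type 5 ({SECRET_TYPE_NAMES['5']}) secret, prefer type 8 or 9"))
        elif t == "0":
            findings.append(Finding(raw, "info",
                f"level {lvl}: cleartext secret in a saved config is unexpected, the device hashes it on entry"))

    for lvl, (t, v, raw) in passwords.items():
        if lvl in secrets:
            findings.append(Finding(raw, "info",
                f"level {lvl}: an enable secret exists, so this enable password is inactive"))
            s_type, s_value, _ = secrets[lvl]
            if s_type == "0" and s_value == v:
                findings.append(Finding(raw, "warn",
                    f"level {lvl}: enable password and enable secret are identical, which the device warns against"))
        else:
            findings.append(Finding(raw, "high",
                f"level {lvl}: only an enable password is set; it is not stored with a nonreversible function"))
        if t == "0" and not spe_enabled:
            findings.append(Finding(raw, "warn",
                f"level {lvl}: cleartext enable password and service password-encryption is not configured"))
    return findings


# Constructed sample running-config excerpt (not taken from a real device).
SAMPLE_CONFIG = """\
hostname Device
enable secret 4 tnhtc92DXBhelxjYk8LWJrPV36S2i4ntXrpb4RFmfqY
enable secret level 3 5 $1$FaD0$Xyti5Rkls3LoyxzS8
enable password level 2 pswd2
enable password level 3 pswd3
"""

if __name__ == "__main__":
    for f in audit_enable_config(SAMPLE_CONFIG):
        print(f"[{f.severity}] {f.line}: {f.message}")
```

Run it against the output of show running-config | inc enable; the level-2 password in the sample is reported as high because no enable secret exists for that level, while the level-3 password is only informational because the level-3 secret makes it inactive.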

epm access-control open

To configure an open directive for ports that do not have an access control list (ACL) configured, use the epm access-control open command in global configuration mode. To disable the open directive, use the no form of this command.

epm access-control open

no epm access-control open

Syntax Description

This command has no arguments or keywords.

Command Default

The default directive applies.

Command Modes

Global configuration (config)

Command History

Release

Modification

Cisco IOS XE Everest 16.6.1

This command was introduced.

Usage Guidelines

Use this command to configure an open directive that allows hosts without an authorization policy to access ports configured with a static ACL. If you do not configure this command, the port applies the policies of the configured ACL to the traffic. If no static ACL is configured on a port, both the default and open directives allow access to the port.

You can verify your settings by entering the show running-config command.

Examples

This example shows how to configure an open directive.

Device> enable
Device# configure terminal
Device(config)# epm access-control open
Device(config)# exit

include-icv-indicator

To include the integrity check value (ICV) indicator in MKPDU, use the include-icv-indicator command in MKA-policy configuration mode. To disable the ICV indicator, use the no form of this command.

include-icv-indicator

no include-icv-indicator

Syntax Description

This command has no arguments or keywords.

Command Default

ICV indicator is included.

Command Modes

MKA-policy configuration (config-mka-policy)

Command History

Release

Modification

Cisco IOS XE Everest 16.6.1

This command was introduced.

Examples

The following example shows how to include the ICV indicator in MKPDU:
Device> enable
Device# configure terminal
Device(config)# mka policy 2
Device(config-mka-policy)# include-icv-indicator

ip access-list

To define an IP access list or object-group access control list (ACL) by name or number or to enable filtering for packets with IP helper-address destinations, use the ip access-list command in global configuration mode. To remove the IP access list or object-group ACL or to disable filtering for packets with IP helper-address destinations, use the no form of this command.

ip access-list { {extended | resequence | standard} {access-list-number | access-list-name} | helper egress check | log-update threshold threshold-number | logging {hash-generation | interval time} | persistent | role-based access-list-name}

no ip access-list { {extended | resequence | standard} {access-list-number | access-list-name} | helper egress check | log-update threshold | logging {hash-generation | interval} | persistent | role-based access-list-name}

Syntax Description

standard

Specifies a standard IP access list.

resequence

Specifies a resequenced IP access list.

extended

Specifies an extended IP access list. Required for object-group ACLs.

access-list-name

Name of the IP access list or object-group ACL. Names cannot contain a space or quotation mark, and must begin with an alphabetic character to prevent ambiguity with numbered access lists.

access-list-number

Number of the access list.

  • A standard IP access list is in the ranges 1-99 or 1300-1999.

  • An extended IP access list is in the ranges 100-199 or 2000-2699.

helper egress check

Enables permit or deny matching capability for an outbound access list that is applied to an interface, for traffic that is relayed via the IP helper feature to a destination server address.

log-update

Controls the access list log updates.

threshold threshold-number

Sets the access list logging threshold. The range is 0 to 2147483647.

logging

Controls the access list logging.

hash-generation

Enables syslog hash code generation.

interval time

Sets the access list logging interval in milliseconds. The range is 0 to 2147483647.

persistent

Access control entry (ACE) sequence numbers are persistent across reloads.

Note

This is enabled by default and cannot be disabled.

role-based

Specifies a role-based IP access list.

Command Default

No IP access list or object-group ACL is defined, and outbound ACLs do not match and filter IP helper relayed traffic.

Command Modes

Global configuration (config)

Command History

Release

Modification

Cisco IOS XE Everest 16.6.1

This command was introduced.

Usage Guidelines

Use this command to configure a named or numbered IP access list or an object-group ACL. This command places the device in access-list configuration mode, where you must define the denied or permitted access conditions by using the deny and permit commands.

Specifying the standard or extended keyword with the ip access-list command determines the prompt that appears when you enter access-list configuration mode. You must use the extended keyword when defining object-group ACLs.

You can create object groups and IP access lists or object-group ACLs independently, which means that you can use object-group names that do not yet exist.

Use the ip access-group command to apply the access list to an interface.

The ip access-list helper egress check command enables outbound ACL matching for permit or deny capability on packets with IP helper-address destinations. When you use an outbound extended ACL with this command, you can permit or deny IP helper relayed traffic based on source or destination User Datagram Protocol (UDP) ports. The ip access-list helper egress check command is disabled by default; outbound ACLs will not match and filter IP helper relayed traffic.

Examples

The following example defines a standard access list named Internetfilter:

Device> enable
Device# configure terminal
Device(config)# ip access-list standard Internetfilter
Device(config-std-nacl)# permit 192.168.255.0 0.0.0.255
Device(config-std-nacl)# permit 10.88.0.0 0.0.255.255
Device(config-std-nacl)# permit 10.0.0.0 0.255.255.255

The following example shows how to create an object-group ACL that permits packets from the users in my_network_object_group if the protocol ports match the ports specified in my_service_object_group:

Device> enable
Device# configure terminal
Device(config)# ip access-list extended my_ogacl_policy
Device(config-ext-nacl)# permit tcp object-group my_network_object_group portgroup my_service_object_group any
Device(config-ext-nacl)# deny tcp any any

The following example shows how to enable outbound ACL filtering on packets with helper-address destinations:

Device> enable
Device# configure terminal
Device(config)# ip access-list helper egress check

ip access-list role-based

To create a role-based (security group) access control list (RBACL) and enter role-based ACL configuration mode, use the ip access-list role-based command in global configuration mode. To remove the configuration, use the no form of this command.

ip access-list role-based access-list-name

no ip access-list role-based access-list-name

Syntax Description

access-list-name

Name of the security group access control list (SGACL).

Command Default

Role-based ACLs are not configured.

Command Modes

Global configuration (config)

Command History

Release

Modification

Cisco IOS XE Everest 16.6.1

This command was introduced.

Usage Guidelines

For SGACL logging, you must configure the permit ip log command. Also, this command must be configured in Cisco Identity Services Engine (ISE) to enable logging for dynamic SGACLs.

Examples

The following example shows how to define an SGACL that can be applied to IPv4 traffic and enter role-based access list configuration mode:

Device> enable
Device# configure terminal
Device(config)# ip access-list role-based rbacl1
Device(config-rb-acl)# permit ip log
Device(config-rb-acl)# end

ip admission

To enable web authentication, use the ip admission command in interface configuration mode or fallback-profile configuration mode. To disable web authentication, use the no form of this command.

ip admission rule

no ip admission rule

Syntax Description

rule

IP admission rule name.

Command Default

Web authentication is disabled.

Command Modes

Interface configuration (config-if)

Fallback-profile configuration (config-fallback-profile)

Command History

Release

Modification

Cisco IOS XE Everest 16.6.1

This command was introduced.

Usage Guidelines

The ip admission command applies a web authentication rule to a switch port.

Examples

This example shows how to apply a web authentication rule to a switchport:

Device> enable
Device# configure terminal
Device(config)# interface gigabitethernet1/0/1
Device(config-if)# ip admission rule1
Device(config-if)# end

This example shows how to apply a web authentication rule to a fallback profile for use on an IEEE 802.1x enabled switch port:

Device> enable
Device# configure terminal
Device(config)# fallback profile profile1
Device(config-fallback-profile)# ip admission rule1
Device(config-fallback-profile)# end

ip admission name

To enable web authentication, use the ip admission name command in global configuration mode. To disable web authentication, use the no form of this command.

ip admission name name { consent | proxy http} [ absolute timer minutes | inactivity-time minutes | list { acl | acl-name} | service-policy type tag service-policy-name]

no ip admission name name { consent | proxy http} [ absolute timer minutes | inactivity-time minutes | list { acl | acl-name} | service-policy type tag service-policy-name]

Syntax Description

name

Name of network admission control rule.

consent

Associates an authentication proxy consent web page with the IP admission rule specified using the admission-name argument.

proxy http

Configures web authentication custom page.

absolute-timer minutes

(Optional) Elapsed time, in minutes, before the external server times out.

inactivity-time minutes

(Optional) Elapsed time, in minutes, before the external file server is deemed unreachable.

list

(Optional) Associates the named rule with an access control list (ACL).

acl

Applies a standard, extended list to a named admission control rule. The value ranges from 1 through 199, or from 1300 through 2699 for expanded range.

acl-name

Applies a named access list to a named admission control rule.

service-policy type tag

(Optional) A control plane service policy is to be configured.

service-policy-name

Control plane tag service policy that is configured using the policy-map type control tagpolicyname command, keyword, and argument. This policy map is used to apply the actions on the host when a tag is received.

Command Default

Web authentication is disabled.

Command Modes

Global configuration (config)

Command History

Release

Modification

Cisco IOS XE Everest 16.6.1

This command was introduced.

Usage Guidelines

The ip admission name command globally enables web authentication on a switch.

After you enable web authentication on a switch, use the ip access-group in and ip admission web-rule interface configuration commands to enable web authentication on a specific interface.

Examples

This example shows how to configure only web authentication on a switch port:

Device> enable
Device# configure terminal
Device(config)# ip admission name http-rule proxy http
Device(config)# interface gigabitethernet1/0/1
Device(config-if)# ip access-group 101 in
Device(config-if)# ip admission rule
Device(config-if)# end

This example shows how to configure IEEE 802.1x authentication with web authentication as a fallback mechanism on a switch port:

Device> enable
Device# configure terminal
Device(config)# ip admission name rule2 proxy http
Device(config)# fallback profile profile1
Device(config)# ip access-group 101 in
Device(config)# ip admission name rule2
Device(config)# interface gigabitethernet1/0/1
Device(config-if)# dot1x port-control auto
Device(config-if)# dot1x fallback profile1
Device(config-if)# end

ip dhcp snooping database

To configure the Dynamic Host Configuration Protocol (DHCP)-snooping database, use the ip dhcp snooping database command in global configuration mode. To disable the DHCP-snooping database, use the no form of this command.

ip dhcp snooping database { crashinfo: url | flash: url | ftp: url | http: url | https: url | rcp: url | scp: url | tftp: url | timeout seconds | usbflash0: url | write-delay seconds }

no ip dhcp snooping database [ timeout | write-delay ]


Syntax Description

crashinfo:url

Specifies the database URL for storing entries using crashinfo.

flash:url

Specifies the database URL for storing entries using flash.

ftp:url

Specifies the database URL for storing entries using FTP.

http:url

Specifies the database URL for storing entries using HTTP.

https:url

Specifies the database URL for storing entries using secure HTTP (https).

rcp:url

Specifies the database URL for storing entries using remote copy (rcp).

scp:url

Specifies the database URL for storing entries using Secure Copy (SCP).

tftp:url

Specifies the database URL for storing entries using TFTP.

timeout seconds

Specifies the cancel timeout interval; valid values are from 0 to 86400 seconds.

usbflash0:url

Specifies the database URL for storing entries using USB flash.

write-delay seconds

Specifies the amount of time before writing the DHCP-snooping entries to an external server after a change is seen in the local DHCP-snooping database; valid values are from 15 to 86400 seconds.

Command Default

The DHCP-snooping database is not configured.

Command Modes

Global configuration (config)

Command History

Release

Modification

Cisco IOS XE Everest 16.6.1

This command was introduced.

Usage Guidelines

You must enable DHCP snooping on the interface before entering this command. Use the ip dhcp snooping command to enable DHCP snooping.

Examples

This example shows how to specify the database URL using TFTP:

Device> enable
Device# configure terminal
Device(config)#  ip dhcp snooping database tftp://10.90.90.90/snooping-rp2
Device(config)# exit

This example shows how to specify the amount of time before writing DHCP snooping entries to an external server:

Device> enable
Device# configure terminal
Device(config)#  ip dhcp snooping database write-delay 15
Device(config)# exit

ip dhcp snooping information option format remote-id

To configure the option-82 remote-ID suboption, use the ip dhcp snooping information option format remote-id command in global configuration mode. To restore the default remote-ID suboption, use the no form of this command.

ip dhcp snooping information option format remote-id { hostname | string string}

no ip dhcp snooping information option format remote-id { hostname | string string}

Syntax Description

hostname

Specify the device hostname as the remote ID.

string string

Specify a remote ID, using from 1 to 63 ASCII characters (no spaces).

Command Default

The device MAC address is the remote ID.

Command Modes

Global configuration (config)

Command History

Release

Modification

Cisco IOS XE Everest 16.6.1

This command was introduced.

Usage Guidelines

You must globally enable DHCP snooping by using the ip dhcp snooping global configuration command for any DHCP snooping configuration to take effect.

When the option-82 feature is enabled, the default remote-ID suboption is the device MAC address. This command allows you to configure either the device hostname or a string of up to 63 ASCII characters (but no spaces) to be the remote ID.


Note


If the hostname exceeds 63 characters, it will be truncated to 63 characters in the remote-ID configuration.


Examples

This example shows how to configure the option-82 remote-ID suboption:

Device> enable
Device# configure terminal
Device(config)# ip dhcp snooping information option format remote-id hostname
Device(config)# exit

ip dhcp snooping verify no-relay-agent-address

To disable the DHCP snooping feature from verifying that the relay agent address (giaddr) in a DHCP client message matches the client hardware address on an untrusted port, use the ip dhcp snooping verify no-relay-agent-address command in global configuration mode. To enable verification, use the no form of this command.

ip dhcp snooping verify no-relay-agent-address

no ip dhcp snooping verify no-relay-agent-address

Syntax Description

This command has no arguments or keywords.

Command Default

The DHCP snooping feature verifies that the relay-agent IP address (giaddr) field in a DHCP client message on an untrusted port is 0.

Command Modes

Global configuration (config)

Command History

Release

Modification

Cisco IOS XE Everest 16.6.1

This command was introduced.

Usage Guidelines

By default, the DHCP snooping feature verifies that the relay-agent IP address (giaddr) field in a DHCP client message on an untrusted port is 0; the message is dropped if the giaddr field is not 0. Use the ip dhcp snooping verify no-relay-agent-address command to disable the verification. Use the no ip dhcp snooping verify no-relay-agent-address command to reenable verification.

Examples

This example shows how to enable verification of the giaddr in a DHCP client message:

Device> enable
Device# configure terminal
Device(config)# no ip dhcp snooping verify no-relay-agent-address
Device(config)# exit
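The following Python model is an added illustration of the giaddr check described in the usage guidelines; it is not Cisco code and does not implement the rest of DHCP snooping. It parses the fixed BOOTP header of a DHCP message and applies the rule as stated: on an untrusted port, a client message (BOOTREQUEST) whose giaddr is not 0.0.0.0 is dropped while verification is enabled. The sample headers are constructed in the script itself (the MAC address and transaction ID are arbitrary).

```python
import struct
import ipaddress
from typing import Dict

BOOTREQUEST = 1  # op value for client-to-server messages (DISCOVER, REQUEST, ...)
BOOTREPLY = 2

# Fixed BOOTP header up to and including chaddr: op, htype, hlen, hops, xid,
# secs, flags, ciaddr, yiaddr, siaddr, giaddr, chaddr(16 bytes) = 44 bytes.
_BOOTP_HDR = struct.Struct("!BBBBIHHIIII16s")


def parse_bootp(payload: bytes) -> Dict[str, object]:
    """Pull the fields the giaddr check looks at out of a DHCP/BOOTP UDP payload."""
    if len(payload) < _BOOTP_HDR.size:
        raise ValueError("truncated BOOTP header")
    (op, _htype, hlen, _hops, xid, _secs, _flags, _ciaddr, _yiaddr, _siaddr,
     giaddr, chaddr) = _BOOTP_HDR.unpack_from(payload)
    return {
        "op": op,
        "xid": xid,
        "giaddr": str(ipaddress.IPv4Address(giaddr)),
        "chaddr": chaddr[:hlen].hex(":"),
    }


def snooping_verdict(payload: bytes, port_trusted: bool, verify_giaddr: bool = True) -> str:
    """Decision for one DHCP message per the relay-agent-address rule.

    verify_giaddr=True is the device default; configuring
    'ip dhcp snooping verify no-relay-agent-address' corresponds to False.
    Trusted ports are not subject to this check."""
    if port_trusted:
        return "forward"
    hdr = parse_bootp(payload)
    if hdr["op"] == BOOTREQUEST and verify_giaddr and hdr["giaddr"] != "0.0.0.0":
        return "drop"
    return "forward"


def build_client_header(mac: bytes, giaddr: str = "0.0.0.0", xid: int = 0x3903F326) -> bytes:
    """Constructed sample input: a BOOTREQUEST header only (no options), which is
    all the check above needs. It is not a complete DHCP packet."""
    return _BOOTP_HDR.pack(BOOTREQUEST, 1, 6, 0, xid, 0, 0, 0, 0, 0,
                           int(ipaddress.IPv4Address(giaddr)), mac.ljust(16, b"\x00"))


if __name__ == "__main__":
    sample_mac = bytes.fromhex("001122334455")  # arbitrary sample address
    for label, payload in [("giaddr 0.0.0.0", build_client_header(sample_mac)),
                           ("giaddr 10.1.1.1", build_client_header(sample_mac, "10.1.1.1"))]:
        print(label, "untrusted port ->", snooping_verdict(payload, port_trusted=False))
```

Feeding a captured DHCP payload (UDP data only, without Ethernet/IP/UDP headers) to snooping_verdict shows which messages the default setting would discard on an untrusted port, which helps decide whether disabling the check with this command is actually needed.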

ip http access-class

To specify the access list that should be used to restrict access to the HTTP server, use the ip http access-class command in global configuration mode. To remove a previously configured access list association, use the no form of this command.

ip http access-class { access-list-number | ipv4 { access-list-number | access-list-name } | ipv6 access-list-name }

no ip http access-class { access-list-number | ipv4 { access-list-number | access-list-name } | ipv6 access-list-name }

Syntax Description

access-list-number

Standard IP access list number in the range 0 to 99, as configured by the access-list global configuration command.

ipv4

Specifies the IPv4 access list to restrict access to the secure HTTP server.

access-list-name

Name of a standard IPv4 access list, as configured by the ip access-list command.

ipv6

Specifies the IPv6 access list to restrict access to the secure HTTP server.

Command Default

No access list is applied to the HTTP server.

Command Modes


Global configuration (config)

Command History

Release

Modification

Cisco IOS XE Everest 16.6.1

This command was introduced.

Usage Guidelines

If this command is configured, the specified access list is assigned to the HTTP server. Before the HTTP server accepts a connection, it checks the access list. If the check fails, the HTTP server does not accept the request for a connection.

Examples

The following example shows how to define an access list as 20 and assign it to the HTTP server:

Device> enable
Device# configure terminal
Device(config)# ip access-list standard 20
Device(config-std-nacl)# permit 209.165.202.130 0.0.0.255
Device(config-std-nacl)# permit 209.165.201.1 0.0.255.255
Device(config-std-nacl)# permit 209.165.200.225 0.255.255.255
Device(config-std-nacl)# exit
Device(config)# ip http access-class 20
Device(config)# exit

The following example shows how to define a named IPv4 access list (Internet_filter) and assign it to the HTTP server:

Device> enable
Device# configure terminal
Device(config)# ip access-list standard Internet_filter
Device(config-std-nacl)# permit 1.2.3.4
Device(config-std-nacl)# exit
Device(config)# ip http access-class ipv4 Internet_filter
Device(config)# exit
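The following Python script is an added illustration, not Cisco code, of how a standard IP access list such as the ones in the ip access-list and ip http access-class examples is evaluated: entries are tried in order, the wildcard mask marks bits that are not compared, and a standard ACL ends with an implicit deny. It also includes a lint check for a mistake visible in access list 20 above: an address whose bits fall inside the wildcard's "do not care" range (for example 209.165.202.130 with 0.0.0.255) is accepted, but it is evaluated as if those bits were zero, so the entry matches a wider range than the address suggests. The entries used as sample input are copied from the examples on this page.

```python
import ipaddress
from typing import List, Tuple


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(addr: str, base: str, wildcard: str = "0.0.0.0") -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means the bit is not compared."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(addr) & care) == (_to_int(base) & care)


def parse_standard_ace(line: str) -> Tuple[str, str, str]:
    """Parse one standard ACE: 'permit|deny {any | host A.B.C.D | A.B.C.D [wildcard]}'.
    Returns (action, base, wildcard) with 'any' and 'host' expanded to explicit masks."""
    parts = line.split()
    if len(parts) < 2 or parts[0] not in ("permit", "deny"):
        raise ValueError(f"unsupported standard ACE: {line!r}")
    action = parts[0]
    if parts[1] == "any":
        return action, "0.0.0.0", "255.255.255.255"
    if parts[1] == "host":
        return action, parts[2], "0.0.0.0"
    wildcard = parts[2] if len(parts) > 2 else "0.0.0.0"
    return action, parts[1], wildcard


def evaluate_standard_acl(aces: List[str], src: str) -> str:
    """First matching entry wins; a standard ACL ends with an implicit 'deny any'."""
    for line in aces:
        action, base, wildcard = parse_standard_ace(line)
        if wildcard_match(src, base, wildcard):
            return action
    return "deny"


def lint_standard_acl(aces: List[str]) -> List[str]:
    """Flag entries whose address has bits set where the wildcard says 'do not care'.
    Such an entry is accepted and matches exactly as if those bits were zero, which
    usually means the mask was mistyped and the entry is wider than intended."""
    problems = []
    for line in aces:
        action, base, wildcard = parse_standard_ace(line)
        if _to_int(base) & _to_int(wildcard):
            canonical = ipaddress.IPv4Address(_to_int(base) & ~_to_int(wildcard) & 0xFFFFFFFF)
            problems.append(f"{line!r} is evaluated as '{action} {canonical} {wildcard}'")
    return problems


# Entries copied from the 'ip access-list standard Internetfilter' example on this page.
INTERNETFILTER = [
    "permit 192.168.255.0 0.0.0.255",
    "permit 10.88.0.0 0.0.255.255",
    "permit 10.0.0.0 0.255.255.255",
]

# Entries copied from the 'ip http access-class 20' example on this page.
HTTP_ACL_20 = [
    "permit 209.165.202.130 0.0.0.255",
    "permit 209.165.201.1 0.0.255.255",
    "permit 209.165.200.225 0.255.255.255",
]

if __name__ == "__main__":
    for src in ("10.88.12.34", "192.168.254.1"):
        print("Internetfilter", src, "->", evaluate_standard_acl(INTERNETFILTER, src))
    for problem in lint_standard_acl(HTTP_ACL_20):
        print("access-list 20:", problem)
```

The lint output for access list 20 shows that its third entry is evaluated as permit 209.0.0.0 0.255.255.255, so the HTTP server would accept connections from any source in 209.0.0.0/8, far more than the three addresses the entries appear to name. Checking the running configuration after entry is the quickest way to see the form the device actually stored.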

ip radius source-interface

To force RADIUS to use the IP address of a specified interface for all outgoing RADIUS packets, use the ip radius source-interface command in global configuration mode. To prevent RADIUS from using the IP address of a specified interface for all outgoing RADIUS packets, use the no form of this command.

ip radius source-interface interface-name [vrf vrf-name]

no ip radius source-interface

Syntax Description

interface-name

Name of the interface that RADIUS uses for all of its outgoing packets.

vrf vrf-name

(Optional) Per virtual route forwarding (VRF) configuration.

Command Default

No default behavior or values.

Command Modes


Global configuration (config)

Command History

Release

Modification

Cisco IOS XE Everest 16.6.1

This command was introduced.

Usage Guidelines

Use this command to set the IP address of an interface to be used as the source address for all outgoing RADIUS packets. The IP address is used as long as the interface is in the up state. The RADIUS server can use one IP address entry for every network access client instead of maintaining a list of IP addresses. RADIUS uses the IP address of the interface with which it is associated, regardless of whether the interface is in the up or down state.

The ip radius source-interface command is especially useful in cases where the router has many interfaces and you want to ensure that all RADIUS packets from a particular router have the same IP address.

The specified interface should have a valid IP address and should be in the up state for a valid configuration. If the specified interface does not have a valid IP address or is in the down state, RADIUS selects a local IP that corresponds to the best possible route to the AAA server. To avoid this, add a valid IP address to the interface or bring the interface to the up state.

Use the vrf vrf-name keyword and argument to configure this command per VRF, which allows multiple disjoint routing or forwarding tables, where the routes of one user have no correlation with the routes of another user.

Examples

The following example shows how to configure RADIUS to use the IP address of interface s2 for all outgoing RADIUS packets:


ip radius source-interface s2

The following example shows how to configure RADIUS to use the IP address of interface Ethernet0 for VRF definition:


ip radius source-interface Ethernet0 vrf vrf1

ip source binding

To add a static IP source binding entry, use the ip source binding command. Use the no form of this command to delete a static IP source binding entry.

ip source binding mac-address vlan vlan-id ip-address interface interface-id

no ip source binding mac-address vlan vlan-id ip-address interface interface-id

Syntax Description

mac-address

Binding MAC address.

vlan vlan-id

Specifies the Layer 2 VLAN identification; valid values are from 1 to 4094.

ip-address

Binding IP address.

interface interface-id

ID of the physical interface.

Command Default

No IP source bindings are configured.

Command Modes

Global configuration (config)

Command History

Release

Modification

Cisco IOS XE Everest 16.6.1

This command was introduced.

Usage Guidelines

You can use this command to add a static IP source binding entry only.

The no form deletes the corresponding IP source binding entry. It requires an exact match of all required parameters for the deletion to succeed. Note that each static IP binding entry is keyed by a MAC address and a VLAN number. If the command contains an existing MAC address and VLAN number, the existing binding entry is updated with the new parameters instead of a separate binding entry being created.

Examples

This example shows how to add a static IP source binding entry:

Device> enable
Device# configure terminal
Device(config)# ip source binding 0100.0230.0002 vlan 11 10.0.0.4 interface gigabitethernet1/0/1
Device(config)# exit

ip ssh source-interface

To specify the IP address of an interface as the source address for a Secure Shell (SSH) client device, use the ip ssh source-interface command in global configuration mode. To remove the IP address as the source address, use the no form of this command.

ip ssh source-interface interface

no ip ssh source-interface interface

Syntax Description

interface

The interface whose address is used as the source address for the SSH client.

Command Default

The address of the closest interface to the destination is used as the source address (the closest interface is the output interface through which the SSH packet is sent).

Command Modes

Global configuration (config)

Command History

Release

Modification

Cisco IOS XE Gibraltar 16.10.1

Cisco IOS XE Gibraltar 16.11.1

This command was introduced.

Usage Guidelines

By specifying this command, you can force the SSH client to use the IP address of the source interface as the source address.

Examples

In the following example, the IP address assigned to GigabitEthernet interface 1/0/1 is used as the source address for the SSH client:

Device> enable
Device# configure terminal
Device(config)# ip ssh source-interface GigabitEthernet 1/0/1
Device(config)# exit

ip verify source

To enable IP source guard on an interface, use the ip verify source command in interface configuration mode. To disable IP source guard, use the no form of this command.

ip verify source [mac-check] [tracking]

no ip verify source

Syntax Description

mac-check

(Optional) Enables IP source guard with MAC address verification.

tracking

(Optional) Enables IP port security with static IP address learning on the port.

Command Default

IP source guard is disabled.

Command Modes

Interface configuration (config-if)

Command History

Release

Modification

Cisco IOS XE Everest 16.6.1

This command was introduced.

Usage Guidelines

To enable IP source guard with source IP address filtering, use the ip verify source interface configuration command.

To enable IP source guard with source IP address filtering and MAC address verification, use the ip verify source mac-check interface configuration command.

Examples

This example shows how to enable IP source guard with source IP address filtering on an interface:

Device> enable
Device# configure terminal
Device(config)# interface gigabitethernet1/0/1
Device(config-if)# ip verify source
Device(config-if)# end

This example shows how to enable IP source guard with MAC address verification:

Device> enable
Device# configure terminal
Device(config)# interface gigabitethernet1/0/1
Device(config-if)# ip verify source mac-check
Device(config-if)# end

You can verify your settings by entering the show ip verify source command.
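The following Python model is an added illustration, not Cisco code, of how the ip source binding and ip verify source commands fit together: the binding table is keyed by (MAC address, VLAN), so re-adding the same key replaces the entry rather than creating a second one, the no form removes an entry only when every parameter matches, and IP source guard permits an inbound packet only when its source matches a binding on that interface, with mac-check additionally requiring the source MAC address to match. The sample entry is the one from the ip source binding example; the packet sources are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass
class Binding:
    mac: str
    vlan: int
    ip: str
    interface: str


def normalize_mac(mac: str) -> str:
    """Accept 0100.0230.0002, 01:00:02:30:00:02 or 01-00-02-30-00-02; return dotted form."""
    digits = "".join(ch for ch in mac.lower() if ch not in ".:-")
    if len(digits) != 12 or any(ch not in "0123456789abcdef" for ch in digits):
        raise ValueError(f"bad MAC address: {mac!r}")
    return ".".join(digits[i:i + 4] for i in (0, 4, 8))


class SourceBindingTable:
    """Static bindings as 'ip source binding' describes them."""

    def __init__(self) -> None:
        self._entries: Dict[Tuple[str, int], Binding] = {}

    def add(self, mac: str, vlan: int, ip: str, interface: str) -> None:
        # Same (MAC, VLAN) key: the existing entry is updated, not duplicated.
        key = (normalize_mac(mac), vlan)
        self._entries[key] = Binding(key[0], vlan, ip, interface)

    def remove(self, mac: str, vlan: int, ip: str, interface: str) -> bool:
        # The 'no' form succeeds only when all parameters match the stored entry.
        key = (normalize_mac(mac), vlan)
        entry = self._entries.get(key)
        if entry is None or entry.ip != ip or entry.interface != interface:
            return False
        del self._entries[key]
        return True

    def __len__(self) -> int:
        return len(self._entries)

    def verify(self, interface: str, vlan: int, src_ip: str, src_mac: str,
               mac_check: bool = False) -> str:
        """IP source guard decision for a packet arriving on an interface that has
        'ip verify source' configured. Plain mode filters on the source IP address
        (per VLAN and interface); mac_check=True models 'ip verify source mac-check'
        and also requires the source MAC address to match the binding."""
        for b in self._entries.values():
            if b.interface != interface or b.vlan != vlan or b.ip != src_ip:
                continue
            if not mac_check or b.mac == normalize_mac(src_mac):
                return "permit"
        return "deny"


if __name__ == "__main__":
    table = SourceBindingTable()
    # Entry from the 'ip source binding' example on this page.
    table.add("0100.0230.0002", 11, "10.0.0.4", "gigabitethernet1/0/1")
    # Constructed packet: right IP, spoofed MAC address.
    for check in (False, True):
        print("mac-check", check, "->",
              table.verify("gigabitethernet1/0/1", 11, "10.0.0.4", "aaaa.bbbb.cccc", mac_check=check))
```

The second verify call in the usage block shows why mac-check matters: a packet that carries a bound IP address but a different source MAC address is permitted by source IP filtering alone and denied once MAC address verification is enabled.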

ipv6 access-list

To define an IPv6 access list and to place the device in IPv6 access list configuration mode, use the ipv6 access-list command in global configuration mode. To remove the access list, use the no form of this command.

ipv6 access-list access-list-name | match-local-traffic | log-update threshold threshold-in-msgs | role-based list-name

no ipv6 access-list access-list-name | client permit-control-packets | log-update threshold | role-based list-name

Syntax Description

ipv6 access-list-name

Creates a named IPv6 ACL (up to 64 characters in length) and enters IPv6 ACL configuration mode.

access-list-name : Name of the IPv6 access list. Names cannot contain a space or quotation mark, or begin with a numeral.

match-local-traffic

Enables matching for locally-generated traffic.

log-update threshold threshold-in-msgs

Determines how syslog messages are generated after the initial packet match.

threshold-in-msgs - Number of packets generated.

role-based list-name

Creates a role-based IPv6 ACL.

Command Default

No IPv6 access list is defined.

Command Modes


Global configuration (config)

Command History

Release

Modification

Cisco IOS XE Everest 16.6.1

This command was introduced.

Usage Guidelines

IPv6 ACLs are defined by using the ipv6 access-list command in global configuration mode and their permit and deny conditions are set by using the deny and permit commands in IPv6 access list configuration mode. Configuring the ipv6 access-list command places the device in IPv6 access list configuration mode. From IPv6 access list configuration mode, permit and deny conditions can be set for the defined IPv6 ACL.


Note


IPv6 ACLs are defined by a unique name (IPv6 does not support numbered ACLs). An IPv4 ACL and an IPv6 ACL cannot share the same name.


IPv6 is automatically configured as the protocol type in permit any any and deny any any statements that are translated from global configuration mode to IPv6 access list configuration mode.

Every IPv6 ACL has implicit permit icmp any any nd-na , permit icmp any any nd-ns , and deny ipv6 any any statements as its last match conditions. (The first two allow ICMPv6 neighbor discovery.) An IPv6 ACL must contain at least one entry for the implicit deny ipv6 any any statement to take effect. Because the implicit entries are evaluated after every configured entry, an explicit deny ipv6 any any at the end of an ACL is matched first and therefore also blocks neighbor discovery on the interface; if you need an explicit deny-all entry (for example, to log denied traffic), add explicit permit icmp any any nd-ns and permit icmp any any nd-na entries before it. The IPv6 neighbor discovery process uses the IPv6 network layer service; therefore, by default, IPv6 ACLs implicitly allow IPv6 neighbor discovery packets to be sent and received on an interface. In IPv4, the Address Resolution Protocol (ARP), which is the equivalent of IPv6 neighbor discovery, uses a separate data link layer protocol; therefore, by default, IPv4 ACLs implicitly allow ARP packets to be sent and received on an interface.

Use the ipv6 traffic-filter interface configuration command with the access-list-name argument to apply an IPv6 ACL to an IPv6 interface. Use the ipv6 access-class line configuration command with the access-list-name argument to apply an IPv6 ACL to incoming and outgoing IPv6 virtual terminal connections to and from the device.

An IPv6 ACL applied to an interface with the ipv6 traffic-filter command filters traffic that is forwarded, not originated, by the device.
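The following Python model, added here as an illustration and not part of Cisco's documentation or software, reproduces the match semantics described above: entries are evaluated in order, the first match wins, every ACL with at least one configured entry ends with the implicit nd-na and nd-ns permits followed by deny ipv6 any any, and an ACL with no entries enforces nothing. The parse_ace helper and the sample ACLs are constructed for this example and cover only the small subset of ACE syntax used here (permit or deny, ipv6 or icmp, any, host or prefix, and the nd-ns and nd-na ICMPv6 keywords).

```python
"""Model of IPv6 ACL matching on Cisco IOS XE: ordered entries, first match
wins, implicit ND permits and deny-all appended to every non-empty ACL.
Added example; the ACE parser and sample ACLs are constructed for it."""
from dataclasses import dataclass
from ipaddress import IPv6Address, IPv6Network
from typing import Optional

# ICMPv6 type numbers used by Neighbor Discovery (RFC 4861).
ND_NS = 135  # neighbor solicitation
ND_NA = 136  # neighbor advertisement
ANY = IPv6Network("::/0")


@dataclass
class Ace:
    """One access-control entry."""
    action: str                      # "permit" or "deny"
    protocol: str                    # "ipv6" (any IPv6 packet) or "icmp"
    src: IPv6Network
    dst: IPv6Network
    icmp_type: Optional[int] = None  # only checked when protocol is "icmp"

    def matches(self, src, dst, protocol, icmp_type):
        if self.protocol != "ipv6" and self.protocol != protocol:
            return False
        if self.icmp_type is not None and self.icmp_type != icmp_type:
            return False
        return src in self.src and dst in self.dst


# Entries the device appends to every IPv6 ACL that has at least one
# configured entry: neighbor discovery permitted, then deny everything.
IMPLICIT_TAIL = (
    Ace("permit", "icmp", ANY, ANY, ND_NA),
    Ace("permit", "icmp", ANY, ANY, ND_NS),
    Ace("deny", "ipv6", ANY, ANY),
)


def _net(token):
    return ANY if token == "any" else IPv6Network(token, strict=False)


def parse_ace(line):
    """Parse 'permit|deny ipv6|icmp <src> <dst> [nd-ns|nd-na]' where <src> and
    <dst> are 'any', 'host ADDR' or PREFIX/LEN (hypothetical mini parser)."""
    tokens = line.split()
    action, protocol, rest = tokens[0], tokens[1], tokens[2:]
    nets = []
    while len(nets) < 2:
        tok = rest.pop(0)
        nets.append(_net(rest.pop(0) + "/128") if tok == "host" else _net(tok))
    icmp_type = {"nd-ns": ND_NS, "nd-na": ND_NA}[rest[0]] if rest else None
    return Ace(action, protocol, nets[0], nets[1], icmp_type)


def evaluate(acl, src, dst, protocol="ipv6", icmp_type=None):
    """Return (action, matched_entry) for one forwarded packet.

    acl is the configured entries in order. An empty list models an ACL that
    exists but has no entries; the implicit deny does not apply to it."""
    src, dst = IPv6Address(src), IPv6Address(dst)
    if not acl:
        return "permit", None
    for entry in list(acl) + list(IMPLICIT_TAIL):
        if entry.matches(src, dst, protocol, icmp_type):
            return entry.action, entry
    raise AssertionError("unreachable: the implicit deny matches everything")


# Constructed sample ACLs.
LIST2 = [parse_ace("deny ipv6 FEC0:0:0:2::/64 any"),
         parse_ace("permit ipv6 any any")]
DENY_ONLY = [parse_ace("deny ipv6 FEC0:0:0:2::/64 any")]
# Pitfall: an explicit deny-all last is evaluated before the implicit ND
# permits and therefore blocks neighbor discovery on the interface.
EXPLICIT_DENY_ALL = [parse_ace("permit ipv6 2001:db8::/32 any"),
                     parse_ace("deny ipv6 any any")]
# Corrected form: permit ND explicitly ahead of the explicit deny-all.
EXPLICIT_DENY_ALL_FIXED = [parse_ace("permit ipv6 2001:db8::/32 any"),
                           parse_ace("permit icmp any any nd-ns"),
                           parse_ace("permit icmp any any nd-na"),
                           parse_ace("deny ipv6 any any")]

if __name__ == "__main__":
    for name, acl in [("LIST2", LIST2), ("DENY_ONLY", DENY_ONLY),
                      ("EXPLICIT_DENY_ALL", EXPLICIT_DENY_ALL),
                      ("EXPLICIT_DENY_ALL_FIXED", EXPLICIT_DENY_ALL_FIXED)]:
        data = evaluate(acl, "2001:db8::5", "2001:db8::1")[0]
        nd = evaluate(acl, "fe80::1", "ff02::1", "icmp", ND_NS)[0]
        print(f"{name:24} data={data:6} neighbor-solicitation={nd}")
```

Running it shows that DENY_ONLY (a single deny with no permit) drops all forwarded traffic except neighbor discovery, while EXPLICIT_DENY_ALL, which ends with an explicit deny ipv6 any any, drops neighbor solicitations as well because the explicit entry is evaluated before the implicit permits. The model ignores the direction given to ipv6 traffic-filter and the device's own originated traffic, which the text notes is not filtered.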

Examples

The example configures the IPv6 ACL list named list1 and places the device in IPv6 access list configuration mode.

Device> enable
Device# configure terminal
Device(config)# ipv6 access-list list1
Device(config-ipv6-acl)# end

The following example configures the IPv6 ACL named list2 and applies it to outbound traffic on GigabitEthernet interface 0/1/2. The first ACL entry keeps all packets from the network FEC0:0:0:2::/64 (packets whose first 64 source-address bits are the site-local prefix FEC0:0:0:2) from exiting the interface. The second entry permits all other traffic to exit the interface; it is necessary because an implicit deny-all condition is at the end of every IPv6 ACL. (The site-local prefix FEC0::/10 has been deprecated by RFC 3879 and is kept here only to match the original example.)

Device> enable
Device# configure terminal
Device(config)# ipv6 access-list list2
Device(config-ipv6-acl)# deny ipv6 FEC0:0:0:2::/64 any
Device(config-ipv6-acl)# permit ipv6 any any
Device(config-ipv6-acl)# exit
Device(config)# interface gigabitethernet 0/1/2
Device(config-if)# ipv6 traffic-filter list2 out
Device(config-if)# end

ipv6 snooping policy

To configure an IPv6 snooping policy and enter IPv6 snooping configuration mode, use the ipv6 snooping policy command in global configuration mode. To delete an IPv6 snooping policy, use the no form of this command.

ipv6 snooping policy snooping-policy

no ipv6 snooping policy snooping-policy

Syntax Description

snooping-policy

User-defined name of the snooping policy. The policy name can be a symbolic string (such as Engineering) or an integer (such as 0).

Command Default

An IPv6 snooping policy is not configured.

Command Modes

Global configuration (config)

Command History

Release

Modification

Cisco IOS XE Everest 16.6.1

This command was introduced.

Usage Guidelines

Use the ipv6 snooping policy command to create an IPv6 snooping policy. Entering the command changes the configuration mode to IPv6 snooping configuration mode, in which you can configure the following IPv6 first-hop security commands:

  • The device-role command specifies the role of the device attached to the port.

  • The limit address-count maximum command limits the number of IPv6 addresses allowed to be used on the port.

  • The protocol command specifies that addresses should be gleaned with Dynamic Host Configuration Protocol (DHCP) or Neighbor Discovery Protocol (NDP).

  • The security-level command specifies the level of security enforced.

  • The tracking command overrides the default tracking policy on a port.

  • The trusted-port command configures a port to become a trusted port; that is, limited or no verification is performed when messages are received.

Examples

This example shows how to configure an IPv6 snooping policy:

Device> enable
Device# configure terminal
Device(config)# ipv6 snooping policy policy1
Device(config-ipv6-snooping)# end

key chain macsec

To configure a MACsec key chain from which MACsec Key Agreement (MKA) fetches a pre-shared key (PSK), use the key chain macsec command in global configuration mode. To remove the key chain, use the no form of this command.

key chain name macsec

no key chain name [ macsec ]

Syntax Description

name

Name of a key chain to be used to get keys.

Command Default

Key chain macsec is disabled.

Command Modes

Global configuration (config)

Command History

Release

Modification

Cisco IOS XE Everest 16.6.1

This command was introduced.

Examples

This example shows how to configure a MACsec key chain that holds a 128-bit Pre Shared Key (PSK). The key ID (1000) is the connectivity association key name (CKN), and the key-string is the 32-hexadecimal-character connectivity association key (CAK):

Device> enable
Device# configure terminal
Device(config)# key chain kc1 macsec
Device(config-keychain-macsec)# key 1000
Device(config-keychain-macsec-key)# cryptographic-algorithm aes-128-cmac
Device(config-keychain-macsec-key)# key-string fb63e0269e2768c49bab8ee9a5c2258f
Device(config-keychain-macsec-key)# end
Device#

This example shows how to configure a MACsec key chain that holds a 256-bit PSK. With aes-256-cmac the key-string is 64 hexadecimal characters and must be entered on a single line:

Device> enable
Device# configure terminal
Device(config)# key chain kc1 macsec
Device(config-keychain-macsec)# key 2000
Device(config-keychain-macsec-key)# cryptographic-algorithm aes-256-cmac
Device(config-keychain-macsec-key)# key-string c865632acb269022447c417504a1bf5db1c296449b52627ba01f2ba2574c2878
Device(config-keychain-macsec-key)# end
Device#

The same CKN and CAK must be configured on both MKA peers.
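Because the key-string length is fixed by the algorithm (32 hexadecimal characters for aes-128-cmac, 64 for aes-256-cmac) and a 64-character key is easy to truncate when pasted, the following Python helper, an added example rather than Cisco code, generates a CAK of the correct size from the operating system's CSPRNG, renders the key chain configuration shown above, and audits candidate configuration text for key-strings whose length does not match their algorithm. The CKN constraint it enforces (2 to 64 hex characters, even length) and the assumption that a key with no cryptographic-algorithm line defaults to aes-128-cmac are assumptions of this example, not statements from this page.

```python
"""Generate, render and audit MACsec PSK key chains (key chain ... macsec).
Added example, not Cisco code. The CKN length rule and the aes-128-cmac
default are assumptions of this example."""
import re
import secrets

# CAK size implied by the cryptographic-algorithm keyword, in bytes.
CAK_BYTES = {"aes-128-cmac": 16, "aes-256-cmac": 32}
_HEX = re.compile(r"[0-9a-fA-F]+")


def validate_ckn(ckn):
    """Check a CKN (the 'key' argument): assumed to be 2..64 hex characters
    with an even count, i.e. 1..32 octets."""
    if not _HEX.fullmatch(ckn) or len(ckn) % 2 or not 2 <= len(ckn) <= 64:
        raise ValueError(f"CKN {ckn!r} must be 2..64 hex characters, even length")
    return ckn


def validate_cak(cak, algorithm):
    """Check that a key-string is hex of exactly the length the algorithm implies."""
    if algorithm not in CAK_BYTES:
        raise ValueError(f"unknown cryptographic-algorithm {algorithm!r}")
    want = 2 * CAK_BYTES[algorithm]
    if not _HEX.fullmatch(cak) or len(cak) != want:
        raise ValueError(f"{algorithm} needs a {want}-character hex key-string, got {len(cak)}")
    return bytes.fromhex(cak)


def generate_key(algorithm, ckn=None):
    """Return (ckn, cak): a fresh CAK of the right size from the OS CSPRNG,
    plus the given CKN or a random 8-octet one."""
    cak = secrets.token_hex(CAK_BYTES[algorithm])
    ckn = validate_ckn(ckn or secrets.token_hex(8))
    return ckn, cak


def render_key_chain(name, keys):
    """keys: iterable of (ckn, algorithm, cak). Returns key chain CLI text."""
    lines = [f"key chain {name} macsec"]
    for ckn, algorithm, cak in keys:
        validate_ckn(ckn)
        validate_cak(cak, algorithm)
        lines += [f" key {ckn}",
                  f"  cryptographic-algorithm {algorithm}",
                  f"  key-string {cak}"]
    return "\n".join(lines)


def audit_key_chain(config_text):
    """Scan candidate config text (plaintext key-strings, before pasting it)
    and return [(ckn, problem)] for key-strings that do not fit their
    algorithm. Assumes aes-128-cmac when no algorithm line precedes the key."""
    problems, ckn, algorithm = [], None, "aes-128-cmac"
    for raw in config_text.splitlines():
        tokens = raw.split()
        if len(tokens) < 2:
            continue
        if tokens[0] == "key" and tokens[1] != "chain":
            ckn, algorithm = tokens[1], "aes-128-cmac"
        elif tokens[0] == "cryptographic-algorithm":
            algorithm = tokens[1]
        elif tokens[0] == "key-string":
            try:
                validate_cak(tokens[1], algorithm)
            except ValueError as err:
                problems.append((ckn, str(err)))
    return problems


# Constructed sample: a 256-bit key-string that was wrapped onto two lines
# when pasted, so the device would receive only the first 29 characters.
WRAPPED = """key chain kc1 macsec
 key 2000
  cryptographic-algorithm aes-256-cmac
  key-string c865632acb269022447c417504a1b
f5db1c296449b52627ba01f2ba2574c2878
"""

if __name__ == "__main__":
    ckn, cak = generate_key("aes-256-cmac", ckn="2000")
    print(render_key_chain("kc1", [(ckn, "aes-256-cmac", cak)]))
    for bad_ckn, problem in audit_key_chain(WRAPPED):
        print(f"key {bad_ckn}: {problem}")
```

Use the audit only on plaintext candidate configuration: in a running configuration the key-string is displayed obfuscated or type 6 encrypted, so its length says nothing about the CAK. The CKN and CAK must match on both MKA peers; key lifetimes, which drive rekeying, are not modeled here.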

key config-key password-encrypt

To store a type 6 encryption key in private NVRAM, use the key config-key password-encrypt command in global configuration mode. To disable the encryption, use the no form of this command.

key config-key password-encrypt [text]

no key config-key password-encrypt [text]

Syntax Description

text

(Optional) Password or master key .

Note

 

We recommend that you do not use the text argument. Instead, use interactive mode (press Enter after you enter the key config-key password-encrypt command) so that the key is prompted for rather than typed on the command line, is not printed anywhere, and therefore cannot be seen.

Command Default

Type 6 password encryption key is not stored in private NVRAM.

Command Modes

Global configuration (config)

Command History

Release

Modification

Cisco IOS XE Everest 16.6.1

This command was introduced.

Usage Guidelines

You can securely store plain text passwords in type 6 format in NVRAM using a CLI. Type 6 passwords are encrypted. Although the encrypted passwords can be seen or retrieved, it is difficult to decrypt them to find out the actual password. Use the key config-key password-encrypt command along with the password encryption aes command to configure and enable the password (symmetric cipher Advanced Encryption Standard [AES] is used to encrypt the keys). The password (key) configured using the key config-key password-encrypt command is the master encryption key that is used to encrypt all other keys in the device.

If you configure the password encryption aes command without configuring the key config-key password-encrypt command, the following message is displayed at startup or during a nonvolatile generation (NVGEN) process, such as when the show running-config or copy running-config startup-config commands are run:


“Can not encrypt password. Please configure a configuration-key with ‘key config-key’”

Changing a Password

If the password (master key) is changed or re-encrypted using the key config-key password-encrypt command, the list registry passes the old key and the new key to the application modules that are using type 6 encryption.

Deleting a Password

If the master key that was configured using the key config-key password-encrypt command is deleted from the system, a warning is displayed (and a confirm prompt is issued) stating that all type 6 passwords will become useless. As a security measure, after the passwords are encrypted, they will never be decrypted in the Cisco IOS software. However, passwords can be re-encrypted, as explained in the previous paragraph.


Caution


If the password that is configured using the key config-key password-encrypt command is lost, it cannot be recovered. We, therefore, recommend that you store the password in a safe location.


Unconfiguring Password Encryption

If you unconfigure password encryption using the no password encryption aes command, all the existing type 6 passwords are left unchanged, and as long as the password (master key) that was configured using the key config-key password-encrypt command exists, the type 6 passwords will be decrypted as and when required by the application.

Storing Passwords

Because no one can read the password (configured using the key config-key password-encrypt command), there is no way that the password can be retrieved from the device. Existing management stations cannot know what it is unless the stations are enhanced to include this key somewhere, in which case, the password needs to be stored securely within the management system. If configurations are stored using TFTP, the configurations are not standalone, meaning that they cannot be loaded onto a device. Before or after the configurations are loaded onto a device, the password must be manually added (using the key config-key password-encrypt command). The password can be manually added to the stored configuration. However we do not recommend this because adding the password manually allows anyone to decrypt all the passwords in that configuration.

Configuring New or Unknown Passwords

If you enter or cut and paste ciphertext that does not match the master key, or if there is no master key, the ciphertext is accepted or saved, but an alert message is displayed:


“<ciphertext> [for username <bar>] is incompatible with the configured master key.”

If a new master key is configured, all plain-text keys are encrypted and converted to type 6 keys. Existing type 6 keys are not re-encrypted and are left as is.

If the old master key is lost or is unknown, you have the option of deleting the master key using the no key config-key password-encrypt command. Deleting the master key causes the existing encrypted passwords to remain encrypted in the device configuration. The passwords cannot be decrypted.

Examples

The following example shows how a type 6 encryption key is stored in NVRAM:


Device> enable
Device# configure terminal
Device(config)# key config-key password-encrypt

key-server

To configure MKA key-server options, use the key-server command in MKA-policy configuration mode. To disable MKA key-server options, use the no form of this command.

key-server priority value

no key-server priority

Syntax Description

priority value

Specifies the priority value of the MKA key server. The range is 0 to 255; the peer with the lowest value is elected key server.

Command Default

MKA key-server is disabled.

Command Modes

MKA-policy configuration (config-mka-policy)

Command History

Release

Modification

Cisco IOS XE Everest 16.6.1

This command was introduced.

Examples

The following example shows how to configure the MKA key server priority:

Device> enable
Device# configure terminal
Device(config)# mka policy 2
Device(config-mka-policy)# key-server priority 33

limit address-count

To limit the number of IPv6 addresses allowed to be used on the port, use the limit address-count command in Neighbor Discovery Protocol (NDP) inspection policy configuration mode or IPv6 snooping configuration mode. To return to the default, use the no form of this command.

limit address-count maximum

no limit address-count

Syntax Description

maximum

The number of addresses allowed on the port. The range is from 1 to 10000.

Command Default

The default is no limit.

Command Modes

IPv6 snooping configuration (config-ipv6-snooping)

ND inspection policy configuration (config-nd-inspection)

Command History

Release

Modification

Cisco IOS XE Everest 16.6.1

This command was introduced.

Usage Guidelines

The limit address-count command limits the number of IPv6 addresses allowed to be used on the port on which the policy is applied. Limiting the number of IPv6 addresses on a port helps limit the binding table size. The range is from 1 to 10000.

Examples

This example shows how to define an NDP policy name as policy1, and limit the number of IPv6 addresses allowed on the port to 25:

Device> enable
Device# configure terminal
Device(config)# ipv6 nd inspection policy policy1
Device(config-nd-inspection)# limit address-count 25
Device(config-nd-inspection)# end

This example shows how to define an IPv6 snooping policy name as policy1, and limit the number of IPv6 addresses allowed on the port to 25:

Device> enable
Device# configure terminal
Device(config)# ipv6 snooping policy policy1
Device(config-ipv6-snooping)# limit address-count 25
Device(config-ipv6-snooping)# end

mab logging verbose

To enable detailed (verbose) MAC authentication bypass (MAB) system messages, use the mab logging verbose command in global configuration mode. To filter the verbose messages, use the no form of this command.

mab logging verbose

no mab logging verbose

Syntax Description

This command has no arguments or keywords.

Command Default

Detailed logging of system messages is not enabled.

Command Modes

Global configuration (config)

Command History

Release

Modification

Cisco IOS XE Everest 16.6.1

This command was introduced.

Usage Guidelines

Verbose MAB system messages report details such as anticipated successes. The no form of this command filters those details out; failure messages are never filtered.

Examples

To filter verbose MAB system messages:

Device> enable
Device# configure terminal
Device(config)# no mab logging verbose
Device(config)# exit

You can verify your settings by entering the show running-config command.

mab request format attribute 32

To enable VLAN ID-based MAC authentication on a device, use the mab request format attribute 32 vlan access-vlan command in global configuration mode. To return to the default setting, use the no form of this command.

mab request format attribute 32 vlan access-vlan

no mab request format attribute 32 vlan access-vlan

Syntax Description

This command has no arguments or keywords.

Command Default

VLAN-ID based MAC authentication is disabled.

Command Modes

Global configuration (config)

Command History

Release

Modification

Cisco IOS XE Everest 16.6.1

This command was introduced.

Usage Guidelines

Use this command to allow a RADIUS server to authenticate a new user based on the host MAC address and VLAN. Use this feature on networks with the Microsoft IAS RADIUS server. The Cisco ACS ignores this command.

Examples

This example shows how to enable VLAN-ID based MAC authentication on a device:

Device> enable
Device# configure terminal
Device(config)# mab request format attribute 32 vlan access-vlan
Device(config)# exit

macsec-cipher-suite

To configure cipher suite for deriving Security Association Key (SAK), use the macsec-cipher-suite command in MKA-policy configuration mode. To disable cipher suite for SAK, use the no form of this command.

macsec-cipher-suite {gcm-aes-128 | gcm-aes-256 }

no macsec-cipher-suite {gcm-aes-128 | gcm-aes-256 }

Syntax Description

gcm-aes-128

Configures cipher suite for deriving SAK with 128-bit encryption.

gcm-aes-256

Configures cipher suite for deriving SAK with 256-bit encryption.

Command Default

GCM-AES-128 encryption is enabled.

Command Modes

MKA-policy configuration (config-mka-policy)

Command History

Release

Modification

Cisco IOS XE Everest 16.6.1

This command was introduced.

Usage Guidelines

If the device supports both the GCM-AES-128 and GCM-AES-256 cipher suites, we strongly recommend that you define a user-defined MKA policy that includes either both cipher suites or only GCM-AES-256, according to your requirements, rather than relying on the default policy, which uses GCM-AES-128. Both MKA peers must support the selected cipher suite.

Examples

The following example shows how to configure the MACsec cipher suite for deriving the SAK with 256-bit encryption:

Device> enable
Device# configure terminal
Device(config)# mka policy 2
Device(config-mka-policy)# macsec-cipher-suite gcm-aes-256

macsec network-link

To enable MACsec Key Agreement protocol (MKA) configuration on the uplink interfaces, use the macsec network-link command in interface configuration mode. To disable it, use the no form of this command.

macsec network-link

no macsec network-link

Syntax Description

macsec network-link

Enables MKA MACsec configuration on device interfaces using EAP-TLS authentication protocol.

Command Default

MACsec network-link is disabled.

Command Modes

Interface configuration (config-if)

Command History

Release

Modification

Cisco IOS XE Everest 16.6.1

This command was introduced.

Examples

This example shows how to configure MACsec MKA on an interface using the EAP-TLS authentication protocol:

Device> enable
Device# configure terminal
Device(config)# interface GigabitEthernet 1/0/20
Device(config-if)# macsec network-link
Device(config-if)# end
Device#

match (access-map configuration)

To set the VLAN map to match packets against one or more access lists, use the match command in access-map configuration mode. To remove the match parameters, use the no form of this command.

match {ip address {name | number} [name | number] [name | number]... | ipv6 address {name | number} [name | number] [name | number]... | mac address {name} [name] [name]... }

no match {ip address {name | number} [name | number] [name | number]... | ipv6 address {name | number} [name | number] [name | number]... | mac address {name} [name] [name]... }

Syntax Description

ip address

Sets the access map to match packets against an IP address access list.

ipv6 address

Sets the access map to match packets against an IPv6 address access list.

mac address

Sets the access map to match packets against a MAC address access list.

name

Name of the access list to match packets against.

number

Number of the access list to match packets against. This option is not valid for MAC access lists.

Command Default

The default action is to have no match parameters applied to a VLAN map.

Command Modes

Access-map configuration (config-access-map)

Command History

Release

Modification

Cisco IOS XE Everest 16.6.1

This command was introduced.

Usage Guidelines

You enter access-map configuration mode by using the vlan access-map global configuration command.

You must enter one access list name or number; others are optional. You can match packets against one or more access lists. Matching any of the lists counts as a match of the entry.

In access-map configuration mode, use the match command to define the match conditions for a VLAN map applied to a VLAN. Use the action command to set the action that occurs when the packet matches the conditions.

Packets are matched only against access lists of the same protocol type; IP packets are matched against IP access lists, IPv6 packets are matched against IPv6 access lists, and all other packets are matched against MAC access lists.

IP, IPv6, and MAC addresses can be specified for the same map entry.

Examples

This example shows how to define and apply a VLAN access map vmap4 to VLANs 5 and 6 that will cause the interface to drop an IP packet if the packet matches the conditions defined in access list al2:

Device> enable
Device# configure terminal
Device(config)# vlan access-map vmap4
Device(config-access-map)# match ip address al2
Device(config-access-map)# action drop
Device(config-access-map)# exit
Device(config)# vlan filter vmap4 vlan-list 5-6
Device(config)# exit

You can verify your settings by entering the show vlan access-map command.

mka pre-shared-key

To configure MACsec Key Agreement (MKA) MACsec on a device interface using a Pre Shared Key (PSK), use the mka pre-shared-key key-chain key-chain-name command in interface configuration mode. To disable it, use the no form of this command.

mka pre-shared-key key-chain key-chain-name

no mka pre-shared-key key-chain key-chain-name

Syntax Description

mka pre-shared-key key-chain

Enables MACsec MKA configuration on device interfaces using a PSK.

Command Default

MKA pre-shared-key is disabled.

Command Modes

Interface configuration (config-if)

Command History

Release

Modification

Cisco IOS XE Everest 16.6.1

This command was introduced.

Examples

This example shows how to configure MKA MACsec on an interface using a PSK:


Device> enable
Device# configure terminal
Device(config)# interface Gigabitethernet 1/0/20
Device(config-if)# mka pre-shared-key key-chain kc1
Device(config-if)# end
Device#

mka suppress syslogs sak-rekey

To suppress MACsec Key Agreement (MKA) secure association key (SAK) rekey messages during logging, use the mka suppress syslogs sak-rekey command in global configuration mode. To enable MKA SAK rekey message logging, use the no form of this command.

mka suppress syslogs sak-rekey

no mka suppress syslogs sak-rekey

Syntax Description

This command has no arguments or keywords.

Command Default

All MKA SAK syslog messages are displayed on the console.

Command Modes

Global configuration (config)

Command History

Release

Modification

Cisco IOS XE Gibraltar 16.9.1

This command was introduced.

Usage Guidelines

MKA SAK syslog messages are generated at every rekey interval, and when MKA is configured on many interfaces the volume of syslog messages can be very high. Use this command to suppress the MKA SAK rekey syslog messages. Consider first whether you rely on those messages to monitor rekey activity, because they are no longer logged after this command is configured.

Examples

The following example shows how to suppress MKA SAK rekey syslog messages:

Device> enable
Device# configure terminal
Device(config)# mka suppress syslogs sak-rekey

password encryption aes

To enable a type 6 encrypted preshared key, use the password encryption aes command in global configuration mode. To disable password encryption, use the no form of this command.

password encryption aes

no password encryption aes

Syntax Description

This command has no arguments or keywords.

Command Default

Preshared keys are not encrypted.

Command Modes

Global configuration (config)

Command History

Release

Modification

Cisco IOS XE Everest 16.6.1

This command was introduced.

Usage Guidelines

You can securely store plain text passwords in type 6 format in NVRAM using a CLI. Type 6 passwords are encrypted. Although the encrypted passwords can be seen or retrieved, it is difficult to decrypt them to find out the actual password. Use the key config-key password-encrypt command along with the password encryption aes command to configure and enable the password (symmetric cipher Advanced Encryption Standard [AES] is used to encrypt the keys). The password (key) that is configured using the key config-key password-encrypt command is the master encryption key that is used to encrypt all other keys in the router.

If you configure the password encryption aes command without configuring the key config-key password-encrypt command, the following message is displayed at startup or during a nonvolatile generation (NVGEN) process, such as when the show running-config or copy running-config startup-config commands are run:


“Can not encrypt password. Please configure a configuration-key with ‘key config-key’”

Changing a Password

If the password (master key) is changed or re-encrypted using the key config-key password-encrypt command), the list registry passes the old key and the new key to the application modules that are using type 6 encryption.

Deleting a Password

If the master key that was configured using the key config-key password-encrypt command is deleted from the system, a warning is displayed (and a confirm prompt is issued) that states that all type 6 passwords will no longer be applicable. As a security measure, after the passwords are encrypted, they will never be decrypted in the Cisco IOS software. However, passwords can be re-encrypted as explained in the previous paragraph.


Caution


If a password that is configured using the key config-key password-encrypt command is lost, it cannot be recovered. Therefore, the password should be stored in a safe location.


Unconfiguring Password Encryption

If you unconfigure password encryption using the no password encryption aes command, all the existing type 6 passwords are left unchanged. As long as the password (master key) that was configured using the key config-key password-encrypt command exists, the type 6 passwords are decrypted as and when required by the application.

Storing Passwords

Because no one can read the password (configured using the key config-key password-encrypt command), there is no way that the password can be retrieved from the router. Existing management stations cannot know what it is unless the stations are enhanced to include this key somewhere. Therefore, the password needs to be stored securely within the management system. If configurations are stored using TFTP, the configurations are not standalone, meaning that they cannot be loaded onto a router. Before or after the configurations are loaded onto a router, the password must be manually added (using the key config-key password-encrypt command). The password can be manually added to the stored configuration, but we do not recommend this because adding the password manually allows anyone to decrypt all the passwords in that configuration.

Configuring New or Unknown Passwords

If you enter or cut and paste ciphertext that does not match the master key, or if there is no master key, the ciphertext is accepted or saved, but the following alert message is displayed:


“<ciphertext> [for username <bar>] is incompatible with the configured master key.”

If a new master key is configured, all the plain-text keys are encrypted and converted to type 6 keys. Existing type 6 keys are not re-encrypted and are left as is.

If the old master key is lost or unknown, you have the option of deleting the master key using the no key config-key password-encrypt command. This causes the existing encrypted passwords to remain encrypted in the router configuration. The passwords will not be decrypted.

Examples

The following example shows how a type 6 encrypted preshared key is enabled:


Device> enable
Device# configure terminal
Device(config)# password encryption aes

permit (MAC access-list configuration)

To allow non-IP traffic to be forwarded if the conditions are matched, use the permit command in MAC access-list configuration mode. To remove a permit condition from the extended MAC access list, use the no form of this command.

permit { any | host src-MAC-addr | src-MAC-addr mask} { any | host dst-MAC-addr | dst-MAC-addr mask} [ type mask | aarp | amber | appletalk | dec-spanning | decnet-iv | diagnostic | dsm | etype-6000 | etype-8042 | lat | lavc-sca | lsap lsap mask | mop-console | mop-dump | msdos | mumps | netbios | vines-echo | vines-ip | xns-idp] [ cos cos]

no permit { any | host src-MAC-addr | src-MAC-addr mask} { any | host dst-MAC-addr | dst-MAC-addr mask} [ type mask | aarp | amber | appletalk | dec-spanning | decnet-iv | diagnostic | dsm | etype-6000 | etype-8042 | lat | lavc-sca | lsap lsap mask | mop-console | mop-dump | msdos | mumps | netbios | vines-echo | vines-ip | xns-idp] [ cos cos]

Syntax Description

any

Matches any source or destination MAC address.

host src-MAC-addr | src-MAC-addr mask

Specifies a single source host MAC address, or a source MAC address with a mask of don’t care bits. If the source address of a packet matches the defined address, non-IP traffic from that address is permitted.

host dst-MAC-addr | dst-MAC-addr mask

Specifies a single destination host MAC address, or a destination MAC address with a mask of don’t care bits. If the destination address of a packet matches the defined address, non-IP traffic to that address is permitted.

type mask

(Optional) Specifies the EtherType number of a packet with Ethernet II or SNAP encapsulation to identify the protocol of the packet.

  • type is 0 to 65535, specified in hexadecimal.

  • mask is a mask of don’t care bits applied to the EtherType before testing for a match.

aarp

(Optional) Specifies EtherType AppleTalk Address Resolution Protocol that maps a data-link address to a network address.

amber

(Optional) Specifies EtherType DEC-Amber.

appletalk

(Optional) Specifies EtherType AppleTalk/EtherTalk.

dec-spanning

(Optional) Specifies EtherType Digital Equipment Corporation (DEC) spanning tree.

decnet-iv

(Optional) Specifies EtherType DECnet Phase IV protocol.

diagnostic

(Optional) Specifies EtherType DEC-Diagnostic.

dsm

(Optional) Specifies EtherType DEC-DSM.

etype-6000

(Optional) Specifies EtherType 0x6000.

etype-8042

(Optional) Specifies EtherType 0x8042.

lat

(Optional) Specifies EtherType DEC-LAT.

lavc-sca

(Optional) Specifies EtherType DEC-LAVC-SCA.

lsap lsap-number mask

(Optional) Specifies the LSAP number (0 to 65535) of a packet with 802.2 encapsulation to identify the protocol of the packet.

The mask is a mask of don’t care bits applied to the LSAP number before testing for a match.

mop-console

(Optional) Specifies EtherType DEC-MOP Remote Console.

mop-dump

(Optional) Specifies EtherType DEC-MOP Dump.

msdos

(Optional) Specifies EtherType DEC-MSDOS.

mumps

(Optional) Specifies EtherType DEC-MUMPS.

netbios

(Optional) Specifies EtherType DEC- Network Basic Input/Output System (NetBIOS).

vines-echo

(Optional) Specifies EtherType Virtual Integrated Network Service (VINES) Echo from Banyan Systems.

vines-ip