Configuration Commands: g to z

gas-ap-rate-limit

To set the number of Generic Advertisement Service (GAS) or Access Network Query Protocol (ANQP) request action frames sent to the controller by an access point (AP) for a given duration, use the gas-ap-rate-limit command.

gas-ap-rate-limit number-of-requests request-limit-interval

Syntax Description

number-of-requests

Number of GAS or ANQP requests allowed in the interval. The valid range is from 1 to 100.

request-limit-interval

Interval over which the maximum number of requests applies. The valid range is from 100 to 1000 milliseconds.

Command Default

Limit is not enabled.

Command Modes

AP Profile Configuration (config-ap-profile)

Command History

Release Modification
Cisco IOS XE Gibraltar 16.12.1

This command was introduced.

Examples

The following example shows how to configure the number of GAS or ANQP request action frames sent to the controller by an AP for a given duration:

Device(config)# ap profile hotspot
Device(config-ap-profile)# gas-ap-rate-limit 12 120 
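The limiting behaviour described above, as an added example (Python, not Cisco code): a per-AP sliding window that admits at most number-of-requests GAS/ANQP request action frames per request-limit-interval and drops the rest, run over a constructed burst from one AP and a normal trickle from another, using the same values as the example (12 per 120 ms). The AP names, the frame trace and the drop-event format are assumptions made for illustration.

```python
"""Sliding-window model of the gas-ap-rate-limit check (added example, not Cisco code).

Models how a cap of N GAS/ANQP request action frames per interval (in ms) is
enforced per access point, so that a burst of Hotspot 2.0 queries from one
misbehaving station cannot flood the controller with ANQP lookups.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class GasRateLimiter:
    number_of_requests: int          # allowed requests per interval (CLI range 1-100)
    request_limit_interval_ms: int   # window length in ms (CLI range 100-1000)
    # per-AP sliding windows holding timestamps of admitted frames (assumption: keyed by AP name)
    _windows: dict = field(default_factory=lambda: defaultdict(deque))
    events: list = field(default_factory=list)   # drop events, useful as a detection signal

    def __post_init__(self):
        # mirror the CLI's documented valid ranges
        if not 1 <= self.number_of_requests <= 100:
            raise ValueError("number-of-requests must be 1-100")
        if not 100 <= self.request_limit_interval_ms <= 1000:
            raise ValueError("request-limit-interval must be 100-1000 ms")

    def admit(self, ap_name: str, ts_ms: int) -> bool:
        """Return True if this GAS request frame is forwarded to the controller,
        False if it exceeds the per-AP limit for the current window and is dropped."""
        win = self._windows[ap_name]
        # evict admitted frames that have aged out of the window
        while win and ts_ms - win[0] >= self.request_limit_interval_ms:
            win.popleft()
        if len(win) < self.number_of_requests:
            win.append(ts_ms)
            return True
        self.events.append(
            f"{ts_ms}ms {ap_name}: GAS request dropped "
            f"({len(win)}/{self.number_of_requests} in {self.request_limit_interval_ms}ms)"
        )
        return False


def run_trace(limiter: GasRateLimiter, frames):
    """frames: iterable of (ts_ms, ap_name). Returns {ap_name: (forwarded, dropped)}."""
    stats = defaultdict(lambda: [0, 0])
    for ts, ap in sorted(frames):
        idx = 0 if limiter.admit(ap, ts) else 1
        stats[ap][idx] += 1
    return {ap: tuple(v) for ap, v in stats.items()}


# Constructed trace (not captured data): "hs-ap-1" receives 20 ANQP queries
# within 40 ms, then a normal trickle; "hs-ap-2" sees only well-spaced queries.
CONSTRUCTED_FRAMES = (
    [(1000 + i * 2, "hs-ap-1") for i in range(20)]     # burst: 1000..1038 ms
    + [(1200 + i * 50, "hs-ap-1") for i in range(4)]   # 1200, 1250, 1300, 1350 ms
    + [(1000 + i * 30, "hs-ap-2") for i in range(6)]   # 1000..1150 ms
)


def demo():
    """Apply the page's example setting, gas-ap-rate-limit 12 120, to the trace."""
    limiter = GasRateLimiter(number_of_requests=12, request_limit_interval_ms=120)
    return run_trace(limiter, CONSTRUCTED_FRAMES), limiter.events


if __name__ == "__main__":
    stats, events = demo()
    print(stats)            # {'hs-ap-1': (16, 8), 'hs-ap-2': (6, 0)}
    print("\n".join(events))
```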

group

To configure a group for a venue and a venue type, use the group command. To remove the group, use the no form of the command.

group venue-group venue-type

Syntax Description

venue-group

Venue group. Options are: assembly, business, educational, industrial, institutional, mercantile, outdoor, residential, storage, unspecified, utility, and vehicular.

venue-type

Venue type. The options vary based on the venue-group.

Command Default

None

Command Modes

Wireless ANQP Server Configuration (config-wireless-anqp-server)

Command History

Release Modification
Cisco IOS XE Gibraltar 16.12.1

This command was introduced.

Examples

The following example shows how to configure a group for a venue and a venue type:

Device(config)# wireless hotspot anqp-server my-server
Device(config-wireless-anqp-server)# group business bank   

gtk-randomize

To configure random GTK for Hole-196 mitigation, use the gtk-randomize command. To disable random GTK, use the no form of the command.

gtk-randomize

Syntax Description

This command has no keywords or arguments.

Command Default

None

Command Modes

WLAN Configuration (config-wlan)

Command History

Release Modification
Cisco IOS XE Gibraltar 16.12.1

This command was introduced.

Usage Guidelines

The GTK used for each mobile device should be different from every GTK used for the other mobile devices associated to the BSS.

Examples

The following example shows how to configure random GTK for Hole-196 mitigation:

Device(config-wlan)# security wpa wpa2 gtk-randomize  

gnxi (Insecure Mode)

gNXI is a collection of network management tools that use the gNMI and gNOI protocols:

  • gNMI - gRPC Network Management Interface

  • gNOI - gRPC Network Operations Interface

gNMI is the gRPC Network Management Interface, developed by Google. It provides the mechanism to install, manipulate, and delete the configuration of network devices, and to view operational data. gNOI defines a set of gRPC-based microservices for executing operational commands on network devices.

To configure and start the gNXI process in insecure mode, use the gnxi command. To disable this feature, use the no form of the command.

gnxi {port port-number | secure-client-auth | secure-init | secure-password-auth | secure-peer-verify-trustpoint | secure-port | secure-server | secure-trustpoint | server}

no gnxi {port port-number | secure-client-auth | secure-init | secure-password-auth | secure-peer-verify-trustpoint | secure-port | secure-server | secure-trustpoint | server}

Syntax Description

gnxi

Starts the gNXI process

port

Configures the gNXI server port

port-number

Specifies the port number. The default port number is 50052.

secure-client-auth

Configures the gNXI with client authentication

secure-init

Enables the gNMI secure server by using the primary self-signed certificate

secure-password-auth

Configures the gNXI with password authentication

secure-peer-verify-trustpoint

Configures the gNXI server peer validation trustpoint

secure-port

Configures the gNXI secure server port

secure-server

Enables the gNXI secure server

secure-trustpoint

Configures the gNXI server certificate trustpoint

server

Enables the gNXI server

Command Default

None

Command Modes

Global Configuration

Command History

Release Modification
Cisco IOS XE Bengaluru 17.6.1

This command was introduced.

Examples

The following example shows how to configure the gNXI server in insecure mode:


Device# configure terminal
Device(config)# gnxi server  
Device(config)# end

gnxi (Secure Mode)

gNXI is a collection of network management tools that use the gNMI and gNOI protocols:

  • gNMI - gRPC Network Management Interface

  • gNOI - gRPC Network Operations Interface

gNMI is the gRPC Network Management Interface, developed by Google. It provides the mechanism to install, manipulate, and delete the configuration of network devices, and to view operational data. gNOI defines a set of gRPC-based microservices for executing operational commands on network devices.

To configure and start the gNXI process in secure mode, use the gnxi command. To disable this feature, use the no form of the command.

gnxi {secure-server | secure-trustpoint trustpoint-name | secure-client-auth | secure-port}

no gnxi {secure-server | secure-trustpoint trustpoint-name | secure-client-auth | secure-port}

Syntax Description

gnxi

Starts the gNXI process

secure-server

Enables the gNXI secure server

secure-trustpoint

Configures the gNXI server certificate trustpoint

trustpoint-name

Specifies the trustpoint name

secure-client-auth

Configures the gNXI with client authentication

secure-port

Configures the gNXI secure server port

Command Default

None

Command Modes

Global Configuration

Command History

Release Modification
Cisco IOS XE Bengaluru 17.6.1

This command was introduced.

Examples

The following example shows how to configure the gNXI server with a secure trustpoint in secure mode:


Device# configure terminal
Device(config)# gnxi secure-trustpoint <trustpoint-name>  
Device(config)# end

hessid

To configure a homogeneous extended service set identifier (HESSID), use the hessid command. To remove it, use the no form of the command.

hessid HESSID-value

Syntax Description

HESSID-value

HESSID value.

Command Default

None

Command Modes

Wireless ANQP Server Configuration (config-wireless-anqp-server)

Command History

Release Modification
Cisco IOS XE Gibraltar 16.12.1

This command was introduced.

Examples

The following example shows how to configure a homogeneous extended service set identifier:

Device(config)# wireless hotspot anqp-server my-server
Device(config-wireless-anqp-server)# hessid 00:40:96:b4:82:55  

high-density clients count

To configure the maximum number of client connections per AP radio, use the high-density clients count command in the RF profile mode. Use the no form of this command to disable the feature.

high-density clients count max-client-conn-per-radio

[no] high-density clients count max-client-conn-per-radio

Syntax Description

max-client-conn-per-radio

Configures the maximum number of client connections per AP radio. The valid range is between 0 and 400. The default value is 200 client connections.

Command Default

None

Command Modes

RF configuration mode

Command History

Release Modification
Cisco IOS XE Cupertino 17.8.1

This command was introduced.

Examples

The following example shows how to configure the maximum number of client connections per AP radio:

Device(config)# ap dot11 5ghz rf-profile rfprofile
Device(config-rf-profile)# high-density clients count 30 

hotspot anqp-server

To associate a hotspot server with a policy profile, use the hotspot anqp-server command. To remove the server, use the no form of the command.

hotspot anqp-server server-name

Syntax Description

server-name

Name of the Hotspot 2.0 ANQP server.

Command Default

None

Command Modes

Wireless Policy Configuration (config-wireless-policy)

Command History

Release Modification
Cisco IOS XE Gibraltar 16.12.1

This command was introduced.

Examples

The following example shows how to associate a Hotspot 2.0 ANQP server with a policy profile:

Device(config)# wireless profile policy hs-policy
Device(config-wireless-policy)# hotspot anqp-server test 

hyperlocation

To configure Hyperlocation and related parameters for an AP group, use the hyperlocation command in the WLAN AP Group configuration (Device(config-apgroup)#) mode. To disable Hyperlocation and related parameter configuration for the AP group, use the no form of the command.

[no] hyperlocation [ threshold { detection value-in-dBm | reset value-btwn-0-99 | trigger value-btwn-1-100} ]

Syntax Description

[no] hyperlocation

Enables or disables Hyperlocation for an AP group.

threshold detection value-in-dBm

Sets the RSSI threshold below which packets are filtered out. The no form of the command resets the threshold to its default value.

threshold reset value-btwn-0-99

Sets the reset value, in scan cycles, after a trigger. The no form of the command resets the threshold to its default value.

threshold trigger value-btwn-1-100

Sets the number of scan cycles before sending a BAR to clients. The no form of the command resets the threshold to its default value.

Note: Ensure that the Hyperlocation threshold reset value is less than the threshold trigger value.

Command Modes

WLAN AP Group configuration

Command History

Release Modification

Cisco IOS XE Gibraltar 16.10.1

This command was introduced in a release earlier than Cisco IOS XE Gibraltar 16.10.1.

Examples

  • This example shows how to set threshold to filter out packets with low RSSI:

    Device(config-apgroup)# [no] hyperlocation threshold detection -100
  • This example shows how to reset value in scan cycles after trigger:

    Device(config-apgroup)# [no] hyperlocation threshold reset 8
  • This example shows how to set the number of scan cycles before sending a BAR to clients:

    Device(config-apgroup)# [no] hyperlocation threshold trigger 10

icon

To configure an icon for an Online Sign-Up (OSU) provider, use the icon command. To remove the icon, use the no form of the command.

icon file-name

Syntax Description

file-name

File name of the icon.

Command Default

None

Command Modes

ANQP OSU Provider Configuration (config-anqp-osu-provider)

Command History

Release Modification
Cisco IOS XE Gibraltar 16.12.1

This command was introduced.

Usage Guidelines

The icon must be configured under the hotspot ANQP server.

Examples

The following example shows how to configure an icon for the OSU provider:

Device(config-wireless-anqp-server)# osu-provider my-osu 
Device(config-anqp-osu-provider)# icon test  

idle-timeout

To configure the idle-timeout value in seconds for a wireless profile policy, use the idle-timeout command.

idle-timeout value

Syntax Description

value

Sets the idle-timeout value. Valid range is 15 to 100000 seconds.

Command Default

None

Command Modes

config-wireless-policy

Command History

Release Modification

Cisco IOS XE Gibraltar 16.10.1

This command was introduced in a release earlier than Cisco IOS XE Gibraltar 16.10.1.

Examples

The following example shows how to set the idle-timeout in a wireless profile policy:

Device# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Device(config)# wireless profile policy policy-profile-name
Device(config-wireless-policy)# idle-timeout 100

ids (mesh)

To configure IDS (Rogue/Signature Detection) reporting for outdoor mesh APs, use the ids command.

ids

Syntax Description

This command has no keywords or arguments.

Command Default

IDS is disabled.

Command Modes

config-wireless-mesh-profile

Command History

Release Modification
Cisco IOS XE Gibraltar 16.10.1

This command was introduced.

Examples

The following example shows how to configure IDS (Rogue/Signature Detection) reporting for outdoor mesh APs:

Device# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Device(config)# wireless profile mesh mesh-profile
Device(config-wireless-mesh-profile)# ids

inactive-timeout

To enable the inactive flow timer, use the inactive-timeout command.

inactive-timeout timeout-in-seconds

Syntax Description

timeout-in-seconds

Specifies the inactive flow timeout value. The range is from 1 to 604800.

Command Default

None

Command Modes

ET-Analytics configuration

Command History

Release Modification

Cisco IOS XE Gibraltar 16.10.1

This command was introduced.

Examples

This example shows how to enable the inactive flow timer in ET-Analytics configuration mode:

Device# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Device(config)# et-analytics
Device(config-et-analytics)# inactive-timeout 15
Device(config-et-analytics)# end

inner-auth-eap

To configure the inner authentication Extensible Authentication Protocol (EAP) method, use the inner-auth-eap command. To remove the inner authentication EAP method, use the no form of the command.

inner-auth-eap { eap-aka | eap-fast | eap-leap | eap-peap | eap-sim | eap-tls | eap-ttls}

Syntax Description

eap-aka

Enables the EAP Authentication and Key Agreement (EAP-AKA) method.

EAP-AKA is an EAP mechanism for authentication and session key distribution using the UMTS Subscriber Identity Module.

eap-fast

Enables EAP flexible authentication through the secure tunneling method.

EAP-FAST is a flexible EAP protocol that allows mutual authentication of a supplicant and a server. It is similar to EAP-PEAP, but typically does not require the use of client or server certificates.

eap-leap

Enables EAP lightweight extensible authentication protocol method.

EAP-LEAP is an EAP authentication protocol used primarily in Cisco Aironet WLANs. It encrypts data transmissions using dynamically generated wired equivalent privacy (WEP) keys, and supports mutual authentication.

eap-peap

Enables EAP-protected extensible authentication protocol method.

EAP-PEAP is an EAP authentication protocol used in wireless networks and point-to-point connections. PEAP is designed to provide more secure authentication for 802.11 WLANs that support 802.1X port access control.

eap-sim

Enables EAP subscriber identity module method.

EAP-SIM is an EAP authentication protocol used for authentication and session key distribution using the subscriber identity module (SIM) from the Global System for Mobile Communications (GSM).

eap-tls

Enables EAP transport layer security method.

EAP-TLS is an EAP authentication protocol, and an IETF open standard that uses the Transport Layer Security (TLS) protocol. EAP-TLS is the original, standard wireless LAN EAP authentication protocol.

eap-ttls

Enables EAP-tunneled transport layer security method.

EAP-TTLS is a widely deployed WPA2-Enterprise Wi-Fi authentication method that has been a standard for many years. When a user connects, the device initiates communication with the network and confirms that it is the correct network by validating the server certificate before sending credentials inside the tunnel.

Command Default

None

Command Modes

ANQP NAI EAP Authentication Configuration (config-anqp-nai-eap-auth)

Command History

Release Modification
Cisco IOS XE Amsterdam 17.3.1

This command was introduced in a release earlier than Cisco IOS XE Amsterdam 17.3.1.

Usage Guidelines

Prior to Cisco IOS XE Amsterdam 17.3.1, only one inner EAP authentication method was allowed, for example inner-auth-eap eap-aka. If you configured multiple inner EAP authentication methods, such as inner-auth-eap eap-aka followed by inner-auth-eap eap-fast, only the last method was used and the previous one was discarded. From Cisco IOS XE Amsterdam 17.3.1 onwards, you can configure multiple inner EAP authentication methods, as in the following configuration:

wireless hotspot anqp-server my_anqp
nai-realm myvenue.cisco.com
eap-method eap-aka
credential certificate
credential usim
inner-auth-eap eap-aka
inner-auth-eap eap-fast
inner-auth-non-eap chap
inner-auth-non-eap pap
tunneled-eap-credential anonymous
tunneled-eap-credential softoken

Examples

The following example shows how to configure the inner authentication EAP method:

Device# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Device(config)# wireless hotspot anqp-server my_anqp
Device(config-wireless-anqp-server)# nai-realm myvenue.cisco.com
Device(config-anqp-nai-eap)# eap-method eap-aka
Device(config-anqp-nai-eap-auth)# inner-auth-eap eap-aka

inner-auth-non-eap

To configure the inner authentication non-Extensible Authentication Protocol (EAP) method, use the inner-auth-non-eap command. To remove the inner authentication non-EAP method, use the no form of this command.

inner-auth-non-eap { chap | mschap | mschap-v2| pap}

Syntax Description

chap

Challenge handshake authentication protocol method.

CHAP is an authentication scheme used by Point-to-Point Protocol (PPP) servers to validate the identity of remote clients. CHAP periodically verifies the identity of a client by using a three-way handshake.

mschap

Microsoft challenge handshake authentication protocol method.

mschap-v2

Microsoft challenge handshake authentication protocol Version 2 method.

pap

Password authentication protocol method.

PAP is a password-based authentication protocol used by PPP to validate users.

Command Default

None

Command Modes

ANQP NAI EAP Authentication Configuration (config-anqp-nai-eap-auth)

Command History

Release Modification
Cisco IOS XE Amsterdam 17.3.1

This command was introduced.

Examples

The following example shows how to configure the inner authentication non-EAP method:

Device# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Device(config)# wireless hotspot anqp-server my_anqp
Device(config-wireless-anqp-server)# nai-realm myvenue.cisco.com
Device(config-anqp-nai-eap)# eap-method eap-aka
Device(config-anqp-nai-eap-auth)# inner-auth-non-eap pap

install abort

To cancel an ongoing predownload or rolling access point (AP) upgrade operation, use the install abort command.

install abort issu

Syntax Description

issu

Forces the operation to use the In-Service Software Upgrade (ISSU) technique.

Command Default

None

Command Modes

Privileged EXEC (#)

Command History

Release Modification
Cisco IOS XE Gibraltar 16.11.1

This command was introduced.

Usage Guidelines

The install abort command ensures that the APs with or without the predownload image do not reboot and continue to have the image in their partition.

Examples

The following example shows how to cancel a current predownload or install operation:

Device# install abort issu

install add file activate commit

To activate an installed SMU package and to commit the changes to the loadpath, use the install add file activate commit command.

install add file file-name activate commit [ prompt-level none]

Syntax Description

prompt-level

Sets the prompt level.

none

Prompting is not done.

Command Default

None

Command Modes

Privileged EXEC (#)

Command History

Release Modification
Cisco IOS XE Gibraltar 16.11.1

This command was introduced.

Examples

The following example shows how to activate an installed package and commit the changes:

Device# install add file vwlc_apsp_16.11.1.0_74.bin activate commit

install add file flash activate issu commit

To activate the installed package using the In-Service Software Upgrade (ISSU) technique and to commit the changes to the loadpath, use the install add file flash activate issu commit command.

install add file flash activate issu commit

Syntax Description

This command has no keywords or arguments.

Command Default

None

Command Modes

Privileged EXEC (#)

Command History

Release Modification
Cisco IOS XE Gibraltar 16.11.1

This command was introduced.

Examples

This example shows how to activate the installed package using the ISSU technique and commit the changes to the loadpath:

Device# install add file flash activate issu commit 

install add profile

To select the profile used to roll back the AP images with AP image predownload support, use the install add profile command.

install add profile profile-name [ activate]

Syntax Description

profile-name

Profile name. The profile name can have a maximum of 15 characters.

activate

Activates the installed package.

Command Default

None

Command Modes

Privileged EXEC (#)

Command History

Release Modification
Cisco IOS XE Gibraltar 16.12.1

This command was introduced.

Examples

The following example shows how to select the profile used to roll back the AP images:

Device# install add profile profile1

install activate

To activate an installed package, use the install activate command.

install activate { auto-abort-timer | file | profile| prompt-level}

Syntax Description

auto-abort-timer

Sets the cancel timer. The time range is between 30 and 1200 minutes.

file

Specifies the package to be activated.

profile

Specifies the profile to be activated.

prompt-level

Sets the prompt level.

Command Default

None

Command Modes

Privileged EXEC (#)

Command History

Release Modification
Cisco IOS XE Gibraltar 16.12.2s

This command was introduced.

Examples

The following example shows how to activate the installed package:

Device# install activate profile default
install_activate: START Thu Nov 24 20:14:53 UTC 2019

System configuration has been modified.
Press Yes(y) to save the configuration and proceed.
Press No(n) for proceeding without saving the configuration.
Press Quit(q) to exit, you may save configuration and re-enter the command. [y/n/q] y
Building configuration... 
[OK]Modified configuration has been saved 
Jan 24 20:15:02.745: %INSTALL-5-INSTALL_START_INFO: R0/0: install_engine: Started install activate
Jan 24 20:15:02.745 %INSTALL-5-INSTALL_START_INFO: R0/0: install_engine: Started install activate 
install_activate: Activating PACKAGE

install activate profile

To activate an installed package, use the install activate profile command.

install activate profile

Syntax Description

profile

Activates the specified profile.

Command Default

None

Command Modes

Privileged EXEC (#)

Command History

Release Modification
Cisco IOS XE Gibraltar 16.12.2s

This command was introduced.

Examples

The following example shows how to activate the installed package:

Device# install activate profile default
install_activate: START Thu Nov 24 20:14:53 UTC 2019

System configuration has been modified.
Press Yes(y) to save the configuration and proceed.
Press No(n) for proceeding without saving the configuration.
Press Quit(q) to exit, you may save configuration and re-enter the command. [y/n/q] y
Building configuration... 
[OK]Modified configuration has been saved 
Jan 24 20:15:02.745: %INSTALL-5-INSTALL_START_INFO: R0/0: install_engine: Started install activate
Jan 24 20:15:02.745 %INSTALL-5-INSTALL_START_INFO: R0/0: install_engine: Started install activate 
install_activate: Activating PACKAGE

install activate file

To activate an installed package, use the install activate file command.

install activate file file-name

Syntax Description

file-name

Specifies the package name. Options are: bootflash:, flash:, and webui:.

Command Default

None

Command Modes

Privileged EXEC (#)

Command History

Release Modification
Cisco IOS XE Gibraltar 16.11.1

This command was introduced.

Examples

The following example shows how to activate an install package from a file:

Device# install activate file vwlc_apsp_16.11.1.0_74.bin 

install commit

To commit the changes to the loadpath, use the install commit command.

install commit

Syntax Description

This command has no keywords or arguments.

Command Default

None

Command Modes

Privileged EXEC (#)

Command History

Release Modification
Cisco IOS XE Gibraltar 16.11.1

This command was introduced.

Examples

The following example shows how to commit the changes to the loadpath:

Device# install commit  

install remove profile default

To specify an install package that is to be removed, use the install remove profile default command.

install remove profile default

Syntax Description

remove

Removes the install package.

profile

Specifies the profile to be removed.

Command Default

None

Command Modes

Privileged EXEC (#)

Command History

Release Modification
Cisco IOS XE Gibraltar 16.11.1

This command was introduced.

Examples

The following example shows how to remove a default profile:

Device# install remove profile default

install deactivate

To specify an install package that is to be deactivated, use the install deactivate file command.

install deactivate file file-name

Syntax Description

file-name

Specifies the package name. Options are: bootflash:, flash:, and webui:.

Command Default

None

Command Modes

Privileged EXEC (#)

Command History

Release Modification
Cisco IOS XE Gibraltar 16.11.1

This command was introduced.

Examples

The following example shows how to deactivate an install package:

Device# install deactivate file vwlc_apsp_16.11.1.0_74.bin

install prepare

To prepare a SMU package for a cancel, activate, or deactivate operation, use the install prepare command.

install prepare { abort | activate file file-name | deactivate file file-name }

Syntax Description

abort

Prepares a SMU package for cancel operation.

activate file

Prepares a SMU package for activation.

file-name

Package name.

deactivate file

Prepares a SMU package for deactivation.

Command Default

None

Command Modes

Privileged EXEC (#)

Command History

Release Modification
Cisco IOS XE Gibraltar 16.11.1

This command was introduced.

Examples

The following example shows how to prepare a package for cancel, activate, or deactivate operation:

Device# install prepare abort
Device# install prepare activate file vwlc_apsp_16.11.1.0_74.bin 
Device# install prepare deactivate file vwlc_apsp_16.11.1.0_74.bin 

install prepare rollback

To prepare a SMU package for rollback operation, use the install prepare rollback command.

install prepare rollback to { base | committed | id id | label label }

Syntax Description

base

Prepares to roll back to the base image.

committed

Prepares to roll back to the last committed installation point.

id

Prepares to roll back to a specific install point ID.

id

The identifier of the install point to roll back to.

label

Prepares to roll back to a specific install point label.

label

Label name, with a maximum of 15 characters.

Command Default

None

Command Modes

Privileged EXEC (#)

Command History

Release Modification
Cisco IOS XE Gibraltar 16.11.1

This command was introduced.

Examples

This example shows how to prepare a package for rollback to a particular install point ID:

Device# install prepare rollback to id 2

install rollback

To roll back to a particular installation point, use the install rollback command.

install rollback to { base | committed | id id | label label} [ prompt-level none]

Syntax Description

base

Rolls back to the base image.

prompt-level none

Sets the prompt level as none.

committed

Rolls back to the last committed installation point.

id

Rolls back to a specific install point ID.

label

Rolls back to a specific install point label.

Command Default

None

Command Modes

Privileged EXEC (#)

Command History

Release Modification
Cisco IOS XE Gibraltar 16.11.1

This command was introduced.

Examples

The following example shows how to specify the ID of the install point to roll back to:

Device# install rollback to id 1 

interface vlan

To create or access a dynamic switch virtual interface (SVI) and to enter interface configuration mode, use the interface vlan command in global configuration mode. To delete an SVI, use the no form of this command.

interface vlan vlan-id

no interface vlan vlan-id

Syntax Description

vlan-id

VLAN number. The range is 1 to 4094.

Command Default

The default VLAN interface is VLAN 1.

Command Modes

Global configuration

Command History

Release Modification

Cisco IOS XE Gibraltar 16.10.1

This command was introduced.

Usage Guidelines

SVIs are created the first time you enter the interface vlan vlan-id command for a particular VLAN. The vlan-id corresponds to the VLAN-tag associated with data frames on an IEEE 802.1Q encapsulated trunk or the VLAN ID configured for an access port.


Note: When you create an SVI, it does not become active until it is associated with a physical port.


If you delete an SVI using the no interface vlan vlan-id command, it is no longer visible in the output from the show interfaces privileged EXEC command.


Note: You cannot delete the VLAN 1 interface.


You can reinstate a deleted SVI by entering the interface vlan vlan-id command for the deleted interface. The interface comes back up, but the previous configuration is gone.

The interrelationship between the number of SVIs configured on a chassis or a chassis stack and the number of other features being configured might have an impact on CPU utilization due to hardware limitations. You can use the sdm prefer global configuration command to reallocate system hardware resources based on templates and feature tables.

You can verify your setting by entering the show interfaces and show interfaces vlan vlan-id privileged EXEC commands.

Examples

This example shows how to create a new SVI with VLAN ID 23 and enter interface configuration mode:

Device(config)# interface vlan 23
Device(config-if)#

ip access-group

To configure a WLAN access control list (ACL) group, use the ip access-group command. To remove a WLAN ACL group, use the no form of the command.

ip access-group [web] acl-name

no ip access-group [web]

Syntax Description

web

(Optional) Configures the IPv4 web ACL.

acl-name

Specifies the preauthentication ACL used for a WLAN whose security type is webauth.

Command Default

None

Command Modes

WLAN configuration

Usage Guidelines

You must disable the WLAN before using this command. See the Related Commands section for more information on how to disable a WLAN.

Command History

Release Modification

Cisco IOS XE Gibraltar 16.10.1

This command was introduced.

Examples

This example shows how to configure a WLAN ACL:

Device# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Device(config)# wlan wlan1
Device(config-wlan)# ip access-group test-acl

This example shows how to configure an IPv4 WLAN web ACL:

Device# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Device(config)# wlan wlan1
Device(config-wlan)# ip access-group web test
Device(config-wlan)# 

ip access-list extended

To configure an extended access list, use the ip access-list extended command.

ip access-list extended {<100-199> | <2000-2699> | access-list-name}

Syntax Description

<100-199>

Extended IP access-list number.

<2000-2699>

Extended IP access-list number (expanded range).

access-list-name

Name of the extended IP access list.

Command Default

None

Command Modes

Global configuration (config)

Command History

Release Modification

Cisco IOS XE Gibraltar 16.10.1

This command was introduced in a release earlier than Cisco IOS XE Gibraltar 16.10.1.

Examples

The following example shows how to configure an extended access list:

Device# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Device(config)# ip access-list extended access-list-name

ip address

To set a primary or secondary IP address for an interface, use the ip address command in interface configuration mode. To remove an IP address or disable IP processing, use the no form of this command.

ip address ip-address mask [secondary [vrf vrf-name]]

no ip address ip-address mask [secondary [vrf vrf-name]]

Syntax Description

ip-address

IP address.

mask

Mask for the associated IP subnet.

secondary

(Optional) Specifies that the configured address is a secondary IP address. If this keyword is omitted, the configured address is the primary IP address.

Note

 

The vrf keyword can be specified only together with the secondary keyword.

vrf

(Optional) Name of the VRF table. The vrf-name argument specifies the VRF name of the ingress interface.

Command Default

No IP address is defined for the interface.

Command Modes

Interface configuration (config-if)

Command History

Release

Modification

Cisco IOS XE Gibraltar 16.10.1

This command was introduced.

Usage Guidelines

An interface can have one primary IP address and multiple secondary IP addresses. Packets generated by the Cisco IOS software always use the primary IP address. Therefore, all devices and access servers on a segment should share the same primary network number.

Hosts can determine subnet masks using the Internet Control Message Protocol (ICMP) mask request message. Devices respond to this request with an ICMP mask reply message.

You can disable IP processing on a particular interface by removing its IP address with the no ip address command. If the software detects another host using one of its IP addresses, it will print an error message on the console.

The optional secondary keyword allows you to specify an unlimited number of secondary addresses. Secondary addresses are treated like primary addresses, except the system never generates datagrams other than routing updates with secondary source addresses. IP broadcasts and Address Resolution Protocol (ARP) requests are handled properly, as are interface routes in the IP routing table.

Secondary IP addresses can be used in a variety of situations. The following are the most common applications:

  • There may not be enough host addresses for a particular network segment. For example, your subnetting allows up to 254 hosts per logical subnet, but on one physical subnet you need 300 host addresses. Using secondary IP addresses on the devices or access servers allows you to have two logical subnets using one physical subnet.

  • Many older networks were built using Level 2 bridges. The judicious use of secondary addresses can aid in the transition to a subnetted, device-based network. Devices on an older, bridged segment can be easily made aware that many subnets are on that segment.

  • Two subnets of a single network might otherwise be separated by another network. This situation is not permitted when subnets are in use. In these instances, the first network is extended, or layered on top of the second network, using secondary addresses.


Note


  • If any device on a network segment uses a secondary address, all other devices on that same segment must also use a secondary address from the same network or subnet. Inconsistent use of secondary addresses on a network segment can very quickly cause routing loops.

  • When you are routing using the Open Shortest Path First (OSPF) algorithm, ensure that all secondary addresses of an interface fall into the same OSPF area as the primary addresses.

  • If you configure a secondary IP address, you must disable sending ICMP redirect messages by entering the no ip redirects command, to avoid high CPU utilization.


Examples

In the following example, 192.108.1.27 is the primary address and 192.31.7.17 is the secondary address for GigabitEthernet interface 1/0/1:

Device# enable 
Device# configure terminal
Device(config)# interface GigabitEthernet 1/0/1
Device(config-if)# ip address 192.108.1.27 255.255.255.0
Device(config-if)# ip address 192.31.7.17 255.255.255.0 secondary
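The following added example (not from the original command reference) extends the example above with the two points from the notes that the short example leaves out: ICMP redirects are disabled on the interface that carries the secondary address, and both subnets are placed in the same OSPF area. The OSPF process number and area are assumed for illustration.

```cisco
! Added example, not from the original reference. OSPF process 1 and
! area 0 are assumed; the addresses are those of the example above.
Device# configure terminal
Device(config)# interface GigabitEthernet 1/0/1
Device(config-if)# ip address 192.108.1.27 255.255.255.0
Device(config-if)# ip address 192.31.7.17 255.255.255.0 secondary
! Required with a secondary address: stop the device from generating
! ICMP redirects for traffic between the two subnets on this interface.
Device(config-if)# no ip redirects
Device(config-if)# exit
! Both subnets of the interface must fall into the same OSPF area.
Device(config)# router ospf 1
Device(config-router)# network 192.108.1.0 0.0.0.255 area 0
Device(config-router)# network 192.31.7.0 0.0.0.255 area 0
Device(config-router)# end
! Confirm the addresses and that redirects are no longer sent.
Device# show ip interface GigabitEthernet 1/0/1 | include address|redirects
```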


ip arp-limit rate

To configure rate limiting for Address Resolution Protocol (ARP) packets, use the ip arp-limit rate command.

ip arp-limit rate { burst-interval burst-interval | none | pps pps }

Syntax Description

pps

The maximum number of ARP packets allowed per client per second. Packets received from a client above this limit are dropped. Valid values range from 15 to 1500; the default is 100 packets per second.

burst-interval

The interval, in seconds, for which a client is excluded (block-listed) after its ARP rate exceeds the configured pps value. Valid values range from 3 to 255; the default is 5 seconds.

none

Disables the ARP rate-limiting.

Command Default

Default values are configured.

Command Modes

Wireless Policy Profile Configuration (config-wireless-policy)

Command History

Release Modification
Cisco IOS XE Amsterdam 17.3.5

This command was introduced.

Usage Guidelines

This command is only available in the following releases: Cisco IOS XE Amsterdam 17.3.5 and later, Cisco IOS XE Bengaluru 17.6.3 and later, and Cisco IOS XE Cupertino 17.8.1 and above.

For RLAN, the default values are used. You cannot change the values using this command.

Examples

The following example shows how to configure rate limiting for ARP packets:

Device# configure terminal
Device(config)# wireless profile policy test1
Device(config-wireless-policy)# ip arp-limit rate pps 90

ip admission

To enable web authentication, use the ip admission command in interface configuration mode. You can also use this command in fallback-profile configuration mode. To disable web authentication, use the no form of this command.

ip admission rule

no ip admission rule

Syntax Description

rule

IP admission rule name.

Command Default

Web authentication is disabled.

Command Modes

Interface configuration

Fallback-profile configuration

Command History

Release

Modification

Cisco IOS XE Gibraltar 16.10.1

This command was introduced.

Usage Guidelines

The ip admission command applies a web authentication rule to a switch port.

Examples

This example shows how to apply a web authentication rule to a switchport:


Device# configure terminal
Device(config)# interface gigabitethernet1/0/1
Device(config-if)# ip admission rule1

This example shows how to apply a web authentication rule to a fallback profile for use on an IEEE 802.1x enabled switch port.


Device# configure terminal
Device(config)# fallback profile profile1
Device(config-fallback-profile)# ip admission rule1

ip dhcp pool

To configure a Dynamic Host Configuration Protocol (DHCP) address pool on a DHCP server and enter DHCP pool configuration mode, use the ip dhcp pool command in global configuration mode. To remove the address pool, use the no form of this command.

ip dhcp pool name

no ip dhcp pool name


Note


When configuring the ip dhcp pool command, note that it can be affected by the ip dhcp database command if an incorrect URL is provided. The console may hang due to multiple attempts by the DHCP service to reach the URL before it returns a failure. This is expected behavior. To prevent this issue, ensure that the correct URL, including the file name, is provided when using the ip dhcp database command, especially when it includes ftp/tftp.


Syntax Description

name

Name of the pool. Can either be a symbolic string (such as engineering) or an integer (such as 0).

Command Default

DHCP address pools are not configured.

Command Modes

Global configuration

Command History

Release

Modification

12.0(1)T

This command was introduced.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.

Usage Guidelines

During execution of this command, the configuration mode changes to DHCP pool configuration mode, which is identified by the (dhcp-config)# prompt. In this mode, the administrator can configure pool parameters such as the IP subnet number and the default router list.

Examples

The following example configures pool1 as the DHCP address pool:


ip dhcp pool pool1
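The following added example (not from the original command reference) carries the pool configuration through the parameters the usage guidelines mention: excluded addresses, subnet, default router, DNS server and lease time. The pool name pool1 is taken from the example above; the addresses, domain name and lease time are assumed for illustration.

```cisco
! Added example, not from the original reference. The 10.20.0.0/24
! subnet, server addresses, domain name and lease are assumed values.
Device# configure terminal
! Exclude the gateway and statically addressed hosts before the pool
! starts handing out leases; excluded-address is a global command.
Device(config)# ip dhcp excluded-address 10.20.0.1 10.20.0.20
Device(config)# ip dhcp pool pool1
Device(dhcp-config)# network 10.20.0.0 255.255.255.0
Device(dhcp-config)# default-router 10.20.0.1
Device(dhcp-config)# dns-server 10.20.0.2
Device(dhcp-config)# domain-name example.com
! lease days hours: 0 days 8 hours
Device(dhcp-config)# lease 0 8
Device(dhcp-config)# end
! Verify the pool definition and the leases it has issued.
Device# show ip dhcp pool pool1
Device# show ip dhcp binding
```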

ip dhcp-relay information option server-override

To enable the system to globally insert the server ID override and link selection suboptions into the DHCP relay agent information option in forwarded BOOTREQUEST messages to a Dynamic Host Configuration Protocol (DHCP) server, use the ip dhcp-relay information option server-override command in global configuration mode. To disable inserting the server ID override and link selection suboptions into the DHCP relay agent information option, use the no form of this command.

ip dhcp-relay information option server-override

no ip dhcp-relay information option server-override

Syntax Description

This command has no arguments or keywords.

Command Default

The server ID override and link selection suboptions are not inserted into the DHCP relay agent information option.

Command Modes

Global configuration (config)

Command History

Release

Modification

Cisco IOS XE Release 2.1

This command was introduced on Cisco ASR 1000 Series Aggregation Services Routers.

12.2(33)SRE

This command was integrated into Cisco IOS Release 12.2(33)SRE.

15.1(1)SY

This command was integrated into Cisco IOS Release 15.1(1)SY.

Cisco IOS XE Gibraltar 16.10.1

This command was introduced in a release earlier than Cisco IOS XE Gibraltar 16.10.1.

Usage Guidelines

The ip dhcp-relay information option server-override command adds the following suboptions into the relay agent information option when DHCP broadcasts are forwarded by the relay agent from clients to a DHCP server:

  • Server ID override suboption

  • Link selection suboption

When this command is configured, the gateway address (giaddr) will be set to the IP address of the outgoing interface, which is the interface that is reachable by the DHCP server.

If the ip dhcp relay information option server-id-override command is configured on an interface, it overrides the global configuration on that interface only.

Examples

In the following example, the DHCP relay will insert the server ID override and link selection suboptions into the relay information option of the DHCP packet. The loopback interface IP address is configured to be the source IP address for the relayed messages.


Device(config)# ip dhcp-relay information option server-override
Device(config)# ip dhcp-relay source-interface loopback 0
Device(config)# interface Loopback 0
Device(config-if)# ip address 10.2.2.1 255.255.255.0

ip dhcp-relay source-interface

To globally configure the source interface for the relay agent to use as the source IP address for relayed messages, use the ip dhcp-relay source-interface command in global configuration mode. To remove the source interface configuration, use the no form of this command.

ip dhcp-relay source-interface type number

no ip dhcp-relay source-interface type number

Syntax Description

type

Interface type. For more information, use the question mark (?) online help function.

number

Interface or subinterface number. For more information about the numbering system for your networking device, use the question mark (?) online help function.

Command Default

The source interface is not configured.

Command Modes

Global configuration (config)

Command History

Release

Modification

Cisco IOS XE Release 2.1

This command was introduced on Cisco ASR 1000 Series Aggregation Services Routers.

12.2(33)SRE

This command was integrated into Cisco IOS Release 12.2(33)SRE.

15.1(1)SY

This command was integrated into Cisco IOS Release 15.1(1)SY.

Usage Guidelines

The ip dhcp-relay source-interface command allows the network administrator to specify a stable, hardware-independent IP address (such as a loopback interface) for the relay agent to use as a source IP address for relayed messages.

If the ip dhcp-relay source-interface global configuration command is configured and the ip dhcp relay source-interface command is also configured, the ip dhcp relay source-interface command takes precedence over the global configuration command. However, the global configuration is applied to interfaces without the interface configuration.

Examples

In the following example, the loopback interface IP address is configured to be the source IP address for the relayed messages:


Device(config)# ip dhcp-relay source-interface loopback 0
Device(config)# interface loopback 0
Device(config-if)# ip address 10.2.2.1 255.255.255.0

ip dhcp compatibility suboption

To configure the server override and link-selection suboption to an RFC or Cisco specific value, use the ip dhcp compatibility suboption [server-override | link-selection] command.

ip dhcp compatibility suboption server-override [cisco | standard]

ip dhcp compatibility suboption link-selection [cisco | standard]

Syntax Description

server-override

Configures the server override suboption to an RFC or Cisco specific value.

link-selection

Configures the link-selection suboption to an RFC or Cisco specific value.

Command Default

None

Command Modes

Global Configuration

Command History

Release Modification
Cisco IOS XE Bengaluru 17.4.1

This command was introduced.

Usage Guidelines

Examples

This example shows how to set the server-override and link-selection suboptions of the DHCP relay agent information option (option 82) to the Cisco-specific values:


Device# configure terminal
Device(config)# ip dhcp compatibility suboption server-override cisco
Device(config)# ip dhcp compatibility suboption link-selection cisco
Device(config)# end

ip domain lookup

To enable IP Domain Name System (DNS)-based hostname-to-address translation, use the ip domain lookup command in global configuration mode. To disable DNS-based hostname-to-address translation, use the no form of this command.

ip domain lookup [ nsap | recursive | source-interface interface-type-number | vrf vrf-name { source-interface interface-type-number } ]

Syntax Description

nsap

(Optional) Enables IP DNS queries for Connectionless Network Service (CLNS) and Network Service Access Point (NSAP) addresses.

recursive

(Optional) Enables IP DNS recursive lookup.

source-interface interface-type-number

(Optional) Specifies the source interface for the DNS resolver. Enter an interface type and number.

vrf vrf-name

(Optional) Defines a Virtual Routing and Forwarding (VRF) table. For vrf-name, enter a name for the VRF table.

Command Default

IP DNS-based hostname-to-address translation is enabled.

Command Modes

Global configuration (config)

Command History

Release Modification
Cisco IOS XE Fuji 16.9.2

This command was introduced.

Cisco IOS XE Dublin

17.12.1

An issue relating to the configuration of the ip domain lookup source-interface interface-type-number command on Layer 3 physical interfaces was resolved.

Starting from this release, even if configured on a Layer 3 physical interface, the command is retained across reloads and in case the port mode is changed.

Usage Guidelines

If this command is enabled on a device and you execute the show tcp brief command, the output may be displayed very slowly.

When both IP and ISO CLNS are enabled on a device, the ip domain lookup nsap command allows you to discover a CLNS address without having to specify a full CLNS address, given a hostname.

This command is useful for the ping (ISO CLNS) command, and for CLNS Telnet connections.

If you configure the ip domain lookup source-interface interface-type-number command on a Layer 3 physical interface, note the following: if the port mode is changed or the device reloads, the command is removed from the running configuration (check the output of the show running-config privileged EXEC command when this happens). Once the command is removed, DNS queries that were to use the specified source interface are dropped. The only workaround is to reconfigure the command. Starting with Cisco IOS XE Dublin 17.12.1, this issue is resolved.

Examples

The following example shows how to configure IP DNS-based hostname-to-address translation:

Device# configure terminal
Device(config)# ip domain lookup
Device(config)# end

The following example shows how to configure a source interface for the DNS domain lookup:

Device# configure terminal
Device(config)# ip domain lookup source-interface gigabitethernet1/0/2
Device(config)# end

ip domain-name

To configure the host domain on the device, use the ip domain-name command.

ip domain-name domain-name [vrf vrf-name]

Syntax Description

domain-name

Default domain name.

vrf-name

Specifies the virtual routing and forwarding (VRF) to use to resolve the domain name.

Command Default

None

Command Modes

Global configuration (config)

Command History

Release Modification

Cisco IOS XE Gibraltar 16.10.1

This command was introduced in a release earlier than Cisco IOS XE Gibraltar 16.10.1.

Examples

The following example shows how to configure a host domain in a device:

Device# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Device(config)# ip domain-name domain-name

ip flow-export destination

To configure ETA flow export destination, use the ip flow-export destination command.

ip flow-export destination ip_address port_number

Syntax Description

ip_address

IPv4 address of the flow collector that receives the exported records.

port_number

UDP port number on the collector. The range is from 1 to 65535.

Command Default

None

Command Modes

ET-Analytics configuration

Command History

Release Modification

Cisco IOS XE Gibraltar 16.10.1

This command was introduced.

Examples

This example shows how to configure ETA flow export destination in the ET-Analytics configuration mode:

Device# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Device(config)# et-analytics
Device(config-et-analytics)# ip flow-export destination 120.0.0.1 2055
Device(config-et-analytics)# end

ip helper-address

To enable forwarding of User Datagram Protocol (UDP) broadcasts, including Bootstrap Protocol (BOOTP), received on an interface, use the ip helper-address command in interface configuration mode. To disable forwarding of broadcast packets to specific addresses, use the no form of this command.

ip helper-address [vrf name | global] address [redundancy vrg-name]

no ip helper-address [vrf name | global] address [redundancy vrg-name]

Syntax Description

vrf name

(Optional) Enables the VPN routing and forwarding (VRF) instance and the VRF name.

global

(Optional) Configures a global routing table.

address

Destination broadcast or host address to be used when forwarding UDP broadcasts. There can be more than one helper address per interface.

redundancy vrg-name

(Optional) Defines the Virtual Router Group (VRG) name.

Command Default

UDP broadcasts are not forwarded.

Command Modes

Interface configuration (config-if)

Command History

Release

Modification

10.0

This command was introduced.

12.2(4)B

This command was modified. The vrf name keyword and argument pair and the global keyword were added.

12.2(15)T

This command was modified. The redundancy vrg-name keyword and argument pair was added.

12.2(28)SB

This command was integrated into Cisco IOS Release 12.2(28)SB.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.

Usage Guidelines

The ip forward-protocol command along with the ip helper-address command allows you to control broadcast packets and protocols that are forwarded.

One common application that requires helper addresses is DHCP, defined in RFC 2131 (which obsoletes RFC 1531). To enable BOOTP or DHCP broadcast forwarding for a set of clients, configure a helper address on the router interface connected to the clients. The helper address must specify the address of the BOOTP or DHCP server. If you have multiple servers, configure one helper address for each server.

The following conditions must be met for a UDP or IP packet to be able to use the ip helper-address command:

  • The MAC address of the received frame must be all-ones broadcast address (ffff.ffff.ffff).

  • The IP destination address must be one of the following: all-ones broadcast (255.255.255.255), subnet broadcast for the receiving interface, or major-net broadcast for the receiving interface if the no ip classless command is also configured.

  • The IP time-to-live (TTL) value must be at least 2.

  • The IP protocol must be UDP (17).

  • The UDP destination port must be one of the ports forwarded by default (TFTP, Domain Name System (DNS), Time, NetBIOS, ND, BOOTP or DHCP) or a UDP port specified by the ip forward-protocol udp command in global configuration mode.

If the DHCP server resides in a VPN or global space that is different from the interface VPN, then the vrf name or the global option allows you to specify the name of the VRF or global space in which the DHCP server resides.

The ip helper-address vrf name address option uses the address associated with the VRF name regardless of the VRF of the incoming interface. If the ip helper-address vrf name address command is configured and later the VRF is deleted from the configuration, then all IP helper addresses associated with that VRF name will be removed from the interface configuration.

If the ip helper-address address command is already configured on an interface with no VRF name configured, and later the interface is configured with the ip helper-address vrf name address command, then the previously configured ip helper-address address command is considered to be global.


Note


The ip helper-address command does not work on an X.25 interface on a destination router because the router cannot determine if the packet was intended as a physical broadcast.


The service dhcp command must be configured on the router to enable IP helper statements to work with DHCP. If the command is not configured, the DHCP packets will not be relayed through the IP helper statements. The service dhcp command is configured by default.

Examples

The following example shows how to define an address that acts as a helper address:


Router(config)# interface ethernet 1
Router(config-if)# ip helper-address 10.24.43.2

The following example shows how to define an address that acts as a helper address and is associated with a VRF named host1:


Router(config)# interface ethernet 1/0
Router(config-if)# ip helper-address vrf host1 10.25.44.2

The following example shows how to define an address that acts as a helper address and is associated with a VRG named group1:


Router(config)# interface ethernet 1/0
Router(config-if)# ip helper-address 10.25.45.2 redundancy group1
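The following added example (not from the original command reference) shows a helper-address configuration as it is usually deployed on an access VLAN, together with the caveat the usage guidelines imply: ip helper-address forwards the whole default UDP port list, not just BOOTP/DHCP, so the ports the relay does not need are switched off with no ip forward-protocol udp. The VLAN, interface address and server addresses are assumed for illustration.

```cisco
! Added example, not from the original reference. VLAN 23 and the
! 10.23.0.0/24 and 10.100.0.x addresses are assumed values.
Device# configure terminal
! Relay client broadcasts from the access VLAN to two DHCP servers;
! one helper address is configured per server.
Device(config)# interface vlan 23
Device(config-if)# ip address 10.23.0.1 255.255.255.0
Device(config-if)# ip helper-address 10.100.0.10
Device(config-if)# ip helper-address 10.100.0.11
Device(config-if)# exit
! By default the helper also forwards TFTP, DNS, Time, NetBIOS and TACACS
! broadcasts to those servers. Turn off what the relay does not need so a
! client cannot use it to reach those services on the DHCP servers.
Device(config)# no ip forward-protocol udp tftp
Device(config)# no ip forward-protocol udp domain
Device(config)# no ip forward-protocol udp time
Device(config)# no ip forward-protocol udp netbios-ns
Device(config)# no ip forward-protocol udp netbios-dgm
Device(config)# no ip forward-protocol udp tacacs
! DHCP relay works only while the DHCP service is enabled (the default).
Device(config)# service dhcp
Device(config)# end
! Confirm the helper addresses took effect on the interface.
Device# show ip interface vlan 23 | include Helper
```

BOOTP/DHCP (ports 67 and 68) are left in the forwarded list, which is all the relay function needs; if a site really relies on the relay for DNS or TFTP broadcasts, re-enable only that port with ip forward-protocol udp.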

ip http authentication

To specify a particular authentication method for HTTP server users, use the ip http authentication command in global configuration mode. To disable a configured authentication method, use the no form of this command.

ip http authentication { aaa { command-authorization level list-name | exec-authorization list-name | login-authentication list-name } | enable | local }

no ip http authentication { aaa { command-authorization level list-name | exec-authorization list-name | login-authentication list-name } | enable | local }

Syntax Description

aaa

Indicates that the authentication method used for the authentication, authorization, and accounting (AAA) login service should be used for authentication. The AAA login authentication method is specified by the aaa authentication login default command, unless otherwise specified by the login-authentication listname keyword and argument.

command-authorization

Sets the authorization method list for commands at the specified privilege level.

level

Privilege level, from 0 through 15. By default, the router has the following three command privilege levels:

  • 0: Includes the disable, enable, exit, help, and logout commands.

  • 1: Includes all user-level commands at the user EXEC prompt (>).

  • 15: Includes all enable-level commands at the privileged EXEC prompt (#).

list-name

Sets the name of the method list.

exec-authorization

Sets the method list for EXEC authorization, which applies authorization for starting an EXEC session.

login-authentication

Sets the method list for login authentication, which enables AAA authentication for logins.

enable

Indicates that the “enable” password should be used for authentication. (This is the default method.)

local

Indicates that the login user name, password and privilege level combination specified in the local system configuration (by the username global configuration command) should be used for authentication and authorization.

Command Default

None

Command Modes

Global Configuration (config)

Command History

Release Modification
Cisco IOS XE Gibraltar 16.10.1

This command was introduced in a release earlier than Cisco IOS XE Gibraltar 16.10.1.

Usage Guidelines

The ip http authentication command specifies the authentication method to be used for login when a client connects to the HTTP server. Use of the aaa option is recommended. The enable, local, and tacacs methods should be specified using the aaa authentication login command.

The “enable” password method is the default HTTP server authentication method. If the enable password is used as the HTTP server login authentication method, the client connects to the HTTP server with a default privilege level of 15, so a single shared secret gives every web user full administrative access. This is the main reason to prefer the aaa option with per-user credentials.

Examples

The following example shows how to specify that AAA should be used for authentication of HTTP server users. The AAA login method list LOCALDB is configured to use the local username database, the same list name is defined for EXEC authorization, and both lists are then applied to HTTP sessions:

Device(config)# aaa authentication login LOCALDB local
Device(config)# aaa authorization exec LOCALDB local
Device(config)# ip http authentication aaa login-authentication LOCALDB
Device(config)# ip http authentication aaa exec-authorization LOCALDB

ip http auth-retry

To configure the maximum number of authentication retry attempts within a specific time-window, use the ip http auth-retry command.

ip http auth-retry retry_number time-window time-in-minutes

Syntax Description

retry_number

Specifies the maximum number of authentication retry attempts.

time-window

Retry time window in minutes.

time-in-minutes

The time window period in minutes during which the maximum number of authentication retries specified can be attempted.

Command Default

None

Command Modes

Global configuration (config)

Command History

Release Modification
Cisco IOS XE Gibraltar 16.10.1

This command was introduced in a release earlier than Cisco IOS XE Gibraltar 16.10.1.

Examples

The following example shows how to configure the maximum number of authentication retry attempts as 5 in a time-window of 2 minutes:

Device(config)# ip http auth-retry 5 time-window 2
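The following added example (not from the original command reference) combines ip http authentication with ip http auth-retry into a hardened management-plane configuration: local credentials are consumed through AAA method lists rather than the shared enable password, plaintext HTTP is turned off in favor of HTTPS, and failed logins are rate-limited. The list name LOCALDB, the user name webadmin and the placeholder password are assumed for illustration.

```cisco
! Added example, not from the original reference. LOCALDB, webadmin and
! the password are placeholders; replace the password before use.
Device# configure terminal
Device(config)# aaa new-model
Device(config)# username webadmin privilege 15 secret ReplaceThisPassword
Device(config)# aaa authentication login LOCALDB local
Device(config)# aaa authorization exec LOCALDB local
! Authenticate and authorize web sessions through AAA; the default
! enable-password method would grant every web user privilege 15.
Device(config)# ip http authentication aaa login-authentication LOCALDB
Device(config)# ip http authentication aaa exec-authorization LOCALDB
! Serve management only over HTTPS.
Device(config)# no ip http server
Device(config)# ip http secure-server
! Lock out further attempts after five failures within two minutes.
Device(config)# ip http auth-retry 5 time-window 2
Device(config)# end
! Check which servers are running and which authentication method applies.
Device# show ip http server status
```

On a wireless controller that also redirects clients for web authentication, check that the web authentication configuration does not depend on the plaintext HTTP server before disabling it; ip http active-session-modules (described below) is the tool for narrowing which HTTP applications remain reachable while the server itself stays up.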

ip http active-session-modules

To selectively enable HTTP applications that will service incoming HTTP requests from remote clients, use the ip http active-session-modules command. Use the no form of this command to return to the default, for which all HTTP services will be enabled.

ip http active-session-modules { list-name | all | none }

no ip http active-session-modules { list-name | all | none }

Syntax Description

list-name

Enables only those HTTP services configured in the list identified by the ip http session-module-list command to serve HTTP requests. All other HTTP or HTTPS applications on the controller will be disabled.

all

Enables all HTTP applications to service incoming HTTP requests from remote clients.

none

Disables all HTTP services.

Command Default

All HTTP services are enabled.

Command Modes

Global configuration (config)

Command History

Release Modification
Cisco IOS XE Gibraltar 16.10.1

This command was introduced in a release earlier than Cisco IOS XE Gibraltar 16.10.1.

Usage Guidelines

Use the ip http active-session-modules command to selectively enable HTTP applications, for servicing incoming HTTP requests from remote clients. With this command, a selected list of applications can be enabled. All the applications can be enabled or none of the applications can be enabled, in other words, all disabled. Use the ip http session-module-list command to define a list of HTTP or secure HTTP (HTTPS) application names to be enabled. If an HTTP request is made for a service that is disabled, a 404 error message is displayed in the remote client browser.

Examples

The following example shows how to configure a different set of services to be available for HTTP and HTTPS requests. In this example, all HTTP applications are enabled for providing services to remote clients, but for HTTPS services, only the HTTPS applications defined in list1 (Simple Certificate Enrollment Protocol [SCEP] and HOME_PAGE) are enabled:

Device(config)# ip http session-module-list list1 SCEP,HOME_PAGE
Device(config)# ip http active-session-modules all
Device(config)# ip http server
Device(config)# ip http secure-server
Device(config)# ip http secure-active-session-modules list1

ip http client secure-ciphersuite

To specify the CipherSuite that should be used for encryption over the secure HTTP connection from the client to a remote server, use the ip http client secure-ciphersuite command in global configuration mode. To remove a previously configured CipherSuite specification for the client, use the no form of this command.

ip http client secure-ciphersuite [3des-ede-cbc-sha] [rc4-128-sha] [rc4-128-md5] [des-cbc-sha]

no ip http client secure-ciphersuite

Syntax Description

3des-ede-cbc-sha

SSL_RSA_WITH_3DES_EDE_CBC_SHA--Rivest, Shamir, and Adleman (RSA) key exchange with 3DES and DES-EDE3-CBC for message encryption and Secure Hash Algorithm (SHA) for message digest.

rc4-128-sha

SSL_RSA_WITH_RC4_128_SHA--RSA key exchange (RSA Public Key Cryptography) with RC4 128-bit encryption for message encryption and SHA for message digest.

rc4-128-md5

SSL_RSA_WITH_RC4_128_MD5--RSA key exchange (RSA Public Key Cryptography) with RC4 128-bit encryption for message encryption and Message Digest 5 (MD5) for message digest.

des-cbc-sha

SSL_RSA_WITH_DES_CBC_SHA--RSA key exchange with DES-CBC for message encryption and SHA for message digest.

Command Default

The client and server negotiate the best CipherSuite that they both support from the list of available CipherSuites.

Command Modes


Global configuration

Command History

Release

Modification

Cisco IOS XE Gibraltar 16.10.1

This command was introduced in a release earlier than Cisco IOS XE Gibraltar 16.10.1.

Usage Guidelines

This command allows you to restrict the list of CipherSuites (encryption algorithms) that the client offers when connecting to a secure HTTP server. For example, you may want to allow only the most secure CipherSuites to be used.

Unless you have a reason to specify the CipherSuites that should be used, or you are unfamiliar with the details of these CipherSuites, you should leave this command unconfigured and let the server and client negotiate the CipherSuite that they both support (this is the default). The no form of this command returns the list of available CipherSuites to the default (that is, all CipherSuites supported on your device are available for negotiation). Note that every keyword listed above selects RSA key exchange with RC4, DES or 3DES and an MD5 or SHA-1 MAC, all of which are legacy algorithms; restricting the client to these can only remove stronger suites from the negotiation. If the image offers additional suites (check the ? help for this command), prefer those.

Examples

The following example shows how to configure the HTTPS client to use only the SSL_RSA_WITH_3DES_EDE_CBC_SHA CipherSuite:


Router(config)# ip http client secure-ciphersuite 3des-ede-cbc-sha

ip http secure-ciphersuite

To specify the CipherSuites that should be used by the secure HTTP server when negotiating a connection with a remote client, use the ip http secure-ciphersuite command in global configuration mode. To return the configuration to the default set of CipherSuites, use the no form of this command.

ip http secure-ciphersuite [3des-ede-cbc-sha] [rc4-128-sha] [rc4-128-md5] [des-cbc-sha]

no ip http secure-ciphersuite

Syntax Description

3des-ede-cbc-sha

SSL_RSA_WITH_3DES_EDE_CBC_SHA--Rivest, Shamir, and Adleman (RSA) key exchange with 3DES and DES-EDE3-CBC for message encryption and Secure Hash Algorithm (SHA) for message digest.

rc4-128-sha

SSL_RSA_WITH_RC4_128_SHA --RSA key exchange (RSA Public Key Cryptography) with RC4 128-bit encryption for message encryption and SHA for message digest.

rc4-128-md5

SSL_RSA_WITH_RC4_128_MD5 --RSA key exchange (RSA Public Key Cryptography) with RC4 128-bit encryption for message encryption and Message Digest 5 (MD5) for message digest.

des-cbc-sha

SSL_RSA_WITH_DES_CBC_SHA--RSA key exchange with DES-CBC for message encryption and SHA for message digest.

Command Default

The HTTPS server negotiates the best CipherSuite using the list received from the connecting client.

Command Modes


Global configuration

Command History

Release

Modification

Cisco IOS XE Gibraltar 16.10.1

This command was introduced in a release earlier than Cisco IOS XE

Usage Guidelines

This command is used to restrict the list of CipherSuites (encryption algorithms) that should be used for encryption over the HTTPS connection. For example, you may want to allow only the most secure CipherSuites to be used.

Unless you have a reason to specify the CipherSuites that should be used, or you are unfamiliar with the details of these CipherSuites, you should leave this command unconfigured and let the server and client negotiate the CipherSuite that they both support (this is the default).

The supported CipherSuites vary by Cisco IOS software image. For example, “IP Sec56” (“k8”) images support only the SSL_RSA_WITH_DES_CBC_SHA CipherSuite in Cisco IOS Release 12.2(15)T.

In terms of router processing load (speed), the following list ranks the CipherSuites from fastest to slowest (slightly more processing time is required for the more secure and more complex CipherSuites):

  1. SSL_RSA_WITH_DES_CBC_SHA

  2. SSL_RSA_WITH_RC4_128_MD5

  3. SSL_RSA_WITH_RC4_128_SHA

  4. SSL_RSA_WITH_3DES_EDE_CBC_SHA

Additional information about these CipherSuites can be found online from sources that document the Secure Sockets Layer (SSL) 3.0 protocol.

Examples

The following example shows how to restrict the CipherSuites offered to a connecting secure web client:


Router(config)# ip http secure-ciphersuite rc4-128-sha rc4-128-md5
 

ip http secure-server

To enable a secure HTTP (HTTPS) server, enter the ip http secure-server command in global configuration mode. To disable the HTTPS server, use the no form of this command.

ip http secure-server

no ip http secure-server

Syntax Description

This command has no arguments or keywords.

Command Default

The HTTPS server is disabled.

Command Modes

Global configuration (config)

Command History

Release

Modification

Cisco IOS XE Gibraltar 16.10.1

This command was introduced.

Usage Guidelines

The HTTPS server uses the Secure Sockets Layer (SSL) version 3.0 protocol.


Caution


When enabling an HTTPS server, you should always disable the standard HTTP server to prevent unsecured connections to the same services. Disable the standard HTTP server using the no ip http server command in global configuration mode (this step is precautionary; typically, the HTTP server is disabled by default).

If a certificate authority (CA) is used for certification, you should declare the CA trustpoint on the routing device before enabling the HTTPS server.

To close HTTP/TCP port 8090, you must disable both the HTTP and HTTPS servers. Enter the no ip http server and the no ip http secure-server commands, respectively.

Examples

In the following example the HTTPS server is enabled, and the (previously configured) CA trustpoint CA-trust-local is specified:


Device#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Device(config)#ip http secure-server
Device(config)#ip http secure-trustpoint CA-trust-local
Device(config)#end

Device#show ip http server secure status
HTTP secure server status: Enabled
HTTP secure server port: 443
HTTP secure server ciphersuite: 3des-ede-cbc-sha des-cbc-sha rc4-128-md5 rc4-128-sha
HTTP secure server client authentication: Disabled
HTTP secure server trustpoint: CA-trust-local

ip http server

To enable the HTTP server on your IP or IPv6 system, including the Cisco web browser user interface, enter the ip http server command in global configuration mode. To disable the HTTP server, use the no form of this command.

ip http server

no ip http server

Syntax Description

This command has no arguments or keywords.

Command Default

The HTTP server uses the standard port 80 by default.

HTTP/TCP port 8090 is open by default.

Command Modes

Global configuration (config)

Command History

Release

Modification

Cisco IOS XE Gibraltar 16.10.1

This command was introduced.

Usage Guidelines

The command enables both IPv4 and IPv6 access to the HTTP server. However, an access list configured with the ip http access-class command is applied only to IPv4 traffic. IPv6 traffic filtering is not supported.


Caution


The standard HTTP server and the secure HTTP (HTTPS) server can run on a system at the same time. If you enable the HTTPS server using the ip http secure-server command, disable the standard HTTP server using the no ip http server command to ensure that secure data cannot be accessed through the standard HTTP connection.

To close HTTP/TCP port 8090, you must disable both the HTTP and HTTPS servers. Enter the no ip http server and the no ip http secure-server commands, respectively.

Examples

The following example shows how to enable the HTTP server on both IPv4 and IPv6 systems.

After enabling the HTTP server, you can set the base path by specifying the location of the HTML files to be served. HTML files used by the HTTP web server typically reside in system flash memory. Remote URLs can be specified using this command, but use of remote path names (for example, where HTML files are located on a remote TFTP server) is not recommended.


Device(config)#ip http server
Device(config)#ip http path flash:

ip http session-module-list

To define a list of HTTP or secure HTTP application names, use the ip http session-module-list command in global configuration mode. To remove the defined list, use the no form of this command.

ip http session-module-list listname prefix1 [ prefix2,...prefixn ]

no ip http session-module-list listname prefix1 [ prefix2,...prefixn ]

Syntax Description

listname

Name of the list.

prefix1

Associated HTTP or HTTPS application names. Prefix strings represent the names of applications, for example, SCEP, WEB_EXEC or HOME_PAGE.

prefix2,...prefixn

(Optional) Additional associated HTTP or HTTPS application names. Each application is separated by a comma.

Command Default

No list of HTTP or HTTPS application names is defined.

Command Modes

Global configuration (config)

Command History

Release Modification
Cisco IOS XE Gibraltar 16.10.1

This command was introduced in a release earlier than Cisco IOS XE Gibraltar 16.10.1.

Usage Guidelines

Use this command to define a list of HTTP or HTTPS application names. The defined list can then be used by the ip http active-session-modules or ip http secure-active-session-modules commands to selectively enable HTTP or HTTPS applications, respectively, for servicing incoming HTTP and HTTPS requests from remote clients.

When defining a list of HTTP or HTTPS application names, use the following guidelines:

  • A maximum of four lists can be defined on a controller. Attempts to define more than four lists will fail and an error message will be displayed stating the limit restrictions.

  • An existing list can be removed using the no ip http session-module-list command.

  • You cannot reconfigure an existing list. Instead of reconfiguring an existing list, remove the existing list and create a new list with the same name.

  • There is no limit to how many application names can be in the list. However, the maximum number of sessions that can be registered with the Cisco IOS HTTP or HTTPS server is 32.

Examples

The following example shows how to configure a different set of services to be available for HTTP and HTTPS requests. In this example, all HTTP applications are enabled for providing services to remote clients, but for HTTPS services, only the HTTPS applications defined in list1 (Simple Certificate Enrollment Protocol [SCEP] and HOME_PAGE) are enabled:

Device(config)# ip http session-module-list list1 SCEP,HOME_PAGE
Device(config)# ip http active-session-modules all
Device(config)# ip http server
Device(config)# ip http secure-server
Device(config)# ip http secure-active-session-modules list1

ip igmp snooping

To globally enable Internet Group Management Protocol (IGMP) snooping on the device or to enable it on a per-VLAN basis, use the ip igmp snooping global configuration command on the device stack or on a standalone device. To return to the default setting, use the no form of this command.

ip igmp snooping [ vlan vlan-id]

no ip igmp snooping [ vlan vlan-id]

Syntax Description

vlan vlan-id

(Optional) Enables IGMP snooping on the specified VLAN. Ranges are 1 to 1001 and 1006 to 4094.

Command Default

IGMP snooping is globally enabled on the device.

IGMP snooping is enabled on VLAN interfaces.

Command Modes

Global configuration

Command History

Release

Modification

Cisco IOS XE Gibraltar 16.10.1

This command was introduced.

Usage Guidelines

When IGMP snooping is enabled globally, it is enabled in all of the existing VLAN interfaces. When IGMP snooping is globally disabled, it is disabled on all of the existing VLAN interfaces.

VLAN IDs 1002 to 1005 are reserved for Token Ring and FDDI VLANs, and cannot be used in IGMP snooping.

Examples

The following example shows how to globally enable IGMP snooping:

Device(config)# ip igmp snooping

The following example shows how to enable IGMP snooping on VLAN 1:

Device(config)# ip igmp snooping vlan 1

You can verify your settings by entering the show ip igmp snooping command in privileged EXEC mode.

ip mac-binding

To configure ip-mac binding on the device, use the ip mac-binding command. To disable ip-mac binding on the device, use the no form of the command.

[no] ip mac-binding

Syntax Description

This command has no keywords or arguments.

Command Default

IP MAC binding is enabled.

Command Modes

Wireless Policy Configuration (config-wireless-policy)

Command History

Release Modification
Cisco IOS XE Bengaluru 17.4.1

This command was introduced.

Usage Guidelines

When non-Cisco WGB devices (which do not perform a dot11 association for the wired clients behind them) are connected to a Cisco Catalyst 9800 Series Wireless Controller, the wired clients behind the WGB may not get IP addresses. In such cases, run the no ip mac-binding and ipv4 dhcp required commands on the policy profile. The ipv4 dhcp required command ensures that the WGB device performs DHCP to get its IP address. You must also enable the Passive Client feature and ARP broadcast on the client VLAN.

If the WGB and the wired client are configured with static IP addresses, the data received from the WGB is not forwarded. We recommend that you enable DHCP on the WGB (enabling DHCP on the wired client is optional).

A sample configuration is given below:

Device# configure terminal
Device(config)# wireless profile policy default-policy-profile
Device(config-wireless-policy)# ipv4 dhcp required
Device(config-wireless-policy)# no ip mac-binding
Device(config-wireless-policy)# passive-client
Device(config-wireless-policy)# exit
Device(config)# vlan configuration 1
Device(config-vlan)# arp broadcast

Examples

The following example shows how to configure the ip-mac binding.

Device# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Device(config)# wireless profile policy default-policy-profile
Device(config-wireless-policy)# [no] ip mac-binding

ip multicast vlan

To configure IP multicast on a single VLAN, use the ip multicast vlan command in WLAN configuration mode. To remove the VLAN from the WLAN, use the no form of the command.

ip multicast vlan {vlan-name | vlan-id}

no ip multicast vlan {vlan-name | vlan-id}

Syntax Description

vlan-name

Specifies the VLAN name.

vlan-id

Specifies the VLAN ID.

Command Default

Disabled.

Command Modes

WLAN configuration

Command History

Release

Modification

Cisco IOS XE Gibraltar 16.10.1

This command was introduced.

Usage Guidelines

None

Examples

This example configures vlan_id01 as a multicast VLAN.


Device# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Device(config)# wireless multicast
Device(config)# wlan test-wlan 1
Device(config-wlan)# ip multicast vlan vlan_id01

ip nbar protocol-discovery

To enable application recognition through the NBAR2 engine on a wireless policy profile, use the ip nbar protocol-discovery command.

ip nbar protocol-discovery

Command Default

None

Command Modes

config-wireless-policy

Command History

Release Modification

Cisco IOS XE Gibraltar 16.10.1

This command was introduced in a release earlier than Cisco IOS XE Gibraltar 16.10.1.

Examples

The following example shows how to configure application recognition on the wireless policy:

Device# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Device(config)# wireless profile policy profile-policy-name
Device(config-wireless-policy)# ip nbar protocol-discovery

ip nbar protocol-pack

To load the protocol pack from bootflash, use the ip nbar protocol-pack command.

ip nbar protocol-pack bootflash: [force]

Syntax Description

bootflash:

Load the protocol pack from bootflash:

force

Forces loading of the protocol pack from the selected source.

Command Default

None

Command Modes

Global configuration (config)

Command History

Release Modification

Cisco IOS XE Gibraltar 16.10.1

This command was introduced in a release earlier than Cisco IOS XE Gibraltar 16.10.1.

Examples

The following example shows how to load the NBAR2 protocol pack from bootflash:

Device# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Device(config)# ip nbar protocol-pack bootflash:

ip overlap

To enable overlapping client IP addresses in a flex deployment, use the ip overlap command.


Note


By default, the configuration is disabled.


ip overlap

Syntax Description

This command has no keywords or arguments.

Command Default

None

Command Modes

Wireless flex profile configuration (config-wireless-flex-profile)

Command History

Release Modification
Cisco IOS XE Bengaluru 17.4.1

This command was introduced.

Examples

This example shows how to enable overlapping client IP addresses in a flex deployment:


Device# configure terminal
Device(config)# wireless profile flex flex1
Device(config-wireless-flex-profile)# [no] ip overlap

ip ssh

To configure Secure Shell (SSH) control parameters on your router, use the ip ssh command in global configuration mode. To restore the default value, use the no form of this command.

ip ssh [timeout seconds | authentication-retries integer]

no ip ssh [timeout seconds | authentication-retries integer]

Syntax Description

timeout

(Optional) The time interval that the router waits for the SSH client to respond.

This setting applies to the SSH negotiation phase. Once the EXEC session starts, the standard timeouts configured for the vty apply. By default, there are 5 vtys defined (0-4), therefore 5 terminal sessions are possible. After the SSH executes a shell, the vty timeout starts. The vty timeout defaults to 10 minutes.

seconds

(Optional) The number of seconds until timeout disconnects, with a maximum of 120 seconds. The default is 120 seconds.

authentication-retries

(Optional) The number of attempts after which the interface is reset.

integer

(Optional) The number of retries, with a maximum of 5 authentication retries. The default is 3.

Command Default

SSH control parameters are set to default router values.

Command Modes


Global configuration (config)

Command History

Release

Modification

12.0(5)S

This command was introduced.

12.1(1)T

This command was integrated into Cisco IOS Release 12.1(1) T.

12.2(17a)SX

This command was integrated into Cisco IOS Release 12.2(17a)SX.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

Cisco IOS XE Release 2.4

This command was implemented on the Cisco ASR 1000 series routers.

Usage Guidelines

Before you configure SSH on your router, you must enable the SSH server using the crypto key generate rsa command.

Examples

The following examples configure SSH control parameters on your router:


ip ssh timeout 120
ip ssh authentication-retries 3

ip ssh version

To specify the version of Secure Shell (SSH) to be run on a router, use the ip ssh version command in global configuration mode. To disable the version of SSH that was configured and to return to compatibility mode, use the no form of this command.

ip ssh version [1 | 2]

no ip ssh version [1 | 2]

Syntax Description

1

(Optional) Router runs only SSH Version 1.

2

(Optional) Router runs only SSH Version 2.

Command Default

If this command is not configured, SSH operates in compatibility mode, that is, Version 1 and Version 2 are both supported.

Command Modes


Global configuration

Command History

Release

Modification

12.3(4)T

This command was introduced.

12.3(2)XE

This command was integrated into Cisco IOS Release 12.3(2)XE.

12.2(25)S

This command was integrated into Cisco IOS Release 12.2(25)S.

12.3(7)JA

This command was integrated into Cisco IOS Release 12.3(7)JA.

12.0(32)SY

This command was integrated into Cisco IOS Release 12.0(32)SY.

12.4(20)T

This command was integrated into Cisco IOS Release 12.4(20)T.

15.2(2)SA2

This command was implemented on the Cisco ME 2600X Series Ethernet Access Switches.

Usage Guidelines

You can use this command with the 2 keyword to ensure that your router will not inadvertently establish a weaker SSH Version 1 connection.

Examples

The following example shows that only SSH Version 1 support is configured:


Router(config)# ip ssh version 1

The following example shows that only SSH Version 2 is configured:


Router(config)# ip ssh version 2

The following example shows that SSH Versions 1 and 2 are configured:


Router(config)# no ip ssh version
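Pulling together the HTTP, HTTPS and SSH guidance above (the Caution under ip http secure-server, the ip http secure-ciphersuite and ip http client secure-ciphersuite keyword lists, and the compatibility-mode note under ip ssh version), the following audit script is an added example and not Cisco code or a command on this page. It scans a running-config excerpt for a plaintext ip http server left enabled next to ip http secure-server, for RC4 or DES CipherSuites explicitly offered, and for an ip ssh version that is unset (compatibility mode) or set to 1. The two config excerpts are constructed for the example, and the severity ratings are this example's own; the command reference only ranks the CipherSuites by processing speed.

```python
"""Audit an IOS-style running-config excerpt for the HTTP/HTTPS and SSH
hardening points made in the command pages above (added example, not Cisco
code).  Matching is on exact, whitespace-stripped config lines."""
import re

# Keywords accepted by ip http secure-ciphersuite / ip http client
# secure-ciphersuite, mapped to the SSL 3.0 CipherSuite they select and to
# this example's own severity rating.
CIPHER_KEYWORDS = {
    "3des-ede-cbc-sha": ("SSL_RSA_WITH_3DES_EDE_CBC_SHA", "medium",
                         "3DES is a legacy 64-bit block cipher"),
    "rc4-128-sha": ("SSL_RSA_WITH_RC4_128_SHA", "high",
                    "RC4 is a broken stream cipher"),
    "rc4-128-md5": ("SSL_RSA_WITH_RC4_128_MD5", "high",
                    "RC4 is broken and MD5 is a deprecated MAC hash"),
    "des-cbc-sha": ("SSL_RSA_WITH_DES_CBC_SHA", "high",
                    "single DES has an effective 56-bit key"),
}

# Constructed config excerpts used as sample input (not from a real device).
WEAK_CONFIG = """
hostname wlc-lab
ip http server
ip http secure-server
ip http secure-ciphersuite rc4-128-sha rc4-128-md5
ip http secure-trustpoint CA-trust-local
ip ssh authentication-retries 3
"""

HARDENED_CONFIG = """
hostname wlc-lab
no ip http server
ip http secure-server
ip http secure-ciphersuite 3des-ede-cbc-sha
ip http secure-trustpoint CA-trust-local
ip ssh version 2
"""


def audit_config(config_text):
    """Return a list of (severity, message) findings in a fixed order:
    HTTP/HTTPS server state, then CipherSuite lines, then SSH version."""
    lines = [ln.strip() for ln in config_text.splitlines() if ln.strip()]
    findings = []

    # 1. Plaintext HTTP server enabled: the Caution under ip http secure-server.
    http_on = "ip http server" in lines
    https_on = "ip http secure-server" in lines
    if http_on and https_on:
        findings.append(("high", "ip http server is enabled alongside ip http "
                                 "secure-server; add 'no ip http server' so the same "
                                 "services are not reachable in cleartext"))
    elif http_on:
        findings.append(("high", "ip http server is enabled and no HTTPS server "
                                 "is configured"))

    # 2. CipherSuites explicitly offered by the HTTPS server or HTTPS client.
    for ln in lines:
        m = re.fullmatch(r"ip http (?:client )?secure-ciphersuite (.+)", ln)
        if not m:
            continue
        for kw in m.group(1).split():
            if kw in CIPHER_KEYWORDS:
                name, sev, why = CIPHER_KEYWORDS[kw]
                findings.append((sev, f"{ln!r} offers {name}: {why}"))

    # 3. SSH protocol version: unset means compatibility mode (v1 and v2).
    ssh_version = None
    for ln in lines:
        m = re.fullmatch(r"ip ssh version ([12])", ln)
        if m:
            ssh_version = m.group(1)
    if ssh_version == "1":
        findings.append(("high", "ip ssh version 1: only SSH Version 1 is accepted"))
    elif ssh_version is None:
        findings.append(("medium", "ip ssh version is not set: SSH runs in "
                                   "compatibility mode and can still negotiate "
                                   "Version 1; configure 'ip ssh version 2'"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} ==")
        for sev, msg in audit_config(cfg):
            print(f"[{sev}] {msg}")
```

Run against the weak excerpt it reports the plaintext server, both RC4 suites and the unset SSH version; against the hardened excerpt only the 3DES suite remains, which reflects that the page's strongest listed CipherSuite is still a legacy choice on current builds.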

ip tftp blocksize

To specify TFTP client blocksize, use the ip tftp blocksize command.

ip tftp blocksize blocksize-value

Syntax Description

blocksize-value

Blocksize value. Valid range is from 512-8192 Kbps.

Command Default

TFTP client blocksize is not configured.

Command Modes

Global configuration (config)

Command History

Release Modification
Cisco IOS XE Gibraltar 16.10.1

This command was introduced in a release earlier than Cisco IOS XE Gibraltar 16.10.1.

Usage Guidelines

Use this command to change the default blocksize to decrease the image download time.

Examples

The following example shows how to specify TFTP client blocksize:

Device(config)# ip tftp blocksize 512

ip verify source

To enable IP source guard on an interface, use the ip verify source command in interface configuration mode. To disable IP source guard, use the no form of this command.

ip verify source

no ip verify source

Command Default

IP source guard is disabled.

Command Modes

Interface configuration

Command History

Release

Modification

Cisco IOS XE Gibraltar 16.10.1

This command was introduced.

Usage Guidelines

To enable IP source guard with source IP address filtering, use the ip verify source interface configuration command.

Examples

This example shows how to enable IP source guard with source IP address filtering on an interface:


Device(config)# interface gigabitethernet1/0/1
Device(config-if)# ip verify source

You can verify your settings by entering the show ip verify source privileged EXEC command.

ipv4-address-type

To configure the 802.11u IPv4 address type, use the ipv4-address-type command. To remove the address type, use the no form of the command.

ipv4-address-type {double-nated-private | not-available | not-known | port-restricted | port-restricted-double-nated | port-restricted-single-nated | public | single-nated-private}

Syntax Description

double-nated-private

Sets IPv4 address as double network address translation (NAT) private.

not-available

Sets IPv4 address type as not available.

not-known

Sets IPv4 address type availability as not known.

port-restricted

Sets IPv4 address type as port-restricted.

port-restricted-double-nated

Sets IPv4 address type as port-restricted and double NATed.

port-restricted-single-nated

Sets IPv4 address type as port-restricted and single NATed.

public

Sets IPv4 address type as public.

single-nated-private

Sets IPv4 address as single NATed private.

Command Default

None

Command Modes

Wireless ANQP Server Configuration (config-wireless-anqp-server)

Command History

Release Modification
Cisco IOS XE Gibraltar 16.12.1

This command was introduced.

Examples

The following example shows how to configure an 802.11u IPv4 address type:

Device(config)# wireless hotspot anqp-server my-server
Device(config-wireless-anqp-server)# ipv4-address-type public   

ipv4 arp-proxy

To enable proxy-ARP, use the ipv4 arp-proxy command. To disable proxy-ARP, use the no form of this command.

ipv4 arp-proxy

no ipv4 arp-proxy

Syntax Description

This command has no arguments or keywords.

Command Default

ARP proxy is not enabled.

Command Modes

wireless policy configuration (config-wireless-policy)

Command History

Release Modification
Cisco IOS XE Amsterdam 17.3.1

This command was introduced.

Usage Guidelines

Proxy-ARP is applicable only in central switching mode.

Examples

The following example shows how to enable proxy-ARP:

Device(config-wireless-policy)#ipv4 arp-proxy

ipv4 dhcp

To configure the DHCP parameters for a WLAN, use the ipv4 dhcp command.

ipv4 dhcp {opt82 {ascii | rid | format {ap_ethmac | ap_location | apmac | apname | policy_tag | ssid | vlan_id}} | required | server dhcp-ip-addr}

Syntax Description

opt82

Sets DHCP option 82 for wireless clients on this WLAN

required

Specifies whether DHCP address assignment is required

server

Configures the WLAN's IPv4 DHCP Server

ascii

Supports ASCII for DHCP option 82

rid

Supports adding Cisco 2 byte RID for DHCP option 82

format

Sets RemoteID format

ap_ethmac

Enables DHCP AP Ethernet MAC address

ap_location

Enables AP location

apmac

Enables AP MAC address

apname

Enables AP name

policy_tag

Enables Site tag

ssid

Enables SSID

vlan_id

Enables VLAN ID

dhcp-ip-addr

Enter the override DHCP server's IP Address.

Command Default

None

Command Modes

config-wireless-policy

Command History

Release Modification

Cisco IOS XE Gibraltar 16.10.1

This command was introduced in a release earlier than Cisco IOS XE Gibraltar 16.10.1.

Examples

The following example shows how to configure DHCP address assignment as a requirement:

Device# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Device(config)# wireless profile policy demo-profile-name
Device(config-wireless-policy)# ipv4 dhcp required

ipv4 flow monitor

To configure the IPv4 traffic ingress flow monitor for a WLAN profile policy, use the ipv4 flow monitor input command.

ipv4 flow monitor monitor-name input

Syntax Description

monitor-name

Flow monitor name.

input

Enables flow monitor on ingress traffic.

Command Default

None

Command Modes

config-wireless-policy

Command History

Release Modification

Cisco IOS XE Gibraltar 16.10.1

This command was introduced in a release earlier than Cisco IOS XE Gibraltar 16.10.1.

Examples

The following example shows how to configure the IPv4 traffic ingress flow monitor for a WLAN profile policy:

Device# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Device(config)# wireless profile policy policy-profile-name
Device(config-wireless-policy)# ipv4 flow monitor flow-monitor-name input

ipv6 access-list

To define an IPv6 access list and to place the device in IPv6 access list configuration mode, use the ipv6 access-list command in global configuration mode. To remove the access list, use the no form of this command.

ipv6 access-list {access-list-name | match-local-traffic | log-update threshold threshold-in-msgs | role-based list-name}

no ipv6 access-list {access-list-name | client permit-control-packets | log-update threshold | role-based list-name}

Syntax Description

access-list-name

Creates a named IPv6 ACL (up to 64 characters in length) and enters IPv6 ACL configuration mode.

access-list-name - Name of the IPv6 access list. Names cannot contain a space or quotation mark, or begin with a numeric.

match-local-traffic

Enables matching for locally-generated traffic.

log-update threshold threshold-in-msgs

Determines how syslog messages are generated after the initial packet match.

threshold-in-msgs - Number of packets generated.

role-based list-name

Creates a role-based IPv6 ACL.

Command Default

No IPv6 access list is defined.

Command Modes


Global configuration

Command History

Release

Modification

Cisco IOS XE Gibraltar 16.10.1

This command was introduced.

Usage Guidelines

IPv6 ACLs are defined by using the ipv6 access-list command in global configuration mode and their permit and deny conditions are set by using the deny and permit commands in IPv6 access list configuration mode. Configuring the ipv6 access-list command places the device in IPv6 access list configuration mode--the device prompt changes to Device(config-ipv6-acl)#. From IPv6 access list configuration mode, permit and deny conditions can be set for the defined IPv6 ACL.


Note


IPv6 ACLs are defined by a unique name (IPv6 does not support numbered ACLs). An IPv4 ACL and an IPv6 ACL cannot share the same name.


IPv6 is automatically configured as the protocol type in permit any any and deny any any statements that are translated from global configuration mode to IPv6 access list configuration mode.

Every IPv6 ACL has implicit permit icmp any any nd-na , permit icmp any any nd-ns , and deny ipv6 any any statements as its last match conditions. (The former two match conditions allow for ICMPv6 neighbor discovery.) An IPv6 ACL must contain at least one entry for the implicit deny ipv6 any any statement to take effect. The IPv6 neighbor discovery process makes use of the IPv6 network layer service; therefore, by default, IPv6 ACLs implicitly allow IPv6 neighbor discovery packets to be sent and received on an interface. In IPv4, the Address Resolution Protocol (ARP), which is equivalent to the IPv6 neighbor discovery process, makes use of a separate data link layer protocol; therefore, by default, IPv4 ACLs implicitly allow ARP packets to be sent and received on an interface.

Use the ipv6 traffic-filter interface configuration command with the access-list-name argument to apply an IPv6 ACL to an IPv6 interface. Use the ipv6 access-class line configuration command with the access-list-name argument to apply an IPv6 ACL to incoming and outgoing IPv6 virtual terminal connections to and from the device.

An IPv6 ACL applied to an interface with the ipv6 traffic-filter command filters traffic that is forwarded, not originated, by the device.

Examples

The example configures the IPv6 ACL list named list1 and places the device in IPv6 access list configuration mode.


Device(config)# ipv6 access-list list1
Device(config-ipv6-acl)#

The following example configures the IPv6 ACL named list2 and applies the ACL to outbound traffic on Ethernet interface 0. Specifically, the first ACL entry keeps all packets from the network FEC0:0:0:2::/64 (packets that have the site-local prefix FEC0:0:0:2 as the first 64 bits of their source IPv6 address) from exiting out of Ethernet interface 0. The second entry in the ACL permits all other traffic to exit out of Ethernet interface 0. The second entry is necessary because an implicit deny all condition is at the end of each IPv6 ACL.


Device(config)# ipv6 access-list list2
Device(config-ipv6-acl)# deny ipv6 FEC0:0:0:2::/64 any
Device(config-ipv6-acl)# permit ipv6 any any
Device(config-ipv6-acl)# exit
Device(config)# interface ethernet 0
Device(config-if)# ipv6 traffic-filter list2 out
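The match order described in the usage guidelines above (configured entries first, then the implicit permit icmp any any nd-na, permit icmp any any nd-ns and deny ipv6 any any entries, with the implicit deny taking effect only when the ACL has at least one configured entry) can be checked with a small model. The following is an added example, not Cisco code or device output. The Entry and Packet classes, the protocol names and the sample addresses are this example's own simplifications; real IPv6 ACEs also carry ports and other qualifiers that this model leaves out.

```python
"""Model of the IPv6 ACL match order described in the ipv6 access-list usage
guidelines above (added example, not Cisco code).  Configured entries are
checked top-down; then the implicit 'permit icmp any any nd-na',
'permit icmp any any nd-ns' and 'deny ipv6 any any' entries apply, but only
when the ACL has at least one configured entry."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Entry:
    action: str                      # "permit" or "deny"
    proto: str                       # "ipv6" (any protocol), "icmp", "tcp", "udp"
    src: str                         # IPv6 prefix or "any"
    dst: str                         # IPv6 prefix or "any"
    icmp_type: Optional[str] = None  # e.g. "nd-na", "nd-ns"; None matches any type


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    icmp_type: Optional[str] = None


# The implicit tail every IPv6 ACL carries, in the order the guidelines give.
IMPLICIT_TAIL = (
    Entry("permit", "icmp", "any", "any", "nd-na"),
    Entry("permit", "icmp", "any", "any", "nd-ns"),
    Entry("deny", "ipv6", "any", "any"),
)

# list2 from the example above: block FEC0:0:0:2::/64, permit everything else.
LIST2 = (
    Entry("deny", "ipv6", "FEC0:0:0:2::/64", "any"),
    Entry("permit", "ipv6", "any", "any"),
)

# A deny-only ACL (constructed): its single entry makes the implicit tail apply,
# so everything except neighbor discovery is dropped.
DENY_ONLY = (Entry("deny", "ipv6", "FEC0:0:0:2::/64", "any"),)


def _addr_match(rule, addr):
    """True if addr falls inside the rule prefix ('any' matches everything)."""
    if rule == "any":
        return True
    return ipaddress.IPv6Address(addr) in ipaddress.IPv6Network(rule, strict=False)


def _entry_match(entry, pkt):
    """True if a single ACE matches the packet on protocol, ICMP type and addresses."""
    if entry.proto != "ipv6" and entry.proto != pkt.proto:
        return False
    if entry.icmp_type is not None and entry.icmp_type != pkt.icmp_type:
        return False
    return _addr_match(entry.src, pkt.src) and _addr_match(entry.dst, pkt.dst)


def evaluate(acl, pkt):
    """Return 'permit' or 'deny' for pkt under acl (a sequence of Entry)."""
    if not acl:
        # No configured entries: per the guidelines the implicit deny does
        # not take effect, so the ACL passes traffic.
        return "permit"
    for entry in tuple(acl) + IMPLICIT_TAIL:
        if _entry_match(entry, pkt):
            return entry.action
    return "deny"  # not reached: 'deny ipv6 any any' matches everything


if __name__ == "__main__":
    probe = Packet("tcp", "FEC0:0:0:2::10", "2001:db8::1")
    print("list2   :", evaluate(LIST2, probe))
    print("deny-only, nd-ns :",
          evaluate(DENY_ONLY, Packet("icmp", "FE80::1", "FF02::1", "nd-ns")))
    print("empty   :", evaluate((), probe))
```

The deny-only case is the one worth remembering: a single deny entry is enough to activate the implicit deny ipv6 any any, so all other traffic stops except neighbor discovery, which the implicit nd-na and nd-ns permits keep working.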

ipv6-address-type

To configure the 802.11u IPv6 address type, use the ipv6-address-type command. To remove the address type, use the no form of the command.

ipv6-address-type { available| not-available| not-known}

Syntax Description

available

Sets IPv6 address type as available.

not-available

Sets IPv6 address type as not available.

not-known

Sets IPv6 address type availability as not known.

Command Default

None

Command Modes

Wireless ANQP Server Configuration (config-wireless-anqp-server)

Command History

Release Modification
Cisco IOS XE Gibraltar 16.12.1

This command was introduced.

Examples

The following example shows how to configure a 802.11u IPv6 address type:

Device(config)# wireless hotspot anqp-server my-server
Device(config-wireless-anqp-server)# ipv6-address-type available

ipv6 address

To configure an IPv6 address based on an IPv6 general prefix and enable IPv6 processing on an interface, use the ipv6 address command in interface configuration mode. To remove the address from the interface, use the no form of this command.

ipv6 address {ipv6-address/prefix-length | prefix-name sub-bits/prefix-length}

no ipv6 address {ipv6-address/prefix-length | prefix-name sub-bits/prefix-length}

Syntax Description

ipv6-address

The IPv6 address to be used.

/ prefix-length

The length of the IPv6 prefix. A decimal value that indicates how many of the high-order contiguous bits of the address comprise the prefix (the network portion of the address). A slash mark must precede the decimal value.

prefix-name

A general prefix, which specifies the leading bits of the network to be configured on the interface.

sub-bits

The subprefix bits and host bits of the address to be concatenated with the prefixes provided by the general prefix specified with the prefix-name argument.

The sub-bits argument must be in the form documented in RFC 2373 where the address is specified in hexadecimal using 16-bit values between colons.

Command Default

No IPv6 addresses are defined for any interface.

Command Modes


Interface configuration

Command History

Release

Modification

12.2(2)T

This command was introduced.

12.2(28)SB

This command was integrated into Cisco IOS Release 12.2(28)SB.

12.2(25)SG

This command was integrated into Cisco IOS Release 12.2(25)SG.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2(33)SXH

This command was integrated into Cisco IOS Release 12.2(33)SXH.

Cisco IOS XE Release 2.1

This command was integrated into Cisco ASR 1000 Series devices.

15.2(4)S

This command was integrated into Cisco IOS Release 15.2(4)S.

15.2(2)SNG

This command was implemented on the Cisco ASR 901 Series Aggregation Services devices.

Cisco IOS XE Release 3.2SE

This command was integrated into Cisco IOS XE Release 3.2SE.

Usage Guidelines

The ipv6 address command allows multiple IPv6 addresses to be configured on an interface in various different ways, with varying options. The most common way is to specify the IPv6 address with the prefix length.

Addresses may also be defined using the general prefix mechanism, which separates the aggregated IPv6 prefix bits from the subprefix and host bits. In this case, the leading bits of the address are defined in a general prefix, which is globally configured or learned (for example, through use of Dynamic Host Configuration Protocol-Prefix Delegation (DHCP-PD)), and then applied using the prefix-name argument. The subprefix bits and host bits are defined using the sub-bits argument.

Using the no ipv6 address autoconfig command without arguments removes all IPv6 addresses from an interface.

IPv6 link-local addresses must be configured and IPv6 processing must be enabled on an interface by using the ipv6 address link-local command.

Examples

The following example shows how to enable IPv6 processing on the interface and configure an address based on the general prefix called my-prefix and the directly specified bits:

Device(config-if)# ipv6 address my-prefix 0:0:0:7272::72/64

Assuming the general prefix named my-prefix has the value of 2001:DB8:2222::/48, then the interface would be configured with the global address 2001:DB8:2222:7272::72/64.
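
The concatenation just described, as an added example that is not Cisco's code and is not part of this command reference: a Python function that combines a general prefix with the sub-bits argument at the bit level using the standard ipaddress module. The function and variable names are this example's own; the prefix value and sub-bits are the ones from the example above.

```python
import ipaddress

IPV6_ALL_ONES = (1 << 128) - 1


def apply_general_prefix(general_prefix: str, sub_bits: str) -> ipaddress.IPv6Interface:
    """Combine a general prefix with the sub-bits argument the way the
    'ipv6 address prefix-name sub-bits/prefix-length' form does.

    general_prefix: the value bound to the prefix name, e.g. "2001:DB8:2222::/48"
    sub_bits:       the subprefix and host bits with the final prefix length,
                    e.g. "0:0:0:7272::72/64"

    The leading bits come from the general prefix; every bit beyond its length
    comes from sub_bits. Bits of sub_bits that fall inside the general-prefix
    portion are masked out. The prefix length of the result is the one given
    with sub_bits.
    """
    gp = ipaddress.IPv6Network(general_prefix, strict=False)
    sb = ipaddress.IPv6Interface(sub_bits)
    if sb.network.prefixlen < gp.prefixlen:
        raise ValueError(
            f"sub-bits prefix length /{sb.network.prefixlen} is shorter than the "
            f"general prefix /{gp.prefixlen}; the general prefix must fit inside it"
        )
    gp_mask = int(gp.netmask)
    host_mask = ~gp_mask & IPV6_ALL_ONES
    combined = (int(gp.network_address) & gp_mask) | (int(sb.ip) & host_mask)
    return ipaddress.IPv6Interface(f"{ipaddress.IPv6Address(combined)}/{sb.network.prefixlen}")


def rederive_addresses(general_prefix: str, configured_sub_bits: list) -> dict:
    """Re-derive every address configured through the general prefix. This is
    what happens to the interface addresses when the prefix value changes,
    for example when a new prefix is learned through DHCP-PD."""
    return {sb: str(apply_general_prefix(general_prefix, sb)) for sb in configured_sub_bits}


if __name__ == "__main__":
    print(apply_general_prefix("2001:DB8:2222::/48", "0:0:0:7272::72/64"))
```

With the values from the example, the function returns 2001:db8:2222:7272::72/64. Passing a sub-bits value whose prefix length is shorter than the general prefix is rejected, because the general prefix could not fit inside it.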

ipv6 dhcp pool

To configure a Dynamic Host Configuration Protocol (DHCP) for IPv6 server configuration information pool and enter DHCP for IPv6 pool configuration mode, use the ipv6 dhcp pool command in global configuration mode. To delete a DHCP for IPv6 pool, use the no form of this command.

ipv6 dhcp pool poolname

no ipv6 dhcp pool poolname

Syntax Description

poolname

User-defined name for the local prefix pool. The pool name can be a symbolic string (such as "Engineering") or an integer (such as 0).

Command Default

DHCP for IPv6 pools are not configured.

Command Modes


Global configuration

Command History

Release

Modification

12.3(4)T

This command was introduced.

12.2(18)SXE

This command was integrated into Cisco IOS Release 12.2(18)SXE.

12.4(24)T

This command was integrated into Cisco IOS Release 12.4(24)T.

Cisco IOS XE Release 2.1

This command was integrated into Cisco IOS XE Release 2.1.

12.2(33)SRE

This command was modified. It was integrated into Cisco IOS Release 12.2(33)SRE.

12.2(33)XNE

This command was modified. It was integrated into Cisco IOS Release 12.2(33)XNE.

Usage Guidelines

Use the ipv6 dhcp pool command to create a DHCP for IPv6 server configuration information pool. When the ipv6 dhcp pool command is enabled, the configuration mode changes to DHCP for IPv6 pool configuration mode. In this mode, the administrator can configure pool parameters, such as prefixes to be delegated and Domain Name System (DNS) servers, using the following commands:

  • address prefix IPv6-prefix [lifetime {valid-lifetime preferred-lifetime | infinite }] sets an address prefix for address assignment. This address must be in hexadecimal, using 16-bit values between colons.

  • link-address IPv6-prefix sets a link-address IPv6 prefix. When an address on the incoming interface or a link-address in the packet matches the specified IPv6-prefix, the server uses the configuration information pool. This address must be in hexadecimal, using 16-bit values between colons.

  • vendor-specific vendor-id enables DHCPv6 vendor-specific configuration mode. Specify a vendor identification number. This number is the vendor IANA Private Enterprise Number. The range is 1 to 4294967295. The following configuration command is available:
    • suboption number sets vendor-specific suboption number. The range is 1 to 65535. You can enter an IPv6 address, ASCII text, or a hex string as defined by the suboption parameters.

Note

The hex value used under the suboption keyword allows users to enter only hex digits (0-f). Entering an invalid hex value does not delete the previous configuration.

Once the DHCP for IPv6 configuration information pool has been created, use the ipv6 dhcp server command to associate the pool with a server on an interface. If you do not configure an information pool, you need to use the ipv6 dhcp server interface configuration command to enable the DHCPv6 server function on an interface.

When you associate a DHCPv6 pool with an interface, only that pool services requests on the associated interface. The pool also services other interfaces. If you do not associate a DHCPv6 pool with an interface, it can service requests on any interface.

Not using any IPv6 address prefix means that the pool returns only configured options.

The link-address command allows matching a link-address without necessarily allocating an address. You can match the pool from multiple relays by using multiple link-address configuration commands inside a pool.

Since a longest match is performed on either the address pool information or the link information, you can configure one pool to allocate addresses and another pool on a subprefix that returns only configured options.
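
Pool selection by longest match, as an added illustration that is not Cisco's implementation: a small Python model of the link-address matching described above, with one pool that allocates addresses on a /48 and a second pool on a /64 subprefix that only returns configured options. Pool names, prefixes and options are constructed for the example and use 2001:db8::/32 documentation addresses.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class DhcpV6Pool:
    """One 'ipv6 dhcp pool': its link-address prefixes, an optional address
    prefix, and the configured options (DNS servers and the like)."""
    name: str
    link_addresses: List[ipaddress.IPv6Network] = field(default_factory=list)
    address_prefix: Optional[ipaddress.IPv6Network] = None
    options: Dict[str, str] = field(default_factory=dict)


def select_pool(pools: List[DhcpV6Pool],
                link_address: ipaddress.IPv6Address) -> Optional[DhcpV6Pool]:
    """Return the pool whose link-address prefix is the longest match for the
    link-address carried in a relayed request (or the incoming interface's
    address). A pool may carry several link-address prefixes, one per relay."""
    best, best_len = None, -1
    for pool in pools:
        for net in pool.link_addresses:
            if link_address in net and net.prefixlen > best_len:
                best, best_len = pool, net.prefixlen
    return best


def serve(pools: List[DhcpV6Pool], link_address: str) -> dict:
    """Model the reply: configured options are always returned, an address
    only when the selected pool has an address prefix."""
    pool = select_pool(pools, ipaddress.IPv6Address(link_address))
    if pool is None:
        return {"pool": None, "address_assigned": False, "options": {}}
    return {
        "pool": pool.name,
        "address_assigned": pool.address_prefix is not None,
        "options": dict(pool.options),
    }


# Constructed sample: an address-allocating pool matched on 2001:db8:2000::/48
# and an options-only pool on the more specific subprefix 2001:db8:2000:10::/64.
SAMPLE_POOLS = [
    DhcpV6Pool("engineering",
               [ipaddress.IPv6Network("2001:db8:2000::/48")],
               ipaddress.IPv6Network("2001:db8:1003::/64"),
               {"dns-server": "2001:db8::53"}),
    DhcpV6Pool("options-only",
               [ipaddress.IPv6Network("2001:db8:2000:10::/64")],
               None,
               {"dns-server": "2001:db8:10::53", "domain-name": "example.test"}),
]

if __name__ == "__main__":
    for link in ("2001:db8:2000:10::1", "2001:db8:2000:20::1", "2001:db8:3000::1"):
        print(link, "->", serve(SAMPLE_POOLS, link))
```

A request relayed with link-address 2001:db8:2000:10::1 lands in the /64 options-only pool and gets no address; one from 2001:db8:2000:20::1 falls back to the /48 pool and is allocated an address; a link-address outside both prefixes matches no pool.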

Examples

The following example specifies a DHCP for IPv6 configuration information pool named cisco1 and places the router in DHCP for IPv6 pool configuration mode:


Router(config)# ipv6 dhcp pool cisco1
Router(config-dhcpv6)#

The following example shows how to configure an IPv6 address prefix for the IPv6 configuration pool cisco1:


Router(config-dhcpv6)# address prefix 2001:1000::0/64
Router(config-dhcpv6)# end

The following example shows how to configure a pool named engineering with three link-address prefixes and an IPv6 address prefix:


Router# configure terminal
Router(config)# ipv6 dhcp pool engineering
Router(config-dhcpv6)# link-address 2001:1001::0/64
Router(config-dhcpv6)# link-address 2001:1002::0/64
Router(config-dhcpv6)# link-address 2001:2000::0/48
Router(config-dhcpv6)# address prefix 2001:1003::0/64
Router(config-dhcpv6)# end

The following example shows how to configure a pool named 350 with vendor-specific options:


Router# configure terminal
Router(config)# ipv6 dhcp pool 350
Router(config-dhcpv6)# vendor-specific 9
Router(config-dhcpv6-vs)# suboption 1 address 1000:235D::1
Router(config-dhcpv6-vs)# suboption 2 ascii "IP-Phone"
Router(config-dhcpv6-vs)# end

ipv6 enable

To enable IPv6 processing on an interface that has not been configured with an explicit IPv6 address, use the ipv6 enable command in interface configuration mode. To disable IPv6 processing on an interface that has not been configured with an explicit IPv6 address, use the no form of this command.

ipv6 enable

no ipv6 enable

Syntax Description

This command has no arguments or keywords.

Command Default

IPv6 is disabled.

Command Modes


Interface configuration (config-if)

Command History

Release

Modification

12.2(2)T

This command was introduced.

12.0(21)ST

This command was integrated into Cisco IOS Release 12.0(21)ST.

12.0(22)S

This command was integrated into Cisco IOS Release 12.0(22)S.

12.2(14)S

This command was integrated into Cisco IOS Release 12.2(14)S.

12.2(28)SB

This command was integrated into Cisco IOS Release 12.2(28)SB.

12.2(25)SG

This command was integrated into Cisco IOS Release 12.2(25)SG.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2(33)SXH

This command was integrated into Cisco IOS Release 12.2(33)SXH.

Cisco IOS XE Release 2.1

This command was integrated into Cisco IOS XE Release 2.1.

15.2(2)SNG

This command was implemented on the Cisco ASR 901 Series Aggregation Services devices.

Cisco IOS XE Release 3.2SE

This command was integrated into Cisco IOS XE Release 3.2SE.

15.2(2)SA2

This command was implemented on the Cisco ME 2600X Series Ethernet Access Switches.

Usage Guidelines

The ipv6 enable command automatically configures an IPv6 link-local unicast address on the interface while also enabling the interface for IPv6 processing. The no ipv6 enable command does not disable IPv6 processing on an interface that is configured with an explicit IPv6 address.

Examples

The following example enables IPv6 processing on Ethernet interface 0/0:


Device(config)# interface ethernet 0/0
Device(config-if)# ipv6 enable

ipv6 flow-export destination

To configure the IPv6 Encrypted Traffic Analytics (ETA) flow export destination, use the ipv6 flow-export destination command.

ipv6 flow-export destination ipv6_address port_number [ source-interface interface-name ] [ ipfix]

Syntax Description

ipv6_address

Flow destination address.

port_number

Flow destination port number. The range is from 1 to 65535.

source-interface

(Optional) The source interface name of the exported ETA record.

interface-name

(Optional) The source address of the exported ETA record. The IP address of the interface is used as source IP address of the exported ETA record packet.

ipfix

(Optional) The format of the exported ETA records.

Command Default

None

Command Modes

ET-Analytics configuration

Command History

Release Modification

Cisco IOS XE Amsterdam 17.1.1s

This command was introduced.

Examples

This example shows how to configure ETA flow export destination:

Device# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Device(config)# et-analytics
Device(config-et-analytics)# ipv6 flow-export destination 2001:181:181::1 22 source-interface loopback0 ipfix
Device(config-et-analytics)# end

ipv6 nd proxy

To enable the IPv6 Neighbor Discovery (ND) proxy or the Duplicate Address Detection (DAD) proxy, use the ipv6 nd proxy command. To disable the ND or DAD proxy, use the no form of this command.

ipv6 nd proxy {dad-proxy | full-proxy}

no ipv6 nd proxy {dad-proxy | full-proxy}

Syntax Description

dad-proxy

Enables the DAD proxy.

full-proxy

Enables the full proxy. This enables DAD proxy and non-DAD Neighbor Solicitation proxy.

Command Default

Neighbor Discovery Proxy is not enabled.

Command Modes

wireless policy configuration (config-wireless-policy)

Command History

Release Modification
Cisco IOS XE Amsterdam 17.3.1

This command was introduced.

Usage Guidelines

DAD proxy is applicable only in central switching mode.

Examples

The following example shows how to enable DAD proxy:

Device(config-wireless-policy)# ipv6 nd proxy dad-proxy

ipv6 mld snooping

To enable Multicast Listener Discovery version 2 (MLDv2) protocol snooping globally, use the ipv6 mld snooping command in global configuration mode. To disable the MLDv2 snooping globally, use the no form of this command.

ipv6 mld snooping

no ipv6 mld snooping

Syntax Description

This command has no arguments or keywords.

Command Default

This command is enabled.

Command Modes


Global configuration

Command History

Release

Modification

12.2(18)SXE

This command was introduced on the Supervisor Engine 720.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

15.4(2)S

This command was implemented on the Cisco ASR 901 Series Aggregation Services Router.

Usage Guidelines

MLDv2 snooping is supported on the Supervisor Engine 720 with all versions of the Policy Feature Card 3 (PFC3).

To use MLDv2 snooping, configure a Layer 3 interface in the subnet for IPv6 multicast routing or enable the MLDv2 snooping querier in the subnet.

Examples

This example shows how to enable MLDv2 snooping globally:


Router(config)# ipv6 mld snooping 

ipv6 nd managed-config-flag

To set the managed address configuration flag in IPv6 router advertisements, use the ipv6 nd managed-config-flag command in an appropriate configuration mode. To clear the flag from IPv6 router advertisements, use the no form of this command.

ipv6 nd managed-config-flag

no ipv6 nd managed-config-flag

Syntax Description

This command has no keywords or arguments.

Command Default

The managed address configuration flag is not set in IPv6 router advertisements.

Command Modes

Interface configuration

Command History

Release Modification
Cisco IOS XE Gibraltar 16.10.1

This command was introduced in a release earlier than Cisco IOS XE Gibraltar 16.10.1.

Usage Guidelines

Setting the managed address configuration flag in IPv6 router advertisements indicates to attached hosts whether they should use stateful autoconfiguration to obtain addresses. If the flag is set, the attached hosts should use stateful autoconfiguration to obtain addresses. If the flag is not set, the attached hosts should not use stateful autoconfiguration to obtain addresses.

Hosts may use stateful and stateless address autoconfiguration simultaneously.

Examples

This example shows how to configure the managed address configuration flag in IPv6 router advertisements:
Device(config)# interface 
Device(config-if)# ipv6 nd managed-config-flag

ipv6 nd other-config-flag

To set the other stateful configuration flag in IPv6 router advertisements, use the ipv6 nd other-config-flag command in an appropriate configuration mode. To clear the flag from IPv6 router advertisements, use the no form of this command.

ipv6 nd other-config-flag

Syntax Description

This command has no keywords or arguments.

Command Default

The other stateful configuration flag is not set in IPv6 router advertisements.

Command Modes

Interface configuration

Dynamic template configuration

Command History

Release Modification
Cisco IOS XE Gibraltar 16.10.1

This command was introduced in a release earlier than Cisco IOS XE Gibraltar 16.10.1.

Usage Guidelines

The setting of the other stateful configuration flag in IPv6 router advertisements indicates to attached hosts how they can obtain autoconfiguration information other than addresses. If the flag is set, the attached hosts should use stateful autoconfiguration to obtain the other (nonaddress) information.


Note

If the managed address configuration flag is set using the ipv6 nd managed-config-flag command, then an attached host can use stateful autoconfiguration to obtain the other (nonaddress) information regardless of the setting of the other stateful configuration flag.
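
The managed (M) and other (O) flags as they appear on the wire, as an added example that is not from the Cisco documentation: a Python builder and parser for the ICMPv6 Router Advertisement header, plus the host behaviour implied by the two flags, including the rule in the note above that a set M flag covers the other (nonaddress) information regardless of O. The byte layout is the RFC 4861 RA header (16 bytes, no options); function names and the sample values are this example's own.

```python
import struct

ICMPV6_ROUTER_ADVERTISEMENT = 134
RA_FLAG_MANAGED = 0x80   # M: managed address configuration
RA_FLAG_OTHER = 0x40     # O: other stateful configuration
# type, code, checksum, cur hop limit, flags, router lifetime, reachable time, retrans timer
RA_HEADER = struct.Struct("!BBHBBHII")


def build_ra_header(managed: bool, other: bool, cur_hop_limit: int = 64,
                    router_lifetime: int = 1800) -> bytes:
    """Constructed RA header with the M and O flags as given. The checksum is
    left at zero because it depends on the IPv6 pseudo-header, not shown here."""
    flags = (RA_FLAG_MANAGED if managed else 0) | (RA_FLAG_OTHER if other else 0)
    return RA_HEADER.pack(ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, cur_hop_limit,
                          flags, router_lifetime, 0, 0)


def parse_ra_flags(icmpv6: bytes) -> dict:
    """Decode the fixed RA header and return the M/O flags plus the fields a
    host acts on. Anything that is not a Router Advertisement is rejected."""
    if len(icmpv6) < RA_HEADER.size:
        raise ValueError("too short for a Router Advertisement header")
    (msg_type, code, _csum, hop_limit, flags,
     lifetime, _reachable, _retrans) = RA_HEADER.unpack_from(icmpv6)
    if msg_type != ICMPV6_ROUTER_ADVERTISEMENT or code != 0:
        raise ValueError(f"not a Router Advertisement (type {msg_type}, code {code})")
    return {
        "managed": bool(flags & RA_FLAG_MANAGED),
        "other": bool(flags & RA_FLAG_OTHER),
        "cur_hop_limit": hop_limit,
        "router_lifetime": lifetime,
    }


def host_behaviour(managed: bool, other: bool) -> dict:
    """What an attached host does with the two flags:
    M set: stateful (DHCPv6) configuration for addresses and, regardless of O,
           for the other (nonaddress) information.
    O set only: stateful configuration for the other information only; addresses
           still come from stateless autoconfiguration."""
    return {
        "stateful_addresses": managed,
        "stateful_other_config": managed or other,
    }


def describe_ra(icmpv6: bytes) -> dict:
    """Parse an RA and attach the derived host behaviour."""
    flags = parse_ra_flags(icmpv6)
    flags.update(host_behaviour(flags["managed"], flags["other"]))
    return flags


if __name__ == "__main__":
    for m, o in ((False, False), (False, True), (True, False)):
        print(f"M={int(m)} O={int(o)} ->", describe_ra(build_ra_header(m, o)))
```

The combination M=0, O=1 is what the ipv6 nd other-config-flag command alone produces: hosts keep stateless address autoconfiguration and use DHCPv6 only for the other information. M=1 (ipv6 nd managed-config-flag) makes both stateful whatever O is set to.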


Examples

This example (not applicable for BNG) configures the “other stateful configuration” flag in IPv6 router advertisements:

Device(config)# interface 
Device(config-if)# ipv6 nd other-config-flag

ipv6 nd ra-throttler attach-policy

To attach an IPv6 policy to the router advertisement (RA) throttler feature on a VLAN, use the ipv6 nd ra-throttler attach-policy command.

ipv6 nd ra-throttler attach-policy policy-name

Syntax Description

ipv6

IPv6 root chain.

ra-throttler

Configure RA throttler on the VLAN.

attach-policy

Apply a policy for feature RA throttler.

policy-name

Policy name for the RA throttler feature.

Command Default

None

Command Modes

config-vlan

Command History

Release Modification

Cisco IOS XE Gibraltar 16.10.1

This command was introduced in a release earlier than Cisco IOS XE Gibraltar 16.10.1.

Examples

The following example shows how to attach an IPv6 policy to the RA throttler feature on a VLAN:

Device# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Device(config)# vlan configuration vlan-id
Device(config-vlan-config)# ipv6 nd ra-throttler attach-policy policy-name

ipv6 nd raguard policy

To define the router advertisement (RA) guard policy name and enter RA guard policy configuration mode, use the ipv6 nd raguard policy command in global configuration mode.

ipv6 nd raguard policy policy-name

Syntax Description

policy-name

IPv6 RA guard policy name.

Command Default

An RA guard policy is not configured.

Command Modes


Global configuration (config)

Command History

Release

Modification

12.2(50)SY

This command was introduced.

15.2(4)S

This command was integrated into Cisco IOS Release 15.2(4)S.

15.0(2)SE

This command was integrated into Cisco IOS Release 15.0(2)SE.

Cisco IOS XE Release 3.2SE

This command was integrated into Cisco IOS XE Release 3.2SE.

Usage Guidelines

Use the ipv6 nd raguard policy command to configure RA guard globally on a router. Once the device is in RA guard policy configuration mode (config-ra-guard), you can use any of the following commands:

  • device-role

  • drop-unsecure

  • limit address-count

  • sec-level minimum

  • trusted-port

  • validate source-mac

After IPv6 RA guard is configured globally, you can use the ipv6 nd raguard attach-policy command to enable IPv6 RA guard on a specific interface.
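
What an attached RA guard policy does to traffic on a port, as an added example that is not Cisco's implementation: a Python model of the device-role and trusted-port subcommands applied to a list of constructed frames, counting the Router Advertisements that would be dropped per port, which is the figure a defender would alert on (an RA arriving on a host-facing port points at a misconfigured or rogue device). The other policy subcommands listed above (drop-unsecure, limit address-count, sec-level minimum, validate source-mac) are deliberately not modelled; port names, policy names and frames are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

ICMPV6_ROUTER_SOLICITATION = 133
ICMPV6_ROUTER_ADVERTISEMENT = 134


@dataclass
class RaGuardPolicy:
    """Subset of an 'ipv6 nd raguard policy': device-role and trusted-port."""
    name: str
    device_role: str = "host"      # "host" (the default) or "router"
    trusted_port: bool = False     # trusted-port: RA guard is bypassed


@dataclass
class Frame:
    ingress_port: str
    icmpv6_type: Optional[int]      # None for anything that is not ICMPv6


def ra_guard_verdict(policy: Optional[RaGuardPolicy], frame: Frame) -> str:
    """'forward' or 'drop' for one frame on one port."""
    if frame.icmpv6_type != ICMPV6_ROUTER_ADVERTISEMENT:
        return "forward"            # RA guard inspects only Router Advertisements
    if policy is None:
        return "forward"            # no policy attached to this port: not inspected
    if policy.trusted_port:
        return "forward"            # trusted port: RAs pass unchecked
    if policy.device_role == "router":
        return "forward"            # router-facing port: RAs are expected here
    return "drop"                   # host-facing port: an RA is never legitimate


def run_ra_guard(attachments: Dict[str, RaGuardPolicy],
                 frames: List[Frame]) -> Dict[str, int]:
    """Apply the per-port attachments (ipv6 nd raguard attach-policy) and
    return the number of dropped RAs per port."""
    dropped: Dict[str, int] = {}
    for frame in frames:
        if ra_guard_verdict(attachments.get(frame.ingress_port), frame) == "drop":
            dropped[frame.ingress_port] = dropped.get(frame.ingress_port, 0) + 1
    return dropped


# Constructed sample: policy1 (device-role host) on two access ports, a
# router-role policy on the uplink, and nothing attached to Gi1/0/3.
HOST_POLICY = RaGuardPolicy("policy1")
UPLINK_POLICY = RaGuardPolicy("uplink", device_role="router")
SAMPLE_ATTACHMENTS = {
    "Gi1/0/1": HOST_POLICY,
    "Gi1/0/2": HOST_POLICY,
    "Gi1/0/24": UPLINK_POLICY,
}
SAMPLE_FRAMES = [
    Frame("Gi1/0/24", ICMPV6_ROUTER_ADVERTISEMENT),   # legitimate RA from the uplink
    Frame("Gi1/0/1", ICMPV6_ROUTER_SOLICITATION),     # host asking for a router: allowed
    Frame("Gi1/0/1", ICMPV6_ROUTER_ADVERTISEMENT),    # RA from a host port: dropped
    Frame("Gi1/0/1", ICMPV6_ROUTER_ADVERTISEMENT),    # and again
    Frame("Gi1/0/3", ICMPV6_ROUTER_ADVERTISEMENT),    # no policy attached: not inspected
    Frame("Gi1/0/2", None),                           # non-ICMPv6 traffic
]

if __name__ == "__main__":
    print(run_ra_guard(SAMPLE_ATTACHMENTS, SAMPLE_FRAMES))
```

Running it on the sample yields {"Gi1/0/1": 2}: only the two RAs on the host-role port are dropped. Note the Gi1/0/3 case, where the global policy exists but nothing is attached to the port, so the RA is not inspected at all; RA guard protects only the interfaces the policy is attached to.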

Examples

The following example shows how to define the RA guard policy name as policy1 and place the device in policy configuration mode:


Device(config)# ipv6 nd raguard policy policy1
Device(config-ra-guard)#

ipv6 traffic-filter

To enable the filtering of IPv6 traffic on an interface, use the ipv6 traffic-filter command. To disable the filtering of IPv6 traffic on an interface, use the no form of the command.

Use the ipv6 traffic-filter interface configuration command on the switch stack or on a standalone switch to filter IPv6 traffic on an interface. The type and direction of traffic that you can filter depends on the feature set running on the switch stack.

ipv6 traffic-filter [web] acl-name

no ipv6 traffic-filter [web]

Syntax Description

web

(Optional) Specifies an IPv6 access name for the WLAN Web ACL.

acl-name

Specifies an IPv6 access name.

Command Default

Filtering of IPv6 traffic on an interface is not configured.

Command Modes

WLAN configuration (config-wlan)

Command History

Release Modification

Cisco IOS XE Gibraltar 16.10.1

This command was introduced.

Usage Guidelines

To configure the dual IPv4 and IPv6 template, enter the sdm prefer dual-ipv4-and-ipv6 {default | vlan} global configuration command and reload the switch.

You can use the ipv6 traffic-filter command on physical interfaces (Layer 2 or Layer 3 ports), Layer 3 port channels, or switch virtual interfaces (SVIs).

You can apply an ACL to outbound or inbound traffic on Layer 3 interfaces (router ACLs), or to inbound traffic on Layer 2 interfaces (port ACLs).

If any port ACL (IPv4, IPv6, or MAC) is applied to an interface, that port ACL is used to filter packets, and any router ACLs attached to the SVI of the port VLAN are ignored.

Examples

This example shows how to filter IPv6 traffic on an interface:

Device(config-wlan)# ipv6 traffic-filter TestDocTrafficFilter

key

To identify an authentication key on a key chain, use the key command in key-chain configuration mode. To remove the key from the key chain, use the no form of this command.

key key-id

no key key-id

Syntax Description

key-id

Identification number of an authentication key on a key chain. The range of keys is from 0 to 2147483647. The key identification numbers need not be consecutive.

Command Default

No key exists on the key chain.

Command Modes

Key-chain configuration (config-keychain)

Usage Guidelines

It is useful to have multiple keys on a key chain so that the software can sequence through the keys as they expire, based on the accept-lifetime and send-lifetime key chain key command settings.

Each key has its own key identifier, which is stored locally. The combination of the key identifier and the interface associated with the message uniquely identifies the authentication algorithm and Message Digest 5 (MD5) authentication key in use. Only one authentication packet is sent, regardless of the number of valid keys. The software starts looking at the lowest key identifier number and uses the first valid key.

If the last key expires, authentication will continue and an error message will be generated. To disable authentication, you must manually delete the last valid key.

To remove all keys, remove the key chain by using the no key chain command.
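
Key selection by key-id and lifetime, as an added example rather than Cisco's code: a Python model of the rules stated above. The lowest key-id with an active send-lifetime is used to send, a received key-id is accepted only within that key's accept-lifetime, and when every key has expired the software keeps sending with the last key while reporting an error. Lifetimes are plain epoch seconds instead of the accept-lifetime and send-lifetime syntax, the MD5 digest itself is not computed, and the key chain contents are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

Lifetime = Tuple[int, Optional[int]]   # (start, end) in epoch seconds; end None = infinite


@dataclass
class Key:
    """One 'key key-id' entry with its key-string and both lifetimes."""
    key_id: int
    key_string: str
    accept_lifetime: Lifetime
    send_lifetime: Lifetime


def _active(window: Lifetime, now: int) -> bool:
    start, end = window
    return start <= now and (end is None or now < end)


def select_send_key(keys: List[Key], now: int) -> Tuple[Optional[Key], Optional[str]]:
    """Return (key, error). The software starts at the lowest key-id and uses
    the first key whose send-lifetime covers 'now'. If every key has expired,
    authentication continues with the key that expired last and an error is
    reported; only deleting that last key disables authentication."""
    for key in sorted(keys, key=lambda k: k.key_id):
        if _active(key.send_lifetime, now):
            return key, None
    if not keys:
        return None, "no keys on the key chain; authentication disabled"
    expired = [k for k in keys if k.send_lifetime[1] is not None and k.send_lifetime[1] <= now]
    if not expired:
        return None, "no key on the key chain is valid yet"
    last = max(expired, key=lambda k: k.send_lifetime[1])
    return last, f"all keys expired; still sending with key {last.key_id}"


def accept_received(keys: List[Key], key_id: int, now: int) -> bool:
    """A received packet carries the sender's key-id; it is accepted only if
    that key exists on the chain and its accept-lifetime covers 'now'."""
    for key in keys:
        if key.key_id == key_id:
            return _active(key.accept_lifetime, now)
    return False


# Constructed chain: key 1 is being retired, key 5 takes over. The accept
# windows overlap the send windows so peers with slightly skewed clocks keep
# authenticating through the rollover.
SAMPLE_KEYS = [
    Key(1, "old-secret", accept_lifetime=(0, 1100), send_lifetime=(0, 1000)),
    Key(5, "new-secret", accept_lifetime=(900, 2100), send_lifetime=(900, 2000)),
]

if __name__ == "__main__":
    for now in (500, 950, 1500, 2500):
        key, err = select_send_key(SAMPLE_KEYS, now)
        print(now, "->", key.key_id if key else None, err)
```

At time 950 both keys are valid for sending and key 1 wins because it has the lower key-id, not because it is older. At 1050 key 1 is no longer used to send, but packets that still carry key-id 1 are accepted until its accept-lifetime ends at 1100. After 2000 every key has expired; sending continues with key 5 and the error string is what an operator should be watching for.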

Examples

The following example shows how to specify a key to identify authentication on a key-chain:

Device(config-keychain)# key 1

key config-key password-encrypt

To set a private configuration key for password encryption, use the key config-key password-encrypt command. To disable this feature, use the no form of this command.

key config-key password-encrypt <config-key>

Syntax Description

config-key

Enter a value of at least 8 characters.

Note

The value must not begin with any of the following special characters: !, #, and ;

Command Default

None

Command Modes

Global configuration mode

Command History

Release Modification

Cisco IOS XE Gibraltar 17.6.1

This command was introduced.

Examples

The following example shows how to set a configuration key for password encryption and enable AES password encryption in an AP profile:

Device# enable
Device# configure terminal
Device(config)# key config-key password-encrypt 12345678
Device(config-ap-profile)# password encryption aes
Device(config-ap-profile)# end

ldap attribute-map

To configure a dynamic attribute map on an SLDAP server, use the ldap attribute-map command.

ldap attribute-map map-name

Command Default

None

Command Modes

Global configuration (config)

Command History

Release Modification

Cisco IOS XE Gibraltar 16.10.1

This command was introduced.

Examples

This example shows how to configure a dynamic attribute map on an SLDAP server:

Device# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Device(config)# ldap attribute-map map1
Device(config-attr-map)# map type department supplicant-group
Device(config-attr-map)# exit

ldap server

To configure a secure LDAP (SLDAP) server, use the ldap server command.

ldap server name

Syntax Description

name

Server name.

Command Default

None

Command Modes

Global configuration (config)

Command History

Release Modification

Cisco IOS XE Gibraltar 16.10.1

This command was introduced.

Examples

This example shows how to configure secure LDAP:

Device# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Device(config)# ldap server server1
Device(config-ldap-server)# ipv4 9.4.109.20
Device(config-ldap-server)# timeout retransmit 20
Device(config-ldap-server)# bind authenticate root-dn CN=ldapipv6user,CN=Users,DC=ca,DC=ssh2,DC=com password Cisco12345
Device(config-ldap-server)# base-dn CN=Users,DC=ca,DC=ssh2,DC=com
Device(config-ldap-server)# mode secure no-negotiation
Device(config-ldap-server)# end

license air level

To configure AIR licenses on a wireless controller, enter the license air level command in global configuration mode. To revert to the default setting, use the no form of this command.

license air level { air-network-advantage [ addon air-dna-advantage ] | air-network-essentials [ addon air-dna-essentials ] }

no license air level

Syntax Description

air-network-advantage

Configures the AIR Network Advantage license level.

addon air-dna-advantage

(Optional) Configures the add-on AIR DNA Advantage license level.

This add-on option is available with the AIR Network Advantage license.

air-network-essentials

Configures the AIR Network Essentials license level.

addon air-dna-essentials

(Optional) Configures the add-on AIR DNA Essentials license level.

This add-on option is available with the AIR Network Essentials license.

Command Default

For all Cisco Catalyst 9800 Wireless controllers the default license is AIR DNA Advantage.

For EWC-APs:

  • Prior to Cisco IOS XE Bengaluru 17.4.1, the default license is AIR DNA Essentials.

  • Starting with Cisco IOS XE Bengaluru 17.4.1, the default license is AIR Network Essentials.

Command Modes

Global configuration (config)

Command History

Release Modification

Cisco IOS XE Gibraltar 16.10.1

This command was introduced.

Cisco IOS XE Amsterdam 17.3.2a

This command continues to be available and applicable with the introduction of Smart Licensing Using Policy.

Cisco IOS XE Bengaluru 17.4.1

Only for EWC-APs, the default license was changed from AIR DNA Essentials to AIR Network Essentials.

Usage Guidelines

In the Smart Licensing Using Policy environment, you can use the license air level command to change the license level being used on the product instance, or to additionally configure an add-on license on the product instance. The change is effective after a reload.

The licenses that can be configured are:

  • AIR Network Essentials

  • AIR Network Advantage

  • AIR DNA Essentials

  • AIR DNA Advantage

You can configure the AIR DNA Essentials or AIR DNA Advantage license level and, on term expiry, move to the AIR Network Advantage or AIR Network Essentials license level if you do not want to renew the DNA license.

Every connecting AP requires a Cisco DNA Center License to leverage the unique value properties of the controller.

Examples

The following example shows how to configure the AIR DNA Essentials license level:

Device# configure terminal
Device(config)# license air level air-network-essentials addon air-dna-essentials

The following example shows how the AIR DNA Advantage license level is configured to begin with and then changed to AIR DNA Essentials:

Current configuration as AIR DNA Advantage:

Device# show version
Cisco IOS XE Software, Version 17.03.02
Cisco IOS Software [Amsterdam], C9800-CL Software (C9800-CL-K9_IOSXE), Version 17.3.2, RELEASE SOFTWARE
<output truncated>
AIR License Level: AIR DNA Advantage
Next reload AIR license Level: AIR DNA Advantage

Smart Licensing Status: Registration Not Applicable/Not Applicable
<output truncated>
Configuration of AIR DNA Essentials :
Device# configure terminal
Device(config)# license air level air-network-essentials addon air-dna-essentials
Device(config)# exit
Device# show version
Cisco IOS XE Software, Version 17.03.02
Cisco IOS Software [Amsterdam], C9800-CL Software (C9800-CL-K9_IOSXE), Version 17.3.2, RELEASE SOFTWARE 
<output truncated>
AIR License Level: AIR DNA Advantage
Next reload AIR license Level: AIR DNA Essentials          
Smart Licensing Status: Registration Not Applicable/Not Applicable
<output truncated>

Device# write memory
Device# reload
After reload:
Device# show version
Cisco IOS XE Software, Version 17.03.02
Cisco IOS Software [Amsterdam], C9800-CL Software (C9800-CL-K9_IOSXE), Version 17.3.2, RELEASE SOFTWARE 
<output truncated>
AIR License Level: AIR DNA Essentials
Next reload AIR license Level: AIR DNA Essentials

Smart Licensing Status: Registration Not Applicable/Not Applicable
<output truncated>

license smart (global config)

To configure licensing-related settings such as the mode of transport and the URL that the product instance uses to communicate with Cisco Smart Software Manager (CSSM), Cisco Smart Licensing Utility (CSLU), or Smart Software Manager On-Prem (SSM On-Prem), to configure the usage reporting interval, and to configure the information that must be excluded from or included in a license usage report (RUM report), enter the license smart command in global configuration mode. Use the no form of the command to revert to default values.

license smart { custom_id ID | enable | privacy { all | hostname | version } | proxy { address address_hostname | port port } | reservation | server-identity-check | transport { automatic | callhome | cslu | off | smart } | url { url | cslu cslu_or_on-prem_url | default | smart smart_url | utility secondary_url } | usage { customer-tags { tag1 | tag2 | tag3 | tag4 } tag_value | interval interval_in_days } | utility [ customer_info { city city | country country | postalcode postalcode | state state | street street } ] }

no license smart { custom_id | enable | privacy { all | hostname | version } | proxy { address address_hostname | port port } | reservation | server-identity-check | transport | url { url | cslu cslu_or_on-prem_url | default | smart smart_url | utility secondary_url } | usage { customer-tags { tag1 | tag2 | tag3 | tag4 } tag_value | interval interval_in_days } | utility [ customer_info { city city | country country | postalcode postalcode | state state | street street } ] }

Syntax Description

custom_id ID

Although available on the CLI, this option is not supported.

enable

Although visible on the CLI, configuring this keyword has no effect. Smart licensing is always enabled.

privacy { all | hostname | version }

Sets a privacy flag to prevent the sending of the specified data privacy related information.

When the flag is disabled, the corresponding information is sent in a message or offline file created by the product instance.

Depending on the topology this is sent to one or more components, including CSSM, CSLU, and SSM On-Prem.

All data privacy settings are disabled by default. You must configure the option you want to exclude from all communication:

  • all : All data privacy related information is excluded from any communication.

    The no form of the command causes all data privacy related information to be sent in a message or offline file.

    Note

    The Product ID (PID) and serial number are included in the RUM report regardless of whether data privacy is enabled or not.

  • hostname : Excludes hostname information from any communication. When hostname privacy is enabled, the UDI of the product instance is displayed on the applicable user interfaces (CSSM, CSLU, and SSM On-Prem).

    The no form of the command causes hostname information to be sent in a message or offline file. The hostname is displayed on the applicable user interfaces (CSSM, CSLU, and SSM On-Prem).

  • version : Excludes the Cisco IOS-XE software version running on the product instance and the Smart Agent version from any communication.

    The no form of the command causes version information to be sent in a message or offline file.

proxy { address address_hostname | port port }

Configures a proxy for license usage synchronization with CSLU or CSSM. This means that you can use this option to configure a proxy only if the transport mode is license smart transport smart (CSSM), or license smart transport cslu (CSLU).

However, you cannot configure a proxy for license usage synchronization in an SSM On-Prem deployment, which also uses license smart transport cslu as the transport mode.

Configure the following options:

  • address address_hostname : Configures the proxy address.

    For address_hostname, enter the IP address or hostname of the proxy.

  • port port : Configures the proxy port.

    For port, enter the proxy port number.

reservation

Enables or disables a license reservation feature.

Note

Although available on the CLI, this option is not applicable because license reservation is not applicable in the Smart Licensing Using Policy environment.

server-identity-check

Enables or disables the HTTP secure server identity check.

transport { automatic | callhome | cslu | off | smart }

Configures the mode of transport the product instance uses to communicate with CSSM. Choose from the following options:

  • automatic : Sets the transport mode cslu .

    Note