Command Reference, Cisco IOS XE Denali 16.3.x (Catalyst 3850 Switches)

aaa accounting

To enable authentication, authorization, and accounting (AAA) accounting of requested services for billing or security purposes when you use RADIUS or TACACS+, use the aaa accounting command in global configuration mode. To disable AAA accounting, use the no form of this command.

aaa accouting { auth-proxy | system | network | exec | connections | commands level} { default | list-name} { start-stop | stop-only | none} [ broadcast] group group-name

no aaa accouting { auth-proxy | system | network | exec | connections | commands level} { default | list-name} { start-stop | stop-only | none} [ broadcast] group group-name

Syntax Description


auth-proxy	Provides information about all authenticated-proxy user events.
system	Performs accounting for all system-level events not associated with users, such as reloads.
network	Runs accounting for all network-related service requests.
exec	Runs accounting for EXEC shell session. This keyword might return user profile information such as what is generated by the autocommand command.
connection	Provides information about all outbound connections made from the network access server.
commands `level`	Runs accounting for all commands at the specified privilege level. Valid privilege level entries are integers from 0 through 15.
default	Uses the listed accounting methods that follow this argument as the default list of methods for accounting services.
`list-name`	Character string used to name the list of at least one of the accounting methods decribed in
start-stop	Sends a "start" accounting notice at the beginning of a process and a "stop" accounting notice at the end of a process. The "start" accounting record is sent in the background. The requested user process begins regardless of whether the "start" accounting notice was received by the accounting server.
stop-only	Sends a "stop" accounting notice at the end of the requested user process.
none	Disables accounting services on this line or interface.
broadcast	(Optional) Enables sending accounting records to multiple AAA servers. Simultaneously sends accounting records to the first server in each group. If the first server is unavailable, fail over occurs using the backup servers defined within that group.
`group groupname`	At least one of the keywords described in Table 1

Command Default

AAA accounting is disabled.

Command Modes

Global configuration

Command History


Release	Modification
Cisco IOS XE 3.2SE	This command was introduced.

Usage Guidelines

Use the aaa accounting command to enable accounting and to create named method lists defining specific accounting methods on a per-line or per-interface basis.

Table 1. AAA accounting Methods
Keyword	Description
group radius	Uses the list of all RADIUS servers for authentication as defined by the aaa group server radius command.
group tacacs+	Uses the list of all TACACS+ servers for authentication as defined by the aaa group server tacacs+ command.
group `group-name`	Uses a subset of RADIUS or TACACS+ servers for accounting as defined by the server group group-name.

In Table 1, the group radius and group tacacs+ methods refer to a set of previously defined RADIUS or TACACS+ servers. Use the radius server and tacacs server commands to configure the host servers. Use the aaa group server radius and aaa group server tacacs+ commands to create a named group of servers.

Cisco IOS software supports the following two methods of accounting:

RADIUS—The network access server reports user activity to the RADIUS security server in the form of accounting records. Each accounting record contains accounting attribute-value (AV) pairs and is stored on the security server.
TACACS+—The network access server reports user activity to the TACACS+ security server in the form of accounting records. Each accounting record contains accounting attribute-value (AV) pairs and is stored on the security server.

Method lists for accounting define the way accounting will be performed. Named accounting method lists enable you to designate a particular security protocol to be used on specific lines or interfaces for particular types of accounting services. Create a list by entering the list-name and the method , where list-name is any character string used to name this list (excluding the names of methods, such as radius or tacacs+) and method identifies the methods to be tried in sequence as given.

If the aaa accounting command for a particular accounting type is issued without a named method list specified, the default method list is automatically applied to all interfaces or lines (where this accounting type applies) except those that have a named method list explicitly defined. (A defined method list overrides the default method list.) If no default method list is defined, then no accounting takes place.

Note

System accounting does not use named accounting lists; you can only define the default list for system accounting.

For minimal accounting, include the stop-only keyword to send a stop record accounting notice at the end of the requested user process. For more accounting, you can include the start-stop keyword, so that RADIUS or TACACS+ sends a start accounting notice at the beginning of the requested process and a stop accounting notice at the end of the process. Accounting is stored only on the RADIUS or TACACS+ server. The none keyword disables accounting services for the specified line or interface.

When AAA accounting is activated, the network access server monitors either RADIUS accounting attributes or TACACS+ AV pairs pertinent to the connection, depending on the security method you have implemented. The network access server reports these attributes as accounting records, which are then stored in an accounting log on the security server. For a list of supported RADIUS accounting attributes, refer to the appendix RADIUS Attributes in the Cisco IOS Security Configuration Guide. For a list of supported TACACS+ accounting AV pairs, refer to the appendix TACACS+ Attribute-Value Pairs in the Cisco IOS Security Configuration Guide.

Note

This command cannot be used with TACACS or extended TACACS.

This example defines a default commands accounting menthod list, where accounting services are provided by a TACACS+ security server, set for privilege level 15 commands with a stop-only restriction:


Device(config)# aaa accounting commands 15 default stop-only group TACACS+

This example defines a default auth-proxy accounting method list, where accounting services are provided by a TACACS+ security server with a stop-only restriction. The aaa accounting commands activates authentication proxy accouting.


Device(config)# aaa new model
Device(config)# aaa authentication login default group TACACS+
Device(config)# aaa authorization auth-proxy default group TACACS+
Device(config)# aaa accounting auth-proxy default start-stop group TACACS+

aaa accounting dot1x

To enable authentication, authorization, and accounting (AAA) accounting and to create method lists defining specific accounting methods on a per-line or per-interface basis for IEEE 802.1x sessions, use the aaa accounting dot1x command in global configuration mode. To disable IEEE 802.1x accounting, use the no form of this command.

aaa accounting dot1x { name|default }start-stop { broadcast group { name|radius |tacacs+}[ group { name|radius|tacacs+}...]|group { name|radius|tacacs+} [group { name|radius|tacacs+} ... ]}

no aaa accounting dot1x { name|default }

Syntax Description


`name`	Name of a server group. This is optional when you enter it after the broadcast group and group keywords.
default	Specifies the accounting methods that follow as the default list for accounting services.
start-stop	Sends a start accounting notice at the beginning of a process and a stop accounting notice at the end of a process. The start accounting record is sent in the background. The requested user process begins regardless of whether or not the start accounting notice was received by the accounting server.
broadcast	Enables accounting records to be sent to multiple AAA servers and sends accounting records to the first server in each group. If the first server is unavailable, the switch uses the list of backup servers to identify the first server.
group	Specifies the server group to be used for accounting services. These are valid server group names: `name` — Name of a server group. radius — Lists of all RADIUS hosts. tacacs+ — Lists of all TACACS+ hosts. The group keyword is optional when you enter it after the broadcast group and group keywords. You can enter more than optional group keyword.
radius	(Optional) Enables RADIUS accounting.
tacacs+	(Optional) Enables TACACS+ accounting.

Command Default

AAA accounting is disabled.

Command Modes

Global configuration

Command History


Release	Modification
Cisco IOS XE 3.2SE	This command was introduced.

Usage Guidelines

This command requires access to a RADIUS server.

We recommend that you enter the dot1x reauthentication interface configuration command before configuring IEEE 802.1x RADIUS accounting on an interface.

This example shows how to configure IEEE 802.1x accounting:


Device(config)# aaa new-model
Device(config)# aaa accounting dot1x default start-stop group radius

aaa accounting identity

To enable authentication, authorization, and accounting (AAA) accounting for IEEE 802.1x, MAC authentication bypass (MAB), and web authentication sessions, use the aaa accounting identity command in global configuration mode. To disable IEEE 802.1x accounting, use the no form of this command.

aaa accounting identity { name|default }start-stop { broadcast group { name|radius |tacacs+}[ group { name|radius|tacacs+}...]|group { name|radius|tacacs+} [group { name|radius|tacacs+} ... ]}

no aaa accounting identity { name|default }

Syntax Description


`name`	Name of a server group. This is optional when you enter it after the broadcast group and group keywords.
default	Uses the accounting methods that follow as the default list for accounting services.
start-stop	Sends a start accounting notice at the beginning of a process and a stop accounting notice at the end of a process. The start accounting record is sent in the background. The requested-user process begins regardless of whether or not the start accounting notice was received by the accounting server.
broadcast	Enables accounting records to be sent to multiple AAA servers and send accounting records to the first server in each group. If the first server is unavailable, the switch uses the list of backup servers to identify the first server.
group	Specifies the server group to be used for accounting services. These are valid server group names: `name` — Name of a server group. radius — Lists of all RADIUS hosts. tacacs+ — Lists of all TACACS+ hosts. The group keyword is optional when you enter it after the broadcast group and group keywords. You can enter more than optional group keyword.
radius	(Optional) Enables RADIUS authorization.
tacacs+	(Optional) Enables TACACS+ accounting.

Command Default

AAA accounting is disabled.

Command Modes

Global configuration

Command History


Release	Modification
Cisco IOS XE 3.2SE	This command was introduced.

Usage Guidelines

To enable AAA accounting identity, you need to enable policy mode. To enable policy mode, enter the authentication display new-style command in privileged EXEC mode.

This example shows how to configure IEEE 802.1x accounting identity:


Device# authentication display new-style

Please note that while you can revert to legacy style
configuration at any time unless you have explicitly
entered new-style configuration, the following caveats
should be carefully read and understood.

(1) If you save the config in this mode, it will be written
    to NVRAM in NEW-style config, and if you subsequently
    reload the router without reverting to legacy config and
    saving that, you will no longer be able to revert.

(2) In this and legacy mode, Webauth is not IPv6-capable. It
    will only become IPv6-capable once you have entered new-
    style config manually, or have reloaded with config saved
    in 'authentication display new' mode.

Device# configure terminal
Device(config)# aaa accounting identity default start-stop group radius

aaa authentication dot1x

To specify the authentication, authorization, and accounting (AAA) method to use on ports complying with the IEEE 802.1x authentication, use the aaa authentication dot1x command in global configuration mode on the switch stack or on a standalone switch. To disable authentication, use the no form of this command.

aaa authentication dot1x { default}method1

no aaa authentication dot1x { default}method1

Syntax Description

default

The default method when a user logs in. Use the listed authentication method that follows this argument.

method1

Specifies the server authentication. Enter the group radius keywords to use the list of all RADIUS servers for authentication.

Note

Though other keywords are visible in the command-line help strings, only the default and group radius keywords are supported.

Command Default

No authentication is performed.

Command Modes

Global configuration

Command History


Release	Modification
Cisco IOS XE 3.2SE	This command was introduced.

Usage Guidelines

The method argument identifies the method that the authentication algorithm tries in the specified sequence to validate the password provided by the client. The only method that is IEEE 802.1x-compliant is the group radius method, in which the client data is validated against a RADIUS authentication server.

If you specify group radius , you must configure the RADIUS server by entering the radius-server host global configuration command.

Use the show running-config privileged EXEC command to display the configured lists of authentication methods.

This example shows how to enable AAA and how to create an IEEE 802.1x-compliant authentication list. This authentication first tries to contact a RADIUS server. If this action returns an error, the user is not allowed access to the network.


Device(config)# aaa new-model
Device(config)# aaa authentication dot1x default group radius

aaa authorization

To set the parameters that restrict user access to a network, use the aaa authorization command in global configuration mode. To remove the parameters, use the no form of this command.

aaa authorization { auth-proxy| cache|commands level|config-commands|configuration | console|credential-download | exec | multicast|network|onep|policy-if|prepaid|radius-proxy|reverse-access | subscriber-service|template}{ default|list_name} [method1[method2...]]

aaa authorization { auth-proxy | cache | commands level | config-commands | configuration | console | credential-download | exec | multicast | network | reverse-access | template} { default | list_name } [ method1 [ method2 ...]]

no aaa authorization { auth-proxy | cache | commands level | config-commands | configuration | console | credential-download | exec | multicast | network | reverse-access | template} { default | list_name } [ method1 [ method2 ...]]

Syntax Description


auth-proxy	Runs authorization for authentication proxy services.
cache	Configures the authentication, authorization, and accounting (AAA) server.
commands	Runs authorization for all commands at the specified privilege level.
`level`	Specific command level that should be authorized. Valid entries are 0 through 15.
config-commands	Runs authorization to determine whether commands entered in configuration mode are authorized.
configuration	Downloads the configuration from the AAA server.
console	Enables the console authorization for the AAA server.
credential-download	Downloads EAP credential from Local/RADIUS/LDAP.
exec	Enables the console authorization for the AAA server.
multicast	Downloads the multicast configuration from the AAA server.
network	Runs authorization for all network-related service requests, including Serial Line Internet Protocol (SLIP), PPP, PPP Network Control Programs (NCPs), and AppleTalk Remote Access (ARA).
onep	Runs authorization for the ONEP service.
reverse-access	Runs authorization for reverse access connections, such as reverse Telnet.
template	Enables template authorization for the AAA server.
default	Uses the listed authorization methods that follow this keyword as the default list of methods for authorization.
`list_name`	Character string used to name the list of authorization methods.
`method1[` `method2...]`	(Optional) An authorization method or multiple authorization methods to be used for authorization. A method may be any one of the keywords listed in the table below.

Command Default

Authorization is disabled for all actions (equivalent to the method keyword none ).

Command Modes

Global configuration

Command History


Release	Modification
Cisco IOS XE 3.2SE	This command was introduced.

Usage Guidelines

Use the aaa authorization command to enable authorization and to create named methods lists, which define authorization methods that can be used when a user accesses the specified function. Method lists for authorization define the ways in which authorization will be performed and the sequence in which these methods will be performed. A method list is a named list that describes the authorization methods (such as RADIUS or TACACS+) that must be used in sequence. Method lists enable you to designate one or more security protocols to be used for authorization, which ensures a backup system in case the initial method fails. Cisco IOS software uses the first method listed to authorize users for specific network services; if that method fails to respond, the Cisco IOS software selects the next method listed in the method list. This process continues until there is successful communication with a listed authorization method, or until all the defined methods are exhausted.

Note

The Cisco IOS software attempts authorization with the next listed method only when there is no response from the previous method. If authorization fails at any point in this cycle--meaning that the security server or the local username database responds by denying the user services--the authorization process stops and no other authorization methods are attempted.

If the aaa authorization command for a particular authorization type is issued without a specified named method list, the default method list is automatically applied to all interfaces or lines (where this authorization type applies) except those that have a named method list explicitly defined. (A defined method list overrides the default method list.) If no default method list is defined, then no authorization takes place. The default authorization method list must be used to perform outbound authorization, such as authorizing the download of IP pools from the RADIUS server.

Use the aaa authorization command to create a list by entering the values for the list-name and the method arguments, where list-name is any character string used to name this list (excluding all method names) and method identifies the list of authorization methods tried in the given sequence.

Note

In the table that follows, the group group-name , group ldap , group radius , and group tacacs+ methods refer to a set of previously defined RADIUS or TACACS+ servers. Use the radius server and tacacs server commands to configure the host servers. Use the aaa group server radius , aaa group server ldap , and aaa group server tacacs+ commands to create a named group of servers.

This table describes the method keywords.

Table 2. aaa authorization Methods

Keyword

Description

cache group-name

Uses a cache server group for authorization.

group group-name

Uses a subset of RADIUS or TACACS+ servers for accounting as defined by the server group group-name command.

group ldap

Uses the list of all Lightweight Directory Access Protocol (LDAP) servers for authentication.

group radius

Uses the list of all RADIUS servers for authentication as defined by the aaa group server radius command.

grouptacacs+

Uses the list of all TACACS+ servers for authentication as defined by the aaa group server tacacs+ command.

if-authenticated

Allows the user to access the requested function if the user is authenticated.

Note

The if-authenticated method is a terminating method. Therefore, if it is listed as a method, any methods listed after it will never be evaluated.

local

Uses the local database for authorization.

none

Indicates that no authorization is performed.

Cisco IOS software supports the following methods for authorization:

Cache Server Groups—The router consults its cache server groups to authorize specific rights for users.
If-Authenticated—The user is allowed to access the requested function provided the user has been authenticated successfully.
Local—The router or access server consults its local database, as defined by the username command, to authorize specific rights for users. Only a limited set of functions can be controlled through the local database.
None—The network access server does not request authorization information; authorization is not performed over this line or interface.
RADIUS—The network access server requests authorization information from the RADIUS security server group. RADIUS authorization defines specific rights for users by associating attributes, which are stored in a database on the RADIUS server, with the appropriate user.
TACACS+—The network access server exchanges authorization information with the TACACS+ security daemon. TACACS+ authorization defines specific rights for users by associating attribute-value (AV) pairs, which are stored in a database on the TACACS+ security server, with the appropriate user.

Method lists are specific to the type of authorization being requested. AAA supports five different types of authorization:

Commands—Applies to the EXEC mode commands a user issues. Command authorization attempts authorization for all EXEC mode commands, including global configuration commands, associated with a specific privilege level.
EXEC—Applies to the attributes associated with a user EXEC terminal session.

Network—Applies to network connections. The network connections can include a PPP, SLIP, or ARA connection.

Note

You must configure the aaa authorization config-commands command to authorize global configuration commands, including EXEC commands prepended by the do command.

Reverse Access—Applies to reverse Telnet sessions.
Configuration—Applies to the configuration downloaded from the AAA server.

When you create a named method list, you are defining a particular list of authorization methods for the indicated authorization type.

Once defined, the method lists must be applied to specific lines or interfaces before any of the defined methods are performed.

The authorization command causes a request packet containing a series of AV pairs to be sent to the RADIUS or TACACS daemon as part of the authorization process. The daemon can do one of the following:

Accept the request as is.
Make changes to the request.
Refuse the request and authorization.

For a list of supported RADIUS attributes, see the module RADIUS Attributes. For a list of supported TACACS+ AV pairs, see the module TACACS+ Attribute-Value Pairs.

Note

Five commands are associated with privilege level 0: disable , enable , exit , help , and logout . If you configure AAA authorization for a privilege level greater than 0, these five commands will not be included in the privilege level command set.

The following example shows how to define the network authorization method list named mygroup, which specifies that RADIUS authorization will be used on serial lines using PPP. If the RADIUS server fails to respond, local network authorization will be performed.


Device(config)#  aaa authorization network mygroup group radius local

aaa new-model

To enable the authentication, authorization, and accounting (AAA) access control model, issue the aaa new-model command in global configuration mode. To disable the AAA access control model, use the no form of this command.

aaa new-model

no aaa new-model

Syntax Description

This command has no arguments or keywords.

Command Default

AAA is not enabled.

Command Modes

Global configuration (config)

Command History


Release	Modification
Cisco IOS XE 3.2SE	This command was introduced.

Usage Guidelines

This command enables the AAA access control system.

If the login local command is configured for a virtual terminal line (VTY), and the aaa new-model command is removed, you must reload the switch to get the default configuration or the login command. If the switch is not reloaded, the switch defaults to the login local command under the VTY.

Note

We do not recommend removing the aaa new-model command.

The following example shows this restriction:

Switch(config)# aaa new-model
Switch(config)# line vty 0 15
Switch(config-line)# login local
Switch(config-line)# exit
Switch(config)# no aaa new-model
Switch(config)# exit 
Switch# show running-config | b line vty

line vty 0 4
 login local  !<=== Login local instead of "login"
line vty 5 15
 login local
!

The following example initializes AAA:


Switch(config)# aaa new-model
Switch(config)#

Related Commands


Command	Description
aaa accounting	Enables AAA accounting of requested services for billing or security purposes.
aaa authentication arap	Enables an AAA authentication method for ARAP using TACACS+.
aaa authentication enable default	Enables AAA authentication to determine if a user can access the privileged command level.
aaa authentication login	Sets AAA authentication at login.
aaa authentication ppp	Specifies one or more AAA authentication method for use on serial interfaces running PPP.
aaa authorization	Sets parameters that restrict user access to a network.

aaa policy interface-config allow-subinterface

To enable authentication, authorization, and accounting (AAA) Link Control Protocol (LCP) interface configuration policy parameters, issue the aaa policy interface-config allow-subinterface command in global configuration mode. To disable LCP interface configuration policy parameters, use the no form of this command.

aaa policy interface-config allow-subinterface

no aaa policy interface-config allow-subinterface

Syntax Description


interface-config	Specifies the LCP interface configuration policy parameters.
allow-subinterface	Specifies not to create a full virtul access interface by default.

Command Modes

Global configuration (config)

Command History


Release	Modification
Cisco IOS XE 3.6.0E	This command was introduced.

Usage Guidelines

Use the interface-config keyword to apply interface configuration mode commands on the virtual access interface associated with the session.

The following example shows how to enable AAA LCP interface configuration policy parameters:

Device# configure terminal
Device(config)# aaa new-model
Device(config)# aaa policy interface-config allow-subinterface

Related Commands


Command	Description
aaa new-model	Enables the AAA access control model.

access-session mac-move deny

To disable MAC move on a device, use the access-session mac-move deny global configuration command. To return to the default setting, use the no form of this command.

access-session mac-move deny

no access-session mac-move deny

Syntax Description

This command has no arguments or keywords.

Command Default

MAC move is enabled.

Command Modes

Global configuration

Command History


Release	Modification
Cisco IOS XE 3.2SE	This command was introduced.

Usage Guidelines

The no form of this command enables authenticated hosts to move between any authentication-enabled ports (MAC authentication bypass [MAB], 802.1x, or Web-auth) on a device. For example, if there is a device between an authenticated host and port, and that host moves to another port, the authentication session is deleted from the first port, and the host is reauthenticated on the new port.

If MAC move is disabled, and an authenticated host moves to another port, it is not reauthenticated, and a violation error occurs.

This example shows how to enable MAC move on a device:


Device(config)# no access-session mac-move deny

Related Commands


Command	Description
authentication event	Sets the action for specific authentication events.
authentication fallback	Configures a port to use web authentication as a fallback method for clients that do not support IEEE 802.1x authentication.
authentication host-mode	Sets the authorization manager mode on a port.
authentication open	Enables or disables open access on a port.
authentication order	Sets the order of authentication methods used on a port.
authentication periodic	Enables or disables reauthentication on a port.
authentication port-control	Enables manual control of the port authorization state.
authentication priority	Adds an authentication method to the port-priority list.
authentication timer	Configures the timeout and reauthentication parameters for an 802.1x-enabled port.
authentication violation	Configures the violation modes that occur when a new device connects to a port or when a new device connects to a port with the maximum number of devices already connected to that port.
show authentication	Displays information about authentication manager events on the switch.

access-session template monitor

To set the access session template to monitor ports, use the access-session template monitor command in global configuration mode. To return to the default setting, use the no form of this command.

access-session template monitor

no access-session template monitor

Syntax Description

This command has no arguments or keywords.

Command Default

This command is not configured.

Command Modes

Global configuration (config)

Command History


Release	Modification
Cisco IOS XE Denali 16.1.1	This command was introduced.

Usage Guidelines

The access-session template monitor command enables session monitoring to create sessions on all ports where authentication configurations are not present, and MAC addresses are known. These sessions have open access ports for traffic, multi-auth host mode to control the number of hosts on a port, and port-control set to auto for sessions to undergo authentication and authorization. The access-session template monitor command is enabled by default if the device classifier or autoconf command is enabled. Session monitoring can be disabled on a per port basis.

This command is available on devices that has Identity-Based Networking Services (IBNS). The equivalent command for access-session template monitor command in IBNS new-style mode is access-session monitor . To switch from IBNS legacy mode to new style mode, use the authentication convert-to new-style command.

The following example shows how to set the access session template to monitor ports:

Device(config)# access-session template monitor

Related Commands


Command	Description
device classifier	Creates a monitor session for all the MAC addresses learned in the system.
authentication convert-to new-style	Converts all the relevant authentication commands to their CPL control policy-equivalents.

action

To set the action for the VLAN access map entry, use the action command in access-map configuration mode. To return to the default setting, use the no form of this command.

action {drop | forward}

no action

Syntax Description


drop	Drops the packet when the specified conditions are matched.
forward	Forwards the packet when the specified conditions are matched.

Command Default

The default action is to forward packets.

Command Modes

Access-map configuration

Command History


Release	Modification
Cisco IOS XE 3.2SE	This command was introduced.

Usage Guidelines

You enter access-map configuration mode by using the vlan access-map global configuration command.

If the action is drop , you should define the access map, including configuring any access control list (ACL) names in match clauses, before applying the map to a VLAN, or all packets could be dropped.

In access-map configuration mode, use the match access-map configuration command to define the match conditions for a VLAN map. Use the action command to set the action that occurs when a packet matches the conditions.

The drop and forward parameters are not used in the no form of the command.

You can verify your settings by entering the show vlan access-map privileged EXEC command.

This example shows how to identify and apply a VLAN access map (vmap4) to VLANs 5 and 6 that causes the VLAN to forward an IP packet if the packet matches the conditions defined in access list al2:

Device(config)# vlan access-map vmap4
Device(config-access-map)# match ip address al2
Device(config-access-map)# action forward
Device(config-access-map)# exit
Device(config)# vlan filter vmap4 vlan-list 5-6

authentication host-mode

To set the authorization manager mode on a port, use the authentication host-mode command in interface configuration mode. To return to the default setting, use the no form of this command.

authentication host-mode { multi-auth | multi-domain | multi-host | single-host}

no authentication host-mode

Syntax Description


multi-auth	Enables multiple-authorization mode (multi-auth mode) on the port.
multi-domain	Enables multiple-domain mode on the port.
multi-host	Enables multiple-host mode on the port.
single-host	Enables single-host mode on the port.

Command Default

Single host mode is enabled.

Command Modes

Interface configuration

Command History


Release	Modification
Cisco IOS XE 3.2SE	This command was introduced.

Usage Guidelines

Single-host mode should be configured if only one data host is connected. Do not connect a voice device to authenticate on a single-host port. Voice device authorization fails if no voice VLAN is configured on the port.

Multi-domain mode should be configured if data host is connected through an IP phone to the port. Multi-domain mode should be configured if the voice device needs to be authenticated.

Multi-auth mode should be configured to allow devices behind a hub to obtain secured port access through individual authentication. Only one voice device can be authenticated in this mode if a voice VLAN is configured.

Multi-host mode also offers port access for multiple hosts behind a hub, but multi-host mode gives unrestricted port access to the devices after the first user gets authenticated.

This example shows how to enable multi-auth mode on a port:


Device(config-if)# authentication host-mode multi-auth

This example shows how to enable multi-domain mode on a port:


Device(config-if)# authentication host-mode multi-domain

This example shows how to enable multi-host mode on a port:


Device(config-if)# authentication host-mode multi-host

This example shows how to enable single-host mode on a port:


Device(config-if)# authentication host-mode single-host

You can verify your settings by entering the show authentication sessions interface interface details privileged EXEC command.

authentication mac-move permit

To enable MAC move on a device, use the authentication mac-move permit command in global configuration mode. To disable MAC move, use the no form of this command.

authentication mac-move permit

no authentication mac-move permit

Syntax Description

This command has no arguments or keywords.

Command Default

MAC move is disabled.

Command Modes

Global configuration

Command History


Release	Modification
Cisco IOS XE 3.2SE	This command was introduced.

Usage Guidelines

This is a legacy command. The new command is access-session mac-move deny .

The command enables authenticated hosts to move between any authentication-enabled ports (MAC authentication bypass [MAB], 802.1x, or Web-auth) on a device. For example, if there is a device between an authenticated host and port, and that host moves to another port, the authentication session is deleted from the first port, and the host is reauthenticated on the new port.

If MAC move is disabled, and an authenticated host moves to another port, it is not reauthenticated, and a violation error occurs.

This example shows how to enable MAC move on a device:


Device(config)# authentication mac-move permit

Related Commands


Command	Description
access-session mac-move deny	Disables MAC move on a device.
authentication event	Sets the action for specific authentication events.
authentication fallback	Configures a port to use web authentication as a fallback method for clients that do not support IEEE 802.1x authentication.
authentication host-mode	Sets the authorization manager mode on a port.
authentication open	Enables or disables open access on a port.
authentication order	Sets the order of authentication methods used on a port.
authentication periodic	Enable or disables reauthentication on a port.
authentication port-control	Enables manual control of the port authorization state.
authentication priority	Adds an authentication method to the port-priority list.
authentication timer	Configures the timeout and reauthentication parameters for an 802.1x-enabled port.
authentication violation	Configures the violation modes that occur when a new device connects to a port or when a new device connects to a port with the maximum number of devices already connected to that port.
show authentication	Displays information about authentication manager events on the switch.

authentication priority

To add an authentication method to the port-priority list, use the authentication priority command in interface configuration mode. To return to the default, use the no form of this command.

authentication priority[dot1x|mab] { webauth}

no authentication priority[dot1x|mab] { webauth}

Syntax Description


dot1x	(Optional) Adds 802.1x to the order of authentication methods.
mab	(Optional) Adds MAC authentication bypass (MAB) to the order of authentication methods.
webauth	Adds web authentication to the order of authentication methods.

Command Default

The default priority is 802.1x authentication, followed by MAC authentication bypass and web authentication.

Command Modes

Interface configuration

Command History


Release	Modification
Cisco IOS XE 3.2SE	This command was introduced.

Usage Guidelines

Ordering sets the order of methods that the switch attempts when trying to authenticate a new device is connected to a port.

When configuring multiple fallback methods on a port, set web authentication (webauth) last.

Assigning priorities to different authentication methods allows a higher-priority method to interrupt an in-progress authentication method with a lower priority.

Note

If a client is already authenticated, it might be reauthenticated if an interruption from a higher-priority method occurs.

The default priority of an authentication method is equivalent to its position in execution-list order: 802.1x authentication, MAC authentication bypass (MAB), and web authentication. Use the dot1x , mab , and webauth keywords to change this default order.

This example shows how to set 802.1x as the first authentication method and web authentication as the second authentication method:


Device(config-if)# authentication priority dotx webauth

This example shows how to set MAB as the first authentication method and web authentication as the second authentication method:


Device(config-if)# authentication priority mab webauth

Related Commands


Command	Description
authentication control-direction	Configures the port mode as unidirectional or bidirectional.
authentication event fail	Specifies how the Auth Manager handles authentication failures as a result of unrecognized user credentials.
authentication event no-response action	Specifies how the Auth Manager handles authentication failures as a result of a nonresponsive host.
authentication event server alive action reinitialize	Reinitializes an authorized Auth Manager session when a previously unreachable authentication, authorization, and accounting server becomes available.
authentication event server dead action authorize	Authorizes Auth Manager sessions when the authentication, authorization, and accounting server becomes unreachable.
authentication fallback	Enables a web authentication fallback method.
authentication host-mode	Allows hosts to gain access to a controlled port.
authentication open	Enables open access on a port.
authentication order	Specifies the order in which the Auth Manager attempts to authenticate a client on a port.
authentication periodic	Enables automatic reauthentication on a port.
authentication port-control	Configures the authorization state of a controlled port.
authentication timer inactivity	Configures the time after which an inactive Auth Manager session is terminated.
authentication timer reauthenticate	Specifies the period of time between which the Auth Manager attempts to reauthenticate authorized ports.
authentication timer restart	Specifies the period of time after which the Auth Manager attempts to authenticate an unauthorized port.
authentication violation	Specifies the action to be taken when a security violation occurs on a port.
mab	Enables MAC authentication bypass on a port.
show authentication registrations	Displays information about the authentication methods that are registered with the Auth Manager.
show authentication sessions	Displays information about current Auth Manager sessions.
show authentication sessions interface	Displays information about the Auth Manager for a given interface.

authentication violation

To configure the violation modes that occur when a new device connects to a port or when a new device connects to a port after the maximum number of devices are connected to that port, use the authentication violation command in interface configuration mode.

authentication violation{protect| replace| restrict| shutdown }

no authentication violation{protect| replace| restrict| shutdown }

Syntax Description


protect	Drops unexpected incoming MAC addresses. No syslog errors are generated.
replace	Removes the current session and initiates authentication with the new host.
restrict	Generates a syslog error when a violation error occurs.
shutdown	Error-disables the port or the virtual port on which an unexpected MAC address occurs.

Command Default

Authentication violation shutdown mode is enabled.

Command Modes

Interface configuration

Command History


Release	Modification
Cisco IOS XE 3.2SE	This command was introduced.

Usage Guidelines

Use the authentication violation command to specify the action to be taken when a security violation occurs on a port.

This example shows how to configure an IEEE 802.1x-enabled port as error-disabled and to shut down when a new device connects it:


Device(config-if)# authentication violation shutdown

This example shows how to configure an 802.1x-enabled port to generate a system error message and to change the port to restricted mode when a new device connects to it:


Device(config-if)# authentication violation restrict

This example shows how to configure an 802.1x-enabled port to ignore a new device when it connects to the port:


Device(config-if)# authentication violation protect

This example shows how to configure an 802.1x-enabled port to remove the current session and initiate authentication with a new device when it connects to the port:


Device(config-if)# authentication violation replace

You can verify your settings by entering the show authentication privileged EXEC command.

cisp enable

To enable Client Information Signaling Protocol (CISP) on a switch so that it acts as an authenticator to a supplicant switch and a supplicant to an authenticator switch, use the cisp enable global configuration command.

cisp enable

no cisp enable

Syntax Description

This command has no arguments or keywords.

Command Default

No default behavior or values.

Command Modes

Global configuration

Command History


Release	Modification
Cisco IOS XE 3.2SE	This command was introduced.
Cisco IOS XE Denali 16.3.1	This command was reintroduced. This command was not supported in Cisco IOS XE Denali 16.1.x and Cisco IOS XE Denali 16.2.x

Usage Guidelines

The link between the authenticator and supplicant switch is a trunk. When you enable VTP on both switches, the VTP domain name must be the same, and the VTP mode must be server.

To avoid the MD5 checksum mismatch error when you configure VTP mode, verify that:

VLANs are not configured on two different switches, which can be caused by two VTP servers in the same domain.
Both switches have different configuration revision numbers.

This example shows how to enable CISP:


Device(config)# cisp enable

Related Commands


Command	Description
dot1x credentials `profile`	Configures a profile on a supplicant switch.
dot1x supplicant force-multicast	Forces 802.1X supplicant to send multicast packets.
dot1x supplicant controlled transient	Configures controlled access by 802.1X supplicant.
show cisp	Displays CISP information for a specified interface.

clear errdisable interface vlan

To reenable a VLAN that was error-disabled, use the clear errdisable interface command in privileged EXEC mode.

clear errdisable interface interface-id vlan [ vlan-list]

Syntax Description


`interface-id`	Specifies an interface.
`vlan list`	(Optional) Specifies a list of VLANs to be reenabled. If a VLAN list is not specified, then all VLANs are reenabled.

Command Default

No default behavior or values.

Command Modes

Privileged EXEC

Command History


Release	Modification
Cisco IOS XE 3.2SE	This command was introduced.

Usage Guidelines

You can reenable a port by using the shutdown and no shutdown interface configuration commands, or you can clear error-disable for VLANs by using the clear errdisable interface command.

This example shows how to reenable all VLANs that were error-disabled on Gigabit Ethernet port 4/0/2:


Device# clear errdisable interface gigabitethernet4/0/2 vlan

Related Commands


Command	Description
errdisable detect cause	Enables error-disabled detection for a specific cause or all causes.
errdisable recovery	Configures the recovery mechanism variables.
show errdisable detect	Displays error-disabled detection status.
show errdisable recovery	Displays error-disabled recovery timer information.
show interfaces status err-disabled	Displays interface status of a list of interfaces in error-disabled state.

clear mac address-table

To delete from the MAC address table a specific dynamic address, all dynamic addresses on a particular interface, all dynamic addresses on stack members, or all dynamic addresses on a particular VLAN, use the clear mac address-table command in privileged EXEC mode. This command also clears the MAC address notification global counters.

clear mac address-table{dynamic [ address mac-addr|interface interface-id|vlan vlan-id] |move update|notification}

Syntax Description


dynamic	Deletes all dynamic MAC addresses.
address `mac-addr`	(Optional) Deletes the specified dynamic MAC address.
interface `interface-id`	(Optional) Deletes all dynamic MAC addresses on the specified physical port or port channel.
vlan `vlan-id`	(Optional) Deletes all dynamic MAC addresses for the specified VLAN. The range is 1 to 4094.
move update	Clears the MAC address table move-update counters.
notification	Clears the notifications in the history table and reset the counters.

Command Default

No default behavior or values.

Command Modes

Privileged EXEC

Command History


Release	Modification
Cisco IOS XE 3.2SE	This command was introduced.

Usage Guidelines

You can verify that the information was deleted by entering the show mac address-table privileged EXEC command.

This example shows how to remove a specific MAC address from the dynamic address table:


Device# clear mac address-table dynamic address 0008.0070.0007

Related Commands


Command	Description
mac address-table notification	Enables the MAC address notification feature.
mac address-table move update {receive \| transmit}	Configures MAC address-table move update on the switch.
show mac address-table	Displays the MAC address table static and dynamic entries.
show mac address-table move update	Displays the MAC address-table move update information on the switch.
show mac address-table notification	Displays the MAC address notification settings for all interfaces or on the specified interface when the interface keyword is appended.
snmp trap mac-notification change	Enables the SNMP MAC address notification trap on a specific interface.

cts manual

To manually enable an interface for Cisco TrustSec Security (CTS), use the cts manual command in interface configuration mode.

cts manual

Syntax Description

This command has no arguments or keywords.

Command Default

Disabled

Command Modes

Interface configuration (config-if)

Command History


Release	Modification
Cisco IOS XE Denali 16.3.1	This command was modified with additional options.
Cisco IOS XE Denali 16.2.1	This command was introduced.

Usage Guidelines

Use the cts manual command to enter the TrustSec manual interface configuration in which policies and the Security Association Protocol (SAP) are configured on the link.

When cts manual command is configured, 802.1X authentication is not performed on the link. Use the policy subcommand to define and apply policies on the link. By default no policy is applied. To configure MACsec link-to-link encryption, the SAP negotiation parameters must be defined. By default SAP is not enabled. The same SAP Pairwise master key (PMK) should be configured on both sides of the link (that is, a shared secret)

The following example shows how to enter the Cisco TrustSec manual mode:


Switch# configure terminal
Switch(config)# interface gigabitethernet 0
Switch(config-if)# cts manual
Switch(config-if-cts-manual))#

The following example shows how to remove the CTS manual configuration from an interface:


Switch# configure terminal
Switch(config)# interface gigabitethernet 0
Switch(config-if)# no cts manual

Related Commands


Command	Description
propagate sgt (cts manual)	Enables Security Group Tag (SGT) propagation at Layer 2 on Cisco TrustSec Security (CTS) interfaces.
sap mode-list (cts manual)	Manually specifies the PMK and the SAP authentication and encryption modes to negotiate MACsec link encryption between two interfaces.
show cts interface	Displays Cisco TrustSec interface configuration statistics.

cts role-based enforcement

To enable Cisco TrustSec role-based (security group) access control enforcement, use the cts role-based enforcement command in global configuration mode. To disable the configuration, use the no form of this command.

cts role-based enforcement [logging-interval interval | vlan-list {all | vlan-ID [,] [-]}]

no cts role-based enforcement [logging-interval interval | vlan-list {all | vlan-ID [,] [-]}]

Syntax Description


logging-interval `interval`	(Optional) Configures a logging interval for a security group access control list (SGACL). Valid values for the `interval` argument are from 5 to 86400 seconds. The default is 300 seconds
vlan-list	(Optional) Configures VLANs on which role-based ACLs are enforced.
all	(Optional) Specifies all VLANs.
`vlan-ID`	(Optional) VLAN ID. Valid values are from 1 to 4094.
,	(Optional) Specifies another VLAN separated by a comma.
-	(Optional) Specifies a range of VLANs separated by a hyphen.

Command Default

Role-based access control is not enforced.

Command Modes

Global configuration (config)

Command History


Release	Modification
Cisco IOS XE Denali 16.3.1	This command was introduced.

Usage Guidelines

Note

RBACL and SGACL are used interchangeably.

Use the cts role-based enforcement command to globally enable or disable SGACL enforcement for Cisco TrustSec-enabled interfaces in the system.

The default interval after which log for a given flow is printed is 300 seconds. Use the logging-interval keyword to change the default interval. Logging is only triggered when the Cisco ACE Application Control Engine has the logging keyword.

SGACL enforcement is not enabled by default on VLANs. Use the cts role-based enforcement vlan-list command to enable or disable SGACL enforcement for Layer 2 switched packets and for Layer 3 switched packets on an switched virtual interface (SVI).

The vlan-ID argument can be a single VLAN ID, a list of VLAN IDs, or VLAN ID ranges.

When a VLAN in which a SGACL is enforced has an active SVI, the SGACL is enforced for both Layer 2 and Layer 3 switched packets within that VLAN. Without an SVI, the SGACL is enforced only for Layer 2 switched packets, because no Layer 3 switching is possible within a VLAN without an SVI.

The following example shows configure an SGACL logging interval:


Switch(config)# cts role-based enforcement logging-interval 90
Switch(config)# logging rate-limit

May 27 10:19:21.509: %RBM-6-SGACLHIT: 
ingress_interface='GigabitEthernet1/0/2' sgacl_name='sgacl2' action='Deny' 
protocol='icmp' src-ip='16.16.1.3' src-port='8' dest-ip='17.17.1.2' dest-port='0' 
sgt='101' dgt='202' logging_interval_hits='5'

Related Commands


Command	Description
logging rate-limit	Limits the rate of messages logged per second.
show cts role-based permissions	Displays the SGACL permission list.

cts role-based l2-vrf

To select a virtual routing and forwarding (VRF) instance for Layer 2 VLANs, use the cts role-based l2-vrf command in global configuration mode. To remove the configuration, use the no form of this command.

cts role-based l2-vrf vrf-namevlan-list {all | vlan-ID} [,] [-]

no cts role-based l2-vrf vrf-namevlan-list {all | vlan-ID} [,] [-]

Syntax Description


`vrf-name`	Name of the VRF instance.
vlan-list	Specifies the list of VLANs to be assigned to a VRF instance.
all	Specifies all VLANs.
`vlan-ID`	VLAN ID. Valid values are from 1 to 4094.
,	(Optional) Specifies another VLAN separated by a comma.
-	(Optional) Specifies a range of VLANs separated by a hyphen.

Command Default

VRF instances are not selected.

Command Modes

Global configuration (config)

Command History


Release	Modification
Cisco IOS XE Denali 16.3.1	This command was introduced.

Usage Guidelines

The vlan-list argument can be a single VLAN ID, a list of comma-separated VLAN IDs, or hyphen-separated VLAN ID ranges.

The all keyword is equivalent to the full range of VLANs supported by the network device. The all keyword is not preserved in the nonvolatile generation (NVGEN) process.

If the cts role-based l2-vrf command is issued more than once for the same VRF, each successive command entered adds the VLAN IDs to the specified VRF.

The VRF assignments configured by the cts role-based l2-vrf command are active as long as a VLAN remains a Layer 2 VLAN. The IP–SGT bindings learned while a VRF assignment is active are also added to the Forwarding Information Base (FIB) table associated with the VRF and the IP protocol version. If an Switched Virtual Interface (SVI) becomes active for a VLAN, the VRF-to-VLAN assignment becomes inactive and all bindings learned on the VLAN are moved to the FIB table associated with the VRF of the SVI.

Use the interface vlan command to configure an SVI interface, and the vrf forwarding command to associate a VRF instance to the interface.

The VRF-to-VLAN assignment is retained even when the assignment becomes inactive. It is reactivated when the SVI is removed or when the SVI IP address is changed. When reactivated, the IP–SGT bindings are moved back from the FIB table associated with the VRF of the SVI to the FIB table associated with the VRF assigned by the cts role-based l2-vrf command.

The following example shows how to select a list of VLANS to be assigned to a VRF instance:


Switch(config)# cts role-based l2-vrf vrf1 vlan-list 20

The following example shows how to configure an SVI interface and associate a VRF instance:


Switch(config)# interface vlan 101
Switch(config-if)# vrf forwarding vrf1

Related Commands


Command	Description
interface vlan	Configures a VLAN interface.
vrf forwarding	Associates a VRF instance or a virtual network with an interface or subinterface.
show cts role-based permissions	Displays the SGACL permission list.

cts role-based monitor

To enable role-based (security-group) access list monitoring, use the cts role-based monitor command in global configuration mode. To remove role-based access list monitoring, use the no form of this command.

cts role-based monitor {all | permissions | {default | from {sgt | unknown}} to {sgt | unknown} [ipv4]}

no cts role-based monitor {all | permissions | {default | from {sgt | unknown}} to {sgt | unknown} [ipv4]}

Syntax Description


all	Monitors permissions for all source tags to all destination tags.
permissions	Monitors permissions from a source tags to a destination tags.
default	Monitors the default permission list.
from	Specifies the source group tag for filtered traffic.
`sgt`	Security Group Tag (SGT). Valid values are from 2 to 65519.
unknown	Specifies an unknown source or destination group tag (DST).
ipv4	(Optional) Specifies the IPv4 protocol.

Command Default

Role-based access control monitoring is not enabled.

Command Modes

Global configuration (config)

Command History


Release	Modification
Cisco IOS XE Denali 16.3.1	This command was introduced.

Usage Guidelines

Use the cts role-based monitor all command to enable the global monitor mode. If the cts role-based monitor all command is configured, the output of the show cts role-based permissions command displays monitor mode for all configured policies as true.

The following examples shows how to configure SGACL monitor from a source tag to a destination tag:


Switch(config)# cts role-based monitor permissions from 10 to 11

Related Commands


Command	Description
show cts role-based permissions	Displays the SGACL permission list.

cts role-based permissions

To enable permissions from a source group to a destination group, use the cts role-based permissions command in global configuration mode. To remove the permissions, use the no form of this command.

cts role-based permissions {default ipv4 | from {sgt | unknown } to {sgt | unknown} {ipv4} {rbacl-name [rbacl-name....]}}

no cts role-based permissions {default [ipv4] | from {sgt | unknown} to {sgt | unknown} [ipv4]}

Syntax Description


default	Specifies the default permissions list. Every cell (an SGT pair) for which, security group access control list (SGACL) permission is not configured statically or dynamically falls under the default category.
ipv4	Specifies the IPv4 protocol.
from	Specifies the source group tag of the filtered traffic.
`sgt`	Security Group Tag (SGT). Valid values are from 2 to 65519.
unknown	Specifies an unknown source or destination group tag.
`rbacl-name`	Role-based access control list (RBACL) or SGACL name. Up to 16 SGACLs can be specified in the configuration.

Command Default

Permissions from a source group to a destination group is not enabled.

Command Modes

Global configuration (config)

Command History


Release	Modification
Cisco IOS XE Denali 16.3.1	This command was introduced.

Usage Guidelines

Use the cts role-based permissions command to define, replace, or delete the list of SGACLs for a given source group tag (SGT), destination group tag (DGT) pair. This policy is in effect as long as there is no dynamic policy for the same DGT or SGT.

The cts role-based permissions default command defines, replaces, or deletes the list of SGACLs of the default policy as long as there is no dynamic policy for the same DGT.

The following example shows how to enable permissions for a destination group:


Switch(config)# cts role-based permissions from 6 to 6 mon_2

Related Commands


Command	Description
show cts role-based permissions	Displays the SGACL permission list.

deny (MAC access-list configuration)

To prevent non-IP traffic from being forwarded if the conditions are matched, use the deny MAC access-list configuration command on the switch stack or on a standalone switch. To remove a deny condition from the named MAC access list, use the no form of this command.

deny { any|host src-MAC-addr|src-MAC-addr mask} { any|host dst-MAC-addr|dst-MAC-addr mask} [ type mask|aarp|amber|appletalk|dec-spanning|decnet-iv|diagnostic|dsm|etype-6000|etype-8042|lat|lavc-sca|lsap lsap mask|mop-console|mop-dump|msdos|mumps|netbios|vines-echo|vines-ip|xns-idp] [ cos cos]

no deny { any|host src-MAC-addr|src-MAC-addr mask} { any|host dst-MAC-addr|dst-MAC-addr mask} [ type mask|aarp|amber|appletalk|dec-spanning|decnet-iv|diagnostic|dsm|etype-6000|etype-8042|lat|lavc-sca|lsap lsap mask|mop-console|mop-dump|msdos|mumps|netbios|vines-echo|vines-ip|xns-idp] [ cos cos]

Syntax Description


any	Denies any source or destination MAC address.
host `src-MAC-addr\|src-MAC-addr mask`	Defines a host MAC address and optional subnet mask. If the source address for a packet matches the defined address, non-IP traffic from that address is denied.
host `dst-MAC-addr\|dst-MAC-addr mask`	Defines a destination MAC address and optional subnet mask. If the destination address for a packet matches the defined address, non-IP traffic to that address is denied.
`type mask`	(Optional) Specifies the EtherType number of a packet with Ethernet II or SNAP encapsulation to identify the protocol of the packet. The type is 0 to 65535, specified in hexadecimal. The mask is a mask of don’t care bits applied to the EtherType before testing for a match.
aarp	(Optional) Specifies EtherType AppleTalk Address Resolution Protocol that maps a data-link address to a network address.
amber	(Optional) Specifies EtherType DEC-Amber.
appletalk	(Optional) Specifies EtherType AppleTalk/EtherTalk.
dec-spanning	(Optional) Specifies EtherType Digital Equipment Corporation (DEC) spanning tree.
decnet-iv	(Optional) Specifies EtherType DECnet Phase IV protocol.
diagnostic	(Optional) Specifies EtherType DEC-Diagnostic.
dsm	(Optional) Specifies EtherType DEC-DSM.
etype-6000	(Optional) Specifies EtherType 0x6000.
etype-8042	(Optional) Specifies EtherType 0x8042.
lat	(Optional) Specifies EtherType DEC-LAT.
lavc-sca	(Optional) Specifies EtherType DEC-LAVC-SCA.
lsap `lsap-number mask`	(Optional) Specifies the LSAP number (0 to 65535) of a packet with 802.2 encapsulation to identify the protocol of the packet. mask is a mask of don’t care bits applied to the LSAP number before testing for a match.
mop-console	(Optional) Specifies EtherType DEC-MOP Remote Console.
mop-dump	(Optional) Specifies EtherType DEC-MOP Dump.
msdos	(Optional) Specifies EtherType DEC-MSDOS.
mumps	(Optional) Specifies EtherType DEC-MUMPS.
netbios	(Optional) Specifies EtherType DEC- Network Basic Input/Output System (NetBIOS).
vines-echo	(Optional) Specifies EtherType Virtual Integrated Network Service (VINES) Echo from Banyan Systems.
vines-ip	(Optional) Specifies EtherType VINES IP.
xns-idp	(Optional) Specifies EtherType Xerox Network Systems (XNS) protocol suite (0 to 65535), an arbitrary EtherType in decimal, hexadecimal, or octal.
cos `cos`	(Optional) Specifies a class of service (CoS) number from 0 to 7 to set priority. Filtering on CoS can be performed only in hardware. A warning message reminds the user if the cos option is configured.

Command Default

This command has no defaults. However, the default action for a MAC-named ACL is to deny.

Command Modes

Mac-access list configuration

Command History


Release	Modification
Cisco IOS XE 3.2SE	This command was introduced.

Usage Guidelines

You enter MAC-access list configuration mode by using the mac access-list extended global configuration command.

If you use the host keyword, you cannot enter an address mask; if you do not use the host keyword, you must enter an address mask.

When an access control entry (ACE) is added to an access control list, an implied deny-any-any condition exists at the end of the list. That is, if there are no matches, the packets are denied. However, before the first ACE is added, the list permits all packets.

To filter IPX traffic, you use the type mask or lsap lsap mask keywords, depending on the type of IPX encapsulation being used. Filter criteria for IPX encapsulation types as specified in Novell terminology and Cisco IOS terminology are listed in the table.

Table 3. IPX Filtering Criteria
IPX Encapsulation Type		Filter Criterion
Cisco IOS Name	Novel Name	Filter Criterion
arpa	Ethernet II	EtherType 0x8137
snap	Ethernet-snap	EtherType 0x8137
sap	Ethernet 802.2	LSAP 0xE0E0
novell-ether	Ethernet 802.3	LSAP 0xFFFF

This example shows how to define the named MAC extended access list to deny NETBIOS traffic from any source to MAC address 00c0.00a0.03fa. Traffic matching this list is denied.


Device(config-ext-macl)# deny any host 00c0.00a0.03fa netbios.

This example shows how to remove the deny condition from the named MAC extended access list:


Device(config-ext-macl)# no deny any 00c0.00a0.03fa 0000.0000.0000 netbios.

This example denies all packets with EtherType 0x4321:


Device(config-ext-macl)# deny any any 0x4321 0

You can verify your settings by entering the show access-lists privileged EXEC command.

Related Commands


Command	Description
mac access-list extended	Creates an access list based on MAC addresses for non-IP traffic.
permit	Permits from the MAC access-list configuration. Permits non-IP traffic to be forwarded if conditions are matched.
show access-lists	Displays access control lists configured on a switch.

device-role (IPv6 snooping)

To specify the role of the device attached to the port, use the device-role command in IPv6 snooping configuration mode.

device-role { node|switch}

Syntax Description


node	Sets the role of the attached device to node.
switch	Sets the role of the attached device to switch.

Command Default

The device role is node.

Command Modes

IPv6 snooping configuration

Command History


Release	Modification
Cisco IOS XE 3.2SE	This command was introduced.

Usage Guidelines

The device-role command specifies the role of the device attached to the port. By default, the device role is node.

The switch keyword indicates that the remote device is a switch and that the local switch is now operating in multiswitch mode; binding entries learned from the port will be marked with trunk_port preference level. If the port is configured as a trust-port, binding entries will be marked with trunk_trusted_port preference level.

This example shows how to define an IPv6 snooping policy name as policy1, place the device in IPv6 snooping configuration mode, and configure the device as the node:


Device(config)# ipv6 snooping policy policy1
Device(config-ipv6-snooping)# device-role node

device-role (IPv6 nd inspection)

To specify the role of the device attached to the port, use the device-role command in neighbor discovery (ND) inspection policy configuration mode.

device-role { host|monitor|router|switch}

Syntax Description


host	Sets the role of the attached device to host.
monitor	Sets the role of the attached device to monitor.
router	Sets the role of the attached device to router.
switch	Sets the role of the attached device to switch.

Command Default

The device role is host.

Command Modes

ND inspection policy configuration

Command History


Release	Modification
Cisco IOS XE 3.2SE	This command was introduced.

Usage Guidelines

The device-role command specifies the role of the device attached to the port. By default, the device role is host, and therefore all the inbound router advertisement and redirect messages are blocked. If the device role is enabled using the router keyword, all messages (router solicitation [RS], router advertisement [RA], or redirect) are allowed on this port.

When the router or monitor keyword is used, the multicast RS messages are bridged on the port, regardless of whether limited broadcast is enabled. However, the monitor keyword does not allow inbound RA or redirect messages. When the monitor keyword is used, devices that need these messages will receive them.

The switch keyword indicates that the remote device is a switch and that the local switch is now operating in multiswitch mode; binding entries learned from the port will be marked with trunk_port preference level. If the port is configured as a trust-port, binding entries will be marked with trunk_trusted_port preference level.

The following example defines a Neighbor Discovery Protocol (NDP) policy name as policy1, places the device in ND inspection policy configuration mode, and configures the device as the host:


Device(config)#  ipv6 nd inspection policy policy1
Device(config-nd-inspection)# device-role host

device-tracking policy

To configure a Switch Integrated Security Features (SISF)-based IP device tracking policy, use the device-tracking command in global configuration mode. To delete a device tracking policy, use the no form of this command.

device -tracking policy policy-name

no device-tracking policy policy-name

Syntax Description


`policy-name`	User-defined name of the device tracking policy. The policy name can be a symbolic string (such as Engineering) or an integer (such as 0).

Command Default

A device tracking policy is not configured.

Command Modes

Global configuration

Command History


Release	Modification
Cisco IOS XE Denali 16.1.1	This command was introduced.

Usage Guidelines

Use the SISF-based device-tracking policy command to create a device tracking policy. When the device-tracking policy command is enabled, the configuration mode changes to device-tracking configuration mode. In this mode, the administrator can configure the following first-hop security commands:

(Optional) device-role{node] | switch}—Specifies the role of the device attached to the port. Default is node.
(Optional) limit address-count value—Limits the number of addresses allowed per target.
(Optional) no—Negates a command or sets it to defaults.
(Optional) destination-glean{recovery| log-only}[dhcp]}—Enables binding table recovery by data traffic source address gleaning.
(Optional) data-glean{recovery| log-only}[dhcp | ndp]}—Enables binding table recovery using source or data address gleaning.
(Optional) security-level{glean|guard|inspect}—Specifies the level of security enforced by the feature. Default is guard.
- glean—Gleans addresses from messages and populates the binding table without any verification.
- guard—Gleans addresses and inspects messages. In addition, it rejects RA and DHCP server messages. This is the default option.
- inspect—Gleans addresses, validates messages for consistency and conformance, and enforces address ownership.
(Optional) tracking {disable | enable}—Specifies a tracking option.
(Optional) trusted-port—Sets up a trusted port. It disables the guard on applicable targets. Bindings learned through a trusted port have preference over bindings learned through any other port. A trusted port is given preference in case of a collision while making an entry in the table.

This example shows how to configure an a device-tracking policy:


Device(config)# device-tracking policy policy1
Device(config-device-tracking)# trusted-port

dot1x critical (global configuration)

To configure the IEEE 802.1X critical authentication parameters, use the dot1x critical command in global configuration mode.

dot1x critical eapol

Syntax Description


eapol	Specifies that the switch send an EAPOL-Success message when the switch successfully authenticates the critical port.

Command Default

eapol is disabled

Command Modes

Global configuration

Command History


Release	Modification
Cisco IOS XE 3.2SE	This command was introduced.

This example shows how to specify that the switch sends an EAPOL-Success message when the switch successfully authenticates the critical port:


Device(config)# dot1x critical eapol

dot1x max-start

To set the maximum number of Extensible Authentication Protocol over LAN (EAPOL) start frames that a supplicant sends (assuming that no response is received) to the client before concluding that the other end is 802.1X unaware, use the dot1x max-start command in interface configuration mode. To remove the maximum number-of-times setting, use the no form of this command.

dot1x max-start number

no dot1x max-start

Syntax Description


`number`	Maximum number of times that the router sends an EAPOL start frame. The value is from 1 to 10. The default is 3.

Command Default

The default maximum number setting is 3.

Command Modes

Interface configuration

Command History


Release	Modification
Cisco IOS XE 3.2SE	This command was introduced.

Usage Guidelines

You must enter the switchport mode access interface configuration command on a switch port before entering this command.

The following example shows that the maximum number of EAPOL Start requests has been set to 5:


Device(config)# interface g1/0/3
Device(config-if)# dot1x max-start 5

dot1x pae

To set the Port Access Entity (PAE) type, use the dot1x pae command in interface configuration mode. To disable the PAE type that was set, use the no form of this command.

dot1x pae { supplicant | authenticator | both}

no dot1x pae { supplicant | authenticator | both}

Syntax Description


supplicant	The interface acts only as a supplicant and will not respond to messages that are meant for an authenticator.
authenticator	The interface acts only as an authenticator and will not respond to any messages meant for a supplicant.
both	(Optional) The interface behaves both as a supplicant and as an authenticator and thus will respond to all dot1x messages.

Command Default

PAE type is not set.

Command Modes

Interface configuration

Command History


Release	Modification
Cisco IOS XE 3.2SE	This command was introduced.
Cisco IOS XE Denali 16.3.1	This command was reintroduced. This command was not supported in Cisco IOS XE Denali 16.1.x and Cisco IOS XE Denali 16.2.x

Usage Guidelines

Use the no dot1x pae interface configuration command to disable IEEE 802.1x authentication on the port.

When you configure IEEE 802.1x authentication on a port, such as by entering the dot1x port-control interface configuration command, the switch automatically configures the port as an IEEE 802.1x authenticator. After the no dot1x pae interface configuration command is entered, the Authenticator PAE operation is disabled.

The following example shows that the interface has been set to act as a supplicant:


Device(config)# interface g1/0/3
Device(config-if)# dot1x pae supplicant

dot1x supplicant controlled transient

To control access to an 802.1x supplicant port during authentication, use the dot1x supplicant controlled transient command in global configuration mode. To open the supplicant port during authentication, use the no form of this command

dot1x supplicant controlled transient

no dot1x supplicant controlled transient

Syntax Description

This command has no arguments or keywords.

Command Default

Access is allowed to 802.1x supplicant ports during authentication.

Command Modes

Global configuration

Command History


Release	Modification
Cisco IOS XE 3.2SE	This command was introduced.
Cisco IOS XE Denali 16.3.1	This command was reintroduced. This command was not supported in Cisco IOS XE Denali 16.1.x and Cisco IOS XE Denali 16.2.x

Usage Guidelines

In the default state, when you connect a supplicant switch to an authenticator switch that has BPCU guard enabled, the authenticator port could be error-disabled if it receives a Spanning Tree Protocol (STP) bridge protocol data unit (BPDU) packets before the supplicant switch has authenticated. Beginning with Cisco IOS Release 15.0(1)SE, you can control traffic exiting the supplicant port during the authentication period. Entering the dot1x supplicant controlled transient global configuration command temporarily blocks the supplicant port during authentication to ensure that the authenticator port does not shut down before authentication completes. If authentication fails, the supplicant port opens. Entering the no dot1x supplicant controlled transient global configuration command opens the supplicant port during the authentication period. This is the default behavior.

We strongly recommend using the dot1x supplicant controlled transient command on a supplicant switch when BPDU guard is enabled on the authenticator switch port with the spanning-tree bpduguard enable interface configuration command.

This example shows how to control access to 802.1x supplicant ports on a switch during authentication:


Device(config)# dot1x supplicant controlled transient

dot1x supplicant force-multicast

To force a supplicant switch to send only multicast Extensible Authentication Protocol over LAN (EAPOL) packets whenever it receives multicast or unicast EAPOL packets, use the dot1x supplicant force-multicast command in global configuration mode. To return to the default setting, use the no form of this command.

dot1x supplicant force-multicast

no dot1x supplicant force-multicast

Syntax Description

This command has no arguments or keywords.

Command Default

The supplicant switch sends unicast EAPOL packets when it receives unicast EAPOL packets. Similarly, it sends multicast EAPOL packets when it receives multicast EAPOL packets.

Command Modes

Global configuration

Command History


Release	Modification
Cisco IOS XE 3.2SE	This command was introduced.
Cisco IOS XE Denali 16.3.1	This command was reintroduced. This command was not supported in Cisco IOS XE Denali 16.1.x and Cisco IOS XE Denali 16.2.x

Usage Guidelines

Enable this command on the supplicant switch for Network Edge Access Topology (NEAT) to work in all host modes.

This example shows how force a supplicant switch to send multicast EAPOL packets to the authenticator switch:


Device(config)# dot1x supplicant force-multicast

Related Commands


Command	Description
cisp enable	Enable Client Information Signalling Protocol (CISP) on a switch so that it acts as an authenticator to a supplicant switch.
dot1x credentials	Configure the 802.1x supplicant credentials on the port.
dot1x pae supplicant	Configure an interface to act only as a supplicant.

dot1x test eapol-capable

To monitor IEEE 802.1x activity on all the switch ports and to display information about the devices that are connected to the ports that support IEEE 802.1x, use the dot1x test eapol-capable command in privileged EXEC mode on the switch stack or on a standalone switch.

dot1x test eapol-capable [ interface interface-id]

Syntax Description


interface `interface-id`	(Optional) Port to be queried.

Command Default

There is no default setting.

Command Modes

Privileged EXEC

Command History


Release	Modification
Cisco IOS XE 3.2SE	This command was introduced.

Usage Guidelines

Use this command to test the IEEE 802.1x capability of the devices connected to all ports or to specific ports on a switch.

There is not a no form of this command.

This example shows how to enable the IEEE 802.1x readiness check on a switch to query a port. It also shows the response received from the queried port verifying that the device connected to it is IEEE 802.1x-capable:


Device# dot1x test eapol-capable interface gigabitethernet1/0/13 

DOT1X_PORT_EAPOL_CAPABLE:DOT1X: MAC 00-01-02-4b-f1-a3 on gigabitethernet1/0/13 is EAPOL capable

Related Commands


Command	Description
dot1x test timeout `timeout`	Configures the timeout used to wait for EAPOL response to an IEEE 802.1x readiness query.

dot1x test timeout

To configure the timeout used to wait for EAPOL response from a port being queried for IEEE 802.1x readiness, use the dot1x test timeout command in global configuration mode on the switch stack or on a standalone switch.

dot1x test timeout timeout

Syntax Description


`timeout`	Time in seconds to wait for an EAPOL response. The range is from 1 to 65535 seconds.

Command Default

The default setting is 10 seconds.

Command Modes

Global configuration

Command History


Release	Modification
Cisco IOS XE 3.2SE	This command was introduced.

Usage Guidelines

Use this command to configure the timeout used to wait for EAPOL response.

There is not a no form of this command.

This example shows how to configure the switch to wait 27 seconds for an EAPOL response:


Device# dot1x test timeout 27

You can verify the timeout configuration status by entering the show run privileged EXEC command.

Related Commands


Command	Description
dot1x test eapol-capable [interface `interface-id`]	Checks for IEEE 802.1x readiness on devices connected to all or to specified IEEE 802.1x-capable ports.

dot1x timeout

To configure the value for retry timeouts, use the dot1x timeout command in global configuration or interface configuration mode. To return to the default value for retry timeouts, use the no form of this command.

dot1x timeout { auth-period seconds|held-period seconds|quiet-period seconds|ratelimit-period seconds|server-timeout seconds|start-period seconds|supp-timeout seconds|tx-period seconds}

Syntax Description


auth-period `seconds`	Configures the time, in seconds for which a supplicant will stay in the HELD state (that is, the length of time it will wait before trying to send the credentials again after a failed attempt). The range is from 1 to 65535. The default is 30.
held-period `seconds`	Configures the time, in seconds for which a supplicant will stay in the HELD state (that is, the length of time it will wait before trying to send the credentials again after a failed attempt). The range is from 1 to 65535. The default is 60
quiet-period `seconds`	Configures the time, in seconds, that the authenticator (server) remains quiet (in the HELD state) following a failed authentication exchange before trying to reauthenticate the client. The range is from 1 to 65535. The default is 60
ratelimit-period `seconds`	Throttles the EAP-START packets that are sent from misbehaving client PCs (for example, PCs that send EAP-START packets that result in the wasting of switch processing power). The authenticator ignores EAPOL-Start packets from clients that have successfully authenticated for the rate-limit period duration. The range is from 1 to 65535. By default, rate limiting is disabled.
server-timeout `seconds`	Configures the interval, in seconds, between two successive EAPOL-Start frames when they are being retransmitted. The range is from 1 to 65535. The default is 30. If the server does not send a response to an 802.1X packet within the specified period, the packet is sent again.
start-period `seconds`	Configures the interval, in seconds, between two successive EAPOL-Start frames when they are being retransmitted. The range is from 1 to 65535. The default is 30. In Cisco IOS Release 15.2(5)E, this command is only available in the supplicant mode. If the command is applied in any other mode, the command misses from the configuration.
supp-timeout `seconds`	Sets the authenticator-to-supplicant retransmission time for all EAP messages other than EAP Request ID. The range is from 1 to 65535. The default is 30.
tx-period `seconds`	Configures the number of seconds between retransmission of EAP request ID packets (assuming that no response is received) to the client. The range is from 1 to 65535. The default is 30. If an 802.1X packet is sent to the supplicant and the supplicant does not send a response after the retry period, the packet will be sent again.

Command Default

Periodic reauthentication and periodic rate-limiting are done.

Command Modes

Interface configuration

Command History


Release	Modification
Cisco IOS XE 3.2SE	This command was introduced.

Usage Guidelines

You should change the default value of this command only to adjust for unusual circumstances such as unreliable links or specific behavioral problems with certain clients and authentication servers.

The dot1x timeout reauth-period interface configuration command affects the behavior of the switch only if you have enabled periodic re-authentication by using the dot1x reauthentication interface configuration command.

During the quiet period, the switch does not accept or initiate any authentication requests. If you want to provide a faster response time to the user, enter a number smaller than the default.

When the ratelimit-period is set to 0 (the default), the switch does not ignore EAPOL packets from clients that have been successfully authenticated and forwards them to the RADIUS server.

The following example shows that various 802.1X retransmission and timeout periods have been set:


Device(config)# configure terminal
Device(config)# interface g1/0/3
Device(config-if)# dot1x port-control auto
Device(config-if)# dot1x timeout auth-period 2000
Device(config-if)# dot1x timeout held-period 2400
Device(config-if)# dot1x timeout quiet-period 600
Device(config-if)# dot1x timeout start-period 90
Device(config-if)# dot1x timeout supp-timeout 300
Device(config-if)# dot1x timeout tx-period 60
Device(config-if)# dot1x timeout server-timeout 60

epm access-control open

To configure an open directive for ports that do not have an access control list (ACL) configured, use the epm access-control open command in global configuration mode. To disable the open directive, use the no form of this command.

epm access-control open

no epm access-control open

Syntax Description

This command has no arguments or keywords.

Command Default

The default directive applies.

Command Modes

Global configuration

Command History


Release	Modification
Cisco IOS XE 3.2SE	This command was introduced.

Usage Guidelines

Use this command to configure an open directive that allows hosts without an authorization policy to access ports configured with a static ACL. If you do not configure this command, the port applies the policies of the configured ACL to the traffic. If no static ACL is configured on a port, both the default and open directives allow access to the port.

You can verify your settings by entering the show running-config privileged EXEC command.

This example shows how to configure an open directive.


Device(config)# epm access-control open

Related Commands


Command	Description
show running-config	Displays the contents of the current running configuration file.

ip access-list role-based

To create a role-based (security group) access control list (RBACL) and enter role-based ACL configuration mode, use the ip access-list role-based command in global configuration mode. To remove the configuration, use the no form of this command.

ip access-list role-based access-list-name

no ip access-list role-based access-list-name

Syntax Description


`access-list-name`	Name of the security group access control list (SGACL).

Command Default

Role-based ACLs are not configured.

Command Modes

Global configuration (config)

Command History


Release	Modification
Cisco IOS XE Denali 16.3.1	This command was introduced.

Usage Guidelines

For SGACL logging, you must configure the permit ip log command. Also, this command must be configured in Cisco IIdentity Services Engine (ISE) to enable logging for dynamic SGACLs.

The following example shows how to define an SGACL that can be applied to IPv4 traffic and enter role-based access list configuration mode:


Switch(config)# ip access-list role-based rbacl1
Switch(config-rb-acl)# permit ip log

Related Commands


Command	Description
permit ip log	Permits logging that matches the configured entry.
show ip access-list	Displays contents of all current IP access lists.

ip admission

To enable web authentication, use the ip admission command in interface configuration mode. You can also use this command in fallback-profile configuration mode. To disable web authentication, use the no form of this command.

ip admission rule

no ip admission rule

Syntax Description


`rule`	IP admission rule name.

Command Default

Web authentication is disabled.

Command Modes

Interface configuration

Fallback-profile configuration

Command History


Release	Modification
Cisco IOS XE 3.2SE	This command was introduced.

Usage Guidelines

The ip admission command applies a web authentication rule to a switch port.

This example shows how to apply a web authentication rule to a switchport:


Device# configure terminal
Device(config)# interface gigabitethernet1/0/1
Device(config-if)# ip admission rule1

This example shows how to apply a web authentication rule to a fallback profile for use on an IEEE 802.1x enabled switch port.


Device# configure terminal
Device(config)# fallback profile profile1
Device(config-fallback-profile)# ip admission rule1

ip admission name

To enable web authentication, use the ip admission name command in global configuration mode. To disable web authentication, use the no form of this command.

ip admission name name { consent|proxy http}[ absolute timer minutes|inactivity-time minutes|list { acl|acl-name} | service-policy type tag service-policy-name]

no ip admission name name { consent|proxy http}[ absolute timer minutes|inactivity-time minutes|list { acl|acl-name} | service-policy type tag service-policy-name]

Syntax Description


`name`	Name of network admission control rule.
consent	Associates an authentication proxy consent web page with the IP admission rule specified using the `admission-name` argument.
proxy http	Configures web authentication custom page.
absolute-timer `minutes`	(Optional) Elapsed time, in minutes, before the external server times out.
inactivity-time `minutes`	(Optional) Elapsed time, in minutes, before the external file server is deemed unreachable.
list	(Optional) Associates the named rule with an access control list (ACL).
`acl`	Applies a standard, extended list to a named admission control rule. The value ranges from 1 through 199, or from 1300 through 2699 for expanded range.
`acl-name`	Applies a named access list to a named admission control rule.
service-policy type tag	(Optional) A control plane service policy is to be configured.
`service-policy-name`	Control plane tag service policy that is configured using the policy-map type control tag`policyname` command, keyword, and argument. This policy map is used to apply the actions on the host when a tag is received.

Command Default

Web authentication is disabled.

Command Modes

Global configuration

Command History


Release	Modification
Cisco IOS XE 3.2SE	This command was introduced.

Usage Guidelines

The ip admission name command globally enables web authentication on a switch.

After you enable web authentication on a switch, use the ip access-group in and ip admission web-rule interface configuration commands to enable web authentication on a specific interface.

This example shows how to configure only web authentication on a switch port:


Device# configure terminal
Device(config) ip admission name http-rule proxy http
Device(config)# interface gigabitethernet1/0/1
Device(config-if)# ip access-group 101 in
Device(config-if)# ip admission rule
Device(config-if)# end

This example shows how to configure IEEE 802.1x authentication with web authentication as a fallback mechanism on a switch port:


Device# configure terminal
Device(config)# ip admission name rule2 proxy http
Device(config)# fallback profile profile1
Device(config)# ip access group 101 in
Device(config)# ip admission name rule2
Device(config)# interface gigabitethernet1/0/1
Device(config-if)# dot1x port-control auto
Device(config-if)# dot1x fallback profile1
Device(config-if)# end

Related Commands


Command	Description
dot1x fallback	Configures a port to use web authentication as a fallback method for clients that do not support IEEE 802.1x authentication.
fallback profile	Creates a web authentication fallback profile.
ip admission	Enables web authentication on a port.
show authentication sessions interface `interface` detail	Displays information about the web authentication session status.
show ip admission	Displays information about NAC cached entries or the NAC configuration.

ip dhcp snooping database

To configure the Dynamic Host Configuration Protocol (DHCP)-snooping database, use the ip dhcp snooping database command in global configuration mode. To disable the DHCP-snooping database, use the no form of this command.

ip dhcp snooping database { crashinfo:url | flash:url | ftp:url | http:url | https:url | rcp:url | scp:url | tftp:url | timeout seconds | usbflash0:url | write-delay seconds}

no ip dhcp snooping database[timeout |write-delay]

Syntax Description


crashinfo:`url`	Specifies the database URL for storing entries using crashinfo.
flash:`url`	Specifies the database URL for storing entries using flash.
ftp:`url`	Specifies the database URL for storing entries using FTP.
http:`url`	Specifies the database URL for storing entries using HTTP.
https:`url`	Specifies the database URL for storing entries using secure HTTP (https).
rcp:`url`	Specifies the database URL for storing entries using remote copy (rcp).
scp:`url`	Specifies the database URL for storing entries using Secure Copy (SCP).
tftp:`url`	Specifies the database URL for storing entries using TFTP.
timeout `seconds`	Specifies the abort timeout interval; valid values are from 0 to 86400 seconds.
usbflash0:`url`	Specifies the database URL for storing entries using USB flash.
write-delay `seconds`	Specifies the amount of time before writing the DHCP-snooping entries to an external server after a change is seen in the local DHCP-snooping database; valid values are from 15 to 86400 seconds.

Command Default

The DHCP-snooping database is not configured.

Command Modes

Global configuration

Command History


Release	Modification
Cisco IOS XE 3.2SE	This command was introduced.

Usage Guidelines

You must enable DHCP snooping on the interface before entering this command. Use the ip dhcp snooping command to enable DHCP snooping.

This example shows how to specify the database URL using TFTP:


Device(config)#  ip dhcp snooping database tftp://10.90.90.90/snooping-rp2

This example shows how to specify the amount of time before writing DHCP snooping entries to an external server:


Device(config)#  ip dhcp snooping database write-delay 15

ip dhcp snooping information option format remote-id

To configure the option-82 remote-ID suboption, use the ip dhcp snooping information option format remote-id command in global configuration mode on the switch to configure the option-82 remote-ID suboption. To configure the default remote-ID suboption, use the no form of this command.

ip dhcp snooping information option format remote-id { hostname|string string}

no ip dhcp snooping information option format remote-id{hostname|string string}

Syntax Description


hostname	Specify the switch hostname as the remote ID.
string `string`	Specify a remote ID, using from 1 to 63 ASCII characters (no spaces).

Command Default

The switch MAC address is the remote ID.

Command Modes

Global configuration

Command History


Release	Modification
Cisco IOS XE 3.2SE	This command was introduced.

Usage Guidelines

You must globally enable DHCP snooping by using the ip dhcp snooping global configuration command for any DHCP snooping configuration to take effect.

When the option-82 feature is enabled, the default remote-ID suboption is the switch MAC address. This command allows you to configure either the switch hostname or a string of up to 63 ASCII characters (but no spaces) to be the remote ID.

Note

If the hostname exceeds 63 characters, it will be truncated to 63 characters in the remote-ID configuration.

This example shows how to configure the option- 82 remote-ID suboption:


Device(config)# ip dhcp snooping information option format remote-id hostname

ip dhcp snooping verify no-relay-agent-address

To disable the DHCP snooping feature from verifying that the relay agent address (giaddr) in a DHCP client message matches the client hardware address on an untrusted port, use the ip dhcp snooping verify no-relay-agent-address command in global configuration mode. To enable verification, use the no form of this command.

ip dhcp snooping verify no-relay-agent-address

no ip dhcp snooping verify no-relay-agent-address

Syntax Description

This command has no arguments or keywords.

Command Default

The DHCP snooping feature verifies that the relay-agent IP address (giaddr) field in DHCP client message on an untrusted port is 0.

Command Modes

Global configuration

Command History


Release	Modification
Cisco IOS XE 3.2SE	This command was introduced.

Usage Guidelines

By default, the DHCP snooping feature verifies that the relay-agent IP address (giaddr) field in DHCP client message on an untrusted port is 0; the message is dropped if the giaddr field is not 0. Use the ip dhcp snooping verify no-relay-agent-address command to disable the verification. Use the no ip dhcp snooping verify no-relay-agent-address to reenable verification.

This example shows how to enable verification of the giaddr in a DHCP client message:


Device(config)# no ip dhcp snooping verify no-relay-agent-address

ip http access-class

To specify the access list that should be used to restrict access to the HTTP server, use the ip http access-class command in global configuration mode. To remove a previously configured access list association, use the no form of this command.

Note

The existing ip http access-class access-list-number command is currently supported, but is going to be deprecated. Use the ip http access-class ipv4 { access-list-number|access-list-name } and ip http access-class ipv6 access-list-name instead.

ip http access-class{access-list-number|ipv4{access-list-number|access-list-name}|ipv6 access-list-name}

no ip http access-class{access-list-number|ipv4{access-list-number|access-list-name}|ipv6 access-list-name}

Syntax Description


ipv4	Specifies the IPv4 access list to restrict access to the secure HTTP server.
ipv6	Specifies the IPv6 access list to restrict access to the secure HTTP server.
`access-list-number`	Standard IP access list number in the range 0 to 99, as configured by the access-list global configuration command.
`access-list-name`	Name of a standard IPv4 access list, as configured by the ip access-list command.

Command Default

No access list is applied to the HTTP server.

Command Modes

Global configuration (config)

Command History


Release	Modification
Cisco IOS XE Denali 16.3.1	This command was modified. The ipv4 and ipv6 keyword were added.
Cisco IOS XE Release 3.3SE	This command was introduced.

Usage Guidelines

If this command is configured, the specified access list is assigned to the HTTP server. Before the HTTP server accepts a connection, it checks the access list. If the check fails, the HTTP server does not accept the request for a connection.

The following example shows how to define an access list as 20 and assign it to the HTTP server:


Device(config)# ip access-list standard 20
 
Device(config-std-nacl)# permit 209.165.202.130 0.0.0.255
 
Device(config-std-nacl)# permit 209.165.201.1 0.0.255.255
 
Device(config-std-nacl)# permit 209.165.200.225 0.255.255.255

Device(config-std-nacl)# exit
 
Device(config)# ip http access-class 20

The following example shows how to define an IPv4 named access list as and assign it to the HTTP server.

Device(config)# ip access-list standard Internet_filter
 
Device(config-std-nacl)# permit 1.2.3.4
 
Device(config-std-nacl)# exit
 
Device(config)# ip http access-class ipv4 Internet_filter

Related Commands


Command	Description
ip access-list	Assigns an ID to an access list and enters access list configuration mode.
ip http server	Enables the HTTP 1.1 server, including the Cisco web browser user interface.

ip source binding

To add a static IP source binding entry, use the ip source binding command. Use the no form of this command to delete a static IP source binding entry

ip source binding mac-address vlan vlan-id ip-address interface interface-id

no ip source binding mac-address vlan vlan-id ip-address interface interface-id

Syntax Description


`mac-address`	Binding MAC address.
vlan `vlan-id`	Specifies the Layer 2 VLAN identification; valid values are from 1 to 4094.
`ip-address`	Binding IP address.
interface `interface-id`	ID of the physical interface.

Command Default

No IP source bindings are configured.

Command Modes

Global configuration.

Command History


Release	Modification
Cisco IOS XE 3.2SE	This command was introduced.

Usage Guidelines

You can use this command to add a static IP source binding entry only.

The no format deletes the corresponding IP source binding entry. It requires the exact match of all required parameter in order for the deletion to be successful. Note that each static IP binding entry is keyed by a MAC address and a VLAN number. If the command contains the existing MAC address and VLAN number, the existing binding entry is updated with the new parameters instead of creating a separate binding entry.

This example shows how to add a static IP source binding entry:


Device# configure terminal
Deviceconfig) ip source binding 0100.0230.0002 vlan 11 10.0.0.4 interface gigabitethernet1/0/1

ip verify source

To enable IP source guard on an interface, use the ip verify source command in interface configuration mode. To disable IP source guard, use the no form of this command.

ip verify source [mac-check][ tracking]

no ip verify source

Syntax Description


mac-check	(Optional) Enables IP source guard with MAC address verification.
tracking	(Optional) Enables IP port security to learn static IP address learning on a port.

Command Default

IP source guard is disabled.

Command Modes

Interface configuration

Command History


Release	Modification
Cisco IOS XE 3.2SE	This command was introduced.

Usage Guidelines

To enable IP source guard with source IP address filtering, use the ip verify source interface configuration command.

To enable IP source guard with source IP address filtering and MAC address verification, use the ip verify source mac-check interface configuration command.

This example shows how to enable IP source guard with source IP address filtering on an interface:


Device(config)# interface gigabitethernet1/0/1
Device(config-if)# ip verify source

This example shows how to enable IP source guard with MAC address verification:


Device(config)# interface gigabitethernet1/0/1
Device(config-if)# ip verify source mac-check

You can verify your settings by entering the show ip verify source privileged EXEC command.

ipv6 access-list

To define an IPv6 access list and to place the device in IPv6 access list configuration mode, use the ipv6 access-list command in global configuration mode. To remove the access list, use the no form of this command.

ipv6 access-list access-list-name | match-local-traffic | log-update threshold threshold-in-msgs | role-based list-name

noipv6 access-list access-list-name | client permit-control-packets| log-update threshold | role-based list-name

Syntax Description


ipv6 `access-list-name`	Creates a named IPv6 ACL (up to 64 characters in length) and enters IPv6 ACL configuration mode. `access-list-name` - Name of the IPv6 access list. Names cannot contain a space or quotation mark, or begin with a numeric.
match-local-traffic	Enables matching for locally-generated traffic.
log-update threshold `threshold-in-msgs`	Determines how syslog messages are generated after the initial packet match. `threshold-in-msgs` - Number of packets generated.
role-based `list-name`	Creates a role-based IPv6 ACL.

Command Default

No IPv6 access list is defined.

Command Modes

Global configuration

Command History


Release	Modification
Cisco IOS XE Denali 16.3.1	This command was reintroduced. This command was not supported in Cisco IOS XE Denali 16.1.x and Cisco IOS XE Denali 16.2.x

Usage Guidelines

IPv6 ACLs are defined by using the ipv6 access-list command in global configuration mode and their permit and deny conditions are set by using the deny and permit commands in IPv6 access list configuration mode. Configuring the ipv6 access-list command places the device in IPv6 access list configuration mode--the device prompt changes to Device(config-ipv6-acl)#. From IPv6 access list configuration mode, permit and deny conditions can be set for the defined IPv6 ACL.

Note

IPv6 ACLs are defined by a unique name (IPv6 does not support numbered ACLs). An IPv4 ACL and an IPv6 ACL cannot share the same name.

IPv6 is automatically configured as the protocol type in permit any any and deny any any statements that are translated from global configuration mode to IPv6 access list configuration mode.

Every IPv6 ACL has implicit permit icmp any any nd-na , permit icmp any any nd-ns , and deny ipv6 any any statements as its last match conditions. (The former two match conditions allow for ICMPv6 neighbor discovery.) An IPv6 ACL must contain at least one entry for the implicit deny ipv6 any any statement to take effect. The IPv6 neighbor discovery process makes use of the IPv6 network layer service; therefore, by default, IPv6 ACLs implicitly allow IPv6 neighbor discovery packets to be sent and received on an interface. In IPv4, the Address Resolution Protocol (ARP), which is equivalent to the IPv6 neighbor discovery process, makes use of a separate data link layer protocol; therefore, by default, IPv4 ACLs implicitly allow ARP packets to be sent and received on an interface.

Use the ipv6 traffic-filter interface configuration command with the access-list-name argument to apply an IPv6 ACL to an IPv6 interface. Use the ipv6 access-class line configuration command with the access-list-name argument to apply an IPv6 ACL to incoming and outgoing IPv6 virtual terminal connections to and from the device.

An IPv6 ACL applied to an interface with the ipv6 traffic-filter command filters traffic that is forwarded, not originated, by the device.

The example configures the IPv6 ACL list named list1 and places the device in IPv6 access list configuration mode.


Device(config)# ipv6 access-list list1
Device(config-ipv6-acl)#

The following example configures the IPv6 ACL named list2 and applies the ACL to outbound traffic on Ethernet interface 0. Specifically, the first ACL entry keeps all packets from the network FEC0:0:0:2::/64 (packets that have the site-local prefix FEC0:0:0:2 as the first 64 bits of their source IPv6 address) from exiting out of Ethernet interface 0. The second entry in the ACL permits all other traffic to exit out of Ethernet interface 0. The second entry is necessary because an implicit deny all condition is at the end of each IPv6 ACL.


Device(config)# ipv6 access-list list2 deny FEC0:0:0:2::/64 any
Device(config)# ipv6 access-list list2 permit any any
Device(config)# interface ethernet 0
Device(config-if)# ipv6 traffic-filter list2 out

ipv6 snooping policy

Note

All existing IPv6 Snooping commands (prior to Cisco IOS XE Denali 16.1.1) now have corresponding SISF-based device-tracking commands that allow you to apply your configuration to both IPv4 and IPv6 address families. For more information, see device-tracking policy.

To configure an IPv6 snooping policy and enter IPv6 snooping configuration mode, use the ipv6 snooping policy command in global configuration mode. To delete an IPv6 snooping policy, use the no form of this command.

ipv6 snooping policy snooping-policy

no ipv6 snooping policy snooping-policy

Syntax Description


`snooping-policy`	User-defined name of the snooping policy. The policy name can be a symbolic string (such as Engineering) or an integer (such as 0).

Command Default

An IPv6 snooping policy is not configured.

Command Modes

Global configuration

Command History


Release	Modification
Cisco IOS XE 3.2SE	This command was introduced.

Usage Guidelines

Use the ipv6 snooping policy command to create an IPv6 snooping policy. When the ipv6 snooping policy command is enabled, the configuration mode changes to IPv6 snooping configuration mode. In this mode, the administrator can configure the following IPv6 first-hop security commands:

The device-role command specifies the role of the device attached to the port.
The limit address-count maximum command limits the number of IPv6 addresses allowed to be used on the port.
The protocol command specifies that addresses should be gleaned with Dynamic Host Configuration Protocol (DHCP) or Neighbor Discovery Protocol (NDP).
The security-level command specifies the level of security enforced.
The tracking command overrides the default tracking policy on a port.
The trusted-port command configures a port to become a trusted port; that is, limited or no verification is performed when messages are received.

This example shows how to configure an IPv6 snooping policy:


Device(config)# ipv6 snooping policy policy1
Device(config-ipv6-snooping)#

key chain macsec

To configure a MACsec key chain name on a device interface to fetch a Pre Shared Key (PSK), use the key chain macsec command in global configuration mode. To disable it, use the no form of this command.

key chain namemacsec { description|key|exit}

Syntax Description


`name`	Name of a key chain to be used to get keys.
description	Provides description of the MACsec key chain.
key	Configure a MACsec key.
exit	Exits from the MACsec key-chain configuration mode.
no	Negates the command or sets the default values.

Command Default

key chain macsec is disabled.

Command Modes

Global configuration

Command History


Release	Modification
Cisco IOS XE Denali 16.3.1	This command was introduced.

This example shows how to configure MACsec key chain to fetch a 128-bit Pre Shared Key (PSK):


Switch#configure terminal
Switch(config)#key chain kc1 macsec
Switch(config-keychain-macsec)#key 1000
Switch(config-keychain-macsec)#cryptographic-algorithm aes-128-cmac
Switch(config-keychain-macsec-key)# key-string fb63e0269e2768c49bab8ee9a5c2258f
Switch(config-keychain-macsec-key)#end
Switch#

This example shows how to configure MACsec key chain to fetch a 256-bit Pre Shared Key (PSK):


Switch#configure terminal
Switch(config)#key chain kc1 macsec
Switch(config-keychain-macsec)#key 2000
Switch(config-keychain-macsec)#cryptographic-algorithm aes-256-cmac
Switch(config-keychain-macsec-key)# key-string c865632acb269022447c417504a1bf5db1c296449b52627ba01f2ba2574c2878
Switch(config-keychain-macsec-key)#end
Switch#

limit address-count

To limit the number of IPv6 addresses allowed to be used on the port, use the limit address-count command in Neighbor Discovery Protocol (NDP) inspection policy configuration mode or IPv6 snooping configuration mode. To return to the default, use the no form of this command.

limit address-count maximum

no limit address-count

Syntax Description


`maximum`	The number of addresses allowed on the port. The range is from 1 to 10000.

Command Default

The default is no limit.

Command Modes

ND inspection policy configuration

IPv6 snooping configuration

Command History


Release	Modification
Cisco IOS XE 3.2SE	This command was introduced.

Usage Guidelines

The limit address-count command limits the number of IPv6 addresses allowed to be used on the port on which the policy is applied. Limiting the number of IPv6 addresses on a port helps limit the binding table size. The range is from 1 to 10000.

This example shows how to define an NDP policy name as policy1, place the switch in NDP inspection policy configuration mode, and limit the number of IPv6 addresses allowed on the port to 25:


Device(config)# ipv6 nd inspection policy policy1
Device(config-nd-inspection)# limit address-count 25

This example shows how to define an IPv6 snooping policy name as policy1, place the switch in IPv6 snooping policy configuration mode, and limit the number of IPv6 addresses allowed on the port to 25:


Device(config)# ipv6 snooping policy policy1
Device(config-ipv6-snooping)# limit address-count 25

mab request format attribute 32

To enable VLAN ID-based MAC authentication on a switch, use the mab request format attribute 32 vlan access-vlan command in global configuration mode. To return to the default setting, use the no form of this command.

mab request format attribute 32 vlan access-vlan

no mab request format attribute 32 vlan access-vlan

Syntax Description

This command has no arguments or keywords.

Command Default

VLAN-ID based MAC authentication is disabled.

Command Modes

Global configuration

Command History


Release	Modification
Cisco IOS XE 3.2SE	This command was introduced.

Usage Guidelines

Use this command to allow a RADIUS server to authenticate a new user based on the host MAC address and VLAN.

Use this feature on networks with the Microsoft IAS RADIUS server. The Cisco ACS ignores this command.

This example shows how to enable VLAN-ID based MAC authentication on a switch:


Device(config)# mab request format attribute 32 vlan access-vlan

Related Commands


Command	Description
authentication event	Sets the action for specific authentication events.
authentication fallback	Configures a port to use web authentication as a fallback method for clients that do not support IEEE 802.1x authentication.
authentication host-mode	Sets the authorization manager mode on a port.
authentication open	Enables or disables open access on a port.
authentication order	Sets the order of authentication methods used on a port.
authentication periodic	Enables or disables reauthentication on a port.
authentication port-control	Enables manual control of the port authorization state.
authentication priority	Adds an authentication method to the port-priority list.
authentication timer	Configures the timeout and reauthentication parameters for an 802.1x-enabled port.
authentication violation	Configures the violation modes that occur when a new device connects to a port or when a new device connects to a port with the maximum number of devices already connected to that port.
mab	Enables MAC-based authentication on a port.
mab eap	Configures a port to use the Extensible Authentication Protocol (EAP).
show authentication	Displays information about authentication manager events on the switch.

macsec network-link

To enable MKA MACsec configuration on the uplink interfaces, use the macsec network-link command on the interface. To disable it, use the no form of this command.

macsec network-link

Syntax Description


macsec network-link	Enables MKA MACsec configuration on device interfaces using EAP-TLS authentication protocol.

Command Default

macsec network-link is disabled.

Command Modes

Interface configuration

Command History


Release	Modification
Cisco IOS XE Denali 16.3.1	This command was introduced.

This example shows how to configure MACsec MKA on an interface using the EAP-TLS authentication protocol:


Switch#configure terminal
Switch(config)# int G1/0/20
Switch(config-if)# macsec network-link
Switch(config-if)# end
Switch#

match (access-map configuration)

To set the VLAN map to match packets against one or more access lists, use the match command in access-map configuration mode on the switch stack or on a standalone switch. To remove the match parameters, use the no form of this command.

match {ip address {name | number} [name | number] [name | number]... | ipv6 address {name | number} [name | number] [name | number]... | mac address {name} [name] [name]... }

no match {ip address {name | number} [name | number] [name | number]... | ipv6 address {name | number} [name | number] [name | number]... | mac address {name} [name] [name]... }

Syntax Description


ip address	Sets the access map to match packets against an IP address access list.
ipv6 address	Sets the access map to match packets against an IPv6 address access list.
mac address	Sets the access map to match packets against a MAC address access list.
`name`	Name of the access list to match packets against.
`number`	Number of the access list to match packets against. This option is not valid for MAC access lists.

Command Default

The default action is to have no match parameters applied to a VLAN map.

Command Modes

Access-map configuration

Command History


Release	Modification
Cisco IOS XE 3.2SE	This command was introduced.

Usage Guidelines

You enter access-map configuration mode by using the vlan access-map global configuration command.

You must enter one access list name or number; others are optional. You can match packets against one or more access lists. Matching any of the lists counts as a match of the entry.

In access-map configuration mode, use the match command to define the match conditions for a VLAN map applied to a VLAN. Use the action command to set the action that occurs when the packet matches the conditions.

Packets are matched only against access lists of the same protocol type; IP packets are matched against IP access lists, IPv6 packets are matched against IPv6 access lists, and all other packets are matched against MAC access lists.

IP, IPv6, and MAC addresses can be specified for the same map entry.

This example shows how to define and apply a VLAN access map vmap4 to VLANs 5 and 6 that will cause the interface to drop an IP packet if the packet matches the conditions defined in access list al2:

Device(config)# vlan access-map vmap4
Device(config-access-map)# match ip address al2
Device(config-access-map)# action drop
Device(config-access-map)# exit
Device(config)# vlan filter vmap4 vlan-list 5-6

You can verify your settings by entering the show vlan access-map privileged EXEC command.

mka policy (global configuration)

To create a MACsec Key Agreement (MKA) protocol policy and to enter MKA policy configuration mode, use the no form of this command. mka policy command in global configuration mode. To delete the policy, use the no form of this command.

mka policy policy-name

no mka policy policy-name

Syntax Description


`policy-name`	Identifies an MKA policy and enters MKA policy configuration mode. The maximum length for the policy name is 16 characters.

Command Default

No MKA policies are created.

Command Modes

Global configuration (config)

Command History


Release	Modification
Cisco IOS XE Denali 16.3.1	This command was introduced.

Usage Guidelines

If you enter the name of an existing policy, you see a warning that any changes to the policy deletes all active MKA sessions with that policy. Whenever you change an MKA policy, active MKA sessions with that policy applied are cleared. If you try to create a policy name with more than 16 characters, you see a warning message, and the policy is not created.

If you enter the no mka policy policy-name command to delete a policy that is applied to at least one interface, you are prompted to first remove the policy from all interfaces that it is applied to and then to reenter the command. If you attempt to delete a policy and the policy name does not exist, you are notified.

When you enter MKA policy mode, these commands are available:

confidentiality-offset—Sets the confidentiality offset for MACsec operation
replay-protection—Configures MKA to use replay protection for MACsec operation

The following example shows how to configure an MKA policy and what you see if you create a policy name that already exists:


Device(config)# mka policy test-policy 
Device(config-mka-policy)# exit 
Device(config)# mka policy test-policy 
%MKA policy "test-policy" may have associated active MKA Sessions. 
	Changes to MKA Policy "test-policy" values 
	will cause all associated active MKS Sessions to be cleared.

Related Commands


Command	Description
mka policy (interface configuration)	Applies an MKA policy to an interface.
show mka policy	Displays information about defined MKA protocol policies.

mka pre-shared-key

To configure MKA MACsec on a device interface using a Pre Shared Key (PSK), use the mka pre-shared-key key-chain key-chain name command in global configuration mode. To disable it, use the no form of this command.

mka pre-shared-key key-chain key-chain-name

Syntax Description


mka pre-shared-key key-chain	Enables MACsec MKA configuration on device interfaces using a PSK.

Command Default

mka pre-shared-key is disabled.

Command Modes

Interface configuration

Command History


Release	Modification
Cisco IOS XE Denali 16.3.1	This command was introduced.

This example shows how to configure MKA MACsec on an interface using a PSK:


Switch#
Switch(config)# int G1/0/20
Switch(config-if)# mka pre-shared-key key-chain kc1
Switch(config-if)# end
Switch#

no authentication logging verbose

To filter detailed information from authentication system messages, use the no authentication logging verbose command in global configuration mode on the switch stack or on a standalone switch.

no authentication logging verbose

Syntax Description

This command has no arguments or keywords.

Command Default

All details are displayed in the system messages.

Command Modes

Global configuration

Command History


Release	Modification
Cisco IOS XE 3.2SE	This command was introduced.

Usage Guidelines

This command filters details, such as anticipated success, from authentication system messages. Failure messages are not filtered.

To filter verbose authentication system messages:


Device(config)# no authentication logging verbose

You can verify your settings by entering the show running-config privileged EXEC command.

Related Commands


Command	Description
no authentication logging verbose	Filters details from authentication system messages.
no dot1x logging verbose	Filters details from 802.1x system messages.
no mab logging verbose	Filters details from MAC authentication bypass (MAB) system messages.

no dot1x logging verbose

To filter detailed information from 802.1x system messages, use the no dot1x logging verbose command in global configuration mode on the switch stack or on a standalone switch.

no dot1x logging verbose

Syntax Description

This command has no arguments or keywords.

Command Default

All details are displayed in the system messages.

Command Modes

Global configuration

Command History


Release	Modification
Cisco IOS XE 3.2SE	This command was introduced.

Usage Guidelines

This command filters details, such as anticipated success, from 802.1x system messages. Failure messages are not filtered.

To filter verbose 802.1x system messages:


Device(config)# no dot1x logging verbose

You can verify your settings by entering the show running-config privileged EXEC command.

Related Commands


Command	Description
no authentication logging verbose	Filters details from authentication system messages.
no dot1x logging verbose	Filters details from 802.1x system messages.
no mab logging verbose	Filters details from MAC authentication bypass (MAB) system messages.

no mab logging verbose

To filter detailed information from MAC authentication bypass (MAB) system messages, use the no mab logging verbose command in global configuration mode on the switch stack or on a standalone switch.

no mab logging verbose

Syntax Description

This command has no arguments or keywords.

Command Default

All details are displayed in the system messages.

Command Modes

Global configuration

Command History


Release	Modification
Cisco IOS XE 3.2SE	This command was introduced.

Usage Guidelines

This command filters details, such as anticipated success, from MAC authentication bypass (MAB) system messages. Failure messages are not filtered.

To filter verbose MAB system messages:


Device(config)# no mab logging verbose

You can verify your settings by entering the show running-config privileged EXEC command.

Related Commands


Command	Description
no authentication logging verbose	Filters details from authentication system messages.
no dot1x logging verbose	Filters details from 802.1x system messages.
no mab logging verbose	Filters details from MAC authentication bypass (MAB) system messages.

permit (MAC access-list configuration)

To allow non-IP traffic to be forwarded if the conditions are matched, use the permit MAC access-list configuration command on the switch stack or on a standalone switch. To remove a permit condition from the extended MAC access list, use the no form of this command.

{ permit { any|host src-MAC-addr|src-MAC-addr mask} { any|host dst-MAC-addr|dst-MAC-addr mask} [ type mask|aarp|amber|appletalk|dec-spanning|decnet-iv|diagnostic|dsm|etype-6000|etype-8042|lat|lavc-sca|lsap lsap mask|mop-console|mop-dump|msdos|mumps|netbios|vines-echo|vines-ip|xns-idp] [ cos cos]

nopermit { any|host src-MAC-addr|src-MAC-addr mask} { any|host dst-MAC-addr|dst-MAC-addr mask} [ type mask|aarp|amber|appletalk|dec-spanning|decnet-iv|diagnostic|dsm|etype-6000|etype-8042|lat|lavc-sca|lsap lsap mask|mop-console|mop-dump|msdos|mumps|netbios|vines-echo|vines-ip|xns-idp] [ cos cos]

Syntax Description


any	Denies any source or destination MAC address.
host `src-MAC-addr` \|  `src-MAC-addr mask`	Specifies a host MAC address and optional subnet mask. If the source address for a packet matches the defined address, non-IP traffic from that address is denied.
host `dst-MAC-addr` \|  `dst-MAC-addr mask`	Specifies a destination MAC address and optional subnet mask. If the destination address for a packet matches the defined address, non-IP traffic to that address is denied.
`type mask`	(Optional) Specifies the EtherType number of a packet with Ethernet II or SNAP encapsulation to identify the protocol of the packet. `type` is 0 to 65535, specified in hexadecimal. `mask` is a mask of don’t care bits applied to the EtherType before testing for a match.
aarp	(Optional) Specifies EtherType AppleTalk Address Resolution Protocol that maps a data-link address to a network address.
amber	(Optional) Specifies EtherType DEC-Amber.
appletalk	(Optional) Specifies EtherType AppleTalk/EtherTalk.
dec-spanning	(Optional) Specifies EtherType Digital Equipment Corporation (DEC) spanning tree.
decnet-iv	(Optional) Specifies EtherType DECnet Phase IV protocol.
diagnostic	(Optional) Specifies EtherType DEC-Diagnostic.
dsm	(Optional) Specifies EtherType DEC-DSM.
etype-6000	(Optional) Specifies EtherType 0x6000.
etype-8042	(Optional) Specifies EtherType 0x8042.
lat	(Optional) Specifies EtherType DEC-LAT.
lavc-sca	(Optional) Specifies EtherType DEC-LAVC-SCA.
lsap `lsap-number mask`	(Optional) Specifies the LSAP number (0 to 65535) of a packet with 802.2 encapsulation to identify the protocol of the packet. The mask is a mask of don’t care bits applied to the LSAP number before testing for a match.
mop-console	(Optional) Specifies EtherType DEC-MOP Remote Console.
mop-dump	(Optional) Specifies EtherType DEC-MOP Dump.
msdos	(Optional) Specifies EtherType DEC-MSDOS.
mumps	(Optional) Specifies EtherType DEC-MUMPS.
netbios	(Optional) Specifies EtherType DEC- Network Basic Input/Output System (NetBIOS).
vines-echo	(Optional) Specifies EtherType Virtual Integrated Network Service (VINES) Echo from Banyan Systems.
vines-ip	(Optional) Specifies EtherType VINES IP.
xns-idp	(Optional) Specifies EtherType Xerox Network Systems (XNS) protocol suite.
cos `cos`	(Optional) Specifies an arbitrary class of service (CoS) number from 0 to 7 to set priority. Filtering on CoS can be performed only in hardware. A warning message appears if the cos option is configured.

Command Default

This command has no defaults. However, the default action for a MAC-named ACL is to deny.

Command Modes

Mac-access list configuration

Command History


Release	Modification
Cisco IOS XE 3.2SE	This command was introduced.

Usage Guidelines

Though visible in the command-line help strings, appletalk is not supported as a matching condition.

You enter MAC access-list configuration mode by using the mac access-list extended global configuration command.

If you use the host keyword, you cannot enter an address mask; if you do not use the any or host keywords, you must enter an address mask.

After an access control entry (ACE) is added to an access control list, an implied deny-any-any condition exists at the end of the list. That is, if there are no matches, the packets are denied. However, before the first ACE is added, the list permits all packets.

To filter IPX traffic, you use the type mask or lsap lsap mask keywords, depending on the type of IPX encapsulation being used. Filter criteria for IPX encapsulation types as specified in Novell terminology and Cisco IOS terminology are listed in the following table.

Table 4. IPX Filtering Criteria
IPX Encapsulation Type		Filter Criterion
Cisco IOS Name	Novell Name	Filter Criterion
arpa	Ethernet II	EtherType 0x8137
snap	Ethernet-snap	EtherType 0x8137
sap	Ethernet 802.2	LSAP 0xE0E0
novell-ether	Ethernet 802.3	LSAP 0xFFFF

This example shows how to define the MAC-named extended access list to allow NetBIOS traffic from any source to MAC address 00c0.00a0.03fa. Traffic matching this list is allowed.


Device(config-ext-macl)# permit any host 00c0.00a0.03fa netbios

This example shows how to remove the permit condition from the MAC-named extended access list:


Device(config-ext-macl)# no permit any 00c0.00a0.03fa 0000.0000.0000 netbios

This example permits all packets with EtherType 0x4321:


Device(config-ext-macl)# permit any any 0x4321 0

You can verify your settings by entering the show access-lists privileged EXEC command.

Related Commands


Command	Description
deny	Denies from the MAC access-list configuration. Denies non-IP traffic to be forwarded if conditions are matched.
mac access-list extended	Creates an access list based on MAC addresses for non-IP traffic.
show access-lists	Displays access control lists configured on a switch.

propagate sgt (cts manual)

To enable Security Group Tag (SGT) propagation at Layer 2 on Cisco TrustSec Security (CTS) interfaces, use the propagate sgt command in interface configuration mode. To disable SGT propagation, use the no form of this command.

propagate sgt

Syntax Description

This command has no arguments or keywords.

Command Default

SGT processing propagation is enabled.

Command Modes

CTS manual interface configuration mode (config-if-cts-manual)

Command History


Release	Modification
Cisco IOS XE Denali 16.3.1	This command was introduced.

Usage Guidelines

SGT processing propagation allows a CTS-capable interface to accept and transmit a CTS Meta Data (CMD) based L2 SGT tag. The no propagate sgt command can be used to disable SGT propagation on an interface in situations where a peer device is not capable of receiving an SGT, and as a result, the SGT tag cannot be put in the L2 header.

The following example shows how to disable SGT propagation on a manually-configured TrustSec-capable interface:


Switch# configure terminal
Switch(config)# interface gigabitethernet 0
Switch(config-if)# cts manual
Switch(config-if-cts-manual)# no propagate sgt

The following example shows that SGT propagation is disabled on Gigabit Ethernet interface 0:


Switch#show cts interface brief
Global Dot1x feature is Disabled
Interface GigabitEthernet0:
    CTS is enabled, mode:    MANUAL
    IFC state:               OPEN
    Authentication Status:   NOT APPLICABLE
        Peer identity:       "unknown"
        Peer's advertised capabilities: ""
    Authorization Status:    NOT APPLICABLE
    SAP Status:              NOT APPLICABLE
    Propagate SGT:           Disabled
    Cache Info:
        Cache applied to link : NONE

Related Commands


Command	Description
cts manual	Enables an interface for CTS.
show cts interface	Displays Cisco TrustSec states and statistics per interface.

protocol (IPv6 snooping)

To specify that addresses should be gleaned with Dynamic Host Configuration Protocol (DHCP) or Neighbor Discovery Protocol (NDP), or to associate the protocol with an IPv6 prefix list, use the protocol command. To disable address gleaning with DHCP or NDP, use the no form of the command.

protocol { dhcp|ndp}

no protocol { dhcp|ndp}

Syntax Description


dhcp	Specifies that addresses should be gleaned in Dynamic Host Configuration Protocol (DHCP) packets.
ndp	Specifies that addresses should be gleaned in Neighbor Discovery Protocol (NDP) packets.

Command Default

Snooping and recovery are attempted using both DHCP and NDP.

Command Modes

IPv6 snooping configuration mode

Command History


Release	Modification
Cisco IOS XE 3.2SE	This command was introduced.

Usage Guidelines

If an address does not match the prefix list associated with DHCP or NDP, then control packets will be dropped and recovery of the binding table entry will not be attempted with that protocol.

Using the no protocol { dhcp|ndp} command indicates that a protocol will not be used for snooping or gleaning.
If the no protocol dhcp command is used, DHCP can still be used for binding table recovery.
Data glean can recover with DHCP and NDP, though destination guard will only recovery through DHCP.

This example shows how to define an IPv6 snooping policy name as policy1, place the switch in IPv6 snooping policy configuration mode, and configure the port to use DHCP to glean addresses:


Device(config)# ipv6 snooping policy policy1
Device(config-ipv6-snooping)# protocol dhcp

radius server

Note

Starting from Cisco IOS 15.2(5)E release, the radius server command replaces the radius-server host command, being used in releases prior to Cisco IOS Release 15.2(5)E. The old command has been deprecated.

Use the radius server configuration sub-mode command on the switch stack or on a standalone switch to configure the RADIUS server parameters, including the RADIUS accounting and authentication. Use the no form of this command to return to the default settings.

radius server name

address {ipv4 | ipv6} ip{address | hostname} auth-port udp-port acct-port udp-port

key string

automate tester name | retransmit value | timeout seconds

no radius server name

Syntax Description

address {ipv4 | ipv6} ip{address | hostname}

Specify the IP address of the RADIUS server.

auth-port udp-port

(Optional) Specify the UDP port for the RADIUS authentication server. The range is from 0 to 65536.

acct-port udp-port

(Optional) Specify the UDP port for the RADIUS accounting server. The range is from 0 to 65536.

key string

(Optional) Specify the authentication and encryption key for all RADIUS communication between the switch and the RADIUS daemon.

Note

The key is a text string that must match the encryption key used on the RADIUS server. Always configure the key as the last item in this command. Leading spaces are ignored, but spaces within and at the end of the key are used. If there are spaces in your key, do not enclose the key in quotation marks unless the quotation marks are part of the key.

automate tester name

(Optional) Enable automatic server testing of the RADIUS server status, and specify the username to be used.

retransmit value

(Optional) Specifies the number of times a RADIUS request is resent when the server is not responding or responding slowly. The range is 1 to 100. This setting overrides the radius-server retransmit global configuration command setting.

timeout seconds

(Optional) Specifies the time interval that the Switch waits for the RADIUS server to reply before sending a request again. The range is 1 to 1000. This setting overrides the radius-server timeout global configuration command setting.

no radius server name

Returns to the default settings

Command Default

The UDP port for the RADIUS accounting server is 1646.
The UDP port for the RADIUS authentication server is 1645.
Automatic server testing is disabled.
The timeout is 60 minutes (1 hour).
When the automatic testing is enabled, testing occurs on the accounting and authentication UDP ports.
The authentication and encryption key ( string) is not configured.

Command Modes

Radius server sub-mode configuration

Command History


Release	Modification
Cisco IOS XE 3.2SE	This command was introduced to replace the radius-server host command.

Usage Guidelines

We recommend that you configure the UDP port for the RADIUS accounting server and the UDP port for the RADIUS authentication server to non-default values.
You can configure the authentication and encryption key by using the key string sub-mode configuration command. Always configure the key as the last item in this command.
Use the automate-tester name keywords to enable automatic server testing of the RADIUS server status and to specify the username to be used.

This example shows how to configure 1645 as the UDP port for the authentication server and 1646 as the UDP port for the accounting server, and configure a key string:

Device(config)# radius server ISE
Device(config-radius-server)# address ipv4 10.1.1 auth-port 1645 acct-port 1646
Device(config-radius-server)# key cisco123

sap mode-list (cts manual)

To select the Security Association Protocol (SAP) authentication and encryption modes (prioritized from highest to lowest) used to negotiate link encryption between two interfaces, use the sap mode-list command in CTS dot1x interface configuration mode. To remove a mode-list and revert to the default, use the no form of this command.

Use the sap mode-list command to manually specify the Pairwise Master Key (PMK) and the Security Association Protocol (SAP) authentication and encryption modes to negotiate MACsec link encryption between two interfaces. Use the no form of the command to disable the configuration.

sap pmk mode-list {gcm-encrypt | gmac | no-encap | null} [gcm-encrypt|gmac|no-encap|null]

no sap pmk mode-list {gcm-encrypt | gmac | no-encap | null} [gcm-encrypt|gmac|no-encap|null]

Syntax Description


pmk `hex_value`	Specifies the Hex-data PMK (without leading 0x; enter even number of hex characters, or else the last character is prefixed with 0.).
mode-list	Specifies the list of advertised modes (prioritized from highest to lowest).
gcm-encrypt	Specifies GMAC authentication, GCM encryption.
gmac	Specifies GMAC authentication only, no encryption.
no-encap	Specifies no encapsulation.
null	Specifies encapsulation present, no authentication, no encryption.

Command Default

The default encryption is sap pmk mode-list gcm-encrypt null . When the peer interface does not support 802.1AE MACsec or 802.REV layer-2 link encryption, the default encryption is null .

Command Modes

CTS manual interface configuration (config-if-cts-manual)

Command History


Release	Modification
Cisco IOS XE Denali 16.3.1	This command was introduced.

Usage Guidelines

Use the sap pmk mode-list command to specify the authentication and encryption method.

The Security Association Protocol (SAP) is an encryption key derivation and exchange protocol based on a draft version of the 802.11i IEEE protocol. SAP is used to establish and maintain the 802.1AE link-to-link encryption (MACsec) between interfaces that support MACsec.

SAP and the Pairwise Master Key (PMK) can be manually configured between two interfaces with the sap pmk mode-list command. When using 802.1X authentication, both sides (supplicant and authenticator) receive the PMK and the MAC address of the peer's port from the Cisco Secure Access Control Server.

If a device is running CTS-aware software but the hardware is not CTS-capable, disallow encapsulation with the sap mode-list no-encap command.

The following example shows how to configure SAP on a Gigabit Ethernet interface:


Switch# configure terminal
Switch(config)# interface gigabitethernet 2/1
Switch(config-if)# cts manual
Switch(config-if-cts-manual)# sap pmk FFFEE mode-list gcm-encrypt

Related Commands


Command	Description
cts manual	Enables an interface for CTS.
propagate sgt (cts manual)	Enables Security Group Tag (SGT) propagation at Layer 2 on Cisco TrustSec Security (CTS) interfaces.
show cts interface	Displays Cisco TrustSec interface configuration statistics.

security level (IPv6 snooping)

To specify the level of security enforced, use the security-level command in IPv6 snooping policy configuration mode.

security level { glean|guard|inspect}

Syntax Description


glean	Extracts addresses from the messages and installs them into the binding table without performing any verification.
guard	Performs both glean and inspect. Additionally, RA and DHCP server messages are rejected unless they are received on a trusted port or another policy authorizes them.
inspect	Validates messages for consistency and conformance; in particular, address ownership is enforced. Invalid messages are dropped.

Command Default

The default security level is guard.

Command Modes

IPv6 snooping configuration

Command History


Release	Modification
Cisco IOS XE 3.2SE	This command was introduced.

This example shows how to define an IPv6 snooping policy name as policy1, place the device in IPv6 snooping configuration mode, and configure the security level as inspect:


Device(config)# ipv6 snooping policy policy1
Device(config-ipv6-snooping)# security-level inspect

security passthru

To modify the IPsec pass-through, use the security passthru command. To disable, use the no form of the command.

security passthru ip-address

no security passthru

Syntax Description


`ip-address`	IP address of the IPsec gateway (router) that is terminating the VPN tunnel.

Command Default

None.

Command Modes

wlan

Command History


Release	Modification
Cisco IOS XE 3.2SE	This command was introduced.

Usage Guidelines

None.

This example shows how to modify IPSec pass-through.

Device#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Device(config)#security passthrough 10.1.1.1

server-private (RADIUS)

To configure the IP address of the private RADIUS server for the group server, use the server-private command in RADIUS server-group configuration mode. To remove the associated private server from the authentication, authorization, and accounting (AAA) group server, use the no form of this command.

server-private ip-address [auth-port port-number | acct-port port-number] [non-standard] [timeout seconds] [retransmit retries] [key string]

no server-private ip-address [auth-port port-number | acct-port port-number] [non-standard] [timeout seconds] [retransmit retries] [key string]

Syntax Description


`ip-address`	IP address of the private RADIUS server host.
auth-port `port-number`	(Optional) User Datagram Protocol (UDP) destination port for authentication requests. The default value is 1645.
acct-port `port-number`	Optional) UDP destination port for accounting requests. The default value is 1646.
non-standard	(Optional) RADIUS server is using vendor-proprietary RADIUS attributes.
timeout `seconds`	(Optional) Time interval (in seconds) that the router waits for the RADIUS server to reply before retransmitting. This setting overrides the global value of the radius-server timeout command. If no timeout value is specified, the global value is used.
retransmit `retries`	(Optional) Number of times a RADIUS request is resent to a server, if that server is not responding or responding slowly. This setting overrides the global setting of the radius-server retransmit command.
key `string`	(Optional) Authentication and encryption key used between the router and the RADIUS daemon running on the RADIUS server. This key overrides the global setting of the radius-server key command. If no key string is specified, the global value is used. The `string` can be 0 (specifies that an unencrypted key follows), 6 (specifies that an advanced encryption scheme [AES] encrypted key follows), 7 (specifies that a hidden key follows), or a line specifying the unencrypted (clear-text) server key.

Command Default

If server-private parameters are not specified, global configurations will be used; if global configurations are not specified, default values will be used.

Command Modes

RADIUS server-group configuration (config-sg-radius)

Command History


Release	Modification
Cisco IOS XE Denali 16.1.1	This command was introduced.

Usage Guidelines

Use the server-private command to associate a particular private server with a defined server group. To prevent possible overlapping of private addresses between virtual route forwarding (VRF) instances, private servers (servers with private addresses) can be defined within the server group and remain hidden from other groups, while the servers in the global pool (default "radius" server group) can still be referred to by IP addresses and port numbers. Thus, the list of servers in server groups includes references to the hosts in the global configuration and the definitions of private servers.

Note

If the radius-server directed-request command is configured, then a private RADIUS server cannot be used as the group server by configuring the server-private (RADIUS) command.
Creating or updating AAA server statistics record for private RADIUS servers are not supported. If private RADIUS servers are used, then error messages and tracebacks will be encountered, but these error messages or tracebacks do not have any impact on the AAA RADIUS functionality. To avoid these error messages and tracebacks, configure public RADIUS server instead of private RADIUS server.

Use the password encryption aes command to configure type 6 AES encrypted keys.

The following example shows how to define the sg_water RADIUS group server and associate private servers with it:


Device> enable
Device# configure terminal
Device(config)# aaa new-model
Device(config)# aaa group server radius sg_water
Device(config-sg-radius)# server-private 10.1.1.1 timeout 5 retransmit 3 key xyz
Device(config-sg-radius)# server-private 10.2.2.2 timeout 5 retransmit 3 key xyz

Related Commands


Command	Description
aaa group server	Groups different server hosts into distinct lists and distinct methods.
aaa new-model	Enables the AAA access control model.
password encryption aes	Enables a type 6 encrypted preshared key.
radius-server host	Specifies a RADIUS server host.
radius-server directed-request	Allows users to log in to a Cisco NAS and select a RADIUS server for authentication.

show aaa clients

To show AAA client statistics, use the show aaa clients command.

show aaa clients [ detailed]

Syntax Description


detailed	(Optional) Shows detailed AAA client statistics.

Command Modes

User EXEC

Command History


Release	Modification
Cisco IOS XE 3.2SE	This command was introduced.

This is an example of output from the show aaa clients command:


Device# show aaa clients

Dropped request packets: 0

show aaa command handler

To show AAA command handler statistics, use the show aaa command handler command.

show aaa command handler

Syntax Description

This command has no arguments or keywords.

Command Modes

User EXEC

Command History


Release	Modification
Cisco IOS XE 3.2SE	This command was introduced.

This is an example of output from the show aaa command handler command:


Device# show aaa command handler

AAA Command Handler Statistics:
    account-logon: 0, account-logoff: 0
    account-query: 0, pod: 0
    service-logon: 0, service-logoff: 0
    user-profile-push: 0, session-state-log: 0
    reauthenticate: 0, bounce-host-port: 0
    disable-host-port: 0, update-rbacl: 0
    update-sgt: 0, update-cts-policies: 0
    invalid commands: 0
    async message not sent: 0

show aaa local

To show AAA local method options, use the show aaa local command.

show aaa local { netuser { name|all }| statistics|user lockout}

Syntax Description


netuser	Specifies the AAA local network or guest user database.
`name`	Network user name.
all	Specifies the network and guest user information.
statistics	Displays statistics for local authentication.
user lockout	Specifies the AAA local locked-out user.

Command Modes

User EXEC

Command History


Release	Modification
Cisco IOS XE 3.2SE	This command was introduced.

This is an example of output from the show aaa local statistics command:


Device# show aaa local statistics

Local EAP statistics

EAP Method         Success       Fail
-------------------------------------
Unknown                  0          0
EAP-MD5                  0          0
EAP-GTC                  0          0
LEAP                     0          0
PEAP                     0          0
EAP-TLS                  0          0
EAP-MSCHAPV2             0          0
EAP-FAST                 0          0

Requests received from AAA:                  0
Responses returned from EAP:                 0
Requests dropped (no EAP AVP):               0
Requests dropped (other reasons):            0
Authentication timeouts from EAP:            0

Credential request statistics
Requests sent to backend:                    0
Requests failed (unable to send):            0
Authorization results received

  Success:                                   0
  Fail:                                      0

show aaa servers

To shows all AAA servers as seen by the AAA server MIB, use the show aaa servers command.

show aaa servers [ private| public| [ detailed] ]

Syntax Description


detailed	(Optional) Displays private AAA servers as seen by the AAA Server MIB.
public	(Optional) Displays public AAA servers as seen by the AAA Server MIB.
detailed	(Optional) Displays detailed AAA server statistics.

Command Modes

User EXEC

Command History


Release	Modification
Cisco IOS XE 3.2SE	This command was introduced.

This is an example of output from the show aaa servers command:


Device# show aaa servers
RADIUS: id 1, priority 1, host 172.20.128.2, auth-port 1645, acct-port 1646
State: current UP, duration 9s, previous duration 0s
Dead: total time 0s, count 0
Quarantined: No
Authen: request 0, timeouts 0, failover 0, retransmission 0
Response: accept 0, reject 0, challenge 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 0
Throttled: transaction 0, timeout 0, failure 0
Author: request 0, timeouts 0, failover 0, retransmission 0
Response: accept 0, reject 0, challenge 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 0
Throttled: transaction 0, timeout 0, failure 0
Account: request 0, timeouts 0, failover 0, retransmission 0
Request: start 0, interim 0, stop 0
Response: start 0, interim 0, stop 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 0
Throttled: transaction 0, timeout 0, failure 0
Elapsed time since counters last cleared: 0m
Estimated Outstanding Access Transactions: 0
Estimated Outstanding Accounting Transactions: 0
Estimated Throttled Access Transactions: 0
Estimated Throttled Accounting Transactions: 0
Maximum Throttled Transactions: access 0, accounting 0

show aaa sessions

To show AAA sessions as seen by the AAA Session MIB, use the show aaa sessions command.

show aaa sessions

Syntax Description

This command has no arguments or keywords.

Command Modes

User EXEC

Command History


Release	Modification
Cisco IOS XE 3.2SE	This command was introduced.

This is an example of output from the show aaa sessions command:


Device# show aaa sessions
Total sessions since last reload: 7
Session Id: 4007
   Unique Id: 4025
   User Name: *not available*
   IP Address: 0.0.0.0
   Idle Time: 0
   CT Call Handle: 0

show authentication history

To display the authenticated sessions alive on the device, use the show authentication history command.

show authentication history [ min-uptime seconds]

Syntax Description


min-uptime `seconds`	(Optional) Displays sessions within the minimum uptime. The range is from 1 through 4294967295 seconds.

Command Modes

User EXEC

Command History


Release	Modification
Cisco IOS XE 3.2SE	This command was introduced.

Usage Guidelines

Use the show authentication history command to display the authenticated sessions alive on the device.

This is an example of output from the show authentication history command:


Device# show authentication history
Interface  MAC Address     Method  Domain  Status  Uptime
Gi3/0/2    0021.d864.07c0  dot1x   DATA    Auth    38s

Session count = 1

show authentication sessions

To display information about current Auth Manager sessions, use the show authentication sessions command.

show authentication sessions [ database] [ handle handle-id[ details] ] [ interface type number[ details] [ mac mac-address[ interface type number] [ method method-name[ interface type number[ details] [session-id session-id [ details] ]

Syntax Description


database	(Optional) Shows only data stored in session database.
handle `handle-id`	(Optional) Specifies the particular handle for which Auth Manager information is to be displayed.
details	(Optional) Shows detailed information.
interface `type` `number`	(Optional) Specifies a particular interface type and number for which Auth Manager information is to be displayed.
mac `mac-address`	(Optional) Specifies the particular MAC address for which you want to display information.
method `method-name`	(Optional) Specifies the particular authentication method for which Auth Manager information is to be displayed. If you specify a method (dot1x , mab , or webauth ), you may also specify an interface.
session-id `session-id`	(Optional) Specifies the particular session for which Auth Manager information is to be displayed.

Command Modes

User EXEC

Command History


Release	Modification
Cisco IOS XE 3.2SE	This command was introduced.

Usage Guidelines

Use the show authentication sessions command to display information about all current Auth Manager sessions. To display information about specific Auth Manager sessions, use one or more of the keywords.

This table shows the possible operating states for the reported authentication sessions.

Table 5. Authentication Method States
State	Description
Not run	The method has not run for this session.
Running	The method is running for this session.
Failed over	The method has failed and the next method is expected to provide a result.
Success	The method has provided a successful authentication result for the session.
Authc Failed	The method has provided a failed authentication result for the session.

This table shows the possible authentication methods.

Table 6. Authentication Method States
State	Description
dot1x	802.1X
mab	MAC authentication bypass
webauth	web authentication

The following example shows how to display all authentication sessions on the switch:


Device# show authentication sessions 
Interface    MAC Address     Method   Domain   Status         Session ID
Gi1/0/48     0015.63b0.f676  dot1x    DATA     Authz Success  0A3462B1000000102983C05C
Gi1/0/5      000f.23c4.a401  mab      DATA     Authz Success  0A3462B10000000D24F80B58
Gi1/0/5      0014.bf5d.d26d  dot1x    DATA     Authz Success  0A3462B10000000E29811B94

The following example shows how to display all authentication sessions on an interface:


Device# show authentication sessions interface gigabitethernet2/0/47
            Interface:  GigabitEthernet2/0/47
          MAC Address:  Unknown
           IP Address:  Unknown
               Status:  Authz Success
               Domain:  DATA
       Oper host mode:  multi-host
     Oper control dir:  both
        Authorized By:  Guest Vlan
          Vlan Policy:  20
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A3462C8000000000002763C
      Acct Session ID:  0x00000002
               Handle:  0x25000000
Runnable methods list:
       Method   State
       mab      Failed over
       dot1x    Failed over
----------------------------------------
            Interface:  GigabitEthernet2/0/47
          MAC Address:  0005.5e7c.da05
           IP Address:  Unknown
            User-Name:  00055e7cda05
               Status:  Authz Success
               Domain:  VOICE
       Oper host mode:  multi-domain
     Oper control dir:  both
        Authorized By:  Authentication Server
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A3462C8000000010002A238
      Acct Session ID:  0x00000003
               Handle:  0x91000001
Runnable methods list:
       Method   State
       mab      Authc Success
       dot1x    Not run

show cts interface

To display Cisco TrustSec (CTS) configuration statistics for an interface, use the show cts interface command in EXEC or privileged EXEC mode.

show cts interface [type slot/port | brief | summary]

Syntax Description


type `slot/port`	(Optional) Specifies an interface type and slot or port number. A verbose output for this interface is returned.
brief	(Optional) Displays abbreviated status for all CTS interfaces.
summary	(Optional) Displays a tabular summary of all CTS interfaces with 4 or 5 key status fields for each interface.

Command Default

None

Command Modes

EXEC (>)
Privileged EXEC (#)

Command History


Release	Modification
Cisco IOS XE Denali 16.3.1	This command was modified with additional options.
Cisco IOS XE Denali 16.2.1	This command was introduced.

Usage Guidelines

Use the show cts interface command without keywords to display verbose status for all CTS interfaces.

The following example displays output without using a keyword (verbose status for all CTS interfaces):


Switch# show cts interface 

Global Dot1x feature is Disabled
 Interface GigabitEthernet0/1/0:
     CTS is enabled, mode:    MANUAL
     IFC state:               OPEN
     Interface Active for 00:00:18.232
     Authentication Status:   NOT APPLICABLE
         Peer identity:       "unknown"
         Peer's advertised capabilities: ""
     Authorization Status:    NOT APPLICABLE
     SAP Status:              NOT APPLICABLE
         Configured pairwise ciphers:
             gcm-encrypt
             null
 
         Replay protection:      enabled
         Replay protection mode: STRICT
 
         Selected cipher:
 
     Propagate SGT:           Enabled
     Cache Info:
         Cache applied to link : NONE
 
     Statistics:
         authc success:              0
         authc reject:               0
         authc failure:              0
         authc no response:          0
         authc logoff:               0
         sap success:                0
         sap fail:                   0
         authz success:              0
         authz fail:                 0
         port auth fail:             0
         Ingress:
             control frame bypassed: 0
             sap frame bypassed:     0
             esp packets:            0
             unknown sa:             0
             invalid sa:             0
             inverse binding failed: 0
             auth failed:            0
             replay error:           0
         Egress:
             control frame bypassed: 0
             esp packets:            0
             sgt filtered:           0
             sap frame bypassed:     0
             unknown sa dropped:     0
             unknown sa bypassed:    0

The following example displays output using the brief keyword:


Device# show cts interface brief
 
Global Dot1x feature is Disabled
 Interface GigabitEthernet0/1/0:
     CTS is enabled, mode:    MANUAL
     IFC state:               OPEN
     Interface Active for 00:00:40.386
     Authentication Status:   NOT APPLICABLE
         Peer identity:       "unknown"
         Peer's advertised capabilities: ""
     Authorization Status:    NOT APPLICABLE
     SAP Status:              NOT APPLICABLE
     Propagate SGT:           Enabled
     Cache Info:
         Cache applied to link : NONE

Related Commands


Command	Description
cts manual	Enables an interface for CTS.
propagate sgt (cts manual)	Enables Security Group Tag (SGT) propagation at Layer 2 on Cisco TrustSec Security (CTS) interfaces.
sap mode-list (cts manual)	Manually specifies the PMK and the SAP authentication and encryption modes to negotiate MACsec link encryption between two interfaces.

show cts role-based permissions

To display the role-based (security group) access control permission list, use the show cts role-based permissions command in privileged EXEC mode.

Syntax Description


default	(Optional) Displays information about the default permission list.
details	(Optional) Displays attached access control list (ACL) details.
ipv4	(Optional) Displays information about the IPv4 protocol.
from	(Optional) Displays information about the source group.
`sgt`	(Optional) Security Group Tag. Valid values are from 2 to 65519.
to	(Optional) Displays information about the destination group.
unknown	(Optional) Displays information about unknown source and destination groups.

Command Modes

Privileged EXE (#)

Command History


Release	Modification
Cisco IOS XE Denali 16.3.1	This command was introduced.

Usage Guidelines

This command displays the content of the SGACL permission matrix. You can specify the source security group tag (SGT) by using the from keyword and the destination SGT by using the to keyword. When both these keywords are specified RBACLs of a single cell are displayed. An entire column is displayed when only the to keyword is used. An entire row is displayed when the from keyword is used. The entire permission matrix is displayed when both the from and to keywords are omitted.

The command output is sorted by destination SGT as a primary key and the source SGT as a secondary key. SGACLs for each cell is displayed in the same order they are defined in the configuration or acquired from Cisco Identity Services Engine (ISE).

The details keyword is provided when a single cell is selected by specifying both from and to keywords. When the details keyword is specified the access control entries of SGACLs of a single cell are displayed.

The following is sample output from the show role-based permissions command:


Switch# show cts role-based permissions 

IPv4 Role-based permissions default (monitored):
default_sgacl-02
Permit IP-00
IPv4 Role-based permissions from group 305:sgt to group 306:dgt (monitored):
test_reg_tcp_permit-02
RBACL Monitor All for Dynamic Policies : TRUE
RBACL Monitor All for Configured Policies : FALSE
IPv4 Role-based permissions from group 6:SGT_6 to group 6:SGT_6 (configured):
		mon_1
IPv4 Role-based permissions from group 10 to group 11 (configured):
		mon_2
RBACL Monitor All for Dynamic Policies : FALSE
RBACL Monitor All for Configured Policies : FALSE

Related Commands


Command	Description
cts role-based permissions	Enables permissions from a source group to a destination group.
cts role-based monitor	Enables role-based access list monitoring.

show cisp

To display CISP information for a specified interface, use the show cisp command in privileged EXEC mode.

show cisp {[ clients|interface interface-id] |registrations|summary}

Syntax Description


clients	(Optional) Display CISP client details.
interface `interface-id`	(Optional) Display CISP information about the specified interface. Valid interfaces include physical ports and port channels.
registrations	Displays CISP registrations.
summary	(Optional) Displays CISP summary.

Command Modes

Privileged EXEC

Command History


Release	Modification
Cisco IOS XE 3.2SE	This command was introduced.
Cisco IOS XE Denali 16.3.1	This command was reintroduced. This command was not supported in Cisco IOS XE Denali 16.1.x and Cisco IOS XE Denali 16.2.x

This example shows output from the show cisp interface command:


Device# show cisp interface fast 0
CISP not enabled on specified interface

This example shows output from the show cisp registration command:


Device# show cisp registrations
Interface(s) with CISP registered user(s):
------------------------------------------
Fa1/0/13
Auth Mgr (Authenticator)
Gi2/0/1
Auth Mgr (Authenticator)
Gi2/0/2
Auth Mgr (Authenticator)
Gi2/0/3
Auth Mgr (Authenticator)
Gi2/0/5
Auth Mgr (Authenticator)
Gi2/0/9
Auth Mgr (Authenticator)
Gi2/0/11
Auth Mgr (Authenticator)
Gi2/0/13
Auth Mgr (Authenticator)
Gi3/0/3
Gi3/0/5
Gi3/0/23

Related Commands


Command	Description
cisp enable	Enable Client Information Signalling Protocol (CISP)
dot1x credentials `profile`	Configure a profile on a supplicant switch

show dot1x

To display IEEE 802.1x statistics, administrative status, and operational status for the switch or for the specified port, use the show dot1x command in user EXEC mode.

show dot1x [ all [ count |details |statistics |summary] ][ interface type number[ details |statistics] ][ statistics]

Syntax Description


all	(Optional) Displays the IEEE 802.1x information for all interfaces.
count	(Optional) Displays total number of authorized and unauthorized clients.
details	(Optional) Displays the IEEE 802.1x interface details.
statistics	(Optional) Displays the IEEE 802.1x statistics for all interfaces.
summary	(Optional) Displays the IEEE 802.1x summary for all interfaces.
interface `type number`	(Optional) Displays the IEEE 802.1x status for the specified port.

Command Modes

User EXEC

Command History


Release	Modification
Cisco IOS XE 3.2SE	This command was introduced.

This is an example of output from the show dot1x all command:


Device# show dot1x all
Sysauthcontrol              Enabled
Dot1x Protocol Version            3

This is an example of output from the show dot1x all count command:


Device# show dot1x all count
Number of Dot1x sessions
-------------------------------
Authorized Clients        = 0
UnAuthorized Clients      = 0
Total No of Client        = 0

This is an example of output from the show dot1x all statistics command:


Device# show dot1x statistics
Dot1x Global Statistics for
--------------------------------------------
RxStart = 0     RxLogoff = 0    RxResp = 0      RxRespID = 0
RxReq = 0       RxInvalid = 0   RxLenErr = 0
RxTotal = 0

TxStart = 0     TxLogoff = 0    TxResp = 0
TxReq = 0       ReTxReq = 0     ReTxReqFail = 0
TxReqID = 0     ReTxReqID = 0   ReTxReqIDFail = 0
TxTotal = 0

show eap pac peer

To display stored Protected Access Credentials (PAC) for Extensible Authentication Protocol (EAP) Flexible Authentication via Secure Tunneling (FAST) peers, use the show eap pac peer command in privileged EXEC mode.

show eap pac peer

Syntax Description

This command has no arguments or keywords.

Command Modes

Privileged EXEC

Command History


Release	Modification
Cisco IOS XE 3.2SE	This command was introduced.

This is an example of output from the show eap pac peers privileged EXEC command:


Device> show eap pac peers
No PACs stored

Related Commands


Command	Description
clear eap sessions	Clears EAP session information for the switch or for the specified port.

show ip dhcp snooping statistics

To display DHCP snooping statistics in summary or detail form, use the show ip dhcp snooping statistics command in user EXEC mode.

show ip dhcp snooping statistics [ detail ]

Syntax Description


detail	(Optional) Displays detailed statistics information.

Command Modes

User EXEC

Command History


Release	Modification
Cisco IOS XE 3.2SE	This command was introduced.

Usage Guidelines

In a switch stack, all statistics are generated on the stack master. If a new active switch is elected, the statistics counters reset.

This is an example of output from the show ip dhcp snooping statistics command:


Device> show ip dhcp snooping statistics

 Packets Forwarded                                     = 0
 Packets Dropped                                       = 0
 Packets Dropped From untrusted ports                  = 0

This is an example of output from the show ip dhcp snooping statistics detail command:


Device> show ip dhcp snooping statistics detail

 Packets Processed by DHCP Snooping                    = 0
 Packets Dropped Because
   IDB not known                                       = 0
   Queue full                                          = 0
   Interface is in errdisabled                         = 0
   Rate limit exceeded                                 = 0
   Received on untrusted ports                         = 0
   Nonzero giaddr                                      = 0
   Source mac not equal to chaddr                      = 0
   Binding mismatch                                    = 0
   Insertion of opt82 fail                             = 0
   Interface Down                                      = 0
   Unknown output interface                            = 0
   Reply output port equal to input port               = 0
   Packet denied by platform                           = 0

This table shows the DHCP snooping statistics and their descriptions:

Table 7. DHCP Snooping Statistics
DHCP Snooping Statistic	Description
Packets Processed by DHCP Snooping	Total number of packets handled by DHCP snooping, including forwarded and dropped packets.
Packets Dropped Because IDB not known	Number of errors when the input interface of the packet cannot be determined.
Queue full	Number of errors when an internal queue used to process the packets is full. This might happen if DHCP packets are received at an excessively high rate and rate limiting is not enabled on the ingress ports.
Interface is in errdisabled	Number of times a packet was received on a port that has been marked as error disabled. This might happen if packets are in the processing queue when a port is put into the error-disabled state and those packets are subsequently processed.
Rate limit exceeded	Number of times the rate limit configured on the port was exceeded and the interface was put into the error-disabled state.
Received on untrusted ports	Number of times a DHCP server packet (OFFER, ACK, NAK, or LEASEQUERY) was received on an untrusted port and was dropped.
Nonzero giaddr	Number of times the relay agent address field (giaddr) in the DHCP packet received on an untrusted port was not zero, or the no ip dhcp snooping information option allow-untrusted global configuration command is not configured and a packet received on an untrusted port contained option-82 data.
Source mac not equal to chaddr	Number of times the client MAC address field of the DHCP packet (chaddr) does not match the packet source MAC address and the ip dhcp snooping verify mac-address global configuration command is configured.
Binding mismatch	Number of times a RELEASE or DECLINE packet was received on a port that is different than the port in the binding for that MAC address-VLAN pair. This indicates someone might be trying to spoof the real client, or it could mean that the client has moved to another port on the switch and issued a RELEASE or DECLINE. The MAC address is taken from the chaddr field of the DHCP packet, not the source MAC address in the Ethernet header.
Insertion of opt82 fail	Number of times the option-82 insertion into a packet failed. The insertion might fail if the packet with the option-82 data exceeds the size of a single physical packet on the internet.
Interface Down	Number of times the packet is a reply to the DHCP relay agent, but the SVI interface for the relay agent is down. This is an unlikely error that occurs if the SVI goes down between sending the client request to the DHCP server and receiving the response.
Unknown output interface	Number of times the output interface for a DHCP reply packet cannot be determined by either option-82 data or a lookup in the MAC address table. The packet is dropped. This can happen if option 82 is not used and the client MAC address has aged out. If IPSG is enabled with the port-security option and option 82 is not enabled, the MAC address of the client is not learned, and the reply packets will be dropped.
Reply output port equal to input port	Number of times the output port for a DHCP reply packet is the same as the input port, causing a possible loop. Indicates a possible network misconfiguration or misuse of trust settings on ports.
Packet denied by platform	Number of times the packet has been denied by a platform-specific registry.

show macsec

To display 802.1ae Media Access Control Security (MACsec) information, use the show macsec command in privileged EXEC mode.

show macsec { interfaceinterface-id | summary}

Syntax Description


interface `interface-id`	Displays MACsec interface details.
summary	Displays MACsec summary information.

Command Modes

Privileged EXEC

Command History


Release	Modification
Cisco IOS XE Denali 16.3.1	This command was introduced.

Examples

This is sample output of the show macsec interface command when there is no MACsec session established on the interface:


Switch# show macsec interface gigabitethernet 1/0/1
 MACsec is enabled
  Replay protect : enabled
  Replay window : 0
  Include SCI : yes
  Cipher : GCM-AES-128
  Confidentiality Offset : 0
 Capabilities
  Max. Rx SA : 16
  Max. Tx SA : 16
  Validate Frames : strict
  PN threshold notification support : Yes
  Ciphers supported : GCM-AES-128
 No Transmit Secure Channels
 No Receive Secure Channels

This is sample output of the show macsec interface command after the session is established:


Switch# show macsec interface gigabitethernet 1/0/1
MACsec is enabled
  Replay protect : enabled
  Replay window : 0
  Include SCI : yes
  Cipher : GCM-AES-128
  Confidentiality Offset : 0
 Capabilities
  Max. Rx SA : 16
  Max. Tx SA : 16
  Validate Frames : strict
  PN threshold notification support : Yes
  Ciphers supported : GCM-AES-128
 Transmit Secure Channels
  SCI : 0022BDCF9A010002
   Elapsed time : 00:00:00
   Current AN: 0   Previous AN: -1
   SC Statistics
    Auth-only (0 / 0)
    Encrypt (1910 / 0)
 Receive Secure Channels
  SCI : 001B2140EC4C0000
   Elapsed time : 00:00:00
   Current AN: 0   Previous AN: -1
   SC Statistics
    Notvalid pkts 0      Invalid pkts 0
    Valid pkts 1         Late pkts 0
    Uncheck pkts 0       Delay pkts 0
  Port Statistics
   Ingress untag pkts  0        Ingress notag pkts 1583
   Ingress badtag pkts 0        Ingress unknownSCI pkts 0
   Ingress noSCI pkts 0         Unused pkts 0
   Notusing pkts 0              Decrypt bytes 80914
   Ingress miss pkts 1492

This is sample output of the show macsec summary command to see all established MACsec sessions:


Switch# show macsec summary
Interface                     Transmit SC         Receive SC
GigabitEthernet1/0/18              0                   0
GigabitEthernet1/0/20              1                   1
GigabitEthernet1/0/21              0                   0
GigabitEthernet1/0/22              1                   1
GigabitEthernet4/0/19              0                   0
GigabitEthernet4/0/20              1                   1
GigabitEthernet4/0/22              0                   0

Related Commands


Command	Description
macsec	Enables MACsec on an interface

show mka policy

To display a summary of all defined MACsec Key Agreement (MKA) protocol policies, including the MKA default policy, or to display a summary of a specified policy, use the show mka policy command in privileged EXEC mode.

show mka policy [ policy-name [ detail] [ sessions]]

Syntax Description


`policy-name`	(Optional) Specifies the name for the policy.
detail	(Optional) Displays detailed configuration information for the specified MKA policy, including the names of the physical interfaces to which the policy is applied. The output shows the default values for each configuration option. When entered after the session keyword, displays detailed status information about all active MKA sessions with the specified policy name.
sessions	(Optional) Displays a summary of all active MKA sessions with the specified policy name.

Command Modes

Privileged EXEC

Command History


Release	Modification
Cisco IOS XE Denali 16.3.1	This command was introduced.

Examples

This is sample output of the show mka policy command:


Switch# show mka policy
MKA Policy Summary...
Policy            KS       Delay   Replay  Window     Conf   Interfaces
Name              Priority Protect Protect Size       Offset Applied
===============================================================================
*DEFAULT POLICY*  0        NO      YES     0          0      Gi1/0/1
MkaPolicy-1       0        NO      YES     1000       0      Gi1/0/2  Gi1/0/3
MkaPolicy-2       0        NO      YES     0          50
MkaPolicy-3       0        YES     YES     64         30     Gi1/0/4  Gi1/0/5
                                                             Gi1/0/6
my_policy         0        NO      YES     4294967295 0
test-policy       0        NO      YES     10000      0

Table 8. Table 0-5 show mka policy Output FIelds
Field	Description
Policy Name	The string identifier of the policy.
KS Priority	The set value of the priority for becoming the key server (KS). The range is 0 to 255, with 0 as the highest priority and 255 as the lowest priority. A value of 0 means that the switch should always try to act as the key server, while a value of 255 means that it should never try to act as the server. This value is not configurable.
Delay Protect	The set value of delay protection being provided. This value is not configurable.
Replay Protect	The configured value of replay protection being provided. (This is configurable by entering the replay-protection window-size command.)
Window Size	The configured size of the replay protection window in number of frames per packet. If replay protection is off, the value is 0. If replay protection is on and the value is 0, a strict in-order verification of MACsec frames occurs. (This is configurable by entering the replay-protection window-size command.)
Conf Offset	The configured value of the confidentiality offset in the number of bytes to offset protection or encryption into each frame in MACsec. Configurable values are 0 (no offset), 30, or 50 bytes.
Interfaces Applied	The short name of each interface on which this policy is applied. The string is empty if it is not applied to any interfaces.

This is sample output of the show mka policy detail command:


Switch# show mka policy MkaPolicy detail
MKA Policy Configuration ("MkaPolicy-3")
========================
MKA Policy Name........ MkaPolicy-3
Key Server Priority.... 0
Delay Protection....... NO
Replay Protection...... YES
Replay Window Size..... 64
Confidentiality Offset. 30
Applied Interfaces...
  GigabitEthernet1/0/4    GigabitEthernet1/0/5
  GigabitEthernet1/0/6

This is sample output of the show mka policy sessions command:


Switch# show mka policy replay-policy sessions
Summary of All Active MKA Sessions with MKA Policy "replay-policy"...
Interface Peer-RxSCI          Policy-Name      Audit-Session-ID
Port-ID   Local-TxSCI         Key-Svr Status   CKN
================================================================================
Gi1/0/25  001b.2140.ec3c/0000 replay-policy    0A05783B0000001700448BA8
2         001e.bdfe.6d99/0002 YES     Secured  3808F996026DFB8A2FCEC9A88BBD0680

Related Commands


Command	Description
mka policy (global configuration)	Creates an MKA policy and enters MKA policy configuration mode.
mka policy (interface configuration)	Applies an MKA policy to the interface.

show mka session

To display a summary of active MACsec Key Agreement (MKA) Protocol sessions, use the show mka session command in privileged EXEC mode.

show mka session [ interfaceinterface-id] [ port-idport-id]] [ local-scisci] [ detail]

Syntax Description


interface `interface-id`	(Optional) Displays status information for active MKA sessions on an interface.
port-id `port-id`	(Optional) Displays a summary of active MKA sessions running on the interface with the specified port ID. To see the port ID, enter the show mka session interface `interface-id` command. Port identifier values begin at 2 and monotonically increase for each new session that uses a virtual port on the same physical interface.
local-sci `sci`	(Optional) Displays status information for the MKA session identified by the Local TX-SCI. To determine the Local TX-SCI for a specific session, enter the show mka session command without any keywords. The SCI must be 8 octets (16 hexadecimal digits) long.
detail	(Optional) Displays detailed status information about all active MKA sessions, all sessions on the specified interface, or on the specified interface with the specified port ID.

Command Modes

Privileged EXEC

Command History


Release	Modification
Cisco IOS XE Denali 16.3.1	This command was introduced.

Examples

This is sample output of the show mka session command:


Switch# show mka session
Total MKA Sessions....... 1
      Secured Sessions... 1
      Pending Sessions... 0
================================================================================
Interface Peer-RxSCI          Policy-Name      Audit-Session-ID
Port-ID   Local-TxSCI         Key-Svr Status   CKN
================================================================================
Gi1/0/1   001b.213d.28ed/0000 *DEFAULT POLICY* 02020202000000000000EAA6
2         001e.bdfe.8402/0002 YES     Secured  3A06ECB1183E42BB4D7817EB2B949D0E
Gi1/0/1   001a.323a.38ef/0000 *DEFAULT POLICY* 02020314000000000000EAB9
3         001e.bdfe.8402/0003 YES     Pending  CFB1E3B513344AB3417E17FBCB449D3A
Gi1/0/2   001c.113f.2d3a/0000 MkaPolicy-1      02020533000000000000EC81
2         001e.bdfe.8402/0002 YES     Secured  F103EABB133F4AB3497312EF2A949A03

Table 9. Table 0-6 show mka session Output Fields
Field	Description
Interface	The short name of the physical interface on which the MKA session is active.
Peer-RxSCI	The MAC address of the interface of the peer concatenated with the peer 16-bit Port-ID.
Policy-name	The name of the policy used at session start to set initial configuration values.
Audit session ID	Session ID.
Port-ID	The Port-ID used in the Local-TX-SCI.
Local-TxSCI	The MAC address of the physical interface concatenated with the 16-bit Port-ID.
Key Server Status	The key server: has value ‘Y’ for YES if the MKA session is the key server, otherwise, ‘N’ for NO.
CKN	Connectivity association key (CAK) name

This is sample output of the show mka session detail command:


Switch# show mka session detail
MKA Detailed Status for MKA Session
===================================
Status: SECURED - Secured MKA Session with MACsec
Local Tx-SCI............. 0022.bdcf.9a01/0002
Interface MAC Address.... 0022.bdcf.9a01
MKA Port Identifier...... 2
Interface Name........... GigabitEthernet1/0/1
Audit Session ID......... 0B0B0B3D0000034F050FA69B
CAK Name (CKN)........... 46EFE9FE85199FE404FB7AFA3FD0732E
Member Identifier (MI)... D7B00EDA353242704CC6B0DB
Message Number (MN)...... 7
Authenticator............ YES
Key Server............... YES
Latest SAK Status........ Rx & Tx
Latest SAK AN............ 0
Latest SAK KI (KN)....... D7B00EDA353242704CC6B0DB00000001 (1)
Old SAK Status........... FIRST-SAK
Old SAK AN............... 0
Old SAK KI (KN).......... FIRST-SAK (0)
SAK Transmit Wait Time... 0s (Not waiting for any peers to respond)
SAK Retire Time.......... 0s (No Old SAK to retire)
MKA Policy Name.......... *DEFAULT POLICY*
Key Server Priority...... 0
Delay Protection......... NO
Replay Protection........ YES
Replay Window Size....... 0
Confidentiality Offset... 0
Algorithm Agility........ 80C201
Cipher Suite............. 0080020001000001 (GCM-AES-128)
MACsec Capability........ 3 (MACsec Integrity, Confidentiality, & Offset)
MACsec Desired........... YES
# of MACsec Capable Live Peers............ 1
# of MACsec Capable Live Peers Responded.. 1
Live Peers List:
  MI                        MN          Rx-SCI (Peer)
  ---------------------------------------------------------
  DA296D3E62E0961234BF39A6  7           001b.2140.ec4c/0000
Potential Peers List:
  MI                        MN          Rx-SCI (Peer)
  ---------------------------------------------------------

This is sample output of the show mka session interface command:


Switch# show mka session interface gigabitethernet1/0/25
Summary of All Currently Active MKA Sessions on Interface GigabitEthernet1/0/25.
Interface Peer-RxSCI          Policy-Name      Audit-Session-ID
Port-ID   Local-TxSCI         Key-Svr Status   CKN
================================================================================
Gi1/0/25  001b.2140.ec3c/0000 replay-policy    0A05783B0000001700448BA8
2         001e.bdfe.6d99/0002 YES     Secured  3808F996026DFB8A2FCEC9A88BBD0680

Related Commands


Command	Description
clear mka sessions	Clears all MKA sessions or clear MKA sessions on a port-ID, interface, or Local TX-SCI.
macsec	Enables MACsec on an interface.

show mka statistics

To display global MACsec Key Agreement (MKA) Protocol statistics and error counters, use the show mka statistics command in privileged EXEC mode.

show mka statistics [ interfaceinterface-idport-idport-id] | [ local-scisci]}

Syntax Description


interface `interface-id`	(Optional) Displays statistics for an MKA session on an interface. Only physical interfaces are valid.
port-id `port-id`	Displays a summary of active MKA sessions running on the interface with the specified port ID. To see the port ID, enter the show mka session or show mka session interface `interface-id` command. Port identifier values begin at 2 and monotonically increase for each new active session using a virtual port on the same physical interface.
local-sci `sci`	(Optional) Shows statistics for an MKA session identified by its Local TX-SCI. To determine the Local TX-SCI for a session, enter the show mka session detail command. The SCI must be 8 octets (16 hexadecimal digits) long.

Command Modes

Privileged EXEC

Command History


Release	Modification
Cisco IOS XE Denali 16.3.1	This command was introduced.

Examples

This is an example of the show mka statistics command output:


Switch# show mka statistics
MKA Global Statistics
=====================
MKA Session Totals
   Secured.................... 32
   Reauthentication Attempts.. 31
   Deleted (Secured).......... 1
   Keepalive Timeouts......... 0
CA Statistics
   Pairwise CAKs Derived...... 32
   Pairwise CAK Rekeys........ 31
   Group CAKs Generated....... 0
   Group CAKs Received........ 0
SA Statistics
   SAKs Generated............. 32
   SAKs Rekeyed............... 31
   SAKs Received.............. 0
   SAK Responses Received..... 32
MKPDU Statistics
   MKPDUs Validated & Rx...... 580
      "Distributed SAK"..... 0
      "Distributed CAK"..... 0
   MKPDUs Transmitted......... 597
      "Distributed SAK"..... 32
      "Distributed CAK"..... 0
MKA Error Counter Totals
========================
Bring-up Failures.................. 0
Reauthentication Failures.......... 0
SAK Failures
   SAK Generation.................. 0
   Hash Key Generation............. 0
   SAK Encryption/Wrap............. 0
   SAK Decryption/Unwrap........... 0
CA Failures
   Group CAK Generation............ 0
   Group CAK Encryption/Wrap....... 0
   Group CAK Decryption/Unwrap..... 0
   Pairwise CAK Derivation......... 0
   CKN Derivation.................. 0
   ICK Derivation.................. 0
   KEK Derivation.................. 0
   Invalid Peer MACsec Capability.. 2
MACsec Failures
   Rx SC Creation................... 0
   Tx SC Creation................... 0
   Rx SA Installation............... 0
   Tx SA Installation............... 0
MKPDU Failures
   MKPDU Tx......................... 0
   MKPDU Rx Validation.............. 0
   MKPDU Rx Bad Peer MN............. 0
   MKPDU Rx Non-recent Peerlist MN.. 0

Table 10. Table 0-7 show mka Global Statistics Output Fields (continued)
Field	Description
Reauthentications	Reauthentications from 802.1x.
Pairwise CAKs Derived	Pairwise secure connectivity association keys (CAKs) derived through EAP authentication.
Pairwise CAK Rekeys	Pairwise CAK rekeys after reauthentication.
Group CAKs Generated	Generated group CAKs while acting as a key server in a group CA.
Group CAKs Received	Received group CAKs while acting as a nonkey server member in a group CA.
SAK Rekeys	Secure association key (SAK) rekeys that have been initiated as key servers or received as nonkey server members.
SAKs Generated	Generated SAKs while acting as a key server in any CA.
SAKs Received	Received SAKs while acting as a nonkey server member in any CA.
MPDUs Validated & Rx	MACsec Key Agreement Protocol Data Units (MPDUs) received and validated.
MPDUs Transmitted	Transmitted MPDUs.

Related Commands


Command	Description
clear mka statistics	Clears all MKA statistics or those on a specified interface port-ID or Local TX-SCI.

show mka summary

To display a summary of MACsec Key Agreement (MKA) sessions and global statistics, use the show mka summary command in privileged EXEC mode.

show mka summary

Syntax Description

This command has no arguments or keywords.

Command Modes

Privileged EXEC

Command History


Release	Modification
Cisco IOS XE Denali 16.3.1	This command was introduced.

Examples

This is an example of the show mka summary command output:


Switch# show mka summary
Summary of All Currently Active MKA Sessions...
===============================================
Total MKA Sessions.......................... 1
Initializing (Waiting for Peer)............ 0
Pending (Waiting for Peer MACsec Reply).... 0
Secured (Secured MKA Session with MACsec).. 1
Reauthenticating MKA Sessions............... 0
Interface Peer-RxSCI Policy-Name Audit-Session-ID
Port-ID Local-TxSCI Key-Svr Status CKN
================================================================================
Gi1/0/25 001b.2140.ec3c/0000 replay-policy 0A05783B0000001700448BA8
2 001e.bdfe.6d99/0002 YES Secured 3808F996026DFB8A2FCEC9A88BBD0680
MKA Global Statistics
=====================
MKA Session Totals
Secured.................. 36
Reauthentications........ 23
Deleted (Secured)........ 0
Keepalive Timeouts....... 4
MACsec SAK-Use Timeouts.. 0
CA Statistics
Pairwise CAKs Derived.... 33
Pairwise CAK Rekeys...... 23
Group CAKs Generated..... 0
Group CAKs Received...... 0
SA Statistics
SAKs Generated........... 61
SAKs Rekeyed............. 54
SAKs Received............ 0
SAK Responses Received... 59
MKPDU Statistics
MKPDUs Validated & Rx.... 75774
"Distributed SAK"..... 0
"Distributed CAK"..... 0
MKPDUs Transmitted....... 75049
"Distributed SAK"..... 96
"Distributed CAK"..... 0
MKA Error Counter Totals
========================
Internal Failures................ 0
Session Failures
Failed while Initializing..... 6
Failed while Pending MACsec... 2
Reauthentication Failure...... 0
SAK Failures
SAK Generation................ 0
Hash Key Generation........... 0
SAK Encryption/Wrap........... 0
SAK Decryption/Unwrap......... 0
CA Failures
Group CAK Generation.......... 0
Group CAK Encryption/Wrap..... 0
Group CAK Decryption/Unwrap... 0
Pairwise CAK Derivation....... 0
CKN Derivation................ 0
ICK Derivation................ 0
KEK Derivation................ 0
MACsec Failures
Rx SC Creation................ 2
Tx SC Creation................ 2
Rx SA Installation............ 2
Tx SA Installation............ 0
MKPDU Failures
MKPDU Tx...................... 0
MKPDU Rx Validation........... 13
Bad Peer MN (anti-replay).. 0
Non-recent Peerlist MN..... 0
MKA Policy Summary...
Policy KS Delay Replay Window Conf Interfaces
Name Priority Protect Protect Size Offset Applied
===============================================================================
*DEFAULT POLICY* 0 NO YES 0 0 Gi1/0/26 Gi1/0/29
replay-policy 0 NO YES 300 0 Gi1/0/25
Incredible-59#sh mka policy replay-policy
MKA Policy Summary...
Policy KS Delay Replay Window Conf Interfaces
Name Priority Protect Protect Size Offset Applied
===============================================================================
replay-policy 0 NO YES 300 0 Gi1/0/25

Table 11. Table 0-8 show mka summary Output Fields
Field	Description
Reauthentications	Reauthentications from 802.1x.
Pairwise CAKs Derived	Pairwise secure connectivity association keys (CAKs) derived through EAP authentication.
Pairwise CAK Rekeys	Pairwise CAK rekeys after reauthentication.
Group CAKs Generated	Generated group CAKs while acting as a key server in a group CA.
Group CAKs Received	Received group CAKs while acting as a nonkey server member in a group CA.
SAK Rekeys	Secure association key (SAK) rekeys that have been initiated as key servers or received as a non-key server members.
SAKs Generated	Generated SAKs while acting as a key server in any CA.
SAKs Received	Received SAKs while acting as a nonkey server member in any CA.
MPDUs Validated & Rx	MACsec Key Agreement Protocol Data Units (MPDUs) received and validated.
MPDUs Transmitted	Transmitted MPDUs.

Related Commands


Command	Description
show mka policy	Displays information about defined MKA protocol policies.
show mka session	Displays a summary of active MKA sessions.
show mka statistics	Displays global MKA statistics.

show radius server-group

To display properties for the RADIUS server group, use the show radius server-group command.

show radius server-group { name|all}

Syntax Description


`name`	Name of the server group. The character string used to name the group of servers must be defined using the aaa group server radius command.
all	Displays properties for all of the server groups.

Command Modes

User EXEC

Privileged EXEC

Command History


Release	Modification
Cisco IOS XE 3.2SE	This command was introduced.

Usage Guidelines

Use the show radius server-group command to display the server groups that you defined by using the aaa group server radius command.

This is an example of output from the show radius server-group all command:


Device# show radius server-group all
Server group radius
    Sharecount = 1  sg_unconfigured = FALSE
    Type = standard  Memlocks = 1

This table describes the significant fields shown in the display.

Table 12. show radius server-group command Field Descriptions
Field	Description
Server group	Name of the server group.
Sharecount	Number of method lists that are sharing this server group. For example, if one method list uses a particular server group, the sharecount would be 1. If two method lists use the same server group, the sharecount would be 2.
sg_unconfigured	Server group has been unconfigured.
Type	The type can be either standard or nonstandard. The type indicates whether the servers in the group accept nonstandard attributes. If all servers within the group are configured with the nonstandard option, the type will be shown as "nonstandard".
Memlocks	An internal reference count for the server-group structure that is in memory. The number represents how many internal data structure packets or transactions are holding references to this server group. Memlocks is used internally for memory management purposes.

show storm-control

To display broadcast, multicast, or unicast storm control settings on the switch or on the specified interface or to display storm-control history, use the show storm-control command in user EXEC mode.

show storm-control [interface-id] [broadcast | multicast | unicast]

Syntax Description


`interface-id`	(Optional) Interface ID for the physical port (including type, stack member for stacking-capable switches, module, and port number).
broadcast	(Optional) Displays broadcast storm threshold setting.
multicast	(Optional) Displays multicast storm threshold setting.
unicast	(Optional) Displays unicast storm threshold setting.

Command Modes

User EXEC

Command History


Release	Modification
Cisco IOS XE 3.2SE	This command was introduced.

Usage Guidelines

When you enter an interface ID, the storm control thresholds appear for the specified interface.

If you do not enter an interface ID, settings appear for one traffic type for all ports on the switch.

If you do not enter a traffic type, settings appear for broadcast storm control.

This is an example of a partial output from the show storm-control command when no keywords are entered. Because no traffic-type keyword was entered, the broadcast storm control settings appear.

Device> show storm-control
Interface Filter State  Upper      Lower     Current
--------- ------------- ---------- --------- ---------
Gi1/0/1   Forwarding    20 pps     10 pps    5 pps
Gi1/0/2   Forwarding    50.00%     40.00%    0.00%
<output truncated>

This is an example of output from the show storm-control command for a specified interface. Because no traffic-type keyword was entered, the broadcast storm control settings appear.

Device> show storm-control gigabitethernet 1/0/1
Interface Filter State  Upper      Lower     Current
--------- ------------- ---------- --------- ---------
Gi1/0/1 		Forwarding 			20 pps 			 10 pps    5 pps

The following table describes the fields in the show storm-control display:

Table 13. show storm-control Field Descriptions
Field	Description
Interface	Displays the ID of the interface.
Filter State	Displays the status of the filter: Blocking—Storm control is enabled, and a storm has occurred. Forwarding—Storm control is enabled, and no storms have occurred. Inactive—Storm control is disabled.
Upper	Displays the rising suppression level as a percentage of total available bandwidth in packets per second or in bits per second.
Lower	Displays the falling suppression level as a percentage of total available bandwidth in packets per second or in bits per second.
Current	Displays the bandwidth usage of broadcast traffic or the specified traffic type (broadcast, multicast, or unicast) as a percentage of total available bandwidth. This field is only valid when storm control is enabled.

show vlan access-map

To display information about a particular VLAN access map or for all VLAN access maps, use the show vlan access-map command in privileged EXEC mode.

show vlan access-map [map-name]

Syntax Description


`map-name`	(Optional) Name of a specific VLAN access map.

Command Default

None

Command Modes

Privileged EXEC

Command History


Release	Modification
Cisco IOS XE 3.2SE	This command was introduced.

This is an example of output from the show vlan access-map command:

Device# show vlan access-map
Vlan access-map "vmap4"  10
  Match clauses:
    ip  address: al2
  Action:
    forward
Vlan access-map "vmap4"  20
  Match clauses:
    ip  address: al2
  Action:
    forward

show vlan filter

To display information about all VLAN filters or about a particular VLAN or VLAN access map, use the show vlan filter command in privileged EXEC mode.

show vlan filter {access-map name | vlan vlan-id}

Syntax Description


access-map `name`	(Optional) Displays filtering information for the specified VLAN access map.
vlan `vlan-id`	(Optional) Displays filtering information for the specified VLAN. The range is 1 to 4094.

Command Default

None

Command Modes

Privileged EXEC

Command History


Release	Modification
Cisco IOS XE 3.2SE	This command was introduced.

This is an example of output from the show vlan filter command:

Device# show vlan filter
VLAN Map map_1 is filtering VLANs:
  20-22

show vlan group

To display the VLANs that are mapped to VLAN groups, use the show vlan group command in privileged EXEC mode.

show vlan group [group-name vlan-group-name [user_count]]

Syntax Description


group-name `vlan-group-name`	(Optional) Displays the VLANs mapped to the specified VLAN group.
user_count	(Optional) Displays the number of users in each VLAN mapped to a specified VLAN group.

Command Default

None

Command Modes

Privileged EXEC

Command History


Release	Modification
Cisco IOS XE 3.2SE	This command was introduced.

Usage Guidelines

The show vlan group command displays the existing VLAN groups and lists the VLANs and VLAN ranges that are members of each VLAN group. If you enter the group-name keyword, only the members of the specified VLAN group are displayed.

This example shows how to display the members of a specified VLAN group:

Device# show vlan group group-name group2 
vlan group group1 :40-45

This example shows how to display number of users in each of the VLANs in a group:

Device# show vlan group group-name group2 user_count
  VLAN     : Count
-------------------
  40        : 5
  41        : 8
  42        : 12
  43        : 2
  44        : 9
  45        : 0

storm-control

To enable broadcast, multicast, or unicast storm control and to set threshold levels on an interface, use the storm-control command in interface configuration mode. To return to the default setting, use the no form of this command.

storm-control {action {shutdown | trap} | {broadcast | multicast | unicast} level {level [level-low] | bps bps [bps-low] | pps pps [pps-low]}}

no storm-control {action {shutdown | trap} | {broadcast | multicast | unicast} level}

Syntax Description


action	Specifies the action taken when a storm occurs on a port. The default action is to filter traffic and to not send an Simple Network Management Protocol (SNMP) trap.
shutdown	Disables the port during a storm.
trap	Sends an SNMP trap when a storm occurs.
broadcast	Enables broadcast storm control on the interface.
multicast	Enables multicast storm control on the interface.
unicast	Enables unicast storm control on the interface.
level	Specifies the rising and falling suppression levels as a percentage of total bandwidth of the port.
`level`	Rising suppression level, up to two decimal places. The range is 0.00 to 100.00. Block the flooding of storm packets when the value specified for level is reached.
`level-low`	(Optional) Falling suppression level, up to two decimal places. The range is 0.00 to 100.00. This value must be less than or equal to the rising suppression value. If you do not configure a falling suppression level, it is set to the rising suppression level.
level bps	Specifies the rising and falling suppression levels as a rate in bits per second at which traffic is received on the port.
`bps`	Rising suppression level, up to 1 decimal place. The range is 0.0 to 10000000000.0. Block the flooding of storm packets when the value specified for bps is reached. You can use metric suffixes such as k, m, and g for large number thresholds.
`bps-low`	(Optional) Falling suppression level, up to 1 decimal place. The range is 0.0 to 10000000000.0. This value must be equal to or less than the rising suppression value. You can use metric suffixes such as k, m, and g for large number thresholds.
level pps	Specifies the rising and falling suppression levels as a rate in packets per second at which traffic is received on the port.
`pps`	Rising suppression level, up to 1 decimal place. The range is 0.0 to 10000000000.0. Block the flooding of storm packets when the value specified for pps is reached. You can use metric suffixes such as k, m, and g for large number thresholds.
`pps-low`	(Optional) Falling suppression level, up to 1 decimal place. The range is 0.0 to 10000000000.0. This value must be equal to or less than the rising suppression value. You can use metric suffixes such as k, m, and g for large number thresholds.

Command Default

Broadcast, multicast, and unicast storm control are disabled.

The default action is to filter traffic and to not send an SNMP trap.

Command Modes

Interface configuration

Command History


Release	Modification
Cisco IOS XE 3.2SE	This command was introduced.

Usage Guidelines

The storm-control suppression level can be entered as a percentage of total bandwidth of the port, as a rate in packets per second at which traffic is received, or as a rate in bits per second at which traffic is received.

When specified as a percentage of total bandwidth, a suppression value of 100 percent means that no limit is placed on the specified traffic type. A value of level 0 0 means that all broadcast, multicast, or unicast traffic on that port is blocked. Storm control is enabled only when the rising suppression level is less than 100 percent. If no other storm-control configuration is specified, the default action is to filter the traffic causing the storm and to send no SNMP traps.

Note

When the storm control threshold for multicast traffic is reached, all multicast traffic except control traffic, such as bridge protocol data unit (BDPU) and Cisco Discovery Protocol (CDP) frames, are blocked. However, the switch does not differentiate between routing updates, such as Open Shortest Path First (OSPF) and regular multicast data traffic, so both types of traffic are blocked.

The trap and shutdown options are independent of each other.

If you configure the action to be taken as shutdown (the port is error-disabled during a storm) when a packet storm is detected, you must use the no shutdown interface configuration command to bring the interface out of this state. If you do not specify the shutdown action, specify the action as trap (the switch generates a trap when a storm is detected).

When a storm occurs and the action is to filter traffic, if the falling suppression level is not specified, the switch blocks all traffic until the traffic rate drops below the rising suppression level. If the falling suppression level is specified, the switch blocks traffic until the traffic rate drops below this level.

Note

Storm control is supported on physical interfaces. You can also configure storm control on an EtherChannel. When storm control is configured on an EtherChannel, the storm control settings propagate to the EtherChannel physical interfaces.

When a broadcast storm occurs and the action is to filter traffic, the switch blocks only broadcast traffic.

For more information, see the software configuration guide for this release.

This example shows how to enable broadcast storm control with a 75.5-percent rising suppression level:

Device(config-if)# storm-control broadcast level 75.5

This example shows how to enable unicast storm control on a port with a 87-percent rising suppression level and a 65-percent falling suppression level:

Device(config-if)# storm-control unicast level 87 65

This example shows how to enable multicast storm control on a port with a 2000-packets-per-second rising suppression level and a 1000-packets-per-second falling suppression level:

Device(config-if)# storm-control multicast level pps 2k 1k

This example shows how to enable the shutdown action on a port:

Device(config-if)# storm-control action shutdown

You can verify your settings by entering the show storm-control privileged EXEC command.

switchport port-security aging

To set the aging time and type for secure address entries or to change the aging behavior for secure addresses on a particular port, use the switchport port-security aging command in interface configuration mode. To disable port security aging or to set the parameters to their default states, use the no form of this command.

switchport port-security aging {static | time time | type {absolute | inactivity}}

no switchport port-security aging {static | time | type}

Syntax Description


static	Enables aging for statically configured secure addresses on this port.
time `time`	Specifies the aging time for this port. The range is 0 to 1440 minutes. If the time is 0, aging is disabled for this port.
type	Sets the aging type.
absolute	Sets absolute aging type. All the secure addresses on this port age out exactly after the time (minutes) specified and are removed from the secure address list.
inactivity	Sets the inactivity aging type. The secure addresses on this port age out only if there is no data traffic from the secure source address for the specified time period.

Command Default

The port security aging feature is disabled. The default time is 0 minutes.

The default aging type is absolute.

The default static aging behavior is disabled.

Command Modes

Interface configuration

Command History


Release	Modification
Cisco IOS XE 3.2SE	This command was introduced.

Usage Guidelines

To enable secure address aging for a particular port, set the aging time to a value other than 0 for that port.

To allow limited time access to particular secure addresses, set the aging type as absolute . When the aging time lapses, the secure addresses are deleted.

To allow continuous access to a limited number of secure addresses, set the aging type as inactivity . This removes the secure address when it become inactive, and other addresses can become secure.

To allow unlimited access to a secure address, configure it as a secure address, and disable aging for the statically configured secure address by using the no switchport port-security aging static interface configuration command.

This example sets the aging time as 2 hours for absolute aging for all the secure addresses on the port:

Device(config)# interface gigabitethernet1/0/1
Device(config-if)# switchport port-security aging time 120

This example sets the aging time as 2 minutes for inactivity aging type with aging enabled for configured secure addresses on the port:

Device(config)# interface gigabitethernet1/0/2
Device(config-if)# switchport port-security aging time 2 
Device(config-if)# switchport port-security aging type inactivity 
Device(config-if)# switchport port-security aging static

This example shows how to disable aging for configured secure addresses:

Device(config)# interface gigabitethernet1/0/2
Device(config-if)# no switchport port-security aging static

switchport port-security mac-address

To configure secure MAC addresses or sticky MAC address learning, use the switchport port-security mac-address interface configuration command. To return to the default setting, use the no form of this command.

switchport port-security mac-address {mac-address [vlan {vlan-id {access | voice}}] | sticky [mac-address | vlan {vlan-id {access | voice}}]}

no switchport port-security mac-address {mac-address [vlan {vlan-id {access | voice}}] | sticky [mac-address | vlan {vlan-id {access | voice}}]}

Syntax Description

mac-address

A secure MAC address for the interface by entering a 48-bit MAC address. You can add additional secure MAC addresses up to the maximum value configured.

vlan vlan-id

(Optional) On a trunk port only, specifies the VLAN ID and the MAC address. If no VLAN ID is specified, the native VLAN is used.

vlan access

(Optional) On an access port only, specifies the VLAN as an access VLAN.

vlan voice

(Optional) On an access port only, specifies the VLAN as a voice VLAN.

Note

The voice keyword is available only if voice VLAN is configured on a port and if that port is not the access VLAN.

sticky

Enables the interface for sticky learning. When sticky learning is enabled, the interface adds all secure MAC addresses that are dynamically learned to the running configuration and converts these addresses to sticky secure MAC addresses.

mac-address

(Optional) A MAC address to specify a sticky secure MAC address.

Command Default

No secure MAC addresses are configured.

Sticky learning is disabled.

Command Modes

Interface configuration

Command History


Release	Modification
Cisco IOS XE 3.2SE	This command was introduced.

Usage Guidelines

A secure port has the following limitations:

A secure port can be an access port or a trunk port; it cannot be a dynamic access port.
A secure port cannot be a routed port.
A secure port cannot be a protected port.
A secure port cannot be a destination port for Switched Port Analyzer (SPAN).
A secure port cannot belong to a Gigabit or 10-Gigabit EtherChannel port group.
You cannot configure static secure or sticky secure MAC addresses in the voice VLAN.
When you enable port security on an interface that is also configured with a voice VLAN, set the maximum allowed secure addresses on the port to two. When the port is connected to a Cisco IP phone, the IP phone requires one MAC address. The Cisco IP phone address is learned on the voice VLAN, but is not learned on the access VLAN. If you connect a single PC to the Cisco IP phone, no additional MAC addresses are required. If you connect more than one PC to the Cisco IP phone, you must configure enough secure addresses to allow one for each PC and one for the Cisco IP phone.
Voice VLAN is supported only on access ports and not on trunk ports.

Sticky secure MAC addresses have these characteristics:

When you enable sticky learning on an interface by using the switchport port-security mac-address sticky interface configuration command, the interface converts all the dynamic secure MAC addresses, including those that were dynamically learned before sticky learning was enabled, to sticky secure MAC addresses and adds all sticky secure MAC addresses to the running configuration.
If you disable sticky learning by using the no switchport port-security mac-address sticky interface configuration command or the running configuration is removed, the sticky secure MAC addresses remain part of the running configuration but are removed from the address table. The addresses that were removed can be dynamically reconfigured and added to the address table as dynamic addresses.
When you configure sticky secure MAC addresses by using the switchport port-security mac-address sticky mac-address interface configuration command, these addresses are added to the address table and the running configuration. If port security is disabled, the sticky secure MAC addresses remain in the running configuration.
If you save the sticky secure MAC addresses in the configuration file, when the switch restarts or the interface shuts down, the interface does not need to relearn these addresses. If you do not save the sticky secure addresses, they are lost. If sticky learning is disabled, the sticky secure MAC addresses are converted to dynamic secure addresses and are removed from the running configuration.
If you disable sticky learning and enter the switchport port-security mac-address sticky mac-address interface configuration command, an error message appears, and the sticky secure MAC address is not added to the running configuration.

You can verify your settings by using the show port-security privileged EXEC command.

This example shows how to configure a secure MAC address and a VLAN ID on a port:

Device(config)# interface gigabitethernet 2/0/2
Device(config-if)# switchport mode trunk
Device(config-if)# switchport port-security
Device(config-if)# switchport port-security mac-address 1000.2000.3000 vlan 3

This example shows how to enable sticky learning and to enter two sticky secure MAC addresses on a port:

Device(config)# interface gigabitethernet 2/0/2
Device(config-if)# switchport port-security mac-address sticky 
Device(config-if)# switchport port-security mac-address sticky 0000.0000.4141
Device(config-if)# switchport port-security mac-address sticky 0000.0000.000f

switchport port-security maximum

To configure the maximum number of secure MAC addresses, use the switchport port-security maximum command in interface configuration mode. To return to the default settings, use the no form of this command.

switchport port-security maximum value [vlan [vlan-list | [access | voice]]]

no switchport port-security maximum value [vlan [vlan-list | [access | voice]]]

Syntax Description

value

Sets the maximum number of secure MAC addresses for the interface.

The default setting is 1.

vlan

(Optional) For trunk ports, sets the maximum number of secure MAC addresses on a VLAN or range of VLANs. If the vlan keyword is not entered, the default value is used.

vlan-list

(Optional) Range of VLANs separated by a hyphen or a series of VLANs separated by commas. For nonspecified VLANs, the per-VLAN maximum value is used.

access

(Optional) On an access port only, specifies the VLAN as an access VLAN.

voice

(Optional) On an access port only, specifies the VLAN as a voice VLAN.

Note

The voice keyword is available only if voice VLAN is configured on a port and if that port is not the access VLAN.

Command Default

When port security is enabled and no keywords are entered, the default maximum number of secure MAC addresses is 1.

Command Modes

Interface configuration

Command History


Release	Modification
Cisco IOS XE 3.2SE	This command was introduced.

Usage Guidelines

The maximum number of secure MAC addresses that you can configure on a switch or switch stack is set by the maximum number of available MAC addresses allowed in the system. This number is determined by the active Switch Database Management (SDM) template. See the sdm prefer command. This number represents the total of available MAC addresses, including those used for other Layer 2 functions and any other secure MAC addresses configured on interfaces.

A secure port has the following limitations:

A secure port can be an access port or a trunk port.
A secure port cannot be a routed port.
A secure port cannot be a protected port.
A secure port cannot be a destination port for Switched Port Analyzer (SPAN).
A secure port cannot belong to a Gigabit or 10-Gigabit EtherChannel port group.
When you enable port security on an interface that is also configured with a voice VLAN, set the maximum allowed secure addresses on the port to two. When the port is connected to a Cisco IP phone, the IP phone requires one MAC address. The Cisco IP phone address is learned on the voice VLAN, but is not learned on the access VLAN. If you connect a single PC to the Cisco IP phone, no additional MAC addresses are required. If you connect more than one PC to the Cisco IP phone, you must configure enough secure addresses to allow one for each PC and one for the Cisco IP phone.

Voice VLAN is supported only on access ports and not on trunk ports.
When you enter a maximum secure address value for an interface, if the new value is greater than the previous value, the new value overrides the previously configured value. If the new value is less than the previous value and the number of configured secure addresses on the interface exceeds the new value, the command is rejected.

Setting a maximum number of addresses to one and configuring the MAC address of an attached device ensures that the device has the full bandwidth of the port.

When you enter a maximum secure address value for an interface, this occurs:

If the new value is greater than the previous value, the new value overrides the previously configured value.
If the new value is less than the previous value and the number of configured secure addresses on the interface exceeds the new value, the command is rejected.

You can verify your settings by using the show port-security privileged EXEC command.

This example shows how to enable port security on a port and to set the maximum number of secure addresses to 5. The violation mode is the default, and no secure MAC addresses are configured.

Device(config)# interface gigabitethernet 2/0/2
Device(config-if)# switchport mode access
Device(config-if)# switchport port-security
Device(config-if)# switchport port-security maximum 5

switchport port-security violation

To configure secure MAC address violation mode or the action to be taken if port security is violated, use the switchport port-security violation command in interface configuration mode. To return to the default settings, use the no form of this command.

switchport port-security violation {protect | restrict | shutdown | shutdown vlan}

no switchport port-security violation {protect | restrict | shutdown | shutdown vlan}

Syntax Description


protect	Sets the security violation protect mode.
restrict	Sets the security violation restrict mode.
shutdown	Sets the security violation shutdown mode.
shutdown vlan	Sets the security violation mode to per-VLAN shutdown.

Command Default

The default violation mode is shutdown .

Command Modes

Interface configuration

Command History


Release	Modification
Cisco IOS XE 3.2SE	This command was introduced.

Usage Guidelines

In the security violation protect mode, when the number of port secure MAC addresses reaches the maximum limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses to drop below the maximum value or increase the number of maximum allowable addresses. You are not notified that a security violation has occurred.

Note

We do not recommend configuring the protect mode on a trunk port. The protect mode disables learning when any VLAN reaches its maximum limit, even if the port has not reached its maximum limit.

In the security violation restrict mode, when the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses. An SNMP trap is sent, a syslog message is logged, and the violation counter increments.

In the security violation shutdown mode, the interface is error-disabled when a violation occurs and the port LED turns off. An SNMP trap is sent, a syslog message is logged, and the violation counter increments. When a secure port is in the error-disabled state, you can bring it out of this state by entering the errdisable recovery cause psecure-violation global configuration command, or you can manually re-enable it by entering the shutdown and no shutdown interface configuration commands.

When the security violation mode is set to per-VLAN shutdown, only the VLAN on which the violation occurred is error-disabled.

A secure port has the following limitations:

A secure port can be an access port or a trunk port.
A secure port cannot be a routed port.
A secure port cannot be a protected port.
A secure port cannot be a destination port for Switched Port Analyzer (SPAN).
A secure port cannot belong to a Gigabit or 10-Gigabit EtherChannel port group.

A security violation occurs when the maximum number of secure MAC addresses are in the address table and a station whose MAC address is not in the address table attempts to access the interface or when a station whose MAC address is configured as a secure MAC address on another secure port attempts to access the interface.

When a secure port is in the error-disabled state, you can bring it out of this state by entering the errdisable recovery cause psecure-violation global configuration command. You can manually re-enable the port by entering the shutdown and no shutdown interface configuration commands or by using the clear errdisable interface privileged EXEC command.

You can verify your settings by using the show port-security privileged EXEC command.

This example show how to configure a port to shut down only the VLAN if a MAC security violation occurs:

Device(config)# interface gigabitethernet2/0/2
Device(config)# switchport port-security violation shutdown vlan

tacacs server

To configure the TACACS+ server for IPv6 or IPv4 and enter TACACS+ server configuration mode, use the tacacs server command in global configuration mode. To remove the configuration, use the no form of this command.

tacacs server name

no tacacs server

Syntax Description


name	Name of the private TACACS+ server host.

Command Default

No TACACS+ server is configured.

Command Modes

Global configuration (config)

Command History


Release	Modification
Cisco IOS XE 3.2SE	This command was introduced.

Usage Guidelines

The tacacs server command configures the TACACS server using the name argument and enters TACACS+ server configuration mode. The configuration is applied once you have finished configuration and exited TACACS+ server configuration mode.

The following example shows how to configure the TACACS server using the name server1 and enter TACACS+ server configuration mode to perform further configuration:


Device(config)# tacacs server server1
Device(config-server-tacacs)#

Related Commands


Command	Description
address ipv6 (TACACS+)	Configures the IPv6 address of the TACACS+ server.
key (TACACS+)	Configures the per-server encryption key on the TACACS+ server.
port (TACACS+)	Specifies the TCP port to be used for TACACS+ connections.
send-nat-address (TACACS+)	Sends a client’s post-NAT address to the TACACS+ server.
single-connection (TACACS+)	Enables all TACACS packets to be sent to the same server using a single TCP connection.
timeout (TACACS+)	Configures the time to wait for a reply from the specified TACACS server.

tracking (IPv6 snooping)

To override the default tracking policy on a port, use the tracking command in IPv6 snooping policy configuration mode.

tracking { enable [ reachable-lifetime { value|infinite}] | disable [ stale-lifetime { value|infinite}

Syntax Description


enable	Enables tracking.
reachable-lifetime	(Optional) Specifies the maximum amount of time a reachable entry is considered to be directly or indirectly reachable without proof of reachability. The reachable-lifetime keyword can be used only with the enable keyword. Use of the reachable-lifetime keyword overrides the global reachable lifetime configured by the ipv6 neighbor binding reachable-lifetime command.
`value`	Lifetime value, in seconds. The range is from 1 to 86400, and the default is 300.
infinite	Keeps an entry in a reachable or stale state for an infinite amount of time.
disable	Disables tracking.
stale-lifetime	(Optional) Keeps the time entry in a stale state, which overwrites the global stale-lifetime configuration. The stale lifetime is 86,400 seconds. The stale-lifetime keyword can be used only with the disable keyword. Use of the stale-lifetime keyword overrides the global stale lifetime configured by the ipv6 neighbor binding stale-lifetime command.

Command Default

The time entry is kept in a reachable state.

Command Modes

IPv6 snooping configuration

Command History


Release	Modification
Cisco IOS XE 3.2SE	This command was introduced.

Usage Guidelines

The tracking command overrides the default tracking policy set by the ipv6 neighbor tracking command on the port on which this policy applies. This function is useful on trusted ports where, for example, you may not want to track entries but want an entry to stay in the binding table to prevent it from being stolen.

The reachable-lifetime keyword is the maximum time an entry will be considered reachable without proof of reachability, either directly through tracking or indirectly through IPv6 snooping. After the reachable-lifetime value is reached, the entry is moved to stale. Use of the reachable-lifetime keyword with the tracking command overrides the global reachable lifetime configured by the ipv6 neighbor binding reachable-lifetime command.

The stale-lifetime keyword is the maximum time an entry is kept in the table before it is deleted or the entry is proven to be reachable, either directly or indirectly. Use of the reachable-lifetime keyword with the tracking command overrides the global stale lifetime configured by the ipv6 neighbor binding stale-lifetime command.

This example shows how to define an IPv6 snooping policy name as policy1, place the switch in IPv6 snooping policy configuration mode, and configure an entry to stay in the binding table for an infinite length of time on a trusted port:


Device(config)# ipv6 snooping policy policy1
Device(config-ipv6-snooping)# tracking disable stale-lifetime infinite

trusted-port

To configure a port to become a trusted port, use the trusted-port command in IPv6 snooping policy mode or ND inspection policy configuration mode. To disable this function, use the no form of this command.

trusted-port

no trusted-port

Syntax Description

This command has no arguments or keywords.

Command Default

No ports are trusted.

Command Modes

ND inspection policy configuration

IPv6 snooping configuration

Command History


Release	Modification
Cisco IOS XE 3.2SE	This command was introduced.

Usage Guidelines

When the trusted-port command is enabled, limited or no verification is performed when messages are received on ports that have this policy. However, to protect against address spoofing, messages are analyzed so that the binding information that they carry can be used to maintain the binding table. Bindings discovered from these ports will be considered more trustworthy than bindings received from ports that are not configured to be trusted.

This example shows how to define an NDP policy name as policy1, place the switch in NDP inspection policy configuration mode, and configure the port to be trusted:


Device(config)# ipv6  nd inspection  policy1
Device(config-nd-inspection)# trusted-port

This example shows how to define an IPv6 snooping policy name as policy1, place the switch in IPv6 snooping policy configuration mode, and configure the port to be trusted:


Device(config)# ipv6 snooping policy policy1
Device(config-ipv6-snooping)# trusted-port

wireless dot11-padding

To enable over-the-air frame padding, use the wireless dot11-padding command. To disable, use the no form of the command.

wireless dot11-padding

no wireless dot11-padding

Command Default

Disabled.

Command Modes

config

Command History


Release	Modification
Cisco IOS XE 3.2SE	This command was introduced.

Usage Guidelines

None.

This example shows how to enable over-the-air frame padding


Device#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Device(config)#wireless dot11-padding

wireless security dot1x

To configure IEEE 802.1x global configurations, use the wireless security dot1x command.

wireless security dot1x [eapol-key {retries retries | timeout milliseconds} | group-key interval sec | identity-request {retries retries | timeout seconds} | radius [call-station-id] {ap-macaddress | ap-macaddress-ssid | ipaddress | macaddress} | request {retries retries | timeout seconds} | wep key {index 0 | index 3}]

Syntax Description


eapol-key	Configures eapol-key related parameters.
retries `retries`	(Optional) Specifies the maximum number of times (0 to 4 retries) that the controller retransmits an EAPOL (WPA) key message to a wireless client. The default value is 2.
timeout `milliseconds`	(Optional) Specifies the amount of time (200 to 5000 milliseconds) that the controller waits before retransmitting an EAPOL (WPA) key message to a wireless client using EAP or WPA/WPA-2 PSK. The default value is 1000 milliseconds.
group-key interval `sec`	Configures EAP-broadcast key renew interval time in seconds (120 to 86400 seconds).
identity-request	Configures EAP ID request related parameters.
retries `retries`	(Optional) Specifies the maximum number of times (0 to 4 retries) that the controller request the EAP ID. The default value is 2.
timeout `seconds`	(Optional) Specifies the amount of time (1 to 120 seconds) that the controller waits before retransmitting an EAP Identity Request message to a wireless client. The default value is 30 seconds.
radius	Configures radius messages.
call-station-id	(Optional) Configures Call-Station Id sent in radius messages.
ap-macaddress	Sets Call Station Id Type to the AP's MAC Address.
ap-macaddress-ssid	Sets Call Station Id Type to 'AP MAC address':'SSID'.
ipaddress	Sets Call Station Id Type to the system's IP Address.
macaddress	Sets Call Station Id Type to the system's MAC Address.
request	Configures EAP request related parameters.
retries `retries`	(Optional) For EAP messages other than Identity Requests or EAPOL (WPA) key messages, specifies the maximum number of times (0 to 20 retries) that the controller retransmits the message to a wireless client. The default value is 2.
timeout `seconds`	(Optional) For EAP messages other than Identity Requests or EAPOL (WPA) key messages, specifies the amount of time (1 to 120 seconds) that the controller waits before retransmitting the message to a wireless client. The default value is 30 seconds.
wep key	Configures 802.1x WEP related paramters.
index 0	Specifies the WEP key index value as 0
index 3	Specifies the WEP key index value as 3

Command Default

Default for eapol-key-timeout: 1 second.

Default for eapol-key-retries: 2 retries.

Command Modes

config

Command History


Release	Modification
Cisco IOS XE 3.2SE	This command was introduced.

Usage Guidelines

None.

This example lists all the commands under wireless security dot1x .


Device#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Device(config)#wireless security dot1x ?
  eapol-key         Configure eapol-key related parameters
  group-key         Configures EAP-broadcast key renew interval time in seconds
  identity-request  Configure EAP ID request related parameters
  radius            Configure radius messages
  request           Configure EAP request related parameters
  wep               Configure 802.1x WEP related paramters
  <cr>

wireless security lsc

To configure locally significant certificates, use the wireless security lsc command.

wireless security lsc {ap-provision [auth-list mac-addr | revert number] | other-params key-size | subject-params country state city orgn dept email | trustpoint trustpoint}

Syntax Description


ap-provision	Specifies the access point provision list settings.
auth-list `mac-addr`	Specifies the provision list authorization settings.
revert `number`	Specifies the number of times the access point attempts to join the controller using an LSC before reverting to the default certificate. The maximum number of attempts cannot exceed 255.
other-params `key-size`	Specifies the device certificate key size settings.
subject-params `country` `state` `city` `orgn` `dept` `email`	Specifies the device certificate settings. Country, state, city, organization, department, and email of the certificate authority.
trustpoint `trustpoint`	Specifies the LSC Trustpoint.

Command Default

None

Command Modes

config

Command History


Release	Modification
Cisco IOS XE 3.2SE	This command was introduced.

Usage Guidelines

You can configure only one CA server. To configure a different CA server, delete the configured CA server by using the config certificate lsc ca-server delete command, and then configure a different CA server.

If you configure an access point provision list, only the access points in the provision list are provisioned when you enable AP provisioning (in Step 8). If you do not configure an access point provision list, all access points with an MIC or SSC certificate that join the controller are LSC provisioned.

This example shows how to configure locally significant certificate:

Device#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Device(config)#wireless security lsc ?
  ap-provision    Provisioning the AP's with LSC's
  other-params    Configure Other Parameters for Device Certs
  subject-params  Configure the Subject Parameters for Device Certs
  trustpoint      Configure LSC Trustpoint
  <cr>

wireless security strong-password

To configure strong password enforcement options, use the wireless security strong-password command. To disable strong password, use the no form of the command.

wireless security strong-password

no wireless security strong-password

Command Default

None.

Command Modes

config

Command History


Release	Modification
Cisco IOS XE 3.2SE	This command was introduced.

Usage Guidelines

None.

This example shows how to configure a strong-password for wireless security.


Device#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Device(config)#wireless security strong-password

wireless wps ap-authentication

To configure the access point neighbor authentication, use the wireless wps ap-authentication command. To remove the access point neighbor authentication, use the no form of the command.

wireless wps ap-authentication [threshold value]

no wireless wps ap-authentication [threshold]

Syntax Description


threshold `value`	Specifies that the WMM-enabled clients are on the wireless LAN. Threshold value (1 to 255).

Command Default

None.

Command Modes

config

Command History


Release	Modification
Cisco IOS XE 3.2SE	This command was introduced.

Usage Guidelines

None.

This example shows how to set the threshold value for WMM-enabled clients.


Device#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Device(config)#wireless wps ap-authentication threshold 65

wireless wps auto-immune

To enable protection from denial of service (DoS) attacks, use the wireless wps auto-immune command. To disable, use the no form of the command.

wireless wps auto-immune

no wireless wps auto-immune

Command Default

Disabled.

Command Modes

config

Command History


Release	Modification
Cisco IOS XE 3.2SE	This command was introduced.

Usage Guidelines

A potential attacker can use specially crafted packets to mislead the Intrusion Detection System (IDS) into treating a legitimate client as an attacker. It causes the controller to disconnect this legitimate client and launch a DoS attack. The auto-immune feature, when enabled, is designed to protect against such attacks. However, conversations using Cisco 792x phones might be interrupted intermittently when the auto-immune feature is enabled. If you experience frequent disruptions when using 792x phones, you might want to disable this feature.

This example shows how to enable protection from denial of service (DoS) attack:


Device#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Device(config)#wireless wps auto-immune

wireless wps cids-sensor

To configure Intrusion Detection System (IDS) sensors for the Wireless Protection System (WPS), use the wireless wps cids-sensor command. To remove the Intrusion Detection System (IDS) sensors for the Wireless Protection System (WPS), use the no form of the command.

wireless wps cids-sensor index [ip-address ip-addr username username password password_type password]

no wireless wps cids-sensor index

Syntax Description


`index`	Specifies the IDS sensor internal index.
ip-address `ip-addr` username `username` password `password_type` `password`	Specifies the IDS sensor IP address, IDS sensor username, password type and IDS sensor password.

Command Default

Disabled.

Command Modes

config

Command History


Release	Modification
Cisco IOS XE 3.2SE	This command was introduced.

Usage Guidelines

None

This example shows how to configure the Intrusion Detection System with the IDS index, IDS sensor IP address, IDS username and IDS password.


Device#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Device(config)#wireless wps cids-sensor 1 10.0.0.51 Sensor_user0doc1 passowrd01

wireless wps client-exclusion

To configure client exclusion policies, use the wireless wps client-exclusion command. To remove the client exclusion policies, use the no form of the command.

wireless wps client-exclusion {all | dot11-assoc | dot11-auth | dot1x-auth | ip-theft | web-auth}

no wireless wps client-exclusion {all | dot11-assoc | dot11-auth | dot1x-auth | ip-theft | web-auth}

Syntax Description


dot11-assoc	Specifies that the controller excludes clients on the sixth 802.11 association attempt, after five consecutive failures.
dot11-auth	Specifies that the controller excludes clients on the sixth 802.11 authentication attempt, after five consecutive failures.
dot1x-auth	Specifies that the controller excludes clients on the sixth 802.11X authentication attempt, after five consecutive failures.
ip-theft	Specifies that the control excludes clients if the IP address is already assigned to another device. For more information, see the Usage Guidelines section.
web-auth	Specifies that the controller excludes clients on the fourth web authentication attempt, after three consecutive failures.
all	Specifies that the controller excludes clients for all of the above reasons.

Command Default

Enabled.

Command Modes

config

Command History


Release	Modification
Cisco IOS XE 3.2SE	This command was introduced.

Usage Guidelines

In IP-theft scenarios, there are differences between the older Cisco IOS XE releases and the Cisco IOS XE Denali 16.x releases:


Older Cisco IOS XE Releases	Cisco IOS XE Denali 16.x Releases
Priority wise, wired clients have higher priority over wireless clients, and DHCP IP has higher priority over static IP. The client security type is not checked; security of all client types are treated with same priority. If the existing binding is from a higher priority source, the new binding is ignored and an IP-theft is signaled. If the existing binding has the same source-priority as the new binding, the binding is ignored and an IP-theft is signaled. This ensures that the bindings are not toggled if two hosts send traffic using the same IP. Only the initial binding is retained in the software. If the new binding is from a higher priority source, the existing binding is replaced. This results in an IP-theft notification of existing binding and also a new binding notification.	There is not really a fundamental difference between wired and wireless; what matters is the trust (preflevel) of the entry, which is a function on how it was learnt (ARP, DHCP, ND, and so on) and the policy that is attached to the port. When preflevel is equal, the IP takeover is denied if the old entry is still reachable. IP takeover occurs when the update comes from a trusted port or a new entry gets IP from the DHCP server. Otherwise, you must explicitly grant it. The IP-theft is not reported if an old entry is replaced by a new and a more trusted one.

This example shows how to disable clients on the 802.11 association attempt after five consecutive failures.


Device#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Device(config)#wireless wps client-exclusion dot11-assoc

wireless wps mfp infrastructure

To configure Management Frame Protection (MFP), use the wireless wps mfp infrastructure command. To remove the Management Frame Protection (MFP), use the no form of the command.

wireless wps mfp infrastructure

no wireless wps mfp infrastructure

Command Default

None.

Command Modes

config

Command History


Release	Modification
Cisco IOS XE 3.2SE	This command was introduced.

Usage Guidelines

None.

This example shows how to enable the infrastructure MFP.


Device#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Device(config)#wireless wps mfp infrastructure

wireless wps rogue

To configure various rouge parameters, use the wireless wps rogue command.

wireless wps rogue {adhoc | client} [alert mac-addr | contain mac-addr no-of-aps]

Syntax Description


adhoc	Configures the status of an Independent Basic Service Set (IBSS or ad-hoc) rogue access point.
client	Configures rogue clients
alert `mac-addr`	Generates an SNMP trap upon detection of the ad-hoc rogue, and generates an immediate alert to the system administrator for further action for the MAC address of the ad-hoc rogue access point.
contain `mac-addr` `no-of-aps`	Contains the offending device so that its signals no longer interfere with authorized clients. Maximum number of Cisco access points assigned to actively contain the ad-hoc rogue access point (1 through 4, inclusive).

Command Default

None.

Command Modes

Global configuration

Command History


Release	Modification
Cisco IOS XE 3.2SE	This command was introduced.

Usage Guidelines

None.

This example shows how to generate an immediate alert to the system administrator for further action for the MAC address of the ad-hoc rogue access point.


Device#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Device(config)#wireless wps rouge adhoc alert mac_addr

wireless wps shun-list re-sync

To force the controller to synchronization with other controllers in the mobility group for the shun list, use the wireless wps shun-list re-sync command.

wireless wps shun-list re-sync

Command Default

None.

Command Modes

Any command mode

Command History


Release	Modification
Cisco IOS XE 3.2SE	This command was introduced.

Usage Guidelines

None.

This example shows how to configure the controller to synchronize with other controllers for the shun list.


Device#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Device(config)#wireless wps shun-list re-sync

vlan access-map

To create or modify a VLAN map entry for VLAN packet filtering, and change the mode to the VLAN access-map configuration, use the vlan access-map command in global configuration mode on the switch stack or on a standalone switch. To delete a VLAN map entry, use the no form of this command.

vlan access-map name [number]

no vlan access-map name [number]

Note

This command is not supported on switches running the LAN Base feature set.

Syntax Description


`name`	Name of the VLAN map.
`number`	(Optional) The sequence number of the map entry that you want to create or modify (0 to 65535). If you are creating a VLAN map and the sequence number is not specified, it is automatically assigned in increments of 10, starting from 10. This number is the sequence to insert to, or delete from, a VLAN access-map entry.

Command Default

There are no VLAN map entries and no VLAN maps applied to a VLAN.

Command Modes

Global configuration

Command History


Release	Modification
Cisco IOS XE 3.2SE	This command was introduced.

Usage Guidelines

In global configuration mode, use this command to create or modify a VLAN map. This entry changes the mode to VLAN access-map configuration, where you can use the match access-map configuration command to specify the access lists for IP or non-IP traffic to match and use the action command to set whether a match causes the packet to be forwarded or dropped.

In VLAN access-map configuration mode, these commands are available:

action —Sets the action to be taken (forward or drop).
default —Sets a command to its defaults.
exit —Exits from VLAN access-map configuration mode.
match —Sets the values to match (IP address or MAC address).
no —Negates a command or set its defaults.

When you do not specify an entry number (sequence number), it is added to the end of the map.

There can be only one VLAN map per VLAN and it is applied as packets are received by a VLAN.

You can use the no vlan access-map name [number] command with a sequence number to delete a single entry.

Use the vlan filter interface configuration command to apply a VLAN map to one or more VLANs.

For more information about VLAN map entries, see the software configuration guide for this release.

This example shows how to create a VLAN map named vac1 and apply matching conditions and actions to it. If no other entries already exist in the map, this will be entry 10.

Device(config)# vlan access-map vac1
Device(config-access-map)# match ip address acl1
Device(config-access-map)# action forward

This example shows how to delete VLAN map vac1:

Device(config)# no vlan access-map vac1

vlan filter

To apply a VLAN map to one or more VLANs, use the vlan filter command in global configuration mode on the switch stack or on a standalone switch. To remove the map, use the no form of this command.

vlan filter mapname vlan-list {list | all}

no vlan filter mapname vlan-list {list | all}

Note

This command is not supported on switches running the LAN Base feature set.

Syntax Description


`mapname`	Name of the VLAN map entry.
vlan-list	Specifies which VLANs to apply the map to.
`list`	The list of one or more VLANs in the form tt, uu-vv, xx, yy-zz, where spaces around commas and dashes are optional. The range is 1 to 4094.
all	Adds the map to all VLANs.

Command Default

There are no VLAN filters.

Command Modes

Global configuration

Command History


Release	Modification
Cisco IOS XE 3.2SE	This command was introduced.

Usage Guidelines

To avoid accidentally dropping too many packets and disabling connectivity in the middle of the configuration process, we recommend that you completely define the VLAN access map before applying it to a VLAN.

For more information about VLAN map entries, see the software configuration guide for this release.

This example applies VLAN map entry map1 to VLANs 20 and 30:

Device(config)# vlan filter map1 vlan-list 20, 30

This example shows how to delete VLAN map entry mac1 from VLAN 20:

Device(config)# no vlan filter map1 vlan-list 20

You can verify your settings by entering the show vlan filter privileged EXEC command.

vlan group

To create or modify a VLAN group, use the vlan group command in global configuration mode. To remove a VLAN list from the VLAN group, use the no form of this command.

vlan group group-name vlan-list vlan-list

no vlan group group-name vlan-list vlan-list

Syntax Description


`group-name`	Name of the VLAN group. The group name may contain up to 32 characters and must begin with a letter.
vlan-list `vlan-list`	Specifies one or more VLANs to be added to the VLAN group. The `vlan-list` argument can be a single VLAN ID, a list of VLAN IDs, or VLAN ID range. Multiple entries are separated by a hyphen (-) or a comma (,).

Command Default

None

Command Modes

Global configuration

Command History


Release	Modification
Cisco IOS XE 3.2SE	This command was introduced.

Usage Guidelines

If the named VLAN group does not exist, the vlan group command creates the group and maps the specified VLAN list to the group. If the named VLAN group exists, the specified VLAN list is mapped to the group.

The no form of the vlan group command removes the specified VLAN list from the VLAN group. When you remove the last VLAN from the VLAN group, the VLAN group is deleted.

A maximum of 100 VLAN groups can be configured, and a maximum of 4094 VLANs can be mapped to a VLAN group.

This example shows how to map VLANs 7 through 9 and 11 to a VLAN group:

Device(config)# vlan group group1 vlan-list 7-9,11

This example shows how to remove VLAN 7 from the VLAN group:

Device(config)# no vlan group group1 vlan-list 7

Bias-Free Language

Results

Chapter: Security

Security

aaa accounting

Syntax Description

Command Default

Command Modes

Command History

Usage Guidelines

aaa accounting dot1x

Syntax Description

Command Default

Command Modes

Command History

Usage Guidelines

aaa accounting identity

Syntax Description

Command Default

Command Modes

Command History

Usage Guidelines

aaa authentication dot1x

Syntax Description

Command Default

Command Modes

Command History

Usage Guidelines

aaa authorization

Syntax Description

Command Default

Command Modes

Command History

Usage Guidelines

aaa new-model

Syntax Description

Command Default

Command Modes

Command History

Usage Guidelines

Related Commands

aaa policy interface-config allow-subinterface

Syntax Description

Command Modes

Command History

Usage Guidelines

Related Commands

access-session mac-move deny

Syntax Description

Command Default

Command Modes

Command History

Usage Guidelines

Related Commands

access-session template monitor

Syntax Description

Command Default

Command Modes

Command History

Usage Guidelines

Related Commands

action

Syntax Description

Command Default

Command Modes

Command History

Usage Guidelines

authentication host-mode

Syntax Description

Command Default

Command Modes

Command History

Usage Guidelines

authentication mac-move permit

Syntax Description

Command Default

Command Modes

Command History

Usage Guidelines