Usage Guidelines

The GTK used for each mobile device should be different from every GTK used for the other mobile devices associated to the BSS.

Usage Guidelines

The icon must be configured under the hotspot ANQP server.

Usage Guidelines

Prior to Cisco IOS XE Amsterdam 17.3.1, only one inner EAP authentication method was allowed. For example, inner-auth-eap eap-aka. If you use multiple inner EAP authentication methods such as inner-auth-eap eap-aka and inner-auth-eap eap-fast, then only the last method is used, and previous one was discarded. From Cisco IOS XE Amsterdam 17.3.1 onwards, you can configure multiple inner EAP authentication methods. For an example, see the code snippet given below:

wireless hotspot anqp-server my_anqp
nai-realm myvenue.cisco.com
eap-method eap-aka
credential certificate
credential usim
inner-auth-eap eap-aka
inner-auth-eap eap-fast
inner-auth-non-eap chap
inner-auth-non-eap pap
tunneled-eap-credential anonymous
tunneled-eap-credential softoken

Usage Guidelines

The install abort command ensures that the APs with or without the predownload image do not reboot and continue to have the image in their partition.

Usage Guidelines

SVIs are created the first time you enter the interface vlan vlan-id command for a particular VLAN. The vlan-id corresponds to the VLAN-tag associated with data frames on an IEEE 802.1Q encapsulated trunk or the VLAN ID configured for an access port.

Note	When you create an SVI, it does not become active until it is associated with a physical port.

If you delete an SVI using the no interface vlan vlan-id command, it is no longer visible in the output from the show interfaces privileged EXEC command.

Note	You cannot delete the VLAN 1 interface.

You can reinstate a deleted SVI by entering the interface vlan vlan-id command for the deleted interface. The interface comes back up, but the previous configuration is gone.

The interrelationship between the number of SVIs configured on a chassis or a chassis stack and the number of other features being configured might have an impact on CPU utilization due to hardware limitations. You can use the sdm prefer global configuration command to reallocate system hardware resources based on templates and feature tables.

You can verify your setting by entering the show interfaces and show interfaces vlan vlan-id privileged EXEC commands.

Usage Guidelines

You must disable the WLAN before using this command. See Related Commands section for more information on how to disable a WLAN.

Usage Guidelines

An interface can have one primary IP address and multiple secondary IP addresses. Packets generated by the Cisco IOS software always use the primary IP address. Therefore, all devices and access servers on a segment should share the same primary network number.

Hosts can determine subnet masks using the Internet Control Message Protocol (ICMP) mask request message. Devices respond to this request with an ICMP mask reply message.

You can disable IP processing on a particular interface by removing its IP address with the no ip address command. If the software detects another host using one of its IP addresses, it will print an error message on the console.

The optional secondary keyword allows you to specify an unlimited number of secondary addresses. Secondary addresses are treated like primary addresses, except the system never generates datagrams other than routing updates with secondary source addresses. IP broadcasts and Address Resolution Protocol (ARP) requests are handled properly, as are interface routes in the IP routing table.

Secondary IP addresses can be used in a variety of situations. The following are the most common applications:

• There may not be enough host addresses for a particular network segment. For example, your subnetting allows up to 254 hosts per logical subnet, but on one physical subnet you need 300 host addresses. Using secondary IP addresses on the devices or access servers allows you to have two logical subnets using one physical subnet.

• Many older networks were built using Level 2 bridges. The judicious use of secondary addresses can aid in the transition to a subnetted, device-based network. Devices on an older, bridged segment can be easily made aware that many subnets are on that segment.

• Two subnets of a single network might otherwise be separated by another network. This situation is not permitted when subnets are in use. In these instances, the first network is extended , or layered on top of the second network using secondary addresses.

Note

If any device on a network segment uses a secondary address, all other devices on that same segment must also use a secondary address from the same network or subnet. Inconsistent use of secondary addresses on a network segment can very quickly cause routing loops. When you are routing using the Open Shortest Path First (OSPF) algorithm, ensure that all secondary addresses of an interface fall into the same OSPF area as the primary addresses. If you configure a secondary IP address, you must disable sending ICMP redirect messages by entering the no ip redirects command, to avoid high CPU utilization.

Usage Guidelines

This command is only available in the following releases: Cisco IOS XE Amsterdam 17.3.5 and later, Cisco IOS XE Bengaluru 17.6.3 and later, and Cisco IOS XE Cupertino 17.8.1 and above.

For RLAN, the default values are used. You cannot change the values using this command.

Usage Guidelines

The ip admission command applies a web authentication rule to a switch port.

Usage Guidelines

During execution of this command, the configuration mode changes to DHCP pool configuration mode, which is identified by the (config-dhcp)# prompt. In this mode, the administrator can configure pool parameters, like the IP subnet number and default router list.

Usage Guidelines

The ip dhcp-relay information option server-override command adds the following suboptions into the relay agent information option when DHCP broadcasts are forwarded by the relay agent from clients to a DHCP server:

• Server ID override suboption

• Link selection suboption

When this command is configured, the gateway address (giaddr) will be set to the IP address of the outgoing interface, which is the interface that is reachable by the DHCP server.

If the ip dhcp relay information option server-id-override command is configured on an interface, it overrides the global configuration on that interface only.

Usage Guidelines

The ip dhcp-relay source-interface command allows the network administrator to specify a stable, hardware-independent IP address (such as a loopback interface) for the relay agent to use as a source IP address for relayed messages.

If the ip dhcp-relay source-interface global configuration command is configured and the ip dhcp relay source-interface command is also configured, the ip dhcp relay source-interface command takes precedence over the global configuration command. However, the global configuration is applied to interfaces without the interface configuration.

Usage Guidelines

Usage Guidelines

If this command is enabled on a device and you execute the show tcp brief command, the output may be displayed very slowly.

When both IP and ISO CLNS are enabled on a device, the ip domain lookup nsap command allows you to discover a CLNS address without having to specify a full CLNS address, given a hostname.

This command is useful for the ping (ISO CLNS) command, and for CLNS Telnet connections.

If you configure the ip domain lookup source-interface interface-type-number command on a Layer 3 physical interface, note the following: If the port mode is changed or in case of a device reload, the command is automatically removed from running configuration (Refer to the output of the show running-configuration privileged EXEC command when this happens). Removal of the command causes DNS queries that use the specified source interface, to be dropped. The only available workaround is to reconfigure the command. Starting with Cisco IOS XE Dublin 17.12.1, this issue is resolved.

Usage Guidelines

The ip forward-protocol command along with the ip helper-address command allows you to control broadcast packets and protocols that are forwarded.

One common application that requires helper addresses is DHCP, which is defined in RFC 1531. To enable BOOTP or DHCP broadcast forwarding for a set of clients, configure a helper address on the router interface connected to the client. The helper address must specify the address of the BOOTP or DHCP server. If you have multiple servers, configure one helper address for each server.

The following conditions must be met for a UDP or IP packet to be able to use the ip helper-address command:

• The MAC address of the received frame must be all-ones broadcast address (ffff.ffff.ffff).

• The IP destination address must be one of the following: all-ones broadcast (255.255.255.255), subnet broadcast for the receiving interface, or major-net broadcast for the receiving interface if the no ip classless command is also configured.

• The IP time-to-live (TTL) value must be at least 2.

• The IP protocol must be UDP (17).

• The UDP destination port must be for TFTP, Domain Name System (DNS), Time, NetBIOS, ND, BOOTP or DHCP packet, or a UDP port specified by the ip forward-protocol udp command in global configuration mode.

If the DHCP server resides in a VPN or global space that is different from the interface VPN, then the vrf name or the global option allows you to specify the name of the VRF or global space in which the DHCP server resides.

The ip helper-address vrf name address option uses the address associated with the VRF name regardless of the VRF of the incoming interface. If the ip helper-address vrf name address command is configured and later the VRF is deleted from the configuration, then all IP helper addresses associated with that VRF name will be removed from the interface configuration.

If the ip helper-address address command is already configured on an interface with no VRF name configured, and later the interface is configured with the ip helper-address vrf name address command, then the previously configured ip helper-address address command is considered to be global.

Note	The ip helper-address command does not work on an X.25 interface on a destination router because the router cannot determine if the packet was intended as a physical broadcast.

The service dhcp command must be configured on the router to enable IP helper statements to work with DHCP. If the command is not configured, the DHCP packets will not be relayed through the IP helper statements. The service dhcp command is configured by default.

Usage Guidelines

The ip http authentication command specifies the authentication method to be used for login when a client connects to the HTTP server. Use of the aaa option is recommended. The enable, local, and tacacs methods should be specified using the aaa authentication login command.

The “enable” password method is the default HTTP server authentication method. If the enable password is used as the HTTP server login authentication method, the client connects to the HTTP server with a default privilege level of 15.

Usage Guidelines

Use the ip http active-session-modules command to selectively enable HTTP applications, for servicing incoming HTTP requests from remote clients. With this command, a selected list of applications can be enabled. All the applications can be enabled or none of the applications can be enabled, in other words, all disabled. Use the ip http session-module-list command to define a list of HTTP or secure HTTP (HTTPS) application names to be enabled. If an HTTP request is made for a service that is disabled, a 404 error message is displayed in the remote client browser.

Usage Guidelines

This command allows you to restrict the list of CipherSuites (encryption algorithms) that the client offers when connecting to a secure HTTP server. For example, you may want to allow only the most secure CipherSuites to be used.

Unless you have a reason to specify the CipherSuites that should be used, or you are unfamiliar with the details of these CipherSuites, you should leave this command unconfigured and let the server and client negotiate the CipherSuite that they both support (this is the default). The no form of this command returns the list of available CipherSuites to the default (that is, all CipherSuites supported on your device are available for negotiation).

Usage Guidelines

This command is used to restrict the list of CipherSuites (encryption algorithms) that should be used for encryption over the HTTPS connection. For example, you may want to allow only the most secure CipherSuites to be used.

Unless you have a reason to specify the CipherSuites that should be used, or you are unfamiliar with the details of these CipherSuites, you should leave this command unconfigured and let the server and client negotiate the CipherSuite that they both support (this is the default).

The supported CipherSuites vary by Cisco IOS software image. For example, “IP Sec56” (“k8”) images support only the SSL_RSA_WITH_DES_CBC_SHA CipherSuite in Cisco IOS Release 12.2(15)T.

In terms of router processing load (speed), the following list ranks the CipherSuites from fastest to slowest (slightly more processing time is required for the more secure and more complex CipherSuites):

1. SSL_RSA_WITH_DES_CBC_SHA

2. SSL_RSA_WITH_RC4_128_MD5

3. SSL_RSA_WITH_RC4_128_SHA

4. SSL_RSA_WITH_3DES_EDE_CBC_SHA

Additional information about these CipherSuites can be found online from sources that document the Secure Sockets Layer (SSL) 3.0 protocol.

Usage Guidelines

The HTTPS server uses the Secure Sockets Layer (SSL) version 3.0 protocol.

Caution

When enabling an HTTPS server, you should always disable the standard HTTP server to prevent unsecured connections to the same services. Disable the standard HTTP server using the no ip http server command in global configuration mode (this step is precautionary; typically, the HTTP server is disabled by default).

If a certificate authority (CA) is used for certification, you should declare the CA trustpoint on the routing device before enabling the HTTPS server.

To close HTTP/TCP port 8090, you must disable both the HTTP and HTTPS servers. Enter the no http server and the no http secure-server commands, respectively.

Usage Guidelines

The command enables both IPv4 and IPv6 access to the HTTP server. However, an access list configured with the ip http access-class command is applied only to IPv4 traffic. IPv6 traffic filtering is not supported.

Caution

The standard HTTP server and the secure HTTP (HTTPS) server can run on a system at the same time. If you enable the HTTPS server using the ip http secure-server command, disable the standard HTTP server using the no ip http server command to ensure that secure data cannot be accessed through the standard HTTP connection.

To close HTTP/TCP port 8090, you must disable both the HTTP and HTTPS servers. Enter the no http server and the no http secure-server commands, respectively.

Usage Guidelines

Use this command to define a list of HTTP or HTTPS application names. The defined list can then be used by the ip http active-session-modules or ip http secure-active-session-modules commands to selectively enable HTTP or HTTPS applications, respectively, for servicing incoming HTTP and HTTPS requests from remote clients.

When defining a list of HTTP or HTTPS application names, use the following guidelines:

• A maximum of four lists can be defined on a controller. Attempts to define more than four lists will fail and an error message will be displayed stating the limit restrictions.

• An existing list can be removed using the no ip http session-module-list command.

• You cannot reconfigure an existing list. Instead of reconfiguring an existing list, remove the existing list and create a new list with the same name.

• There is no limit to how many application names can be in the list. However, the maximum number of sessions that can be registered with the Cisco IOS HTTP or HTTPS server is 32.

Usage Guidelines

When IGMP snooping is enabled globally, it is enabled in all of the existing VLAN interfaces. When IGMP snooping is globally disabled, it is disabled on all of the existing VLAN interfaces.

VLAN IDs 1002 to 1005 are reserved for Token Ring and FDDI VLANs, and cannot be used in IGMP snooping.

Usage Guidelines

When non-Cisco WGB devices (that do not perform a dot11 association for the wired clients behind them) are connected to a Cisco Catalyst 9800 Series Wireless Controller, the wired clients behind the WGB may not get IP addresses. In such instances, run no ip mac-binding and ipv4 dhcp required commands on the policy profile. The ipv4 dhcp required command ensures that the WGB device performs a DHCP to get the IP address. Besides, you must also enable Passive Client feature and ARP broadcast on the client VLAN.

If WGB and Wired client are configured with Static IP address, then the data received from WGB will not be forwarded. We recommend that you enable DHCP on the WGB (enabling DHCP on the wired client is optional).

A sample configuration is given below:

Device# configure terminal
Device(config)# wireless profile policy default-policy-profile
Device(config-wireless-policy)# ipv4 dhcp required
Device(config-wireless-policy)# no ip mac-binding
Device(config-wireless-policy)# passive-client
Device(config-wireless-policy)# exit
Device(config)# vlan configuration 1
Device(config-vlan)# arp broadcast

Usage Guidelines

None

Usage Guidelines

Usage Guidelines

Before you configure SSH on your router, you must enable the SSH server using the crypto key generate rsa command.

Usage Guidelines

You can use this command with the 2 keyword to ensure that your router will not inadvertently establish a weaker SSH Version 1 connection.

Usage Guidelines

Use this command to change the default blocksize to decrease the image download time.

Usage Guidelines

To enable IP source guard with source IP address filtering, use the ip verify source interface configuration command.

Usage Guidelines

Proxy-ARP is applicable to only in central switching mode.

Usage Guidelines

IPv6 ACLs are defined by using the ipv6 access-list command in global configuration mode and their permit and deny conditions are set by using the deny and permit commands in IPv6 access list configuration mode. Configuring the ipv6 access-list command places the device in IPv6 access list configuration mode--the device prompt changes to Device(config-ipv6-acl)#. From IPv6 access list configuration mode, permit and deny conditions can be set for the defined IPv6 ACL.

Note	IPv6 ACLs are defined by a unique name (IPv6 does not support numbered ACLs). An IPv4 ACL and an IPv6 ACL cannot share the same name.

IPv6 is automatically configured as the protocol type in permit any any and deny any any statements that are translated from global configuration mode to IPv6 access list configuration mode.

Every IPv6 ACL has implicit permit icmp any any nd-na , permit icmp any any nd-ns , and deny ipv6 any any statements as its last match conditions. (The former two match conditions allow for ICMPv6 neighbor discovery.) An IPv6 ACL must contain at least one entry for the implicit deny ipv6 any any statement to take effect. The IPv6 neighbor discovery process makes use of the IPv6 network layer service; therefore, by default, IPv6 ACLs implicitly allow IPv6 neighbor discovery packets to be sent and received on an interface. In IPv4, the Address Resolution Protocol (ARP), which is equivalent to the IPv6 neighbor discovery process, makes use of a separate data link layer protocol; therefore, by default, IPv4 ACLs implicitly allow ARP packets to be sent and received on an interface.

Use the ipv6 traffic-filter interface configuration command with the access-list-name argument to apply an IPv6 ACL to an IPv6 interface. Use the ipv6 access-class line configuration command with the access-list-name argument to apply an IPv6 ACL to incoming and outgoing IPv6 virtual terminal connections to and from the device.

An IPv6 ACL applied to an interface with the ipv6 traffic-filter command filters traffic that is forwarded, not originated, by the device.

Usage Guidelines

The ipv6 address command allows multiple IPv6 addresses to be configured on an interface in various different ways, with varying options. The most common way is to specify the IPv6 address with the prefix length.

Addresses may also be defined using the general prefix mechanism, which separates the aggregated IPv6 prefix bits from the subprefix and host bits. In this case, the leading bits of the address are defined in a general prefix, which is globally configured or learned (for example, through use of Dynamic Host Configuration Protocol-Prefix Delegation (DHCP-PD)), and then applied using the prefix-name argument. The subprefix bits and host bits are defined using the sub-bits argument.

Using the no ipv6 address autoconfig command without arguments removes all IPv6 addresses from an interface.

IPv6 link-local addresses must be configured and IPv6 processing must be enabled on an interface by using the ipv6 address link-local command.

Usage Guidelines

Use the ipv6 dhcp pool command to create a DHCP for IPv6 server configuration information pool. When the ipv6 dhcp pool command is enabled, the configuration mode changes to DHCP for IPv6 pool configuration mode. In this mode, the administrator can configure pool parameters, such as prefixes to be delegated and Domain Name System (DNS) servers, using the following commands:

• address prefix IPv6-prefix [lifetime {valid-lifetime preferred-lifetime | infinite }] sets an address prefix for address assignment. This address must be in hexadecimal, using 16-bit values between colons.

• link-address IPv6-prefix sets a link-address IPv6 prefix. When an address on the incoming interface or a link-address in the packet matches the specified IPv6-prefix, the server uses the configuration information pool. This address must be in hexadecimal, using 16-bit values between colons.

• vendor-specific vendor-id enables DHCPv6 vendor-specific configuration mode. Specify a vendor identification number. This number is the vendor IANA Private Enterprise Number. The range is 1 to 4294967295. The following configuration command is available:

  • suboption number sets vendor-specific suboption number. The range is 1 to 65535. You can enter an IPv6 address, ASCII text, or a hex string as defined by the suboption parameters.

Note	The hex value used under the suboption keyword allows users to enter only hex digits (0-f). Entering an invalid hex value does not delete the previous configuration.

Once the DHCP for IPv6 configuration information pool has been created, use the ipv6 dhcp server command to associate the pool with a server on an interface. If you do not configure an information pool, you need to use the ipv6 dhcp server interface configuration command to enable the DHCPv6 server function on an interface.

When you associate a DHCPv6 pool with an interface, only that pool services requests on the associated interface. The pool also services other interfaces. If you do not associate a DHCPv6 pool with an interface, it can service requests on any interface.

Not using any IPv6 address prefix means that the pool returns only configured options.

The link-address command allows matching a link-address without necessarily allocating an address. You can match the pool from multiple relays by using multiple link-address configuration commands inside a pool.

Since a longest match is performed on either the address pool information or the link information, you can configure one pool to allocate addresses and another pool on a subprefix that returns only configured options.

Usage Guidelines

The ipv6 enable command automatically configures an IPv6 link-local unicast address on the interface while also enabling the interface for IPv6 processing. The no ipv6 enable command does not disable IPv6 processing on an interface that is configured with an explicit IPv6 address.

Usage Guidelines

DAD proxy is applicable only in central switching mode.