IP Security Options Commands
ErrorMessage : Error while constructing the Hinav

null
Downloads: This chapterpdf (PDF - 294.0KB) | Feedback

IP Security Options Commands

Table Of Contents

IP Security Options Commands

dnsix-dmdp retries

dnsix-nat authorized-redirection

dnsix-nat primary

dnsix-nat secondary

dnsix-nat source

dnsix-nat transmit-count

ip security add

ip security aeso

ip security dedicated

ip security eso-info

ip security eso-max

ip security eso-min

ip security extended-allowed

ip security first

ip security ignore-authorities

ip security ignore-cipso

ip security implicit-labelling

ip security multilevel

ip security reserved-allowed

ip security strip

show dnsix


IP Security Options Commands


This chapter describes IP Security Options (IPSO) commands. IPSO is generally used to comply with the U.S. government's Department of Defense security policy.

To find complete descriptions of other commands used when configuring IPSO, refer to the Cisco IOS Command Reference Master Index or search online.

For IPSO configuration information, refer to the "Configuring IP Security Options" chapter in the
Cisco IOS Security Configuration Guide.

dnsix-dmdp retries

To set the retransmit count used by the Department of Defense Intelligence Information System Network Security for Information Exchange (DNSIX) Message Delivery Protocol (DMDP), use the dnsix-dmdp retries command in global configuration mode. To restore the default number of retries, use the no form of this command.

dnsix-dmdp retries count

no dnsix-dmdp retries count

Syntax Description

count

Number of times DMDP will retransmit a message. It can be an integer from 0 to 200. The default is 4 retries, or until acknowledged.


Defaults

Retransmits messages up to 4 times, or until acknowledged.

Command Modes

Global configuration

Command History

Release
Modification

10.0

This command was introduced.


Examples

The following example sets the number of times DMDP will attempt to retransmit a message to 150:

dnsix-dmdp retries 150

Related Commands

Command
Description

dnsix-nat authorized-redirection

Specifies the address of a collection center that is authorized to change the primary and secondary addresses of the host to receive audit messages.

dnsix-nat primary

Specifies the IP address of the host to which DNSIX audit messages are sent.

dnsix-nat secondary

Specifies an alternate IP address for the host to which DNSIX audit messages are sent.

dnsix-nat source

Starts the audit-writing module and defines audit trail source address.

dnsix-nat transmit-count

Causes the audit-writing module to collect multiple audit messages in the buffer before sending the messages to a collection center.


dnsix-nat authorized-redirection

To specify the address of a collection center that is authorized to change the primary and secondary addresses of the host to receive audit messages, use the dnsix-nat authorized-redirection global configuration command. To delete an address, use the no form of this command.

dnsix-nat authorized-redirection ip-address

no dnsix-nat authorized-redirection ip-address

Syntax Description

ip-address

IP address of the host from which redirection requests are permitted.


Defaults

An empty list of addresses.

Command Modes

Global configuration

Command History

Release
Modification

10.0

This command was introduced.


Usage Guidelines

Use multiple dnsix-nat authorized-redirection commands to specify a set of hosts that are authorized to change the destination for audit messages. Redirection requests are checked against the configured list, and if the address is not authorized the request is rejected and an audit message is generated. If no address is specified, no redirection messages are accepted.

Examples

The following example specifies that the address of the collection center that is authorized to change the primary and secondary addresses is 192.168.1.1:

dnsix-nat authorization-redirection 192.168.1.1.

dnsix-nat primary

To specify the IP address of the host to which Department of Defense Intelligence Information System Network Security for Information Exchange (DNSIX) audit messages are sent, use the dnsix-nat primary command in global configuration mode. To delete an entry, use the no form of this command.

dnsix-nat primary ip-address

no dnsix-nat primary ip-address

Syntax Description

ip-address

IP address for the primary collection center.


Defaults

Messages are not sent.

Command Modes

Global configuration

Command History

Release
Modification

10.0

This command was introduced.


Usage Guidelines

An IP address must be configured before audit messages can be sent.

Examples

The following example configures an IP address as the address of the host to which DNSIX audit messages are sent:

dnsix-nat primary 172.1.1.1

dnsix-nat secondary

To specify an alternate IP address for the host to which Department of Defense Intelligence Information System Network Security for Information Exchange (DNSIX) audit messages are sent, use the dnsix-nat secondary command in global configuration mode. To delete an entry, use the no form of this command.

dnsix-nat secondary ip-address

no dnsix-nat secondary ip-address

Syntax Description

ip-address

IP address for the secondary collection center.


Defaults

No alternate IP address is known.

Command Modes

Global configuration

Command History

Release
Modification

10.0

This command was introduced.


Usage Guidelines

When the primary collection center is unreachable, audit messages are sent to the secondary collection center instead.

Examples

The following example configures an IP address as the address of an alternate host to which DNSIX audit messages are sent:

dnsix-nat secondary 192.168.1.1

dnsix-nat source

To start the audit-writing module and to define the audit trail source address, use the dnsix-nat source command in global configuration mode. To disable the Department of Defense Intelligence Information System Network Security for Information Exchange (DNSIX) audit trail writing module, use the no form of this command.

dnsix-nat source ip-address

no dnsix-nat source ip-address

Syntax Description

ip-address

Source IP address for DNSIX audit messages.


Defaults

Disabled

Command Modes

Global configuration

Command History

Release
Modification

10.0

This command was introduced.


Usage Guidelines

You must issue the dnsix-nat source command before any of the other dnsix-nat commands. The configured IP address is used as the source IP address for DMDP protocol packets sent to any of the collection centers.

Examples

The following example enables the audit trail writing module, and specifies that the source IP address for any generated audit messages should be the same as the primary IP address of Ethernet interface 0:

dnsix-nat source 192.168.2.5 
interface ethernet 0 
 ip address 192.168.2.5 255.255.255.0

dnsix-nat transmit-count

To have the audit writing module collect multiple audit messages in the buffer before sending the messages to a collection center, use the dnsix-nat transmit-count command in global configuration mode. To revert to the default audit message count, use the no form of this command.

dnsix-nat transmit-count count

no dnsix-nat transmit-count count

Syntax Description

count

Number of audit messages to buffer before transmitting to the server. It can be an integer from 1 to 200.


Defaults

One message is sent at a time.

Command Modes

Global configuration

Command History

Release
Modification

10.0

This command was introduced.


Usage Guidelines

An audit message is sent as soon as the message is generated by the IP packet-processing code. The audit writing module can, instead, buffer up to several audit messages before transmitting to a collection center.

Examples

The following example configures the system to buffer five audit messages before transmitting them to a collection center:

dnsix-nat transmit-count 5

ip security add

To add a basic security option to all outgoing packets, use the ip security add command in interface configuration mode. To disable the adding of a basic security option to all outgoing packets, use the no form of this command.

ip security add

no ip security add

Syntax Description

This command has no arguments or keywords.

Defaults

Disabled, when the security level of the interface is "Unclassified Genser" (or unconfigured). Otherwise, the default is enabled.

Command Modes

Interface configuration

Command History

Release
Modification

10.0

This command was introduced.


Usage Guidelines

If an outgoing packet does not have a security option present, this interface configuration command will add one as the first IP option. The security label added to the option field is the label that was computed for this packet when it first entered the router. Because this action is performed after all the security tests have been passed, this label will either be the same or will fall within the range of the interface.

Examples

The following example adds a basic security option to each packet leaving Ethernet interface 0:

interface ethernet 0
 ip security add

Related Commands

Command
Description

ip security dedicated

Sets the level of classification and authority on the interface.

ip security extended-allowed

Accepts packets on an interface that has an Extended Security Option present.

ip security first

Prioritizes the presence of security options on a packet.

ip security ignore-authorities

Causes the Cisco IOS software to ignore the authorities field of all incoming packets.

ip security implicit-labelling

Forces the Cisco IOS software to accept packets on the interface, even if they do not include a security option.

ip security multilevel

Sets the range of classifications and authorities on an interface.

ip security reserved-allowed

Treats as valid any packets that have Reserved1 through Reserved4 security levels.

ip security strip

Removes any basic security option on outgoing packets on an interface.


ip security aeso

To attach Auxiliary Extended Security Options (AESOs) to an interface, use the ip security aeso command in interface configuration mode. To disable AESO on an interface, use the no form of this command.

ip security aeso source compartment-bits

no ip security aeso source compartment-bits

Syntax Description

source

Extended Security Option (ESO) source. This can be an integer from 0 to 255.

compartment-bits

Number of compartment bits in hexadecimal.


Defaults

Disabled

Command Modes

Interface configuration

Command History

Release
Modification

10.0

This command was introduced.


Usage Guidelines

Compartment bits are specified only if this AESO is to be inserted in a packet. On every incoming packet at this level on this interface, these AESOs should be present.

Beyond being recognized, no further processing of AESO information is performed. AESO contents are not checked and are assumed to be valid if the source is listed in the configurable AESO table.

Configuring any per-interface extended IP Security Option (IPSO) information automatically enables ip security extended-allowed (disabled by default).

Examples

The following example defines the Extended Security Option source as 5 and sets the compartments bits to 5:

interface ethernet 0
 ip security aeso 5 5 

Related Commands

Command
Description

ip security eso-info

Configures system-wide defaults for extended IPSO information.

ip security eso-max

Specifies the maximum sensitivity level for an interface.

ip security eso-min

Configures the minimum sensitivity level for an interface.

ip security extended-allowed

Accepts packets on an interface that has an Extended Security Option present.


ip security dedicated

To set the level of classification and authority on the interface, use the ip security dedicated command in interface configuration mode. To reset the interface to the default classification and authorities, use the no form of this command.

ip security dedicated level authority [authority...]

no ip security dedicated level authority [authority...]

Syntax Description

level

Degree of sensitivity of information. The level keywords are listed in Table 29.

authority

Organization that defines the set of security levels that will be used in a network. The authority keywords are listed in Table 30.


Defaults

Disabled

Command Modes

Interface configuration

Command History

Release
Modification

10.0

This command was introduced.


Usage Guidelines

All traffic entering the system on this interface must have a security option that exactly matches this label. Any traffic leaving via this interface will have this label attached to it.

The following definitions apply to the descriptions of the IP Security Option (IPSO) in this section:

level—The degree of sensitivity of information. For example, data marked TOPSECRET is more sensitive than data marked SECRET. The level keywords and their corresponding bit patterns are shown in Table 29.

Table 29 IPSO Level Keywords and Bit Patterns 

Level Keyword
Bit Pattern

Reserved4

0000 0001

TopSecret

0011 1101

Secret

0101 1010

Confidential

1001 0110

Reserved3

0110 0110

Reserved2

1100 1100

Unclassified

1010 1011

Reserved1

1111 0001


authority—An organization that defines the set of security levels that will be used in a network. For example, the Genser authority consists of level names defined by the U.S. Defense Communications Agency (DCA). The authority keywords and their corresponding bit patterns are shown in Table 30.

Table 30 IPSO Authority Keywords and Bit Patterns 

Authority Keyword
Bit Pattern

Genser

1000 0000

Siop-Esi

0100 0000

DIA

0010 0000

NSA

0001 0000

DOE

0000 1000


label—A combination of a security level and an authority or authorities.

Examples

The following example sets a confidential level with Genser authority:

ip security dedicated confidential Genser

Related Commands

Command
Description

ip security add

Adds a basic security option to all outgoing packets.

ip security extended-allowed

Accepts packets on an interface that has an Extended Security Option present.

ip security first

Prioritizes the presence of security options on a packet.

ip security ignore-authorities

Causes the Cisco IOS software to ignore the authorities field of all incoming packets.

ip security implicit-labelling

Forces the Cisco IOS software to accept packets on the interface, even if they do not include a security option.

ip security multilevel

Sets the range of classifications and authorities on an interface.

ip security reserved-allowed

Treats as valid any packets that have Reserved1 through Reserved4 security levels.

ip security strip

Removes any basic security option on outgoing packets on an interface.


ip security eso-info

To configure system-wide defaults for extended IP Security Option (IPSO) information, use the ip security eso-info command in global configuration mode. To return to the default settings, use the no form of this command.

ip security eso-info source compartment-size default-bit

no ip security eso-info source compartment-size default-bit

Syntax Description

source

Hexadecimal or decimal value representing the extended IPSO source. This is an integer from 0 to 255.

compartment-size

Maximum number of bytes of compartment information allowed for a particular extended IPSO source. This is an integer from 1 to 16.

default-bit

Default bit value for any unsent compartment bits.


Defaults

Disabled

Command Modes

Global configuration

Command History

Release
Modification

10.0

This command was introduced.


Usage Guidelines

This command configures Extended Security Option (ESO) information, including Auxiliary Extended Security Option (AESO). Transmitted compartment information is padded to the size specified by the compartment-size argument.

Examples

The following example sets system-wide defaults for source, compartment size, and the default bit value:

ip security eso-info 100 5 1 

Related Commands

Command
Description

ip security eso-max

Specifies the maximum sensitivity level for an interface.

ip security eso-min

Configures the minimum sensitivity level for an interface.


ip security eso-max

To specify the maximum sensitivity level for an interface, use the ip security eso-max command in interface configuration mode. To return to the default, use the no form of this command.

ip security eso-max source compartment-bits

no ip security eso-max source compartment-bits

Syntax Description

source

Extended Security Option (ESO) source. This is an integer from 1 to 255.

compartment-bits

Number of compartment bits in hexadecimal.


Defaults

Disabled

Command Modes

Interface configuration

Command History

Release
Modification

10.0

This command was introduced.


Usage Guidelines

The command is used to specify the maximum sensitivity level for a particular interface. Before the per-interface compartment information for a particular Network-Level Extended Security Option (NLESO) source can be configured, the ip security eso-info global configuration command must be used to specify the default information.

On every incoming packet on the interface, these Extended Security Options should be present at the minimum level and should match the configured compartment bits. Every outgoing packet must have these ESOs.

On every packet transmitted or received on this interface, any NLESO sources present in the IP header should be bounded by the minimum sensitivity level and bounded by the maximum sensitivity level configured for the interface.

When transmitting locally generated traffic out this interface, or adding security information (with the ip security add command), the maximum compartment bit information can be used to construct the NLESO sources placed in the IP header.

A maximum of 16 NLESO sources can be configured per interface. Due to IP header length restrictions, a maximum of 9 of these NLESO sources appear in the IP header of a packet.

Examples

In the following example, the specified ESO source is 240 and the compartment bits are specified as 500:

interface ethernet 0
 ip security eso-max 240 500

Related Commands

Command
Description

ip security eso-info

Configures system-wide defaults for extended IPSO information.

ip security eso-min

Configures the minimum sensitivity level for an interface.


ip security eso-min

To configure the minimum sensitivity for an interface, use the ip security eso-min command in interface configuration mode. To return to the default, use the no form of this command.

ip security eso-min source compartment-bits

no ip security eso-min source compartment-bits

Syntax Description

source

Extended Security Option (ESO) source. This is an integer from 1 to 255.

compartment-bits

Number of compartment bits in hexadecimal.


Defaults

Disabled

Command Modes

Interface configuration

Command History

Release
Modification

10.0

This command was introduced.


Usage Guidelines

The command is used to specify the minimum sensitivity level for a particular interface. Before the per-interface compartment information for a particular Network Level Extended Security Option (NLESO) source can be configured, the ip security eso-info global configuration command must be used to specify the default information.

On every incoming packet on this interface, these Extended Security Options should be present at the minimum level and should match the configured compartment bits. Every outgoing packet must have these ESOs.

On every packet transmitted or received on this interface, any NLESO sources present in the IP header should be bounded by the minimum sensitivity level and bounded by the maximum sensitivity level configured for the interface.

When transmitting locally generated traffic out this interface, or adding security information (with the ip security add command), the maximum compartment bit information can be used to construct the NLESO sources placed in the IP header.

A maximum of 16 NLESO sources can be configured per interface. Due to IP header length restrictions, a maximum of 9 of these NLESO sources appear in the IP header of a packet.

Examples

In the following example, the specified ESO source is 5, and the compartment bits are specified as 5:

interface ethernet 0
 ip security eso-min 5 5

Related Commands

Command
Description

ip security eso-info

Configures system-wide defaults for extended IPSO information.

ip security eso-max

Specifies the maximum sensitivity level for an interface.


ip security extended-allowed

To accept packets on an interface that has an extended security option present, use the ip security extended-allowed command in interface configuration mode. To restore the default, use the no form of this command.

ip security extended-allowed

no ip security extended-allowed

Syntax Description

This command has no arguments or keywords.

Defaults

Disabled

Command Modes

Interface configuration

Command History

Release
Modification

10.0

This command was introduced.


Usage Guidelines

Packets containing extended security options are rejected.

Examples

The following example allows interface Ethernet 0 to accept packets that have an extended security option present:

interface ethernet 0
 ip security extended-allowed

Related Commands

Command
Description

ip security add

Adds a basic security option to all outgoing packets.

ip security dedicated

Sets the level of classification and authority on the interface.

ip security first

Prioritizes the presence of security options on a packet.

ip security ignore-authorities

Causes the Cisco IOS software to ignore the authorities field of all incoming packets.

ip security implicit-labelling

Forces the Cisco IOS software to accept packets on the interface, even if they do not include a security option.

ip security multilevel

Sets the range of classifications and authorities on an interface.

ip security reserved-allowed

Treats as valid any packets that have Reserved1 through Reserved4 security levels.

ip security strip

Removes any basic security option on outgoing packets on an interface.


ip security first

To prioritize the presence of security options on a packet, use the ip security first command in interface configuration mode. To prevent packets that include security options from moving to the front of the options field, use the no form of this command.

ip security first

no ip security first

Syntax Description

This command has no arguments or keywords.

Defaults

Disabled

Command Modes

Interface configuration

Command History

Release
Modification

10.0

This command was introduced.


Usage Guidelines

If a basic security option is present on an outgoing packet, but it is not the first IP option, then the packet is moved to the front of the options field when this interface configuration command is used.

Examples

The following example ensures that, if a basic security option is present in the options field of a packet exiting interface Ethernet 0, the packet is moved to the front of the options field:

interface ethernet 0
 ip security first

Related Commands

Command
Description

ip security add

Adds a basic security option to all outgoing packets.

ip security dedicated

Sets the level of classification and authority on the interface.

ip security extended-allowed

Accepts packets on an interface that has an Extended Security Option present.

ip security ignore-authorities

Causes the Cisco IOS software to ignore the authorities field of all incoming packets.

ip security implicit-labelling

Forces the Cisco IOS software to accept packets on the interface, even if they do not include a security option.

ip security multilevel

Sets the range of classifications and authorities on an interface.

ip security reserved-allowed

Treats as valid any packets that have Reserved1 through Reserved4 security levels.

ip security strip

Removes any basic security option on outgoing packets on an interface.


ip security ignore-authorities

To have the Cisco IOS software ignore the authorities field of all incoming packets, use the ip security ignore-authorities command in interface configuration mode. To disable this function, use the no form of this command.

ip security ignore-authorities

no ip security ignore-authorities

Syntax Description

This command has no arguments or keywords.

Defaults

Disabled

Command Modes

Interface configuration

Command History

Release
Modification

10.0

This command was introduced.


Usage Guidelines

When the packet's authority field is ignored, the value used in place of this field is the authority value declared for the specified interface. The ip security ignore-authorities can be configured only on interfaces that have dedicated security levels.

Examples

The following example causes interface Ethernet 0 to ignore the authorities field on all incoming packets:

interface ethernet 0
 ip security ignore-authorities

Related Commands

Command
Description

ip security add

Adds a basic security option to all outgoing packets.

ip security dedicated

Sets the level of classification and authority on the interface.

ip security extended-allowed

Accepts packets on an interface that has an Extended Security Option present.

ip security first

Prioritizes the presence of security options on a packet.

ip security implicit-labelling

Forces the Cisco IOS software to accept packets on the interface, even if they do not include a security option.

ip security multilevel

Sets the range of classifications and authorities on an interface.

ip security reserved-allowed

Treats as valid any packets that have Reserved1 through Reserved4 security levels.

ip security strip

Removes any basic security option on outgoing packets on an interface.


ip security ignore-cipso

To enable Cisco IOS software to ignore the Commercial IP Security Option (CIPSO) field of all incoming packets at the interface, use the ip security ignore-cipso command in interface configuration mode. To disable this function, use the no form of this command.

ip security ignore-cipso

no ip security ignore-cipso

Syntax Description

This command has no arguments or keywords.

Command Default

Cisco IOS software cannot ignore the CIPSO field.

Command Modes

Interface configuration

Command History

Release
Modification

11.2

This command was introduced.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.


Usage Guidelines

The ip security ignore-cipso command allows a router running Cisco IOS software to ignore the CIPSO field in the IP packet and forward the packet as if the field was not present.

Examples

The following example shows how to enable Cisco IOS software to ignore the CIPSO field for all incoming packets at the Ethernet interface:

interface ethernet 0
 ip security ignore-cipso

The following sample output from the show ip interface command can be used to verify that the ip security ignore-cipso option has been enabled. If this option is enabled, the output will display the text "Commercial security options are ignored."

Router# show ip interface ethernet 0

Ethernet0 is up, line protocol is up
Internet address is 172.16.0.0/28
Broadcast address is 255.255.255.255
Address determined by non-volatile memory
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is enabled
Secondary address 172.19.56.31/24
Outgoing access list is not set
Inbound access list is not set
Proxy ARP is enabled
Security level is default
Commercial security options are ignored
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is enabled
IP fast switching on the same interface is disabled
IP multicast fast switching is disabled
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
Probe proxy name replies are disabled
Gateway Discovery is disabled
Policy routing is disabled
Network address translation is disabled 

The following sample outputs from the show ip traffic command can be used to verify that the ip security ignore-cipso command has been enabled:

Sample Output Before the ip security ignore-cipso Command Was Introduced

Router# show ip traffic

IP statistics:
Rcvd: 153 total, 129 local destination
0 format errors, 0 checksum errors, 0 bad hop count
0 unknown protocol, 0 not a gateway
0 security failures, 34 bad options, 44 with options
Opts: 10 end, 0 nop, 0 basic security, 0 loose source route
0 timestamp, 0 extended security, 0 record route
0 stream ID, 0 strict source route, 0 alert, 0 other
Frags: 0 reassembled, 0 timeouts, 0 couldn't reassemble
0 fragmented, 0 couldn't fragment
Bcast: 108 received, 1 sent
Mcast: 0 received, 4 sent
Sent: 30 generated, 0 forwarded
2 encapsulation failed, 0 no route 

Sample Output with the ip security ignore-cipso Command Enabled

Router# show ip traffic

IP statistics:
Rcvd: 153 total, 129 local destination
0 format errors, 0 checksum errors, 0 bad hop count
0 unknown protocol, 0 not a gateway
0 security failures, 34 bad options, 44 with options
Opts: 10 end, 0 nop, 0 basic security, 0 loose source route
0 timestamp, 0 extended security, 0 record route
0 stream ID, 0 strict source route, 0 alert, 44 cipso
0 other
Frags: 0 reassembled, 0 timeouts, 0 couldn't reassemble
0 fragmented, 0 couldn't fragment
Bcast: 108 received, 1 sent
Mcast: 0 received, 4 sent
Sent: 30 generated, 0 forwarded
2 encapsulation failed, 0 no route

Related Commands

Command
Description

show ip interfaces

Displays the usability status of interfaces configured for IP.

show ip traffic

Displays statistics about IP traffic.


ip security implicit-labelling

To force the Cisco IOS software to accept packets on the interface, even if they do not include a security option, use the ip security implicit-labelling command in interface configuration mode. To require security options, use the no form of this command.

ip security implicit-labelling [level authority [authority...]]

no ip security implicit-labelling [level authority [authority...]]

Syntax Description

level

(Optional) Degree of sensitivity of information. If your interface has multilevel security set, you must specify this argument. (See the level keywords listed in Table 29 in the ip security dedicated command section.)

authority

(Optional) Organization that defines the set of security levels that will be used in a network. If your interface has multilevel security set, you must specify this argument. You can specify more than one. (See the authority keywords listed in Table 30 in the ip security dedicated command section.)


Defaults

Enabled, when the security level of the interface is "Unclassified Genser" (or unconfigured). Otherwise, the default is disabled.

Command Modes

Interface configuration

Command History

Release
Modification

10.0

This command was introduced.


Usage Guidelines

If your interface has multilevel security set, you must use the expanded form of the command (with the optional arguments as noted in brackets) because the arguments are used to specify the precise level and authority to use when labeling the packet. If your interface has dedicated security set, the additional arguments are ignored.

Examples

In the following example, an interface is set for security and will accept unlabeled packets:

ip security dedicated confidential genser
ip security implicit-labelling

Related Commands

Command
Description

ip security add

Adds a basic security option to all outgoing packets.

ip security dedicated

Sets the level of classification and authority on the interface.

ip security extended-allowed

Accepts packets on an interface that has an Extended Security Option present.

ip security first

Prioritizes the presence of security options on a packet.

ip security ignore-authorities

Causes the Cisco IOS software to ignore the authorities field of all incoming packets.

ip security multilevel

Sets the range of classifications and authorities on an interface.

ip security reserved-allowed

Treats as valid any packets that have Reserved1 through Reserved4 security levels.

ip security strip

Removes any basic security option on outgoing packets on an interface.


ip security multilevel

To set the range of classifications and authorities on an interface, use the ip security multilevel command in interface configuration mode. To remove security classifications and authorities, use the no form of this command.

ip security multilevel level1 [authority1...] to level2 authority2 [authority2...]

no ip security multilevel

Syntax Description

level1

Degree of sensitivity of information. The classification level of incoming packets must be equal to or greater than this value for processing to occur. (See the level keywords found in Table 29 in the ip security dedicated command section.)

authority1

(Optional) Organization that defines the set of security levels that will be used in a network. The authority bits must be a superset of this value. (See the authority keywords listed in Table 30 in the ip security dedicated command section.)

to

Separates the range of classifications and authorities.

level2

Degree of sensitivity of information. The classification level of incoming packets must be equal to or less than this value for processing to occur. (See the level keywords found in Table 29 in the ip security dedicated command section.)

authority2

Organization that defines the set of security levels that will be used in a network. The authority bits must be a proper subset of this value. (See the authority keywords listed in Table 30 in the ip security dedicated command section.)


Defaults

Disabled

Command Modes

Interface configuration

Command History

Release
Modification

10.0

This command was introduced.


Usage Guidelines

All traffic entering or leaving the system must have a security option that falls within this range. Being within range requires that the following two conditions be met:

The classification level must be greater than or equal to level1 and less than or equal to level2.

The authority bits must be a superset of authority1 and a proper subset of authority2. That is, authority1 specifies those authority bits that are required on a packet, and authority2 specifies the required bits plus any optional authorities that also can be included. If the authority1 field is the empty set, then a packet is required to specify any one or more of the authority bits in authority2.

Examples

The following example specifies levels Unclassified to Secret and NSA authority:

ip security multilevel unclassified to secret nsa

Related Commands

Command
Description

ip security add

Adds a basic security option to all outgoing packets.

ip security dedicated

Sets the level of classification and authority on the interface.

ip security extended-allowed

Accepts packets on an interface that has an Extended Security Option present.

ip security first

Prioritizes the presence of security options on a packet.

ip security ignore-authorities

Causes the Cisco IOS software to ignore the authorities field of all incoming packets.

ip security implicit-labelling

Forces the Cisco IOS software to accept packets on the interface, even if they do not include a security option.

ip security reserved-allowed

Treats as valid any packets that have Reserved1 through Reserved4 security levels.

ip security strip

Removes any basic security option on outgoing packets on an interface.


ip security reserved-allowed

To treat as valid any packets that have Reserved1 through Reserved4 security levels, use the ip security reserved-allowed command in interface configuration mode. To disallow packets that have security levels of Reserved3 and Reserved2, use the no form of this command.

ip security reserved-allowed

no ip security reserved-allowed

Syntax Description

This command has no arguments or keywords.

Defaults

Disabled

Command Modes

Interface configuration

Command History

Release
Modification

10.3

This command was introduced.


Usage Guidelines

When you set multilevel security on an interface, and indicate, for example, that the highest range allowed is Confidential, and the lowest is Unclassified, the Cisco IOS software neither allows nor operates on packets that have security levels of Reserved3 and Reserved2 because they are undefined.

If you use the IP Security Option (IPSO) to block transmission out of unclassified interfaces, and you use one of the Reserved security levels, you must enable this feature to preserve network security.

Examples

The following example allows a security level of Reserved through Ethernet interface 0:

interface ethernet 0
 ip security reserved-allowed

Related Commands

Command
Description

ip security add

Adds a basic security option to all outgoing packets.

ip security dedicated

Sets the level of classification and authority on the interface.

ip security extended-allowed

Accepts packets on an interface that has an Extended Security Option present.

ip security first

Prioritizes the presence of security options on a packet.

ip security ignore-authorities

Causes the Cisco IOS software to ignore the authorities field of all incoming packets.

ip security implicit-labelling

Forces the Cisco IOS software to accept packets on the interface, even if they do not include a security option.

ip security multilevel

Sets the range of classifications and authorities on an interface.

ip security strip

Removes any basic security option on outgoing packets on an interface.


ip security strip

To remove any basic security option on outgoing packets on an interface, use the ip security strip command in interface configuration mode. To restore security options, use the no form of this command.

ip security strip

no ip security strip

Syntax Description

This command has no arguments or keywords.

Defaults

Disabled

Command Modes

Interface configuration

Command History

Release
Modification

10.0

This command was introduced.


Usage Guidelines

The removal procedure is performed after all security tests in the router have been passed. This command is not allowed for multilevel interfaces.

Examples

The following example removes any basic security options on outgoing packets on Ethernet interface 0:

interface ethernet 0
 ip security strip

Related Commands

Command
Description

ip security add

Adds a basic security option to all outgoing packets.

ip security dedicated

Sets the level of classification and authority on the interface.

ip security extended-allowed

Accepts packets on an interface that has an Extended Security Option present.

ip security first

Prioritizes the presence of security options on a packet.

ip security ignore-authorities

Causes the Cisco IOS software to ignore the authorities field of all incoming packets.

ip security implicit-labelling

Forces the Cisco IOS software to accept packets on the interface, even if they do not include a security option.

ip security multilevel

Sets the range of classifications and authorities on an interface.

ip security reserved-allowed

Treats as valid any packets that have Reserved1 through Reserved4 security levels.


show dnsix

To display state information and the current configuration of the DNSIX audit writing module, use the show dnsix command in privileged EXEC mode.

show dnsix

Syntax Description

This command has no arguments or keywords.

Command Modes

Privileged EXEC

Command History

Release
Modification

10.0

This command was introduced.


Examples

The following is sample output from the show dnsix command:

Router# show dnsix
   
Audit Trail Enabled with Source 192.168.2.5 
          State: PRIMARY
          Connected to 192.168.2.4 
          Primary 192.168.2.4 
          Transmit Count 1 
          DMDP retries 4
          Authorization Redirection List:
               192.168.2.4
          Record count: 0 
          Packet Count: 0 
          Redirect Rcv: 0