Cisco IOS Security Command Reference, Release 12.3 T
Security Commands: ip port-map through issuer name

Table Of Contents

ip port-map

ip radius source-interface

ip reflexive-list timeout

ip scp server enable

ip sdee events

ip sdee subscriptions

ip security add

ip security aeso

ip security dedicated

ip security eso-info

ip security eso-max

ip security eso-min

ip security extended-allowed

ip security first

ip security ignore-authorities

ip security ignore-cipso

ip security implicit-labelling

ip security multilevel

ip security reserved-allowed

ip security strip

ip source-track

ip source-track address-limit

ip source-track export-interval

ip source-track syslog-interval

ip ssh

ip ssh break-string

ip ssh port

ip ssh rsa keypair-name

ip ssh source-interface

ip ssh version

ip tacacs source-interface

ip tcp intercept connection-timeout

ip tcp intercept drop-mode

ip tcp intercept finrst-timeout

ip tcp intercept list

ip tcp intercept max-incomplete high

ip tcp intercept max-incomplete low

ip tcp intercept mode

ip tcp intercept one-minute high

ip tcp intercept one-minute low

ip tcp intercept watch-timeout

ip traffic-export apply profile

ip traffic-export profile

ip trigger-authentication (global)

ip trigger-authentication (interface)

ip urlfilter alert

ip urlfilter allowmode

ip urlfilter audit-trail

ip urlfilter cache

ip urlfilter exclusive-domain

ip urlfilter max-request

ip urlfilter max-resp-pak

ip urlfilter server vendor

ip urlfilter urlf-server-log

ip verify unicast source reachable-via

ip virtual-reassembly

ip vrf forwarding (server-group)

isakmp authorization list

issuer-name


ip port-map

To establish port-to-application mapping (PAM), use the ip port-map command in global configuration mode. To delete user-defined PAM entries, use the no form of this command.

ip port-map appl-name port [tcp | udp] [ port_num | from begin_port_num to end_port_num] [list acl-num] [description description_string]

no ip port-map appl-name port [tcp | udp] [ port_num | from begin_port_num to end_port_num] [list acl-num] [description description_string]

Syntax Description

appl-name

Specifies the name of the application with which to apply the port mapping. An application name can contain an underscore or a hyphen. An application can also be system or user-defined. However, a user-defined application must have the prefix user- in it; for example, user-payroll, user-sales, or user-10. Otherwise, the following error message appears: "Unable to add port-map entry. Names for user-defined applications must start with 'user-'."

port

Indicates that a port number maps to the application. You can specify up to five port numbers for each port.

tcp | udp

(Optional) Specifies the protocol for the application. For well-known applications (and those existing already under PAM), you can omit these keywords and the system assumes the standard protocol for that application. However, for user-defined applications, you must specify either tcp or udp.

port_num

(Optional) Identifies a port number in the range 1 to 65535.

from begin_port_num to end_port_num

(Optional) Specifies a range of port numbers. You must use the from and to keywords together.

list acl-num

(Optional) Indicates that the port mapping information applies to a specific host or subnet by associating it to an access control list (ACL) number used with PAM.

description description_string

(Optional) Specifies a description of up to 40 characters.

Note Write the text string in the following format: "C description_string C," where "C" is a delimiting character.


Defaults

No default behavior or values

Command Modes

Global configuration

Command History

Release
Modification

12.0(5)T

This command was introduced.

12.3(1)

Skinny Client Control Protocol (SCCP) support was added.

12.3(14)T

Support was added for the following:

User-defined application names

User-specified descriptions

Port ranges

tcp and udp keywords

from begin_port_num to end_port_num keyword-argument combination

description description_string keyword-argument combination


Usage Guidelines

The ip port-map command associates TCP or User Datagram Protocol (UDP) port numbers with applications or services, establishing a table of default port mapping information at the firewall. This information is used to support network environments that run services using ports that are different from the registered or well-known ports associated with a service or application.

When you issue the no form of the command, include all the parameters needed to remove the entry matching that specific set of parameters. For example, if you issued no ip port-map appl-name, then all entries for that application are removed.

The port mapping information in the PAM table is of one of three types:

System-defined

User-defined

Host-specific

System-Defined Port Mapping

Initially, PAM creates a set of system-defined entries in the mapping table using well-known or registered port mapping information set up during the system start-up. The Cisco IOS Firewall Context-Based Access Control (CBAC) feature requires the system-defined port mapping information to function properly.

You can delete or modify system-defined port mapping information. Use the no form of the command for deletion and the regular form of the command to remap information to another application.

You can also add new port numbers to system-defined applications. However, for some system-defined applications like HTTP and Simple Mail Transfer Protocol (SMTP), in which the firewall inspects deeper into packets, their protocol (UDP or TCP) cannot be changed from that defined in the system. In those instances, error messages display.

Table 26 lists some default system-defined services and applications in the PAM table. (Use the show ip port-map command for the complete list.)

Table 26 System-Defined Port Mapping 

Application Name
Well-Known or Registered Port Number
Protocol Description

cuseeme

7648

CU-SeeMe Protocol

exec

512

Remote Process Execution

ftp

21

File Transfer Protocol (control port)

h323

1720

H.323 Protocol (for example, MS NetMeeting, Intel Video Phone)

http

80

Hypertext Transfer Protocol

login

513

Remote login

msrpc

135

Microsoft Remote Procedure Call

netshow

1755

Microsoft NetShow

real-audio-video

7070

RealAudio and RealVideo

sccp

2000

Skinny Client Control Protocol (SCCP)

smtp

25

Simple Mail Transfer Protocol (SMTP)

sql-net

1521

SQL-NET

streamworks

1558

StreamWorks Protocol

sunrpc

111

SUN Remote Procedure Call

tftp

69

Trivial File Transfer Protocol

vdolive

7000

VDOLive Protocol



Note You can override system-defined entries for a specific host or subnet using the list acl-num option in the ip port-map command.


User-Defined Port Mapping

Network applications that use nonstandard ports require user-defined entries in the mapping table. Use the ip port-map command to create default user-defined entries in the PAM table. These entries automatically appear as an option for the ip inspect name command to facilitate the creation of inspection rules.

You can specify up to five separate port numbers for each port-map in a single entry. You can also specify a port range in a single entry. However, you may not specify both single port numbers and port ranges in the same entry.


Note If you try to map an application to a system-defined port, a message appears warning you of a mapping conflict. Delete the system-defined entry before mapping it to another application. Deleted system defined mappings appear in the running-configuration in their no ip port-map form.


Use the no form of the ip port-map command to delete user-defined entries from the PAM table. To remove a single mapping, use the no form of the command with all its parameters.

To overwrite an existing user-defined port mapping, use the ip port-map command to associate another service or application with the specific port.

Multiple commands for the same application name are cumulative.

If you assign the same port number to a new application, the new entry replaces the existing entry and it no longer appears in the running configuration. You receive a message about the remapping.

You cannot specify a port number that is in a range assigned to another application; however, you can specify a range that takes over one singly allocated port, or fully overlaps another range.

You cannot specify overlapping port ranges.

Host-Specific Port Mapping

User-defined entries in the mapping table can include host-specific mapping information, which establishes port mapping information for specific hosts or subnets. In some environments, it might be necessary to override the default port mapping information for a specific host or subnet, including a system-defined default port mapping information. Use the list acl-num option for the ip port-map command to specify an ACL for a host or subnet that uses PAM.


Note If the host-specific port mapping information is the same as existing system-defined or user-defined default entries, host-specific port changes have no effect.


Examples

The following example provides examples for adding and removing user-defined PAM configuration entries at the firewall.

In the following example, nonstandard port 8000 is established as the user-defined default port for HTTP services:

ip port-map http port 8000

The following example shows PAM entries that establish a range of nonstandard ports for HTTP services:

ip port-map http 8001
ip port-map http 8002
ip port-map http 8003
ip port-map http 8004

In the following example the command fails because it tries to map port 21, which is the system-defined default port for FTP, with HTTP:

ip port-map http port 21

In the following example, a specific host uses port 8000 for FTP services. ACL 10 identifies the server address (192.168.32.43), while port 8000 is mapped with FTP services:

access-list 10 permit 192.168.32.43
ip port-map ftp port 8000 list 10

In the following example, port 21, which is normally reserved for FTP services, is mapped to the RealAudio application for the hosts in list 10. In this configuration, hosts in list 10 do not recognize FTP activity on port 21.

ip port-map realaudio port 21 list 10 

In the following example, the ip port-map command fails and generates an error message:

ip port-map netshow port 21
Command fail: the port 21 has already been defined for ftp by the system.
              No change can be made to the system defined port mappings.

In the following example, the no form of this command deletes user-defined entries from the PAM table. It has no effect on the system-defined port mappings. This command deletes the host-specific port mapping of FTP.

no ip port-map ftp port 1022 list 10

Note All no forms of the ip port-map command appear before other entries in the running configuration.


In the following example, the command fails because it tries to delete the system-defined default port for HTTP:

no ip port-map http port 80

In the following example, a specific host uses port 8000 for FTP services. ACL 10 identifies the server address (192.168.32.43), while port 8000 is mapped with FTP services.

access-list 10 permit 192.168.32.43
ip port-map ftp port 8000 list 10

In the following example, a specific subnet runs HTTP services on port 8080. ACL 50 identifies the subnet, while the PAM entry maps port 8080 with HTTP services.

access-list 50 permit 192.168.92.0
ip port-map http 8080 list 50

In the following example, a specific host runs HTTP services on port 25, which is the system-defined port number for SMTP services. This requires a host-specific PAM entry that overrides the system-defined default port mapping for HTTP, which is port 80. ACL 15 identifies the host address (192.168.33.43), while port 25 is mapped with HTTP services.

access-list 15 permit 192.168.33.43
ip port-map http port 25 list 15

In the following example, the same port number is required by different services running on different hosts. Port 8000 is required for HTTP services by host 192.168.3.4, while port 8000 is required for FTP services by host 192.168.5.6. ACL 10 and ACL 20 identify the specific hosts, while PAM maps the ports with the services for each ACL.

access-list 10 permit 192.168.3.4
access-list 20 permit 192.168.5.6
ip port-map http port 8000 list 10
ip port-map http ftp 8000 list 20

In the following example, five separate port numbers are specified:

ip port-map user-my-app port tcp 8085 8087 8092 8093 8094

In the following example, multiple commands for the same application name are cumulative and both ports map to the myapp application:

ip port-map user-myapp port tcp 3400
ip port-map user-myapp port tcp 3500

In the following example, the same port number is assigned to a new application. The new entry replaces the existing entry, meaning that port 5670 gets mapped to user-my-new-app and its mapping to myapp is removed. As a result, the first command no longer appears in the running configuration and you receive a message about the remapping.

ip port-map user-myapp port tcp 5670
ip port-map user-my-new-app port tcp 5670

In the following example, the second command assigns port 8085 to user-my-new-app because you cannot specify a port number that is in a range assigned to another application. As a result, the first command no longer appears in the running configuration, and you receive a message about the port being moved from one application to another.

ip port-map user-my-app port tcp 8085
ip port-map user-my-new-app port tcp from 8080 to 8090

Similarly, in the following example the second command assigns port range 8080 to 8085 to user-my-new-app and the first command no longer appears in the running configuration. You receive a message about the remapping.

ip port-map user-my-app port tcp from 8080 to 8085
ip port-map user-my-new-app port tcp from 8080 to 8090

Related Commands

Command
Description

show ip port-map

Displays the PAM information.


ip radius source-interface

To force RADIUS to use the IP address of a specified interface for all outgoing RADIUS packets, use the ip radius source-interface command in global configuration mode. To prevent RADIUS from using the IP address of a specified interface for all outgoing RADIUS packets, use the no form of this command.

ip radius source-interface subinterface-name [vrf vrf-name]

no ip radius source-interface

Syntax Description

subinterface-name

Name of the interface that RADIUS uses for all of its outgoing packets.

vrf vrf-name

(Optional) Per Virtual Route Forwarding (VRF) configuration.


Defaults

No default behavior or values

Command Modes

Global configuration

Command History

Release
Modification

11.3

This command was introduced.

12.2(1)DX

The vrf keyword and vrf-name argument were introduced on the Cisco 7200 series and Cisco 7401ASR.

12.2(2)DD

This command was integrated into Cisco IOS Release 12.2(2)DD.

12.2(4)B

This command was integrated into Cisco IOS Release 12.2(4)B.

12.2(13)T

This command was integrated into Cisco IOS Release 12.2(13)T.


Usage Guidelines

Use this command to set the IP address of a subinterface to be used as the source address for all outgoing RADIUS packets. The IP address is used as long as the subinterface is in the up state. In this way, the RADIUS server can use one IP address entry for every network access client instead of maintaining a list of IP addresses.

This command is especially useful in cases where the router has many subinterfaces and you want to ensure that all RADIUS packets from a particular router have the same IP address.

The specified subinterface must have an IP address associated with it. If the specified subinterface does not have an IP address or is in the down state, then RADIUS reverts to the default. To avoid this, add an IP address to the subinterface or bring the subinterface to the up state.

Use the vrf vrf-name keyword and argument to configure this command per VRF, which allows multiple disjoined routing or forwarding tables, where the routes of a user have no correlation with the routes of another user.

Examples

The following example shows how to configure RADIUS to use the IP address of subinterface s2 for all outgoing RADIUS packets:

ip radius source-interface s2

The following example shows how to configure RADIUS to use the IP address of subinterface Ethernet0 for VRF definition:

ip radius source-interface Ethernet 0 vrf water

Related Commands

Command
Description

ip tacacs source-interface

Uses the IP address of a specified interface for all outgoing TACACS packets.

ip telnet source-interface

Allows a user to select an address of an interface as the source address for Telnet connections.

ip tftp source-interface

Allows a user to select the interface whose address will be used as the source address for TFTP connections.


ip reflexive-list timeout

To specify the length of time that reflexive access list entries will continue to exist when no packets in the session are detected, use the ip reflexive-list timeout command in global configuration mode. To reset the timeout period to the default timeout, use the no form of this command.

ip reflexive-list timeout seconds

no ip reflexive-list timeout

Syntax Description

seconds

Specifies the number of seconds to wait (when no session traffic is being detected) before temporary access list entries expire. Use a positive integer from 0 to 2,147,483. The default is 300 seconds.


Defaults

300 seconds

Command Modes

Global configuration

Command History

Release
Modification

11.3

This command was introduced.


Usage Guidelines

This command is used with reflexive filtering, a form of session filtering.

This command specifies when a reflexive access list entry will be removed after a period of no traffic for the session (the timeout period).

With reflexive filtering, when an IP upper-layer session begins from within your network, a temporary entry is created within the reflexive access list, and a timer is set. Whenever a packet belonging to this session is forwarded (inbound or outbound) the timer is reset. When this timer counts down to zero without being reset, the temporary reflexive access list entry is removed.

The timer is set to the timeout period. Individual timeout periods can be defined for specific reflexive access lists, but for reflexive access lists that do not have individually defined timeout periods, the global timeout period is used. The global timeout value is 300 seconds by default; however, you can change the global timeout to a different value at any time using this command.

This command does not take effect for reflexive access list entries that were already created when the command is entered; this command only changes the timeout period for entries created after the command is entered.

Examples

The following example sets the global timeout period for reflexive access list entries to 120 seconds:

ip reflexive-list timeout 120

The following example returns the global timeout period to the default of 300 seconds:

no ip reflexive-list timeout

Related Commands

Command
Description

evaluate

Nests a reflexive access list within an access list.

ip access-list

Defines an IP access list by name.

permit (reflexive)

Creates a reflexive access list and enables its temporary entries to be automatically generated.


ip scp server enable

To enable the router to securely copy files from a remote workstation, use the ip scp server enable command in global configuration mode. To disable secure copy functionality (the default), use the no form of this command.

ip scp server enable

no ip scp server enable

Syntax Description

This command has no arguments or keywords.

Defaults

The secure copy function is disabled.

Command Modes

Global configuration

Command History

Release
Modification

12.2(2)T

This command was introduced.

12.0(21)S

This command was integrated into Cisco IOS Release 12.0(21)S and support for the Cisco 7500 series and Cisco 12000 series routers was added.


Usage Guidelines

Use this command to enable secure copying of files from systems using the Secure Shell (SSH) application. This secure copy function is accomplished by an addition to the copy command in the Cisco IOS software, which takes care of using the secure copy protocol (scp) to copy to and from a router while logged in to the router itself. Because copying files is generally a restricted operation in the Cisco IOS software, a user attempting to copy such files needs to be at the correct enable level.

The Cisco IOS software must also allow files to be copied to or from itself from a remote workstation running the SSH application (which is supported by both the Microsoft Windows and UNIX operating systems). To get this information, the Cisco IOS software must have authentication and authorization configured in the authentication, authorization, and accounting (AAA) feature. SSH already relies on AAA authentication to authenticate the user username and password. Scp adds the requirement that AAA authorization be turned on so that the operating system can determine whether or not the user is at the correct privilege level.

Examples

The following example shows a typical configuration that allows the router to securely copy files from a remote workstation. Because scp relies on AAA authentication and authorization to function properly, AAA must be configured.

aaa new-model
aaa authentication login default tac-group tacacs+
aaa authorization exec default local
username user1 privilege 15 password 0 lab
ip scp server enable

The following example shows how to use scp to copy a system image from Flash memory to a server that supports SSH:

Router# copy flash:c4500-ik2s-mz.scp scp://user1@host1/

Address or name of remote host [host1]?
Destination username [user1]?
Destination filename [c4500-ik2s-mz.scp]?
Writing c4500-ik2s-mz.scp
Password:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!


Note When using scp, you cannot enter the password into the copy command; enter the password when prompted.


Related Commands

Command
Description

aaa authentication login

Sets AAA authentication at login.

aaa authorization

Sets parameters that restrict user access to a network.

copy

Copies any file from a source to a destination.

debug ip scp

Troubleshoots scp authentication problems.

ip ssh port

Enables secure network access to the tty lines.

username

Establishes a username-based authentication system.


ip sdee events

To set the maximum number of Security Device Event Exchange (SDEE) events that can be stored in the event buffer, use the ip sdee events command in global configuration mode. To change the buffer size or return to the default buffer size, use the no form of this command.

ip sdee events events

no ip sdee events events

Syntax Description

events

Maximum number of events; maximum number of allowable events: 1000.


Defaults

200 events

Command Modes

Global configuration

Command History

Release
Modification

12.3(8)T

This command was introduced.


Usage Guidelines

When SDEE notification is enabled (via the ip ips notify sdee command), 200 hundred events can automatically be stored in the buffer. When SDEE notification is disabled, all stored events are lost. A new buffer is allocated when the notifications are reenabled.

When specifying the size of an events buffer, note the following functionality:

It is circular. When the end of the buffer is reached, the buffer will start overwriting the earliest stored events. (If overwritten events have not yet been reported, you will receive a buffer overflow notice.)

If a new, smaller buffer is requested, all events that are stored in the previous buffer will be lost.

If a new, larger buffer is requested, all existing events will be saved.

Examples

The following example shows how to set the maximum buffer events size to 500:

configure terminal
 ip ips notify sdee
 ip sdee events 500

Related Commands

Command
Description

ip ips notify

Specifies the method of event notification.


ip sdee subscriptions

To set the maximum number of Security Device Event Exchange (SDEE) subscriptions that can be open simultaneously, use the ip sdee subscriptions command in global configuration mode. To change the current selection or return to the default, use the no form of this command.

ip sdee subscriptions subscriptions

no ip sdee subscriptions subscriptions

Syntax Description

subscriptions

Maximum number of subscriptions; valid value ranges from 1 to 3.


Defaults

1 subscription

Command Modes

Global configuration

Command History

Release
Modification

12.3(8)T

This command was introduced.


Usage Guidelines

After you have enabled SDEE to receive and process events from Intrusion Prevention System (IPS) unless SDEE, you can issue the ip sdee subscriptions command to modify the number of allowed open SDEE subscriptions.

Examples

The following example shows how to change the number of allowed open subscriptions to 2:

configure terminal
 ip ips notify sdee
 ip sdee events 500
 ip sdee subscriptions 2

Related Commands

Command
Description

ip ips notify

Specifies the method of event notification.


ip security add

To add a basic security option to all outgoing packets, use the ip security add command in interface configuration mode. To disable the adding of a basic security option to all outgoing packets, use the no form of this command.

ip security add

no ip security add

Syntax Description

This command has no arguments or keywords.

Defaults

Disabled, when the security level of the interface is "Unclassified Genser" (or unconfigured). Otherwise, the default is enabled.

Command Modes

Interface configuration

Command History

Release
Modification

10.0

This command was introduced.


Usage Guidelines

If an outgoing packet does not have a security option present, this interface configuration command will add one as the first IP option. The security label added to the option field is the label that was computed for this packet when it first entered the router. Because this action is performed after all the security tests have been passed, this label will either be the same or will fall within the range of the interface.

Examples

The following example adds a basic security option to each packet leaving Ethernet interface 0:

interface ethernet 0
 ip security add

Related Commands

Command
Description

ip security dedicated

Sets the level of classification and authority on the interface.

ip security extended-allowed

Accepts packets on an interface that has an Extended Security Option present.

ip security first

Prioritizes the presence of security options on a packet.

ip security ignore-authorities

Causes the Cisco IOS software to ignore the authorities field of all incoming packets.

ip security implicit-labelling

Forces the Cisco IOS software to accept packets on the interface, even if they do not include a security option.

ip security multilevel

Sets the range of classifications and authorities on an interface.

ip security reserved-allowed

Treats as valid any packets that have Reserved1 through Reserved4 security levels.

ip security strip

Removes any basic security option on outgoing packets on an interface.


ip security aeso

To attach Auxiliary Extended Security Options (AESOs) to an interface, use the ip security aeso command in interface configuration mode. To disable AESO on an interface, use the no form of this command.

ip security aeso source compartment-bits

no ip security aeso source compartment-bits

Syntax Description

source

Extended Security Option (ESO) source. This can be an integer from 0 to 255.

compartment-bits

Number of compartment bits in hexadecimal.


Defaults

Disabled

Command Modes

Interface configuration

Command History

Release
Modification

10.0

This command was introduced.


Usage Guidelines

Compartment bits are specified only if this AESO is to be inserted in a packet. On every incoming packet at this level on this interface, these AESOs should be present.

Beyond being recognized, no further processing of AESO information is performed. AESO contents are not checked and are assumed to be valid if the source is listed in the configurable AESO table.

Configuring any per-interface extended IP Security Option (IPSO) information automatically enables ip security extended-allowed (disabled by default).

Examples

The following example defines the Extended Security Option source as 5 and sets the compartments bits to 5:

interface ethernet 0
 ip security aeso 5 5 

Related Commands

Command
Description

ip security eso-info

Configures system-wide defaults for extended IPSO information.

ip security eso-max

Specifies the maximum sensitivity level for an interface.

ip security eso-min

Configures the minimum sensitivity level for an interface.

ip security extended-allowed

Accepts packets on an interface that has an Extended Security Option present.


ip security dedicated

To set the level of classification and authority on the interface, use the ip security dedicated command in interface configuration mode. To reset the interface to the default classification and authorities, use the no form of this command.

ip security dedicated level authority [authority...]

no ip security dedicated level authority [authority...]

Syntax Description

level

Degree of sensitivity of information. The level keywords are listed in Table 27.

authority

Organization that defines the set of security levels that will be used in a network. The authority keywords are listed in Table 28.


Defaults

Disabled

Command Modes

Interface configuration

Command History

Release
Modification

10.0

This command was introduced.


Usage Guidelines

All traffic entering the system on this interface must have a security option that exactly matches this label. Any traffic leaving via this interface will have this label attached to it.

The following definitions apply to the descriptions of the IP Security Option (IPSO) in this section:

level—The degree of sensitivity of information. For example, data marked TOPSECRET is more sensitive than data marked SECRET. The level keywords and their corresponding bit patterns are shown in Table 27.

Table 27 IPSO Level Keywords and Bit Patterns 

Level Keyword
Bit Pattern

Reserved4

0000 0001

TopSecret

0011 1101

Secret

0101 1010

Confidential

1001 0110

Reserved3

0110 0110

Reserved2

1100 1100

Unclassified

1010 1011

Reserved1

1111 0001


authority—An organization that defines the set of security levels that will be used in a network. For example, the Genser authority consists of level names defined by the U.S. Defense Communications Agency (DCA). The authority keywords and their corresponding bit patterns are shown in Table 28.

Table 28 IPSO Authority Keywords and Bit Patterns 

Authority Keyword
Bit Pattern

Genser

1000 0000

Siop-Esi

0100 0000

DIA

0010 0000

NSA

0001 0000

DOE

0000 1000


label—A combination of a security level and an authority or authorities.

Examples

The following example sets a confidential level with Genser authority:

ip security dedicated confidential Genser

Related Commands

Command
Description

ip security add

Adds a basic security option to all outgoing packets.

ip security extended-allowed

Accepts packets on an interface that has an Extended Security Option present.

ip security first

Prioritizes the presence of security options on a packet.

ip security ignore-authorities

Causes the Cisco IOS software to ignore the authorities field of all incoming packets.

ip security implicit-labelling

Forces the Cisco IOS software to accept packets on the interface, even if they do not include a security option.

ip security multilevel

Sets the range of classifications and authorities on an interface.

ip security reserved-allowed

Treats as valid any packets that have Reserved1 through Reserved4 security levels.

ip security strip

Removes any basic security option on outgoing packets on an interface.


ip security eso-info

To configure system-wide defaults for extended IP Security Option (IPSO) information, use the ip security eso-info command in global configuration mode. To return to the default settings, use the no form of this command.

ip security eso-info source compartment-size default-bit

no ip security eso-info source compartment-size default-bit

Syntax Description

source

Hexadecimal or decimal value representing the extended IPSO source. This is an integer from 0 to 255.

compartment-size

Maximum number of bytes of compartment information allowed for a particular extended IPSO source. This is an integer from 1 to 16.

default-bit

Default bit value for any unsent compartment bits.


Defaults

Disabled

Command Modes

Global configuration

Command History

Release
Modification

10.0

This command was introduced.


Usage Guidelines

This command configures Extended Security Option (ESO) information, including Auxiliary Extended Security Option (AESO). Transmitted compartment information is padded to the size specified by the compartment-size argument.

Examples

The following example sets system-wide defaults for source, compartment size, and the default bit value:

ip security eso-info 100 5 1 

Related Commands

Command
Description

ip security eso-max

Specifies the maximum sensitivity level for an interface.

ip security eso-min

Configures the minimum sensitivity level for an interface.


ip security eso-max

To specify the maximum sensitivity level for an interface, use the ip security eso-max command in interface configuration mode. To return to the default, use the no form of this command.

ip security eso-max source compartment-bits

no ip security eso-max source compartment-bits

Syntax Description

source

Extended Security Option (ESO) source. This is an integer from 1 to 255.

compartment-bits

Number of compartment bits in hexadecimal.


Defaults

Disabled

Command Modes

Interface configuration

Command History

Release
Modification

10.0

This command was introduced.


Usage Guidelines

The command is used to specify the maximum sensitivity level for a particular interface. Before the per-interface compartment information for a particular Network-Level Extended Security Option (NLESO) source can be configured, the ip security eso-info global configuration command must be used to specify the default information.

On every incoming packet on the interface, these Extended Security Options should be present at the minimum level and should match the configured compartment bits. Every outgoing packet must have these ESOs.

On every packet transmitted or received on this interface, any NLESO sources present in the IP header should be bounded by the minimum sensitivity level and bounded by the maximum sensitivity level configured for the interface.

When transmitting locally generated traffic out this interface, or adding security information (with the ip security add command), the maximum compartment bit information can be used to construct the NLESO sources placed in the IP header.

A maximum of 16 NLESO sources can be configured per interface. Due to IP header length restrictions, a maximum of 9 of these NLESO sources appear in the IP header of a packet.

Examples

In the following example, the specified ESO source is 240 and the compartment bits are specified as 500:

interface ethernet 0
 ip security eso-max 240 500

Related Commands

Command
Description

ip security eso-info

Configures system-wide defaults for extended IPSO information.

ip security eso-min

Configures the minimum sensitivity level for an interface.


ip security eso-min

To configure the minimum sensitivity for an interface, use the ip security eso-min command in interface configuration mode. To return to the default, use the no form of this command.

ip security eso-min source compartment-bits

no ip security eso-min source compartment-bits

Syntax Description

source

Extended Security Option (ESO) source. This is an integer from 1 to 255.

compartment-bits

Number of compartment bits in hexadecimal.


Defaults

Disabled

Command Modes

Interface configuration

Command History

Release
Modification

10.0

This command was introduced.


Usage Guidelines

The command is used to specify the minimum sensitivity level for a particular interface. Before the per-interface compartment information for a particular Network Level Extended Security Option (NLESO) source can be configured, the ip security eso-info global configuration command must be used to specify the default information.

On every incoming packet on this interface, these Extended Security Options should be present at the minimum level and should match the configured compartment bits. Every outgoing packet must have these ESOs.

On every packet transmitted or received on this interface, any NLESO sources present in the IP header should be bounded by the minimum sensitivity level and bounded by the maximum sensitivity level configured for the interface.

When transmitting locally generated traffic out this interface, or adding security information (with the ip security add command), the maximum compartment bit information can be used to construct the NLESO sources placed in the IP header.

A maximum of 16 NLESO sources can be configured per interface. Due to IP header length restrictions, a maximum of 9 of these NLESO sources appear in the IP header of a packet.

Examples

In the following example, the specified ESO source is 5, and the compartment bits are specified as 5:

interface ethernet 0
 ip security eso-min 5 5

Related Commands

Command
Description

ip security eso-info

Configures system-wide defaults for extended IPSO information.

ip security eso-max

Specifies the maximum sensitivity level for an interface.


ip security extended-allowed

To accept packets on an interface that has an extended security option present, use the ip security extended-allowed command in interface configuration mode. To restore the default, use the no form of this command.

ip security extended-allowed

no ip security extended-allowed

Syntax Description

This command has no arguments or keywords.

Defaults

Disabled

Command Modes

Interface configuration

Command History

Release
Modification

10.0

This command was introduced.


Usage Guidelines

Packets containing extended security options are rejected.

Examples

The following example allows interface Ethernet 0 to accept packets that have an extended security option present:

interface ethernet 0
 ip security extended-allowed

Related Commands

Command
Description

ip security add

Adds a basic security option to all outgoing packets.

ip security dedicated

Sets the level of classification and authority on the interface.

ip security first

Prioritizes the presence of security options on a packet.

ip security ignore-authorities

Causes the Cisco IOS software to ignore the authorities field of all incoming packets.

ip security implicit-labelling

Forces the Cisco IOS software to accept packets on the interface, even if they do not include a security option.

ip security multilevel

Sets the range of classifications and authorities on an interface.

ip security reserved-allowed

Treats as valid any packets that have Reserved1 through Reserved4 security levels.

ip security strip

Removes any basic security option on outgoing packets on an interface.


ip security first

To prioritize the presence of security options on a packet, use the ip security first command in interface configuration mode. To prevent packets that include security options from moving to the front of the options field, use the no form of this command.

ip security first

no ip security first

Syntax Description

This command has no arguments or keywords.

Defaults

Disabled

Command Modes

Interface configuration

Command History

Release
Modification

10.0

This command was introduced.


Usage Guidelines

If a basic security option is present on an outgoing packet, but it is not the first IP option, then the packet is moved to the front of the options field when this interface configuration comm