-
Cisco IOS Security Command Reference
-
Introduction
-
aaa accounting through aaa local authentication attempts max-fail
-
aaa max-sessions through algorithm
-
all (profile map configuration) through browser-proxy
-
ca trust-point through clear eou
-
clear ip access-list counters through crl-cache none
-
crypto aaa attribute list through crypto ipsec transform-set
-
crypto isakmp aggressive-mode disable through crypto mib ipsec flowmib history tunnel size
-
crypto pki authenticate through ctype
-
database archive through dns
-
dnsix-dmdp retries through dynamic
-
E
-
F through H
-
icmp idle-timeout through ip http ezvpn
-
ip inspect through ip security strip
-
ip source-track through ivrf
-
K through L
-
mac access-group through max-users (WebVPN)
-
message retry count through outgoing
-
parameter through port-misuse
-
ppp accounting through quit
-
radius attribute nas-port-type through rate-limit (firewall)
-
reauthentication time through rsa-pubkey
-
sa ipsec through sessions maximum
-
set aggressive-mode client-endpoint through show class-map type urlfilter
-
show crypto ace redundancy through show crypto vlan
-
show diameter peer through show object-group
-
show parameter-map type consent through show users
-
show vlan group through switchport port-security violation
-
tacacs-server administration through title-color
-
traffic-export through zone security
-
Feedback
Table Of Contents
dnsix-nat authorized-redirection
dot1x critical (global configuration)
dot1x critical (interface configuration)
dot1x re-authenticate (EtherSwitch)
dot1x re-authenticate (privileged EXEC)
dot1x re-authentication (EtherSwitch)
dnsix-dmdp retries
To set the retransmit count used by the Department of Defense Intelligence Information System Network Security for Information Exchange (DNSIX) Message Delivery Protocol (DMDP), use the dnsix-dmdp retries command in global configuration mode. To restore the default number of retries, use the no form of this command.
dnsix-dmdp retries count
no dnsix-dmdp retries count
Syntax Description
count
Number of times DMDP will retransmit a message. It can be an integer from 0 to 200. The default is 4 retries, or until acknowledged.
Defaults
Retransmits messages up to 4 times, or until acknowledged.
Command Modes
Global configuration
Command History
Examples
The following example sets the number of times DMDP will attempt to retransmit a message to 150:
dnsix-dmdp retries 150Related Commands
dnsix-nat authorized-redirection
To specify the address of a collection center that is authorized to change the primary and secondary addresses of the host to receive audit messages, use the dnsix-nat authorized-redirection command in global configuration mode. To delete an address, use the no form of this command.
dnsix-nat authorized-redirection ip-address
no dnsix-nat authorized-redirection ip-address
Syntax Description
Defaults
An empty list of addresses.
Command Modes
Global configuration
Command History
Usage Guidelines
Use multiple dnsix-nat authorized-redirection commands to specify a set of hosts that are authorized to change the destination for audit messages. Redirection requests are checked against the configured list, and if the address is not authorized the request is rejected and an audit message is generated. If no address is specified, no redirection messages are accepted.
Examples
The following example specifies that the address of the collection center that is authorized to change the primary and secondary addresses is 192.168.1.1:
dnsix-nat authorization-redirection 192.168.1.1dnsix-nat primary
To specify the IP address of the host to which Department of Defense Intelligence Information System Network Security for Information Exchange (DNSIX) audit messages are sent, use the dnsix-nat primary command in global configuration mode. To delete an entry, use the no form of this command.
dnsix-nat primary ip-address
no dnsix-nat primary ip-address
Syntax Description
Defaults
Messages are not sent.
Command Modes
Global configuration
Command History
Usage Guidelines
An IP address must be configured before audit messages can be sent.
Examples
The following example configures an IP address as the address of the host to which DNSIX audit messages are sent:
dnsix-nat primary 172.16.1.1dnsix-nat secondary
To specify an alternate IP address for the host to which Department of Defense Intelligence Information System Network Security for Information Exchange (DNSIX) audit messages are sent, use the dnsix-nat secondary command in global configuration mode. To delete an entry, use the no form of this command.
dnsix-nat secondary ip-address
no dnsix-nat secondary ip-address
Syntax Description
Defaults
No alternate IP address is known.
Command Modes
Global configuration
Command History
Usage Guidelines
When the primary collection center is unreachable, audit messages are sent to the secondary collection center instead.
Examples
The following example configures an IP address as the address of an alternate host to which DNSIX audit messages are sent:
dnsix-nat secondary 192.168.1.1dnsix-nat source
To start the audit-writing module and to define the audit trail source address, use the dnsix-nat source command in global configuration mode. To disable the Department of Defense Intelligence Information System Network Security for Information Exchange (DNSIX) audit trail writing module, use the no form of this command.
dnsix-nat source ip-address
no dnsix-nat source ip-address
Syntax Description
Defaults
Disabled
Command Modes
Global configuration
Command History
Usage Guidelines
You must issue the dnsix-nat source command before any of the other dnsix-nat commands. The configured IP address is used as the source IP address for DMDP protocol packets sent to any of the collection centers.
Examples
The following example enables the audit trail writing module, and specifies that the source IP address for any generated audit messages should be the same as the primary IP address of Ethernet interface 0:
dnsix-nat source 192.168.2.5 interface ethernet 0 ip address 192.168.2.5 255.255.255.0dnsix-nat transmit-count
To have the audit writing module collect multiple audit messages in the buffer before sending the messages to a collection center, use the dnsix-nat transmit-count command in global configuration mode. To revert to the default audit message count, use the no form of this command.
dnsix-nat transmit-count count
no dnsix-nat transmit-count count
Syntax Description
count
Number of audit messages to buffer before transmitting to the server. It can be an integer from 1 to 200.
Defaults
One message is sent at a time.
Command Modes
Global configuration
Command History
Usage Guidelines
An audit message is sent as soon as the message is generated by the IP packet-processing code. The audit writing module can, instead, buffer up to several audit messages before transmitting to a collection center.
Examples
The following example configures the system to buffer five audit messages before transmitting them to a collection center:
dnsix-nat transmit-count 5dns-timeout
To specify the Domain Name System (DNS) idle timeout (the length of time for which a DNS lookup session will continue to be managed while there is no activity), use the dns-timeout command in parameter-map type inspect configuration mode. To disable the timeout, use the no form of this command.
dns-timeout seconds
no dns-timeout seconds
Syntax Description
seconds
Length of time, in seconds, for which a DNS name lookup session will still be managed while there is no activity. The default is 5.
Command Default
The DNS idle timeout is disabled.
Command Modes
Parameter-map type inspect configuration
Command History
Usage Guidelines
You can use the dns-timeout subcommand when you are creating an inspect type parameter map. You can enter the dns-timeout subcommand after you enter the parameter-map type inspect command.
Use the dns-timeout command if you have DNS inspection configured and want to control the timeout of DNS sessions.
If DNS inspection is not configured, but you enter the dns-timeout command, the command does not take effect (that is, it is not applied to a DNS session).
For more detailed information about creating a parameter map, see the parameter-map type inspect command.
Examples
The following example specifies that if there is no activity, a DNS lookup session will continue to be managed for 25 seconds:
parameter-map type inspect insp-paramsdns-timeout 25Related Commands
domain (AAA)
To configure username domain options for the RADIUS application, use the domain command in dynamic authorization local server configuration mode. To disable the username domain options configured, use the no form of this command.
domain {delimiter character | stripping [right-to-left]}
no domain {delimiter character | stripping [right-to-left]}
Syntax Description
Command Default
No username domain options are configured.
Command Modes
Dynamic authorization local server configuration (config-locsvr-da-radius)
Command History
Usage Guidelines
If domain stripping is not configured, the full username provided in the authentication, authorization, and accounting (AAA) packet of disconnect (POD) messages is compared with the online subscribers. Configuring domain stripping allows you to send disconnect messages with only the username present before the @ domain delimiter. The network access server (NAS) compares and matches this username with any online subscriber with a potential domain.
For instance, when domain stripping is configured and you send a POD message with the username "test," a comparison between the POD message and online subscribers takes place, and subscribers with the username "test@cisco.com" or "test" match the specified username "test."
Examples
The following configuration example is used to match a username from right to left. If the username is user1@cisco.com@test.com, then the username to be matched by the POD message is user1@cisco.com.
Router# configure terminalRouter(config)# aaa server radius dynamic-authorRouter(config-locsvr-da-radius)# domain stripping right-to-leftRouter(config-locsvr-da-radius)# domain delimiter @Router(config-locsvr-da-radius)# endThe following configuration example is used to match a username from left to right. If the username is user1@cisco.com@test.com, then the username to be matched by the POD message is user1.
Router# configure terminalRouter(config)# aaa server radius dynamic-authorRouter(config-locsvr-da-radius)# domain strippingRouter(config-locsvr-da-radius)# domain delimiter @Router(config-locsvr-da-radius)# endRelated Commands
aaa server radius dynamic-author
Configures a device as a AAA server to facilitate interaction with an external policy server.
domain (isakmp-group)
To specify the Domain Name Service (DNS) domain to which a group belongs, use the domain command in Internet Security Association Key Management Protocol (ISAKMP) group configuration mode. To remove this command from your configuration, use the no form of this command.
domain name
no domain name
Syntax Description
Defaults
A DNS domain is not specified.
Command Modes
ISAKMP group configuration (config-isakmp-group)
Command History
Usage Guidelines
Use the domain command to specify group domain membership.
You must enable the crypto isakmp configuration group command, which specifies group policy information that has to be defined or changed, before enabling the domain command.
Examples
The following example shows that members of the group "cisco" also belong to the domain "cisco.com":
crypto isakmp client configuration group ciscokey ciscodns 10.2.2.2 10.3.2.3pool dogacl 199domain cisco.comRelated Commands
dot1x control-direction
Note
Effective with Cisco IOS Release 12.2(33)SXI, the dot1x control-direction command is replaced by the authentication control-direction command. See the authentication control-direction command for more information.
To change an IEEE 802.1X controlled port to unidirectional or bidirectional, use the dot1x control-direction command in interface configuration mode. To return to the default setting, use the no form of this command.
dot1x control-direction {both | in}
no dot1x control-direction
Syntax Description
Command Default
The port is set to bidirectional mode.
Command Modes
Interface configuration (config-if)
Command History
Usage Guidelines
The IEEE 802.1x standard defines a client-server-based access control and authentication protocol that restricts unauthorized devices from connecting to a LAN through publicly accessible ports. 802.1x controls network access by creating two distinct virtual access points at each port. One access point is an uncontrolled port; the other is a controlled port. All traffic through the single port is available to both access points. 802.1x authenticates each user device that is connected to a switch port and assigns the port to a VLAN before making available any services that are offered by the switch or the LAN. Until the device is authenticated, 802.1x access control allows only Extensible Authentication Protocol over LAN (EAPOL) traffic through the port to which the device is connected. After authentication is successful, normal traffic can pass through the port.
Unidirectional State
When you configure a port as unidirectional with the dot1x control-direction in interface configuration command, the port changes to the spanning-tree forwarding state.
When Unidirectional Controlled Port is enabled, the connected host is in the sleeping mode or power-down state. The host does not exchange traffic with other devices in the network. The host connected to the unidirectional port cannot send traffic to the network, the host can only receive traffic from other devices in the network.
Bidirectional State
When you configure a port as bidirectional with the dot1x control-direction both interface configuration command, the port is access-controlled in both directions. In this state, the switch port receives or sends only EAPOL packets; all other packets are dropped.
Using the both keyword or using the no form of this command changes the port to its bidirectional default setting.
Catalyst 6500 Series Switch
Setting the port as bidirectional enables 802.1X authentication with wake-on-LAN (WoL).
Cisco IOS Release 12.4(4)XC
For Cisco IOS Release 12.4(4)XC, on Cisco 870 ISRs only, this command can be configured on
Layer 2 (for switch ports) and Layer 3 (for switched virtual interfaces). However, the command can function at only one layer at a time; that is, if it is configured on Layer 2, it cannot also be configured on Layer 3 and vice versa.Examples
The following example shows how to enable unidirectional control:
Switch(config-if)# dot1x control-direction inThe following examples show how to enable bidirectional control:
Switch(config-if)# dot1x control-direction bothor
Switch(config-if)# no dot1x control-directionYou can verify your settings by entering the show dot1x all privileged EXEC command. The show dot1x all command output is the same for all devices except for the port names and the state of the port. If a host is attached to the port but is not yet authenticated, a display similar to the following appears:
Supplicant MAC 0002.b39a.9275AuthSM State = CONNECTINGBendSM State = IDLEPortStatus = UNAUTHORIZEDIf you enter the dot1x control-direction in command to enable unidirectional control, the following appears in the show dot1x all command output:
ControlDirection = InIf you enter the dot1x control-direction in command and the port cannot support this mode because of a configuration conflict, the following appears in the show dot1x all command output:
ControlDirection = In (Disabled due to port settings):The following example shows how to reset the global 802.1X parameters:
Switch(config)# dot1x defaultCatalyst 6500 Series Switch
The following example shows how to enable 802.1X authentication with WoL and set the port as bidirectional:
Switch(config)# interface gigabitethernet 5/1Switch(config-if)# dot1x control-direction both802.1X Support on a Cisco 870 ISR for Cisco IOS Release 12.4(4)X
The following example shows Layer 3 802.1X support on a switched virtual interface (using a Cisco 870 ISR):
interface FastEthernet0description switchport connect to a client!interface FastEthernet1description switchport connect to a client!interface FastEthernet2description switchport connect to a client!interface FastEthernet3description switchport connect to a client!interface FastEthernet4description Connect to the public network!interface Vlan1description Apply 802.1x functionality on SVIdot1x pae authenticatordot1x port-control autodot1x reauthenticationdot1x control-direction inRelated Commands
dot1x credentials
To specify which 802.1X credential profile to use when configuring a supplicant (client) or to apply a credentials structure to an interface and to enter dot1x credentials configuration mode, use the dot1x credentials command in global configuration or interface configuration mode. To remove the credential profile, use the no form of this command.
dot1x credentials name
no dot1x credentials
Syntax Description
Command Default
A credentials profile is not specified.
Command Modes
Global configuration
Interface configurationCommand History
Usage Guidelines
An 802.1X credential structure is necessary when configuring a supplicant. This credentials structure may contain a username, password, and description.
Examples
The following example shows which credentials profile should be used when configuring a supplicant:
dot1x credentials basic-userusername routerpassword secretdescription This credentials profile should be used for most configured portsThe credentials structure can be applied to an interface, along with the dot1x pae supplicant command and keyword, to enable supplicant functionality on that interface.
interface fastethernet 0/1dot1x credentials basic-userdot1x pae supplicantRelated Commands
dot1x critical (global configuration)
To configure the IEEE 802.1X critical authentication parameters, use the dot1x critical command in global configuration mode.
dot1x critical {eapol | recovery delay milliseconds}
Syntax Description
Command Default
The default settings are as follows:
•
•
Command Modes
Global configuration (config)
Command History
12.2(33)SXH
This command was introduced.
12.2(33)SXI
The recovery delay keyword was replaced by the authentication critical recovery delay command.
Examples
This example shows how to specify that the switch sends an EAPOL-Success message when the switch successfully authenticates the critical port:
Switch(config)# dot1x critical eapolThis example shows how to set the recovery delay period that the switch waits to reinitialize a critical port when an unavailable RADIUS server becomes available:
Switch(config)# dot1x critical recovery delay 1500Related Commands
dot1x critical (interface configuration)
Enables 802.1X critical authentication on an interface.
dot1x critical (interface configuration)
To enable 802.1X critical authentication, and optionally, 802.1X critical authentication recovery and authentication, on an interface, use the dot1x critical command in interface configuration mode. To disable 802.1X critical authentication, and optionally, 802.1X critical authentication recovery and authentication, use the no form of this command.
dot1x critical [recovery action reinitialize]
no dot1x critical [recovery action reinitialize]
Syntax Description
recovery action reinitialize
(Optional) Enables 802.1X critical authentication recovery and specifies that the port is authenticated when an authentication server is available.
Command Default
The 802.1X critical authentication is enabled on an interface.
Command Modes
Interface configuration (config-if)
Command History
Examples
This example shows how to enable 802.1X critical authentication on an interface:
Router(config-if)# dot1x criticalThis example shows how to enable 802.1X critical authentication recovery and authenticate the port when an authentication server is available:
Router(config-if)# dot1x critical recovery action reinitializeThis example shows how to disable 802.1X critical authentication on an interface:
Router(config-if)# no dot1x criticalRelated Commands
dot1x critical (global configuration)
Configures the 802.1X critical authentication parameters.
dot1x default
To reset the global 802.1X authentication parameters to their default values as specified in the latest IEEE 802.1X standard, use the dot1x default command in global configuration or interface configuration mode.
dot1x default
Syntax Description
This command has no arguments or keywords.
Defaults
The default values are as follows:
•
•
•
•
•
•
•
•
Command Modes
Global configuration (config)
Interface configuration (config-if)Command History
Usage Guidelines
The IEEE 802.1x standard defines a client-server-based access control and authentication protocol that restricts unauthorized devices from connecting to a LAN through publicly accessible ports. 802.1x controls network access by creating two distinct virtual access points at each port. One access point is an uncontrolled port; the other is a controlled port. All traffic through the single port is available to both access points. 802.1x authenticates each user device that is connected to a switch port and assigns the port to a VLAN before making available any services that are offered by the switch or the LAN. Until the device is authenticated, 802.1x access control allows only Extensible Authentication Protocol (EAP) over LAN (EAPOL) traffic through the port to which the device is connected. After authentication is successful, normal traffic can pass through the port.
Use the show dot1x command to verify your current 802.1X settings.
Cisco IOS Release 12.4(4)XC
For Cisco IOS Release 12.4(4)XC, on Cisco 870 ISRs only, this command can be configured on
Layer 2 (for switch ports) and Layer 3 (for switched virtual interfaces). However, the command can function at only one layer at a time; that is, if it is configured on Layer 2, it cannot also be configured on Layer 3 and vice versa.Examples
The following example shows how to reset the global 802.1X parameters:
Router(config)# dot1x defaultThe following example show how to reset the global 802.1X parameters on FastEthernet interface 0:
Router(config)# interface FastEthernet0Router(config-if)# dot1x defaultRelated Commands
dot1x guest-vlan
To specify an active VLAN as an IEEE 802.1x guest VLAN, use the dot1x guest-vlan command in interface configuration mode. To return to the default setting, use the no form of this command.
dot1x guest-vlan vlan-id
no dot1x guest-vlan
Syntax Description
Command Default
No guest VLAN is configured.
Command Modes
Interface configuration
Command History
Usage Guidelines
You can configure a guest VLAN on a static-access port.
For each IEEE 802.1x port, you can configure a guest VLAN to provide limited services to clients (a device or workstation connected to the switch) not running IEEE 802.1x authentication. These users might be upgrading their systems for IEEE 802.1x authentication, and some hosts, such as Windows 98 systems, might not be IEEE 802.1x capable.
When you enable a guest VLAN on an IEEE 802.1x port, the software assigns clients to a guest VLAN when it does not receive a response to its Extensible Authentication Protocol over LAN (EAPOL) request/identity frame or when EAPOL packets are not sent by the client.
With Cisco IOS Release 12.4(11)T and later, the switch port maintains the EAPOL packet history. If another EAPOL packet is detected on the interface during the lifetime of the link, the guest VLAN feature is disabled. If the port is already in the guest VLAN state, the port returns to the unauthorized state, and authentication restarts. The EAPOL history is reset upon loss of link.
Any number of non-IEEE 802.1x-capable clients are allowed access when the switch port is moved to the guest VLAN. If an IEEE 802.1x-capable client joins the same port on which the guest VLAN is configured, the port is put into the unauthorized state in the RADIUS-configured or user-configured access VLAN, and authentication is restarted.
Guest VLANs are supported on IEEE 802.1x switch ports in single-host or multi-host mode.
You can configure any active VLAN except a Remote Switched Port Analyzer (RSPAN) VLAN or a voice VLAN as an IEEE 802.1x guest VLAN. The guest VLAN feature is not supported on internal VLANs (routed ports) or trunk ports; it is supported only on access ports.
After you configure a guest VLAN for an IEEE 802.1x port to which a DHCP client is connected, you might need to get a host IP address from a DHCP server. You can change the settings for restarting the IEEE 802.1x authentication process on the switch before the DHCP process on the client times out and tries to get a host IP address from the DHCP server. You should decrease the settings for the IEEE 802.1x authentication process using the dot1x max-reauth-req and dot1x timeout tx-period interface configuration commands. The amount of decrease depends on the connected IEEE 802.1x client type.
Examples
This example shows how to specify VLAN 5 as an IEEE 802.1x guest VLAN:
Switch(config-if)# dot1x guest-vlan 5This example shows how to set 3 as the quiet time on the switch, to set 15 as the number of seconds that the switch waits for a response to an EAP-request/identity frame from the client before resending the request, and to enable VLAN 2 as an IEEE 802.1x guest VLAN when an IEEE 802.1x port is connected to a DHCP client:
Switch(config-if)# dot1x timeout max-reauth-req 3Switch(config-if)# dot1x timeout tx-period 15Switch(config-if)# dot1x guest-vlan 2You can display the IEEE 802.1x administrative and operational status for the device or for the specified interface by entering the show dot1x [interface interface-id] privileged EXEC command.
Related Commands
dot1x guest-vlan supplicant
To allow the 802.1x-capable supplicants to enter the guest VLAN, use the dot1x guest-vlan supplicant command in global configuration mode. To prevent the 802.1x-capable supplicants from entering the guest VLAN, use the no form of this command.
dot1x guest-vlan supplicant
no dot1x guest-vlan supplicant
Syntax Description
This command has no arguments or keywords.
Command Default
The 802.1x-capable supplicants are prevented from entering the guest VLAN.
Command Modes
Global configuration (config)
Command History
Examples
This example shows how to allow the 802.1x-capable supplicants to enter the guest VLAN:
Router(config)# dot1x guest-vlan supplicantThis example shows how to prevent the 802.1x-capable supplicants from entering the guest VLAN:
Router(config)# no dot1x guest-vlan supplicantRelated Commands
dot1x host-mode
Note
To allow hosts on an IEEE 802.1X-authorized port, use the dot1x host-mode command in interface configuration mode. To return to the default setting, use the no form of this command.
dot1x host-mode {multi-auth | multi-host | single-host}
no dot1x host-mode {multi-auth | multi-host | single-host}
Syntax Description
Command Default
Hosts are not allowed on an 802.1X-authorized port.
Command Modes
Interface configuration
Command History
Usage Guidelines
Before you use this command, use the dot1x port-control auto command to enables IEEE 802.1X port-based authentication, and cause the port to begin in the unauthorized state.
The multi-auth mode authenticates each new client separately.
In multi-host mode, only one of the attached hosts has to be successfully authorized for all hosts to be granted network access (the multi-host mode authenticates one client, but after the client is authenticated, traffic is allowed from all other MAC addresses.). If the port becomes unauthorized (reauthentication fails or an Extensible Authentication Protocol over LAN [EAPOL] logoff message is received), all attached clients are denied access to the network.
The single-host mode allows only one client per port; that is, one MAC address is authenticated, and all others are blocked.
Cisco IOS Release 12.4(4)XC
For Cisco IOS Release 12.4(4)XC, on Cisco 870 ISRs only, this command can be configured on Layer 2 (for switch ports) and Layer 3 (for switched virtual interfaces). However, the command can function at only one layer at a time; that is, if it is configured on Layer 2, it cannot also be configured on Layer 3 and vice versa.
Examples
The following example shows how to enable IEEE 802.1X globally, to enable IEEE 802.1x on a port, and to enable multiple-hosts mode:
Switch(config)# dot1x system-auth-controlSwitch(config)# interface gigabitethernet2/0/1Switch(config-if)# dot1x port-control autoSwitch(config-if)# dot1x host-mode multi-host:802.1X Support on a Cisco 870 ISR for Cisco IOS Release 12.4(4)XC
The following example shows Layer 3 802.1X support on a switched virtual interface (using a Cisco 870 ISR):
interface FastEthernet0description switchport connect to a client!interface FastEthernet1description switchport connect to a client!interface FastEthernet2description switchport connect to a client!interface FastEthernet3description switchport connect to a client!interface FastEthernet4description Connect to the public network!interface Vlan1description Apply 802.1x functionality on SVIdot1x pae authenticatordot1x port-control autodot1x reauthenticationRelated Commands
dot1x port-control
Enables 802.1X port-based authentication.
show dot1x
Displays details for an identity profile.
dot1x initialize
Note
To initialize 802.1X clients on all 802.1X-enabled interfaces, use the dot1x initialize command in privileged EXEC mode. This command does not have a no form.
dot1x initialize [interface interface-name]
Syntax Description
interface interface-name
(Optional) Specifies an interface to be initialized. If this keyword is not entered, all interfaces are initialized.
Defaults
State machines are not enabled.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
Use this command to initialize the 802.1X state machines and to set up a fresh environment for authentication. After you enter this command, the port status becomes unauthorized.
Examples
The following example shows how to manually initialize a port:
Router# dot1x initialize interface gigabitethernet2/0/2You can verify the unauthorized port status by entering the show dot1x [interface interface-name] command.
Related Commands
dot1x mac-auth-bypass
To enable a switch to authorize clients based on the client MAC address, use the dot1x mac-auth-bypass command in interface configuration mode. To disable MAC authentication bypass, use the no form of this command.
dot1x mac-auth-bypass [eap]
no dot1x mac-auth-bypass
Syntax Description
eap
(Optional) Configures the switch to use Extensible Authentication Protocol (EAP) for authorization.
Command Default
MAC authentication bypass is disabled.
Command Modes
Interface configuration (config-if)
Command History
12.2(33)SXH
This command was introduced.
15.1(4)M
This command was integrated into Cisco IOS Release 15.1(4)M.
Usage Guidelines
Note
When the MAC authentication bypass feature is enabled on an 802.1X port, the switch uses the MAC address as the client identity. The authentication server has a database of client MAC addresses that are allowed network access. If authorization fails, the switch assigns the port to the guest VLAN if a VLAN is configured.
Examples
This example shows how to enable MAC authentication bypass:
Router(config)# interface fastethernet 5/1Router(config-if)# dot1x mac-auth-bypassThis example shows how to configure the switch to use EAP for authorization:
Router(config)# interface fastethernet 5/1Router(config-if)# dot1x mac-auth-bypass eapThis example shows how to disable MAC authentication bypass:
Router(config)# interface fastethernet 5/1Router(config-if)# no dot1x mac-auth-bypassRelated Commands
dot1x max-reauth-req
To set the maximum number of times the authenticator sends an Extensible Authentication Protocol (EAP) request/identity frame (assuming that no response is received) to the client , use the dot1x max-reauth-req command in interface configuration mode. To set the maximum number of times to the default setting of 2, use the no form of this command.
dot1x max-reauth-req number
no dot1x max-reauth-req
Syntax Description
Command Default
The command default is 2.
Command Modes
Interface configuration
Command History
Usage Guidelines
You should change the default value of this command only to adjust for unusual circumstances, such as unreliable links or specific behavioral problems with certain clients and authentication servers.
Cisco IOS Release 12.4(4)XC
For Cisco IOS Release 12.4(4)XC, on Cisco 870 ISRs only, this command can be configured on Layer 2 (for switch ports) and Layer 3 (for switched virtual interfaces). However, the command can function at only one layer at a time, that is, if it is configured on Layer 2, it cannot also be configured on Layer 3 and vice versa.
Verifying Settings
You can verify your settings by entering the show dot1x [interface interface-id] command.
Examples
The following example shows how to set 4 as the number of times that the authentication process is restarted before changing to the unauthorized state:
Router(config-if)# dot1x max-reauth-req 4802.1X Support on a Cisco 870 ISR for Cisco IOS Release 12.4(4)XC
The following example shows Layer 3 802.1X support on a switched virtual interface (using a Cisco 870 ISR):
interface FastEthernet0description switchport connect to a client!interface FastEthernet1description switchport connect to a client!interface FastEthernet2description switchport connect to a client!interface FastEthernet3description switchport connect to a client!interface FastEthernet4description Connect to the public network!interface Vlan1description Apply 802.1x functionality on SVIdot1x pae authenticatordot1x port-control autodot1x reauthenticationRelated Commands
dot1x max-req
To set the maximum number of times that a networking device or Ethernet switch network module can send an Extensible Authentication Protocol (EAP) request/identity frame to a client (assuming that a response is not received) before restarting the authentication process, use the dot1x max-req command in interface configuration or global configuration mode. To set the number of times to the default setting of 2, use the no form of this command.
dot1x max-req retry-number
no dot1x max-req
Syntax Description
retry-number
Maximum number of retries. The value is from 1 through 10. The default value is 2. The value is applicable to all EAP packets except for Request ID.
Defaults
The default number of retries is 2.
Command Modes
Interface configuration (config-if)
Global configuration (config)Command History
Usage Guidelines
The IEEE 802.1x standard defines a client-server-based access control and authentication protocol that restricts unauthorized devices from connecting to a LAN through publicly accessible ports. 802.1x controls network access by creating two distinct virtual access points at each port. One access point is an uncontrolled port; the other is a controlled port. All traffic through the single port is available to both access points. 802.1x authenticates each user device that is connected to a switch port and assigns the port to a VLAN before making available any services that are offered by the switch or the LAN. Until the device is authenticated, 802.1x access control allows only Extensible Authentication Protocol (EAP) over LAN (EAPOL) traffic through the port to which the device is connected. After authentication is successful, normal traffic can pass through the port.
Note
Cisco IOS Release 12.4(4)XC
For Cisco IOS Release 12.4(4)XC, on Cisco 870 ISRs only, this command can be configured on Layer 2 (for switch ports) and Layer 3 (for switched virtual interfaces). However, the command can function at only one layer at a time, that is, if it is configured on Layer 2, it cannot also be configured on Layer 3 and vice versa.
Examples
The following example shows that the maximum number of times that the networking device will send an EAP request or identity message to the client PC is 6:
Router(config) configure terminalRouter(config)# interface ethernet 0Router(config-if)# dot1x max-req 6The following example shows how to set the number of times that a switch sends an EAP request or identity frame to 5 before restarting the authentication process:
Router(config-if)# dot1x max-req 5Related Commands
dot1x max-start
To set the maximum number of Extensible Authentication Protocol (EAP) start frames that a supplicant sends (assuming that no response is received) to the client before concluding that the other end is 802.1X unaware, use the dot1x max-start command in global configuration or interface configuration mode. To remove the maximum number-of-times setting, use the no form of this command.
dot1x max-start number
no dot1x max-start
Syntax Description
number
Maximum number of times that the router sends an EAP start frame. The value is from 1 to 65535. The default is 3.
Defaults
The default maximum number setting is 3.
Command Modes
Global configuration
Interface configurationCommand History
Usage Guidelines
For Cisco IOS Release 12.4(4)XC, on Cisco 870 ISRs only, this command can be configured on
Layer 2 (for switch ports) and Layer 3 (for switched virtual interfaces). However, the command can function at only one layer at a time, that is, if it is configured on Layer 2, it cannot also be configured on Layer 3 and vice versa.Examples
The following example shows that the maximum number of EAP over LAN- (EAPOL-) Start requests has been set to 5:
Router (config)# interface Ethernet1Router (config-if)# dot1x pae supplicantRouter (config-if)# dot1x max-start 5802.1X Support on a Cisco 870 ISR for Cisco IOS Release 12.4(4)XC
The following example shows Layer 3 802.1X support on a switched virtual interface (using a Cisco 870 ISR):
interface FastEthernet0description switchport connect to a client!interface FastEthernet1description switchport connect to a client!interface FastEthernet2description switchport connect to a client!interface FastEthernet3description switchport connect to a client!interface FastEthernet4description Connect to the public network!interface Vlan1description Apply 802.1x functionality on SVIdot1x pae authenticatordot1x port-control autodot1x reauthentication
Related Commands
dot1x pae
Sets the PAE type during 802.1X authentication.
interface
Configures an interface type.
dot1x multi-hosts
To allow multiple hosts (clients) on an 802.1X-authorized port in interface configuration command mode, use the dot1x multi-hosts command. Use the no form of this command to disallow multiple hosts.
dot1x multi-hosts
no dot1x multi-hosts
Syntax Description
This command has no arguments or keywords.
Defaults
Disabled
Command Modes
Interface configuration
Command History
Usage Guidelines
Before entering this command, ensure that the dot1x port-control command is set to auto for the specified interface.
Examples
This example shows how to allow multiple hosts:
Router(config-if)# dot1x multi-hostsRouter(config-if)#This example shows how to disallow multiple hosts:
Router(config-if)# no dot1x multi-hostsRouter(config-if)#Related Commands
dot1x port-control
Sets the port control value.
show dot1x
Displays 802.1X information.
dot1x multiple-hosts
Note
Release 12.1(14)EA1 and Release 12.4(6)T.To allow multiple hosts (clients) on an 802.1X-authorized switch port that has the dot1x port-control interface configuration command set to auto, use the dot1x multiple-hosts command in interface configuration mode. To return to the default setting, use the no form of this command.
dot1x multiple-hosts
no dot1x multiple-hosts
Syntax Description
This command has no arguments or keywords.
Defaults
Multiple hosts are disabled.
Command Modes
Interface configuration
Command History
Usage Guidelines
This command is supported only on switch ports.
This command enables you to attach multiple clients to a single 802.1X-enabled port. In this mode, only one of the attached hosts must be successfully authorized for all hosts to be granted network access. If the port becomes unauthorized (reauthentication fails or an Extensible Authentication Protocol over LAN [EAPOL]-logoff message is received), all attached clients are denied access to the network.
Use the show dot1x (EtherSwitch) privileged EXEC command with the interface keyword to verify your current 802.1X multiple host settings.
Examples
The following example shows how to enable 802.1X on Fast Ethernet interface 0/1 and to allow multiple hosts:
Router(config)# interface fastethernet0/1Router(config-if)# dot1x port-control autoRouter(config-if)# dot1x multiple-hostsRelated Commands
dot1x pae
To set the Port Access Entity (PAE) type, use the dot1x pae command in interface configuration mode. To disable the PAE type that was set, use the no form of this command.
dot1x pae [supplicant | authenticator | both]
no dot1x pae [supplicant | authenticator | both]
Syntax Description
Defaults
PAE type is not set.
Command Modes
Interface configuration
Command History
Usage Guidelines
If the dot1x system-auth-control command has not been configured, the supplicant keyword will be the only keyword available for use with this command. (That is, if the dot1x system-auth-control command has not been configured, you cannot configure the interface as an authenticator.)
Cisco IOS Release 12.4(4)XC
For Cisco IOS Release 12.4(4)XC, on Cisco 870 ISRs only, this command can be configured on
Layer 2 (for switch ports) and Layer 3 (for switched virtual interfaces). However, the command can function at only one layer at a time, that is, if it is configured on Layer2, it cannot also be configured on Layer 3 and vice versa.Examples
The following example shows that the interface has been set to act as a supplicant:
Router (config)# interface Ethernet1Router (config-if)# dot1x pae supplicant802.1X Support on a Cisco 870 ISR for Cisco IOS Release 12.4(4)XC
The following example shows Layer 3 802.1X support on a switched virtual interface (using a Cisco 870 ISR):
interface FastEthernet0description switchport connect to a client!interface FastEthernet1description switchport connect to a client!interface FastEthernet2description switchport connect to a client!interface FastEthernet3description switchport connect to a client!interface FastEthernet4description Connect to the public network!interface Vlan1description Apply 802.1x functionality on SVIdot1x pae authenticatordot1x port-control autodot1x reauthentication
Related Commands
dot1x system-auth-control
Enables 802.1X SystemAuthControl (port-based authentication).
interface
Configures an interface type.
dot1x port-control
Note
To enable manual control of the authorization state of a controlled port, use the dot1x port-control command in interface configuration mode. To disable the port-control value, use the no form of this command.
dot1x port-control {auto | force-authorized | force-unauthorized}
no dot1x port-control
Syntax Description
Defaults
The default is force-authorized.
Command Modes
Interface configuration
Command History
Usage Guidelines
For Ethernet Switch Network Modules
The following guidelines apply to Ethernet switch network modules:
•
•
–
–
–
To globally disable 802.1X on the device, you must disable it on each port. There is no global configuration command for this task.
For Cisco IOS Release 12.4(4)XC
For Cisco IOS Release 12.4(4)XC, on Cisco 870 ISRs only, this command can be configured on
Layer 2 (for switch ports) and Layer 3 (for switched virtual interfaces). However, the command can function at only one layer at a time; that is, if it is configured on Layer 2, it cannot also be configured on Layer 3 and vice versa.Verifying Settings
You can verify your settings by entering the show dot1x command and checking the Status column in the 802.1X Port Summary section of the display. An enabled status means that the port-control value is set to auto or to force-unauthorized.
Examples
The following example shows that the authentication status of the client PC will be determined by the authentication process:
Switch(config)# configure terminalSwitch(config)# interface ethernet 0Switch(config-if)# dot1x port-control auto802.1X Support on a Cisco 870 ISR for Cisco IOS Release 12.4(4)XC
The following example shows Layer 3 802.1X support on a switched virtual interface (using a Cisco 870 ISR):
interface FastEthernet0description switchport connect to a client!interface FastEthernet1description switchport connect to a client!interface FastEthernet2description switchport connect to a client!interface FastEthernet3description switchport connect to a client!interface FastEthernet4description Connect to the public network!interface Vlan1description Apply 802.1x functionality on SVIdot1x pae authenticatordot1x port-control autodot1x reauthentication
Related Commands
dot1x re-authenticate (EtherSwitch)
To manually initiate a reauthentication of all 802.1X-enabled ports or the specified 802.1X-enabled port on a router with an Ethernet switch network module installed, use the dot1x re-authenticate command in privileged EXEC mode.
dot1x re-authenticate [interface interface-type interface-number]
Syntax Description
interface interface-type interface-number
(Optional) Specifies the slot and port number of the interface to reauthenticate.
Defaults
There is no default setting.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
You can use this command to reauthenticate a client without waiting for the configured number of seconds between reauthentication attempts (reauthperiod) and automatic reauthentication.
Examples
The following example shows how to manually reauthenticate the device connected to Fast Ethernet interface 0/1:
Router# dot1x re-authenticate interface fastethernet 0/1Starting reauthentication on FastEthernet0/1.dot1x re-authenticate (privileged EXEC)
Note
To manually initiate a reauthentication of the specified 802.1X-enabled ports, use the dot1x re-authenticate command in privileged EXEC mode.
dot1x re-authenticate [interface interface-name interface-number]
Syntax Description
interface interface-name interface-number
(Optional) Interface on which reauthentication is to be initiated.
Command Default
There is no default setting.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
You can use this command to reauthenticate a client without having to wait for the configured number of seconds between reauthentication attempts (re-authperiod) and automatic reauthentication.
Cisco IOS Release 12.4(4)XC
For Cisco IOS Release 12.4(4)XC, on Cisco 870 ISRs only, this command can be configured on
Layer 2 (for switch ports) and Layer 3 (for switched virtual interfaces). However, the command can function at only one layer at a time, that is, if it is configured on Layer 2, it cannot also be configured on Layer 3 and vice versa.Examples
The following example shows how to manually reauthenticate the device that is connected to a port:
Router# dot1x re-authenticate interface gigabitethernet2/0/1802.1X Support on a Cisco 870 ISR for Cisco IOS Release 12.4(4)XC
The following example shows Layer 3 802.1X support on a switched virtual interface (using a Cisco 870 ISR):
interface FastEthernet0description switchport connect to a client!interface FastEthernet1description switchport connect to a client!interface FastEthernet2description switchport connect to a client!interface FastEthernet3description switchport connect to a client!interface FastEthernet4description Connect to the public network!interface Vlan1description Apply 802.1x functionality on SVIdot1x pae authenticatordot1x port-control autodot1x reauthentication
Related Commands
dot1x reauthentication
Globally enables periodic reauthentication of the client PCs on the 802.1X interface.
dot1x timeout
Sets retry timeouts.
dot1x reauthentication
Note
To enable periodic reauthentication of the client PCs on the 802.1X interface, use the dot1x reauthentication command in interface configuration mode. To disable periodic reauthentication, use the no form of this command.
dot1x reauthentication
no dot1x reauthentication
Syntax Description
This command has no arguments or keywords.
Defaults
Periodic reauthentication is not set.
Command Modes
Interface configuration
Command History
Usage Guidelines
The reauthentication period can be set using the dot1x timeout command.
Cisco IOS Release 12.4(4)XC
For Cisco IOS Release 12.4(4)XC, on Cisco 870 ISRs only, this command can be configured on
Layer 2 (for switch ports) and Layer 3 (for switched virtual interfaces). However, the command can function at only one layer at a time; that is, if it is configured on Layer 2, it cannot also be configured on Layer 3 and vice versa.Examples
The following example shows that reauthentication has been enabled and the reauthentication period as been set for 1800 seconds:
Router(config)# configure terminalRouter(config)# interface ethernet 0Router(config-if)# dot1x reauthenticationRouter(config-if)# dot1x timeout reauth-period 1800802.1X Support on a Cisco 870 ISR for Cisco IOS Release 12.4(4)X
The following example shows Layer 3 802.1X support on a switched virtual interface using a Cisco 870 ISR:
interface FastEthernet0description switchport connect to a client!interface FastEthernet1description switchport connect to a client!interface FastEthernet2description switchport connect to a client!interface FastEthernet3description switchport connect to a client!interface FastEthernet4description Connect to the public network!interface Vlan1description Apply 802.1x functionality on SVIdot1x pae authenticatordot1x port-control autodot1x reauthentication
Cisco 7600 Series
The following example shows how to enable periodic reauthentication of the client:
Router(config-if)# dot1x reauthenticationRouter(config-if)#The following example shows how to disable periodic reauthentication of the client:
Router(config-if)# no dot1x reauthenticationRouter(config-if)#Related Commands
dot1x re-authentication (EtherSwitch)
To enable periodic reauthentication of the client for an Ethernet switch network module, use the dot1x re-authentication command in global configuration mode. To disable periodic reauthentication, use the no form of this command.
dot1x re-authentication
no dot1x re-authentication
Syntax Description
This command has no arguments or keywords.
Defaults
Periodic reauthentication is disabled.
Command Modes
Global configuration
Command History
Usage Guidelines
You configure the amount of time between periodic reauthentication attempts by using the dot1x timeout re-authperiod global configuration command.
Examples
The following example shows how to disable periodic reauthentication of the client:
Router(config)# no dot1x re-authenticationThe following example shows how to enable periodic reauthentication and set the number of seconds between reauthentication attempts to 4000 seconds:
Router(config)# dot1x re-authenticationRouter(config)# dot1x timeout re-authperiod 4000Related Commands
dot1x supplicant interface
To configure the dot1x supplicant for a given interface, use the dot1x supplicant interface command in privileged EXEC mode. To disable the configuration, use the no form of this command.
dot1x supplicant {start | stop} profile-name interface type number
Syntax Description
start
Starts the supplicant for a given interface.
stop
Stops the supplicant for a given interface.
profile-name
Profile name.
type number
Interface type and number.
Command Default
The dot1x supplicant interface is not configured.
Command Modes
Privileged EXEC (#)
Command History
15.0(1)M
This command was introduced in a release earlier than Cisco IOS Release 15.0(1)M.
Examples
The following example shows how to configure the dot1x supplicant for a Gigabit Ethernet interface:
Router# dot1x supplicant start n1 interface GigabitEthernet 0/0/1Related Commands
dot1x default
Resets the global 802.1X authentication parameters to their default values as specified in the latest IEEE 802.1X standard.
dot1x system-auth-control
To globally enable 802.1X SystemAuthControl (port-based authentication), use the dot1x system-auth-control command in global configuration mode. To disable SystemAuthControl, use the no form of this command.
dot1x system-auth-control
no dot1x system-auth-control
Syntax Description
This command has no arguments or keywords.
Defaults
System authentication is disabled by default. If this command is disabled, all ports behave as if they are force authorized.
Command Modes
Global configuration (config)
Command History
Usage Guidelines
The IEEE 802.1x standard defines a client-server-based access control and authentication protocol that restricts unauthorized devices from connecting to a LAN through publicly accessible ports. 802.1x controls network access by creating two distinct virtual access points at each port. One access point is an uncontrolled port; the other is a controlled port. All traffic through the single port is available to both access points. 802.1x authenticates each user device that is connected to a switch port and assigns the port to a VLAN before making available any services that are offered by the switch or the LAN. Until the device is authenticated, 802.1x access control allows only Extensible Authentication Protocol (EAP) over LAN (EAPOL) traffic through the port to which the device is connected. After authentication is successful, normal traffic can pass through the port.
The no form of the command removes any 802.1X-related configurations.
Catalyst 6500 Series Switch and Cisco 7600 Series
You must enable Authentication, Authorization, and Accounting (AAA) and specify the authentication method list before enabling 802.1X. A method list describes the sequence and authentication methods to be queried to authenticate a user.
Examples
The following example shows how to enable SystemAuthControl:
Router(config)# dot1x system-auth-controlRelated Commands
dot1x timeout
To configure the value for retry timeouts, use the dot1x timeout command in global configuration or interface configuration mode. To return to the default value for retry timeouts to, use the no form of this command.
All Platforms Except the Cisco 7600 Series Switch
dot1x timeout {auth-period seconds | held-period seconds | quiet-period seconds | ratelimit-period seconds | reauth-period {seconds | server} | server-timeout seconds | start-period seconds | supp-timeout seconds | tx-period seconds}
no dot1x timeout {auth-period seconds | held-period seconds | quiet-period seconds | ratelimit-period seconds | reauth-period {seconds | server} | server-timeout seconds | start-period seconds | supp-timeout seconds | tx-period seconds}
Cisco 7600 Series Switch
dot1x timeout {reauth-period seconds | quiet-period seconds | tx-period seconds | supp-timeout seconds | server-timeout seconds}
no dot1x timeout {reauth-period | quiet-period | tx-period | supp-timeout | server-timeout}
Syntax Description
Defaults
Periodic reauthentication and periodic rate-limiting are not done.
Command Modes
Global configuration
Interface configurationCisco 7600 Switch
Interface configuration
Command History
Usage Guidelines
For Cisco IOS Release 12.4(4)XC, on Cisco 870 ISRs only, this command can be configured on
Layer 2 (for switch ports) and Layer 3 (for switched virtual interfaces). However, the command can function at only one layer at a time; that is, if it is configured on Layer 2, it cannot also be configured on Layer 3 and vice versa.Cisco 7600 Switch
You must enable periodic reauthentication before you enter the dot1x timeout reauth-period command. Enter the dot1x reauthentication command to enable periodic reauthentication. The dot1x timeout reauth-period command affects the behavior of the system only if periodic reauthentication is enabled.
Examples
The following example shows that various 802.1X retransmission and timeout periods have been set:
Switch(config)# configure terminalSwitch(config)# interface ethernet 0Switch(config-if)# dot1x port-control autoSwitch(config-if)# dot1x reauthenticationSwitch(config-if)# dot1x timeout auth-period 2000Switch(config-if)# dot1x timeout held-period 2400Switch(config-if)# dot1x timeout reauth-period 1800Switch(config-if)# dot1x timeout quiet-period 600Switch(config-if)# dot1x timeout start-period 90Switch(config-if)# dot1x timeout supp-timeout 300Switch(config-if)# dot1x timeout tx-period 60Switch(config-if)# dot1x timeout server-timeout 60The following example shows how to return to the default reauthorization period:
Switch(config-if)# no dot1x timeout reauth-periodCisco 7600 Switch
The following example shows how to set 802.1X retransmission and timeout periods on the Cisco 7600 Switch:
Switch(config-if)# dot1x timeout reauth-period 4000Switch(config-if)# dot1x timeout tx-period 60Switch(config-if)# dot1x timeout supp-timeout 25Switch(config-if)# dot1x timeout server-timeout 25802.1X Support on a Cisco 870 ISR for Cisco IOS Release 12.4(4)XC
The following example shows Layer 3 802.1X support on a switched virtual interface (using a Cisco 870 ISR):
interface FastEthernet0description switchport connect to a client!interface FastEthernet1description switchport connect to a client!interface FastEthernet2description switchport connect to a client!interface FastEthernet3description switchport connect to a client!interface FastEthernet4description Connect to the public network!interface Vlan1description Apply 802.1x functionality on SVIdot1x pae authenticatordot1x port-control autodot1x reauthentication
Related Commands
dot1x timeout (EtherSwitch)
To set the number of retry seconds between 802.1X authentication exchanges when an Ethernet switch network module is installed in the router, use the dot1x timeout command in global configuration mode. To return to the default setting, use the no form of this command.
dot1x timeout {quiet-period seconds | re-authperiod seconds | tx-period seconds}
no dot1x timeout {quiet-period seconds | re-authperiod seconds | tx-period seconds}
Syntax Description
Defaults
quiet-period: 60 seconds
re-authperiod: 3660 seconds
tx-period: 30 secondsCommand Modes
Global configuration
Command History
Usage Guidelines
You should change the default values of this command only to adjust for unusual circumstances such as unreliable links or specific behavioral problems with certain clients or authentication servers.
quiet-period Keyword
During the quiet period, the Ethernet switch network module does not accept or initiate any authentication requests. If you want to provide a faster response time to the user, enter a smaller number than the default.
re-authperiod Keyword
The re-authperiod keyword affects the behavior of the the Ethernet switch network module only if you have enabled periodic reauthentication by using the dot1x re-authentication global configuration command.
Examples
The following example shows how to set the quiet time on the switch to 30 seconds:
Router(config)# dot1x timeout quiet-period 30The following example shows how to enable periodic reauthentication and set the number of seconds between reauthentication attempts to 4000 seconds:
Router(config)# dot1x re-authenticationRouter(config)# dot1x timeout re-authperiod 4000The following example shows how to set 60 seconds as the amount of time that the switch waits for a response to an EAP-request/identity frame from the client before retransmitting the request:
Router(config)# dot1x timeout tx-period 60Related Commands
dpd
To configure Dead Peer Detection (DPD), use the dpd command in IKEv2 profile configuration mode. To delete DPD, use the no form of this command.
dpd interval retry-interval {on-demand | periodic}
no dpd
Syntax Description
Command Default
DPD is disabled by default.
Command Modes
IKEv2 profile configuration (config-ikev2-profile)
Command History
15.1(1)T
This command was introduced.
Cisco IOS XE Release 3.3S
This command was integrated into Cisco IOS XE Release 3.3S.
Usage Guidelines
Use this command to configure DPD globally for peers matching a profile. The DPD configuration in an Internet Key Exchange Version 2 (IKEv2) profile overrides the global DPD configuration.
Examples
The following example shows how to configure the periodic mode for DPD:
Router(config)# crypto ikev2 profile prf1Router(config-ikev2-profile)# dpd 1000 250 periodicRelated Commands
crypto ikev2 dpd
Defines DPD globally for all peers.
crypto ikev2 profile
Defines IKEv2 profile.
drop (type access-control)
To configure a traffic class to discard packets belonging to a specific class, use the drop command in policy-map class configuration mode. To disable the packet discarding action in a traffic class, use the no form of this command.
drop [all]
no drop [all]
Syntax Description
Defaults
The packet discarding action in a traffic class is disabled.
Command Modes
Policy-map class configuration (config-pmap-c)
Command History
Usage Guidelines
Once the match criteria are applied to packets belonging to the specific traffic class using the match class session command in a class map, these packets can be discarded by configuring the drop command with the all keyword in a policy map. Packets match only on the packet session (flow) entry of the Flexible Packet Matching (FPM) access control list (ACL) pattern matching tool, and skip user-configured classification filters. When the drop command is specified with the all keyword, this command can only be associated with a class map that was created with the class-map command and type access-control keyword and used in a policy map that can be attached to one or more interfaces to specify a service policy that is created with the policy-map command and type access-control keyword.
Examples
The following example shows how to create and configure a traffic class called class1 for use in a policy map called policy1. The policy map (service policy) is attached to output serial interface 2/0. All packets that match access group 101 are placed in class1. Packets that belong to this class are discarded.
Router(config)# class-map class1Router(config-cmap)# match access-group 101Router(config-cmap)# exitRouter(config)# policy-map policy1Router(config-pmap)# class class1Router(config-pmap-c)# dropRouter(config-pmap-c)# exitRouter(config-pmap)# exitRouter(config)# interface serial2/0Router(config-if)# service-policy output policy1Router(config-if)# endThe following example shows how to configure a class map and policy map to specify the protocol stack class, the match criteria and action to take, and a combination of classes using session-based (flow-based) and nonsession-based actions. The drop all command is associated with the action to be taken on the policy.
Router(config)# class-map type access-control match-all my-HTTPRouter(config-cm)# match field tcp destport eq 8080Router(config-cm)# match start tcp payload-start offset 20 size 10 regex "GET"Router(config)# class-map type access-control match-all my-FTPRouter(config-cmap)# match field tcp destport eq 21Router(config)# class-map type access-control match all class1Router(config-cmap)# match class my-HTTP sessionRouter(config-cmap)# match start tcp payload-start offset 40 size 20 regex "abc.*def"Router(config)# policy-map type access-control my_http_policyRouter(config-pmap)# class class1Router(config-pmap-c)# drop allRouter(config)# interface gigabitEthernet 0/1Router(config-if)# service-policy type access-control input my_http_policyRelated Commands
drop (zone-based policy)
To drop packets that are sent to the router, use the drop command in policy-map-class configuration mode.
drop [log]
Syntax Description
Command Default
Packets are not dropped.
Command Modes
Policy-map-class configuration
Command History
12.4(6)T
This command was introduced.
15.1(1)S
This command was introduced into Cisco IOS Release 15.1(1)S.
Usage Guidelines
You can use this command only after entering the policy-map type inspect and class type inspect commands.
Examples
The following example creates an inspect policy map named p1 and specifies that packets will be dropped on the traffic at c1:
policy-map type inspect p1class type inspect c1dropThe following example defines a policy map that will drop HTTP traffic:
access-list 101 permit ip 192.168.1 0.0.0.255 anyclass-map type inspect match-all c1match access-group 101match protocol httppolicy-map type inspect p1class type inspect c1dropRelated Commands
class type inspect
Specifies the traffic (class) on which an action is to be performed.
policy-map type inspect
Creates Layer 3 and Layer 4 inspect type policy maps.
dtls port
To configure a desired port for the Datagram Transport Layer Security (DTLS) to listen, use the dtls port command in WebVPN gateway configuration mode. To disable the port, use the no form of this command.
dtls port port-number
no dtls port port-number
Syntax Description
Command Default
The default DTLS port is 443.
Command Modes
WebVPN gateway configuration (config-webvpn-gateway)
Command History
Usage Guidelines
DTLS listens on port 443 by default. You can configure the desired DTLS port using the dtls port command.
Examples
The following example shows how to configure 1055 as the DTLS port for a WebVPN gateway "gateway1":
Router# configure terminalRouter(config)# webvpn gateway gateway1Router(config-webvpn-gateway)# dtls port 1055Related Commands
dynamic
To define a named dynamic IP access list, use the dynamic command in access-list configuration mode. To remove the access lists, use the no form of this command.
dynamic dynamic-name [timeout minutes] {deny | permit} protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [log] [fragments]
no dynamic dynamic-name
Internet Control Message Protocol (ICMP)
dynamic dynamic-name [timeout minutes] {deny | permit} icmp source source-wildcard destination destination-wildcard [icmp-type [icmp-code] | icmp-message] [precedence precedence] [tos tos] [log] [fragments]
Internet Group Management Protocol (IGMP)
dynamic dynamic-name [timeout minutes] {deny | permit} igmp source source-wildcard destination destination-wildcard [igmp-type] [precedence precedence] [tos tos] [log] [fragments]
Transmission Control Protocol (TCP)
dynamic dynamic-name [timeout minutes] {deny | permit} tcp source source-wildcard [operator [port]] destination destination-wildcard [operator [port]] [established] [precedence precedence] [tos tos] [log] [fragments]
User Datagram Protocol (UDP)
dynamic dynamic-name [timeout minutes] {deny | permit} udp source source-wildcard [operator [port]] destination destination-wildcard [operator [port]] [precedence precedence] [tos tos] [log] [fragments]
Syntax Description
Defaults
An extended access list defaults to a list that denies everything. An extended access list is terminated by an implicit deny statement.
Command Modes
Access-list configuration
Command History
Usage Guidelines
You can use named access lists to control the transmission of packets on an interface and restrict contents of routing updates. The Cisco IOS software stops checking the extended access list after a match occurs.
Fragmented IP packets, other than the initial fragment, are immediately accepted by any extended IP access list. Extended access lists used to control vty access or restrict the contents of routing updates must not match against the TCP source port, the ToS value, or the precedence of the packet.
Note
Note
The following is a list of precedence names:
•
•
•
•
•
•
•
•
The following is a list of ToS names:
•
•
•
•
•
The following is a list of ICMP message type and code names:
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
The following is a list of IGMP message names:
•
•
•
•
•
The following is a list of TCP port names that can be used instead of port numbers. Refer to the current assigned numbers RFC to find a reference to these protocols. Port numbers corresponding to these protocols can also be found if you type a ? in the place of a port number.
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
The following is a list of UDP port names that can be used instead of port numbers. Refer to the current assigned numbers RFC to find a reference to these protocols. Port numbers corresponding to these protocols can also be found if you type a ? in the place of a port number.
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
Access List Processing of Fragments
The behavior of access-list entries regarding the use or lack of the fragments keyword can be summarized as follows:
Be aware that you should not simply add the fragments keyword to every access-list entry because the first fragment of the IP packet is considered a nonfragment and is treated independently of the subsequent fragments. An initial fragment will not match an access list permit or deny entry that contains the fragments keyword, the packet is compared to the next access-list entry, and so on, until it is either permitted or denied by an access-list entry that does not contain the fragments keyword. Therefore, you may need two access-list entries for every deny entry. The first deny entry of the pair will not include the fragments keyword, and applies to the initial fragment. The second deny entry of the pair will include the fragments keyword and applies to the subsequent fragments. In the cases where there are multiple deny access-list entries for the same host but with different Layer 4 ports, a single deny access-list entry with the fragments keyword for that host is all that needs to be added. Thus all the fragments of a packet are handled in the same manner by the access list.
Packet fragments of IP datagrams are considered individual packets and each counts individually as a packet in access list accounting and access list violation counts.
Note
Fragments and Policy Routing
Fragmentation and the fragment control feature affect policy routing if the policy routing is based on the match ip address command and the access list had entries that match on Layer 4 through 7 information. It is possible that noninitial fragments pass the access list and are policy routed, even if the first fragment was not policy routed or the reverse.
By using the fragments keyword in access-list entries as described earlier, a better match between the action taken for initial and noninitial fragments can be made and it is more likely policy routing will occur as intended.
Examples
The following example defines a dynamic access list named abclist:
ip access-group abclist in!ip access-list extended abclistdynamic testlist timeout 5permit ip any anypermit tcp any host 10.302.21.2 eq 23Related Commands
