Table Of Contents

Security Command Reference

access-list

clear access-list counters

expert password

expire

ip access-group

password

role

show access-list

show ip access-group

show ssh key

show ssh server

show telnet server

show user-account

show users

ssh key

ssh server enable

telnet server enable

user

utils remote-account

Security Command Reference

---

Revised: September 2011

This chapter includes the Cisco MXE-OS commands used for configuring security features.

access-list

To create IPv4 access control list (ACL) rules that permit or deny a host and domain access to the Cisco MXE 5600, use the access-list command. To remove a rule, use the no form of this command.

access-list {acl-rule-number {permit | deny} ip-address netmask} [mgt1]

no access-list acl-rule-number

Syntax Description

acl-rule-number	Rule ID number. Range is from 1 to 256.
permit	Permit the access list.
deny	Deny the access list.
ip-address	IP address of the host that is to be allowed or denied access to the Cisco MXE 5600. Use A.B.C.D format.
netmask	Netmask for the host IP address. Use A.B.C.D format.
mgt1	(Optional) Interface on which to apply the access list.

Defaults

By default, the access-list is applied to all interfaces.

Command Modes

Global configuration

Supported User Roles

network-admin

Command History

Release	Modification
1.0	This command was introduced.

Usage Guidelines

IPv4 ACLs do not include implicit deny rule. The maximum number of rules supported is 256. An ACL rule cannot be deleted if it is applied to a kernel. An ACL rule must first be removed from the kernel before no access-list command can be applied.

Examples

This example shows how to create ACL rule 1 that permits access to 172.20.207.10:

mxe# configure terminal

mxe(config)# access-list 1 permit 172.20.207.10 255.255.255.255

Related Commands

Command	Description
ip access-group	Applies an IPv4 ACL rule to an interface.

clear access-list counters

To clear the counters for all IPv4 access control lists (ACLs), use the clear access-list counters command.

clear access-list counters

Syntax Description

This command has no arguments or keywords.

Defaults

None

Command Modes

EXEC

Supported User Roles

network-admin
network-operator

Command History

Release	Modification
1.0	This command was introduced.

Usage Guidelines

None

Examples

This example shows how to clear counters for all IPv4 ACLs:

mxe# clear access-list counters

Related Commands

Command	Description
show access-list	Displays information about one or all IPv4 and MAC ACLs.
show ip access-group	Displays information about one or all IPv4 ACLs.

expert password

To configure the password for the default expert (root) account, use the expert password command. This command was deprecated in Cisco MXE-OS Release 1.3.

expert password password

Syntax Description

password

Configures a password. The password argument is a case-sensitive, alphanumeric character string with a minimum or 8 characters and a maximum length of 24 characters.

Defaults

None

Command Modes

user EXEC

Supported User Roles

admin

Command History

Release	Modification
1.2	This command was introduced.
1.3	This command was deprecated.

Usage Guidelines

Cisco MXE-OS ships with the one default expert user account. You cannot delete this account. The password is configured during the initial setup procedure. To change the expert user password, log in as the admin user and configure a new password in the user EXEC mode.

---

Note You must log in as the admin user to change the expert password.

---

All existing terminal sessions remain active during this procedure. There is no device restart required when changing the expert user password. The new password becomes active at the next terminal session.

The Cisco MXE-OS software accepts strong passwords. The characteristics of a strong password include the following:

•At least eight characters long

•Does not contain many consecutive characters (such as "abcd")

•Does not contain many repeating characters (such as "aaabbb")

•Does not contain dictionary words

•Does not contain proper names

•Contains both uppercase and lowercase characters

•Contains numbers

Examples

This example shows how to change the expert password:

mxe# expert password

Warning: Changing MXE expert password, proceed? (Yes/[N]o) : yes

Enter new MXE expert password:

Retype new MXE expert password:

Related Commands

Command	Description
role	Configures the user role for the user account.
setup	Enters the basic device setup mode.
user	Creates a user account.

expire

To configure the expire date for a user account, use the expire command. To revert to the default, use the no form of this command.

expire date

no expire

Syntax Description

date	Specifies the expire date for the user account. The format for the date argument is YYYY-MM-DD. Valid values for YYYY are 1902 to 2030.

Defaults

Unless specified, user names have no expiration date.

Command Modes

User configuration

Supported User Roles

network-admin

Command History

Release	Modification
1.0	This command was introduced.

Usage Guidelines

None

Examples

This example shows how to configure an expiration date of March 21, 2020 for a user1:

mxe# configure terminal

mxe(config)# user user1

mxe(config-usr)# expire 2020-03-21 

Related Commands

Command	Description
password	Configure a password for the user account.
role	Configures the user role for the user account.
show user-account	Displays the user account configuration.
user	Creates a user account.

ip access-group

To apply an IPv4 access control list (ACL) rule to an interface as a router ACL, use ip access-group command. To remove an IPv4 ACL from an interface, use the no form of this command.

ip access-group acl-rule-number

no access-group acl-rule-number

Syntax Description

acl-rule-number

Number of the IPv4 ACL rule created with the access-list command.

Defaults

None

Command Modes

Global configuration

Supported User Roles

network-admin

Command History

Release	Modification
1.0	This command was introduced.

Usage Guidelines

Before using this command, you must have created an ACL rule with the access-list command. You can use the ip access-group command to apply an IPv4 ACL as a router ACL to the following interface type:

•Layer 3 Ethernet interfaces

The device applies router ACLs on either outbound or inbound traffic. When the device applies an ACL to inbound traffic, the device checks inbound packets against the rules in the ACL. If the first matching rule permits the packet, the device continues to process the packet. If the first matching rule denies the packet, the device drops the packet and returns an ICMP host-unreachable message.

For outbound access lists, after receiving and routing a packet to an interface, the device checks the ACL. If the first matching rule permits the packet, the device sends the packet to its destination. If the first matching rule denies the packet, the device drops the packet and returns an ICMP host unreachable message.

If you delete the specified ACL from the device without removing the ACL from an interface, the deleted ACL does not affect traffic on the interface.

Examples

This example shows how to configure an IP access group with access-list rule 1:

mxe# configure terminal

mxe(config)# ip access-group 1

Related Commands

Command	Description
show ip access-group	Displays all access groups to which IPv4 ACLs are applied.
show access-list	Displays all IPv4 ACLs or a specific IPv4 ACL.

password

To configure the password for a user account, use the password command. To remove the password from a user account, use the no form of this command.

password [0 | 5] password

no password [0 | 5] password

Syntax Description

0	(Optional) Specifies that the password is in clear text. Clear text passwords are encrypted before they are saved to the running configuration. The password has a maximum of 24 characters.
5	(Optional) Specifies that the password is in encrypted format. Encrypted passwords are not changed before they are saved to the running configuration. The password has a maximum of 64 characters.
password	Password string. The password is alphanumeric and case sensitive. Note Clear text passwords cannot contain dollar signs ($) or spaces anywhere in the password. Also, they cannot include these special characters at the beginning of the password: quotation marks (" or '), vertical bars (|), or right angle brackets (>).

Defaults

Unless specified, user names have no password.

Command Modes

EXEC

User configuration

Supported User Roles

network-admin
network-operator

Command History

Release	Modification
1.0	This command was introduced.

Usage Guidelines

A network operators can only access this command from the EXEC command mode and change their own passwords.

The Cisco MXE-OS software accepts strong passwords. The characteristics of a strong password include the following:

•At least eight characters long

•Does not contain many consecutive characters (such as "abcd")

•Does not contain many repeating characters (such as "aaabbb")

•Does not contain dictionary words

•Does not contain proper names

•Contains both uppercase and lowercase characters

•Contains numbers

---

Caution If you do not specify a password for the user account, the user cannot log in to the account.

---

Examples

This example shows how to create a clear text password for user1:

mxe# configure terminal

mxe(config)# user user1 

mxe(config-usr)# password 0 ABCD1234

Related Commands

Command	Description
expire	Configures the expire date for the user account.
role	Configures the user role for the user account.
show ip access-group	Displays the user account configuration.
user	Creates a user account.

role

To configure a user account as either network-admin or network-operator, use the role command. To revert to the default, use the no form of this command.

role {network-admin | network-operator}

no role

Syntax Description

network-admin	Specifies the network-admin role. Provides read-and-write access to the entire Cisco MXE-OS device.
network-operator	Specifies the network-admin role. Provides read-only access to the entire Cisco MXE-OS device.

Defaults

The default role is network-operator if the creating user has the network-admin role.

Command Modes

User configuration

Supported User Roles

network-admin

Command History

Release	Modification
1.0	This command was introduced.

Usage Guidelines

None

Examples

This example shows how to configure user1 with a supported user role of network-admin:

mxe# configure terminal

mxe(config)# user user1

mxe(config-usr)# role network-admin

Related Commands

Command	Description
show user-account	Displays the user account configuration.
user	Creates a user account.

show access-list

To display all IPv4 access control lists (ACLs) or a specific IPv4 ACL, use the show ip access-list command.

show access-list [acl-rule-number]

Syntax Description

acl-rule-number

(Optional) Number of the IPv4 ACL.

Defaults

None

Command Modes

EXEC

Supported User Roles

network-admin
network-operator

Command History

Release	Modification
1.0	This command was introduced.

Usage Guidelines

The device shows all IPv4 ACLs, unless you use the acl-rule-number argument to specify an ACL.

Examples

This example shows how to use the show ip access-list command to display all IPv4 ACLs on a device that has a single IPv4 ACL:

mxe# show access-list

IP access list ipv4-open-filter

        10 permit ip any any

This example shows how to use the show ip access-lists command to display an IPv4 ACL number 1:

mxe# show access-list 1

IP access list ipv4-RandD-outbound-web

        statistics per-entry

        1000 permit ahp any any [match=732]

        1005 permit tcp addrgroup MainLab any eq telnet

        1010 permit tcp any any eq www [match=820421]

Related Commands

Command	Description
access-list	Configures an IPv4 ACL.

show ip access-group

To display access-list rules applied to the Cisco MXE 5600 and information regarding the number of packets and bytes that were allowed and denied, use the show ip access-group command.

show ip access-group

Syntax Description

This command has no arguments or keywords.

Defaults

None

Command Modes

EXEC

Supported User Roles

network-admin
network-operator

Command History

Release	Modification
1.0	This command was introduced.

Usage Guidelines

None

Examples

This example shows how to display ACL rules:

mxe# show ip access-group

Chain INPUT (policy ACCEPT 36080 packets, 4929K bytes)

 pkts bytes target     prot opt in     out     source               destination         

    7   371 DROP       0    --  eth2   *       171.70.104.12        0.0.0.0/0 

Related Commands

Command	Description
ip access-group	Applies an IPv4 access control list (ACL) to an interface as a router ACL.

show ssh key

To display information about the Secure Shell Protocol (SSH) key information, use the show ssh key command.

show ssh key [dsa | rsa]

Syntax Description

dsa	(Optional) Shows Digital Signal Algorithm (DSA) information.
rsa	(Optional) Shows Rivest Shamir Adleman (RSA) algorithm information.

Syntax Description

Displays both DSA and RSA.

Defaults

None

Command Modes

EXEC

Supported User Roles

network-admin
network-operator

Command History

Release	Modification
1.0	This command was introduced.

Usage Guidelines

None

Examples

This example shows how to display the SSH key status for DSA and RSA:

mxe# show ssh key

**************************************

rsa Keys generated:Fri Sep 11 04:15:36 2009

ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA1SLgTJO3DohovUJOSxW8KRV/CPKZqVBRARpcVWn1RKiQ

OJS+60w5+9yRdSZsaIycB9lsc49E3aBiTAC4EKVLUEGoVZvX6maj38DiRuFsoc2xuSKZ7tOmDQ7PYDBN

bitcount:1024

fingerprint:

f6:19:4d:c7:3b:d9:b3:a1:60:20:c3:89:86:47:d2:39

**************************************

could not retrieve dsa key information

**************************************

Related Commands

Command	Description
ssh key	Configures Cisco MXE-OS to generate SSH key.

show ssh server

To display information about the Secure Shell Protocol (SSH) server status, use the show ssh server command.

show ssh server

Syntax Description

None

Defaults

None

Command Modes

EXEC

Supported User Roles

network-admin
network-operator

Command History

Release	Modification
1.0	This command was introduced.

Usage Guidelines

Use this command to see if the SSH is enabled.

Examples

This example shows how to display the SSH server status:

mxe# show ssh server

ssh version 2 is enabled

Related Commands

Command	Description
ssh server enable	Enables SSH server.

show telnet server

To display information about the status of the Telnet server, use the show telnet server command.

show telnet server

Syntax Description

None

Defaults

None

Command Modes

EXEC

Supported User Roles

network-admin
network-operator

Command History

Release	Modification
1.0	This command was introduced.

Usage Guidelines

None

Examples

This example shows how to display the Telnet server status:

mxe# show telnet server

Telnet service is enabled

Related Commands

Command	Description
show telnet server	Enables Telnet server.
show running-config ssh	Displays Secure Shell Protocol (SSH) and Telnet configurations in the running configuration.

show user-account

To display information for all user accounts or a specific user, use the show user-account command.

show user-account [user-id]

Syntax Description

user-id

(Optional) Specific user name created with the user command. The user name is case sensitive.

Defaults

None

Command Modes

EXEC

Supported User Roles

network-admin
network-operator

Command History

Release	Modification
1.0	This command was introduced.

Usage Guidelines

Configured user-ids can be displayed with the show users command.

Examples

This example shows how to display information for all user accounts:

mxe# show user-account

user:admin

        this user account has no expiry date

        role: network-admin

user:adminbackup

        this user account has no expiry date

        role: network-operator

This example shows how to display information for one user account:

mxe# show user-account admin

User: admin

       Role: network-admin

       Expiry: This user has no expiry date.

Related Commands

Command	Description
show users	Displays session information for user accounts or a specific user.
user	Creates and configures a user account.

show users

To display session information for user accounts or a specific user, use the show users command.

show users [user-id]

Syntax Description

user-id

(Optional) Displays a user ID created with the user command.The user ID is case sensitive.

Syntax Description

This command has no arguments or keywords.

Defaults

None

Command Modes

EXEC

Supported User Roles

network-admin
network-operator

Command History

Release	Modification
1.0	This command was introduced.

Usage Guidelines

None

Examples

This example shows how to display user-session information for all users:

mxe# show users

User                     Line    Login Time                       Role

admin                    console Feb   26 08:48                   network-admin

admin                    pts/0   Feb   26 08:47 (10.19.226.170)   network-admin

Related Commands

Command	Description
user	Configures a user account.

ssh key

To configure Cisco MXE-OS to generate Secure Shell Protocol (SSH) key, use the ssh key command. To remove the SSH key configuration, use the no form of this command.

ssh key {dsa [force] | rsa [bits [force] ]}

no ssh key {dsa [force] | rsa [bits [force] ]}

Syntax Description

dsa	Generates Digital Signal Algorithm (DSA).
force	(Optional) Overwrites existing key.
rsa	Generates Rivest Shamir Adleman (RSA) algorithm.
bits	(Optional) Number of bits used to generate the key. The range is 768 to 2048. The default value is 1024.

Defaults

The default bits value is 1024.

Command Modes

Global configuration

Supported User Roles

network-admin

Command History

Release	Modification
1.0	This command was introduced.

Usage Guidelines

An SSH key must not be configured with the SSH server enabled. Prior to executing this command disable the SSH server with the no ssh server enable command. After executing the ssh key command, enable the SSH server with the ssh server enable command.

Examples

This example shows how to configure an SSH key that uses an RSA algorithm encryption and 2040 bits to generate the key:

mxe# configure terminal

mxe(config)# no ssh server enable

mxe(config)# ssh key rsa 2040

mxe(config)# ssh server enable

Related Commands

Command	Description
show ssh server	Displays information about the SSH server status.

ssh server enable

To enable the Secure Shell Protocol (SSH) in the Cisco MXE-OS, use the ssh server enable command. To disable the SSH, use the no form of this command.

ssh server enable

no ssh server enable

Syntax Description

None

Defaults

Enabled

Command Modes

Global configuration

Supported User Roles

network-admin

Command History

Release	Modification
1.0	This command was introduced.

Usage Guidelines

SSH version 2.0 is supported.

Examples

This example shows how to enable an SSH:

mxe# configure terminal

mxe(config)# ssh server enable

Related Commands

Command	Description
show ssh server	Displays information about the SSH server status.

telnet server enable

To enable the Telnet server daemon in the Cisco MXE-OS, use the telnet server enable command. To disable Telnet, use the no form of this command.

telnet server enable

no telnet server enable

Syntax Description

None

Defaults

Disabled

Command Modes

Global configuration

Supported User Roles

network-admin

Command History

Release	Modification
1.0	This command was introduced.

Usage Guidelines

None

Examples

This example shows how to enable Telnet:

mxe# configure terminal

mxe(config)# telnet server enable

Related Commands

Command	Description
show telnet server	Displays status information about the Telnet status.

user

To create a user account and enter the user configuration mode, use the user command. To remove a user account, use the no form of this command.

user user-id

no user-id

Syntax Description

user-id

Unique identifier. Up to 24 case-sensitive, alphanumeric characters are allowed.

Defaults

The Cisco MXE-OS software creates one default user account: admin.

Command Modes

Global configuration

Supported User Roles

network-admin

Command History

Release	Modification
1.0	This command was introduced.

Usage Guidelines

A user-id must be alpha numeric and cannot start with a digit. It should not contain upper case letters. The following words are reserved and cannot be used for the user-id argument: adm, ais, backup, bin, daemon, ftp, ftpuser, games, gdm, gopher, halt, http, lp, mail, mailnull, man, mtsuser, news, nobody, nscd, ntp, operator, proxy, root, rpc, rpcuser, shutdown, sshd, sync, sys, telnet, uucp, www, and xfs.

A user-id cannot be used for login unless it has a password. See the password command.

Neither the root user nor a user-id that is currently logged in can be deleted.

Examples

This example shows how to create a user account called user1:

mxe# configure terminal

mxe(config)# user user1 

Related Commands

Command	Description
expire	Configures the expire date for the user account.
password	Configure a password for the user account.
role	Configures the user role for the user account.
show users	Displays session information for user accounts or a specific user.

utils remote-account

To create or modify a remote support account, use the utils remote-account command.

utils remote-account {create {name expiry_days} | delete {name} | disable | enable | status}

Syntax Description

create	Creates a remote support account.
name expiry_days	Specifies an account name and account life in number of days. The name range is up 24 lower-case letters. No upper-case letters, numbers, or special characters are allowed. The number of days is 1 to 30.
delete	Deletes a remote support account.
disable	Disables the remote support account.
enable	Enables the remote support account.
status	Displays the remote support account status.

Defaults

None

Command Modes

EXEC

Supported User Roles

network-admin

Command History

Release	Modification
1.3	This command was introduced.

Usage Guidelines

For advanced troubleshooting access to the Cisco MXE-OS, you can create a remote support account for use by Cisco TAC. The utils remote-account create command is used to create or modify the remote support account. You can create only one account that is active from 1 to 30 days.

Use the utils remote-account status command to display the current status of an account and to display the passphrase. The passphrase is converted to a password by using the Cisco Unified Remote Support Tool.

The utils remote-account disable command disables the account even if the account has not yet expired. The utils remote-account delete name command deletes the account regardless of the expiry date.

When a remote support account expires it can take up to an hour for the change to appear in the CLI. You cannot log in to the Cisco MXE-OS as a remote-account user immediately following the expiration of the account.

Examples

This example shows how to display the remote support account status, how to enable the feature, and how to verify the status:

mxe# utils remote-account status

Remote Account

            Status : Disabled

   Decoder Version : 1

mxe# utils remote-account enable

mxe# utils remote-account status

Remote Account

            Status : Enabled

   Decoder Version : 1

           Account : 

        Passphrase : 

            Expiry : 

This example shows how to create a remote support account called expert with an expiry of 30 days, and how to display the account status and passphrase:

mxe# utils remote-account create expert 30

mxe# utils remote-account status

Remote Account

            Status : Enabled

   Decoder Version : 1

           Account : expert

        Passphrase : 4YAGJCAGAF

            Expiry : 2011-8-8

This example shows how to delete the expert remote support account:

mxe# utils remote-account delete expert

Remote Account

            Status : Disabled

   Decoder Version : 1