Configuration Commands: g to z

gas-ap-rate-limit

To set the number of Generic Advertisement Service (GAS) or Access Network Query Protocol (ANQP) request action frames sent to the controller by an access point (AP) for a given duration, use the gas-ap-rate-limit command.

gas-ap-rate-limit number-of-requests request-limit-interval

Syntax Description

number-of-requests

Number of GAS or ANQP requests allowed in a given interval. Valid range is from 1-100.

request-limit-interval

Interval in which the maximum numbers of requests is applicable. Valid range is from 100-1000 milliseconds.

Command Default

Limit is not enabled.

Command Modes

AP Profile Configuration (config-ap-profile)

Command History

Release Modification
Cisco IOS XE Gibraltar 16.12.1

This command was introduced.

Examples

The following example shows how to configure the number of GAS or ANQP request action frames sent to the controller by an AP for a given duration:

Device(config)# ap profile hotspot
Device(config-ap-profile)# gas-ap-rate-limit 12 120 

group

To configure a group for a venue and a venue type, use the group command. To remove the group, use the no form of the command.

group venue-group venue-type

Syntax Description

venue-group

Venue group. Options are: assembly, business, educational, industrial, institutional, mercantile, outdoor, residential, storage, unspecified, utility, and vehicular.

venue-type

Venue type. The options vary based on the venue-group.

Command Default

None

Command Modes

Wireless ANQP Server Configuration (config-wireless-anqp-server)

Command History

Release Modification
Cisco IOS XE Gibraltar 16.12.1

This command was introduced.

Examples

The following example shows how to configure a group for a venue and a venue type:

Device(config)# wireless hotspot anqp-server my-server
Device(config-wireless-anqp-server)# group business bank   

gtk-randomize

To configure random-GTK for hole-196 mitigation, use the gtk-randomize command. Use the no form of the command to remove the icon.

gtk-randomize

Syntax Description

This command has no keywords or arguments.

Command Default

None

Command Modes

WLAN Configuration (config-wlan)

Command History

Release Modification
Cisco IOS XE Gibraltar 16.12.1

This command was introduced.

Usage Guidelines

The GTK used for each mobile device should be different from every GTK used for the other mobile devices associated to the BSS.

Examples

The following example shows how to configure random-GTK for hole-196 mitigation.

Device(config-wlan)# security wpa wpa2 gtk-randomize  

hessid

To configure a homogenous extended service set, use the hessid command. To remove the service set, use the no form of the command.

hessid HESSID-value

Syntax Description

HESSID-value

HESSID value.

Command Default

None

Command Modes

Wireless ANQP Server Configuration (config-wireless-anqp-server)

Command History

Release Modification
Cisco IOS XE Gibraltar 16.12.1

This command was introduced.

Examples

The following example shows how to configure a homogenous extended service set:

Device(config)# wireless hotspot anqp-server my-server
Device(config-wireless-anqp-server)# hessid 00:40:96:b4:82:55  

hotspot anqp-server

To associate a hotspot server with a policy profile, use the hotspot anqp-server command. To remove the server, use the no form of the command.

hotspot anqp-server server-name

Syntax Description

server-name

Name of the Hotspot 2.0 ANQP server.

Command Default

None

Command Modes

Wireless Policy Configuration (config-wireless-policy)

Command History

Release Modification
Cisco IOS XE Gibraltar 16.12.1

This command was introduced.

Examples

The following example shows how to configure a Hotspot 2.0 ANQP server:

Device(config)# wireless profile policy hs-policy
Device(config-wireless-policy)# hotspot anqp-server test 

hyperlocation

To configure Hyperlocation and related parameters for an AP group, use the hyperlocation command in the WLAN AP Group configuration (Device(config-apgroup)#) mode. To disable Hyperlocation and related parameter configuration for the AP group, use the no form of the command.

[no] hyperlocation [ threshold { detection value-in-dBm | reset value-btwn-0-99 | trigger value-btwn-1-100} ]

Syntax Description

[no] hyperlocation

Enables or disables Hyperlocation for an AP group.

threshold detection value-in-dBm

Sets threshold to filter out packets with low RSSI. The [no] form of the command resets the threshold to its default value.

threshold reset value-btwn-0-99

Resets value in scan cycles after trigger. The [no] form of the command resets the threshold to its default value.

threshold trigger value-btwn-1-100

Sets the number of scan cycles before sending a BAR to clients. The [no] form of the command resets the threshold to its default value.

Note 

Ensure that the Hyperlocation threshold reset value is less than the threshold trigger value.

Command Modes

WLAN AP Group configuration

Command History

Release Modification

Cisco IOS XE Gibraltar 16.10.1

This command was introduced in a release earlier than Cisco IOS XE Gibraltar 16.10.1.

Examples

  • This example shows how to set threshold to filter out packets with low RSSI:

    Device(config-apgroup)# [no] hyperlocation threshold detection -100
  • This example shows how to reset value in scan cycles after trigger:

    Device(config-apgroup)# [no] hyperlocation threshold reset 8
  • This example shows how to set the number of scan cycles before sending a BAR to clients:

    Device(config-apgroup)# [no] hyperlocation threshold trigger 10

icon

To configure an icon for an Online Sign-Up (OSU) provider, use the icon command. To remove the icon, use the no form of the command.

icon file-name

Syntax Description

file-name

File name of the icon.

Command Default

None

Command Modes

ANQP OSU Provider Configuration (config-anqp-osu-provider)

Command History

Release Modification
Cisco IOS XE Gibraltar 16.12.1

This command was introduced.

Usage Guidelines

The icon must be configured under the hotspot ANQP server.

Examples

The following example shows how to configure an icon for the OSU provider:

Device(config-wireless-anqp-server)# osu-provider my-osu 
Device(config-anqp-osu-provider)# icon test  

idle-timeout

To configure the idle-timeout value in seconds for a wireless profile policy, use the idle-timeout command.

idle-timeout value

Syntax Description

value

Sets the idle-timeout value. Valid range is 15 to 100000 seconds.

Command Default

None

Command Modes

config-wireless-policy

Command History

Release Modification

Cisco IOS XE Gibraltar 16.10.1

This command was introduced in a release earlier than Cisco IOS XE Gibraltar 16.10.1.

Examples

The following example shows how to set the idle-timeout in a wireless profile policy:

Device# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Device(config)# wireless profile policy policy-profile-name
Device(config-wireless-policy)# idle-timeout 100

ids (mesh)

To configure IDS (Rogue/Signature Detection) reporting for outdoor mesh APs, use the ids command.

ids

Syntax Description

This command has no keywords or arguments.

Command Default

IDS is disabled.

Command Modes

config-wireless-mesh-profile

Command History

Release Modification
Cisco IOS XE Gibraltar 16.10.1

This command was introduced.

Examples

The following example shows how to configure IDS (Rogue/Signature Detection) reporting for outdoor mesh APs:

Device # configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Device (config)# wireless profile mesh mesh-profile
Device (config-wireless-mesh-profile)# ids

inactive-timeout

To enable in-active timer, use the inactive-timeout command.

inactive-timeout timeout-in-seconds

Syntax Description

timeout-in-seconds

Specifies the inactive flow timeout value. The range is from 1 to 604800.

Command Default

None

Command Modes

ET-Analytics configuration

Command History

Release Modification

Cisco IOS XE Gibraltar 16.10.1

This command was introduced.

Examples

This example shows how to enable in-active timer in the ET-Analytics configuration mode:

Device# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Device(config)# et-analytics
Device(config-et-analytics)# inactive-timeout 15
Device(config-et-analytics)# end

install abort

To cancel an ongoing predownload or rolling access point (AP) upgrade operation, use the install abort command.

install abort

Syntax Description

This command has no keywords or arguments.

Command Default

None

Command Modes

Privileged EXEC (#)

Command History

Release Modification
Cisco IOS XE Gibraltar 16.11.1

This command was introduced.

Examples

The following example shows how to cancel a current predownload or install operation:

Device# install abort

install add file activate commit

To activate an installed SMU package and to commit the changes to the loadpath, use the install add file activate commit command.

install add file activate commit

Syntax Description

prompt-level

Sets the prompt level.

none

Prompting is not done.

Command Default

None

Command Modes

Privileged EXEC (#)

Command History

Release Modification
Cisco IOS XE Gibraltar 16.11.1

This command was introduced.

Examples

The following example shows how to activate an installed package and commit the changes:

Device# install add file vwlc_apsp_16.11.1.0_74.bin activate commit

install add file flash activate issu commit

To activate the installed package using issu technique and to commit the changes to the loadpath, use the install add file flash activate issu commit command.

install add file flash activate issu commit

Syntax Description

This command has no keywords or arguments.

Command Default

None

Command Modes

Privileged EXEC (#)

Command History

Release Modification
Cisco IOS XE Gibraltar 16.11.1

This command was introduced.

Examples

This example shows how to activate the installed package using issu technique and to commit the changes to the loadpath:

Device# install add file flash activate issu commit 

install add profile

To select the profile to rollback the AP images with AP image predownload support, use the install add profile command.

install add profile profile-name [ activate]

Syntax Description

profile-name

Profile name. The profile name can have a maximum of only 15 characters.

activate

Activates the installed package.

Command Default

None

Command Modes

Privileged EXEC (#)

Command History

Release Modification
Cisco IOS XE Gibraltar 16.12.1

This command was introduced.

Examples

The following example shows how to select the profile to rollback the AP images:

Device# install add profile profile1

install activate

To activate an installed package, use the install activate command.

install activate { auto-abort-timer | file | profile| prompt-level}

Syntax Description

auto-abort-timer

Sets the cancel timer. The time range is between 30 and 1200 minutes.

file

Specifies the package to be activated.

profile

Specifies the profile to be activated.

prompt-level

Sets the prompt level.

Command Default

None

Command Modes

Privileged EXEC (#)

Command History

Release Modification
Cisco IOS XE Gibraltar 16.12.2s

This command was introduced.

Examples

The following example shows how to activate the installed package:

Device# install activate profile default
install_activate: START Thu Nov 24 20:14:53 UTC 2019

System configuration has been modified.
Press Yes(y) to save the configuration and proceed.
Press No(n) for proceeding without saving the configuration.
Press Quit(q) to exit, you may save configuration and re-enter the command. [y/n/q] y
Building configuration... 
[OK]Modified configuration has been saved 
Jan 24 20:15:02.745: %INSTALL-5-INSTALL_START_INFO: R0/0: install_engine: Started install activate
Jan 24 20:15:02.745 %INSTALL-5-INSTALL_START_INFO: R0/0: install_engine: Started install activate 
install_activate: Activating PACKAGE

install activate profile

To activate an installed package, use the install activate profile command.

install activate profile

Syntax Description

profile

To activate the profile.

Command Default

None

Command Modes

Privileged EXEC (#)

Command History

Release Modification
Cisco IOS XE Gibraltar 16.12.2s

This command was introduced.

Examples

The following example shows how to activate the installed package:

Device#install activate profile default
install_activate: START Thu Nov 24 20:14:53 UTC 2019

System configuration has been modified.
Press Yes(y) to save the configuration and proceed.
Press No(n) for proceeding without saving the configuration.
Press Quit(q) to exit, you may save configuration and re-enter the command. [y/n/q] y
Building configuration... 
[OK]Modified configuration has been saved 
Jan 24 20:15:02.745: %INSTALL-5-INSTALL_START_INFO: R0/0: install_engine: Started install activate
Jan 24 20:15:02.745 %INSTALL-5-INSTALL_START_INFO: R0/0: install_engine: Started install activate 
install_activate: Activating PACKAGE

install activate file

To activate an installed package, use the install activate file command.

install activate file file-name

Syntax Description

file-name

Specifies the package name. Options are: bootflash:, flash:, and webui:.

Command Default

None

Command Modes

Privileged EXEC (#)

Command History

Release Modification
Cisco IOS XE Gibraltar 16.11.1

This command was introduced.

Examples

The following example shows how to use an auto cancel timer while activating an install package on a standby location:

Device# install activate file vwlc_apsp_16.11.1.0_74.bin 

install commit

To commit the changes to the loadpath, use the install commit command.

install commit

Syntax Description

This command has no keywords or arguments.

Command Default

None

Command Modes

Privileged EXEC (#)

Command History

Release Modification
Cisco IOS XE Gibraltar 16.11.1

This command was introduced.

Examples

The following example shows how to commit the changes to the loadpath:

Device# install commit  

install remove profile default

To specify an install package that is to be removed, use the install remove profile default command.

install remove profile default

Syntax Description

remove

Removes the install package.

profile

Specifies the profile to be removed.

Command Default

None

Command Modes

Privileged EXEC (#)

Command History

Release Modification
Cisco IOS XE Gibraltar 16.11.1

This command was introduced.

Examples

The following example shows how to remove a default profile:

Device# install remove profile default

install deactivate

To specify an install package that is to be deactivated, use the install deactivate file command.

install deactivate file file-name

Syntax Description

file-name

Specifies the package name. Options are: bootflash:, flash:, and webui:.

Command Default

None

Command Modes

Privileged EXEC (#)

Command History

Release Modification
Cisco IOS XE Gibraltar 16.11.1

This command was introduced.

Examples

The following example shows how to deactivate an install package:

Device# install deactivate file vwlc_apsp_16.11.1.0_74.bin

install deactivate

To specify an install package that is to be deactivated, use the install deactivate file command.

install deactivate file file-name

Syntax Description

file-name

Specifies the package name. Options are: bootflash:, flash:, and webui:.

Command Default

None

Command Modes

Privileged EXEC (#)

Command History

Release Modification
Cisco IOS XE Gibraltar 16.11.1

This command was introduced.

Examples

The following example shows how to deactivate an install package:

Device# install deactivate file vwlc_apsp_16.11.1.0_74.bin

install prepare

To prepare a SMU package to cancel, activate, or deactivate an operation, use the install prepare command.

install prepare { abort | activate file file-name | deactivate file file-name }

Syntax Description

abort

Prepares a SMU package for cancel operation.

activate file

Prepares a SMU package for activation.

file-name

Package name.

deactivate file

Prepares a SMU package for deactivation.

Command Default

None

Command Modes

Privileged EXEC (#)

Command History

Release Modification
Cisco IOS XE Gibraltar 16.11.1

This command was introduced.

Examples

The following example shows how to prepare a package for cancel, activate, or deactivate operation:

Device# install prepare abort
Device# install prepare activate file vwlc_apsp_16.11.1.0_74.bin 
Device# install prepare deactivate file vwlc_apsp_16.11.1.0_74.bin 

install prepare rollback

To prepare a SMU package for rollback operation, use the install prepare rollback command.

install prepare rollback to{ base | committed | id id| label label}

Syntax Description

base

Prepares to roll back to the base image.

committed

Prepares to roll back to the last committed installation point.

id

Prepares rollback to the last committed installation point.

id

The identifier of the install point to roll back to.

label

Prepares to roll back to a specific install point label.

label

Label name, with a maximum of 15 characters.

Command Default

None

Command Modes

Privileged EXEC (#)

Command History

Release Modification
Cisco IOS XE Gibraltar 16.11.1

This command was introduced.

Examples

This example shows how to prepare a package for roll back to a particular id:

Device# install prepare rollback to id 2

install rollback

To roll back to a particular installation point, use the install rollback command.

install rollback to { base | committed | id id | label label} [ prompt-level none]

Syntax Description

base

Rolls back to the base image.

prompt-level none

Sets the prompt level as none.

committed

Rolls back to the last committed installation point.

id

Rolls back to a specific install point ID.

label

Rolls back to a specific install point label.

Command Default

None

Command Modes

Privileged EXEC (#)

Command History

Release Modification
Cisco IOS XE Gibraltar 16.11.1

This command was introduced.

Examples

The following example shows how to specify the ID of the install point to roll back to:

Device# install rollback to id 1 

interface vlan

To create or access a dynamic switch virtual interface (SVI) and to enter interface configuration mode, use the interface vlan command in global configuration mode. To delete an SVI, use the no form of this command.

interface vlan vlan-id

no interface vlan vlan-id

Syntax Description

vlan-id

VLAN number. The range is 1 to 4094.

Command Default

The default VLAN interface is VLAN 1.

Command Modes

Global configuration

Command History

Release Modification

Cisco IOS XE Gibraltar 16.10.1

This command was introduced.

Usage Guidelines

SVIs are created the first time you enter the interface vlan vlan-id command for a particular VLAN. The vlan-id corresponds to the VLAN-tag associated with data frames on an IEEE 802.1Q encapsulated trunk or the VLAN ID configured for an access port.


Note

When you create an SVI, it does not become active until it is associated with a physical port.


If you delete an SVI using the no interface vlan vlan-id command, it is no longer visible in the output from the show interfaces privileged EXEC command.


Note

You cannot delete the VLAN 1 interface.


You can reinstate a deleted SVI by entering the interface vlan vlan-id command for the deleted interface. The interface comes back up, but the previous configuration is gone.

The interrelationship between the number of SVIs configured on a chassis or a chassis stack and the number of other features being configured might have an impact on CPU utilization due to hardware limitations. You can use the sdm prefer global configuration command to reallocate system hardware resources based on templates and feature tables.

You can verify your setting by entering the show interfaces and show interfaces vlan vlan-id privileged EXEC commands.

Examples

This example shows how to create a new SVI with VLAN ID 23 and enter interface configuration mode:

Device(config)# interface vlan 23
Device(config-if)#

ip access-group

To configure WLAN access control group (ACL), use the ip access-group command. To remove a WLAN ACL group, use the no form of the command.

ip access-group [web] acl-name

no ip access-group [web]

Syntax Description

web

(Optional) Configures the IPv4 web ACL.

acl-name

Specify the preauth ACL used for the WLAN with the security type value as webauth.

Command Default

None

Command Modes

WLAN configuration

Usage Guidelines

You must disable the WLAN before using this command. See Related Commands section for more information on how to disable a WLAN.

Command History

Release Modification

Cisco IOS XE Gibraltar 16.10.1

This command was introduced.

Examples

This example shows how to configure a WLAN ACL:

Device#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Device(config)#wlan wlan1
Device(config-wlan)#ip access-group test-acl

This example shows how to configure an IPv4 WLAN web ACL:

Device# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Device(config)# wlan wlan1
Device(config-wlan)# ip access-group web test
Device(config-wlan)# 

ip access-list extended

To configure extended access list, use the ip access-list extended command.

ip access-list extended {<100-199> | <2000-2699> | access-list-name}

Syntax Description

<100-199>

Extended IP access-list number.

<2000-2699>

Extended IP access-list number (expanded range).

Command Default

None

Command Modes

Global configuration (config)

Command History

Release Modification

Cisco IOS XE Gibraltar 16.10.1

This command was introduced in a release earlier than Cisco IOS XE Gibraltar 16.10.1.

Examples

The following example shows how to configure extended access list:

Device# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Device(config)# ip access-list extended access-list-name

ip address

To set a primary or secondary IP address for an interface, use the ip address command in interface configuration mode. To remove an IP address or disable IP processing, use the no form of this command.

ip address ip-address mask [secondary [vrf vrf-name]]

no ip address ip-address mask [secondary [vrf vrf-name]]

Syntax Description

ip-address

IP address.

mask

Mask for the associated IP subnet.

secondary

(Optional) Specifies that the configured address is a secondary IP address. If this keyword is omitted, the configured address is the primary IP address.

Note 

If the secondary address is used for a VRF table configuration with the vrf keyword, the vrf keyword must be specified also.

vrf

(Optional) Name of the VRF table. The vrf-name argument specifies the VRF name of the ingress interface.

Command Default

No IP address is defined for the interface.

Command Modes

Interface configuration (config-if)

Command History

Release

Modification

Cisco IOS XE Gibraltar 16.10.1

This command was introduced.

Usage Guidelines

An interface can have one primary IP address and multiple secondary IP addresses. Packets generated by the Cisco IOS software always use the primary IP address. Therefore, all devices and access servers on a segment should share the same primary network number.

Hosts can determine subnet masks using the Internet Control Message Protocol (ICMP) mask request message. Devices respond to this request with an ICMP mask reply message.

You can disable IP processing on a particular interface by removing its IP address with the no ip address command. If the software detects another host using one of its IP addresses, it will print an error message on the console.

The optional secondary keyword allows you to specify an unlimited number of secondary addresses. Secondary addresses are treated like primary addresses, except the system never generates datagrams other than routing updates with secondary source addresses. IP broadcasts and Address Resolution Protocol (ARP) requests are handled properly, as are interface routes in the IP routing table.

Secondary IP addresses can be used in a variety of situations. The following are the most common applications:

  • There may not be enough host addresses for a particular network segment. For example, your subnetting allows up to 254 hosts per logical subnet, but on one physical subnet you need 300 host addresses. Using secondary IP addresses on the devices or access servers allows you to have two logical subnets using one physical subnet.

  • Many older networks were built using Level 2 bridges. The judicious use of secondary addresses can aid in the transition to a subnetted, device-based network. Devices on an older, bridged segment can be easily made aware that many subnets are on that segment.

  • Two subnets of a single network might otherwise be separated by another network. This situation is not permitted when subnets are in use. In these instances, the first network is extended , or layered on top of the second network using secondary addresses.


Note

  • If any device on a network segment uses a secondary address, all other devices on that same segment must also use a secondary address from the same network or subnet. Inconsistent use of secondary addresses on a network segment can very quickly cause routing loops.

  • When you are routing using the Open Shortest Path First (OSPF) algorithm, ensure that all secondary addresses of an interface fall into the same OSPF area as the primary addresses.

  • If you configure a secondary IP address, you must disable sending ICMP redirect messages by entering the no ip redirects command, to avoid high CPU utilization.


Examples

In the following example, 192.108.1.27 is the primary address and 192.31.7.17 is the secondary address for GigabitEthernet interface 1/0/1:

Device# enable 
Device# configure terminal
Device(config)# interface GigabitEthernet 1/0/1
Device(config-if)# ip address 192.108.1.27 255.255.255.0
Device(config-if)# ip address 192.31.7.17 255.255.255.0 secondary


ip admission

To enable web authentication, use the ip admission command in interface configuration mode. You can also use this command in fallback-profile configuration mode. To disable web authentication, use the no form of this command.

ip admission rule

no ip admission rule

Syntax Description

rule

IP admission rule name.

Command Default

Web authentication is disabled.

Command Modes

Interface configuration

Fallback-profile configuration

Command History

Release

Modification

Cisco IOS XE Gibraltar 16.10.1

This command was introduced.

Usage Guidelines

The ip admission command applies a web authentication rule to a switch port.

Examples

This example shows how to apply a web authentication rule to a switchport:


Device# configure terminal
Device(config)# interface gigabitethernet1/0/1
Device(config-if)# ip admission rule1

This example shows how to apply a web authentication rule to a fallback profile for use on an IEEE 802.1x enabled switch port.


Device# configure terminal
Device(config)# fallback profile profile1
Device(config-fallback-profile)# ip admission rule1

ip dhcp pool

To configure a Dynamic Host Configuration Protocol (DHCP) address pool on a DHCP server and enter DHCP pool configuration mode, use the ip dhcp pool command in global configuration mode. To remove the address pool, use the no form of this command.

ip dhcp pool name

no ip dhcp pool name

Syntax Description

name

Name of the pool. Can either be a symbolic string (such as engineering) or an integer (such as 0).

Command Default

DHCP address pools are not configured.

Command Modes

Global configuration

Command History

Release

Modification

12.0(1)T

This command was introduced.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.

Usage Guidelines

During execution of this command, the configuration mode changes to DHCP pool configuration mode, which is identified by the (config-dhcp)# prompt. In this mode, the administrator can configure pool parameters, like the IP subnet number and default router list.

Examples

The following example configures pool1 as the DHCP address pool:


ip dhcp pool pool1

ip dhcp-relay information option server-override

To enable the system to globally insert the server ID override and link selection suboptions into the DHCP relay agent information option in forwarded BOOTREQUEST messages to a Dynamic Host Configuration Protocol (DHCP) server, use the ip dhcp-relay information option server-override command in global configuration mode. To disable inserting the server ID override and link selection suboptions into the DHCP relay agent information option, use the no form of this command.

ip dhcp-relay information option server-override

no ip dhcp-relay information option server-override

Syntax Description

This command has no arguments or keywords.

Command Default

The server ID override and link selection suboptions are not inserted into the DHCP relay agent information option.

Command Modes

Global configuration (config)

Command History

Release

Modification

Cisco IOS XE Release 2.1

This command was introduced on Cisco ASR 1000 Series Aggregation Services Routers.

12.2(33)SRE

This command was integrated into Cisco IOS Release 12.2(33)SRE.

15.1(1)SY

This command was integrated into Cisco IOS Release 15.1(1)SY.

Command History

Release Modification

Cisco IOS XE Gibraltar 16.10.1

This command was introduced in a release earlier than Cisco IOS XE Gibraltar 16.10.1.

Usage Guidelines

The ip dhcp-relay information option server-override command adds the following suboptions into the relay agent information option when DHCP broadcasts are forwarded by the relay agent from clients to a DHCP server:

  • Server ID override suboption

  • Link selection suboption

When this command is configured, the gateway address (giaddr) will be set to the IP address of the outgoing interface, which is the interface that is reachable by the DHCP server.

If the ip dhcp relay information option server-id-override command is configured on an interface, it overrides the global configuration on that interface only.

Examples

In the following example, the DHCP relay will insert the server ID override and link selection suboptions into the relay information option of the DHCP packet. The loopback interface IP address is configured to be the source IP address for the relayed messages.


Device(config)# ip dhcp-relay information option server-override
Device(config)# ip dhcp-relay source-interface loopback 0
Device(config)# interface Loopback 0
Device(config-if)# ip address 10.2.2.1 255.255.255.0

ip dhcp-relay source-interface

To globally configure the source interface for the relay agent to use as the source IP address for relayed messages, use the ip dhcp-relay source-interface command in global configuration mode. To remove the source interface configuration, use the no form of this command.

ip dhcp-relay source-interface type number

no ip dhcp-relay source-interface type number

Syntax Description

type

Interface type. For more information, use the question mark (?) online help function.

number

Interface or subinterface number. For more information about the numbering system for your networking device, use the question mark (?) online help function.

Command Default

The source interface is not configured.

Command Modes

Global configuration (config)

Command History

Release

Modification

Cisco IOS XE Release 2.1

This command was introduced on Cisco ASR 1000 Series Aggregation Services Routers.

12.2(33)SRE

This command was integrated into Cisco IOS Release 12.2(33)SRE.

15.1(1)SY

This command was integrated into Cisco IOS Release 15.1(1)SY.

Usage Guidelines

The ip dhcp-relay source-interface command allows the network administrator to specify a stable, hardware-independent IP address (such as a loopback interface) for the relay agent to use as a source IP address for relayed messages.

If the ip dhcp-relay source-interface global configuration command is configured and the ip dhcp relay source-interface command is also configured, the ip dhcp relay source-interface command takes precedence over the global configuration command. However, the global configuration is applied to interfaces without the interface configuration.

Examples

In the following example, the loopback interface IP address is configured to be the source IP address for the relayed messages:


Device(config)# ip dhcp-relay source-interface loopback 0
Device(config)# interface loopback 0
Device(config-if)# ip address 10.2.2.1 255.255.255.0

ip domain-name

To configure the host domain on the device, use the ip domain-name command.

ip domain-name domain-name [vrf vrf-name]

Syntax Description

domain-name

Default domain name.

vrf-name

Specifies the virtual routing and forwarding (VRF) to use to resolve the domain name.

Command Default

None

Command Modes

Global configuration (config)

Command History

Release Modification

Cisco IOS XE Gibraltar 16.10.1

This command was introduced in a release earlier than Cisco IOS XE Gibraltar 16.10.1.

Examples

The following example shows how to configure a host domain in a device:

Device# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Device(config)# ip domain-name domain-name

ip flow monitor

To configure IP NetFlow monitoring, use the ip flow monitor command. To remove IP NetFlow monitoring, use the no form of this command.

ip flow monitor ip-monitor-name {input | output}

no ip flow monitor ip-monitor-name {input | output}

Syntax Description

ip-monitor-name

Flow monitor name.

input

Enables a flow monitor for ingress traffic.

output

Enables a flow monitor for egress traffic.

Command Default

None

Command Modes

WLAN configuration

Usage Guidelines

You must disable the WLAN before using this command.

Command History

Release Modification

Cisco IOS XE Gibraltar 16.10.1

This command was introduced.

Examples

This example shows how to configure an IP flow monitor for the ingress traffic:

Device# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Device(config)# wlan wlan1
Device(config-wlan)# ip flow monitor test input

This example shows how to disable an IP flow monitor:

Device# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Device(config)# wlan wlan1
Device(config-wlan)# no ip flow monitor test input

ip flow-export destination

To configure ETA flow export destination, use the ip flow-export destination command.

ip flow-export destination ip_address port_number

Syntax Description

port_number

Port number. The range is from 1 to 65535.

Command Default

None

Command Modes

ET-Analytics configuration

Command History

Release Modification

Cisco IOS XE Gibraltar 16.10.1

This command was introduced.

Examples

This example shows how to configure ETA flow export destination in the ET-Analytics configuration mode:

Device# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Device(config)# et-analytics
Device(config-et-analytics)# ip flow-export
destination 120.0.0.1 2055
Device(config-et-analytics)# end

ip helper-address

To enable forwarding of User Datagram Protocol (UDP) broadcasts, including Bootstrap Protocol (BOOTP), received on an interface, use the ip helper-address command in interface configuration mode. To disable forwarding of broadcast packets to specific addresses, use theno form of this command.

ip helper-address [vrf name | global] address { [redundancy vrg-name]}

no ip helper-address [vrf name | global] address { [redundancy vrg-name]}

Syntax Description

vrf name

(Optional) Enables the VPN routing and forwarding (VRF) instance and the VRF name.

global

(Optional) Configures a global routing table.

address

Destination broadcast or host address to be used when forwarding UDP broadcasts. There can be more than one helper address per interface.

redundancy vrg-name

(Optional) Defines the Virtual Router Group (VRG) name.

Command Default

UDP broadcasts are not forwarded.

Command Modes

Interface configuration (config-if)

Command History

Release

Modification

10.0

This command was introduced.

12.2(4)B

This command was modified. The vrf name keyword and argument pair and the global keyword were added.

12.2(15)T

This command was modified. The redundancy vrg-name keyword and argument pair was added.

12.2(28)SB

This command was integrated into Cisco IOS Release 12.2(28)SB.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.

Usage Guidelines

The ip forward-protocol command along with the ip helper-address command allows you to control broadcast packets and protocols that are forwarded.

One common application that requires helper addresses is DHCP, which is defined in RFC 1531. To enable BOOTP or DHCP broadcast forwarding for a set of clients, configure a helper address on the router interface connected to the client. The helper address must specify the address of the BOOTP or DHCP server. If you have multiple servers, configure one helper address for each server.

The following conditions must be met for a UDP or IP packet to be able to use the ip helper-address command:

  • The MAC address of the received frame must be all-ones broadcast address (ffff.ffff.ffff).

  • The IP destination address must be one of the following: all-ones broadcast (255.255.255.255), subnet broadcast for the receiving interface, or major-net broadcast for the receiving interface if the no ip classless command is also configured.

  • The IP time-to-live (TTL) value must be at least 2.

  • The IP protocol must be UDP (17).

  • The UDP destination port must be for TFTP, Domain Name System (DNS), Time, NetBIOS, ND, BOOTP or DHCP packet, or a UDP port specified by the ip forward-protocol udp command in global configuration mode.

If the DHCP server resides in a VPN or global space that is different from the interface VPN, then the vrf name or the global option allows you to specify the name of the VRF or global space in which the DHCP server resides.

The ip helper-address vrf name address option uses the address associated with the VRF name regardless of the VRF of the incoming interface. If the ip helper-address vrf name address command is configured and later the VRF is deleted from the configuration, then all IP helper addresses associated with that VRF name will be removed from the interface configuration.

If the ip helper-address address command is already configured on an interface with no VRF name configured, and later the interface is configured with the ip helper-address vrf name address command, then the previously configured ip helper-address address command is considered to be global.


Note

The ip helper-address command does not work on an X.25 interface on a destination router because the router cannot determine if the packet was intended as a physical broadcast.


The service dhcp command must be configured on the router to enable IP helper statements to work with DHCP. If the command is not configured, the DHCP packets will not be relayed through the IP helper statements. The service dhcp command is configured by default.

Examples

The following example shows how to define an address that acts as a helper address:


Router(config)# interface ethernet 1
Router(config-if)# ip helper-address 10.24.43.2

The following example shows how to define an address that acts as a helper address and is associated with a VRF named host1:


Router(config)# interface ethernet 1/0
Router(config-if)# ip helper-address vrf host1 10.25.44.2

The following example shows how to define an address that acts as a helper address and is associated with a VRG named group1:


Router(config)# interface ethernet 1/0
Router(config-if)# ip helper-address 10.25.45.2 redundancy group1

ip http secure-server

To enable a secure HTTP (HTTPS) server, enter the ip http secure-server command in global configuration mode. To disable the HTTPS server, use the no form of this command..

ip http secure-server

no ip http secure-server

Syntax Description

This command has no arguments or keywords.

Command Default

The HTTPS server is disabled.

Command Modes

Global configuration (config)

Command History

Release

Modification

Cisco IOS XE Gibraltar 16.10.1

This command was introduced.

Usage Guidelines

The HTTPS server uses the Secure Sockets Layer (SSL) version 3.0 protocol.


Caution

When enabling an HTTPS server, you should always disable the standard HTTP server to prevent unsecured connections to the same services. Disable the standard HTTP server using the no ip http server command in global configuration mode (this step is precautionary; typically, the HTTP server is disabled by default).

If a certificate authority (CA) is used for certification, you should declare the CA trustpoint on the routing device before enabling the HTTPS server.

To close HTTP/TCP port 8090, you must disable both the HTTP and HTTPS servers. Enter the no http server and the no http secure-server commands, respectively.

Examples

In the following example the HTTPS server is enabled, and the (previously configured) CA trustpoint CA-trust-local is specified:


Device#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Device(config)#ip http secure-server
Device(config)#ip http secure-trustpoint CA-trust-local
Device(config)#end

Device#show ip http server secure status
HTTP secure server status: Enabled
HTTP secure server port: 443
HTTP secure server ciphersuite: 3des-ede-cbc-sha des-cbc-sha rc4-128-md5 rc4-12a
HTTP secure server client authentication: Disabled
HTTP secure server trustpoint: CA-trust-local

ip http server

To enable the HTTP server on your IP or IPv6 system, including the Cisco web browser user interface, enter the ip http server command in global configuration mode. To disable the HTTP server, use the no form of this command..

ip http server

no ip http server

Syntax Description

This command has no arguments or keywords.

Command Default

The HTTP server uses the standard port 80 by default.

HTTP/TCP port 8090 is open by default.

Command Modes

Global configuration (config)

Command History

Release

Modification

Cisco IOS XE Gibraltar 16.10.1

This command was introduced.

Usage Guidelines

The command enables both IPv4 and IPv6 access to the HTTP server. However, an access list configured with the ip http access-class command is applied only to IPv4 traffic. IPv6 traffic filtering is not supported.


Caution

The standard HTTP server and the secure HTTP (HTTPS) server can run on a system at the same time. If you enable the HTTPS server using the ip http secure-server command, disable the standard HTTP server using the no ip http server command to ensure that secure data cannot be accessed through the standard HTTP connection.

To close HTTP/TCP port 8090, you must disable both the HTTP and HTTPS servers. Enter the no http server and the no http secure-server commands, respectively.

Examples

The following example shows how to enable the HTTP server on both IPv4 and IPv6 systems.

After enabling the HTTP server, you can set the base path by specifying the location of the HTML files to be served. HTML files used by the HTTP web server typically reside in system flash memory. Remote URLs can be specified using this command, but use of remote path names (for example, where HTML files are located on a remote TFTP server) is not recommended.


Device(config)#ip http server
Device(config)#ip http path flash:

ip igmp snooping

To globally enable Internet Group Management Protocol (IGMP) snooping on the device or to enable it on a per-VLAN basis, use the ip igmp snooping global configuration command on the device stack or on a standalone device. To return to the default setting, use the no form of this command.

ip igmp snooping [ vlan vlan-id]

no ip igmp snooping [ vlan vlan-id]

Syntax Description

vlan vlan-id

(Optional) Enables IGMP snooping on the specified VLAN. Ranges are 1—1001 and 1006—4094.

Command Default

IGMP snooping is globally enabled on the device.

IGMP snooping is enabled on VLAN interfaces.

Command Modes

Global configuration

Command History

Release

Modification

Cisco IOS XE Gibraltar 16.10.1

This command was introduced.

Usage Guidelines

When IGMP snooping is enabled globally, it is enabled in all of the existing VLAN interfaces. When IGMP snooping is globally disabled, it is disabled on all of the existing VLAN interfaces.

VLAN IDs 1002 to 1005 are reserved for Token Ring and FDDI VLANs, and cannot be used in IGMP snooping.

Examples

The following example shows how to globally enable IGMP snooping:

Device(config)# ip igmp snooping

The following example shows how to enable IGMP snooping on VLAN 1:

Device(config)# ip igmp snooping vlan 1

You can verify your settings by entering the show ip igmp snooping command in privileged EXEC mode.

ip multicast vlan

To configure IP multicast on a single VLAN, use the ip multicast vlan command in global configuration mode. To remove the VLAN from the WLAN, use the no form of the command.

ip multicast vlan {vlan-name | vlan-id}

no ip multicast vlan {vlan-name | vlan-id}

Syntax Description

vlan-name

Specifies the VLAN name.

vlan-id

Specifies the VLAN ID.

Command Default

Disabled.

Command Modes

WLAN configuration

Command History

Release

Modification

Cisco IOS XE Gibraltar 16.10.1

This command was introduced.

Usage Guidelines

None

Examples

This example configures vlan_id01 as a multicast VLAN.


Device# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Device(config)# wireless multicast
Device(config)# wlan test-wlan 1
Device(config-wlan)# ip multicast vlan vlan_id01

ip nbar protocol-discovery

To configure application recognition on the wireless policy on enabling the NBAR2 engine, use the ip nbar protocol-discovery command.

ip nbar protocol-discovery

Command Default

None

Command Modes

config-wireless-policy

Command History

Release Modification

Cisco IOS XE Gibraltar 16.10.1

This command was introduced in a release earlier than Cisco IOS XE Gibraltar 16.10.1.

Examples

The following example shows how to configure application recognition on the wireless policy:

Device# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Device(config)# wireless profile policy profile-policy-name
Device(config-wireless-policy)# ip nbar protocol-discovery

ip nbar protocol-pack

To load the protocol pack from bootflash, use the ip nbar protocol-pack command.

ip nbar protocol-pack bootflash: [force]

Syntax Description

bootflash:

Load the protocol pack from bootflash:

force

Force load the Load protocol pack from the selected source.

Command Default

None

Command Modes

Global configuration (config)

Command History

Release Modification

Cisco IOS XE Gibraltar 16.10.1

This command was introduced in a release earlier than Cisco IOS XE Gibraltar 16.10.1.

Examples

The following example shows how to load the NBAR2 protocol pack from bootflash:

Device# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Device(config)# ip nbar protocol-pack bootflash:

ip ssh

To configure Secure Shell (SSH) control parameters on your router, use the ip ssh command in global configuration mode. To restore the default value, use the no form of this command.

ip ssh [timeout seconds | authentication-retries integer]

no ip ssh [timeout seconds | authentication-retries integer]

Syntax Description

timeout

(Optional) The time interval that the router waits for the SSH client to respond.

This setting applies to the SSH negotiation phase. Once the EXEC session starts, the standard timeouts configured for the vty apply. By default, there are 5 vtys defined (0-4), therefore 5 terminal sessions are possible. After the SSH executes a shell, the vty timeout starts. The vty timeout defaults to 10 minutes.

seconds

(Optional) The number of seconds until timeout disconnects, with a maximum of 120 seconds. The default is 120 seconds.

authentication- retries

(Optional) The number of attempts after which the interface is reset.

integer

(Optional) The number of retries, with a maximum of 5 authentication retries. The default is 3.

Command Default

SSH control parameters are set to default router values.

Command Modes


Global configuration (config)

Command History

Release

Modification

12.0(5)S

This command was introduced.

12.1(1)T

This command was integrated into Cisco IOS Release 12.1(1) T.

12.2(17a)SX

This command was integrated into Cisco IOS Release 12.2(17a)SX.

12.2(33)SRA

This command was integrated into Cisco IOS release 12.(33)SRA.

Cisco IOS XE Release 2.4

This command was implemented on the Cisco ASR 1000 series routers.

Usage Guidelines

Before you configure SSH on your router, you must enable the SSH server using the crypto key generate rsa command.

Examples

The following examples configure SSH control parameters on your router:


ip ssh timeout 120
ip ssh authentication-retries 3

ip ssh version

To specify the version of Secure Shell (SSH) to be run on a router, use the ip ssh version command in global configuration mode. To disable the version of SSH that was configured and to return to compatibility mode, use the no form of this command.

ip ssh version [1 | 2]

no ip ssh version [1 | 2]

Syntax Description

1

(Optional) Router runs only SSH Version 1.

2

(Optional) Router runs only SSH Version 2.

Command Default

If this command is not configured, SSH operates in compatibility mode, that is, Version 1 and Version 2 are both supported.

Command Modes


Global configuration

Command History

Release

Modification

12.3(4)T

This command was introduced.

12.3(2)XE

This command was integrated into Cisco IOS Release 12.3(2)XE.

12.2(25)S

This command was integrated into Cisco IOS Release 12.2(25)S.

12.3(7)JA

This command was integrated into Cisco IOS Release 12.3(7)JA.

12.0(32)SY

This command was integrated into Cisco IOS Release 12.0(32)SY.

12.4(20)T

This command was integrated into Cisco IOS Release 12.4(20)T.

15.2(2)SA2

This command was implemented on the Cisco ME 2600X Series Ethernet Access Switches.

Usage Guidelines

You can use this command with the 2 keyword to ensure that your router will not inadvertently establish a weaker SSH Version 1 connection.

Examples

The following example shows that only SSH Version 1 support is configured:


Router (config)# ip ssh version 1

The following example shows that only SSH Version 2 is configured:


Router (config)# ip ssh version 2

The following example shows that SSH Versions 1 and 2 are configured:


Router (config)# no ip ssh version

ip tftp blocksize

To specify TFTP client blocksize, use the ip tftp blocksize command.

ip tftp blocksize blocksize-value

Syntax Description

blocksize-value

Blocksize value. Valid range is from 512-8192 Kbps.

Command Default

TFTP client blocksize is not configured.

Command Modes

Global configuration (config)

Command History

Release Modification
Cisco IOS XE Gibraltar 16.10.1

This command was introduced in a release earlier than Cisco IOS XE Gibraltar 16.10.1.

Usage Guidelines

Use this command to change the default blocksize to decrease the image download time.

Examples

The following example shows how to specify TFTP client blocksize:

Device(config)# ip tftp blocksize 512

ip verify source

To enable IP source guard on an interface, use the ip verify source command in interface configuration mode. To disable IP source guard, use the no form of this command.

ip verify source

no ip verify source

Command Default

IP source guard is disabled.

Command Modes

Interface configuration

Command History

Release

Modification

Cisco IOS XE Gibraltar 16.10.1

This command was introduced.

Usage Guidelines

To enable IP source guard with source IP address filtering, use the ip verify source interface configuration command.

Examples

This example shows how to enable IP source guard with source IP address filtering on an interface:


Device(config)# interface gigabitethernet1/0/1
Device(config-if)# ip verify source

You can verify your settings by entering the show ip verify source privileged EXEC command.

ipv4-address-type

To configure the 802.11u IPv4 address type, use the ipv4-address-type command. To remove the address type, use the no form of the command.

ipv4-address-type { double-nated-private| not-available| not-known| port-restricted| port-restricted-double-nated| port-restricted-single-nated| public| single-nated-private}

Syntax Description

double-nated-private

Sets IPv4 address as double network address translation (NAT) private.

not-available

Sets IPv4 address type as not available.

not-known

Sets IPv4 address type availability as not known.

port-restricted

Sets IPv4 address type as port-restricted.

port-restricted-double-nated

Sets IPv4 address type as port-restricted and double NATed.

port-restricted-single-nated

Sets IPv4 address type as port-restricted and single NATed.

public

Sets IPv4 address type as public.

single-nated-private

Sets IPv4 address as single NATed private.

Command Default

None

Command Modes

Wireless ANQP Server Configuration (config-wireless-anqp-server)

Command History

Release Modification
Cisco IOS XE Gibraltar 16.12.1

This command was introduced.

Examples

The following example shows how to configure a a 802.11u IPv4 address type:

Device(config)# wireless hotspot anqp-server my-server
Device(config-wireless-anqp-server)# ipv4-address-type public   

ipv4 dhcp

To configure the DHCP parameters for a WLAN, use the ipv4 dhcp command.

ipv4 dhcp {opt82 | {ascii | rid | format | {ap_ethmac | ap_location | apmac | apname | policy_tag | ssid | vlan_id }} | required | server | dhcp-ip-addr}

Syntax Description

opt82

Sets DHCP option 82 for wireless clients on this WLAN

required

Specifies whether DHCP address assignment is required

server

Configures the WLAN's IPv4 DHCP Server

ascii

Supports ASCII for DHCP option 82

rid

Supports adding Cisco 2 byte RID for DHCP option 82

format

Sets RemoteID format

ap_ethmac

Enables DHCP AP Ethernet MAC address

ap_location

Enables AP location

apmac

Enables AP MAC address

apname

Enables AP name

policy_tag

Enables Policy tag

ssid

Enables SSID

vlan_id

Enables VLAN ID

dhcp-ip-addr

Enter the override DHCP server's IP Address.

Command Default

None

Command Modes

config-wireless-policy

Command History

Release Modification

Cisco IOS XE Gibraltar 16.10.1

This command was introduced in a release earlier than Cisco IOS XE Gibraltar 16.10.1.

Examples

The following example shows how to configure DHCP address assignment as a requirement:

Device# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Device(config)# wireless profile policy demo-profile-name
Device(config-wireless-policy)# ipv4 dhcp required

ipv4 flow monitor

To configure the IPv4 traffic ingress flow monitor for a WLAN profile policy, use the ipv4 flow monitor input command.

ipv4 flow monitor monitor-name input

Syntax Description

monitor-name

Flow monitor name.

input

Enables flow monitor on ingress traffic.

Command Default

None

Command Modes

config-wireless-policy

Command History

Release Modification

Cisco IOS XE Gibraltar 16.10.1

This command was introduced in a release earlier than Cisco IOS XE Gibraltar 16.10.1.

Examples

The following example shows how to configure the IPv4 traffic ingress flow monitor for a WLAN profile policy:
Device# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Device(config)# wireless profile policy policy-profile-name
Device(config-wireless-policy)# ipv4 flow monitor flow-monitor-name input

ipv6 access-list

To define an IPv6 access list and to place the device in IPv6 access list configuration mode, use the ipv6 access-list command in global configuration mode. To remove the access list, use the no form of this command.

ipv6 access-list access-list-name | match-local-traffic | log-update threshold threshold-in-msgs | role-based list-name

noipv6 access-list access-list-name | client permit-control-packets| log-update threshold | role-based list-name

Syntax Description

ipv6 access-list-name

Creates a named IPv6 ACL (up to 64 characters in length) and enters IPv6 ACL configuration mode.

access-list-name - Name of the IPv6 access list. Names cannot contain a space or quotation mark, or begin with a numeric.

match-local-traffic

Enables matching for locally-generated traffic.

log-update threshold threshold-in-msgs

Determines how syslog messages are generated after the initial packet match.

threshold-in-msgs - Number of packets generated.

role-based list-name

Creates a role-based IPv6 ACL.

Command Default

No IPv6 access list is defined.

Command Modes


Global configuration

Command History

Release

Modification

Cisco IOS XE Gibraltar 16.10.1

This command was introduced.

Usage Guidelines

IPv6 ACLs are defined by using the ipv6 access-list command in global configuration mode and their permit and deny conditions are set by using the deny and permit commands in IPv6 access list configuration mode. Configuring the ipv6 access-list command places the device in IPv6 access list configuration mode--the device prompt changes to Device(config-ipv6-acl)#. From IPv6 access list configuration mode, permit and deny conditions can be set for the defined IPv6 ACL.


Note

IPv6 ACLs are defined by a unique name (IPv6 does not support numbered ACLs). An IPv4 ACL and an IPv6 ACL cannot share the same name.


IPv6 is automatically configured as the protocol type in permit any any and deny any any statements that are translated from global configuration mode to IPv6 access list configuration mode.

Every IPv6 ACL has implicit permit icmp any any nd-na , permit icmp any any nd-ns , and deny ipv6 any any statements as its last match conditions. (The former two match conditions allow for ICMPv6 neighbor discovery.) An IPv6 ACL must contain at least one entry for the implicit deny ipv6 any any statement to take effect. The IPv6 neighbor discovery process makes use of the IPv6 network layer service; therefore, by default, IPv6 ACLs implicitly allow IPv6 neighbor discovery packets to be sent and received on an interface. In IPv4, the Address Resolution Protocol (ARP), which is equivalent to the IPv6 neighbor discovery process, makes use of a separate data link layer protocol; therefore, by default, IPv4 ACLs implicitly allow ARP packets to be sent and received on an interface.

Use the ipv6 traffic-filter interface configuration command with the access-list-name argument to apply an IPv6 ACL to an IPv6 interface. Use the ipv6 access-class line configuration command with the access-list-name argument to apply an IPv6 ACL to incoming and outgoing IPv6 virtual terminal connections to and from the device.

An IPv6 ACL applied to an interface with the ipv6 traffic-filter command filters traffic that is forwarded, not originated, by the device.

Examples

The example configures the IPv6 ACL list named list1 and places the device in IPv6 access list configuration mode.


Device(config)# ipv6 access-list list1
Device(config-ipv6-acl)#

The following example configures the IPv6 ACL named list2 and applies the ACL to outbound traffic on Ethernet interface 0. Specifically, the first ACL entry keeps all packets from the network FEC0:0:0:2::/64 (packets that have the site-local prefix FEC0:0:0:2 as the first 64 bits of their source IPv6 address) from exiting out of Ethernet interface 0. The second entry in the ACL permits all other traffic to exit out of Ethernet interface 0. The second entry is necessary because an implicit deny all condition is at the end of each IPv6 ACL.


Device(config)# ipv6 access-list list2 deny FEC0:0:0:2::/64 any
Device(config)# ipv6 access-list list2 permit any any
Device(config)# interface ethernet 0
Device(config-if)# ipv6 traffic-filter list2 out

ipv6-address-type

To configure the 802.11u IPv6 address type, use the ipv6-address-type command. To remove the address type, use the no form of the command.

ipv6-address-type { available| not-available| not-known}

Syntax Description

available

Sets IPv6 address type as available.

not-available

Sets IPv6 address type as not available.

not-known

Sets IPv6 address type availability as not known.

Command Default

None

Command Modes

Wireless ANQP Server Configuration (config-wireless-anqp-server)

Command History

Release Modification
Cisco IOS XE Gibraltar 16.12.1

This command was introduced.

Examples

The following example shows how to configure a 802.11u IPv6 address type:

Device(config)# wireless hotspot anqp-server my-server
Device(config-wireless-anqp-server)# ipv4-address-type available   

ipv6 address

To configure an IPv6 address based on an IPv6 general prefix and enable IPv6 processing on an interface, use the ipv6 address command in interface configuration mode. To remove the address from the interface, use the no form of this command.

ipv6 address {ipv6-prefix/prefix-length | prefix-name sub-bits/prefix-length}

no ipv6 address {ipv6-address/prefix-length | prefix-name sub-bits/prefix-length}

Syntax Description

ipv6-address

The IPv6 address to be used.

/ prefix-length

The length of the IPv6 prefix. A decimal value that indicates how many of the high-order contiguous bits of the address comprise the prefix (the network portion of the address). A slash mark must precede the decimal value.

prefix-name

A general prefix, which specifies the leading bits of the network to be configured on the interface.

sub-bits

The subprefix bits and host bits of the address to be concatenated with the prefixes provided by the general prefix specified with the prefix-name argument.

The sub-bits argument must be in the form documented in RFC 2373 where the address is specified in hexadecimal using 16-bit values between colons.

Command Default

No IPv6 addresses are defined for any interface.

Command Modes


Interface configuration

Command History

Release

Modification

12.2(2)T

This command was introduced.

12.2(28)SB

This command was integrated into Cisco IOS Release 12.2(28)SB.

12.2(25)SG

This command was integrated into Cisco IOS Release 12.2(25)SG.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2(33)SXH

This command was integrated into Cisco IOS Release 12.2(33)SXH.

Cisco IOS XE Release 2.1

This command was integrated into Cisco ASR 1000 Series devices.

15.2(4)S

This command was integrated into Cisco IOS Release 15.2(4)S.

15.2(2)SNG

This command was implemented on the Cisco ASR 901 Series Aggregation Services devices.

Cisco IOS XE Release 3.2SE

This command was integrated into Cisco IOS XE Release 3.2SE.

Usage Guidelines

The ipv6 address command allows multiple IPv6 addresses to be configured on an interface in various different ways, with varying options. The most common way is to specify the IPv6 address with the prefix length.

Addresses may also be defined using the general prefix mechanism, which separates the aggregated IPv6 prefix bits from the subprefix and host bits. In this case, the leading bits of the address are defined in a general prefix, which is globally configured or learned (for example, through use of Dynamic Host Configuration Protocol-Prefix Delegation (DHCP-PD)), and then applied using the prefix-name argument. The subprefix bits and host bits are defined using the sub-bits argument.

Using the no ipv6 address autoconfig command without arguments removes all IPv6 addresses from an interface.

IPv6 link-local addresses must be configured and IPv6 processing must be enabled on an interface by using the ipv6 address link-local command.

Examples

The following example shows how to enable IPv6 processing on the interface and configure an address based on the general prefix called my-prefix and the directly specified bits:

Device(config-if) ipv6 address my-prefix 0:0:0:7272::72/64

Assuming the general prefix named my-prefix has the value of 2001:DB8:2222::/48, then the interface would be configured with the global address 2001:DB8:2222:7272::72/64.

ipv6 dhcp pool

To configure a Dynamic Host Configuration Protocol (DHCP) for IPv6 server configuration information pool and enter DHCP for IPv6 pool configuration mode, use the ipv6 dhcp pool command in global configuration mode. To delete a DHCP for IPv6 pool, use the no form of this command.

ipv6 dhcp pool poolname

no ipv6 dhcp pool poolname

Syntax Description

poolname

User-defined name for the local prefix pool. The pool name can be a symbolic string (such as "Engineering") or an integer (such as 0).

Command Default

DHCP for IPv6 pools are not configured.

Command Modes


Global configuration

Command History

Release

Modification

12.3(4)T

This command was introduced.

12.2(18)SXE

This command was integrated into Cisco IOS Release 12.2(18)SXE.

12.4(24)T

This command was integrated into Cisco IOS Release 12.4(24)T.

Cisco IOS XE Release 2.1

This command was integrated into Cisco IOS XE Release 2.1.

12.2(33)SRE

This command was modified. It was integrated into Cisco IOS Release 12.2(33)SRE.

12.2(33)XNE

This command was modified. It was integrated into Cisco IOS Release 12.2(33)XNE.

Usage Guidelines

Use the ipv6 dhcp pool command to create a DHCP for IPv6 server configuration information pool. When the ipv6 dhcp pool command is enabled, the configuration mode changes to DHCP for IPv6 pool configuration mode. In this mode, the administrator can configure pool parameters, such as prefixes to be delegated and Domain Name System (DNS) servers, using the following commands:

  • address prefix IPv6-prefix [lifetime {valid-lifetime preferred-lifetime | infinite }] sets an address prefix for address assignment. This address must be in hexadecimal, using 16-bit values between colons.

  • link-address IPv6-prefix sets a link-address IPv6 prefix. When an address on the incoming interface or a link-address in the packet matches the specified IPv6-prefix, the server uses the configuration information pool. This address must be in hexadecimal, using 16-bit values between colons.

  • vendor-specific vendor-id enables DHCPv6 vendor-specific configuration mode. Specify a vendor identification number. This number is the vendor IANA Private Enterprise Number. The range is 1 to 4294967295. The following configuration command is available:
    • suboption number sets vendor-specific suboption number. The range is 1 to 65535. You can enter an IPv6 address, ASCII text, or a hex string as defined by the suboption parameters.

Note

The hex value used under the suboption keyword allows users to enter only hex digits (0-f). Entering an invalid hex value does not delete the previous configuration.


Once the DHCP for IPv6 configuration information pool has been created, use the ipv6 dhcp server command to associate the pool with a server on an interface. If you do not configure an information pool, you need to use the ipv6 dhcp server interface configuration command to enable the DHCPv6 server function on an interface.

When you associate a DHCPv6 pool with an interface, only that pool services requests on the associated interface. The pool also services other interfaces. If you do not associate a DHCPv6 pool with an interface, it can service requests on any interface.

Not using any IPv6 address prefix means that the pool returns only configured options.

The link-address command allows matching a link-address without necessarily allocating an address. You can match the pool from multiple relays by using multiple link-address configuration commands inside a pool.

Since a longest match is performed on either the address pool information or the link information, you can configure one pool to allocate addresses and another pool on a subprefix that returns only configured options.

Examples

The following example specifies a DHCP for IPv6 configuration information pool named cisco1 and places the router in DHCP for IPv6 pool configuration mode:


Router(config)# ipv6 dhcp pool cisco1
Router(config-dhcpv6)#

The following example shows how to configure an IPv6 address prefix for the IPv6 configuration pool cisco1:


Router(config-dhcpv6)# address prefix 2001:1000::0/64
Router(config-dhcpv6)# end

The following example shows how to configure a pool named engineering with three link-address prefixes and an IPv6 address prefix:


Router# configure terminal
Router(config)# ipv6 dhcp pool engineering
Router(config-dhcpv6)# link-address 2001:1001::0/64
Router(config-dhcpv6)# link-address 2001:1002::0/64
Router(config-dhcpv6)# link-address 2001:2000::0/48
Router(config-dhcpv6)# address prefix 2001:1003::0/64
Router(config-dhcpv6)# end

The following example shows how to configure a pool named 350 with vendor-specific options:


Router# configure terminal
Router(config)# ipv6 dhcp pool 350
Router(config-dhcpv6)# vendor-specific 9
Router(config-dhcpv6-vs)# suboption 1 address 1000:235D::1
Router(config-dhcpv6-vs)# suboption 2 ascii "IP-Phone"
Router(config-dhcpv6-vs)# end

ipv6 enable

To enable IPv6 processing on an interface that has not been configured with an explicit IPv6 address, use the ipv6 enable command in interface configuration mode. To disable IPv6 processing on an interface that has not been configured with an explicit IPv6 address, use the no form of this command.

ipv6 enable

no ipv6 enable

Syntax Description

This command has no arguments or keywords.

Command Default

IPv6 is disabled.

Command Modes


Interface configuration (config-if)

Command History

Release

Modification

12.2(2)T

This command was introduced.

12.0(21)ST

This command was integrated into Cisco IOS Release 12.0(21)ST.

12.0(22)S

This command was integrated into Cisco IOS Release 12.0(22)S.

12.2(14)S

This command was integrated into Cisco IOS Release 12.2(14)S.

12.2(28)SB

This command was integrated into Cisco IOS Release 12.2(28)SB.

12.2(25)SG

This command was integrated into Cisco IOS Release 12.2(25)SG.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2(33)SXH

This command was integrated into Cisco IOS Release 12.2(33)SXH.

Cisco IOS XE Release 2.1

This command was integrated into Cisco IOS XE Release 2.1.

15.2(2)SNG

This command was implemented on the Cisco ASR 901 Series Aggregation Services devices.

Cisco IOS XE Release 3.2SE

This command was integrated into Cisco IOS XE Release 3.2SE.

15.2(2)SA2

This command was implemented on the Cisco ME 2600X Series Ethernet Access Switches.

Usage Guidelines

The ipv6 enable command automatically configures an IPv6 link-local unicast address on the interface while also enabling the interface for IPv6 processing. The no ipv6 enable command does not disable IPv6 processing on an interface that is configured with an explicit IPv6 address.

Examples

The following example enables IPv6 processing on Ethernet interface 0/0:


Device(config)# interface ethernet 0/0
Device(config-if)# ipv6 enable

ipv6 flow-export destination

To configure IPv6 ETA flow export destination, use the ipv6 flow-export destination command.

ipv6 flow-export destination ipv6_address port_number [ source-interface interface-name ] [ ipfix]

Syntax Description

ip_address

Flow destination address.

port_number

Flow destination port number. The range is from 1 to 65535.

source-interface

(Optional) The source interface name of the exported ETA record.

interface-number

(Optional) The source address of the exported ETA record. The IP address of the interface is used as source IP address of the exported ETA record packet.

ipfix

(Optional) The format of the exported ETA records.

Command Default

None

Command Modes

ET-Analytics configuration

Command History

Release Modification

Cisco IOS XE Amsterdam 17.1.1s

This command was introduced.

Examples

This example shows how to configure ETA flow export destination:

Device# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Device(config)# et-analytics
Device(config-et-analytics)# ipv6 flow-export destination 2001:181:181::1 22 source-interface loopback0 ipfix
Device(config-et-analytics)# end

ipv6 mld snooping

To enable Multicast Listener Discovery version 2 (MLDv2) protocol snooping globally, use the ipv6 mld snooping command in global configuration mode. To disable the MLDv2 snooping globally, use the no form of this command.

ipv6 mld snooping

no ipv6 mld snooping

Syntax Description

This command has no arguments or keywords.

Command Default

This command is enabled.

Command Modes


Global configuration

Command History

Release

Modification

12.2(18)SXE

This command was introduced on the Supervisor Engine 720.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

15.4(2)S

This command was implemented on the Cisco ASR 901 Series Aggregation Services Router.

Usage Guidelines

MLDv2 snooping is supported on the Supervisor Engine 720 with all versions of the Policy Feature Card 3 (PFC3).

To use MLDv2 snooping, configure a Layer 3 interface in the subnet for IPv6 multicast routing or enable the MLDv2 snooping querier in the subnet.

Examples

This example shows how to enable MLDv2 snooping globally:


Router(config)# ipv6 mld snooping 

ipv6 nd managed-config-flag

To set the managed address configuration flag in IPv6 router advertisements, use the ipv6 nd managed-config-flag command in an appropriate configuration mode. To clear the flag from IPv6 router advertisements, use the no form of this command.

ipv6 nd managed-config-flag

no ipv6 nd managed-config-flag

Syntax Description

This command has no keywords or arguments.

Command Default

The managed address configuration flag is not set in IPv6 router advertisements.

Command Modes

Interface configuration

Command History

Release Modification
Cisco IOS XE Gibraltar 16.10.1

This command was introduced in a release earlier than Cisco IOS XE Gibraltar 16.10.1.

Usage Guidelines

Setting the managed address configuration flag in IPv6 router advertisements indicates to attached hosts whether they should use stateful autoconfiguration to obtain addresses. If the flag is set, the attached hosts should use stateful autoconfiguration to obtain addresses. If the flag is not set, the attached hosts should not use stateful autoconfiguration to obtain addresses.

Hosts may use stateful and stateless address autoconfiguration simultaneously.

Examples

This example shows how to configure the managed address configuration flag in IPv6 router advertisements:
Device(config)# interface 
Device(config-if)# ipv6 nd managed-config-flag

ipv6 nd other-config-flag

To set the other stateful configuration flag in IPv6 router advertisements, use the ipv6 nd other-config-flag command in an appropriate configuration mode. To clear the flag from IPv6 router advertisements, use the no form of this command.

ipv6 nd other-config-flag

Syntax Description

This command has no keywords or arguments.

Command Default

The other stateful configuration flag is not set in IPv6 router advertisements.

Command Modes

Interface configuration

Dynamic template configuration

Command History

Release Modification
Cisco IOS XE Gibraltar 16.10.1

This command was introduced in a release earlier than Cisco IOS XE Gibraltar 16.10.1.

Usage Guidelines

The setting of the other stateful configuration flag in IPv6 router advertisements indicates to attached hosts how they can obtain autoconfiguration information other than addresses. If the flag is set, the attached hosts should use stateful autoconfiguration to obtain the other (nonaddress) information.


Note

If the managed address configuration flag is set using the ipv6 nd managed-config-flag command, then an attached host can use stateful autoconfiguration to obtain the other (nonaddress) information regardless of the setting of the other stateful configuration flag.


Examples

This example (not applicable for BNG) configures the “other stateful configuration” flag in IPv6 router advertisements:

Device(config)# interface 
Device(config-if)# ipv6 nd other-config-flag

ipv6 nd ra throttler attach-policy

To configure a IPv6 policy for feature RA throttler, use the ipv6 nd ra-throttler attach-policy command.

ipv6 nd ra-throttler attach-policy policy-name

Syntax Description

ipv6

IPv6 root chain.

ra-throttler

Configure RA throttler on the VLAN.

attach-policy

Apply a policy for feature RA throttler.

policy-name

Policy name for feature RA throttler

Command Default

None

Command Modes

config-vlan

Command History

Release Modification

Cisco IOS XE Gibraltar 16.10.1

This command was introduced in a release earlier than Cisco IOS XE Gibraltar 16.10.1.

Examples

The following example shows how to configure configure a IPv6 policy for feature RA throttler:

Device# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Device(config)# vlan configuration vlan-id
Device(config-vlan-config)# ipv6 nd ra-throttler attach-policy

ipv6 nd raguard policy

To define the router advertisement (RA) guard policy name and enter RA guard policy configuration mode, use the ipv6 nd raguard policy command in global configuration mode.

ipv6 nd raguardpolicy policy-name

Syntax Description

policy-name

IPv6 RA guard policy name.

Command Default

An RA guard policy is not configured.

Command Modes


Global configuration (config)#

Command History

Release

Modification

12.2(50)SY

This command was introduced.

15.2(4)S

This command was integrated into Cisco IOS Release 15.2(4)S.

15.0(2)SE

This command was integrated into Cisco IOS Release 15.0(2)SE.

Cisco IOS XE Release 3.2SE

This command was integrated into Cisco IOS XE Release 3.2SE.

Usage Guidelines

Use the ipv6 nd raguard policy command to configure RA guard globally on a router. Once the device is in ND inspection policy configuration mode, you can use any of the following commands:

  • device-role

  • drop-unsecure

  • limit address-count

  • sec-level minimum

  • trusted-port

  • validate source-mac

After IPv6 RA guard is configured globally, you can use the ipv6 nd raguard attach-policy command to enable IPv6 RA guard on a specific interface.

Examples

The following example shows how to define the RA guard policy name as policy1 and place the device in policy configuration mode:


Device(config)# ipv6 nd raguard policy policy1
Device(config-ra-guard)#

ipv6 snooping policy


Note

All existing IPv6 Snooping commands (prior to ) now have corresponding SISF-based device-tracking commands that allow you to apply your configuration to both IPv4 and IPv6 address families. For more information, see device-tracking policy.


To configure an IPv6 snooping policy and enter IPv6 snooping configuration mode, use the ipv6 snooping policy command in global configuration mode. To delete an IPv6 snooping policy, use the no form of this command.

ipv6 snooping policy snooping-policy

no ipv6 snooping policy snooping-policy

Syntax Description

snooping-policy

User-defined name of the snooping policy. The policy name can be a symbolic string (such as Engineering) or an integer (such as 0).

Command Default

An IPv6 snooping policy is not configured.

Command Modes

Global configuration

Command History

Release

Modification

Cisco IOS XE Gibraltar 16.10.1

This command was introduced.

Usage Guidelines

Use the ipv6 snooping policy command to create an IPv6 snooping policy. When the ipv6 snooping policy command is enabled, the configuration mode changes to IPv6 snooping configuration mode. In this mode, the administrator can configure the following IPv6 first-hop security commands:

  • The device-role command specifies the role of the device attached to the port.

  • The limit address-count maximum command limits the number of IPv6 addresses allowed to be used on the port.

  • The protocol command specifies that addresses should be gleaned with Dynamic Host Configuration Protocol (DHCP) or Neighbor Discovery Protocol (NDP).

  • The security-level command specifies the level of security enforced.

  • The tracking command overrides the default tracking policy on a port.

  • The trusted-port command configures a port to become a trusted port; that is, limited or no verification is performed when messages are received.

Examples

This example shows how to configure an IPv6 snooping policy:


Device(config)# ipv6 snooping policy policy1
Device(config-ipv6-snooping)# 

ipv6 traffic-filter

This command enables IPv6 traffic filter.

To enable the filtering of IPv6 traffic on an interface, use the ipv6 traffic-filter command. To disable the filtering of IPv6 traffic on an interface, use the no form of the command.

Use the ipv6 traffic-filter interface configuration command on the switch stack or on a standalone switch to filter IPv6 traffic on an interface. The type and direction of traffic that you can filter depends on the feature set running on the switch stack. Use the no form of this command to disable the filtering of IPv6 traffic on an interface.

ipv6 traffic-filter [web] acl-name

no ipv6 traffic-filter [web]

Syntax Description

web

(Optional) Specifies an IPv6 access name for the WLAN Web ACL.

acl-name

Specifies an IPv6 access name.

Command Default

Filtering of IPv6 traffic on an interface is not configured.

Command Modes

wlan

Command History

Release Modification

Cisco IOS XE Gibraltar 16.10.1

This command was introduced.

Usage Guidelines

To configure the dual IPv4 and IPv6 template, enter the sdm prefer dual-ipv4-and-ipv6 {default | vlan} global configuration command and reload the switch.

You can use the ipv6 traffic-filter command on physical interfaces (Layer 2 or Layer 3 ports), Layer 3 port channels, or switch virtual interfaces (SVIs).

You can apply an ACL to outbound or inbound traffic on Layer 3 interfaces (port ACLs), or to inbound traffic on Layer 2 interfaces (router ACLs).

If any port ACL (IPv4, IPv6, or MAC) is applied to an interface, that port ACL is used to filter packets, and any router ACLs attached to the SVI of the port VLAN are ignored.

Examples

This example shows how to filter IPv6 traffic on an interface:

Device(config-wlan)# ipv6 traffic-filter TestDocTrafficFilter
                                            
                                             

key

To identify an authentication key on a key chain, use the key command in key-chain configuration mode. To remove the key from the key chain, use the no form of this command.

key key-id

no key key-id

Syntax Description

key-id

Identification number of an authentication key on a key chain. The range of keys is from 0 to 2147483647. The key identification numbers need not be consecutive.

Command Default

No key exists on the key chain.

Command Modes

Command Modes Key-chain configuration (config-keychain)

Usage Guidelines

It is useful to have multiple keys on a key chain so that the software can sequence through the keys as they become invalid after time, based on the accept-lifetime and send-lifetime key chain key command settings.

Each key has its own key identifier, which is stored locally. The combination of the key identifier and the interface associated with the message uniquely identifies the authentication algorithm and Message Digest 5 (MD5) authentication key in use. Only one authentication packet is sent, regardless of the number of valid keys. The software starts looking at the lowest key identifier number and uses the first valid key.

If the last key expires, authentication will continue and an error message will be generated. To disable authentication, you must manually delete the last valid key.

To remove all keys, remove the key chain by using the no key chain command.

Examples

The following example shows how to specify a key to identify authentication on a key-chain:

Device(config-keychain)#key 1

key config-key password-encrypt

To set a private configuration key for password encryption, use the key config-key password-encrypt command. To disable this feature, use the no form of this command.

key config-key password-encrypt <config-key>

Syntax Description

config-key

Enter a value with minimum 8 characters.

Note 

The value must not begin with the following special characters:

!, #, and ;

Command Default

None

Command Modes

Global configuration mode

Command History

Release Modification

Cisco IOS XE Gibraltar 17.6.1

This command was introduced.

Examples

The following example shows how to set a username and password for AP management:

Device# enable
Device# configure terminal
Device(config)# key config-key password-encryption 12345678
Device(config-ap-profile)# password encryption aes
Device(config-ap-profile)# end

ldap attribute-map

To configure a dynamic attribute map on an SLDAP server, use the ldap attribute-map command.

ldap attribute-map map-name

Command Default

None

Command Modes

Global configuration (config)

Command History

Release Modification

Cisco IOS XE Gibraltar 16.10.1

This command was introduced.

Examples

This example shows how to configure a dynamic attribute map on an SLDAP server:

Device# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Device(config)# ldap attribute-map map1
Device(config-attr-map)# map type department supplicant-group
Device(config-attr-map)# exit

ldap server

To configure secure LDAP, use the ldap server command.

ldap server name

Syntax Description

name

Server name.

Command Default

None

Command Modes

Global configuration (config)

Command History

Release Modification

Cisco IOS XE Gibraltar 16.10.1

This command was introduced.

Examples

This example shows how to configure secure LDAP:

Device# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Device(config)# ldap server server1
Device(config-ldap-server)# ipv4 9.4.109.20
Device(config-ldap-server)# timeout retransmit 20
Device(config-ldap-server)# bind authenticate root-dn CN=ldapipv6user,CN=Users,DC=ca,DC=ssh2,DC=com password Cisco12345
Device(config-ldap-server)# base-dn CN=Users,DC=ca,DC=ssh2,DC=com
Device(config-ldap-server)# mode secure no- negotiation
Device(config-ldap-server)# end

license air level

To configure AIR licenses on a wireless controller, enter the license air level command in global configuration mode. To revert to the default setting, use the no form of this command.

license air level { air-network-advantage [ addon air-dna-advantage ] | air-network-essentials [ addon air-dna-essentials ] }

no license air level

Syntax Description

air-network-advantage

Configures the AIR Network Advantage license level.

addon air-dna-advantage

(Optional) Configures the add-on AIR DNA Advantage license level.

This add-on option is available with the AIR Network Advantage license.

air-network-essentials

Configures the AIR Network Essentials license level.

addon air-dna-essentials

(Optional) Configures the add-on AIR DNA Essentials license level.

This add-on option is available with the AIR Network Essential license.

Command Default

For all Cisco Catalyst 9800 Wireless controllers the default license is AIR DNA Advantage.

For EWC-APs:

  • Prior to Cisco IOS XE Bengaluru 17.4.1, the default license is AIR DNA Essentials.

  • Starting with Cisco IOS XE Bengaluru 17.4.1, the default license is AIR Network Essentials

Command Modes

Global configuration (config)

Command History

Release Modification

Cisco IOS XE Gibraltar 16.10.1

This command was introduced.

Cisco IOS XE Amsterdam 17.3.2a

This command continues to be available and applicable with the introduction of Smart Licensing Using Policy.

Cisco IOS XE Bengaluru 17.4.1

Only for EWC-APs, the default license was changed from AIR DNA Essentials to AIR Network Essentials.

Usage Guidelines

In the Smart Licensing Using Policy environment, you can use the license air level command to change the license level being used on the product instance, or to additionally configure an add-on license on the product instance. The change is effective after a reload.

The licenses that can be configured are:

  • AIR Network Essential

  • AIR Network Advantage

  • AIR DNA Essential

  • AIR DNA Advantage

You can configure AIR DNA Essential or AIR DNA Advantage license level and on term expiry, you can move to the Network Advantage or Network Essentials license level, if you do not want to renew the DNA license.

Every connecting AP requires a Cisco DNA Center License to leverage the unique value properties of the controller.

Examples

The following example show how to configure the AIR DNA Essential license level:
Device# configure terminal
Device(config)# license air level network-essentials addon air-dna-essentials

The following example shows how the AIR DNA Advantage license level is configured to begin with and then changed to AIR DNA Essentials:

Current configuration as AIR DNA Advantage:

Device# show version
Cisco IOS XE Software, Version 17.03.02
Cisco IOS Software [Amsterdam], C9800-CL Software (C9800-CL-K9_IOSXE), Version 17.3.2, RELEASE SOFTWARE
<output truncated>
AIR License Level: AIR DNA Advantage
Next reload AIR license Level: AIR DNA Advantage

Smart Licensing Status: Registration Not Applicable/Not Applicable
<output truncated>
Configuration of AIR DNA Essentials :
Device# configure terminal
Device(config)# license air level air-network-essentials addon air-dna-essentials
Device# exit
Device# show version
Cisco IOS XE Software, Version 17.03.02
Cisco IOS Software [Amsterdam], C9800-CL Software (C9800-CL-K9_IOSXE), Version 17.3.2, RELEASE SOFTWARE 
<output truncated>
AIR License Level: AIR DNA Advantage
Next reload AIR license Level: AIR DNA Essentials          
Smart Licensing Status: Registration Not Applicable/Not Applicable
<output truncated>

Device# write memory
Device# reload
After reload:
Device# show version
Cisco IOS XE Software, Version 17.03.02
Cisco IOS Software [Amsterdam], C9800-CL Software (C9800-CL-K9_IOSXE), Version 17.3.2, RELEASE SOFTWARE 
<output truncated>
AIR License Level: AIR DNA Essentials
Next reload AIR license Level: AIR DNA Essentials

Smart Licensing Status: Registration Not Applicable/Not Applicable
<output truncated>

license smart (global config)

To configure licensing-related features and functions, enter the license smart command in global configuration mode. Use the no form of the command to revert to default values.

license smart { custom_id ID | enable | privacy { all | hostname | version } | proxy { address address_hostname | port port } | reservation | server-identity-check | transport { automatic | callhome | cslu | off | smart } | url { url | cslu cslu_url | default | smart smart_url | utility secondary_url } | usage { customer-tags { tag1 | tag2 | tag3 | tag4 } tag_value | interval interval_in_days } | utility [ customer_info { city city | country country | postalcode postalcode | state state | street street } ] }

no license smart { custom_id | enable | privacy { all | hostname | version } | proxy { address address_hostname | port port } | reservation | server-identity-check | transport | url { url | cslu cslu_url | default | smart smart_url | utility secondary_url } | usage { customer-tags { tag1 | tag2 | tag3 | tag4 } tag_value | interval interval_in_days } | utility [ customer_info { city city | country country | postalcode postalcode | state state | street street } ] }

Syntax Description

custom_id ID

Although available on the CLI, this option is not supported.

enable

Although visible on the CLI, configuring this keyword has no effect. Smart licensing is always enabled.

privacy { all | hostname | version }

Enables you to leave out certain information from the usage reports that are send to CSSM. Choose from the following options:

  • all : Sends only the minimal licensing information in any communication.

  • hostname : Excludes the hostname from any communication.

  • version : Excludes the product instance agent version from any communication.

proxy { address address_hostname | port port }

Configures a proxy. You can use this option to configure a proxy only if the transport mode is license smart transport smart , or license smart transport cslu .

When a proxy is configured, messages are sent to the proxy along with the final destination URL (CSSM). The proxy sends the message on to CSSM.

Configure the following options:

  • address address_hostname : Configures the proxy address.

    For address_hostname , enter the enter the IP address or hostname of the proxy.

  • portport : Configures the proxy port.

    For port, enter the proxy port number.

reservation

Enables or disables a license reservation feature.

Note 

Although available on the CLI, this option is not applicable because license reservation is not applicable in the Smart Licensing Using Policy environment.

server-identity-check

Enables or disables the HTTP secure server identity check.

transport { automatic | callhome | cslu | off | smart }

Configures the mode of transport the product instance uses to communicate with CSSM. Choose from the following options:

  • automatic : Sets the transport mode cslu .

    Note 

    The automatic keyword is not supported on Cisco Catalyst Wireless Controllers.

  • callhome : Enables Call Home as the transport mode.

  • cslu : Enables CSLU as the transport mode. This is the default transport mode.

  • off : Disables all communication from the product instance.

  • smart : Enables Smart transport.

url { url | cslu cslu_url | default | smart smart_url | utility secondary_url }

Sets URL that is used for the configured transport mode. Choose from the following options:

  • url : If you have configured the transport mode as callhome, configure this option. Enter the CSSM URL exactly as follows:

    https://tools.cisco.com/its/service/oddce/services/DDCEService

    The no license smart url url command reverts to the default URL.

  • cslu cslu_url : If you have configured the transport mode as cslu, configure this option. Enter the CSLU URL as follows:

    http://<cslu_ip_or_host>:8182/cslu/v1/pi

    For <cslu_ip_or_host>, enter the hostname or the IP address of the windows host where you have installed CSLU. 8182 is the port number and it is the only port number that CSLU uses.

    The no license smart url cslu cslu_url command reverts to http://cslu-local:8182/cslu/v1/pi

  • default : Depends on the configured transport mode. Only the smart and cslu transport modes are supported with this option.

    If the transport mode is set to cslu, and you configure license smart url default , the CSLU URL is configured automatically (https://cslu-local:8182/cslu/v1/pi).

    If the transport mode is set to smart, and you configure license smart url default , the Smart URL is configured automatically (https://smartreceiver.cisco.com/licservice/license).

  • smart smart_url : If you have configured the transport type as smart, configure this option. Enter the URL exactly as follows:

    https://smartreceiver.cisco.com/licservice/license

    When you configure this option, the system automatically creates a duplicate of the URL in license smart url url . You can ignore the duplicate entry, no further action is required.

    The no license smart url smartsmart_url command reverts to the default URL.

  • utility smart_url : Although available on the CLI, this option is not supported.

usage { customer-tags { tag1 | tag2 | tag3 | tag4 } tag_value | interval interval_in_days }

Configures usage reporting settings. You can set the following options:

  • customer-tags{ tag1| tag2| tag3| tag4} tag_value : Defines strings for inclusion in data models, for telemetry. Up to 4 strings (or tags) may be defined.

    For tag_value , enter the string value for each tag that you define.

  • interval interval_in_days : Sets the reporting interval in days. By default the RUM report is sent every 30 days. The valid value range is 1 to 3650.

    If you set the value to zero, RUM reports are not sent, regardless of what the applied policy specifies - this applies to topologies where CSLU or CSSM may be on the receiving end.

    If you set a value that is greater than zero and the transport type is set to off, then, between the interval_in_days and the policy value for Ongoing reporting frequency(days):, the lower of the two values is applied. For example, if interval_in_days is set to 100, and the value in the in the policy says Ongoing reporting frequency (days):90, RUM reports are sent every 90 days.

    If you do not set an interval, and the default is effective, the reporting interval is determined entirely by the policy value. For example, if the default value is effective and only unenforced licenses are in use, if the policy states that reporting is not required, then RUM reports are not sent.

utility [ customer_info { city city | country country | postalcode postalcode | state state | street street } ]

Although visible on the CLI, this option is not supported.

Command Default

Cisco IOS XE Amsterdam 17.3.1 or earlier: Smart Licensing is enabled by default.

Cisco IOS XE Amsterdam 17.3.2a and later: Smart Licensing Using Policy is enabled by default.

Command Modes

Global config (config)

Command History

Release Modification

Cisco IOS XE Gibraltar 16.10.1

This command was introduced.

Cisco IOS XE Amsterdam 17.3.2a

The following keywords and variables were introduced with Smart Licensing Using Policy:

  • Under the url keyword, these options were introduced:

    { cslu cslu_url | smart smart_url }

  • Under the transport keyword, these options were introduced:

    { cslu | off }

    Further, the default transport type was changed from callhome , to cslu .

  • usage { customer-tags { tag1 | tag2 | tag3 | tag4 } tag_value | interval interval_in_days }

The following keywords and variables under the license smart command are deprecated and no longer available on the CLI: enable and conversion automatic .

Usage Guidelines

The reporting interval that you configure (license smart usage interval interval_in_days command), determines the date and time at which the product instance sends out the RUM report. If the scheduled interval coincides with a communication failure, the product instance attempts to send out the RUM report for up to four hours after the scheduled time has expired. If it is still unable to send out the report (because the communication failure persists), the system resets the interval to 15 minutes. Once the communication failure is resolved, the system reverts the reporting interval to the value that you last configured.

The system message you may see in case of a communicatin failure is %SMART_LIC-3-COMM_FAILED. For information about resolving this error and restoring the reporting interval value, in the software configuration guide of the required release (17.3.x onwards), see System Configuration > Smart Licensing Using Policy > Troubleshooting Smart Licensing Using Policy.

Examples

Examples

The following examples show how to configure data privacy related information using license smart privacy command in global configuration mode. The accompanying show license status output displays configured information.

No private information is sent:
Device# configure terminal
Device(config)# license smart privacy all  
Device(config)# license smart transport callhome 
Device(config)# license smart url https://tools.cisco.com/its/service/oddce/services/DDCEService
Device(config)# exit
Device# show license status
<output truncated>
Data Privacy:
  Sending Hostname: no
    Callhome hostname privacy: ENABLED
    Smart Licensing hostname privacy: ENABLED
  Version privacy: ENABLED

Transport:
  Type: Callhome
<output truncated>
Agent version on the product instance is not sent:
Device# configure terminal
Device(config)# license smart privacy version 
Device(config)# license smart transport callhome 
Device(config)# license smart url https://tools.cisco.com/its/service/oddce/services/DDCEService
Device(config)# exit
Device# show license status
<output truncated>
Data Privacy:
  Sending Hostname: yes
    Callhome hostname privacy: DISABLED
    Smart Licensing hostname privacy: DISABLED
  Version privacy: ENABLED

Transport:
  Type: Callhome
<output truncated>

Examples

The following examples show how to configure some of the transport types using the license smart transport and the license smart url commands in global configuration mode. The accompanying show license all output displays configured information.

Transport: cslu :
Device# configure terminal
Device(config)# license smart transport cslu 
Device(config)# license smart url default
Device(config)# exit
Device# show license all
<output truncated>
Transport:
  Type: cslu
  Cslu address: http://192.168.0.1:8182/cslu/v1/pi
  Proxy:
    Not Configured
<output truncated>
Transport: smart :
Device# configure terminal
Device(config)# license smart transport smart 
Device(config)# license smart url smart https://smartreceiver.cisco.com/licservice/license
Device(config)# exit
Device# show license all
<output truncated>
Transport:
  Type: Smart
  URL: https://smartreceiver-stage.cisco.com/licservice/license
  Proxy:
    Not Configured
<output truncated>

Examples

The following examples show how to configure some of the usage reporting settings using the license smart usage command in global configuration mode. The accompanying show running-config output displays configured information.

Configuring the customer-tag option:
Device# configure terminal
Device(config)# license smart usage customer-tags tag1 SA/VA:01 
Device(config)# exit
Device# show running-config | include tag1
license smart usage customer-tags tag1 SA/VA:01
Configuring a narrower reporting interval than the currently applied policy:
Device# show license status
<output truncated>
Usage Reporting:
Last ACK received: Sep 22 13:49:38 2020 PST
Next ACK deadline: Dec 21 12:02:21 2020 PST
Reporting push interval: 30 days
Next ACK push check: Sep 22 12:20:34 2020 PST
Next report push: Oct 22 12:05:43 2020 PST
Last report push: Sep 22 12:05:43 2020 PST
Last report file write: <none>
<output truncated>

Device# configure terminal
Device(config)# license smart usage interval 20 
Device(config)# exit
Device# show license status
<output truncated>

Usage Reporting:
Last ACK received: Sep 22 13:49:38 2020 PST
Next ACK deadline: Nov 22 12:02:21 2020 PST
Reporting push interval: 20 days
Next ACK push check: Sep 22 12:20:34 2020 PST
Next report push: Oct 12 12:05:43 2020 PST
Last report push: Sep 22 12:05:43 2020 PST
Last report file write: <none>
<output truncated>

license smart (privileged EXEC)

To configure licensing functions such as requesting or returning authorization codes, saving Resource Utilization Measurement reports (RUM reports), importing files on to a product instance, establishing trust with Cisco Smart Software Manager (CSSM), synchronizing the product instance with CSSM or Cisco Smart License Utility (CSLU), and removing licensing information from the product instance, enter the license smart command in privileged EXEC mode with the corresponding keyword or argument.

license smart { authorization { request { add | replace } feature_name { all | local } | return { all | local } { offline [ path ] | online } } | clear eventlog | export return { all | local } feature_name | factory reset | import file_path | save { trust-request filepath_filename | usage { all | days days | rum-id rum-ID | unreported } { file file_path } } | sync { all | local } | trust idtoken id_token_value { local | all } [ force ] }

Syntax Description

smart

Provides options for Smart Licensing.

authorization

Provides the option to request for, or return, authorization codes.

Authorization codes are required only if you use licenses with enforcement type: export-controlled or enfored.

request

Requests an authorization code from CSSM or CSLU (CSLU in-turn fetches it from CSSM) and installs it on the product instance.

add

Adds the requested license to the existing authorization code. The new authorization code will contain all the licenses of the existing authorization code and the requested license.

replace

Replaces the existing authorization code. The new authorization code will contain only the requested license. All licenses in the current authorization code are returned.

When you enter this option, the product instance verifies if licenses that correspond to the authorization codes that will be removed, are in-use. If licenses are being used, an error message tells you to first disable the corresponding features.

feature_name

Name of the license for which you are requesting an authorization code.

all

Performs the action for all product instances in a High Availability configuration.

local

Performs the action for the active product instance. This is the default option.

return

Returns an authorization code back to the license pool in CSSM.

offline file_path

Means the product instance is not connected to CSSM. The authorization code is returned offline. This option requires you to print the return code to a file.

Optionally, you can also specify a path to save the file. The file format can be any readable format, such as .txt

If you choose the offline option, you must complete the additional step of copying the return code from the CLI or the saved file and entering it in CSSM.

online

Means that the product instance is in a connected mode. The authorization code is returned to CSLU or CSSM directly.

clear eventlog

Clears all event log files from the product instance.

export return

Returns the authorization key for an export-controlled license.

factory reset

Clears all saved licensing information from the product instance.

import filepath_filename

Imports a file on to the product instance. The file may be that of an authorization code, a trust code, or, or a policy.

For filepath_filename , specify the location, including the filename.

save

Provides options to save RUM reports or trust code requests.

trust-request filepath_filename

Saves the trust code request for the active product instance in the specified location.

For filepath_filename , specify the absolute path to the file, including the filename.

usage { all | days days | rum-id rum-ID | unreported } { file file_path }

Saves RUM reports (license usage information) in the specified location. You must specify one of these options:

  • all : Saves all RUM reports.

  • days days : Saves RUM report for the last n number of days (excluding the current day). Enter a number. The valid range is 0 to 4294967295.

    For example, if you enter 3, RUM reports of the last three days are saved.

  • rum-Id rum-ID : Saves a specified RUM ID. The valid value range is 0 to 18446744073709551615.

  • unreported : Saves all unreported RUM reports.

file filepath_filename : Saves the specified usage information to a file. Specify the absolute path to the file, including the filename.

sync { all | local }

Synchronizes with CSLU or CSSM, to send and receive any pending data. This includes uploading pending RUM reports, downloading the ACK response, any pending authorization codes, trust codes, and policies for the product instance.

Specify the product instance by entering one of these options:

  • all : Performs synchronization for all the product instances in a High Availability set-up. If you choose this option, the product instance also sends the list of all the UDIs in the synchronization request.

  • local : Performs synchronization only for the active product instance sending the request, that is, its own UDI. This is the default option.

trust idtoken id_token_value

Establishes a trusted connection with CSSM.

To use this option, you must first generate a token in the CSSM portal. Provide the generated token value for id_token_value .

force

Submits a trust code request even if a trust code already exists on the product instance.

A trust code is node-locked to the UDI of a product instance. If the UDI is already registered, CSSM does not allow a new registration for the same UDI. Entering the force keyword overrides this behavior.

Command Default

Cisco IOS XE Amsterdam 17.3.1 or earlier: Smart Licensing is enabled by default.

Cisco IOS XE Amsterdam 17.3.2a and later: Smart Licensing Using Policy is enabled by default.

Command Modes

Privileged EXEC

Command History

Release Modification

Cisco IOS XE Gibraltar 16.10.1

This command was introduced.

Cisco IOS XE Amsterdam 17.3.2a

The following keywords and variables were introduced with Smart Licensing Using Policy:

  • authorization { request { add | replace } feature_name { all | local } | return { all | local } { offline [ path ] | online } }

  • import file_path

  • save { trust-request filepath_filename | usage { all | days days | rum-id rum-ID | unreported } { file file_path } }

  • sync { all | local }

  • trust idtoken id_token_value { local | all } [ force ]

The following keywords and variables under the license smart command are deprecated and no longer available on the CLI:

  • register idtoken token_id [ force ]

  • renew id { ID | auth }

  • debug { error | debug | trace | all }

  • reservation { cancel [ all | local ] | install [ file ] key | request { all | local | universal } | return [ all | authorization { auth_code | file filename } | Local ] key }

  • mfg reservation { request | install | install file | cancel }

  • conversion { start | stop }

Usage Guidelines

Smart Licensing Using Policy is enabled by default.

Use case for the force option when configuring the license smart trust idtoken command: You use same token for all the product instances that are part of one Virtual Account. If the product instance has moved from one account to another (for instance, because it was added to a High Availability set-up, which is part of another Virtual Account), then there may be an existing trust code you have to overwrite.

Entering the licence smart factory reset command removes all licensing information (except the licenses in-use) from the product instance, including any authorization codes, RUM reports etc. Therefore, we recommend the use of this command only if the product instance is being returned (Return Material Authrization, or RMA), or being decommissioned permanently. We also recommend that you send a RUM report to CSSM, before you remove licensing information from the product instance - this is to ensure that CSSM has up-to-date usage information.

Options relating to authorization codes and license reservations:

  • Since there are no export-controlled or enforced licenses on any of the Cisco Catalyst Wireless Controllers, and the notion of reserved licenses is not applicable in the Smart Licensing Using Policy environment, the following commands are not applicable:

    • license smart authorization request { add | replace } feature_name { all | local }

    • license smart export return

  • The following option is applicable and required for any SLR authorization codes you may want to return:

    license smart authorization return { all | local } { offline [ path ] | online }

Examples

Examples

The following example shows how you can save license usage information on the product instance. You can use this option to fulfil reporting requirements in an air-gapped network. In the example, the file is first save to flash memory and then copied to a TFTP location:
 Device> enable
Device# license smart save usage unreported file flash:RUM-unrep.txt
Device# dir
Directory of bootflash:/

33      -rw-             5994   Nov 2 2020 03:58:04 +05:00  RUM-unrep.txt

Device# copy flash:RUM-unrep.txt tftp://192.168.0.1//auto/tftp-user/user01/
Address or name of remote host [192.168.0.1]?
Destination filename [//auto/tftp-user/user01/RUM-unrep.txt]?
!!
15128 bytes copied in 0.161 secs (93963 bytes/sec)

After you save RUM reports to a file, you must upload it to CSSM (from a workstation that has connectivity to the internet, and Cisco).

Examples

The following example shows how to install a trust code even if one is already installed on the product instance. This requires connectivity to CSSM. The accompanying show license status output shows sample output after successful installation:

Before you can install a trust code, you must generate a token and download the corresponding file from CSSM.

Use the show license status command (Trust Code Installed:) to verify results.
Device> enable
Device# license smart trust idtoken 
NGMwMjk5mYtNZaxMS00NzMZmtgWm local force

Device# show license status
<output truncated>
Trust Code Installed:
  Active: PID:C9800-CL-K9,SN:93BBAH93MGS
    INSTALLED on Nov 02 05:19:05 2020 IST
  Standby: PID:C9800-CL-K9,SN:9XECPSUU4XN
    INSTALLED on Nov 02 05:19:05 2020 IST
<output truncated>

Examples

The following example shows how to remove and return an SLR authorization code. Here the code is returned offline (no connectivity to CSSM). The accompanying show license all output shows sample output after successful return:
Device> enable
Device# show license all
<output truncated>
License Authorizations
======================
Overall status:
  Active: PID:C9800-CL-K9,SN:93BBAH93MGS
      Status: SPECIFIC INSTALLED on Nov 02 03:16:01 2020 IST
      Last Confirmation code: 102fc949
  Standby: PID:C9800-CL-K9,SN:9XECPSUU4XN
      Status: SPECIFIC INSTALLED on Nov 02 03:15:45 2020 IST
      Last Confirmation code: ad4382fe
<output truncated>

Device# license smart authorization return local offlline
Enter this return code in Cisco Smart Software Manager portal:
UDI: PID:C9800-CL-K9,SN:93BBAH93MGS
    Return code: CqaUPW-WSPYiq-ZNU2ci-SnWydS-hBCXHP-MuyPqy-PJ1GiG-tPTGQj-S2h
UDI: PID:C9800-CL-K9,SN:9XECPSUU4XN
    Return code: CNLwxR-eWiAEJ-XaTEQg-j4rrYW-dSRz9j-37VpcP-imjuLD-mNeA4k-TXA 

Device# show license all
<output truncated>
License Authorizations
======================
Overall status:
  Active: PID:C9800-CL-K9,SN:93BBAH93MGS
      Status: NOT INSTALLED
      Last return code: CqaUPW-WSPYiq-ZNU2ci-SnWydS-hBCXHP-MuyPqy-PJ1GiG-tPTGQj-S2h
  Standby: PID:C9800-CL-K9,SN:9XECPSUU4XN
      Status: NOT INSTALLED
      Last return code: CNLwxR-eWiAEJ-XaTEQg-j4rrYW-dSRz9j-37VpcP-imjuLD-mNeA4k-TXA
<output truncated>

If you choose the offline option, you must complete the additional step of copying the return code from the CLI or the saved file and entering it in CSSM.

license wireless high-performance

To upgrade the scale and capacity of a Cisco Catalyst C9800-L-K9 Wireless Controller, use the license wireless high-performance command. To unconfigure the high-performance license, use the no form of this command.

license wireless high-performance

no license wireless high-performance

Syntax Description

This command has no keywords or arguments

Command Default

High-performance license is not configured

Command Modes

Global(config)

Command History

Release Modification
Cisco IOS XE Amsterdam 17.1.1s

This command was introduced.

Cisco IOS XE Amsterdam 17.3.2

This command continues to be available and applicable with the introduction of Smart Licensing Using Policy in this release.

Usage Guidelines

This command is synchronized with the standby controller. However, the standby controller should also have a performance license to get the upgraded capacity.

The license can be released back to the license pool by unconfiguring the high-performance license. This releases the license to the license pool so that another controller can make use of it, if needed.

In the case of RMA, the customer should call Cisco Technical Assistance Center (TAC) to remove the product instances from the customer's virtual account so that all the licenses used by the controller are returned to the license pool and can be used on the new hardware.

Examples

To upgrade the scale and capacity of a controller, use the following command:

Device# configure terminal
Device(config#) license wireless high-performance 

local-auth ap eap-fast

To configure Flex policy local authentication using EAP Fast method, use the local-auth ap eap-fast command.

local-auth ap eap-fast profile-name

Syntax Description

profile-name

Enter eap-fast profile name.

Command Default

None

Command Modes

config-wireless-flex-profile

Command History

Release Modification

Cisco IOS XE Gibraltar 16.10.1

This command was introduced in a release earlier than Cisco IOS XE Gibraltar 16.10.1.

Examples

The following example shows how to configure EAP Fast method authentication on a Flex policy:

Device# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Device(config)# wireless profile flex profile-name
Device(config-wireless-flex-profile)# local-auth ap eap-fast eap-fast-profile-name

local-site

To configure the site as local site, use the local-site command.

local-site

Syntax Description

local-site

Configure this site as local site.

Command Default

None

Command Modes

config-site-tag

Command History

Release Modification

Cisco IOS XE Gibraltar 16.10.1

This command was introduced in a release earlier than Cisco IOS XE Gibraltar 16.10.1.

Examples

The following example shows how to set the current site as local site:

Device# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Device(config)# wireless tag site tag-name
Device(config-site-tag)# local-site

location expiry

To configure the location expiry duration, use the location expiry command in global configuration mode.

location expiry { calibrating-client | client | tags } timeout-duration

Syntax Description

calibrating-client

Timeout value for calibrating clients.

client

Timeout value for clients.

tags

Timeout value for RFID tags.

timeout-duration

Timeout duration, in seconds.

Command Default

Timeout value is not configured.

Command Modes

Global configuration (config)

Command History

Release Modification
Cisco IOS XE Gibraltar 16.10.1

This command was introduced.

Examples

This example shows how to configure the location expiry duration:

Device(config)# location expiry tags 50 

location notify-threshold

To configure the NMSP notification threshold for RSSI measurements, use the location notify-threshold command in global configuration mode. To remove the NMSP notification threshold for RSSI measurements, use the no form of this command.

location notify-threshold {client | rogue-aps | tags } db

no location notify-threshold {client | rogue-aps | tags }

Syntax Description

client

Specifies the NMSP notification threshold (in dB) for clients and rogue clients.

The valid range for the threshold parameter is 0 to 10 dB, and the default value is 0 dB.

rogue-aps

Specifies the NMSP notification threshold (in dB) for rogue access points.

The valid range for the threshold parameter is 0 to 10 dB, and the default value is 0 dB.

tags

Specifies the NMSP notification threshold (in dB) for RFID tags.

The valid range for the threshold parameter is 0 to 10 dB, and the default value is 0 dB.

db

The valid range for the threshold parameter is 0 to 10 dB, and the default value is 0 dB.

Command Default

No default behavior or values.

Command Modes

Global configuration

Command History

Release Modification

Cisco IOS XE Gibraltar 16.10.1

This command was introduced.

Examples

This example shows how to configure the NMSP notification threshold to 10 dB for clients. A notification NMSP message is sent to MSE as soon as the client RSSI changes by 10 dB:


Device# configure terminal
Device(config)# location notify-threshold client 10
Device(config)# end
                                                   
                                                   

lsc-only-auth (mesh)

To configure mesh security to Locally Significant Certificate (LSC) only MAP authentication, use the lsc-only-auth command.

lsc-only-auth

Syntax Description

This command has no keywords or arguments.

Command Default

LSC only authentication is enabled.

Command Modes

config-wireless-mesh-profile

Command History

Release Modification
Cisco IOS XE Gibraltar 16.10.1

This command was introduced.

Examples

The following example shows how to configure mesh security to LSC only MAP authentication:

Device # configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Device (config)# wireless profile mesh mesh-profile
Device (config-wireless-mesh-profile)# lsc-only-auth

management gateway-failover enable

To enable gateway monitoring, use the management gateway-failover enable command. To disable gateway monitoring, use the no form of this command.

management gateway-failover enable

no management gateway-failover enable

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command Modes

Global configuration

Command History

Release Modification

Cisco IOS XE Amsterdam 17.1.1s

This command was introduced.

Examples

This example shows how to enable gateway monitoring:


Device# configure terminal
Device(config)# management gateway-failover enable
Device(config)# end

mab request format attribute

To configure the delimiter while configuring MAC filtering on a WLAN, use the mab request format attribute command.

mab request format attribute username password nas-identifier ]

Syntax Description

username

Username format used for MAB requests

password

Global Password used for all MAB requests

Nas-identifier

NAS-Identifier attribute

Command Default

Global Configuration

Command Modes

MAC is sent without any delimiter.

Command History

Release Modification

Cisco IOS XE Gibraltar 16.10.1

This command was introduced in a release earlier than Cisco IOS XE Gibraltar 16.10.1.

Usage Guidelines

MAC is sent without any delimiter.

Examples

The following example shows how to configure delimiter while configuring MAC filtering:

Device# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Device(config)# mab request format attribute 1 groupsize 4

mac-filtering

To enable MAC filtering on a WLAN, use the mac-filtering command.

mac-filtering [ mac-authorization-list ]

Syntax Description

mac-authorization-list

Name of the Authorization list.

Command Default

None

Command Modes

config-wlan

Command History

Release Modification

Cisco IOS XE Gibraltar 16.10.1

This command was introduced in a release earlier than Cisco IOS XE Gibraltar 16.10.1.

Examples

The following example shows how to enable MAC filtering on a WLAN:

Device# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Device(config)# wlan wlan-name wlan-index SSID-name
Device(config-wlan)# mac-filtering

match (access-map configuration)

To set the VLAN map to match packets against one or more access lists, use the match command in access-map configuration mode on the switch stack or on a standalone switch. To remove the match parameters, use the no form of this command.

match {ip address {name | number} [name | number] [name | number]... | ipv6 address {name | number} [name | number] [name | number]... | mac address {name} [name] [name]... }

no match {ip address {name | number} [name | number] [name | number]... | ipv6 address {name | number} [name | number] [name | number]... | mac address {name} [name] [name]... }

Syntax Description

ip address

Sets the access map to match packets against an IP address access list.

ipv6 address

Sets the access map to match packets against an IPv6 address access list.

mac address

Sets the access map to match packets against a MAC address access list.

name

Name of the access list to match packets against.

number

Number of the access list to match packets against. This option is not valid for MAC access lists.

Command Default

The default action is to have no match parameters applied to a VLAN map.

Command Modes

Access-map configuration

Command History

Release

Modification

Cisco IOS XE Gibraltar 16.10.1

This command was introduced.

Usage Guidelines

You enter access-map configuration mode by using the vlan access-map global configuration command.

You must enter one access list name or number; others are optional. You can match packets against one or more access lists. Matching any of the lists counts as a match of the entry.

In access-map configuration mode, use the match command to define the match conditions for a VLAN map applied to a VLAN. Use the action command to set the action that occurs when the packet matches the conditions.

Packets are matched only against access lists of the same protocol type; IP packets are matched against IP access lists, IPv6 packets are matched against IPv6 access lists, and all other packets are matched against MAC access lists.

IP, IPv6, and MAC addresses can be specified for the same map entry.

Examples

This example shows how to define and apply a VLAN access map vmap4 to VLANs 5 and 6 that will cause the interface to drop an IP packet if the packet matches the conditions defined in access list al2:

Device(config)# vlan access-map vmap4
Device(config-access-map)# match ip address al2
Device(config-access-map)# action drop
Device(config-access-map)# exit
Device(config)# vlan filter vmap4 vlan-list 5-6

You can verify your settings by entering the show vlan access-map privileged EXEC command.

match activated-service-template

To create a condition that evaluates true based on the service template activated on a session, use the match activated-service-template command in control class-map filter configuration mode. To create a condition that evaluates true if the service template activated on a session does not match the specified template, use the no-match activated-service-template command in control class-map filter configuration mode. To remove the condition, use the no form of this command.

match activated-service-template template-name

no-match activated-service-template template-name

no {match | no-match} activated-service-template template-name

Syntax Description

template-name

Name of a configured service template as defined by the service-template command.

Command Default

The control class does not contain a condition based on the service template.

Command Modes

Control class-map filter configuration (config-filter-control-classmap)

Command History

Release

Modification

Cisco IOS XE Release 3.2SE

This command was introduced.

Usage Guidelines

The match activated-service-template command configures a match condition in a control class based on the service template applied to a session. A control class can contain multiple conditions, each of which will evaluate as either true or false. The control class defines whether all, any, or none of the conditions must evaluate true for the actions of the control policy to be executed.

The no-match form of this command specifies a value that results in an unsuccessful match. All other values of the specified match criterion result in a successful match. For example, if you configure the no-match activated-service-template SVC_1 command, all template values except SVC_1 are accepted as a successful match.

The class command associates a control class with a control policy.

Examples

The following example shows how to configure a control class that evaluates true if the service template named VLAN_1 is activated on the session:

class-map type control subscriber match-all CLASS_1
 match activated-service-template VLAN_1

match any

To perform a match on any protocol that passes through the device, use the match any command.