Configuration Commands: g to z

idle-timeout

To configure the idle-timeout value in seconds for a wireless profile policy, use the idle-timeout command.

idle-timeout value

Syntax Description

value

Sets the idle-timeout value. Valid range is 15 to 100000 seconds.

Command Default

None

Command Modes

config-wireless-policy

Command History

Release Modification

Cisco IOS XE Gibraltar 16.10.1

This command was introduced in a release earlier than Cisco IOS XE Gibraltar 16.10.1.

Examples

The following example shows how to set the idle-timeout in a wireless profile policy:

Device# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Device(config)# wireless profile policy policy-profile-name
Device(config-wireless-policy)# idle-timeout 100

image-download-mode

To configure image download using the HTTP, SFTP, TFTP, or CCO modes, use the image-download-mode command.

image-download-mode {http | sftp | tftp | cco}

Syntax Description

http

Configures image download using the HTTP mode.

sftp

Configures image download using the SFTP mode.

tftp

Configures image download using the TFTP mode.

cco

Configures image download using the CCO mode.

Command Default

None

Command Modes

Wireless image download profile configuration mode

Command History

Release Modification

Cisco IOS XE Gibraltar 16.12.2s

This command was introduced.

Cisco IOS XE Amsterdam 17.1.1s

The image-download-mode cco was introduced.

Examples

Device(config)# wireless profile image-download default
Device(config-wireless-image-download-profile)# image-download-mode http

inactive-timeout

To enable the inactive timer, use the inactive-timeout command.

inactive-timeout timeout-in-seconds

Syntax Description

timeout-in-seconds

Specifies the inactive flow timeout value. The range is from 1 to 604800.

Command Default

None

Command Modes

ET-Analytics configuration

Command History

Release Modification

Cisco IOS XE Gibraltar 16.12.1

This command was introduced.

Examples

This example shows how to enable the inactive timer in the ET-Analytics configuration mode:

Device# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Device(config)# et-analytics
Device(config-et-analytics)# inactive-timeout 15
Device(config-et-analytics)# end

install add file tftp

To install a package file to the system, use the install add file tftp command.

install add file tftp: tftp file path

Syntax Description

install add file tftp:

The install add command copies the file from the external server to the backup_image directory on the embedded wireless controller.

Command Default

None

Command Modes

Privileged EXEC mode

Command History

Release Modification
Cisco IOS XE Amsterdam 17.1.1s

This command was introduced.

Examples

This example shows how to install a package file to the system:

Device#install add file tftp://<server-ip>/<path>/<smu-filename> 

install add profile default

To download the embedded wireless controller image from the external server, use the install add profile default command.

install add profile profile_name activate commit prompt-level none

Syntax Description

add

Installs a package file to the system.

profile

Selects a profile.

profile_name

Adds a profile name with a maximum of 15 characters. Specify default to trigger the default behaviour.

activate

Activates the installed profile.

commit

Commits the changes to the loadpath.

prompt-level

Sets the prompt-level to none.

Command Default

None

Command Modes

Privileged EXEC (#)

Command History

Release Modification
Cisco IOS XE Gibraltar 16.12.2s

This command was introduced.

Usage Guidelines

Ensure that you have the image-download-profile configured on embedded wireless controller. Extract the contents of the image bundle (.zip archive) to an external TFTP or HTTP(S) server. The .zip archive contains the controller image and various compatible AP images (apXgY).

Examples

The following example shows how to download the embedded wireless controller image:

Device#install add profile default

install_add: START Thu Jan 24 20:08:01 UTC 2019 
Jan 24 20:08:03.389: %INSTALL-5-INSTALL_START_INFO: R0/0: install_engine: Started install add
Jan 24 20:08:03.389 %INSTALL-5-INSTALL_START_INFO: R0/0: install_engine: Started install add 
install_add: Default profile addition successful 
SUCCESS: install_add Thu Jan 24 20:08:03 UTC 2019 
Jan 24 20:08:04.358: %INSTALL-5-INSTALL_COMPLETED_INFO: R0/0: install_engine: Completed install add
Jan 24 20:08:04.358 %INSTALL-5-INSTALL_COMPLETED_INFO: R0/0: install_engine: Completed install add 
WLC# 
*Jan 24 20:08:03.350: %INSTALL-5-INSTALL_START_INFO: Chassis 1 R0/0: install_engine: Started install add
*Jan 24 20:08:04.335: %INSTALL-5-INSTALL_COMPLETED_INFO: Chassis 1 R0/0: install_engine: Completed install add

Note

The log Completed install add means that the command is successful and the download will start soon.


Examples

The following example verifies the image download status:

Device#sh wireless ewc-ap predownload status

install activate

To activate an installed package, use the install activate command.

install activate {auto-abort-timer | file | profile | prompt-level}

Syntax Description

auto-abort-timer

Sets the cancel timer. The time range is between 30 and 1200 minutes.

file

Specifies the package to be activated.

profile

Specifies the profile to be activated.

prompt-level

Sets the prompt level.

Command Default

None

Command Modes

Privileged EXEC (#)

Command History

Release Modification
Cisco IOS XE Gibraltar 16.12.2s

This command was introduced.

Examples

The following example shows how to activate the installed package:

Device# install activate profile default
install_activate: START Thu Nov 24 20:14:53 UTC 2019

System configuration has been modified.
Press Yes(y) to save the configuration and proceed.
Press No(n) for proceeding without saving the configuration.
Press Quit(q) to exit, you may save configuration and re-enter the command. [y/n/q] y
Building configuration... 
[OK]Modified configuration has been saved 
Jan 24 20:15:02.745: %INSTALL-5-INSTALL_START_INFO: R0/0: install_engine: Started install activate
Jan 24 20:15:02.745 %INSTALL-5-INSTALL_START_INFO: R0/0: install_engine: Started install activate 
install_activate: Activating PACKAGE
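The Note under install add profile default treats the Completed install add message as the success signal, while the install activate output above ends after Started install activate. The following added example (not part of the Cisco documentation) pairs the START and COMPLETED install_engine messages per operation so that an operation that never completed stands out in collected logs. The sample lines are copied from the example output on this page; the year 2000 is an assumed placeholder because the timestamps carry no year.

```python
import re
from datetime import datetime

# install_engine syslog message as shown in the example output on this page.
# Tolerates the optional leading "*", the optional ":" after the timestamp,
# and the optional "Chassis N" prefix before R0/0.
EVENT = re.compile(
    r"\*?(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\.\d+):?\s+"
    r"%INSTALL-5-INSTALL_(?P<phase>START|COMPLETED)_INFO:.*?install_engine:\s+"
    r"(?:Started|Completed) install (?P<op>\S.*?)\s*$"
)

# Sample lines copied from the install add / install activate examples above.
SAMPLE_LOG = [
    "Jan 24 20:08:03.389: %INSTALL-5-INSTALL_START_INFO: R0/0: install_engine: Started install add",
    "Jan 24 20:08:03.389 %INSTALL-5-INSTALL_START_INFO: R0/0: install_engine: Started install add ",
    "Jan 24 20:08:04.358: %INSTALL-5-INSTALL_COMPLETED_INFO: R0/0: install_engine: Completed install add",
    "*Jan 24 20:08:03.350: %INSTALL-5-INSTALL_START_INFO: Chassis 1 R0/0: install_engine: Started install add",
    "*Jan 24 20:08:04.335: %INSTALL-5-INSTALL_COMPLETED_INFO: Chassis 1 R0/0: install_engine: Completed install add",
    "Jan 24 20:15:02.745: %INSTALL-5-INSTALL_START_INFO: R0/0: install_engine: Started install activate",
    "install_activate: Activating PACKAGE",
]


def install_state(lines):
    """Map each install operation to 'completed' or 'started'.

    The console repeats each event with slightly different timestamps, so the
    decision uses the latest START and latest COMPLETED time per operation
    rather than line order.
    """
    latest = {}  # operation -> {"START": datetime, "COMPLETED": datetime}
    for line in lines:
        m = EVENT.search(line)
        if not m:
            continue
        # Assumed year: syslog timestamps on the page do not include one.
        ts = datetime.strptime("2000 " + m["ts"], "%Y %b %d %H:%M:%S.%f")
        seen = latest.setdefault(m["op"], {})
        if m["phase"] not in seen or ts > seen[m["phase"]]:
            seen[m["phase"]] = ts

    state = {}
    for op, seen in latest.items():
        started, done = seen.get("START"), seen.get("COMPLETED")
        if done is not None and (started is None or done >= started):
            state[op] = "completed"
        else:
            state[op] = "started"  # no completion logged after the last start
    return state


if __name__ == "__main__":
    for op, status in install_state(SAMPLE_LOG).items():
        print(f"install {op}: {status}")
```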

install activate auto-abort-timer

To set the abort timer, use the install activate auto-abort-timer command.

install activate auto-abort-timer <30-1200> prompt-level none

Syntax Description

auto-abort-timer

Sets the cancel timer. The time range is between 30 and 1200 minutes.

<30-1200>

Specifies the cancel timer time in minutes.

prompt-level

Specifies the prompt level.

none

Specifies no prompting.

Command Default

None

Command Modes

Privileged EXEC (#)

Task ID

Task ID Operation
Cisco IOS XE Gibraltar 16.12.2s

This command was introduced.

Examples

The following example shows how to activate the cancel timer:

Device#install activate auto-abort-timer 30 prompt-level none 

install activate file

To activate an installed package, use the install activate file command.

install activate file file-name

Syntax Description

file-name

Specifies the package name. Options are: bootflash:, flash:, and webui:.

Command Default

None

Command Modes

Privileged EXEC (#)

Command History

Release Modification
Cisco IOS XE Gibraltar 16.11.1

This command was introduced.

Examples

The following example shows how to use an auto cancel timer while activating an install package on a standby location:

Device# install activate file vwlc_apsp_16.11.1.0_74.bin 

install auto-abort-timer stop

To stop the auto abort timer, use the install auto-abort-timer stop command.

install auto-abort-timer stop

Syntax Description

auto-abort-timer stop

Stops the auto-abort-timer.

Command Default

None

Command Modes

Privileged EXEC (#)

Command History

Release Modification
Cisco IOS XE Amsterdam 17.1.1s

This command was introduced.

Examples

This example shows how to stop the auto abort timer:

Device#install auto-abort-timer stop

install commit

To commit the changes to the loadpath, use the install commit command.

install commit

Syntax Description

This command has no keywords or arguments.

Command Default

None

Command Modes

Privileged EXEC (#)

Command History

Release Modification
Cisco IOS XE Gibraltar 16.12.2s

This command was introduced.

Examples

The following example shows how to commit the changes to the loadpath:

Device# install commit  

install remove file backup_image

To remove installed packages, use the install remove file backup_image command.

install remove file backup_image filename

Syntax Description

filename

Specifies the file that needs to be removed.

Command Default

None

Command Modes

Privileged EXEC (#)

Command History

Release Modification
Cisco IOS XE Amsterdam 17.1.1s

This command was introduced.

Examples

This example shows how a file is removed from the package:

Device#install remove file backup_image: file_name

install remove profile default

To specify an install package that is to be removed, use the install remove profile default command.

install remove profile default

Syntax Description

remove

Removes the install package.

profile

Specifies the profile to be removed.

Command Default

None

Command Modes

Privileged EXEC (#)

Command History

Release Modification
Cisco IOS XE Gibraltar 16.11.1

This command was introduced.

Examples

The following example shows how to remove a default profile:

Device# install remove profile default

install deactivate

To specify an install package that is to be deactivated, use the install deactivate file command.

install deactivate file file-name

Syntax Description

file-name

Specifies the package name. Options are: bootflash:, flash:, and webui:.

Command Default

None

Command Modes

Privileged EXEC (#)

Command History

Release Modification
Cisco IOS XE Gibraltar 16.11.1

This command was introduced.

Examples

The following example shows how to deactivate an install package:

Device# install deactivate file vwlc_apsp_16.11.1.0_74.bin

install rollback

To roll back to a particular installation point, use the install rollback command.

install rollback to { base | committed | id id | label label} [ prompt-level none]

Syntax Description

base

Rolls back to the base image.

prompt-level none

Sets the prompt level as none.

committed

Rolls back to the last committed installation point.

id

Rolls back to a specific install point ID.

label

Rolls back to a specific install point label.

Command Default

None

Command Modes

Privileged EXEC (#)

Command History

Release Modification
Cisco IOS XE Gibraltar 16.11.1

This command was introduced.

Examples

The following example shows how to specify the ID of the install point to roll back to:

Device# install rollback to id 1 

interface vlan

To create or access a dynamic switch virtual interface (SVI) and to enter interface configuration mode, use the interface vlan command in global configuration mode. To delete an SVI, use the no form of this command.

interface vlan vlan-id

no interface vlan vlan-id

Syntax Description

vlan-id

VLAN number. The range is 1 to 4094.

Command Default

The default VLAN interface is VLAN 1.

Command Modes

Global configuration

Command History

Release Modification

Cisco IOS XE Gibraltar 16.12.1

This command was introduced.

Usage Guidelines

SVIs are created the first time you enter the interface vlan vlan-id command for a particular VLAN. The vlan-id corresponds to the VLAN-tag associated with data frames on an IEEE 802.1Q encapsulated trunk or the VLAN ID configured for an access port.


Note

When you create an SVI, it does not become active until it is associated with a physical port.


If you delete an SVI using the no interface vlan vlan-id command, it is no longer visible in the output from the show interfaces privileged EXEC command.


Note

You cannot delete the VLAN 1 interface.


You can reinstate a deleted SVI by entering the interface vlan vlan-id command for the deleted interface. The interface comes back up, but the previous configuration is gone.

The interrelationship between the number of SVIs configured on a device and the number of other features being configured might have an impact on CPU utilization due to hardware limitations. You can use the sdm prefer global configuration command to reallocate system hardware resources based on templates and feature tables.

You can verify your setting by entering the show interfaces and show interfaces vlan vlan-id privileged EXEC commands.

Examples

This example shows how to create a new SVI with VLAN ID 23 and enter interface configuration mode:

Device(config)# interface vlan 23
Device(config-if)#

ip access-group

To configure a WLAN access control list (ACL) group, use the ip access-group command. To remove a WLAN ACL group, use the no form of the command.

ip access-group [web] acl-name

no ip access-group [web]

Syntax Description

web

(Optional) Configures the IPv4 web ACL.

acl-name

Specify the preauth ACL used for the WLAN with the security type value as webauth.

Command Default

None

Command Modes

WLAN configuration

Usage Guidelines

You must disable the WLAN before using this command. See Related Commands section for more information on how to disable a WLAN.

Command History

Release Modification

Cisco IOS XE Gibraltar 16.12.1

This command was introduced.

Examples

This example shows how to configure a WLAN ACL:

Device#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Device(config)#wlan wlan1
Device(config-wlan)#ip access-group test-acl

This example shows how to configure an IPv4 WLAN web ACL:

Device# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Device(config)# wlan wlan1
Device(config-wlan)# ip access-group web test
Device(config-wlan)# 

ip access-list extended

To configure an extended access list, use the ip access-list extended command.

ip access-list extended {<100-199> | <2000-2699> | access-list-name}

Syntax Description

<100-199>

Extended IP access-list number.

<2000-2699>

Extended IP access-list number (expanded range).

Command Default

None

Command Modes

Global configuration (config)

Command History

Release Modification

Cisco IOS XE Gibraltar 16.10.1

This command was introduced in a release earlier than Cisco IOS XE Gibraltar 16.10.1.

Examples

The following example shows how to configure an extended access list:

Device# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Device(config)# ip access-list extended access-list-name

ip address

To set a primary or secondary IP address for an interface, use the ip address command in interface configuration mode. To remove an IP address or disable IP processing, use the no form of this command.

ip address ip-address mask [secondary [vrf vrf-name]]

no ip address ip-address mask [secondary [vrf vrf-name]]

Syntax Description

ip-address

IP address.

mask

Mask for the associated IP subnet.

secondary

(Optional) Specifies that the configured address is a secondary IP address. If this keyword is omitted, the configured address is the primary IP address.

Note 

If the secondary address is used for a VRF table configuration with the vrf keyword, the vrf keyword must be specified also.

vrf

(Optional) Name of the VRF table. The vrf-name argument specifies the VRF name of the ingress interface.

Command Default

No IP address is defined for the interface.

Command Modes

Interface configuration (config-if)

Command History

Release

Modification

Cisco IOS XE Gibraltar 16.12.1

This command was introduced.

Usage Guidelines

An interface can have one primary IP address and multiple secondary IP addresses. Packets generated by the Cisco IOS software always use the primary IP address. Therefore, all devices and access servers on a segment should share the same primary network number.

Hosts can determine subnet masks using the Internet Control Message Protocol (ICMP) mask request message. Devices respond to this request with an ICMP mask reply message.

You can disable IP processing on a particular interface by removing its IP address with the no ip address command. If the software detects another host using one of its IP addresses, it will print an error message on the console.

The optional secondary keyword allows you to specify an unlimited number of secondary addresses. Secondary addresses are treated like primary addresses, except the system never generates datagrams other than routing updates with secondary source addresses. IP broadcasts and Address Resolution Protocol (ARP) requests are handled properly, as are interface routes in the IP routing table.

Secondary IP addresses can be used in a variety of situations. The following are the most common applications:

  • There may not be enough host addresses for a particular network segment. For example, your subnetting allows up to 254 hosts per logical subnet, but on one physical subnet you need 300 host addresses. Using secondary IP addresses on the devices or access servers allows you to have two logical subnets using one physical subnet.

  • Many older networks were built using Level 2 bridges. The judicious use of secondary addresses can aid in the transition to a subnetted, device-based network. Devices on an older, bridged segment can be easily made aware that many subnets are on that segment.

  • Two subnets of a single network might otherwise be separated by another network. This situation is not permitted when subnets are in use. In these instances, the first network is extended, or layered on top of the second network using secondary addresses.


Note

  • If any device on a network segment uses a secondary address, all other devices on that same segment must also use a secondary address from the same network or subnet. Inconsistent use of secondary addresses on a network segment can very quickly cause routing loops.

  • When you are routing using the Open Shortest Path First (OSPF) algorithm, ensure that all secondary addresses of an interface fall into the same OSPF area as the primary addresses.

  • If you configure a secondary IP address, you must disable sending ICMP redirect messages by entering the no ip redirects command, to avoid high CPU utilization.


Examples

In the following example, 192.108.1.27 is the primary address and 192.31.7.17 is the secondary address for GigabitEthernet interface 1/0/1:

Device# enable 
Device# configure terminal
Device(config)# interface GigabitEthernet 1/0/1
Device(config-if)# ip address 192.108.1.27 255.255.255.0
Device(config-if)# ip address 192.31.7.17 255.255.255.0 secondary


ip dhcp pool

To configure a Dynamic Host Configuration Protocol (DHCP) address pool on a DHCP server and enter DHCP pool configuration mode, use the ip dhcp pool command in global configuration mode. To remove the address pool, use the no form of this command.

ip dhcp pool name

no ip dhcp pool name

Syntax Description

name

Name of the pool. Can either be a symbolic string (such as engineering) or an integer (such as 0).

Command Default

DHCP address pools are not configured.

Command Modes

Global configuration

Command History

Release

Modification

12.0(1)T

This command was introduced.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.

Usage Guidelines

During execution of this command, the configuration mode changes to DHCP pool configuration mode, which is identified by the (config-dhcp)# prompt. In this mode, the administrator can configure pool parameters, like the IP subnet number and default router list.

Examples

The following example configures pool1 as the DHCP address pool:


ip dhcp pool pool1

ip dhcp-relay information option server-override

To enable the system to globally insert the server ID override and link selection suboptions into the DHCP relay agent information option in forwarded BOOTREQUEST messages to a Dynamic Host Configuration Protocol (DHCP) server, use the ip dhcp-relay information option server-override command in global configuration mode. To disable inserting the server ID override and link selection suboptions into the DHCP relay agent information option, use the no form of this command.

ip dhcp-relay information option server-override

no ip dhcp-relay information option server-override

Syntax Description

This command has no arguments or keywords.

Command Default

The server ID override and link selection suboptions are not inserted into the DHCP relay agent information option.

Command Modes

Global configuration (config)

Command History

Release

Modification

Cisco IOS XE Release 2.1

This command was introduced on Cisco ASR 1000 Series Aggregation Services Routers.

12.2(33)SRE

This command was integrated into Cisco IOS Release 12.2(33)SRE.

15.1(1)SY

This command was integrated into Cisco IOS Release 15.1(1)SY.

Usage Guidelines

The ip dhcp-relay information option server-override command adds the following suboptions into the relay agent information option when DHCP broadcasts are forwarded by the relay agent from clients to a DHCP server:

  • Server ID override suboption

  • Link selection suboption

When this command is configured, the gateway address (giaddr) will be set to the IP address of the outgoing interface, which is the interface that is reachable by the DHCP server.

If the ip dhcp relay information option server-id-override command is configured on an interface, it overrides the global configuration on that interface only.

Examples

In the following example, the DHCP relay will insert the server ID override and link selection suboptions into the relay information option of the DHCP packet. The loopback interface IP address is configured to be the source IP address for the relayed messages.


Device(config)# ip dhcp-relay information option server-override
Device(config)# ip dhcp-relay source-interface loopback 0
Device(config)# interface Loopback 0
Device(config-if)# ip address 10.2.2.1 255.255.255.0
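To confirm in a packet capture that the relay is inserting the two suboptions named above, the relay agent information option has to be decoded. The following added example (not from the Cisco documentation) parses a DHCP options field and extracts both values. It assumes the standard numbering: option 82 (RFC 3046), link selection suboption 5 (RFC 3527) and server identifier override suboption 11 (RFC 5107); the page does not state which numbers the device emits, and the sample bytes and addresses are constructed.

```python
import ipaddress

RELAY_AGENT_INFO = 82    # DHCP option code, RFC 3046 (assumed, not on the page)
LINK_SELECTION = 5       # suboption code, RFC 3527 (assumed)
SERVER_ID_OVERRIDE = 11  # suboption code, RFC 5107 (assumed)
PAD, END = 0, 255        # single-byte options in the top-level options field

# Constructed sample: options field as it follows the DHCP magic cookie.
SAMPLE_OPTIONS = bytes([
    53, 1, 1,               # DHCP message type: DISCOVER
    82, 18,                 # relay agent information option, 18 bytes
    1, 4, 0, 1, 0, 23,      # suboption 1: circuit ID (opaque to this parser)
    5, 4, 192, 0, 2, 0,     # suboption 5: link selection 192.0.2.0
    11, 4, 192, 0, 2, 1,    # suboption 11: server ID override 192.0.2.1
    255,                    # end
])


def parse_tlvs(data, has_pad_end):
    """Split a code/length/value sequence into (code, value) pairs.

    has_pad_end is True for the top-level options field, where PAD and END
    are single bytes without a length; suboptions inside option 82 have no
    such special codes.
    """
    out, i = [], 0
    while i < len(data):
        code = data[i]
        if has_pad_end and code == PAD:
            i += 1
            continue
        if has_pad_end and code == END:
            break
        if i + 2 > len(data):
            raise ValueError(f"truncated header at offset {i}")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"code {code} at offset {i} is truncated")
        out.append((code, value))
        i += 2 + length
    return out


def relay_override_fields(options):
    """Return the link selection and server ID override addresses, if present."""
    names = {LINK_SELECTION: "link_selection",
             SERVER_ID_OVERRIDE: "server_id_override"}
    result = {"link_selection": None, "server_id_override": None}
    for code, value in parse_tlvs(options, has_pad_end=True):
        if code != RELAY_AGENT_INFO:
            continue
        for sub, subval in parse_tlvs(value, has_pad_end=False):
            if sub in names:
                if len(subval) != 4:
                    raise ValueError(f"suboption {sub} is not an IPv4 address")
                result[names[sub]] = str(ipaddress.IPv4Address(subval))
    return result


if __name__ == "__main__":
    print(relay_override_fields(SAMPLE_OPTIONS))
```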

ip dhcp-relay source-interface

To globally configure the source interface for the relay agent to use as the source IP address for relayed messages, use the ip dhcp-relay source-interface command in global configuration mode. To remove the source interface configuration, use the no form of this command.

ip dhcp-relay source-interface type number

no ip dhcp-relay source-interface type number

Syntax Description

type

Interface type. For more information, use the question mark (?) online help function.

number

Interface or subinterface number. For more information about the numbering system for your networking device, use the question mark (?) online help function.

Command Default

The source interface is not configured.

Command Modes

Global configuration (config)

Command History

Release

Modification

Cisco IOS XE Release 2.1

This command was introduced on Cisco ASR 1000 Series Aggregation Services Routers.

12.2(33)SRE

This command was integrated into Cisco IOS Release 12.2(33)SRE.

15.1(1)SY

This command was integrated into Cisco IOS Release 15.1(1)SY.

Usage Guidelines

The ip dhcp-relay source-interface command allows the network administrator to specify a stable, hardware-independent IP address (such as a loopback interface) for the relay agent to use as a source IP address for relayed messages.

If the ip dhcp-relay source-interface global configuration command is configured and the ip dhcp relay source-interface command is also configured, the ip dhcp relay source-interface command takes precedence over the global configuration command. However, the global configuration is applied to interfaces without the interface configuration.

Examples

In the following example, the loopback interface IP address is configured to be the source IP address for the relayed messages:


Device(config)# ip dhcp-relay source-interface loopback 0
Device(config)# interface loopback 0
Device(config-if)# ip address 10.2.2.1 255.255.255.0

ip domain-name

To configure the host domain on the device, use the ip domain-name command.

ip domain-name domain-name [vrf vrf-name]

Syntax Description

domain-name

Default domain name.

vrf-name

Specifies the virtual routing and forwarding (VRF) to use to resolve the domain name.

Command Default

None

Command Modes

Global configuration (config)

Command History

Release Modification

Cisco IOS XE Gibraltar 16.10.1

This command was introduced in a release earlier than Cisco IOS XE Gibraltar 16.10.1.

Examples

The following example shows how to configure a host domain in a device:

Device# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Device(config)# ip domain-name domain-name

ip flow monitor

To configure IP NetFlow monitoring, use the ip flow monitor command. To remove IP NetFlow monitoring, use the no form of this command.

ip flow monitor ip-monitor-name {input | output}

no ip flow monitor ip-monitor-name {input | output}

Syntax Description

ip-monitor-name

Flow monitor name.

input

Enables a flow monitor for ingress traffic.

output

Enables a flow monitor for egress traffic.

Command Default

None

Command Modes

WLAN configuration

Usage Guidelines

You must disable the WLAN before using this command.

Command History

Release Modification

Cisco IOS XE Gibraltar 16.12.1

This command was introduced.

Examples

This example shows how to configure an IP flow monitor for the ingress traffic:

Device# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Device(config)# wlan wlan1
Device(config-wlan)# ip flow monitor test input

This example shows how to disable an IP flow monitor:

Device# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Device(config)# wlan wlan1
Device(config-wlan)# no ip flow monitor test input

ip flow-export destination

To configure ETA flow export destination, use the ip flow-export destination command.

ip flow-export destination ip_address port_number

Syntax Description

port_number

Port number. The range is from 1 to 65535.

Command Default

None

Command Modes

ET-Analytics configuration

Command History

Release Modification

Cisco IOS XE Gibraltar 16.12.1

This command was introduced.

Examples

This example shows how to configure ETA flow export destination in the ET-Analytics configuration mode:

Device# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Device(config)# et-analytics
Device(config-et-analytics)# ip flow-export destination 120.0.0.1 2055
Device(config-et-analytics)# end

ip helper-address

To enable forwarding of User Datagram Protocol (UDP) broadcasts, including Bootstrap Protocol (BOOTP), received on an interface, use the ip helper-address command in interface configuration mode. To disable forwarding of broadcast packets to specific addresses, use the no form of this command.

ip helper-address [vrf name | global] address { [redundancy vrg-name]}

no ip helper-address [vrf name | global] address { [redundancy vrg-name]}

Syntax Description

vrf name

(Optional) Enables the VPN routing and forwarding (VRF) instance and the VRF name.

global

(Optional) Configures a global routing table.

address

Destination broadcast or host address to be used when forwarding UDP broadcasts. There can be more than one helper address per interface.

redundancy vrg-name

(Optional) Defines the Virtual Router Group (VRG) name.

Command Default

UDP broadcasts are not forwarded.

Command Modes

Interface configuration (config-if)

Command History

Release

Modification

10.0

This command was introduced.

12.2(4)B

This command was modified. The vrf name keyword and argument pair and the global keyword were added.

12.2(15)T

This command was modified. The redundancy vrg-name keyword and argument pair was added.

12.2(28)SB

This command was integrated into Cisco IOS Release 12.2(28)SB.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.

Usage Guidelines

The ip forward-protocol command along with the ip helper-address command allows you to control broadcast packets and protocols that are forwarded.

One common application that requires helper addresses is DHCP, which is defined in RFC 1531. To enable BOOTP or DHCP broadcast forwarding for a set of clients, configure a helper address on the router interface connected to the client. The helper address must specify the address of the BOOTP or DHCP server. If you have multiple servers, configure one helper address for each server.

The following conditions must be met for a UDP or IP packet to be able to use the ip helper-address command:

  • The MAC address of the received frame must be all-ones broadcast address (ffff.ffff.ffff).

  • The IP destination address must be one of the following: all-ones broadcast (255.255.255.255), subnet broadcast for the receiving interface, or major-net broadcast for the receiving interface if the no ip classless command is also configured.

  • The IP time-to-live (TTL) value must be at least 2.

  • The IP protocol must be UDP (17).

  • The UDP destination port must be for TFTP, Domain Name System (DNS), Time, NetBIOS, ND, BOOTP or DHCP packet, or a UDP port specified by the ip forward-protocol udp command in global configuration mode.

If the DHCP server resides in a VPN or global space that is different from the interface VPN, then the vrf name or the global option allows you to specify the name of the VRF or global space in which the DHCP server resides.

The ip helper-address vrf name address option uses the address associated with the VRF name regardless of the VRF of the incoming interface. If the ip helper-address vrf name address command is configured and later the VRF is deleted from the configuration, then all IP helper addresses associated with that VRF name will be removed from the interface configuration.

If the ip helper-address address command is already configured on an interface with no VRF name configured, and later the interface is configured with the ip helper-address vrf name address command, then the previously configured ip helper-address address command is considered to be global.


Note

The ip helper-address command does not work on an X.25 interface on a destination router because the router cannot determine if the packet was intended as a physical broadcast.


The service dhcp command must be configured on the router to enable IP helper statements to work with DHCP. If the command is not configured, the DHCP packets will not be relayed through the IP helper statements. The service dhcp command is configured by default.

Examples

The following example shows how to define an address that acts as a helper address:


Router(config)# interface ethernet 1
Router(config-if)# ip helper-address 10.24.43.2

The following example shows how to define an address that acts as a helper address and is associated with a VRF named host1:


Router(config)# interface ethernet 1/0
Router(config-if)# ip helper-address vrf host1 10.25.44.2

The following example shows how to define an address that acts as a helper address and is associated with a VRG named group1:


Router(config)# interface ethernet 1/0
Router(config-if)# ip helper-address 10.25.45.2 redundancy group1
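When reviewing which broadcasts a helper address will relay toward a server, the five conditions listed in the Usage Guidelines can be applied to a packet one by one. The following added example (a model of the conditions as this page states them, not Cisco code) returns the conditions a packet fails. The port numbers are the well-known ones for the protocols the page names; ND is left out because no port number is assumed for it, and the interface address and packets are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Well-known UDP ports for the protocols the page lists:
# TFTP 69, DNS 53, Time 37, NetBIOS name 137, NetBIOS datagram 138,
# BOOTP/DHCP server 67 and client 68. ND is omitted (no port assumed).
DEFAULT_UDP_PORTS = {69, 53, 37, 137, 138, 67, 68}


@dataclass
class Packet:
    dst_mac: str
    dst_ip: str
    ttl: int
    protocol: int                    # IP protocol number, UDP is 17
    udp_dport: Optional[int] = None


def major_net_broadcast(iface):
    """Broadcast address of the classful (major) network of the interface."""
    first_octet = int(iface.ip) >> 24
    prefix = 8 if first_octet < 128 else 16 if first_octet < 192 else 24
    net = ipaddress.ip_network(f"{iface.ip}/{prefix}", strict=False)
    return net.broadcast_address


def helper_failures(pkt, iface, extra_udp_ports=(), no_ip_classless=False):
    """Return the page's conditions that pkt fails; an empty list means eligible.

    iface is the receiving interface as "address/prefix". extra_udp_ports
    models ports added with ip forward-protocol udp, and no_ip_classless
    models the no ip classless command.
    """
    iface = ipaddress.ip_interface(iface)
    failures = []

    mac = pkt.dst_mac.lower()
    for sep in ".:-":
        mac = mac.replace(sep, "")
    if mac != "f" * 12:
        failures.append("dst-mac")

    allowed = {ipaddress.ip_address("255.255.255.255"),
               iface.network.broadcast_address}
    if no_ip_classless:
        allowed.add(major_net_broadcast(iface))
    if ipaddress.ip_address(pkt.dst_ip) not in allowed:
        failures.append("dst-ip")

    if pkt.ttl < 2:
        failures.append("ttl")

    if pkt.protocol != 17:
        failures.append("protocol")
    elif pkt.udp_dport not in DEFAULT_UDP_PORTS | set(extra_udp_ports):
        failures.append("udp-port")

    return failures


if __name__ == "__main__":
    discover = Packet("ffff.ffff.ffff", "255.255.255.255", 64, 17, 67)
    print(helper_failures(discover, "10.24.43.1/24"))
```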

ip http client secure-ciphersuite

To specify the CipherSuite that should be used for encryption over the secure HTTP connection from the client to a remote server, use the ip http client secure-ciphersuite command in global configuration mode. To remove a previously configured CipherSuite specification for the client, use the no form of this command.

ip http client secure-ciphersuite [3des-ede-cbc-sha] [rc4-128-sha] [rc4-128-md5] [des-cbc-sha]

no ip http client secure-ciphersuite

Syntax Description

3des-ede-cbc-sha

SSL_RSA_WITH_3DES_EDE_CBC_SHA--Rivest, Shamir, and Adleman (RSA) key exchange with 3DES and DES-EDE3-CBC for message encryption and Secure Hash Algorithm (SHA) for message digest.

rc4-128-sha

SSL_RSA_WITH_RC4_128_SHA--RSA key exchange (RSA Public Key Cryptography) with RC4 128-bit encryption for message encryption and SHA for message digest.

rc4-128-md5

SSL_RSA_WITH_RC4_128_MD5--RSA key exchange (RSA Public Key Cryptography) with RC4 128-bit encryption for message encryption and Message Digest 5 (MD5) for message digest.

des-cbc-sha

SSL_RSA_WITH_DES_CBC_SHA--RSA key exchange with DES-CBC for message encryption and SHA for message digest.

Command Default

The client and server negotiate the best CipherSuite that they both support from the list of available CipherSuites.

Command Modes


Global configuration

Command History

Release

Modification

Cisco IOS XE Gibraltar 16.10.1

This command was introduced in a release earlier than Cisco IOS XE

Usage Guidelines

This command allows you to restrict the list of CipherSuites (encryption algorithms) that the client offers when connecting to a secure HTTP server. For example, you may want to allow only the most secure CipherSuites to be used.

Unless you have a specific reason to restrict the CipherSuites and are familiar with their details, leave this command unconfigured and let the server and client negotiate a CipherSuite that they both support (this is the default). The no form of this command returns the list of available CipherSuites to the default (that is, all CipherSuites supported on your device are available for negotiation).

Examples

The following example shows how to configure the HTTPS client to use only the SSL_RSA_WITH_3DES_EDE_CBC_SHA CipherSuite:


Router(config)# ip http client secure-ciphersuite 3des-ede-cbc-sha

ip http secure-ciphersuite

To specify the CipherSuites that should be used by the secure HTTP server when negotiating a connection with a remote client, use the ip http secure-ciphersuite command in global configuration mode. To return the configuration to the default set of CipherSuites, use the no form of this command.

ip http secure-ciphersuite [3des-ede-cbc-sha] [rc4-128-sha] [rc4-128-md5] [des-cbc-sha]

no ip http secure-ciphersuite

Syntax Description

3des-ede-cbc-sha

SSL_RSA_WITH_3DES_EDE_CBC_SHA--Rivest, Shamir, and Adleman (RSA) key exchange with 3DES and DES-EDE3-CBC for message encryption and Secure Hash Algorithm (SHA) for message digest.

rc4-128-sha

SSL_RSA_WITH_RC4_128_SHA--RSA key exchange (RSA Public Key Cryptography) with RC4 128-bit encryption for message encryption and SHA for message digest.

rc4-128-md5

SSL_RSA_WITH_RC4_128_MD5--RSA key exchange (RSA Public Key Cryptography) with RC4 128-bit encryption for message encryption and Message Digest 5 (MD5) for message digest.

des-cbc-sha

SSL_RSA_WITH_DES_CBC_SHA--RSA key exchange with DES-CBC for message encryption and SHA for message digest.

Command Default

The HTTPS server negotiates the best CipherSuite using the list received from the connecting client.

Command Modes


Global configuration

Command History

Release

Modification

Cisco IOS XE Gibraltar 16.10.1

This command was introduced in a release earlier than Cisco IOS XE

Usage Guidelines

This command is used to restrict the list of CipherSuites (encryption algorithms) that should be used for encryption over the HTTPS connection. For example, you may want to allow only the most secure CipherSuites to be used.

Unless you have a specific reason to restrict the CipherSuites and are familiar with their details, leave this command unconfigured and let the server and client negotiate a CipherSuite that they both support (this is the default).

The supported CipherSuites vary by Cisco IOS software image. For example, “IP Sec56” (“k8”) images support only the SSL_RSA_WITH_DES_CBC_SHA CipherSuite in Cisco IOS Release 12.2(15)T.

In terms of router processing load (speed), the following list ranks the CipherSuites from fastest to slowest (slightly more processing time is required for the more secure and more complex CipherSuites):

  1. SSL_RSA_WITH_DES_CBC_SHA

  2. SSL_RSA_WITH_RC4_128_MD5

  3. SSL_RSA_WITH_RC4_128_SHA

  4. SSL_RSA_WITH_3DES_EDE_CBC_SHA

Additional information about these CipherSuites can be found online from sources that document the Secure Sockets Layer (SSL) 3.0 protocol.

Examples

The following example shows how to restrict the CipherSuites offered to a connecting secure web client:


Router(config)# ip http secure-ciphersuite rc4-128-sha rc4-128-md5
 

ip http secure-server

To enable a secure HTTP (HTTPS) server, enter the ip http secure-server command in global configuration mode. To disable the HTTPS server, use the no form of this command.

ip http secure-server

no ip http secure-server

Syntax Description

This command has no arguments or keywords.

Command Default

The HTTPS server is disabled.

Command Modes

Global configuration (config)

Command History

Release

Modification

Cisco IOS XE Gibraltar 16.12.1

This command was introduced.

Usage Guidelines

The HTTPS server uses the Secure Sockets Layer (SSL) version 3.0 protocol.


Caution

When enabling an HTTPS server, you should always disable the standard HTTP server to prevent unsecured connections to the same services. Disable the standard HTTP server using the no ip http server command in global configuration mode (this step is precautionary; typically, the HTTP server is disabled by default).

If a certificate authority (CA) is used for certification, you should declare the CA trustpoint on the routing device before enabling the HTTPS server.

To close HTTP/TCP port 8090, you must disable both the HTTP and HTTPS servers. Enter the no http server and the no http secure-server commands, respectively.

Examples

In the following example the HTTPS server is enabled, and the (previously configured) CA trustpoint CA-trust-local is specified:


Device#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Device(config)#ip http secure-server
Device(config)#ip http secure-trustpoint CA-trust-local
Device(config)#end

Device#show ip http server secure status
HTTP secure server status: Enabled
HTTP secure server port: 443
HTTP secure server ciphersuite: 3des-ede-cbc-sha des-cbc-sha rc4-128-md5 rc4-12a
HTTP secure server client authentication: Disabled
HTTP secure server trustpoint: CA-trust-local

ip http server

To enable the HTTP server on your IP or IPv6 system, including the Cisco web browser user interface, enter the ip http server command in global configuration mode. To disable the HTTP server, use the no form of this command.

ip http server

no ip http server

Syntax Description

This command has no arguments or keywords.

Command Default

The HTTP server uses the standard port 80 by default.

HTTP/TCP port 8090 is open by default.

Command Modes

Global configuration (config)

Command History

Release

Modification

Cisco IOS XE Gibraltar 16.10.1

This command was introduced.

Usage Guidelines

The command enables both IPv4 and IPv6 access to the HTTP server. However, an access list configured with the ip http access-class command is applied only to IPv4 traffic. IPv6 traffic filtering is not supported.


Caution

The standard HTTP server and the secure HTTP (HTTPS) server can run on a system at the same time. If you enable the HTTPS server using the ip http secure-server command, disable the standard HTTP server using the no ip http server command to ensure that secure data cannot be accessed through the standard HTTP connection.

To close HTTP/TCP port 8090, you must disable both the HTTP and HTTPS servers. Enter the no http server and the no http secure-server commands, respectively.

Examples

The following example shows how to enable the HTTP server on both IPv4 and IPv6 systems.

After enabling the HTTP server, you can set the base path by specifying the location of the HTML files to be served. HTML files used by the HTTP web server typically reside in system flash memory. Remote URLs can be specified using this command, but use of remote path names (for example, where HTML files are located on a remote TFTP server) is not recommended.


Device(config)#ip http server
Device(config)#ip http path flash:

ip ssh

To configure Secure Shell (SSH) control parameters on your router, use the ip ssh command in global configuration mode. To restore the default value, use the no form of this command.

ip ssh [timeout seconds | authentication-retries integer]

no ip ssh [timeout seconds | authentication-retries integer]

Syntax Description

timeout

(Optional) The time interval that the router waits for the SSH client to respond.

This setting applies to the SSH negotiation phase. Once the EXEC session starts, the standard timeouts configured for the vty apply. By default, there are 5 vtys defined (0-4), therefore 5 terminal sessions are possible. After the SSH executes a shell, the vty timeout starts. The vty timeout defaults to 10 minutes.

seconds

(Optional) The number of seconds until timeout disconnects, with a maximum of 120 seconds. The default is 120 seconds.

authentication-retries

(Optional) The number of attempts after which the interface is reset.

integer

(Optional) The number of retries, with a maximum of 5 authentication retries. The default is 3.

Command Default

SSH control parameters are set to default router values.

Command Modes


Global configuration (config)

Command History

Release

Modification

12.0(5)S

This command was introduced.

12.1(1)T

This command was integrated into Cisco IOS Release 12.1(1)T.

12.2(17a)SX

This command was integrated into Cisco IOS Release 12.2(17a)SX.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

Cisco IOS XE Release 2.4

This command was implemented on the Cisco ASR 1000 series routers.

Usage Guidelines

Before you configure SSH on your router, you must enable the SSH server using the crypto key generate rsa command.

Examples

The following examples configure SSH control parameters on your router:


ip ssh timeout 120
ip ssh authentication-retries 3

ip ssh version

To specify the version of Secure Shell (SSH) to be run on a router, use the ip ssh version command in global configuration mode. To disable the version of SSH that was configured and to return to compatibility mode, use the no form of this command.

ip ssh version [1 | 2]

no ip ssh version [1 | 2]

Syntax Description

1

(Optional) Router runs only SSH Version 1.

2

(Optional) Router runs only SSH Version 2.

Command Default

If this command is not configured, SSH operates in compatibility mode, that is, Version 1 and Version 2 are both supported.

Command Modes


Global configuration

Command History

Release

Modification

12.3(4)T

This command was introduced.

12.3(2)XE

This command was integrated into Cisco IOS Release 12.3(2)XE.

12.2(25)S

This command was integrated into Cisco IOS Release 12.2(25)S.

12.3(7)JA

This command was integrated into Cisco IOS Release 12.3(7)JA.

12.0(32)SY

This command was integrated into Cisco IOS Release 12.0(32)SY.

12.4(20)T

This command was integrated into Cisco IOS Release 12.4(20)T.

15.2(2)SA2

This command was implemented on the Cisco ME 2600X Series Ethernet Access Switches.

Usage Guidelines

You can use this command with the 2 keyword to ensure that your router will not inadvertently establish a weaker SSH Version 1 connection.

Examples

The following example shows that only SSH Version 1 support is configured:


Router(config)# ip ssh version 1

The following example shows that only SSH Version 2 is configured:


Router(config)# ip ssh version 2

The following example shows that SSH Versions 1 and 2 are configured:


Router(config)# no ip ssh version
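
An added example (not Cisco's code) that checks saved-configuration text against the guidance in the ip http secure-ciphersuite, ip http secure-server, ip http server, and ip ssh version sections above. The finding codes, the two sample configurations, and the policy of treating the RC4 and single-DES keywords as weak are assumptions of this example.

```python
# Added example: audit of the management-plane commands documented above.
# Finding codes and the weak-suite policy are this example's assumptions.

# Keywords exactly as listed in the Syntax Description tables on this page.
WEAK_SUITES = {
    "rc4-128-sha": "RC4 encryption",
    "rc4-128-md5": "RC4 encryption with MD5 digest",
    "des-cbc-sha": "single DES encryption",
}
STRONGEST_LISTED = "3des-ede-cbc-sha"  # strongest of the four keywords on this page


def parse_mgmt_settings(config_text):
    """Pull the HTTP, HTTPS and SSH settings out of saved-configuration text."""
    settings = {"http": None, "https": None, "ssh_version": None,
                "server_suites": None, "client_suites": None}
    for raw in config_text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("!"):
            continue                      # blank line or comment
        enabled = words[0] != "no"        # "no ..." is the negated form
        if not enabled:
            words = words[1:]
        if words == ["ip", "http", "server"]:
            settings["http"] = enabled
        elif words == ["ip", "http", "secure-server"]:
            settings["https"] = enabled
        elif words[:3] == ["ip", "http", "secure-ciphersuite"]:
            settings["server_suites"] = words[3:] if enabled else None
        elif words[:4] == ["ip", "http", "client", "secure-ciphersuite"]:
            settings["client_suites"] = words[4:] if enabled else None
        elif words[:3] == ["ip", "ssh", "version"]:
            settings["ssh_version"] = words[3] if enabled and len(words) > 3 else None
    return settings


def suite_findings(role, suites):
    """Findings for one cipher-suite list; None means the command is unconfigured."""
    if suites is None:
        return [(role + "_SUITES_DEFAULT",
                 "no restriction configured; every supported suite is negotiable")]
    found = []
    for suite in suites:
        if suite in WEAK_SUITES:
            found.append((role + "_WEAK_SUITE", suite + ": " + WEAK_SUITES[suite]))
        elif suite != STRONGEST_LISTED:
            # Supported suites vary by image, so other keywords are not judged here.
            found.append((role + "_UNKNOWN_SUITE", suite + ": not on this page, review manually"))
    return found


def audit(config_text):
    """Return a list of (code, detail) findings, empty when nothing is flagged."""
    s = parse_mgmt_settings(config_text)
    findings = []
    if s["http"] and s["https"]:
        findings.append(("HTTP_AND_HTTPS", "HTTPS is on but 'no ip http server' is missing"))
    elif s["http"]:
        findings.append(("HTTP_ONLY", "standard HTTP server enabled without HTTPS"))
    if s["https"]:
        findings += suite_findings("SERVER", s["server_suites"])
    if s["client_suites"] is not None:    # the client list is checked only when set
        findings += suite_findings("CLIENT", s["client_suites"])
    if s["ssh_version"] == "1":
        findings.append(("SSH_V1_ONLY", "router runs only SSH Version 1"))
    elif s["ssh_version"] is None:
        findings.append(("SSH_COMPAT_MODE", "no 'ip ssh version 2'; Version 1 and 2 both accepted"))
    return findings


# Constructed sample configurations (not taken from a real device).
WEAK_CONFIG = """\
ip http server
ip http secure-server
ip http secure-trustpoint CA-trust-local
ip http secure-ciphersuite rc4-128-sha rc4-128-md5
ip ssh version 1
"""

HARDENED_CONFIG = """\
no ip http server
ip http secure-server
ip http secure-trustpoint CA-trust-local
ip http secure-ciphersuite 3des-ede-cbc-sha
ip http client secure-ciphersuite 3des-ede-cbc-sha
ip ssh version 2
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name)
        for code, detail in audit(text):
            print("  %-22s %s" % (code, detail))
```
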

ip tftp blocksize

To specify TFTP client blocksize, use the ip tftp blocksize command.

ip tftp blocksize blocksize-value

Syntax Description

blocksize-value

Blocksize value. Valid range is from 512-8192 Kbps.

Command Default

TFTP client blocksize is not configured.

Command Modes

Global configuration (config)

Command History

Release Modification
Cisco IOS XE Gibraltar 16.10.1

This command was introduced in a release earlier than Cisco IOS XE Gibraltar 16.10.1.

Usage Guidelines

Use this command to change the default blocksize to decrease the image download time.

Examples

The following example shows how to specify TFTP client blocksize:

Device(config)# ip tftp blocksize 512

ip verify source

To enable IP source guard on an interface, use the ip verify source command in interface configuration mode. To disable IP source guard, use the no form of this command.

ip verify source

no ip verify source

Command Default

IP source guard is disabled.

Command Modes

Interface configuration

Command History

Release

Modification

Cisco IOS XE Gibraltar 16.12.1

This command was introduced.

Usage Guidelines

To enable IP source guard with source IP address filtering, use the ip verify source interface configuration command.

Examples

This example shows how to enable IP source guard with source IP address filtering on an interface:


Device(config)# interface gigabitethernet1/0/1
Device(config-if)# ip verify source

You can verify your settings by entering the show ip verify source privileged EXEC command.

ipv4 acl

To create ACL configuration for wireless IPv4, use the ipv4 acl command.

ipv4 acl ipv4-acl-name

Syntax Description

ipv4 acl

Creates ACL configuration for wireless IPv4.

ipv4-acl-name

Specifies the IPv4 ACL name.

Command Default

None

Command Modes

Wireless policy configuration mode

Command History

Release Modification
Cisco IOS XE Amsterdam 17.1.1s

This command was introduced.

Examples

This example shows how to create an ACL configuration for wireless IPv4:

Device(config-wireless-policy)#ipv4 acl ipv4-acl-name

ipv4 dhcp

To configure the DHCP parameters for a WLAN, use the ipv4 dhcp command.

ipv4 dhcp {opt82 | {ascii | rid | format | {ap_ethmac | ap_location | apmac | apname | policy_tag | ssid | vlan_id }} | required | server | dhcp-ip-addr}

Syntax Description

opt82

Sets DHCP option 82 for wireless clients on this WLAN

required

Specifies whether DHCP address assignment is required

server

Configures the WLAN's IPv4 DHCP Server

ascii

Supports ASCII for DHCP option 82

rid

Supports adding Cisco 2 byte RID for DHCP option 82

format

Sets RemoteID format

ap_ethmac

Enables DHCP AP Ethernet MAC address

ap_location

Enables AP location

apmac

Enables AP MAC address

apname

Enables AP name

policy_tag

Enables Policy tag

ssid

Enables SSID

vlan_id

Enables VLAN ID

dhcp-ip-addr

Enter the override DHCP server's IP Address.

Command Default

None

Command Modes

config-wireless-policy

Command History

Release Modification

Cisco IOS XE Gibraltar 16.10.1

This command was introduced in a release earlier than Cisco IOS XE Gibraltar 16.10.1.

Examples

The following example shows how to configure DHCP address assignment as a requirement:

Device# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Device(config)# wireless profile policy demo-profile-name
Device(config-wireless-policy)# ipv4 dhcp required

ipv4 flow monitor

To configure the IPv4 traffic ingress flow monitor for a WLAN profile policy, use the ipv4 flow monitor input command.

ipv4 flow monitor monitor-name input

Syntax Description

monitor-name

Flow monitor name.

input

Enables flow monitor on ingress traffic.

Command Default

None

Command Modes

config-wireless-policy

Command History

Release Modification

Cisco IOS XE Gibraltar 16.10.1

This command was introduced in a release earlier than Cisco IOS XE Gibraltar 16.10.1.

Examples

The following example shows how to configure the IPv4 traffic ingress flow monitor for a WLAN profile policy:

Device# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Device(config)# wireless profile policy policy-profile-name
Device(config-wireless-policy)# ipv4 flow monitor flow-monitor-name input

ipv4 flow monitor output

To configure the IPv4 traffic egress flow monitor for a WLAN profile policy, use the ipv4 flow monitor output command.

ipv4 flow monitor monitor-name output

Syntax Description

monitor-name

Flow monitor name.

output

Enables flow monitor on egress traffic.

Command Default

None

Command Modes

config-wireless-policy

Command History

Release Modification

Cisco IOS XE Amsterdam 17.2.1

This command was introduced in a release earlier than Cisco IOS XE Amsterdam 17.2.1.

Examples

The following example shows how to configure the IPv4 traffic egress flow monitor for a WLAN profile policy:

Device(config-wireless-policy)#ipv4 flow monitor flow-monitor-name output

ipv6 flow monitor input

To configure the IPv6 traffic ingress flow monitor for a WLAN profile policy, use the ipv6 flow monitor input command.

ipv6 flow monitor monitor-name input

Syntax Description

monitor-name

Flow monitor name.

input

Enables flow monitor on ingress traffic.

Command Default

None

Command Modes

config-wireless-policy

Command History

Release Modification

Cisco IOS XE Amsterdam 17.2.1

This command was introduced in a release earlier than Cisco IOS XE Amsterdam 17.2.1.

Examples

The following example shows how to configure the IPv6 traffic ingress flow monitor for a WLAN profile policy:

Device(config-wireless-policy)#ipv6 flow monitor flow-monitor-name input

ipv6 flow monitor output

To configure the IPv6 traffic egress flow monitor for a WLAN profile policy, use the ipv6 flow monitor output command.

ipv6 flow monitor monitor-name output

Syntax Description

monitor-name

Flow monitor name.

output

Enables flow monitor on egress traffic.

Command Default

None

Command Modes

config-wireless-policy

Command History

Release Modification

Cisco IOS XE Amsterdam 17.2.1

This command was introduced in a release earlier than Cisco IOS XE Amsterdam 17.2.1.

Examples

The following example shows how to configure the IPv6 traffic egress flow monitor for a WLAN profile policy:

Device(config-wireless-policy)#ipv6 flow monitor flow-monitor-name output

ipv6 access-list

To define an IPv6 access list and to place the device in IPv6 access list configuration mode, use the ipv6 access-list command in global configuration mode. To remove the access list, use the no form of this command.

ipv6 access-list access-list-name | match-local-traffic | log-update threshold threshold-in-msgs | role-based list-name

no ipv6 access-list access-list-name | client permit-control-packets | log-update threshold | role-based list-name

Syntax Description

ipv6 access-list-name

Creates a named IPv6 ACL (up to 64 characters in length) and enters IPv6 ACL configuration mode.

access-list-name - Name of the IPv6 access list. Names cannot contain a space or quotation mark, or begin with a numeric.

match-local-traffic

Enables matching for locally-generated traffic.

log-update threshold threshold-in-msgs

Determines how syslog messages are generated after the initial packet match.

threshold-in-msgs - Number of packets generated.

role-based list-name

Creates a role-based IPv6 ACL.

Command Default

No IPv6 access list is defined.

Command Modes


Global configuration

Command History

Release

Modification

Usage Guidelines

IPv6 ACLs are defined by using the ipv6 access-list command in global configuration mode and their permit and deny conditions are set by using the deny and permit commands in IPv6 access list configuration mode. Configuring the ipv6 access-list command places the device in IPv6 access list configuration mode--the device prompt changes to Device(config-ipv6-acl)#. From IPv6 access list configuration mode, permit and deny conditions can be set for the defined IPv6 ACL.


Note

IPv6 ACLs are defined by a unique name (IPv6 does not support numbered ACLs). An IPv4 ACL and an IPv6 ACL cannot share the same name.


IPv6 is automatically configured as the protocol type in permit any any and deny any any statements that are translated from global configuration mode to IPv6 access list configuration mode.

Every IPv6 ACL has implicit permit icmp any any nd-na, permit icmp any any nd-ns, and deny ipv6 any any statements as its last match conditions. (The former two match conditions allow for ICMPv6 neighbor discovery.) An IPv6 ACL must contain at least one entry for the implicit deny ipv6 any any statement to take effect. The IPv6 neighbor discovery process makes use of the IPv6 network layer service; therefore, by default, IPv6 ACLs implicitly allow IPv6 neighbor discovery packets to be sent and received on an interface. In IPv4, the Address Resolution Protocol (ARP), which is equivalent to the IPv6 neighbor discovery process, makes use of a separate data link layer protocol; therefore, by default, IPv4 ACLs implicitly allow ARP packets to be sent and received on an interface.

Use the ipv6 traffic-filter interface configuration command with the access-list-name argument to apply an IPv6 ACL to an IPv6 interface. Use the ipv6 access-class line configuration command with the access-list-name argument to apply an IPv6 ACL to incoming and outgoing IPv6 virtual terminal connections to and from the device.

An IPv6 ACL applied to an interface with the ipv6 traffic-filter command filters traffic that is forwarded, not originated, by the device.

Examples

The following example configures the IPv6 ACL named list1 and places the device in IPv6 access list configuration mode:


Device(config)# ipv6 access-list list1
Device(config-ipv6-acl)#

The following example configures the IPv6 ACL named list2 and applies the ACL to outbound traffic on Ethernet interface 0. Specifically, the first ACL entry keeps all packets from the network FEC0:0:0:2::/64 (packets that have the site-local prefix FEC0:0:0:2 as the first 64 bits of their source IPv6 address) from exiting out of Ethernet interface 0. The second entry in the ACL permits all other traffic to exit out of Ethernet interface 0. The second entry is necessary because an implicit deny all condition is at the end of each IPv6 ACL.


Device(config)# ipv6 access-list list2 deny FEC0:0:0:2::/64 any
Device(config)# ipv6 access-list list2 permit any any
Device(config)# interface ethernet 0
Device(config-if)# ipv6 traffic-filter list2 out
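
An added example (not part of the original reference) that models the evaluation order described in the usage guidelines above: explicit entries first, then the implicit neighbor discovery permits, then the implicit deny. The Packet and Entry types and the WEB_ONLY list are constructed for illustration; LIST2 mirrors the list2 example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

ND_NS, ND_NA = 135, 136   # ICMPv6 message types: neighbor solicitation / advertisement


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "tcp"               # "tcp", "udp" or "icmp"
    icmp_type: Optional[int] = None


@dataclass(frozen=True)
class Entry:
    action: str                      # "permit" or "deny"
    proto: str                       # "ipv6" matches every protocol
    src: str                         # "any" or an IPv6 prefix
    dst: str
    icmp_type: Optional[int] = None  # None matches every ICMPv6 type

    def matches(self, pkt):
        if self.proto not in ("ipv6", pkt.proto):
            return False
        if self.icmp_type is not None and self.icmp_type != pkt.icmp_type:
            return False
        return in_prefix(pkt.src, self.src) and in_prefix(pkt.dst, self.dst)


def in_prefix(addr, spec):
    """True when addr falls inside spec, where spec is "any" or an IPv6 prefix."""
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)


# The three statements the page says end every IPv6 ACL, in the order it lists them.
IMPLICIT_TAIL = (
    Entry("permit", "icmp", "any", "any", ND_NA),
    Entry("permit", "icmp", "any", "any", ND_NS),
    Entry("deny", "ipv6", "any", "any"),
)


def evaluate(acl, pkt):
    """Return (action, matched_by) for pkt: first match wins, explicit entries first."""
    if not acl:
        # Per the page, the implicit deny needs at least one entry to take effect.
        return ("permit", "empty ACL")
    for number, entry in enumerate(acl, 1):
        if entry.matches(pkt):
            return (entry.action, "entry %d" % number)
    for entry in IMPLICIT_TAIL:
        if entry.matches(pkt):
            return (entry.action, "implicit")
    raise AssertionError("unreachable: the implicit deny matches every packet")


# list2 from the page's example: no protocol keyword, so the entries match all IPv6.
LIST2 = [
    Entry("deny", "ipv6", "FEC0:0:0:2::/64", "any"),
    Entry("permit", "ipv6", "any", "any"),
]
# Constructed ACL with a single narrow permit, to show the implicit tail at work.
WEB_ONLY = [Entry("permit", "tcp", "any", "2001:DB8::10/128")]

if __name__ == "__main__":
    cases = [
        ("list2", LIST2, Packet("FEC0:0:0:2::5", "2001:DB8::1")),
        ("list2", LIST2, Packet("2001:DB8:1::5", "2001:DB8::1")),
        ("list2", LIST2, Packet("FEC0:0:0:2::5", "FF02::1:FF00:1", "icmp", ND_NS)),
        ("web-only", WEB_ONLY, Packet("2001:DB8:1::5", "2001:DB8::10", "udp")),
        ("web-only", WEB_ONLY, Packet("FE80::1", "FE80::2", "icmp", ND_NA)),
        ("empty", [], Packet("FEC0:0:0:2::5", "2001:DB8::1")),
    ]
    for name, acl, pkt in cases:
        print(name, pkt, "->", evaluate(acl, pkt))
```

In LIST2 the explicit deny matches a neighbor solicitation sourced from FEC0:0:0:2::/64 before the implicit permits are reached, so a broad explicit entry takes precedence over the implicit neighbor discovery permits.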

ipv6 acl

To create ACL configuration for wireless IPv6, use the ipv6 acl command.

ipv6 acl ipv6-acl-name

Syntax Description

ipv6 acl

Creates ACL configuration for wireless IPv6.

ipv6-acl-name

Specifies the IPv6 ACL name.

Command Default

None

Command Modes

Wireless policy configuration mode

Command History

Release Modification
Cisco IOS XE Amsterdam 17.1.1s

This command was introduced.

Examples

This example shows how to create an ACL configuration for wireless IPv6:

Device(config-wireless-policy)#ipv6 acl ipv6-acl-name

ipv6-address-type

To configure the 802.11u IPv6 address type, use the ipv6-address-type command. To remove the address type, use the no form of the command.

ipv6-address-type {available | not-available | not-known}

Syntax Description

available

Sets IPv6 address type as available.

not-available

Sets IPv6 address type as not available.

not-known

Sets IPv6 address type availability as not known.

Command Default

None

Command Modes

Wireless ANQP Server Configuration (config-wireless-anqp-server)

Command History

Release Modification
Cisco IOS XE Gibraltar 16.12.1

This command was introduced.

Examples

The following example shows how to configure an 802.11u IPv6 address type:

Device(config)# wireless hotspot anqp-server my-server
Device(config-wireless-anqp-server)# ipv6-address-type available

ipv6 address

To configure an IPv6 address based on an IPv6 general prefix and enable IPv6 processing on an interface, use the ipv6 address command in interface configuration mode. To remove the address from the interface, use the no form of this command.

ipv6 address {ipv6-prefix/prefix-length | prefix-name sub-bits/prefix-length}

no ipv6 address {ipv6-address/prefix-length | prefix-name sub-bits/prefix-length}

Syntax Description

ipv6-address

The IPv6 address to be used.

/prefix-length

The length of the IPv6 prefix. A decimal value that indicates how many of the high-order contiguous bits of the address comprise the prefix (the network portion of the address). A slash mark must precede the decimal value.

prefix-name

A general prefix, which specifies the leading bits of the network to be configured on the interface.

sub-bits

The subprefix bits and host bits of the address to be concatenated with the prefixes provided by the general prefix specified with the prefix-name argument.

The sub-bits argument must be in the form documented in RFC 2373 where the address is specified in hexadecimal using 16-bit values between colons.

Command Default

No IPv6 addresses are defined for any interface.

Command Modes


Interface configuration

Command History

Release

Modification

12.2(2)T

This command was introduced.

12.2(28)SB

This command was integrated into Cisco IOS Release 12.2(28)SB.

12.2(25)SG

This command was integrated into Cisco IOS Release 12.2(25)SG.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2(33)SXH

This command was integrated into Cisco IOS Release 12.2(33)SXH.

Cisco IOS XE Release 2.1

This command was integrated into Cisco ASR 1000 Series devices.

15.2(4)S

This command was integrated into Cisco IOS Release 15.2(4)S.

15.2(2)SNG

This command was implemented on the Cisco ASR 901 Series Aggregation Services devices.

Cisco IOS XE Release 3.2SE

This command was integrated into Cisco IOS XE Release 3.2SE.

Usage Guidelines

The ipv6 address command allows multiple IPv6 addresses to be configured on an interface in various different ways, with varying options. The most common way is to specify the IPv6 address with the prefix length.

Addresses may also be defined using the general prefix mechanism, which separates the aggregated IPv6 prefix bits from the subprefix and host bits. In this case, the leading bits of the address are defined in a general prefix, which is globally configured or learned (for example, through use of Dynamic Host Configuration Protocol-Prefix Delegation (DHCP-PD)), and then applied using the prefix-name argument. The subprefix bits and host bits are defined using the sub-bits argument.

Using the no ipv6 address autoconfig command without arguments removes all IPv6 addresses from an interface.

IPv6 link-local addresses must be configured and IPv6 processing must be enabled on an interface by using the ipv6 address link-local command.

Examples

The following example shows how to enable IPv6 processing on the interface and configure an address based on the general prefix called my-prefix and the directly specified bits:

Device(config-if)# ipv6 address my-prefix 0:0:0:7272::72/64

Assuming the general prefix named my-prefix has the value of 2001:DB8:2222::/48, then the interface would be configured with the global address 2001:DB8:2222:7272::72/64.

ipv6 dhcp pool

To configure a Dynamic Host Configuration Protocol (DHCP) for IPv6 server configuration information pool and enter DHCP for IPv6 pool configuration mode, use the ipv6 dhcp pool command in global configuration mode. To delete a DHCP for IPv6 pool, use the no form of this command.

ipv6 dhcp pool poolname

no ipv6 dhcp pool poolname

Syntax Description

poolname

User-defined name for the local prefix pool. The pool name can be a symbolic string (such as "Engineering") or an integer (such as 0).

Command Default

DHCP for IPv6 pools are not configured.

Command Modes


Global configuration

Command History

Release

Modification

12.3(4)T

This command was introduced.

12.2(18)SXE

This command was integrated into Cisco IOS Release 12.2(18)SXE.

12.4(24)T

This command was integrated into Cisco IOS Release 12.4(24)T.

Cisco IOS XE Release 2.1

This command was integrated into Cisco IOS XE Release 2.1.

12.2(33)SRE

This command was modified. It was integrated into Cisco IOS Release 12.2(33)SRE.

12.2(33)XNE

This command was modified. It was integrated into Cisco IOS Release 12.2(33)XNE.

Usage Guidelines

Use the ipv6 dhcp pool command to create a DHCP for IPv6 server configuration information pool. When the ipv6 dhcp pool command is enabled, the configuration mode changes to DHCP for IPv6 pool configuration mode. In this mode, the administrator can configure pool parameters, such as prefixes to be delegated and Domain Name System (DNS) servers, using the following commands:

  • address prefix IPv6-prefix [lifetime {valid-lifetime preferred-lifetime | infinite }] sets an address prefix for address assignment. This address must be in hexadecimal, using 16-bit values between colons.

  • link-address IPv6-prefix sets a link-address IPv6 prefix. When an address on the incoming interface or a link-address in the packet matches the specified IPv6-prefix, the server uses the configuration information pool. This address must be in hexadecimal, using 16-bit values between colons.

  • vendor-specific vendor-id enables DHCPv6 vendor-specific configuration mode. Specify a vendor identification number. This number is the vendor IANA Private Enterprise Number. The range is 1 to 4294967295. The following configuration command is available:
    • suboption number sets vendor-specific suboption number. The range is 1 to 65535. You can enter an IPv6 address, ASCII text, or a hex string as defined by the suboption parameters.

Note

The hex value used under the suboption keyword allows users to enter only hex digits (0-f). Entering an invalid hex value does not delete the previous configuration.


Once the DHCP for IPv6 configuration information pool has been created, use the ipv6 dhcp server command to associate the pool with a server on an interface. If you do not configure an information pool, you need to use the ipv6 dhcp server interface configuration command to enable the DHCPv6 server function on an interface.

When you associate a DHCPv6 pool with an interface, only that pool services requests on the associated interface. The pool also services other interfaces. If you do not associate a DHCPv6 pool with an interface, it can service requests on any interface.

Not using any IPv6 address prefix means that the pool returns only configured options.

The link-address command allows matching a link-address without necessarily allocating an address. You can match the pool from multiple relays by using multiple link-address configuration commands inside a pool.

Since a longest match is performed on either the address pool information or the link information, you can configure one pool to allocate addresses and another pool on a subprefix that returns only configured options.

Examples

The following example specifies a DHCP for IPv6 configuration information pool named cisco1 and places the router in DHCP for IPv6 pool configuration mode:


Router(config)# ipv6 dhcp pool cisco1
Router(config-dhcpv6)#

The following example shows how to configure an IPv6 address prefix for the IPv6 configuration pool cisco1:


Router(config-dhcpv6)# address prefix 2001:1000::0/64
Router(config-dhcpv6)# end

The following example shows how to configure a pool named engineering with three link-address prefixes and an IPv6 address prefix:


Router# configure terminal
Router(config)# ipv6 dhcp pool engineering
Router(config-dhcpv6)# link-address 2001:1001::0/64
Router(config-dhcpv6)# link-address 2001:1002::0/64
Router(config-dhcpv6)# link-address 2001:2000::0/48
Router(config-dhcpv6)# address prefix 2001:1003::0/64
Router(config-dhcpv6)# end

The following example shows how to configure a pool named 350 with vendor-specific options:


Router# configure terminal
Router(config)# ipv6 dhcp pool 350
Router(config-dhcpv6)# vendor-specific 9
Router(config-dhcpv6-vs)# suboption 1 address 1000:235D::1
Router(config-dhcpv6-vs)# suboption 2 ascii "IP-Phone"
Router(config-dhcpv6-vs)# end
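The longest-match pool selection described in the usage guidelines above can be modelled offline before a change is deployed. The following is an added example, not Cisco code and not part of the original reference: it parses pool definitions written in the syntax shown above and picks the pool for a relay's link-address. The pool eng-options and the test addresses are constructed, and the model assumes no pool is associated with a specific interface.

```python
import ipaddress

# cisco1 and engineering are the pools from the examples above; eng-options is
# a constructed options-only pool on a subprefix of engineering's /48.
CONFIG = """\
ipv6 dhcp pool cisco1
 address prefix 2001:1000::0/64
ipv6 dhcp pool engineering
 link-address 2001:1001::0/64
 link-address 2001:1002::0/64
 link-address 2001:2000::0/48
 address prefix 2001:1003::0/64
ipv6 dhcp pool eng-options
 link-address 2001:2000:0:5::/64
"""


def parse_pools(config_text):
    """Return {pool_name: {"link": [networks], "address": [networks]}}."""
    pools, current = {}, None
    for raw in config_text.splitlines():
        words = raw.split()
        if words[:3] == ["ipv6", "dhcp", "pool"] and len(words) == 4:
            current = pools.setdefault(words[3], {"link": [], "address": []})
        elif current is not None and words[:1] == ["link-address"] and len(words) == 2:
            current["link"].append(ipaddress.IPv6Network(words[1]))
        elif current is not None and words[:2] == ["address", "prefix"] and len(words) >= 3:
            current["address"].append(ipaddress.IPv6Network(words[2]))
    return pools


def select_pool(pools, link_address):
    """Longest match of link_address against every pool's link-address and
    address prefixes. Returns (pool_name, matched_prefix) or (None, None)."""
    addr = ipaddress.IPv6Address(link_address)
    best = (None, None)
    for name, pool in pools.items():
        for net in pool["link"] + pool["address"]:
            if addr in net and (best[1] is None or net.prefixlen > best[1].prefixlen):
                best = (name, net)
    return best


def describe(pools, link_address):
    """Say what the selected pool hands out for this link-address."""
    name, _matched = select_pool(pools, link_address)
    if name is None:
        return "no pool matches"
    if pools[name]["address"]:
        prefixes = ", ".join(str(n) for n in pools[name]["address"])
        return f"{name}: allocate from {prefixes}"
    # A pool without an address prefix returns only configured options.
    return f"{name}: configured options only"


if __name__ == "__main__":
    pools = parse_pools(CONFIG)
    for relay_link in ("2001:1000::10", "2001:2000:0:6::1",
                       "2001:2000:0:5::1", "2001:db8::1"):
        print(relay_link, "->", describe(pools, relay_link))
```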

ipv6 enable

To enable IPv6 processing on an interface that has not been configured with an explicit IPv6 address, use the ipv6 enable command in interface configuration mode. To disable IPv6 processing on an interface that has not been configured with an explicit IPv6 address, use the no form of this command.

ipv6 enable

no ipv6 enable

Syntax Description

This command has no arguments or keywords.

Command Default

IPv6 is disabled.

Command Modes


Interface configuration (config-if)

Command History

Release

Modification

12.2(2)T

This command was introduced.

12.0(21)ST

This command was integrated into Cisco IOS Release 12.0(21)ST.

12.0(22)S

This command was integrated into Cisco IOS Release 12.0(22)S.

12.2(14)S

This command was integrated into Cisco IOS Release 12.2(14)S.

12.2(28)SB

This command was integrated into Cisco IOS Release 12.2(28)SB.

12.2(25)SG

This command was integrated into Cisco IOS Release 12.2(25)SG.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2(33)SXH

This command was integrated into Cisco IOS Release 12.2(33)SXH.

Cisco IOS XE Release 2.1

This command was integrated into Cisco IOS XE Release 2.1.

15.2(2)SNG

This command was implemented on the Cisco ASR 901 Series Aggregation Services devices.

Cisco IOS XE Release 3.2SE

This command was integrated into Cisco IOS XE Release 3.2SE.

15.2(2)SA2

This command was implemented on the Cisco ME 2600X Series Ethernet Access Switches.

Usage Guidelines

The ipv6 enable command automatically configures an IPv6 link-local unicast address on the interface while also enabling the interface for IPv6 processing. The no ipv6 enable command does not disable IPv6 processing on an interface that is configured with an explicit IPv6 address.

Examples

The following example enables IPv6 processing on Ethernet interface 0/0:


Device(config)# interface ethernet 0/0
Device(config-if)# ipv6 enable

ipv6 mld snooping

To enable Multicast Listener Discovery version 2 (MLDv2) protocol snooping globally, use the ipv6 mld snooping command in global configuration mode. To disable the MLDv2 snooping globally, use the no form of this command.

ipv6 mld snooping

no ipv6 mld snooping

Syntax Description

This command has no arguments or keywords.

Command Default

This command is enabled.

Command Modes


Global configuration

Command History

Release

Modification

12.2(18)SXE

This command was introduced on the Supervisor Engine 720.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

15.4(2)S

This command was implemented on the Cisco ASR 901 Series Aggregation Services Router.

Usage Guidelines

MLDv2 snooping is supported on the Supervisor Engine 720 with all versions of the Policy Feature Card 3 (PFC3).

To use MLDv2 snooping, configure a Layer 3 interface in the subnet for IPv6 multicast routing or enable the MLDv2 snooping querier in the subnet.

Examples

This example shows how to enable MLDv2 snooping globally:


Router(config)# ipv6 mld snooping 

ipv6 nd managed-config-flag

To set the managed address configuration flag in IPv6 router advertisements, use the ipv6 nd managed-config-flag command in an appropriate configuration mode. To clear the flag from IPv6 router advertisements, use the no form of this command.

ipv6 nd managed-config-flag

no ipv6 nd managed-config-flag

Syntax Description

This command has no keywords or arguments.

Command Default

The managed address configuration flag is not set in IPv6 router advertisements.

Command Modes

Interface configuration

Command History

Release Modification
Cisco IOS XE Gibraltar 16.10.1

This command was introduced in a release earlier than Cisco IOS XE Gibraltar 16.10.1.

Usage Guidelines

Setting the managed address configuration flag in IPv6 router advertisements indicates to attached hosts whether they should use stateful autoconfiguration to obtain addresses. If the flag is set, the attached hosts should use stateful autoconfiguration to obtain addresses. If the flag is not set, the attached hosts should not use stateful autoconfiguration to obtain addresses.

Hosts may use stateful and stateless address autoconfiguration simultaneously.

Examples

This example shows how to configure the managed address configuration flag in IPv6 router advertisements:
Device(config)# interface 
Device(config-if)# ipv6 nd managed-config-flag

ipv6 nd other-config-flag

To set the other stateful configuration flag in IPv6 router advertisements, use the ipv6 nd other-config-flag command in an appropriate configuration mode. To clear the flag from IPv6 router advertisements, use the no form of this command.

ipv6 nd other-config-flag

Syntax Description

This command has no keywords or arguments.

Command Default

The other stateful configuration flag is not set in IPv6 router advertisements.

Command Modes

Interface configuration

Dynamic template configuration

Command History

Release Modification
Cisco IOS XE Gibraltar 16.10.1

This command was introduced in a release earlier than Cisco IOS XE Gibraltar 16.10.1.

Usage Guidelines

The setting of the other stateful configuration flag in IPv6 router advertisements indicates to attached hosts how they can obtain autoconfiguration information other than addresses. If the flag is set, the attached hosts should use stateful autoconfiguration to obtain the other (nonaddress) information.


Note

If the managed address configuration flag is set using the ipv6 nd managed-config-flag command, then an attached host can use stateful autoconfiguration to obtain the other (nonaddress) information regardless of the setting of the other stateful configuration flag.


Examples

This example (not applicable for BNG) configures the “other stateful configuration” flag in IPv6 router advertisements:

Device(config)# interface 
Device(config-if)# ipv6 nd other-config-flag
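The two flags configured by ipv6 nd managed-config-flag and ipv6 nd other-config-flag travel in the flags byte of the ICMPv6 router advertisement (RFC 4861). The following is an added example, not Cisco code and not part of the original reference: it decodes that byte from a captured RA, applies the host behaviour stated in the usage guidelines and Note above, and compares the observed flags with what an interface configuration says should be advertised. The interface name and both RA byte strings are constructed, and the ICMPv6 checksum is not validated.

```python
import struct

RA_TYPE = 134   # ICMPv6 Router Advertisement (RFC 4861)
M_FLAG = 0x80   # managed address configuration flag
O_FLAG = 0x40   # other stateful configuration flag


def parse_ra_flags(icmpv6):
    """Decode the fixed 16-byte RA header; return (managed, other) booleans."""
    if len(icmpv6) < 16:
        raise ValueError("truncated router advertisement")
    msg_type, code, _csum, _hop_limit, flags, _lifetime, _reach, _retrans = \
        struct.unpack("!BBHBBHII", icmpv6[:16])
    if msg_type != RA_TYPE or code != 0:
        raise ValueError("not a router advertisement")
    return bool(flags & M_FLAG), bool(flags & O_FLAG)


def configured_flags(interface_config):
    """Flags the interface should advertise, read from its configuration."""
    lines = [line.strip() for line in interface_config.splitlines()]
    return ("ipv6 nd managed-config-flag" in lines,
            "ipv6 nd other-config-flag" in lines)


def host_behaviour(managed, other):
    """What an attached host should do, per the usage guidelines above."""
    return {
        "stateful_addresses": managed,
        # With M set, a host can obtain the other (nonaddress) information by
        # stateful autoconfiguration regardless of O (see the Note above).
        "stateful_other_info": managed or other,
    }


def check_ra(interface_config, icmpv6):
    """Compare an observed RA with the configured intent; return findings."""
    want = configured_flags(interface_config)
    seen = parse_ra_flags(icmpv6)
    findings = []
    for name, w, s in zip(("managed-config-flag", "other-config-flag"), want, seen):
        if w != s:
            findings.append(f"{name}: configured {'set' if w else 'clear'}, "
                            f"observed {'set' if s else 'clear'}")
    return findings


# Constructed interface configuration: only the O flag is intended.
INTERFACE_CONFIG = """\
interface Vlan10
 ipv6 nd other-config-flag
"""

# Constructed RA headers: type 134, code 0, checksum 0, hop limit 64,
# flags, router lifetime 1800 s, reachable time 0, retransmit timer 0.
RA_EXPECTED = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, O_FLAG, 1800, 0, 0)
RA_UNEXPECTED = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, M_FLAG | O_FLAG, 1800, 0, 0)

if __name__ == "__main__":
    for label, ra in (("expected", RA_EXPECTED), ("unexpected", RA_UNEXPECTED)):
        managed, other = parse_ra_flags(ra)
        print(label, host_behaviour(managed, other), check_ra(INTERFACE_CONFIG, ra))
```

An RA whose flags differ from the configured intent was not built from this interface configuration and is worth tracing to its source port.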

ipv6 nd ra-throttler attach-policy

To configure an IPv6 policy for feature RA throttler, use the ipv6 nd ra-throttler attach-policy command.

ipv6 nd ra-throttler attach-policy policy-name

Syntax Description

ipv6

IPv6 root chain.

ra-throttler

Configure RA throttler on the VLAN.

attach-policy

Apply a policy for feature RA throttler.

policy-name

Policy name for feature RA throttler

Command Default

None

Command Modes

config-vlan

Command History

Release Modification

Cisco IOS XE Gibraltar 16.10.1

This command was introduced in a release earlier than Cisco IOS XE Gibraltar 16.10.1.

Examples

The following example shows how to configure an IPv6 policy for feature RA throttler:

Device# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Device(config)# vlan configuration vlan-id
Device(config-vlan-config)# ipv6 nd ra-throttler attach-policy policy-name

ipv6 nd raguard policy

To define the router advertisement (RA) guard policy name and enter RA guard policy configuration mode, use the ipv6 nd raguard policy command in global configuration mode.

ipv6 nd raguard policy policy-name

Syntax Description

policy-name

IPv6 RA guard policy name.

Command Default

An RA guard policy is not configured.

Command Modes


Global configuration (config)#

Command History

Release

Modification

12.2(50)SY

This command was introduced.

15.2(4)S

This command was integrated into Cisco IOS Release 15.2(4)S.

15.0(2)SE

This command was integrated into Cisco IOS Release 15.0(2)SE.

Cisco IOS XE Release 3.2SE

This command was integrated into Cisco IOS XE Release 3.2SE.

Usage Guidelines

Use the ipv6 nd raguard policy command to configure RA guard globally on a router. Once the device is in ND inspection policy configuration mode, you can use any of the following commands:

  • device-role

  • drop-unsecure

  • limit address-count

  • sec-level minimum

  • trusted-port

  • validate source-mac

After IPv6 RA guard is configured globally, you can use the ipv6 nd raguard attach-policy command to enable IPv6 RA guard on a specific interface.

Examples

The following example shows how to define the RA guard policy name as policy1 and place the device in policy configuration mode:


Device(config)# ipv6 nd raguard policy policy1
Device(config-ra-guard)#

ipv6 snooping policy


Note

All existing IPv6 Snooping commands (prior to ) now have corresponding SISF-based device-tracking commands that allow you to apply your configuration to both IPv4 and IPv6 address families.


To configure an IPv6 snooping policy and enter IPv6 snooping configuration mode, use the ipv6 snooping policy command in global configuration mode. To delete an IPv6 snooping policy, use the no form of this command.

ipv6 snooping policy snooping-policy

no ipv6 snooping policy snooping-policy

Syntax Description

snooping-policy

User-defined name of the snooping policy. The policy name can be a symbolic string (such as Engineering) or an integer (such as 0).

Command Default

An IPv6 snooping policy is not configured.

Command Modes

Global configuration

Command History

Release

Modification

This command was introduced.

Usage Guidelines

Use the ipv6 snooping policy command to create an IPv6 snooping policy. When the ipv6 snooping policy command is enabled, the configuration mode changes to IPv6 snooping configuration mode. In this mode, the administrator can configure the following IPv6 first-hop security commands:

  • The device-role command specifies the role of the device attached to the port.

  • The limit address-count maximum command limits the number of IPv6 addresses allowed to be used on the port.

  • The protocol command specifies that addresses should be gleaned with Dynamic Host Configuration Protocol (DHCP) or Neighbor Discovery Protocol (NDP).

  • The security-level command specifies the level of security enforced.

  • The tracking command overrides the default tracking policy on a port.

  • The trusted-port command configures a port to become a trusted port; that is, limited or no verification is performed when messages are received.

Examples

This example shows how to configure an IPv6 snooping policy:


Device(config)# ipv6 snooping policy policy1
Device(config-ipv6-snooping)# 

ipv6 traffic-filter

This command enables IPv6 traffic filter.

To enable the filtering of IPv6 traffic on an interface, use the ipv6 traffic-filter command. To disable the filtering of IPv6 traffic on an interface, use the no form of the command.

Use the ipv6 traffic-filter interface configuration command on the switch stack or on a standalone switch to filter IPv6 traffic on an interface. The type and direction of traffic that you can filter depends on the feature set running on the switch stack. Use the no form of this command to disable the filtering of IPv6 traffic on an interface.

ipv6 traffic-filter [web] acl-name

no ipv6 traffic-filter [web]

Syntax Description

web

(Optional) Specifies an IPv6 access name for the WLAN Web ACL.

acl-name

Specifies an IPv6 access name.

Command Default

Filtering of IPv6 traffic on an interface is not configured.

Command Modes

wlan

Command History

Release Modification

This command was introduced.

Usage Guidelines

To configure the dual IPv4 and IPv6 template, enter the sdm prefer dual-ipv4-and-ipv6 {default | vlan} global configuration command and reload the switch.

You can use the ipv6 traffic-filter command on physical interfaces (Layer 2 or Layer 3 ports), Layer 3 port channels, or switch virtual interfaces (SVIs).

You can apply an ACL to outbound or inbound traffic on Layer 3 interfaces (port ACLs), or to inbound traffic on Layer 2 interfaces (router ACLs).

If any port ACL (IPv4, IPv6, or MAC) is applied to an interface, that port ACL is used to filter packets, and any router ACLs attached to the SVI of the port VLAN are ignored.

Examples

This example shows how to filter IPv6 traffic on an interface:

Device(config-wlan)# ipv6 traffic-filter TestDocTrafficFilter
                                            
                                             

key chain

To create or modify a keychain, use the key chain command. To disable this feature, use the no form of this command.

key chain key-chain name { macsec | tcp }

no key chain key-chain name { macsec | tcp }

Syntax Description

key-chain name

Specifies the name of the key chain.

macsec

Specifies a MacSEC key chain.

tcp

Specifies the tcp key chain.

Command Default

No default.

Command Modes

Global configuration mode.

Examples

The following example shows how to specify a key chain to identify authentication on a key-chain:


Device(config)# key chain key-chain-name macsec

key config-key

To set a private configuration key for private use, use the key config-key command. To disable this feature, use the no form of this command.

key config-key { 1 LINE | newpass config-key | password-encrypt LINE }

no key config-key { 1 LINE | newpass config-key | password-encrypt LINE }

Syntax Description

1

Sets a private configuration key for private use.

newpass

Specifies a new password without space or tabs.

config-key

Specifies the config key, with a minimum of 8 characters, and not beginning with the IOS special characters - !, #, and ;.

password-encrypt

Sets a private configuration key for password encryption.

Command Default

None

Command Modes

Global configuration mode.

Examples

The following example shows how to specify a config-key:


Device(config)# key config-key password-encrypt config-key

key config-key password-encrypt

To set a private configuration key for password encryption, use the key config-key password-encrypt command. To disable this feature, use the no form of this command.

key config-key password-encrypt <config-key>

Syntax Description

config-key

Enter a value with minimum 8 characters.

Note 

The value must not begin with the following special characters:

!, #, and ;

Command Default

None

Command Modes

Global configuration mode

Command History

Release Modification

Cisco IOS XE Gibraltar 17.6.1

This command was introduced.

Examples

The following example shows how to set a private configuration key for password encryption and enable AES password encryption:

Device> enable
Device# configure terminal
Device(config)# key config-key password-encrypt 12345678
Device(config)# password encryption aes
Device(config)# end

license air level

To configure AIR licenses on a wireless controller, enter the license air level command in global configuration mode. To revert to the default setting, use the no form of this command.

license air level { air-network-advantage [ addon air-dna-advantage ] | air-network-essentials [ addon air-dna-essentials ] }

no license air level

Syntax Description

air-network-advantage

Configures the AIR Network Advantage license level.

addon air-dna-advantage

(Optional) Configures the add-on AIR DNA Advantage license level.

This add-on option is available with the AIR Network Advantage license.

air-network-essentials

Configures the AIR Network Essentials license level.

addon air-dna-essentials

(Optional) Configures the add-on AIR DNA Essentials license level.

This add-on option is available with the AIR Network Essential license.

Command Default

For all Cisco Catalyst 9800 Wireless controllers the default license is AIR DNA Advantage.

For EWC-APs:

  • Prior to Cisco IOS XE Bengaluru 17.4.1, the default license is AIR DNA Essentials.

  • Starting with Cisco IOS XE Bengaluru 17.4.1, the default license is AIR Network Essentials

Command Modes

Global configuration (config)

Command History

Release Modification

Cisco IOS XE Gibraltar 16.10.1

This command was introduced.

Cisco IOS XE Amsterdam 17.3.2a

This command continues to be available and applicable with the introduction of Smart Licensing Using Policy.

Cisco IOS XE Bengaluru 17.4.1

Only for EWC-APs, the default license was changed from AIR DNA Essentials to AIR Network Essentials.

Usage Guidelines

In the Smart Licensing Using Policy environment, you can use the license air level command to change the license level being used on the product instance, or to additionally configure an add-on license on the product instance. The change is effective after a reload.

The licenses that can be configured are:

  • AIR Network Essential

  • AIR Network Advantage

  • AIR DNA Essential

  • AIR DNA Advantage

You can configure AIR DNA Essential or AIR DNA Advantage license level and on term expiry, you can move to the Network Advantage or Network Essentials license level, if you do not want to renew the DNA license.

Every connecting AP requires a Cisco DNA Center License to leverage the unique value properties of the controller.

Specifics for EWC-APs

Starting with Cisco IOS XE Bengaluru 17.4.1, only for EWC-APs, you can opt-out of purchasing an AIR DNA license. The option to opt-out of AIR DNA licenses is available only through the Cisco Commerce portal. When you opt-out, Smart Licensing Using Policy functionality is disabled.

For a new product instance, this means:

Condition: You opt-out of AIR DNA licenses
Required Action: None.
Outcome or Result: Use only AIR Network Essentials. Smart Licensing Using Policy functionality is disabled on the product instance and for your Smart Account and Virtual Account in CSSM. License usage is not recorded, and no reporting requirements apply.

Condition: You purchase AIR DNA licenses
Required Action: Enter the license air level command in global configuration mode and configure the corresponding AIR DNA license. Reload to use the corresponding license. Implement one of the supported topologies and fulfill reporting requirements. For information about implementing a topology, see the Supported Topologies section in the software configuration guide of the required release.
Outcome or Result: Use the purchased AIR DNA and AIR Network license. Smart Licensing Using Policy functionality is enabled on the product instance and for your Smart Account and Virtual Account in CSSM.

For an existing product instance, this means:

Condition: You are using an AIR DNA license
Required Action: None.
Outcome or Result: No change. You are already in the Smart Licensing Using Policy environment.

Condition: You do not want to renew the DNA license on term expiry
Required Action: On term expiry, enter the license air level command in global configuration mode and configure AIR Network Essentials or AIR Network Advantage. Reload to use the corresponding license.
Outcome or Result: If you had AIR DNA Essentials, you now use AIR Network Essentials. If you had AIR DNA Advantage, you now use AIR Network Advantage. Smart Licensing Using Policy functionality is disabled on the product instance and for your Smart Account and Virtual Account in CSSM. License usage is not recorded, and no reporting requirements apply.

Examples

The following example shows how to configure the AIR DNA Essential license level:

Device# configure terminal
Device(config)# license air level air-network-essentials addon air-dna-essentials

The following example shows how the AIR DNA Advantage license level is configured to begin with and then changed to AIR DNA Essentials:

Current configuration as AIR DNA Advantage:

Device# show version
Cisco IOS XE Software, Version 17.03.02
Cisco IOS Software [Amsterdam], C9800-CL Software (C9800-CL-K9_IOSXE), Version 17.3.2, RELEASE SOFTWARE
<output truncated>
AIR License Level: AIR DNA Advantage
Next reload AIR license Level: AIR DNA Advantage

Smart Licensing Status: Registration Not Applicable/Not Applicable
<output truncated>

Configuration of AIR DNA Essentials:

Device# configure terminal
Device(config)# license air level air-network-essentials addon air-dna-essentials
Device(config)# exit
Device# show version
Cisco IOS XE Software, Version 17.03.02
Cisco IOS Software [Amsterdam], C9800-CL Software (C9800-CL-K9_IOSXE), Version 17.3.2, RELEASE SOFTWARE 
<output truncated>
AIR License Level: AIR DNA Advantage
Next reload AIR license Level: AIR DNA Essentials          
Smart Licensing Status: Registration Not Applicable/Not Applicable
<output truncated>

Device# write memory
Device# reload

After reload:

Device# show version
Cisco IOS XE Software, Version 17.03.02
Cisco IOS Software [Amsterdam], C9800-CL Software (C9800-CL-K9_IOSXE), Version 17.3.2, RELEASE SOFTWARE 
<output truncated>
AIR License Level: AIR DNA Essentials
Next reload AIR license Level: AIR DNA Essentials

Smart Licensing Status: Registration Not Applicable/Not Applicable
<output truncated>

license smart (global config)

To configure licensing-related settings, such as the mode of transport and the URL that the product instance uses to communicate with Cisco Smart Software Manager (CSSM), Cisco Smart Licensing Utility (CSLU), or Smart Software Manager On-Prem (SSM On-Prem), the usage reporting interval, and the information that must be excluded or included in a license usage report (RUM report), enter the license smart command in global configuration mode. Use the no form of the command to revert to default values.

license smart { custom_id ID | enable | privacy { all | hostname | version } | proxy { address address_hostname | port port } | reservation | server-identity-check | transport { automatic | callhome | cslu | off | smart } | url { url | cslu cslu_or_on-prem_url | default | smart smart_url | utility secondary_url } | usage { customer-tags { tag1 | tag2 | tag3 | tag4 } tag_value | interval interval_in_days } | utility [ customer_info { city city | country country | postalcode postalcode | state state | street street } ] }

no license smart { custom_id | enable | privacy { all | hostname | version } | proxy { address address_hostname | port port } | reservation | server-identity-check | transport | url { url | cslu cslu_or_on-prem_url | default | smart smart_url | utility secondary_url } | usage { customer-tags { tag1 | tag2 | tag3 | tag4 } tag_value | interval interval_in_days } | utility [ customer_info { city city | country country | postalcode postalcode | state state | street street } ] }

Syntax Description

custom_id ID

Although available on the CLI, this option is not supported.

enable

Although visible on the CLI, configuring this keyword has no effect. Smart licensing is always enabled.

privacy { all | hostname | version }

Enables you to leave out certain information from the usage reports that are sent to CSSM. Choose from the following options:

  • all : Sends only the minimal licensing information in any communication.

  • hostname : Excludes the hostname from any communication.

  • version : Excludes the product instance agent version from any communication.

proxy { address address_hostname | port port }

Configures a proxy for license usage synchronization with CSLU or CSSM. This means that you can use this option to configure a proxy only if the transport mode is license smart transport smart (CSSM), or license smart transport cslu (CSLU).

However, you cannot configure a proxy for license usage synchronization in an SSM On-Prem deployment, which also uses license smart transport cslu as the transport mode.

Configure the following options:

  • address address_hostname : Configures the proxy address.

    For address_hostname, enter the IP address or hostname of the proxy.

  • port port : Configures the proxy port.

    For port, enter the proxy port number.

reservation

Enables or disables a license reservation feature.

Note 

Although available on the CLI, this option is not applicable because license reservation is not applicable in the Smart Licensing Using Policy environment.

server-identity-check

Enables or disables the HTTP secure server identity check.

transport { automatic | callhome | cslu | off | smart }

Configures the mode of transport the product instance uses to communicate with CSSM. Choose from the following options:

  • automatic : Sets the transport mode to cslu.

    Note 

    The automatic keyword is not supported on Cisco Catalyst Wireless Controllers.

  • callhome : Enables Call Home as the transport mode.

  • cslu : Enables CSLU as the transport mode. This is the default transport mode.

    The same keyword applies to both CSLU and SSM On-Prem, but the URLs are different. See cslu cslu_or_on-prem_url in the following row.

  • off : Disables all communication from the product instance.

  • smart : Enables Smart transport.

url { url | cslu cslu_url | default | smart smart_url | utility secondary_url }

Sets the URL that is used for the configured transport mode. Choose from the following options:

  • url : If you have configured the transport mode as callhome, configure this option. Enter the CSSM URL exactly as follows:

    https://tools.cisco.com/its/service/oddce/services/DDCEService

    The no license smart url url command reverts to the default URL.

  • cslu cslu_or_on-prem_url : If you have configured the transport mode as cslu, configure this option, with the URL for CSLU or SSM On-Prem, as applicable:

    • If you are using CSLU, enter the URL as follows:

      http://<cslu_ip_or_host>:8182/cslu/v1/pi

      For <cslu_ip_or_host>, enter the hostname or the IP address of the Windows host where you have installed CSLU. 8182 is the port number and it is the only port number that CSLU uses.

      The no license smart url cslu cslu_or_on-prem_url command reverts to http://cslu-local:8182/cslu/v1/pi

    • If you are using SSM On-Prem, enter the URL as follows:

      http://<ip>/cslu/v1/pi/<tenant ID>

      For <ip>, enter the hostname or the IP address of the server where you have installed SSM On-Prem. The <tenant ID> must be the default local virtual account ID.

      Tip 
      You can retrieve the entire URL from SSM On-Prem. In the software configuration guide (17.3.x and later), see Smart Licensing Using Policy > Task Library for Smart Licensing Using Policy > Retrieving the Transport URL (SSM On-Prem UI).

      The no license smart url cslu cslu_or_on-prem_url command reverts to http://cslu-local:8182/cslu/v1/pi

  • default : Depends on the configured transport mode. Only the smart and cslu transport modes are supported with this option.

    If the transport mode is set to cslu, and you configure license smart url default , the CSLU URL is configured automatically (https://cslu-local:8182/cslu/v1/pi).

    If the transport mode is set to smart, and you configure license smart url default , the Smart URL is configured automatically (https://smartreceiver.cisco.com/licservice/license).

  • smart smart_url : If you have configured the transport type as smart, configure this option. Enter the URL exactly as follows:

    https://smartreceiver.cisco.com/licservice/license

    When you configure this option, the system automatically creates a duplicate of the URL in license smart url url . You can ignore the duplicate entry, no further action is required.

    The no license smart url smart smart_url command reverts to the default URL.

  • utility smart_url : Although available on the CLI, this option is not supported.

usage { customer-tags { tag1 | tag2 | tag3 | tag4 } tag_value | interval interval_in_days }

Configures usage reporting settings. You can set the following options:

  • customer-tags { tag1 | tag2 | tag3 | tag4 } tag_value : Defines strings for inclusion in data models, for telemetry. Up to 4 strings (or tags) may be defined.

    For tag_value , enter the string value for each tag that you define.

  • interval interval_in_days : Sets the reporting interval in days. By default the RUM report is sent every 30 days. The valid value range is 1 to 3650.

    If you set the value to zero, RUM reports are not sent, regardless of what the applied policy specifies - this applies to topologies where CSLU or CSSM may be on the receiving end.

    If you set a value that is greater than zero and the transport type is set to off, then, between the interval_in_days and the policy value for Ongoing reporting frequency (days):, the lower of the two values is applied. For example, if interval_in_days is set to 100, and the value in the policy says Ongoing reporting frequency (days):90, RUM reports are sent every 90 days.

    If you do not set an interval, and the default is effective, the reporting interval is determined entirely by the policy value. For example, if the default value is effective and only unenforced licenses are in use, if the policy states that reporting is not required, then RUM reports are not sent.

utility [ customer_info { city city | country country | postalcode postalcode | state state | street street } ]

Although visible on the CLI, this option is not supported.

Command Default

Cisco IOS XE Amsterdam 17.3.1 or earlier: Smart Licensing is enabled by default.

Cisco IOS XE Amsterdam 17.3.2a and later: Smart Licensing Using Policy is enabled by default.

Command Modes

Global config (config)

Command History

Release Modification

Cisco IOS XE Gibraltar 16.10.1

This command was introduced.

Cisco IOS XE Amsterdam 17.3.2a

The following keywords and variables were introduced with Smart Licensing Using Policy:

  • Under the url keyword, these options were introduced:

    { cslu cslu_url | smart smart_url }

  • Under the transport keyword, these options were introduced:

    { cslu | off }

    Further, the default transport type was changed from callhome to cslu.

  • usage { customer-tags { tag1 | tag2 | tag3 | tag4 } tag_value | interval interval_in_days }

The following keywords and variables under the license smart command are deprecated and no longer available on the CLI: enable and conversion automatic .

Cisco IOS XE Amsterdam 17.3.3

SSM On-Prem support was introduced. For product instance-initiated communication in an SSM On-Prem deployment, the existing [no] license smart url cslu cslu_or_on-prem_url command supports the configuration of a URL for SSM On-Prem as well. But the required URL format for SSM On-Prem is: http://<ip>/cslu/v1/pi/<tenant ID>.

The corresponding transport mode that must be configured is also an existing command (license smart transport cslu ).

Usage Guidelines

The reporting interval that you configure (license smart usage interval interval_in_days command), determines the date and time at which the product instance sends out the RUM report. If the scheduled interval coincides with a communication failure, the product instance attempts to send out the RUM report for up to four hours after the scheduled time has expired. If it is still unable to send out the report (because the communication failure persists), the system resets the interval to 15 minutes. Once the communication failure is resolved, the system reverts the reporting interval to the value that you last configured.

The system message you may see in case of a communication failure is %SMART_LIC-3-COMM_FAILED. For information about resolving this error and restoring the reporting interval value, in the software configuration guide of the required release (17.3.x onwards), see System Configuration > Smart Licensing Using Policy > Troubleshooting Smart Licensing Using Policy.

Examples


The following examples show how to configure data privacy related information using license smart privacy command in global configuration mode. The accompanying show license status output displays configured information.

No private information is sent:
Device# configure terminal
Device(config)# license smart privacy all  
Device(config)# license smart transport callhome 
Device(config)# license smart url https://tools.cisco.com/its/service/oddce/services/DDCEService
Device(config)# exit
Device# show license status
<output truncated>
Data Privacy:
  Sending Hostname: no
    Callhome hostname privacy: ENABLED
    Smart Licensing hostname privacy: ENABLED
  Version privacy: ENABLED

Transport:
  Type: Callhome
<output truncated>

Agent version on the product instance is not sent:
Device# configure terminal
Device(config)# license smart privacy version 
Device(config)# license smart transport callhome 
Device(config)# license smart url https://tools.cisco.com/its/service/oddce/services/DDCEService
Device(config)# exit
Device# show license status
<output truncated>
Data Privacy:
  Sending Hostname: yes
    Callhome hostname privacy: DISABLED
    Smart Licensing hostname privacy: DISABLED
  Version privacy: ENABLED

Transport:
  Type: Callhome
<output truncated>

Examples

The following examples show how to configure some of the transport types using the license smart transport and the license smart url commands in global configuration mode. The accompanying show license all output displays configured information.

Transport cslu :
Device# configure terminal
Device(config)# license smart transport cslu 
Device(config)# license smart url default
Device(config)# exit
Device# show license all
<output truncated>
Transport:
  Type: cslu
  Cslu address: http://192.168.0.1:8182/cslu/v1/pi
  Proxy:
    Not Configured
<output truncated>

Transport smart :
Device# configure terminal
Device(config)# license smart transport smart 
Device(config)# license smart url smart https://smartreceiver.cisco.com/licservice/license
Device(config)# exit
Device# show license all
<output truncated>
Transport:
  Type: Smart
  URL: https://smartreceiver-stage.cisco.com/licservice/license
  Proxy:
    Not Configured
<output truncated>
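
An added example (not Cisco's code): a Python audit that parses the Data Privacy and Transport blocks of show license status or show license all output, in the layout shown in the examples above, and flags settings that send the hostname or agent version or that point the transport at a cleartext http:// URL. Both sample outputs are constructed, and the pass criteria (every privacy flag enabled, HTTPS transport) are assumptions of this example.

```python
"""Audit 'show license status' / 'show license all' text for privacy and transport settings."""
from urllib.parse import urlsplit

# Constructed samples that follow the layout of the outputs shown above.
PERMISSIVE = """\
<output truncated>
Data Privacy:
  Sending Hostname: yes
    Callhome hostname privacy: DISABLED
    Smart Licensing hostname privacy: DISABLED
  Version privacy: ENABLED

Transport:
  Type: cslu
  Cslu address: http://192.168.0.1:8182/cslu/v1/pi
  Proxy:
    Not Configured
<output truncated>
"""

PRIVATE = """\
Data Privacy:
  Sending Hostname: no
    Callhome hostname privacy: ENABLED
    Smart Licensing hostname privacy: ENABLED
  Version privacy: ENABLED

Transport:
  Type: Callhome
"""

# Privacy flags expected to read ENABLED (policy assumed by this example).
PRIVACY_KEYS = (
    "Callhome hostname privacy",
    "Smart Licensing hostname privacy",
    "Version privacy",
)


def parse_sections(text):
    """Return {section: {key: value}} for unindented 'Name:' headers and their indented lines."""
    sections = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("<"):
            continue  # blank lines and '<output truncated>' markers
        if not raw[0].isspace():
            # An unindented line ending in ':' opens a new section.
            header = raw.strip()
            current = sections.setdefault(header[:-1], {}) if header.endswith(":") else None
            continue
        if current is None:
            continue
        key, sep, value = raw.strip().partition(":")
        if sep:
            current[key.strip()] = value.strip()
    return sections


def audit(text):
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    sections = parse_sections(text)
    findings = []

    privacy = sections.get("Data Privacy")
    if privacy is None:
        findings.append("Data Privacy section not found")
    else:
        if privacy.get("Sending Hostname", "").lower() == "yes":
            findings.append("hostname is included in licensing messages")
        for key in PRIVACY_KEYS:
            if privacy.get(key, "").upper() != "ENABLED":
                findings.append(f"{key} is not ENABLED")

    transport = sections.get("Transport", {})
    url = transport.get("Cslu address") or transport.get("URL")
    if url and urlsplit(url).scheme.lower() != "https":
        findings.append(f"transport URL is not HTTPS: {url}")
    return findings


if __name__ == "__main__":
    for name, sample in (("permissive", PERMISSIVE), ("private", PRIVATE)):
        print(name, audit(sample) or "no findings")
```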

Examples

The following examples show how to configure some of the usage reporting settings using the license smart usage command in global configuration mode. The accompanying show running-config output displays configured information.

Configuring the customer-tag option:
Device# configure terminal
Device(config)# license smart usage customer-tags tag1 SA/VA:01 
Device(config)# exit
Device# show running-config | include tag1
license smart usage customer-tags tag1 SA/VA:01

Configuring a narrower reporting interval than the currently applied policy:
Device# show license status
<output truncated>
Usage Reporting:
Last ACK received: Sep 22 13:49:38 2020 PST
Next ACK deadline: Dec 21 12:02:21 2020 PST
Reporting push interval: 30 days
Next ACK push check: Sep 22 12:20:34 2020 PST
Next report push: Oct 22 12:05:43 2020 PST
Last report push: Sep 22 12:05:43 2020 PST
Last report file write: <none>
<output truncated>

Device# configure terminal
Device(config)# license smart usage interval 20 
Device(config)# exit
Device# show license status
<output truncated>

Usage Reporting:
Last ACK received: Sep 22 13:49:38 2020 PST
Next ACK deadline: Nov 22 12:02:21 2020 PST
Reporting push interval: 20 days
Next ACK push check: Sep 22 12:20:34 2020 PST
Next report push: Oct 12 12:05:43 2020 PST
Last report push: Sep 22 12:05:43 2020 PST
Last report file write: <none>
<output truncated>

license smart (privileged EXEC)

To configure licensing functions such as requesting or returning authorization codes, saving Resource Utilization Measurement reports (RUM reports), importing a file on to a product instance, establishing trust with Cisco Smart Software Manager (CSSM), synchronizing the product instance with CSSM, or Cisco Smart License Utility (CSLU), or Smart Software Manager On-Prem (SSM On-Prem), and removing licensing information from the product instance, enter the license smart command in privileged EXEC mode with the corresponding keyword or argument.

license smart { authorization { request { add | replace } feature_name { all | local } | return { all | local } { offline [ path ] | online } } | clear eventlog | export return { all | local } feature_name | factory reset | import file_path | save { trust-request filepath_filename | usage { all | days days | rum-id rum-ID | unreported } { file file_path } } | sync { all | local } | trust idtoken id_token_value { local | all } [ force ] }

Syntax Description

smart

Provides options for Smart Licensing.

authorization

Provides the option to request for, or return, authorization codes.

Authorization codes are required only if you use licenses with enforcement type: export-controlled or enforced.

request

Requests an authorization code from CSSM, CSLU (CSLU in turn fetches it from CSSM), or SSM On-Prem and installs it on the product instance.

add

Adds the requested license to the existing authorization code. The new authorization code will contain all the licenses of the existing authorization code and the requested license.

replace

Replaces the existing authorization code. The new authorization code will contain only the requested license. All licenses in the current authorization code are returned.

When you enter this option, the product instance verifies if licenses that correspond to the authorization codes that will be removed, are in-use. If licenses are being used, an error message tells you to first disable the corresponding features.

feature_name

Name of the license for which you are requesting an authorization code.

all

Performs the action for all product instances in a High Availability configuration.

local

Performs the action for the active product instance. This is the default option.

return

Returns an authorization code back to the license pool in CSSM.

offline file_path

Means the product instance is not connected to CSSM. The authorization code is returned offline. This option requires you to print the return code to a file.

Optionally, you can also specify a path to save the file. The file format can be any readable format, such as .txt.

If you choose the offline option, you must complete the additional step of copying the return code from the CLI or the saved file and entering it in CSSM.

online

Means that the product instance is in a connected mode. The authorization code is returned to CSLU or CSSM directly.

clear eventlog

Clears all event log files from the product instance.

export return

Returns the authorization key for an export-controlled license.

factory reset

Clears all saved licensing information from the product instance.

import filepath_filename

Imports a file on to the product instance. The file may be that of an authorization code, a trust code, or a policy.

For filepath_filename , specify the location, including the filename.

save

Provides options to save RUM reports or trust code requests.

trust-request filepath_filename

Saves the trust code request for the active product instance in the specified location.

For filepath_filename , specify the absolute path to the file, including the filename.

usage { all | days days | rum-id rum-ID | unreported } { file file_path }

Saves RUM reports (license usage information) in the specified location. You must specify one of these options:

  • all : Saves all RUM reports.

  • days days : Saves RUM report for the last n number of days (excluding the current day). Enter a number. The valid range is 0 to 4294967295.

    For example, if you enter 3, RUM reports of the last three days are saved.

  • rum-id rum-ID : Saves a specified RUM ID. The valid value range is 0 to 18446744073709551615.

  • unreported : Saves all unreported RUM reports.

file filepath_filename : Saves the specified usage information to a file. Specify the absolute path to the file, including the filename.

sync { all | local }

Synchronizes with CSSM or CSLU, or SSM On-Prem, to send and receive any pending data. This includes uploading pending RUM reports, downloading the ACK response, any pending authorization codes, trust codes, and policies for the product instance.

Specify the product instance by entering one of these options:

  • all : Performs synchronization for all the product instances in a High Availability set-up. If you choose this option, the product instance also sends the list of all the UDIs in the synchronization request.

  • local : Performs synchronization only for the active product instance sending the request, that is, its own UDI. This is the default option.

trust idtoken id_token_value

Establishes a trusted connection with CSSM.

To use this option, you must first generate a token in the CSSM portal. Provide the generated token value for id_token_value .

force

Submits a trust code request even if a trust code already exists on the product instance.

A trust code is node-locked to the UDI of a product instance. If the UDI is already registered, CSSM does not allow a new registration for the same UDI. Entering the force keyword overrides this behavior.

Command Default

Cisco IOS XE Amsterdam 17.3.1 or earlier: Smart Licensing is enabled by default.

Cisco IOS XE Amsterdam 17.3.2a and later: Smart Licensing Using Policy is enabled by default.

Command Modes

Privileged EXEC

Command History

Release Modification

Cisco IOS XE Gibraltar 16.10.1

This command was introduced.

Cisco IOS XE Amsterdam 17.3.2a

The following keywords and variables were introduced with Smart Licensing Using Policy:

  • authorization { request { add | replace } feature_name { all | local } | return { all | local } { offline [ path ] | online } }

  • import file_path

  • save { trust-request filepath_filename | usage { all | days days | rum-id rum-ID | unreported } { file file_path } }

  • sync { all | local }

  • trust idtoken id_token_value { local | all } [ force ]

The following keywords and variables under the license smart command are deprecated and no longer available on the CLI:

  • register idtoken token_id [ force ]

  • renew id { ID | auth }

  • debug { error | debug | trace | all }

  • reservation { cancel [ all | local ] | install [ file ] key | request { all | local | universal } | return [ all | authorization { auth_code | file filename } | Local ] key }

  • mfg reservation { request | install | install file | cancel }

  • conversion { start | stop }

Cisco IOS XE Amsterdam 17.3.3

Support for SSM On-Prem was introduced. You can perform licensing-related tasks such as saving Resource Utilization Measurement reports (RUM reports), importing a file on to a product instance, synchronizing the product instance, returning authorization codes, and removing licensing information from the product instance in an SSM On-Prem deployment.

Usage Guidelines

Overwriting a Trust Code

Use case for the force option when configuring the license smart trust idtoken command: You use the same token for all the product instances that are part of one Virtual Account. If the product instance has moved from one account to another (for instance, because it was added to a High Availability set-up, which is part of another Virtual Account), then there may be an existing trust code you have to overwrite.

Removing Licensing Information

Entering the license smart factory reset command removes all licensing information (except the licenses in-use) from the product instance, including any authorization codes, RUM reports, and so on. Therefore, we recommend the use of this command only if the product instance is being returned (Return Material Authorization, or RMA), or being decommissioned permanently. We also recommend that you send a RUM report to CSSM before you remove licensing information from the product instance. This ensures that CSSM has up-to-date usage information.

Authorization Codes and License Reservations:

Options relating to authorization codes and license reservations:

  • Since there are no export-controlled or enforced licenses on any of the Cisco Catalyst Wireless Controllers, and the notion of reserved licenses is not applicable in the Smart Licensing Using Policy environment, the following commands are not applicable:

    • license smart authorization request { add | replace } feature_name { all | local }

    • license smart export return

  • The following option is applicable and required for any SLR authorization codes you may want to return:

    license smart authorization return { all | local } { offline [ path ] | online }

Examples

The following example shows how you can save license usage information on the product instance. You can use this option to fulfil reporting requirements in an air-gapped network. In the example, the file is first saved to flash memory and then copied to a TFTP location:
Device> enable
Device# license smart save usage unreported file flash:RUM-unrep.txt
Device# dir
Directory of bootflash:/

33      -rw-             5994   Nov 2 2020 03:58:04 +05:00  RUM-unrep.txt

Device# copy flash:RUM-unrep.txt tftp://192.168.0.1//auto/tftp-user/user01/
Address or name of remote host [192.168.0.1]?
Destination filename [//auto/tftp-user/user01/RUM-unrep.txt]?
!!
15128 bytes copied in 0.161 secs (93963 bytes/sec)

After you save RUM reports to a file, you must upload it to CSSM (from a workstation that has connectivity to the internet, and Cisco).

Examples

The following example shows how to install a trust code even if one is already installed on the product instance. This requires connectivity to CSSM. The accompanying show license status output shows sample output after successful installation:

Before you can install a trust code, you must generate a token and download the corresponding file from CSSM.

Use the show license status command (Trust Code Installed:) to verify results.
Device> enable
Device# license smart trust idtoken NGMwMjk5mYtNZaxMS00NzMZmtgWm local force

Device# show license status
<output truncated>
Trust Code Installed:
  Active: PID:C9800-CL-K9,SN:93BBAH93MGS
    INSTALLED on Nov 02 05:19:05 2020 IST
  Standby: PID:C9800-CL-K9,SN:9XECPSUU4XN
    INSTALLED on Nov 02 05:19:05 2020 IST
<output truncated>

Examples

The following example shows how to remove and return an SLR authorization code. Here the code is returned offline (no connectivity to CSSM). The accompanying show license all output shows sample output after successful return:
Device> enable
Device# show license all
<output truncated>
License Authorizations
======================
Overall status:
  Active: PID:C9800-CL-K9,SN:93BBAH93MGS
      Status: SPECIFIC INSTALLED on Nov 02 03:16:01 2020 IST
      Last Confirmation code: 102fc949
  Standby: PID:C9800-CL-K9,SN:9XECPSUU4XN
      Status: SPECIFIC INSTALLED on Nov 02 03:15:45 2020 IST
      Last Confirmation code: ad4382fe
<output truncated>

Device# license smart authorization return local offline
Enter this return code in Cisco Smart Software Manager portal:
UDI: PID:C9800-CL-K9,SN:93BBAH93MGS
    Return code: CqaUPW-WSPYiq-ZNU2ci-SnWydS-hBCXHP-MuyPqy-PJ1GiG-tPTGQj-S2h
UDI: PID:C9800-CL-K9,SN:9XECPSUU4XN
    Return code: CNLwxR-eWiAEJ-XaTEQg-j4rrYW-dSRz9j-37VpcP-imjuLD-mNeA4k-TXA 

Device# show license all
<output truncated>
License Authorizations
======================
Overall status:
  Active: PID:C9800-CL-K9,SN:93BBAH93MGS
      Status: NOT INSTALLED
      Last return code: CqaUPW-WSPYiq-ZNU2ci-SnWydS-hBCXHP-MuyPqy-PJ1GiG-tPTGQj-S2h
  Standby: PID:C9800-CL-K9,SN:9XECPSUU4XN
      Status: NOT INSTALLED
      Last return code: CNLwxR-eWiAEJ-XaTEQg-j4rrYW-dSRz9j-37VpcP-imjuLD-mNeA4k-TXA
<output truncated>

If you choose the offline option, you must complete the additional step of copying the return code from the CLI or the saved file and entering it in CSSM.

local-admin-mac deny

To deny association of clients using Locally Administered Addresses, use the local-admin-mac deny command. Use the no form of this command to disable the feature.

local-admin-mac deny

no local-admin-mac deny

Syntax Description

local-admin-mac

Specifies the locally administered MAC addresses.

deny

Denies the association of clients using Locally Administered Addresses.

Command Default

None

Command Modes

WLAN configuration mode (config-wlan)

Command History

Release Modification
Cisco IOS XE Bengaluru 17.5.1

This command was introduced.

Examples

The following example shows how to deny association of clients using Locally Administered Addresses:

Device# configure terminal
Device(config)# wlan wlan-test 3 ssid-test
Device(config-wlan)# shutdown
Device(config-wlan)# [no] local-admin-mac deny
Device(config-wlan)# no shutdown 
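
An added example (not Cisco's code): a Python check that classifies client MAC addresses as locally administered or universally administered, which helps estimate how many clients a WLAN would turn away before local-admin-mac deny is enabled. It relies on the IEEE convention that bit 0x02 of the first octet marks a locally administered address; that the controller tests exactly this bit is an assumption, and the address list is constructed sample data.

```python
"""Classify MAC addresses by the U/L bit to preview the effect of 'local-admin-mac deny'."""
import re

# Accepted notations: colon, hyphen, Cisco dotted, and bare hex.
_FORMATS = (
    re.compile(r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"),
    re.compile(r"(?:[0-9a-f]{2}-){5}[0-9a-f]{2}"),
    re.compile(r"(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}"),
    re.compile(r"[0-9a-f]{12}"),
)


def parse_mac(text):
    """Return the 6 raw bytes of a MAC address, or raise ValueError."""
    candidate = text.strip().lower()
    if not any(fmt.fullmatch(candidate) for fmt in _FORMATS):
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes.fromhex(re.sub(r"[:.\-]", "", candidate))


def is_locally_administered(mac):
    """True when the U/L bit (0x02 of the first octet) is set."""
    return bool(mac[0] & 0x02)


def is_group_address(mac):
    """True when the I/G bit (0x01 of the first octet) is set (multicast/broadcast)."""
    return bool(mac[0] & 0x01)


def preview_deny(addresses):
    """Sort addresses into 'denied', 'allowed' and 'invalid' buckets.

    'denied' lists the clients that would be refused under the assumption that
    the feature matches on the U/L bit alone.
    """
    result = {"denied": [], "allowed": [], "invalid": []}
    for text in addresses:
        try:
            mac = parse_mac(text)
        except ValueError:
            result["invalid"].append(text)
            continue
        bucket = "denied" if is_locally_administered(mac) else "allowed"
        result[bucket].append(text)
    return result


# Constructed sample: a mix of notations, randomized-style and vendor-assigned addresses.
SAMPLE_CLIENTS = [
    "da:a1:19:00:00:01",   # 0xda -> U/L bit set
    "0050.56ab.cdef",      # 0x00 -> universally administered
    "3C-22-FB-12-34-56",   # 0x3c -> universally administered
    "f2aabbccddee",        # 0xf2 -> U/L bit set
    "02:00:00:00:00:01",   # 0x02 -> U/L bit set
    "not-a-mac",
]

if __name__ == "__main__":
    for bucket, items in preview_deny(SAMPLE_CLIENTS).items():
        print(f"{bucket:8} {len(items)}  {items}")
```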

local-auth ap eap-fast

To configure Flex policy local authentication using EAP Fast method, use the local-auth ap eap-fast command.

local-auth ap eap-fast profile-name

Syntax Description

profile-name

Enter eap-fast profile name.

Command Default

None

Command Modes

config-wireless-flex-profile

Command History

Release Modification

Cisco IOS XE Gibraltar 16.10.1

This command was introduced in a release earlier than Cisco IOS XE Gibraltar 16.10.1.

Examples

The following example shows how to configure EAP Fast method authentication on a Flex policy:

Device# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Device(config)# wireless profile flex profile-name
Device(config-wireless-flex-profile)# local-auth ap eap-fast eap-fast-profile-name

local-site

To configure the site as local site, use the local-site command.

local-site

Syntax Description

local-site

Configure this site as local site.

Command Default

None

Command Modes

config-site-tag

Command History

Release Modification

Cisco IOS XE Gibraltar 16.10.1

This command was introduced in a release earlier than Cisco IOS XE Gibraltar 16.10.1.

Examples

The following example shows how to set the current site as local site:

Device# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Device(config)# wireless tag site tag-name
Device(config-site-tag)# local-site

location expiry

To configure the location expiry duration, use the location expiry command in global configuration mode.

location expiry { calibrating-client | client | tags } timeout-duration

Syntax Description

calibrating-client

Timeout value for calibrating clients.

client

Timeout value for clients.

tags

Timeout value for RFID tags.

timeout-duration

Timeout duration, in seconds.

Command Default

Timeout value is not configured.

Command Modes

Global configuration (config)

Command History

Release Modification
Cisco IOS XE Gibraltar 16.10.1

This command was introduced.

Examples

This example shows how to configure the location expiry duration:

Device(config)# location expiry tags 50 

location notify-threshold

To configure the NMSP notification threshold for RSSI measurements, use the location notify-threshold command in global configuration mode. To remove the NMSP notification threshold for RSSI measurements, use the no form of this command.

location notify-threshold {client | rogue-aps | tags } db

no location notify-threshold {client | rogue-aps | tags }

Syntax Description

client

Specifies the NMSP notification threshold (in dB) for clients and rogue clients.

The valid range for the threshold parameter is 0 to 10 dB, and the default value is 0 dB.

rogue-aps

Specifies the NMSP notification threshold (in dB) for rogue access points.

The valid range for the threshold parameter is 0 to 10 dB, and the default value is 0 dB.

tags

Specifies the NMSP notification threshold (in dB) for RFID tags.

The valid range for the threshold parameter is 0 to 10 dB, and the default value is 0 dB.

db

The valid range for the threshold parameter is 0 to 10 dB, and the default value is 0 dB.

Command Default

No default behavior or values.

Command Modes

Global configuration

Command History

Release Modification

Cisco IOS XE Gibraltar 16.12.1

This command was introduced.

Examples

This example shows how to configure the NMSP notification threshold to 10 dB for clients. A notification NMSP message is sent to MSE as soon as the client RSSI changes by 10 dB:


Device# configure terminal
Device(config)# location notify-threshold client 10
Device(config)# end

log-export-mode

To configure the log export using FTP, STP and TFTP, use the log-export-mode command. Use the no form of this command to negate the command or to set the command to its default.

log-export-mode { ftp | stp | tftp }

no log-export-mode { ftp | stp | tftp }

Syntax Description

ftp

Configures the log export using FTP.

stp

Configures the log export using STP.

tftp

Configures the log export using TFTP.

Command Default

None

Command Modes

Wireless trace export profile configuration

Command History

Release Modification
Cisco IOS XE Gibraltar 16.12.2s This command was introduced.

Examples

Device(config)# wireless profile transfer trace-export trace-export-name
Device(config-wireless-trace-export-profile)# log-export-mode tftp

mab request format attribute

To configure the delimiter while configuring MAC filtering on a WLAN, use the mab request format attribute command.

mab request format attribute username password nas-identifier ]

Syntax Description

username

Username format used for MAB requests

password

Global Password used for all MAB requests

Nas-identifier

NAS-Identifier attribute

Command Default

MAC is sent without any delimiter.

Command Modes

Global configuration

Command History

Release Modification

Cisco IOS XE Gibraltar 16.10.1

This command was introduced in a release earlier than Cisco IOS XE Gibraltar 16.10.1.

Usage Guidelines

MAC is sent without any delimiter.

Examples

The following example shows how to configure delimiter while configuring MAC filtering:

Device# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Device(config)# mab request format attribute 1 groupsize 4

mac-filtering

To enable MAC filtering on a WLAN, use the mac-filtering command.

mac-filtering [ mac-authorization-list ]

Syntax Description

mac-authorization-list

Name of the Authorization list.

Command Default

None

Command Modes

config-wlan

Command History

Release Modification

Cisco IOS XE Gibraltar 16.10.1

This command was introduced in a release earlier than Cisco IOS XE Gibraltar 16.10.1.

Examples

The following example shows how to enable MAC filtering on a WLAN:

Device# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Device(config)# wlan wlan-name wlan-index SSID-name
Device(config-wlan)# mac-filtering

match activated-service-template

To create a condition that evaluates true based on the service template activated on a session, use the match activated-service-template command in control class-map filter configuration mode. To create a condition that evaluates true if the service template activated on a session does not match the specified template, use the no-match activated-service-template command in control class-map filter configuration mode. To remove the condition, use the no form of this command.

match activated-service-template template-name

no-match activated-service-template template-name

no {match | no-match} activated-service-template template-name

Syntax Description

template-name

Name of a configured service template as defined by the service-template command.

Command Default

The control class does not contain a condition based on the service template.

Command Modes

Control class-map filter configuration (config-filter-control-classmap)

Command History

Release

Modification

Cisco IOS XE Release 3.2SE

This command was introduced.

Usage Guidelines

The match activated-service-template command configures a match condition in a control class based on the service template applied to a session. A control class can contain multiple conditions, each of which will evaluate as either true or false. The control class defines whether all, any, or none of the conditions must evaluate true for the actions of the control policy to be executed.

The no-match form of this command specifies a value that results in an unsuccessful match. All other values of the specified match criterion result in a successful match. For example, if you configure the no-match activated-service-template SVC_1 command, all template values except SVC_1 are accepted as a successful match.

The class command associates a control class with a control policy.

Examples

The following example shows how to configure a control class that evaluates true if the service template named VLAN_1 is activated on the session:

class-map type control subscriber match-all CLASS_1
 match activated-service-template VLAN_1

match any

To perform a match on any protocol that passes through the device, use the match any command.

match any

Command Default

None

Command Modes

config-cmap

Command History

Release Modification

Cisco IOS XE Gibraltar 16.10.1

This command was introduced in a release earlier than Cisco IOS XE Gibraltar 16.10.1.

Examples

The following example shows how to match any packet passing through the device:

Device# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Device(config)# class-map cmap-name
Device(config-cmap)# match any

match message-type

To set a message type to match a service list, use the match message-type command.

match message-type {announcement | any | query}

Syntax Description

announcement

Allows only service advertisements or announcements for the Device.

any

Allows any match type.

query

Allows only a query from the client for a certain Device in the network.

Command Default

None

Command Modes

Service list configuration.

Command History

Release Modification

Cisco IOS XE Gibraltar 16.12.1

This command was introduced.

Usage Guidelines

Multiple service maps of the same name with different sequence numbers can be created, and the evaluation of the filters will be ordered on the sequence number. Service lists are an ordered sequence of individual statements, with each one having a permit or deny result. The evaluation of a service list consists of a list scan in a predetermined order, and an evaluation of the criteria of each statement that matches. A list scan is stopped once the first statement match is found and a permit/deny action associated with the statement match is performed. The default action after scanning through the entire list is to deny.


Note

It is not possible to use the match command if you have used the service-list mdns-sd service-list-name query command. The match command can be used only for the permit or deny option.

Examples

The following example shows how to set the announcement message type to be matched:

Device(config-mdns-sd-sl)# match message-type announcement
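
An added example (not Cisco's code): a Python model of the evaluation order described in the usage guidelines above, where statements are scanned by sequence number, the first match decides, and an unmatched message is denied. The Statement class, the use of Python regular expressions with a full match on the service type, and the sample list are assumptions of this example; it also reports statements that no sample message ever reaches, which is how a broad earlier permit hides a later deny.

```python
"""First-match evaluation of an ordered service list with an implicit final deny."""
import re
from dataclasses import dataclass
from typing import Optional

MESSAGE_TYPES = {"announcement", "query", "any"}


@dataclass(frozen=True)
class Statement:
    seq: int                              # sequence number; lower is evaluated first
    action: str                           # "permit" or "deny"
    message_type: str = "any"             # as in 'match message-type'
    service_type: Optional[str] = None    # regex, as in 'match service-type'

    def __post_init__(self):
        if self.action not in ("permit", "deny"):
            raise ValueError(f"bad action: {self.action}")
        if self.message_type not in MESSAGE_TYPES:
            raise ValueError(f"bad message type: {self.message_type}")
        if self.service_type is not None:
            re.compile(self.service_type)  # reject invalid patterns early

    def matches(self, message_type, service_type):
        if self.message_type != "any" and self.message_type != message_type:
            return False
        if self.service_type is not None and not re.fullmatch(self.service_type, service_type):
            return False
        return True


def evaluate(statements, message_type, service_type):
    """Return (action, seq) of the first matching statement, or ('deny', None)."""
    for st in sorted(statements, key=lambda s: s.seq):
        if st.matches(message_type, service_type):
            return st.action, st.seq
    return "deny", None  # default action after the whole list is scanned


def never_hit(statements, messages):
    """Sequence numbers that decide none of the sample messages (possibly shadowed)."""
    hit = {evaluate(statements, mt, svc)[1] for mt, svc in messages}
    return sorted(st.seq for st in statements if st.seq not in hit)


# Constructed service list: the deny at 20 sits behind a broader permit at 10.
SERVICE_LIST = [
    Statement(20, "deny", "query", r"_ipp\._tcp"),
    Statement(10, "permit", "any", r"_ipp\._tcp"),
    Statement(30, "permit", "announcement", r"_airplay\._tcp"),
]

# Constructed sample messages: (message type, service type).
MESSAGES = [
    ("query", "_ipp._tcp"),
    ("announcement", "_ipp._tcp"),
    ("announcement", "_airplay._tcp"),
    ("query", "_airplay._tcp"),
]

if __name__ == "__main__":
    for mt, svc in MESSAGES:
        action, seq = evaluate(SERVICE_LIST, mt, svc)
        print(f"{mt:13} {svc:15} -> {action} (statement {seq})")
    print("never reached:", never_hit(SERVICE_LIST, MESSAGES))
```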

match non-client-nrt

To match non-client NRT (non-real-time), use the match non-client-nrt command in class-map configuration mode. Use the no form of this command to return to the default setting.

match non-client-nrt

no match non-client-nrt

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command Modes

Class-map

Command History

Release Modification

Cisco IOS XE Gibraltar 16.12.1

This command was introduced.

Usage Guidelines

None

Examples

This example shows how you can configure non-client NRT:

Device(config)# class-map test_1000
Device(config-cmap)# match non-client-nrt

match protocol

To configure the match criterion for a class map on the basis of a specified protocol, use the match protocol command in class-map configuration or policy inline configuration mode. To remove the protocol-based match criterion from the class map, use the no form of this command. For more information about the match protocol command, refer to the Cisco IOS Quality of Service Solutions Command Reference.

match protocol {protocol-name | attribute category category-name | attribute sub-category sub-category-name | attribute application-group application-group-name}

Syntax Description

protocol-name

Name of the protocol (for example, bgp) used as a matching criterion.

category-name

Name of the application category used as a matching criterion.

sub-category-name

Name of the application subcategory used as a matching criterion.

application-group-name

Name of the application group as a matching criterion. When the application name is specified, the application is configured as the match criterion instead of the application group.

Command Default

No match criterion is configured.

Command Modes

Class-map configuration

Command History

Release Modification

Cisco IOS XE Gibraltar 16.12.1

This command was introduced.

Examples

This example shows how to create class maps and apply match protocol filters for application name, category, and sub category:

Device# configure terminal
Device(config)# class-map cat-browsing
Device(config-cmap)# match protocol attribute category browsing
Device(config-cmap)#end

Device# configure terminal
Device(config)# class-map cat-fileshare
Device(config-cmap)# match protocol attribute category file-sharing
Device(config-cmap)#end

Device# configure terminal
Device(config)# class-map match-any subcat-terminal
Device(config-cmap)# match protocol attribute sub-category terminal
Device(config-cmap)#end

Device# configure terminal
Device(config)# class-map match-any webex-meeting
Device(config-cmap)# match protocol webex-meeting
Device(config-cmap)#end

This example shows how to create policy maps and define existing class maps for upstream QoS:


Device# configure terminal
Device(config)# policy-map test-avc-up
Device(config-pmap)# class cat-browsing
Device(config-pmap-c)# police 150000
Device(config-pmap-c)# set dscp 12
Device(config-pmap-c)#end


Device# configure terminal
Device(config)# policy-map test-avc-up
Device(config-pmap)# class cat-fileshare
Device(config-pmap-c)# police 1000000
Device(config-pmap-c)# set dscp 20
Device(config-pmap-c)#end


Device# configure terminal
Device(config)# policy-map test-avc-up
Device(config-pmap)# class subcat-terminal
Device(config-pmap-c)# police 120000
Device(config-pmap-c)# set dscp 15
Device(config-pmap-c)#end

Device# configure terminal
Device(config)# policy-map test-avc-up
Device(config-pmap)# class webex-meeting
Device(config-pmap-c)# police 50000000
Device(config-pmap-c)# set dscp 21
Device(config-pmap-c)#end

This example shows how to create policy maps and define existing class maps for downstream QoS:


Device# configure terminal
Device(config)# policy-map test-avc-down
Device(config-pmap)# class cat-browsing
Device(config-pmap-c)# police 200000
Device(config-pmap-c)# set dscp 10
Device(config-pmap-c)#end


Device# configure terminal
Device(config)# policy-map test-avc-down
Device(config-pmap)# class cat-fileshare
Device(config-pmap-c)# police 300000
Device(config-pmap-c)# set wlan user-priority 2
Device(config-pmap-c)# set dscp 20
Device(config-pmap-c)#end


Device# configure terminal
Device(config)# policy-map test-avc-down
Device(config-pmap)# class subcat-terminal
Device(config-pmap-c)# police 100000
Device(config-pmap-c)# set dscp 25
Device(config-pmap-c)#end

Device# configure terminal
Device(config)# policy-map test-avc-down
Device(config-pmap)# class webex-meeting
Device(config-pmap-c)# police 60000000
Device(config-pmap-c)# set dscp 41
Device(config-pmap-c)#end

This example shows how to apply defined QoS policy on a WLAN:


Device# configure terminal
Device(config)# wlan alpha
Device(config-wlan)# shut
Device(config-wlan)# service-policy client input test-avc-up
Device(config-wlan)# service-policy client output test-avc-down
Device(config-wlan)# no shut
Device(config-wlan)# end

match service-instance

To set a service instance to match a service list, use the match service-instance command.

match service-instance line

Syntax Description

line

Regular expression to match the service instance in packets.

Command Default

None

Command Modes

Service list configuration

Command History

Release Modification
Cisco IOS XE Gibraltar 16.12.1

This command was introduced.

Usage Guidelines

It is not possible to use the match command if you have used the service-list mdns-sd service-list-name query command. The match command can be used only for the permit or deny option.

Examples

The following example shows how to set the service instance to match:

Device(config-mdns-sd-sl)# match service-instance servInst 1

match service-type

To set the value of the mDNS service type string to match, use the match service-type command.

match service-type line

Syntax Description

line

Regular expression to match the service type in packets.

Command Default

None

Command Modes

Service list configuration

Command History

Release Modification
Cisco IOS XE Gibraltar 16.12.1 This command was introduced.

Usage Guidelines

It is not possible to use the match command if you have used the service-list mdns-sd service-list-name query command. The match command can be used only for the permit or deny option.

Examples

The following example shows how to set the value of the mDNS service type string to match:

Device(config-mdns-sd-sl)# match service-type _ipp._tcp

match user-role

To configure the class-map attribute filter criteria, use the match user-role command.

match user-role user-role

Command Default

None

Command Modes

config-filter-control-classmap

Command History

Release Modification

Cisco IOS XE Gibraltar 16.10.1

This command was introduced in a release earlier than Cisco IOS XE Gibraltar 16.10.1.

Examples

The following example shows how to configure class-map attribute filter criteria:

Device# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Device(config)# class-map type control subscriber match-any map-name
Device(config-filter-control-classmap)# match user-role user-role

match username

To create a condition that evaluates true based on an event’s username, use the match username command in control class-map filter configuration mode. To create a condition that evaluates true if an event’s username does not match the specified username, use the no-match username command in control class-map filter configuration mode. To remove the condition, use the no form of this command.

match username username

no-match username username

no {match | no-match} username username

Syntax Description

username

Username.

Command Default

The control class does not contain a condition based on the event’s username.

Command Modes

Control class-map filter configuration (config-filter-control-classmap)

Command History

Release

Modification

Cisco IOS XE Release 3.2SE

This command was introduced.

Usage Guidelines

The match username command configures a match condition in a control class based on the username. A control class can contain multiple conditions, each of which will evaluate as either true or false. The control class defines whether all, any, or none of the conditions must evaluate true to execute the actions of the control policy.

The no-match form of this command specifies a value that results in an unsuccessful match. All other values of the specified match criterion result in a successful match. For example, if you configure the no-match username josmithe command, the control class accepts any username value except josmithe as a successful match.

The class command associates a control class with a control policy.

Examples

The following example shows how to configure a control class that evaluates true if the username is josmithe:

class-map type control subscriber match-all CLASS_1
 match username josmithe

match (access-map configuration)

To set the VLAN map to match packets against one or more access lists, use the match command in access-map configuration mode. Use the no form of this command to remove the match parameters.

match {ip address {name | number} [name | number] [name | number] . . . | mac address name [name] [name] . . . }

no match {ip address {name | number} [name | number] [name | number] . . . | mac address name [name] [name] . . . }

Syntax Description

ip address

Set the access map to match packets against an IP address access list.

mac address

Set the access map to match packets against a MAC address access list.

name

Name of the access list to match packets against.

number

Number of the access list to match packets against. This option is not valid for MAC access lists.

Command Default

The default action is to have no match parameters applied to a VLAN map.

Command Modes

Access-map configuration

Command History

Release

Modification

Cisco IOS XE Gibraltar 16.12.1

This command was introduced.

Usage Guidelines

You enter access-map configuration mode by using the vlan access-map global configuration command.

You must enter one access list name or number; others are optional. You can match packets against one or more access lists. Matching any of the lists counts as a match of the entry.

In access-map configuration mode, use the match command to define the match conditions for a VLAN map applied to a VLAN. Use the action command to set the action that occurs when the packet matches the conditions.

Packets are matched only against access lists of the same protocol type; IP packets are matched against IP access lists, and all other packets are matched against MAC access lists.

Both IP and MAC addresses can be specified for the same map entry.

Examples

This example shows how to define a VLAN access map vmap4 and apply it to VLANs 5 and 6. The map causes the interface to drop an IP packet if the packet matches the conditions defined in access list al2.


Device(config)# vlan access-map vmap4
Device(config-access-map)# match ip address al2
Device(config-access-map)# action drop
Device(config-access-map)# exit
Device(config)# vlan filter vmap4 vlan-list 5-6

You can verify your settings by entering the show vlan access-map privileged EXEC command.
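
The same VLAN map with the access list and a fall-through entry written out, as an added example that is not part of the Cisco reference. The contents of al2 (Telnet traffic) and the sequence numbers 10 and 20 are assumptions. A VLAN map that contains an IP match clause drops IP packets that match none of its entries, so entry 20 is what keeps the rest of the traffic on VLANs 5 and 6 flowing.

```cisco
! Constructed ACL contents: the page names al2 but does not show its entries.
! Inside a VLAN map, an ACL "permit" means "this packet matches the entry";
! the map's action, not the ACL, decides whether the packet is dropped.
ip access-list extended al2
 permit tcp any any eq 23
!
! Entry 10: IP packets permitted by al2 match this entry and are dropped.
vlan access-map vmap4 10
 match ip address al2
 action drop
!
! Entry 20: no match clause, so every remaining packet matches and is forwarded.
! Without this entry, IP packets that miss entry 10 would also be dropped,
! because the map contains a match clause for IP.
vlan access-map vmap4 20
 action forward
!
! Apply the map to VLANs 5 and 6, as in the example above.
vlan filter vmap4 vlan-list 5-6
```

Entries are evaluated in sequence-number order, so the drop entry must carry the lower number; show vlan access-map lists the entries in the order they are evaluated.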

match (class-map configuration)

To define the match criteria to classify traffic, use the match command in class-map configuration mode. Use the no form of this command to remove the match criteria.

Cisco IOS XE Everest 16.5.x and Earlier Releases

match {access-group