To configure an interface type and enter interface configuration mode, use the interface global configuration command.
interface type card/subcard/port

To configure a subinterface, use the interface global configuration command.

interface type card/subcard/port.vpt#

| Keyword or Argument | Description |
|---|---|
| type | Type of interface to be configured. Refer to Table 9-1 for a list of keywords. |
| number | Integer used to identify the interface. |
| card | Interface card number. The numbers are assigned at the factory at the time of installation or when added to a system, and can be displayed with the show interface command. |
| subcard | Backplane slot number. The value can be 0 or 1. The slots are numbered from left to right. |
| port | Port number of the interface. |
| .vpt | Virtual path tunnel number for subinterface on physical ATM ports. |
| .subinterface | Subinterface number in the range 1 to 4294967293. The number that precedes the periods (.) must match the number where this subinterface belongs. |
| multipoint | Specifies a multipoint subinterface. This option only applies to the ASP interface ATM 2/0/0. |
| point-to-point | Specifies a point-to-point subinterface. The default is multipoint. This option only applies to the ASP interface ATM 2/0/0. |
Command mode: Global configuration
Multiple subinterfaces can be configured on a single ASP interface.
The address of the ASP and Ethernet interfaces is 2/0/0 in the LightStream 1010 ATM switch environment and 13/0/0 in the Catalyst 5500 switch environment.
Multiple subinterfaces for VP tunneling can be configured on a single ATM interface (other than an ASP interface). VP tunnels are useful when you want to run signaling, ILMI, and possibly PNNI routing between two switches that are not directly connected to each other. Prior to configuring the subinterface, a permanent virtual path must be configured on the ATM interface using the atm pvp command. Then the subinterface for the VP tunnel can be created, specifying the VPI used to define the PVP as the subinterface number.
| Keyword | Interface Type |
|---|---|
| async | Auxiliary port line used as an asynchronous interface. |
| atm | ATM interface. |
| cbr | Circuit emulation ports. |
| dialer | Dialer interface number. |
| ethernet | Ethernet IEEE 802.3 interface. |
| group-async | Master asynchronous interface. |
| loopback | Software-only loopback interface that emulates an interface that is always running. It is a virtual interface supported on all platforms. The interface number is the number of the loopback interface you want to create or configure. There is no limit on the number of loopback interfaces you can create. |
| null | Null interface. |
The following example begins configuration of the ATM interface on card 0, subcard 0, and port 1 using the interface global configuration command.
Switch(config)# interface atm 0/0/1
Switch(config-if)#
The following example creates a VP tunnel with VPI 50 on card 0, subcard 0, and port 1, and enters subinterface configuration mode for the VP tunnel, using the interface global configuration command.
Switch(config)# interface atm 0/0/1
Switch(config-if)# atm pvp 50
Switch(config-if)# interface atm 0/0/1.50
Switch(config-subif)#
The following example begins configuration of the ASP interface, on LightStream 1010, using the interface global configuration command.
Switch(config)# interface atm 2/0/0
Switch(config-if)#
The following example creates a point-to-point subinterface on the ASP port and enters subinterface configuration mode, using the interface global configuration command.
Switch(config)# interface atm 2/0/0.1 point-to-point
Switch(config-subif)#
The following example begins configuration of the Ethernet interface on the LightStream 1010 switch, using the interface global configuration command.
Switch(config)# interface ethernet 2/0/0
Switch(config-if)#
The following command begins configuration of a CBR interface using the interface global configuration command.
Switch(config)# interface cbr 1/1/1
Switch(config-if)#
To set a primary or secondary IP address for an interface, use the ip address interface configuration command. To remove an IP address or disable IP processing, use the no form of this command.
ip address ip-address mask [secondary]

| Keyword or Argument | Description |
|---|---|
| ip-address | IP address. |
| mask | Mask for the associated IP subnet. |
| secondary | (Optional) Specifies that the configured address is a secondary IP address. If this keyword is omitted, the configured address is the primary IP address. |
Default: No IP address is defined for the interface.
Command mode: Interface configuration
This command only applies to the interfaces on the ASP card: Ethernet 2/0/0 or ATM 2/0/0 (or the 13/0/0 in the Catalyst 5500). An interface can have one primary IP address and multiple secondary IP addresses. Packets generated by the switch always use the primary IP address. Therefore, all switches on a segment should share the same primary network number.
Hosts can determine subnet masks using the Internet Control Message Protocol (ICMP) Mask Request message. Switches respond to this request with an ICMP Mask Reply message.
You can disable IP processing on a particular interface by removing its IP address with the no ip address command. If the switch detects another host using one of its IP addresses, it prints an error message on the console.
The optional keyword secondary allows you to specify an unlimited number of secondary addresses. Secondary addresses are treated like primary addresses, except the system never generates datagrams other than routing updates with secondary source addresses. IP broadcasts and ARP requests are handled properly, as are interface routes in the IP routing table.
Secondary IP addresses can be used in a variety of situations. The following are the most common applications:
In the following example, 131.108.1.27 is the primary address and 192.31.7.17 and 192.31.8.17 are secondary addresses for Ethernet interface 2/0/0.
Switch(config)# interface ethernet 2/0/0
Switch(config-if)# ip address 131.108.1.27 255.255.255.0
Switch(config-if)# ip address 192.31.7.17 255.255.255.0 secondary
Switch(config-if)# ip address 192.31.8.17 255.255.255.0 secondary
To define a broadcast address for an interface, use the ip broadcast-address interface configuration command. To restore the default IP broadcast address, use the no form of this command.
ip broadcast-address [ip-address]

| Keyword or Argument | Description |
|---|---|
| ip-address | (Optional) IP broadcast address for a network. |
Default: 255.255.255.255 (all ones).
Command mode: Interface configuration
This command only applies to the interfaces on the ASP card: Ethernet 2/0/0 or ATM 2/0/0 (or 13/0/0 in the Catalyst 5500).
The following example specifies an IP broadcast address of 172.10.50.4.
Switch(config)# ip broadcast-address 172.10.50.4
To define a default gateway, use the ip default-gateway global configuration command. To disable this function, use the no form of this command.
ip default-gateway ip-address

| Keyword or Argument | Description |
|---|---|
| ip-address | IP address of the gateway. |
Default: Disabled
Command mode: Global configuration
The switch sends any packets that need the assistance of a gateway to the address you specify. If another gateway has a better route to the requested host, the default gateway sends an ICMP redirect message to the switch. The ICMP redirect message indicates which gateway the switch uses.
The following example defines the gateway on IP address 192.31.7.18 as the default gateway.
Switch(config)# ip default-gateway 192.31.7.18
To enable the translation of directed broadcast to physical broadcasts, use the ip directed-broadcast interface configuration command. To disable this function, use the no form of this command.
ip directed-broadcast [access-list-number]

| Keyword or Argument | Description |
|---|---|
| access-list-number | (Optional) Number of the access list. If specified, a broadcast must pass the access list to be forwarded. If not specified, all broadcasts are forwarded. |
Default: Enabled with no list specified.
Command mode: Interface configuration
This command only applies to the interfaces on the ASP card: Ethernet 2/0/0 or ATM 2/0/0 (or 13/0/0 in the Catalyst 5500). This feature is enabled only for those protocols configured using the ip forward-protocol global configuration command. An access list might be specified to control which broadcasts are forwarded. When an access list is specified, only those IP packets permitted by the access list are eligible to be translated from directed broadcasts to physical broadcasts.
The following example enables forwarding of IP directed broadcasts on Ethernet interface 2/0/0.
Switch(config)# interface ethernet 2/0/0
Switch(config-if)# ip directed-broadcast
To define a list of default domain names to complete unqualified host names, use the ip domain-list global configuration command. To delete a name from a list, use the no form of this command.
ip domain-list name

| Keyword or Argument | Description |
|---|---|
| name | Domain name. Do not include the initial period that separates an unqualified name from the domain name. |
Default: No domain names are defined.
Command mode: Global configuration
If there is no domain list, the domain name that you specified with the ip domain-name global configuration command is used. If there is a domain list, the default domain name is not used. The ip domain-list command is similar to the ip domain-name command, except that with ip domain-list you can define a list of domains, each to be tried in turn.
The following example adds several domain names to a list.
Switch(config)# ip domain-list martinez.com
Switch(config)# ip domain-list stanford.edu
The following example adds a name to and then deletes a name from the list.
Switch(config)# ip domain-list sunya.edu
Switch(config)# no ip domain-list stanford.edu
To enable the IP Domain Name System-based host name-to-address translation, use the ip domain-lookup global configuration command. To disable the Domain Name System, use the no form of this command.
ip domain-lookup

This command has no arguments or keywords.
Default: Enabled
Command mode: Global configuration
The following example enables the IP Domain Name System-based host name-to-address translation.
Switch(config)# ip domain-lookup
To define a default domain name that the switch uses to complete unqualified host names (names without a dotted-decimal domain name), use the ip domain-name global configuration command. To disable use of the Domain Name System, use the no form of this command.
ip domain-name name

| Keyword or Argument | Description |
|---|---|
| name | Default domain name used to complete unqualified host names. Do not include the initial period that separates an unqualified name from the domain name. |
Default: Enabled
Command mode: Global configuration
Any IP host name that does not contain a domain name (that is, any name without a dot) has the dot and the default domain name (cisco.com in the following example) appended to it before being added to the host table.
The following example defines cisco.com as the default domain name.
Switch(config)# ip domain-name cisco.com
Related commands: ip domain-lookup, ip forward-protocol, ip name-server
To define a static host name-to-address mapping in the host cache, use the ip host global configuration command. To remove the name-to-address mapping, use the no form of this command.
ip host name [tcp-port-number] address1 [address2...address8]

| Keyword or Argument | Description |
|---|---|
| name | Name of the host. The first character can be either a letter or a number, but if you use a number, the operations you can perform are limited. |
| tcp-port-number | (Optional) TCP port number to connect to when using the defined host name in conjunction with an EXEC connect or telnet command. The default is Telnet (port 23). |
| address1 | Associated IP address. |
| address2...address8 | (Optional) Additional associated IP address. You can bind up to eight addresses to a host name. |
Default: Disabled
Command mode: Global configuration
The first character can be either a letter or a number, but if you use a number, the operations you can perform (such as ping) are limited.
The following example defines two static mappings.
Switch(config)# ip host croff 192.31.7.18
Switch(config)# ip host bisso-gw 10.2.0.2 192.31.7.33
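The ip domain-list, ip domain-name, ip domain-lookup and ip host commands together decide how an unqualified host name is completed and where it is looked up: a name with a dot is used as given, a domain list is tried entry by entry and, only when no list exists, the single ip domain-name is appended. The Python code below is an added example, not code from the Cisco manual or the switch software. It parses ip host lines (distinguishing an optional TCP port from the first address), builds the candidate names in the order the manual describes, and resolves a name against a constructed host table and a constructed DNS answer table. The order in which it consults the static host table before DNS is this example's assumption and is not stated on this page.

```python
import ipaddress

# Constructed tables standing in for the switch host cache and a name server.
HOST_TABLE = {"croff": ["192.31.7.18"], "bisso-gw": ["10.2.0.2", "192.31.7.33"]}
FAKE_DNS = {"web.stanford.edu": ["10.1.1.80"]}


def parse_ip_host(line):
    """'ip host name [tcp-port-number] address1 [address2...address8]'
    -> (name, port, [addresses]); the port defaults to Telnet (23).
    A second token that is a bare integer is the port, anything else is an address."""
    parts = line.split()
    if parts[:2] != ["ip", "host"] or len(parts) < 4:
        raise ValueError(f"not an ip host command: {line!r}")
    name, rest = parts[2], parts[3:]
    port = 23
    if rest[0].isdigit():
        port, rest = int(rest[0]), rest[1:]
    if not 1 <= len(rest) <= 8:
        raise ValueError("ip host takes between one and eight addresses")
    addresses = [str(ipaddress.IPv4Address(a)) for a in rest]   # raises on junk
    return name, port, addresses


def candidate_names(name, domain_list, domain_name):
    """Fully qualified names to try, in order. A name containing a dot is used
    as given; otherwise each ip domain-list entry is tried in turn, and the
    ip domain-name is used only when the list is empty."""
    if "." in name:
        return [name]
    if domain_list:
        return [f"{name}.{d}" for d in domain_list]
    if domain_name:
        return [f"{name}.{domain_name}"]
    return [name]


def resolve_host(name, host_table, dns, *, domain_list=(), domain_name=None,
                 domain_lookup=True):
    """Address list for `name`, or [] when nothing answers. Assumption (not on
    the page): the static host table is consulted first. With ip domain-lookup
    disabled only the host table can answer."""
    if name in host_table:
        return list(host_table[name])
    if not domain_lookup:
        return []
    for fqdn in candidate_names(name, domain_list, domain_name):
        if fqdn in dns:
            return list(dns[fqdn])
    return []


if __name__ == "__main__":
    print(parse_ip_host("ip host bisso-gw 10.2.0.2 192.31.7.33"))
    print(resolve_host("web", HOST_TABLE, FAKE_DNS,
                       domain_list=["martinez.com", "stanford.edu"]))
```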
To configure your switch to use host routing methods to forward IP packets to the destination, use the ip host-routing global configuration command.
ip host-routing

This command has no arguments or keywords.
Command mode: Global configuration
This command configures the switch to use host routing methods to send packets to devices and networks.
The following example uses the ip host-routing command to configure the switch to use host routing methods to forward packets to devices and networks.
Switch(config)# ip host-routing
To have the switch respond to Internet Control Message Protocol (ICMP) mask requests by sending ICMP Mask Reply messages, use the ip mask-reply interface configuration command. To disable this function, use the no form of this command.
ip mask-reply

This command has no arguments or keywords.
Default: Disabled
Command mode: Interface configuration
This command only applies to the interfaces on the ASP card: Ethernet 2/0/0 or ATM 2/0/0 (or 13/0/0 in the Catalyst 5500).
The following example enables the sending of ICMP Mask Reply messages on Ethernet interface 2/0/0.
Switch(config)# interface ethernet 2/0/0
Switch(config-if)# ip address 131.108.1.0 255.255.255.0
Switch(config-if)# ip mask-reply
To set the maximum transmission unit (MTU) size of IP packets sent on an interface, use the ip mtu interface configuration command. To restore the default MTU size, use the no form of this command.
ip mtu bytes

| Keyword or Argument | Description |
|---|---|
| bytes | MTU in bytes. |
Default: Minimum is 128 bytes; maximum depends on the interface medium.
Command mode: Interface configuration
This command only applies to the interfaces on the ASP card: Ethernet 2/0/0 or ATM 2/0/0 (or 13/0/0 in the Catalyst 5500). If an IP packet exceeds the MTU set for the switch's interface, the switch fragments the packet.
All devices on a physical medium must have the same protocol MTU in order to operate.
The following example sets the maximum IP packet size for the first interface to 300 bytes.
Switch(config)# interface ethernet 2/0/0
Switch(config-if)# ip mtu 300
To specify the address of one or more name servers to use for name and address resolution, use the ip name-server global configuration command. To remove the addresses specified, use the no form of this command.
ip name-server server-address1 [[server-address2]... server-address6]

| Keyword or Argument | Description |
|---|---|
| server-address1 | IP address of the name server. |
| server-address2...server-address6 | (Optional) IP addresses of additional name servers (a maximum of six name servers). |
Default: No name server addresses are specified.
Command mode: Global configuration
The following example specifies host 131.108.1.111 as the primary name server and host 131.108.1.2 as the secondary server.
Switch(config)# ip name-server 131.108.1.111 131.108.1.2
This command is reflected in the configuration file as follows:
ip name-server 131.108.1.111
ip name-server 131.108.1.2
Related commands: ip domain-lookup, ip domain-name
To specify the format in which netmasks are displayed in show command output, use the ip netmask-format line configuration command. To restore the default display format, use the no form of this command.
ip netmask-format {bitcount | decimal | hexadecimal}

| Keyword or Argument | Description |
|---|---|
| bitcount | Addresses are followed by a slash and the total number of bits in the netmask. For example, 131.108.11.0/24 indicates that the netmask is 24 bits. |
| decimal | Network masks are displayed in dotted decimal notation (for example, 255.255.255.0). |
| hexadecimal | Network masks are displayed in hexadecimal format, as indicated by the leading 0X (for example, 0XFFFFFF00). |
Default: Netmasks are displayed in dotted decimal format.
Command mode: Line configuration
IP uses a 32-bit mask that indicates which address bits belong to the network and subnetwork fields and which bits belong to the host field. This is called a netmask. By default, show commands display an IP address and then its netmask in dotted decimal notation. For example, a subnet is displayed as 131.108.11.0 255.255.255.0.
However, you can specify that the display of the network mask appear in hexadecimal format or bit-count format instead. The hexadecimal format is commonly used on UNIX systems. The above example is displayed as 131.108.11.0 0XFFFFFF00.
The bitcount format for displaying network masks is to append a slash (/) and the total number of bits in the netmask to the address itself. The above example is displayed as 131.108.11.0/24.
The following example configures network masks for the specified line to be displayed in bitcount notation in the output of show commands.
Switch(config)# line vty 0 4
Switch(config-line)# ip netmask-format bitcount
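The three display formats are different renderings of the same 32-bit mask, and only a contiguous mask (all ones followed by all zeros) has a bitcount form at all. The Python code below is an added example, not code from the Cisco manual or the switch software; it renders an address and mask the way show output would under each ip netmask-format setting, rejects a non-contiguous mask when a bitcount is requested, and parses the bitcount form back into a dotted-decimal mask. The function names are the example's own.

```python
MASK_BITS = 32


def mask_to_int(mask):
    """Dotted-decimal mask -> 32-bit integer, rejecting malformed input."""
    octets = mask.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"not a dotted-decimal netmask: {mask!r}")
    value = 0
    for o in octets:
        value = (value << 8) | int(o)
    return value


def int_to_mask(value):
    """32-bit integer -> dotted-decimal mask."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def bitcount_to_int(ones):
    """Mask with the top `ones` bits set, e.g. 24 -> 0xFFFFFF00."""
    if not 0 <= ones <= MASK_BITS:
        raise ValueError(f"bitcount must be 0..{MASK_BITS}: {ones}")
    return (0xFFFFFFFF << (MASK_BITS - ones)) & 0xFFFFFFFF


def is_contiguous(mask):
    """True when the mask is ones followed by zeros (the only masks with a /n form)."""
    value = mask_to_int(mask)
    return value == bitcount_to_int(bin(value).count("1"))


def bitcount(mask):
    """Number of network bits in a contiguous mask; 255.255.255.0 -> 24."""
    if not is_contiguous(mask):
        raise ValueError(f"non-contiguous netmask has no bitcount form: {mask}")
    return bin(mask_to_int(mask)).count("1")


def format_netmask(address, mask, style):
    """Render address and mask as show output would under ip netmask-format `style`."""
    if style == "decimal":
        return f"{address} {mask}"
    if style == "hexadecimal":
        return f"{address} 0X{mask_to_int(mask):08X}"
    if style == "bitcount":
        return f"{address}/{bitcount(mask)}"
    raise ValueError(f"unknown ip netmask-format style: {style!r}")


def parse_bitcount(text):
    """'131.108.11.0/24' -> ('131.108.11.0', '255.255.255.0')."""
    address, _, ones = text.partition("/")
    return address, int_to_mask(bitcount_to_int(int(ones)))


if __name__ == "__main__":
    for style in ("decimal", "hexadecimal", "bitcount"):
        print(format_netmask("131.108.11.0", "255.255.255.0", style))
```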
To enable proxy ARP on an interface, use the ip proxy-arp interface configuration command. To disable proxy ARP on the interface, use the no form of this command.
ip proxy-arp

This command has no arguments or keywords.
Default: Enabled
Command mode: Interface configuration
This command only applies to the interfaces on the ASP card: Ethernet 2/0/0 or ATM 2/0/0 (or 13/0/0 in the Catalyst 5500).
The following example enables proxy ARP on Ethernet interface 2/0/0.
Switch(config)# interface ethernet 2/0/0
Switch(config-if)# ip proxy-arp
Use the ip rarp-server interface configuration command to allow the switch to act as a Reverse Address Resolution Protocol (RARP) server. Use the no form of this command to restore the interface to the default of no RARP server support.
ip rarp-server ip-address

| Keyword or Argument | Description |
|---|---|
| ip-address | IP address that is to be provided in the source protocol address field of the RARP response packet. Normally, this is set to whatever address you configure as the primary address for the interface. |
Default: Disabled
Command mode: Interface configuration
This command only applies to the interfaces on the ASP card: Ethernet 2/0/0 or ATM 2/0/0 (or 13/0/0 in the Catalyst 5500). This feature makes diskless booting of clients possible between network subnets where the client and server are on separate subnets.
RARP server support can be configured on a per-interface basis so the switch does not interfere with RARP traffic on subnets that do not need RARP assistance from the switch.
The switch answers incoming RARP requests only if both of the following two conditions are met:
Use the show ip arp EXEC command to display the contents of the IP ARP cache.
Sun Microsystems, Inc. makes use of RARP-based and UDP-based network services to facilitate network-based booting of SunOS on their workstations. By bridging RARP packets and using both the ip helper-address interface configuration command and the ip forward-protocol global configuration command, the switch should be able to perform the necessary packet switching to enable booting of Sun workstations across subnets. However, some Sun workstations assume that the sender of the RARP response, in this case the switch, is the host that the client can contact to TFTP-load the bootstrap image. This causes the workstations to fail to boot.
By using the ip rarp-server feature, the switch can be configured to answer these RARP requests, and the client machine should be able to reach its server by having its TFTP requests forwarded through the switch that acts as the RARP server.
In the case of RARP responses to Sun workstations attempting to diskless boot, the IP address specified in the ip rarp-server interface configuration command should be the IP address of the TFTP server. In addition to configuring RARP service, the switch must also be configured to forward UDP-based Sun portmapper requests to completely support diskless booting of Sun workstations. This can be accomplished using configuration commands of the form:
Switch(config)# ip forward-protocol udp 111
Switch(config)# interface atm3/1/0
Switch(config-if)# ip helper-address target-address
RFC 903 documents the Reverse Address Resolution Protocol.
The following partial example configures the switch to act as a RARP server. The switch is configured to use the primary address of the specified interface in its RARP responses.
Switch(config)# arp 128.105.2.5 0800.2002.ff5b arpa
Switch(config)# interface ethernet 2/0/0
Switch(config-if)# ip address 128.105.3.100 255.255.255.0
Switch(config-if)# ip rarp-server 128.105.3.100
In the following example, the switch is configured to act as a RARP server, with TFTP and portmapper requests forwarded to the Sun server.
! Allow the switch to forward broadcast portmapper requests
Switch(config)# ip forward-protocol udp 111
! Provide the switch with the IP address of the diskless sun
Switch(config)# arp 128.105.2.5 0800.2002.ff5b arpa
Switch(config)# interface ethernet 2/0/0
! Configure the switch to act as a RARP server, using the Sun Server's IP
! address in the RARP response packet.
Switch(config-if)# ip rarp-server 128.105.3.100
! Portmapper broadcasts from this interface are sent to the Sun Server.
Switch(config-if)# ip helper-address 128.105.3.100
Related commands: ip forward-protocol, ip helper-address
Use the ip rcmd domain-lookup global configuration command to enable Domain Name System (DNS) security for RCP and RSH. To bypass DNS security for RCP and RSH, use the no form of this command.
ip rcmd domain-lookup

This command has no arguments or keywords.
Default: Enabled
Command mode: Global configuration
If you do not want to use DNS for rcmd queries, but DNS has been enabled with the ip domain-lookup command, use the no ip rcmd domain-lookup command.
This command turns off DNS lookups for RSH and RCP only. The no ip domain-lookup command takes precedence over the ip rcmd domain-lookup command. If ip domain-lookup is disabled with the no ip domain-lookup command, DNS is bypassed for RCP and RSH, even if ip rcmd domain-lookup is enabled.
In the following example, DNS security is enabled for RCP and RSH.
Switch(config)# ip rcmd domain-lookup
To configure the switch to allow remote users to copy files to and from the switch, use the ip rcmd rcp-enable global configuration command. Use the no form of this command to disable a switch that is enabled for RCP.
ip rcmd rcp-enable

This command has no arguments or keywords.
Default: To ensure security, the switch is not enabled for RCP by default.
Command mode: Global configuration
To allow a remote user to execute rcp commands on the switch, you must also create an entry for the remote user in the local switch's authentication database.
The no ip rcmd rcp-enable command does not prohibit a local user from using RCP to copy system images and configuration files to and from the switch.
To protect against unwanted users copying the system image or configuration files without consent, the switch is not enabled for RCP by default.
The following example shows how to enable the switch for RCP.
Switch(config)# ip rcmd rcp-enable
To allow remote users to execute commands on the switch using RSH or RCP, use the ip rcmd remote-host global configuration command to create an entry for the remote user in a local authentication database. Use the no form of this command to remove an entry for a remote user from the local authentication database.
ip rcmd remote-host local-username {ip-address | host} remote-username [enable]

| Keyword or Argument | Description |
|---|---|
| local-username | Name of the user on the local switch. You can specify the switch host name as the username. This name must be communicated to the network administrator or the user on the remote system. To be allowed to remotely execute commands on the switch, the remote user must specify this value correctly. |
| ip-address | IP address of the remote host from which the local switch accepts remotely executed commands. Either the IP address or the host name is required. |
| host | Name of the remote host from which the local switch accepts remotely executed commands. Either the host name or the IP address is required. |
| remote-username | Name of the user on the remote host from which the switch accepts remotely executed commands. |
| enable | (Optional) Enables the remote user to execute privileged EXEC commands using RSH. This keyword does not apply to RCP. |
Command mode: Global configuration
A TCP connection to a switch is established using an IP address. Using the host name is valid only when you are initiating an RCP or RSH command from a local switch. The host name is converted to an IP address using DNS or host-name aliasing.
To allow a remote user to execute RCP or RSH commands on a local switch, you must create an entry for the remote user in the local switch's authentication database. You must also enable the switch to act as an RSH or RCP server.
To enable the switch to act as an RSH server, issue the ip rcmd rsh-enable command. To enable the switch to act as an RCP server, issue the ip rcmd rcp-enable command. The switch cannot act as a server for either of these protocols unless you explicitly enable the capability.
A local authentication database, which is similar in concept and use to a UNIX .rhosts file, is used to enforce security on the switch through access control. Each entry that you configure in the authentication database identifies the local user, the remote host, and the remote user. To permit a remote user of RSH to run commands in privileged EXEC mode, specify the enable keyword.
An entry that you configure in the switch authentication database differs from an entry in a UNIX .rhosts file. Because the .rhosts file on a UNIX system resides in the home directory of a local user account, an entry in a UNIX .rhosts file need not include the local username; the local username is determined from the user account. To provide equivalent support on a switch, specify the local username, the remote host, and the remote username in each authentication database entry that you configure.
For a remote user to be able to run commands on the switch in its capacity as a server, the local username, host address or name, and remote username sent with the remote client request must match values configured in an entry in the local authentication file.
A remote client host should be registered with DNS. The switch software uses DNS to authenticate the remote host's name and address. Because DNS can return several valid IP addresses for a host name, the switch software checks the address of the requesting client against all of the IP addresses for the named host returned by DNS. If the address sent by the requester is considered invalid (that is, it does not match any address listed with DNS for the host name) the switch software rejects the remote-command execution request.
Note that if no DNS servers are configured for the switch, then the switch cannot authenticate the host in this manner. In this case, the switch software sends a broadcast request to attempt to gain access to DNS services on another server. If DNS services are not available, you must use the no ip domain-lookup command to disable the switch's attempt to gain access to a DNS server by sending a broadcast request.
If DNS services are not available and, therefore, you bypass the DNS security check, the switch software accepts the request to remotely execute a command only if all three values sent with the request match exactly the values configured for an entry in the local authentication file.
The following example allows the remote user netadmin3 on a remote host with the IP address 131.108.101.101 to run commands on switch1 using the RSH protocol. For RSH, user netadmin3 is allowed to execute commands in privileged EXEC mode.
Switch(config)# ip rcmd remote-host switch1 131.108.101.101 netadmin3 enable
Related commands: ip rcmd rcp-enable, ip rcmd rsh-enable, no ip domain-lookup
To configure the remote username to be used when requesting a remote copy using RCP, use the ip rcmd remote-username global configuration command. To remove the remote username from the configuration, use the no form of this command.
ip rcmd remote-username username

Caution: The remote username must be associated with an account on the destination server.

| Keyword or Argument | Description |
|---|---|
| username | Name of the remote user on the server. This name is used for RCP copy requests. All files and images to be copied are searched for or written relative to the directory of the remote user's account if the server has a directory structure as do UNIX systems, for example. |
Default: If you do not issue this command, the switch software sends the remote username associated with the current TTY process, if that name is valid, for RCP copy commands. For example, if the user is connected to the switch through Telnet and the user was authenticated through the username command, the switch software sends that username as the remote username.
Command mode: Global configuration
The RCP protocol requires that a client send the remote username on an RCP request to the server. Use this command to specify the remote username to be sent to the server for an RCP copy request. If the server has a directory structure, as do UNIX systems, all files and images to be copied are searched for or written relative to the directory of the remote user's account.
If the username for the current TTY process is not valid, the switch software sends the host name as the remote username. For RCP boot commands, the switch software sends the switch host name by default.
The following example shows how to use this command.
Switch# configure terminal
Switch(config)# ip rcmd remote-username netadmin1
Switch(config)# ^Z
Related commands: boot network, boot system, copy flash, copy rcp, copy running-config, copy startup-config
To configure the switch to allow remote users to execute commands on the switch using RSH, use the ip rcmd rsh-enable global configuration command. Use the no form of this command to disable a switch that is enabled for RSH.
ip rcmd rsh-enable

This command has no arguments or keywords.
Default: To ensure security, the switch is not enabled for RSH by default.
Command mode: Global configuration
Use this command to enable the switch to receive RSH requests from remote users. In addition to using this command, to allow a remote user to execute RSH commands on the switch, you must also create an entry for the remote user in the local switch's authentication database.
The no ip rcmd rsh-enable command does not prohibit a local user of the switch from executing a command on other switches and UNIX hosts on the network by using RSH.
The following example shows how to enable the switch as an RSH server.
Switch(config)# ip rcmd rsh-enable
To establish static routes, use the ip route global configuration command. To remove static routes, use the no form of this command.
ip route destination-prefix

| Keyword or Argument | Description |
|---|---|
| destination-prefix | IP address of the target network or subnet. |
Default: None
Command mode: Global configuration
This command does not apply to the ASP interface, ATM 2/0/0.
In the following example, an administrative distance of 110 was chosen. In this case, packets for network 10.0.0.0 are routed to the switch at 131.108.3.4 if dynamic information with an administrative distance less than 110 is not available.
Switch(config)# ip route 10.0.0.0 255.0.0.0 131.108.3.4 110
In the following example, packets for network 131.108.0.0 are routed to the switch at 131.108.6.6.
Switch(config)# ip route 131.108.0.0 255.255.0.0 131.108.6.6
To add a basic security option to all outgoing packets, use the ip security add interface configuration command. To disable the adding of a basic security option to all outgoing packets, use the no form of this command.
ip security add

This command has no arguments or keywords.
Default: Disabled when the security level of the interface is "Unclassified Genser" (or unconfigured). Otherwise, the default is enabled.
Command mode: Interface configuration
This command only applies to the interfaces on the ASP card: Ethernet 2/0/0 or ATM 2/0/0 (or 13/0/0 in the Catalyst 5500). If an outgoing packet does not have a security option present, this interface configuration command adds one as the first IP option. The security label added to the option field is the label that was computed for this packet when it first entered the switch. Because this action is performed after all the security tests have been passed, this label is either the same as or is in the range of the interface.
The following example adds a basic security option to each packet leaving Ethernet interface 2/0/0.
Switch(config)# interface ethernet 2/0/0
Switch(config-if)# ip security add
To attach Auxiliary Extended Security Options (AESOs) to an interface, use the ip security aeso interface configuration command. To disable AESO on an interface, use the no form of this command.
ip security aeso source compartment-bits

| Keyword or Argument | Description |
|---|---|
| source | Extended Security Option (ESO) source. This can be an integer from 0 through 255. |
| compartment-bits | Compartment bits in hexadecimal. |
Disabled
Interface configuration
This command only applies to the interfaces on the ASP card: Ethernet 2/0/0 or ATM 2/0/0 (or 13/0/0 in the Catalyst 5500). Compartment bits are specified only if this AESO is to be inserted in a packet. On every incoming packet at this level on this interface, these AESOs should be present.
Beyond being recognized, no further processing of AESO information is performed. AESO contents are not checked and are assumed to be valid if the source is listed in the configurable AESO table.
Configuring any per-interface extended IP security option (IPSO) information automatically enables ip security extended-allowed (disabled by default).
In the following example, the extended security option source is defined as 5, and the compartment bits are set to 5.
Switch(config)# interface ethernet 2/0/0
Switch(config-if)# ip security aeso 5 5
ip security eso-info
ip security eso-max
To set the level of classification and authority on the interface, use the ip security dedicated interface configuration command. To reset the interface to the default classification and authorities, use the no form of this command.
ip security dedicated level authority [authority...]
| level | Degree of sensitivity of information. The level keywords are listed in Table 9-2. |
| authority | Organization that defines the set of security levels that is used in a network. The authority keywords are listed in Table 9-3. |
Disabled
Interface configuration
This command only applies to the interfaces on the ASP card: Ethernet 2/0/0 or ATM 2/0/0 (or 13/0/0 in the Catalyst 5500).
All traffic entering the system on this interface must have a security option that exactly matches this label. Any traffic leaving via this interface has this label attached.
The following definitions apply to the descriptions of the IP security options (IPSO) in this section:
Table 9-2 Level Keywords
| Level Keyword | Bit Pattern |
|---|---|
| Reserved4 | 0000 0001 |
| TopSecret | 0011 1101 |
| Secret | 0101 1010 |
| Confidential | 1001 0110 |
| Reserved3 | 0110 0110 |
| Reserved2 | 1100 1100 |
| Unclassified | 1010 1011 |
| Reserved1 | 1111 0001 |
Table 9-3 Authority Keywords
| Authority Keyword | Bit Pattern |
|---|---|
| Genser | 1000 0000 |
| Siop-Esi | 0100 0000 |
| DIA | 0010 0000 |
| NSA | 0001 0000 |
| DOE | 0000 1000 |
The following example sets a confidential level with Genser authority.
Switch(config)# ip security dedicated confidential Genser
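As an added illustration (not part of the original command reference), the following Python builds and parses the basic security option whose level and authority bit patterns appear in Table 9-2 and Table 9-3, then models the ip security dedicated rule: an inbound packet is accepted only when its label exactly matches the interface label. The option layout (type 130, length, one classification byte, authority-flag bytes whose low bit is a continuation flag) follows RFC 1108, which the page itself does not cite.

```python
# Added example; the option layout follows RFC 1108 and is not taken from the page.
LEVELS = {  # Table 9-2: level keyword -> classification byte
    "Reserved4": 0x01, "TopSecret": 0x3D, "Secret": 0x5A, "Confidential": 0x96,
    "Reserved3": 0x66, "Reserved2": 0xCC, "Unclassified": 0xAB, "Reserved1": 0xF1,
}
AUTHORITIES = {  # Table 9-3: authority keyword -> flag bit in the first authority byte
    "Genser": 0x80, "Siop-Esi": 0x40, "DIA": 0x20, "NSA": 0x10, "DOE": 0x08,
}
BASIC_SECURITY_OPTION = 130  # IP option type of the basic security option


def encode_bso(level, authorities):
    """Return option bytes: type, length, level byte, one authority byte (bit 0 clear = last byte)."""
    flags = 0
    for name in authorities:
        flags |= AUTHORITIES[name]
    return bytes([BASIC_SECURITY_OPTION, 4, LEVELS[level], flags])


def decode_bso(option):
    """Parse an option into (level keyword, set of authority keywords); ValueError if malformed."""
    if len(option) < 3 or option[0] != BASIC_SECURITY_OPTION or option[1] != len(option):
        raise ValueError("not a well-formed basic security option")
    level = next((k for k, v in LEVELS.items() if v == option[2]), None)
    if level is None:
        raise ValueError("unknown classification level 0x%02x" % option[2])
    auth_bytes = option[3:]
    for i, b in enumerate(auth_bytes):
        last = i == len(auth_bytes) - 1
        # every authority byte except the last must carry the continuation bit
        if bool(b & 0x01) == last:
            raise ValueError("authority field incorrectly terminated")
    flags = (auth_bytes[0] & 0xF8) if auth_bytes else 0
    return level, {k for k, v in AUTHORITIES.items() if flags & v}


def dedicated_allows(option, iface_level, iface_authorities):
    """Model 'ip security dedicated': the packet label must equal the interface label exactly."""
    try:
        level, names = decode_bso(option)
    except ValueError:
        return False  # missing or malformed option never matches
    return level == iface_level and names == set(iface_authorities)


if __name__ == "__main__":
    # Constructed sample: label matching "ip security dedicated confidential Genser"
    opt = encode_bso("Confidential", ["Genser"])
    print(opt.hex(), decode_bso(opt), dedicated_allows(opt, "Confidential", ["Genser"]))
```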
To specify the maximum sensitivity level for an interface, use the ip security eso-max interface configuration command. To return to the default, use the no form of this command.
ip security eso-max source compartment-bits
| source | Extended Security Option (ESO) source. This is an integer from 1 through 255. |
| compartment-bits | Compartment bits in hexadecimal. |
Disabled
Interface configuration
This command only applies to the interfaces on the ASP card: Ethernet 2/0/0 or ATM 2/0/0 (or 13/0/0 in the Catalyst 5500).
This command is used to specify the maximum sensitivity level for a particular interface. Before the per-interface compartment information for a particular Network Level Extended Security Option (NLESO) source can be configured, the ip security eso-info global configuration command must be used to specify the default information.
On every incoming packet on the interface, these extended security options should be present at the maximum level and should match the configured compartment bits. Every outgoing packet must have these ESOs.
On every packet transmitted or received on this interface, any NLESO sources present in the IP header should be bounded by the minimum sensitivity level and bounded by the maximum sensitivity level configured for the interface.
When transmitting locally generated traffic out this interface or adding security information (with the ip security add command), the maximum compartment bit information can be used to construct the NLESO sources placed in the IP header.
A maximum of 16 NLESO sources can be configured per interface. Due to IP header length restrictions, a maximum of 9 of these NLESO sources appear in the IP header of a packet.
In the following example, the specified ESO source is 240, and the compartment bits are specified as 500.
Switch(config)# interface ethernet 2/0/0
Switch(config-if)# ip security eso-max 240 500
To configure system-wide defaults for extended IP Security Option (IPSO) information, use the ip security eso-info global configuration command. To return to the default settings, use the no form of this command.
ip security eso-info source compartment-size default-bit
| source | Hexadecimal or decimal value representing the extended IPSO source. This is an integer from 0 through 255. |
| compartment-size | Maximum number of bytes of compartment information allowed for a particular extended IPSO source. This is an integer from 1 through 16. |
| default-bit | Default bit value for any unsent compartment bits. |
Disabled
Global configuration
This command configures Extended Security Option (ESO) information, including Auxiliary Extended Security Option (AESO). Transmitted compartment information is padded to the size specified by the compartment-size argument.
In the following example, the system-wide defaults are set to source 100, a compartment size of 5 bytes, and a default bit value of 1.
Switch(config)# ip security eso-info 100 5 1
To allow the switch to handle IP datagrams with source routing header options, use the ip source-route global configuration command. To have the switch discard any IP datagram containing a source-route option, use the no form of this command.
ip source-route
This command has no arguments or keywords.
Enabled
Global configuration
The following example enables the handling of IP datagrams with source routing header options.
Switch(config)# ip source-route
To enable the use of subnet zero for interface addresses and routing updates, use the ip subnet-zero global configuration command. To restore the default, use the no form of this command.
ip subnet-zero
This command has no arguments or keywords.
Disabled
Global configuration
The ip subnet-zero command provides the ability to configure subnet-zero subnets.
Subnetting with a subnet address of zero is discouraged because of the confusion inherent in having a network and a subnet with indistinguishable addresses.
In the following example, subnet-zero is enabled for the switch.
Switch(config)# ip subnet-zero
To alter the TCP maximum read size for Telnet or rlogin, use the ip tcp chunk-size global configuration command. To restore the default value, use the no form of this command.
ip tcp chunk-size characters
| characters | Maximum number of characters that Telnet or rlogin can read in one read instruction. |
0, which Telnet and rlogin interpret as the largest possible 32-bit positive number.
Global configuration
Do not use this command unless you understand why you need to change the default value.
The following example sets the maximum TCP read size to 64000 bytes.
Switch(config)# ip tcp chunk-size 64000
To alter the maximum TCP outgoing queue per connection, use the ip tcp queuemax global configuration command. To restore the default value, use the no form of this command.
ip tcp queuemax packets
| packets | Outgoing queue size of TCP packets. |
The default value is 5 segments if the connection has a TTY associated with it. If there is no TTY associated with it, the default value is 20 segments.
Global configuration
Changing the default value only changes the queue that has a TTY associated with the connection.
The following example sets the maximum TCP outgoing queue to 10 packets.
Switch(config)# ip tcp queuemax 10
To set a period of time the switch waits while attempting to establish a TCP connection before it times out, use the ip tcp synwait-time global configuration command. To restore the default time, use the no form of this command.
ip tcp synwait-time seconds
| seconds | Time in seconds the switch waits while attempting to establish a TCP connection. It can be an integer from 5 to 300 seconds. The default is 30 seconds. |
30 seconds
Global configuration
If your network contains Public Switched Telephone Network Dial on Demand Routing (PSTN DDR), the call setup time can exceed 30 seconds. The 30-second default is not sufficient in networks that have dial-up asynchronous connections, because it limits your ability to Telnet over the interface (from the switch) if the interface must first be brought up. If you have this type of network, you might want to set this value to the UNIX value of 75.
Because this is a host parameter, it does not pertain to traffic going through the switch, only to traffic originating at the switch. Because UNIX has a fixed 75-second timeout, hosts are unlikely to see this problem.
The following example configures the switch to continue attempting to establish a TCP connection for 180 seconds.
Switch(config)# ip tcp synwait-time 180
To alter the TCP window size, use the ip tcp window-size global configuration command. To restore the default value, use the no form of this command.
ip tcp window-size bytes
| bytes | Window size in bytes. The maximum value is 65535 bytes. |
2144 bytes
Global configuration
Do not use this command unless you understand why you need to change the default value.
If your TCP window size is set to 1000 bytes, for example, you could have 1 packet of 1000 bytes or 2 packets of 500 bytes, and so on.
However, there is also a limit on the number of packets allowed in the window: a maximum of 5 packets if the connection has a TTY associated with it, otherwise a maximum of 20 packets.
The following example sets the TCP window size to 1000 bytes.
Switch(config)# ip tcp window-size 1000