|
|
This chapter describes IP Security Options (IPSO) commands. IPSO is generally used to comply with the U.S. Government's Department of Defense security policy.
Refer to the Command Reference Master Index or search online to find complete descriptions of other commands used when configuring IPSO.
For IPSO configuration information, refer to the "Configuring IP Security Options" chapter in the Security Configuration Guide.
To set the retransmit count used by the Department of Defense Intelligence Information System Network Security for Information Exchange (DNSIX) Message Delivery Protocol (DMDP), use the dnsix-dmdp retries global configuration command. To restore the default number of retries, use the no form of this command.
dnsix-dmdp retries count| count | Number of times DMDP will retransmit a message. It can be an integer from 0 to 200. The default is 4 retries, or until acknowledged. |
Retransmits messages up to 4 times, or until acknowledged
Global configuration
This command first appeared in Cisco IOS Release 10.0.
The following example sets the number of times DMDP will attempt to retransmit a message to 150:
dnsix-dmdp retries 150
You can use the master indexes or search online to find documentation of related commands.
dnsix-nat authorized-redirection
dnsix-nat primary
dnsix-nat secondary
dnsix-nat source
dnsix-nat transmit-count
To specify the address of a collection center that is authorized to change the primary and secondary addresses of the host to receive audit messages, use the dnsix-nat authorized-redirection global configuration command. To delete an address, use the no form of this command.
dnsix-nat authorized-redirection ip-address| ip-address | IP address of the host from which redirection requests are permitted. |
An empty list of addresses
Global configuration
This command first appeared in Cisco IOS Release 10.0.
Use multiple dnsix-nat authorized-redirection commands to specify a set of hosts that are authorized to change the destination for audit messages. Redirection requests are checked against the configured list, and if the address is not authorized the request is rejected and an audit message is generated. If no address is specified, no redirection messages are accepted.
The following example specifies that the address of the collection center that is authorized to change the primary and secondary addresses is 193.1.1.1.
dnsix-nat authorization-redirection 193.1.1.1.
To specify the IP address of the host to which DNSIX audit messages are sent, use the dnsix-nat primary global configuration command. To delete an entry, use the no form of this command.
dnsix-nat primary ip-address| ip-address | IP address for the primary collection center. |
Messages are not sent.
Global configuration
This command first appeared in Cisco IOS Release 10.0.
An IP address must be configured before audit messages can be sent.
The following example configures an IP address as the address of the host to which DNSIX audit messages are sent:
dnsix-nat primary 194.1.1.1
To specify an alternate IP address for the host to which DNSIX audit messages are sent, use the dnsix-nat secondary global configuration command. To delete an entry, use the no form of this command.
dnsix-nat secondary ip-address| ip-address | IP address for the secondary collection center. |
No alternate IP address is known.
Global configuration
This command first appeared in Cisco IOS Release 10.0.
When the primary collection center is unreachable, audit messages are sent to the secondary collection center instead.
The following example configures an IP address as the address of an alternate host to which DNSIX audit messages are sent:
dnsix-nat secondary 193.1.1.1
To start the audit-writing module and to define audit trail source address, use the dnsix-nat source global configuration command. To disable the DNSIX audit trail writing module, use the no form of this command.
dnsix-nat source ip-address| ip-address | Source IP address for DNSIX audit messages. |
Disabled
Global configuration
This command first appeared in Cisco IOS Release 10.0.
You must issue the dnsix-nat source command before any of the other dnsix-nat commands. The configured IP address is used as the source IP address for DMDP protocol packets sent to any of the collection centers.
The following example enables the audit trail writing module, and specifies that the source IP address for any generated audit messages should be the same as the primary IP address of Ethernet interface 0.
dnsix-nat source 128.105.2.5 interface ethernet 0 ip address 128.105.2.5 255.255.255.0
To have the audit writing module collect multiple audit messages in the buffer before sending the messages to a collection center, use the dnsix-nat transmit-count global configuration command. To revert to the default audit message count, use the no form of this command.
dnsix-nat transmit-count count| count | Number of audit messages to buffer before transmitting to the server. It can be an integer from 1 to 200. |
One message is sent at a time.
Global configuration
This command first appeared in Cisco IOS Release 10.0.
An audit message is sent as soon as the message is generated by the IP packet-processing code. The audit writing module can, instead, buffer up to several audit messages before transmitting to a collection center.
The following example configures the system to buffer five audit messages before transmitting them to a collection center:
dnsix-nat transmit-count 5
To add a basic security option to all outgoing packets, use the ip security add interface configuration command. To disable the adding of a basic security option to all outgoing packets, use the no form of this command.
ip security addThis command has no arguments or keywords.
Disabled, when the security level of the interface is "Unclassified Genser" (or unconfigured). Otherwise, the default is enabled.
Interface configuration
This command first appeared in Cisco IOS Release 10.0.
If an outgoing packet does not have a security option present, this interface configuration command will add one as the first IP option. The security label added to the option field is the label that was computed for this packet when it first entered the router. Because this action is performed after all the security tests have been passed, this label will either be the same as or will fall within the range of the interface.
The following example adds a basic security option to each packet leaving Ethernet interface 0:
interface ethernet 0 ip security add
You can use the master indexes or search online to find documentation of related commands.
ip security dedicated
ip security extended-allowed
ip security first
ip security ignore-authorities
ip security implicit-labelling
ip security multilevel
ip security reserved-allowed
ip security strip
To attach Auxiliary Extended Security Options (AESOs) to an interface, use the ip security aeso interface configuration command. To disable AESO on an interface, use the no form of this command.
ip security aeso source compartment-bits| source | Extended Security Option (ESO) source. This can be an integer from 0 to 255. |
| compartment-bits | Compartment bits in hexadecimal. |
Disabled
Interface configuration
This command first appeared in Cisco IOS Release 10.0.
Compartment bits are specified only if this AESO is to be inserted in a packet. On every incoming packet at this level on this interface, these AESOs should be present.
Beyond being recognized, no further processing of AESO information is performed. AESO contents are not checked and are assumed to be valid if the source is listed in the configurable AESO table.
Configuring any per-interface extended IP security option (IPSO) information automatically enables ip security extended-allowed (disabled by default).
In the following example, the extended security option source is defined as 5 and the compartments bits are set to 5:
interface ethernet 0 ip security aeso 5 5
You can use the master indexes or search online to find documentation of related commands.
ip security eso-info
ip security eso-max
ip security eso-min
ip security extended-allowed
To set the level of classification and authority on the interface, use the ip security dedicated interface configuration command. To reset the interface to the default classification and authorities, use the no form of this command.
ip security dedicated level authority [authority...]| level | Degree of sensitivity of information. The level keywords are listed in Table 24. |
| authority | Organization that defines the set of security levels that will be used in a network. The authority keywords are listed in Table 25. |
Disabled
Interface configuration
This command first appeared in Cisco IOS Release 10.0.
All traffic entering the system on this interface must have a security option that exactly matches this label. Any traffic leaving via this interface will have this label attached to it.
The following definitions apply to the descriptions of the IP security options (IPSO) in this section:
| Level Keyword | Bit Pattern |
|---|---|
| Reserved4 | 0000 0001 |
| TopSecret | 0011 1101 |
| Secret | 0101 1010 |
| Confidential | 1001 0110 |
| Reserved3 | 0110 0110 |
| Reserved2 | 1100 1100 |
| Unclassified | 1010 1011 |
| Reserved1 | 1111 0001 |
| Authority Keyword | Bit Pattern |
|---|---|
| Genser | 1000 0000 |
| Siop-Esi | 0100 0000 |
| DIA | 0010 0000 |
| NSA | 0001 0000 |
| DOE | 0000 1000 |
The following example sets a confidential level with Genser authority:
ip security dedicated confidential Genser
You can use the master indexes or search online to find documentation of related commands.
ip security add
ip security extended-allowed
ip security first
ip security ignore-authorities
ip security implicit-labelling
ip security multilevel
ip security reserved-allowed
ip security strip
To configure system-wide defaults for extended IP Security Option (IPSO) information, use the ip security eso-info global configuration command. To return to the default settings, use the no form of this command.
ip security eso-info source compartment-size default-bit| source | Hexadecimal or decimal value representing the extended IPSO source. This is an integer from 0 to 255. |
| compartment-size | Maximum number of bytes of compartment information allowed for a particular extended IPSO source. This is an integer from 1 to 16. |
| default-bit | Default bit value for any unsent compartment bits. |
Disabled
Global configuration
This command first appeared in Cisco IOS Release 10.0.
This command configures Extended Security Option (ESO) information, including Auxiliary Extended Security Option (AESO). Transmitted compartment info is padded to the size specified by the compartment-size argument.
In the following example, system-wide defaults for source, compartment size, and the default bit value are set:
ip security eso-info 100 5 1
You can use the master indexes or search online to find documentation of related commands.
ip security eso-max
ip security eso-min
To specify the maximum sensitivity level for an interface, use the ip security eso-max interface configuration command. To return to the default, use the no form of this command.
ip security eso-max source compartment-bits| source | Extended Security Option (ESO) source. This is an integer from 1 to 255. |
| compartment-bits | Compartment bits in hexadecimal. |
Disabled
Interface configuration
This command first appeared in Cisco IOS Release 10.0.
The command is used to specify the minimum sensitivity level for a particular interface. Before the per interface compartment information for a particular Network Level Extended Security Option (NLESO) source can be configured, the ip security eso-info global configuration command must be used to specify the default information.
On every incoming packet on the interface, these extended security options should be resent at the minimum level and should match the configured compartment bits. Every outgoing packet must have these ESOs.
On every packet transmitted or received on this interface, any NLESO sources present in the IP header should be bounded by the minimum sensitivity level and bounded by the maximum sensitivity level configured for the interface.
When transmitting locally generated traffic out this interface, or adding security information (with the ip security add command), the maximum compartment bit information can be used to construct the NLESO sources placed in the IP header.
A maximum of 16 NLESO sources can be configured per interface. Due to IP header length restrictions, a maximum of 9 of these NLESO sources appear in the IP header of a packet.
In the following example, the specified ESO source is 240 and the compartment bits are specified as 500:
interface ethernet 0 ip security eso-max 240 500
You can use the master indexes or search online to find documentation of related commands.
ip security eso-info
ip security eso-min
To configure the minimum sensitivity for an interface, use the ip security eso-min interface configuration command. To return to the default, use the no form of this command.
ip security eso-min source compartment-bits| source | Extended Security Option (ESO) source. This is an integer from 1 to 255. |
| compartment-bits | Compartment bits in hexadecimal. |
Disabled
Interface configuration
This command first appeared in Cisco IOS Release 10.0.
The command is used to specify the minimum sensitivity level for a particular interface. Before the per-interface compartment information for a particular Network Level Extended Security Option (NLESO) source can be configured, the ip security eso-info global configuration command must be used to specify the default information.
On every incoming packet on this interface, these extended security options should be resent at the minimum level and should match the configured compartment bits. Every outgoing packet must have these ESOs.
On every packet transmitted or received on this interface, any NLESO sources present in the IP header should be bounded by the minimum sensitivity level and bounded by the maximum sensitivity level configured for the interface.
When transmitting locally generated traffic out this interface, or adding security information (with the ip security add command), the maximum compartment bit information can be used to construct the NLESO sources placed in the IP header.
A maximum of 16 NLESO sources can be configured per interface. Due to IP header length restrictions, a maximum of 9 of these NLESO sources appear in the IP header of a packet.
In the following example, the specified ESO source is 5 and the compartment bits are specified as 5:
interface ethernet 0 ip security eso-min 5 5
You can use the master indexes or search online to find documentation of related commands.
ip security eso-info
ip security eso-max
To accept packets on an interface that has an extended security option present, use the ip security extended-allowed interface configuration command. To restore the default, use the no form of this command.
ip security extended-allowedThis command has no arguments or keywords.
Disabled
Interface configuration
This command first appeared in Cisco IOS Release 10.0.
Packets containing extended security options are rejected.
The following example allows interface Ethernet 0 to accept packets that have an extended security option present:
interface ethernet 0 ip security extended-allowed
You can use the master indexes or search online to find documentation of related commands.
ip security add
ip security dedicated
ip security first
ip security ignore-authorities
ip security implicit-labelling
ip security multilevel
ip security reserved-allowed
ip security strip
To prioritize the presence of security options on a packet, use the ip security first interface configuration command. To disable this function, use the no form of this command.
ip security firstThis command has no arguments or keywords.
Disabled
Interface configuration
This command first appeared in Cisco IOS Release 10.0.
If a basic security option is present on an outgoing packet, but it is not the first IP option, then the packet is moved to the front of the options field when this interface configuration command is used.
The following example ensures that, if a basic security option is present in the options field of a packet exiting interface Ethernet 0, the packet is moved to the front of the options field:
interface ethernet 0 ip security first
You can use the master indexes or search online to find documentation of related commands.
ip security add
ip security dedicated
ip security extended-allowed
ip security ignore-authorities
ip security implicit-labelling
ip security multilevel
ip security reserved-allowed
ip security strip
To have the Cisco IOS software ignore the authorities field of all incoming packets, use the ip security ignore-authorities interface configuration command. To disable this function, use the no form of this command.
ip security ignore-authoritiesThis command has no arguments or keywords.
Disabled
Interface configuration
This command first appeared in Cisco IOS Release 10.0.
When the packet's authority field is ignored, the value used in place of this field is the authority value declared for the specified interface. The ip security ignore-authorities can only be configured on interfaces with dedicated security levels.
The following example causes interface Ethernet 0 to ignore the authorities field on all incoming packets:
interface ethernet 0 ip security ignore-authorities
You can use the master indexes or search online to find documentation of related commands.
ip security add
ip security dedicated
ip security extended-allowed
ip security first
ip security implicit-labelling
ip security multilevel
ip security reserved-allowed
ip security strip
To force the Cisco IOS software to accept packets on the interface, even if they do not include a security option, use the ip security implicit-labelling interface configuration command. To disable this function, use the no form of this command.
ip security implicit-labelling [level authority [authority...]]| level | (Optional) Degree of sensitivity of information. If your interface has multilevel security set, you must specify this argument. (See the level keywords listed in Table 24 in the ip security dedicated command section.) |
| authority | (Optional) Organization that defines the set of security levels that will be used in a network. If your interface has multilevel security set, you must specify this argument. You can specify more than one. (See the authority keywords listed in Table 25 in the ip security dedicated command section.) |
Enabled, when the security level of the interface is "Unclassified Genser" (or unconfigured). Otherwise, the default is disabled.
Interface configuration
This command first appeared in Cisco IOS Release 10.0.
If your interface has multilevel security set, you must use the expanded form of the command (with the optional arguments as noted in brackets) because the arguments are used to specify the precise level and authority to use when labeling the packet. If your interface has dedicated security set, the additional arguments are ignored.
In the following example, an interface is set for security and will accept unlabeled packets:
ip security dedicated confidential genser ip security implicit-labelling
You can use the master indexes or search online to find documentation of related commands.
ip security add
ip security dedicated
ip security extended-allowed
ip security first
ip security ignore-authorities
ip security multilevel
ip security reserved-allowed
ip security strip
To set the range of classifications and authorities on an interface, use the ip security multilevel interface configuration command. To disable this function, use the no form of this command.
ip security multilevel level1 [authority1...] to level2 authority2 [authority2...]| level1 | Degree of sensitivity of information. The classification level of incoming packets must be equal to or greater than this value for processing to occur. (See the level keywords found in Table 24 in the ip security dedicated command section.) |
| authority1 | (Optional) Organization that defines the set of security levels that will be used in a network. The authority bits must be a superset of this value. (See the authority keywords listed in Table 25 in the ip security dedicated command section.) |
| to | Separates the range of classifications and authorities. |
| level2 | Degree of sensitivity of information. The classification level of incoming packets must be equal to or less than this value for processing to occur. (See the level keywords found in Table 24 in the ip security dedicated command section.) |
| authority2 | Organization that defines the set of security levels that will be used in a network. The authority bits must be a proper subset of this value. (See the authority keywords listed in Table 25 in the ip security dedicated command section.) |
Disabled
Interface configuration
This command first appeared in Cisco IOS Release 10.0.
All traffic entering or leaving the system must have a security option that falls within this range. Being within range requires that the following two conditions be met:
The following example specifies levels Unclassified to Secret and NSA authority:
ip security multilevel unclassified to secret nsa
You can use the master indexes or search online to find documentation of related commands.
ip security add
ip security dedicated
ip security extended-allowed
ip security first
ip security ignore-authorities
ip security implicit-labelling
ip security reserved-allowed
ip security strip
To treat as valid any packets that have Reserved1 through Reserved4 security levels, use the ip security reserved-allowed interface configuration command. To disable this feature, use the no form of this command.
ip security reserved-allowedThis command has no arguments or keywords.
Disabled
Interface configuration
This command first appeared in Cisco IOS Release 10.3.
When you set multilevel security on an interface, and indicate, for example, that the highest range allowed is Confidential, and the lowest is Unclassified, the Cisco IOS software neither allows nor operates on packets that have security levels of Reserved3 and Reserved2 because they are undefined.
If you use the IP Security Option (IPSO) to block transmission out of unclassified interfaces, and you use one of the Reserved security levels, you must enable this feature to preserve network security.
The following example allows a security level of Reserved through Ethernet interface 0:
interface ethernet 0 ip security reserved-allowed
You can use the master indexes or search online to find documentation of related commands.
ip security add
ip security dedicated
ip security extended-allowed
ip security first
ip security ignore-authorities
ip security implicit-labelling
ip security multilevel
ip security strip
To remove any basic security option on outgoing packets on an interface, use the ip security strip interface configuration command. To disable this function, use the no form of this command.
ip security stripThis command has no arguments or keywords.
Disabled
Interface configuration
This command first appeared in Cisco IOS Release 10.0.
The removal procedure is performed after all security tests in the router have been passed. This command is not allowed for multilevel interfaces.
The following example removes any basic security options on outgoing packets on Ethernet interface 0:
interface ethernet 0 ip security strip
You can use the master indexes or search online to find documentation of related commands.
ip security add
ip security dedicated
ip security extended-allowed
ip security first
ip security ignore-authorities
ip security implicit-labelling
ip security multilevel
ip security reserved-allowed
To display state information and the current configuration of the DNSIX audit writing module, use the show dnsix privileged EXEC command.
show dnsixThis command has no arguments or keywords.
Privileged EXEC
This command first appeared in Cisco IOS Release 10.0.
The following is sample output from the show dnsix command:
Router# show dnsix
Audit Trail Enabled with Source 128.105.2.5
State: PRIMARY
Connected to 128.105.2.4
Primary 128.105.2.4
Transmit Count 1
DMDP retries 4
Authorization Redirection List:
128.105.2.4
Record count: 0
Packet Count: 0
Redirect Rcv: 0
|
|