IP Security Options Commands

This chapter explains the function and syntax of the IP security options commands. For more information about defaults and usage guidelines, see the corresponding chapter of the Cisco IOS Security Command Reference, Release 12.1.

dnsix-dmdp retries

To set the retransmit count used by the Department of Defense Intelligence Information System Network Security for Information Exchange (DNSIX) Message Delivery Protocol (DMDP), use the dnsix-dmdp retries command in global configuration mode. Use the no form of this command to restore the default number of retries.

dnsix-dmdp retries count

no dnsix-dmdp retries count

Syntax Description

count

Number of times DMDP will retransmit a message. It can be an integer from 0 to 200. The default is 4 retries, or until acknowledged.

dnsix-nat authorized-redirection

To specify the address of a collection center that is authorized to change the primary and secondary addresses of the host to receive audit messages, use the dnsix-nat authorized-redirection global configuration command. Use the no form of this command to delete an address.

dnsix-nat authorized-redirection ip-address

no dnsix-nat authorized-redirection ip-address

Syntax Description

ip-address

IP address of the host from which redirection requests are permitted.

dnsix-nat primary

To specify the IP address of the host to which DNSIX audit messages are sent, use the dnsix-nat primary command in global configuration mode. Use the no form of this command to delete an entry.

dnsix-nat primary ip-address

no dnsix-nat primary ip-address

Syntax Description

ip-address

IP address for the primary collection center.

dnsix-nat secondary

To specify an alternate IP address for the host to which DNSIX audit messages are sent, use the dnsix-nat secondary command in global configuration mode. Use the no form of this command to delete an entry.

dnsix-nat secondary ip-address

no dnsix-nat secondary ip-address

Syntax Description

ip-address

IP address for the secondary collection center.

dnsix-nat source

To start the audit-writing module and to define the audit trail source address, use the dnsix-nat source command in global configuration mode. Use the no form of this command to disable the DNSIX audit trail writing module.

dnsix-nat source ip-address

no dnsix-nat source ip-address

Syntax Description

ip-address

Source IP address for DNSIX audit messages.

dnsix-nat transmit-count

To have the audit writing module collect multiple audit messages in the buffer before sending the messages to a collection center, use the dnsix-nat transmit-count command in global configuration mode. Use the no form of this command to revert to the default audit message count.

dnsix-nat transmit-count count

no dnsix-nat transmit-count count

Syntax Description

count

Number of audit messages to buffer before transmitting to the server. It can be an integer from 1 to 200.

ip security add

To add a basic security option to all outgoing packets, use the ip security add command in interface configuration mode. Use the no form of this command to disable the adding of a basic security option to all outgoing packets.

ip security add

no ip security add

Syntax Description

This command has no arguments or keywords.

ip security aeso

To attach Auxiliary Extended Security Options (AESOs) to an interface, use the ip security aeso command in interface configuration mode. Use the no form of this command to disable AESO on an interface.

ip security aeso source compartment-bits

no ip security aeso source compartment-bits

Syntax Description

source

Extended Security Option (ESO) source. This can be an integer from 0 to 255.

compartment-bits

Compartment bits in hexadecimal.

ip security dedicated

To set the level of classification and authority on the interface, use the ip security dedicated command in interface configuration mode. Use the no form of this command to reset the interface to the default classification and authorities.

ip security dedicated level authority [authority...]

no ip security dedicated level authority [authority...]

Syntax Description

level

Degree of sensitivity of information. The level keywords are listed in Table 41.

authority

Organization that defines the set of security levels that will be used in a network. The authority keywords are listed in Table 42.


Table 41: IPSO Level Keywords and Bit Patterns

Level Keyword    Bit Pattern
Reserved4        0000 0001
TopSecret        0011 1101
Secret           0101 1010
Confidential     1001 0110
Reserved3        0110 0110
Reserved2        1100 1100
Unclassified     1010 1011
Reserved1        1111 0001


Table 42: IPSO Authority Keywords and Bit Patterns

Authority Keyword    Bit Pattern
Genser               1000 0000
Siop-Esi             0100 0000
DIA                  0010 0000
NSA                  0001 0000
DOE                  0000 1000

ip security eso-info

To configure system-wide defaults for extended IP Security Option (IPSO) information, use the ip security eso-info command in global configuration mode. Use the no form of this command to return to the default settings.

ip security eso-info source compartment-size default-bit

no ip security eso-info source compartment-size default-bit

Syntax Description

source

Hexadecimal or decimal value representing the extended IPSO source. This is an integer from 0 to 255.

compartment-size

Maximum number of bytes of compartment information allowed for a particular extended IPSO source. This is an integer from 1 to 16.

default-bit

Default bit value for any unsent compartment bits.

ip security eso-max

To specify the maximum sensitivity level for an interface, use the ip security eso-max command in interface configuration mode. Use the no form of this command to return to the default.

ip security eso-max source compartment-bits

no ip security eso-max source compartment-bits

Syntax Description

source

Extended Security Option (ESO) source. This is an integer from 1 to 255.

compartment-bits

Compartment bits in hexadecimal.

ip security eso-min

To configure the minimum sensitivity for an interface, use the ip security eso-min command in interface configuration mode. Use the no form of this command to return to the default.

ip security eso-min source compartment-bits

no ip security eso-min source compartment-bits

Syntax Description

source

Extended Security Option (ESO) source. This is an integer from 1 to 255.

compartment-bits

Compartment bits in hexadecimal.

ip security extended-allowed

To accept packets on an interface that has an extended security option present, use the ip security extended-allowed command in interface configuration mode. Use the no form of this command to restore the default.

ip security extended-allowed

no ip security extended-allowed

Syntax Description

This command has no arguments or keywords.

ip security first

To move the security option to the front of the options field of a packet, use the ip security first command in interface configuration mode. Use the no form of this command so that security options are not moved to the front of the options field.

ip security first

no ip security first

Syntax Description

This command has no arguments or keywords.

ip security ignore-authorities

To have the Cisco IOS software ignore the authorities field of all incoming packets, use the ip security ignore-authorities command in interface configuration mode. Use the no form of this command to disable this function.

ip security ignore-authorities

no ip security ignore-authorities

Syntax Description

This command has no arguments or keywords.

ip security implicit-labelling

To force the Cisco IOS software to accept packets on the interface, even if they do not include a security option, use the ip security implicit-labelling command in interface configuration mode. Use the no form of this command to require security options.

ip security implicit-labelling [level authority [authority...]]

no ip security implicit-labelling [level authority [authority...]]

Syntax Description

level

(Optional) Degree of sensitivity of information. If your interface has multilevel security set, you must specify this argument. (See the level keywords listed in Table 41 in the ip security dedicated command section.)

authority

(Optional) Organization that defines the set of security levels that will be used in a network. If your interface has multilevel security set, you must specify this argument. You can specify more than one. (See the authority keywords listed in Table 42 in the ip security dedicated command section.)

ip security multilevel

To set the range of classifications and authorities on an interface, use the ip security multilevel command in interface configuration mode. Use the no form of this command to remove security classifications and authorities.

ip security multilevel level1 [authority1...] to level2 authority2 [authority2...]

no ip security multilevel

Syntax Description

level1

Degree of sensitivity of information. The classification level of incoming packets must be equal to or greater than this value for processing to occur. (See the level keywords found in Table 41 in the ip security dedicated command section.)

authority1

(Optional) Organization that defines the set of security levels that will be used in a network. The authority bits must be a superset of this value. (See the authority keywords listed in Table 42 in the ip security dedicated command section.)

to

Separates the range of classifications and authorities.

level2

Degree of sensitivity of information. The classification level of incoming packets must be equal to or less than this value for processing to occur. (See the level keywords found in Table 41 in the ip security dedicated command section.)

authority2

Organization that defines the set of security levels that will be used in a network. The authority bits must be a proper subset of this value. (See the authority keywords listed in Table 42 in the ip security dedicated command section.)
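The following is an added example, not Cisco's code: it encodes the Table 41 and Table 42 keywords into the RFC 1108 Basic Security Option bytes, parses such an option, and applies the range and authority checks described for ip security multilevel. It assumes a sensitivity rank for the comparison (Unclassified lowest), refuses the Reserved levels, handles a single authority-flag octet only, and reads "subset" inclusively.

```python
# Added example, not Cisco code: Tables 41/42 as bit patterns, an RFC 1108
# Basic Security Option parser, and the "ip security multilevel" acceptance rule.
LEVELS = {  # Table 41: level keyword -> classification byte
    "Reserved4": 0b00000001, "TopSecret": 0b00111101, "Secret": 0b01011010,
    "Confidential": 0b10010110, "Reserved3": 0b01100110, "Reserved2": 0b11001100,
    "Unclassified": 0b10101011, "Reserved1": 0b11110001,
}
# Sensitivity order, lowest first. Assumption: the range check compares this
# rank, since the byte values themselves are not numerically ordered.
RANK = ["Unclassified", "Confidential", "Secret", "TopSecret"]
AUTHORITIES = {  # Table 42: authority keyword -> protection authority flag bit
    "Genser": 0x80, "Siop-Esi": 0x40, "DIA": 0x20, "NSA": 0x10, "DOE": 0x08,
}
BSO_TYPE = 130  # RFC 1108 Basic Security Option type code

def authority_mask(names):
    mask = 0
    for name in names:
        mask |= AUTHORITIES[name]
    return mask

def encode_bso(level, authorities):
    """Type, length, classification byte, one authority flag octet whose low
    bit (the RFC 1108 'more octets follow' indicator) is left clear."""
    return bytes([BSO_TYPE, 4, LEVELS[level], authority_mask(authorities)])

def parse_bso(option):
    """Return (level_keyword, authority_flags); raise on malformed input."""
    if len(option) != 4 or option[0] != BSO_TYPE or option[1] != 4:
        raise ValueError("malformed Basic Security Option")
    level = {v: k for k, v in LEVELS.items()}.get(option[2])
    if level is None:
        raise ValueError("unknown classification byte 0x%02x" % option[2])
    if option[3] & 0x01:
        raise ValueError("multi-octet authority field not handled here")
    return level, option[3] & 0xF8  # keep only the Table 42 flag positions

def multilevel_accepts(option, level1, auth1, level2, auth2):
    """ip security multilevel level1 [auth1...] to level2 auth2 [auth2...]:
    level inside [level1, level2], flags a superset of auth1 and (reading the
    page's 'subset' inclusively, an assumption) contained in auth2."""
    level, flags = parse_bso(option)
    if level not in RANK:  # reserved levels refused here (assumption)
        return False
    if not RANK.index(level1) <= RANK.index(level) <= RANK.index(level2):
        return False
    low, high = authority_mask(auth1), authority_mask(auth2)
    return (flags & low) == low and (flags & ~high) == 0
```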

ip security reserved-allowed

To treat as valid any packets that have Reserved1 through Reserved4 security levels, use the ip security reserved-allowed command in interface configuration mode. Use the no form of this command to not allow packets that have security levels of Reserved3 and Reserved2.

ip security reserved-allowed

no ip security reserved-allowed

Syntax Description

This command has no arguments or keywords.

ip security strip

To remove any basic security option on outgoing packets on an interface, use the ip security strip command in interface configuration mode. Use the no form of this command to restore security options.

ip security strip

no ip security strip

Syntax Description

This command has no arguments or keywords.

show dnsix

To display state information and the current configuration of the DNSIX audit writing module, use the show dnsix command in privileged EXEC mode.

show dnsix

Syntax Description

This command has no arguments or keywords.


Posted: Wed Jul 26 16:24:01 PDT 2000
Copyright © 1989-2000 Cisco Systems Inc.