IP Security Options Commands

This chapter describes the function and displays the syntax for IP Security Options (IPSO) commands. For more information about defaults and usage guidelines, see the corresponding chapter of the Security Command Reference.

dnsix-dmdp retries

To set the retransmit count used by the Department of Defense Intelligence Information System Network Security for Information Exchange (DNSIX) Message Delivery Protocol (DMDP), use the dnsix-dmdp retries global configuration command. To restore the default number of retries, use the no form of this command.

dnsix-dmdp retries count
no dnsix-dmdp retries count


count Number of times DMDP will retransmit a message. It can be an integer from 0 to 200. The default is 4 retries, or until acknowledged.

dnsix-nat authorized-redirection

To specify the address of a collection center that is authorized to change the primary and secondary addresses of the host to receive audit messages, use the dnsix-nat authorized-redirection global configuration command. To delete an address, use the no form of this command.

dnsix-nat authorized-redirection ip-address
no dnsix-nat authorized-redirection ip-address


ip-address IP address of the host from which redirection requests are permitted.

dnsix-nat primary

To specify the IP address of the host to which DNSIX audit messages are sent, use the dnsix-nat primary global configuration command. To delete an entry, use the no form of this command.

dnsix-nat primary ip-address
no dnsix-nat primary ip-address

ip-address IP address for the primary collection center.

dnsix-nat secondary

To specify an alternate IP address for the host to which DNSIX audit messages are sent, use the dnsix-nat secondary global configuration command. To delete an entry, use the no form of this command.

dnsix-nat secondary ip-address
no dnsix-nat secondary ip-address

ip-address IP address for the secondary collection center.

dnsix-nat source

To start the audit-writing module and to define the audit trail source address, use the dnsix-nat source global configuration command. To disable the DNSIX audit trail writing module, use the no form of this command.

dnsix-nat source ip-address
no dnsix-nat source ip-address


ip-address Source IP address for DNSIX audit messages.

dnsix-nat transmit-count

To have the audit writing module collect multiple audit messages in the buffer before sending the messages to a collection center, use the dnsix-nat transmit-count global configuration command. To revert to the default audit message count, use the no form of this command.

dnsix-nat transmit-count count
no dnsix-nat transmit-count count

count Number of audit messages to buffer before transmitting to the server. It can be an integer from 1 to 200.

ip security add

To add a basic security option to all outgoing packets, use the ip security add interface configuration command. To disable the adding of a basic security option to all outgoing packets, use the no form of this command.

ip security add
no ip security add

ip security aeso

To attach Auxiliary Extended Security Options (AESOs) to an interface, use the ip security aeso interface configuration command. To disable AESO on an interface, use the no form of this command.

ip security aeso source compartment-bits
no ip security aeso source compartment-bits

source Extended Security Option (ESO) source. This can be an integer from 0 to 255.
compartment-bits Compartment bits in hexadecimal.

ip security dedicated

To set the level of classification and authority on the interface, use the ip security dedicated interface configuration command. To reset the interface to the default classification and authorities, use the no form of this command.

ip security dedicated level authority [authority...]
no ip security dedicated level authority [authority...]


level Degree of sensitivity of information.
authority Organization that defines the set of security levels that will be used in a network.

ip security eso-info

To configure system-wide defaults for extended IP Security Option (IPSO) information, use the ip security eso-info global configuration command. To return to the default settings, use the no form of this command.

ip security eso-info source compartment-size default-bit
no ip security eso-info source compartment-size default-bit


source Hexadecimal or decimal value representing the extended IPSO source. This is an integer from 0 to 255.
compartment-size Maximum number of bytes of compartment information allowed for a particular extended IPSO source. This is an integer from 1 to 16.
default-bit Default bit value for any unsent compartment bits.

ip security eso-max

To specify the maximum sensitivity level for an interface, use the ip security eso-max interface configuration command. To return to the default, use the no form of this command.

ip security eso-max source compartment-bits
no ip security eso-max source compartment-bits

source Extended Security Option (ESO) source. This is an integer from 1 to 255.
compartment-bits Compartment bits in hexadecimal.

ip security eso-min

To configure the minimum sensitivity for an interface, use the ip security eso-min interface configuration command. To return to the default, use the no form of this command.

ip security eso-min source compartment-bits
no ip security eso-min source compartment-bits

source Extended Security Option (ESO) source. This is an integer from 1 to 255.
compartment-bits Compartment bits in hexadecimal.

ip security extended-allowed

To accept packets on an interface that has an extended security option present, use the ip security extended-allowed interface configuration command. To restore the default, use the no form of this command.

ip security extended-allowed
no ip security extended-allowed

ip security first

To prioritize the presence of security options on a packet, use the ip security first interface configuration command. To disable this function, use the no form of this command.

ip security first
no ip security first

ip security ignore-authorities

To have the Cisco IOS software ignore the authorities field of all incoming packets, use the ip security ignore-authorities interface configuration command. To disable this function, use the no form of this command.

ip security ignore-authorities
no ip security ignore-authorities

ip security implicit-labelling

To force the Cisco IOS software to accept packets on the interface, even if they do not include a security option, use the ip security implicit-labelling interface configuration command. To disable this function, use the no form of this command.

ip security implicit-labelling [level authority [authority...]]
no ip security implicit-labelling [level authority [authority...]]


level (Optional) Degree of sensitivity of information. If your interface has multilevel security set, you must specify this argument.
authority (Optional) Organization that defines the set of security levels that will be used in a network. If your interface has multilevel security set, you must specify this argument. You can specify more than one.

ip security multilevel

To set the range of classifications and authorities on an interface, use the ip security multilevel interface configuration command. To disable this function, use the no form of this command.

ip security multilevel level1 [authority1...] to level2 authority2 [authority2...]
no ip security multilevel


level1 Degree of sensitivity of information. The classification level of incoming packets must be equal to or greater than this value for processing to occur.
authority1 (Optional) Organization that defines the set of security levels that will be used in a network. The authority bits must be a superset of this value.
to Separates the range of classifications and authorities.
level2 Degree of sensitivity of information. The classification level of incoming packets must be equal to or less than this value for processing to occur.
authority2 Organization that defines the set of security levels that will be used in a network. The authority bits must be a proper subset of this value.
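
The range check described by the level1, authority1, level2 and authority2 arguments above, modelled as an added example (not Cisco code and not part of the original chapter). The level ordering, the authority flag names and their bit values are assumptions taken from RFC 1108, and the function names and the proper parameter are hypothetical.

```python
# Added illustration, not Cisco code. Models the accept rule as worded above.
# Assumptions (RFC 1108, not this page): the level ordering and the
# protection-authority flag names and bit values.
LEVEL_RANK = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "TopSecret": 3}
AUTHORITY_BIT = {"GENSER": 0x80, "SIOP-ESI": 0x40, "SCI": 0x20,
                 "NSA": 0x10, "DOE": 0x08}


def authority_mask(names):
    """OR the named authority flags into one bit mask."""
    mask = 0
    for name in names:
        mask |= AUTHORITY_BIT[name]
    return mask


def multilevel_accepts(pkt_level, pkt_auth, level1, auth1, level2, auth2,
                       proper=True):
    """Return (accepted, reason) for a packet label against a multilevel range.

    proper=True follows the page's wording ("proper subset" of authority2);
    proper=False models a plain subset so the two readings can be compared.
    """
    rank = LEVEL_RANK[pkt_level]
    if rank < LEVEL_RANK[level1]:
        return False, "level below level1"
    if rank > LEVEL_RANK[level2]:
        return False, "level above level2"
    pkt, low, high = (authority_mask(a) for a in (pkt_auth, auth1, auth2))
    if pkt & low != low:
        return False, "authority bits not a superset of authority1"
    if pkt & ~high:
        return False, "authority bits outside authority2"
    if proper and pkt == high:
        return False, "authority bits equal authority2 (not a proper subset)"
    return True, "accepted"


if __name__ == "__main__":
    # Constructed range: Confidential GENSER to TopSecret GENSER NSA
    rng = ("Confidential", ["GENSER"], "TopSecret", ["GENSER", "NSA"])
    for level, auth in [("Secret", ["GENSER"]), ("Unclassified", ["GENSER"]),
                        ("Secret", ["NSA"]), ("Secret", ["GENSER", "DOE"]),
                        ("Secret", ["GENSER", "NSA"])]:
        print(level, auth, multilevel_accepts(level, auth, *rng))
```

In this model, a range whose authority1 and authority2 masks are identical accepts nothing under the proper-subset reading, so compare both readings against observed behavior on a lab interface.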

ip security reserved-allowed

To treat as valid any packets that have Reserved1 through Reserved4 security levels, use the ip security reserved-allowed interface configuration command. To disable this feature, use the no form of this command.

ip security reserved-allowed
no ip security reserved-allowed

ip security strip

To remove any basic security option on outgoing packets on an interface, use the ip security strip interface configuration command. To disable this function, use the no form of this command.

ip security strip
no ip security strip

show dnsix

To display state information and the current configuration of the DNSIX audit writing module, use the show dnsix privileged EXEC command.

show dnsix

Copyright 1989-1998 © Cisco Systems Inc.