Implementing Keychain Management oncisco IOS XR Software
|
|
- Kellie Stevenson
- 6 years ago
- Views:
Transcription
1 Implementing Keychain Management oncisco IOS XR Software This module describes how to implement keychain management on Cisco IOS XR software. Keychain management is a common method of authentication to configure shared secrets on all entities that exchange secrets such as keys, befe establishing trust with each other. Routing protocols and netwk management applications on Cisco IOS XR software often use authentication to enhance security while communicating with peers. Feature Histy f Implementing Keychain Management on the Cisco XR Series Router Release Modification Release This feature was introduced on Cisco XR Series Router. Release Suppt f the MAC authentication algithm was added. Suppt f hitless key rollover and key acceptance tolerance were added. Release Suppt f hitless key rollover f Open Shtest Path First (OSPF) and Intermediate System-to-Intermediate System (IS-IS) was added. Release No modification. Release No modification. Release No modification. Release No modification. Contents Prerequisites f Configuring Keychain Management, page SC-218 Restrictions f Implementing Keychain Management, page SC-218 Infmation About Implementing Keychain Management, page SC-218 How to Implement Keychain Management, page SC-219 Configuration Examples f Implementing Keychain Management, page SC-231 Additional References, page SC-231 Cisco IOS XR System Security Configuration Guide f the Cisco XR Series Router SC-217
2 Prerequisites f Configuring Keychain Management Implementing Keychain Management oncisco IOS XR Software Prerequisites f Configuring Keychain Management You must be in a user group associated with a task group that includes the proper task IDs. The command reference guides include the task IDs required f each command. If you suspect user group assignment is preventing you from using a command, contact your AAA administrat f assistance. Restrictions f Implementing Keychain Management You must be aware that changing the system clock impacts the validity of the keys in the existing configuration. Infmation About Implementing Keychain Management The keychain by itself has no relevance; therefe, it must be used by an application that needs to communicate by using the keys (f authentication) with its peers. The keychain provides a secure mechanism to handle the keys and rollover based on the lifetime. Bder Gateway Protocol (BGP), Open Shtest Path First (OSPF), and Intermediate System-to-Intermediate System (IS-IS) use the keychain to implement a hitless key rollover f authentication. BGP uses TCP authentication, which enables the authentication option and sends the Message Authentication Code (MAC) based on the cryptographic algithm configured f the keychain. F infmation about BGP, OSPF, and IS-IS keychain configurations, see Cisco IOS XR Routing Configuration GuideTo implement keychain management, you must understand the concept of key lifetime, which is explained in the next section. Lifetime of a Key If you are using keys as the security method, you must specify the lifetime f the keys and change the keys on a regular basis when they expire. To maintain stability, each party must be able to ste and use me than one key f an application at the same time. A keychain is a sequence of keys that are collectively managed f authenticating the same peer, peer group, both. Keychain management groups a sequence of keys together under a keychain and associates each key in the keychain with a lifetime. Note Any key that is configured without a lifetime is considered invalid; therefe, the key is rejected during configuration. The lifetime of a key is defined by the following options: Start-time Specifies the absolute time. End-time Specifies the absolute time that is relative to the start-time infinite time. Each key definition within the keychain must specify a time interval f which that key is activated; f example, lifetime. Then, during a given key's lifetime, routing update packets are sent with this activated key. Keys cannot be used during time periods f which they are not activated. Therefe, we recommend that f a given keychain, key activation times overlap to avoid any period of time f which no key is activated. If a time period occurs during which no key is activated, neighb authentication cannot occur; therefe, routing updates can fail. SC-218 Cisco IOS XR System Security Configuration Guide f the Cisco XR Series Router
3 Implementing Keychain Management oncisco IOS XR Software How to Implement Keychain Management Multiple keychains can be specified. How to Implement Keychain Management This section contains the following procedures: Configuring a Keychain, page SC-219 (required) Configuring a Tolerance Specification to Accept Keys, page SC-221 (required) Configuring a Key Identifier f the Keychain, page SC-222 (required) Configuring the Text f the Key String, page SC-223 (required) Determining the Valid Keys, page SC-225 (optional) Configuring the Keys to Generate Authentication Digest f the Outbound Application Traffic, page SC-227 (required) Configuring the Cryptographic Algithm, page SC-228 (required) Configuring a Keychain SUMMARY STEPS This task configures a name f the keychain. You can create modify the name of the keychain. 1. configure 2. key chain key-chain-name 3. end 4. show key chain key-chain-name Cisco IOS XR System Security Configuration Guide f the Cisco XR Series Router SC-219
4 How to Implement Keychain Management Implementing Keychain Management oncisco IOS XR Software DETAILED STEPS Step 1 Command Action configure Enters global configuration mode. Step 2 Step 3 Step 4 RP/0/0/CPU0:router# configure key chain key-chain-name RP/0/0/CPU0:router(config)# key chain isis-keys RP/0/0/CPU0:router(config-isis-keys)# end RP/0/0/CPU0:router(config-isis-keys)# end RP/0/0/CPU0:router(config-isis-keys)# show key chain key-chain-name RP/0/0/CPU0:router# show key chain isis-keys Creates a name f the keychain. Note Configuring only the keychain name without any key identifiers is considered a nonoperation. When you exit the configuration, the router does not prompt you to changes until you have configured the key identifier and at least one of the global configuration mode attributes keychain-key configuration mode attributes (f example, lifetime key string). Saves configuration changes. When you issue the end command, the system prompts you to changes: Unted changes found, them befe exiting (yes/no/cancel)? [cancel]: Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode. Entering no exits the configuration session and returns the router to EXEC mode without ting the configuration changes. Entering cancel leaves the router in the current configuration session without exiting ting the configuration changes. Use the command to save the configuration changes to the running configuration file and remain within the configuration session. (Optional) Displays the name of the keychain. Note The key-chain-name argument is optional. If you do not specify a name f the key-chain-name argument, all the keychains are displayed. What to Do Next After completing keychain configuration, see the Configuring a Tolerance Specification to Accept Keys section. SC-220 Cisco IOS XR System Security Configuration Guide f the Cisco XR Series Router
5 Implementing Keychain Management oncisco IOS XR Software How to Implement Keychain Management Configuring a Tolerance Specification to Accept Keys SUMMARY STEPS DETAILED STEPS This task configures the tolerance specification to accept keys f a keychain to facilitate a hitless key rollover f applications, such as routing and management protocols. 1. configure 2. key chain key-chain-name 3. accept-tolerance value [infinite] 4. end Step 1 Command Action configure Enters global configuration mode. Step 2 RP/0/0/CPU0:router# configure key chain key-chain-name Creates a name f the keychain. RP/0/0/CPU0:router(config)# key chain isis-keys Cisco IOS XR System Security Configuration Guide f the Cisco XR Series Router SC-221
6 How to Implement Keychain Management Implementing Keychain Management oncisco IOS XR Software Step 3 Step 4 Command Action accept-tolerance value [infinite] RP/0/0/CPU0:router(config-isis-keys)# accept-tolerance infinite end RP/0/0/CPU0:router(config-isis-keys)# end RP/0/0/CPU0:router(config-isis-keys)# Configures a tolerance value to accept keys f the keychain. Use the value argument to set the tolerance range in seconds. The range is from 1 to Use the infinite keywd to specify that the tolerance specification is infinite. Saves configuration changes. When you issue the end command, the system prompts you to changes: Unted changes found, them befe exiting (yes/no/cancel)? [cancel]: Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode. Entering no exits the configuration session and returns the router to EXEC mode without ting the configuration changes. Entering cancel leaves the router in the current configuration session without exiting ting the configuration changes. Use the command to save the configuration changes to the running configuration file and remain within the configuration session. Configuring a Key Identifier f the Keychain SUMMARY STEPS This task configures a key identifier f the keychain. You can create modify the key f the keychain. 1. configure 2. key chain key-chain-name 3. key key-id 4. end SC-222 Cisco IOS XR System Security Configuration Guide f the Cisco XR Series Router
7 Implementing Keychain Management oncisco IOS XR Software How to Implement Keychain Management DETAILED STEPS Step 1 Command Action configure Enters global configuration mode. Step 2 RP/0/0/CPU0:router# configure key chain key-chain-name Creates a name f the keychain. Step 3 Step 4 RP/0/0/CPU0:router(config)# key chain isis-keys key key-id RP/0/0/CPU0:router(config-isis-keys)# key 8 end end Creates a key f the keychain. The key ID number is translated from decimal to hexadecimal to create the command mode subprompt. Use the key-id argument as a 48-bit integer. Saves configuration changes. When you issue the end command, the system prompts you to changes: Unted changes found, them befe exiting (yes/no/cancel)? [cancel]: Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode. Entering no exits the configuration session and returns the router to EXEC mode without ting the configuration changes. Entering cancel leaves the router in the current configuration session without exiting ting the configuration changes. Use the command to save the configuration changes to the running configuration file and remain within the configuration session. What to Do Next After configuring a key identifier f the keychain, see the Configuring the Text f the Key String section. Configuring the Text f the Key String This task configures the text f the key string. Cisco IOS XR System Security Configuration Guide f the Cisco XR Series Router SC-223
8 How to Implement Keychain Management Implementing Keychain Management oncisco IOS XR Software SUMMARY STEPS 1. configure 2. key chain key-chain-name 3. key key-id 4. key-string [clear passwd] key-string-text 5. end DETAILED STEPS Step 1 Command Action configure Enters global configuration mode. Step 2 RP/0/0/CPU0:router# configure key chain key-chain-name Creates a name f the keychain. Step 3 RP/0/0/CPU0:router(config)# key chain isis-keys key key-id Creates a key f the keychain. RP/0/0/CPU0:router(config-isis-keys)# key 8 SC-224 Cisco IOS XR System Security Configuration Guide f the Cisco XR Series Router
9 Implementing Keychain Management oncisco IOS XR Software How to Implement Keychain Management Step 4 Step 5 Command Action key-string [clear passwd] key-string-text key-string passwd 8 end end Specifies the text string f the key. Use the clear keywd to specify the key string in clear text fm; use the passwd keywd to specify the key in encrypted fm. Saves configuration changes. When you issue the end command, the system prompts you to changes: Unted changes found, them befe exiting (yes/no/cancel)? [cancel]: Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode. Entering no exits the configuration session and returns the router to EXEC mode without ting the configuration changes. Entering cancel leaves the router in the current configuration session without exiting ting the configuration changes. Use the command to save the configuration changes to the running configuration file and remain within the configuration session. What to Do Next After configuring the text f the key string, see the Configuring the Keys to Generate Authentication Digest f the Outbound Application Traffic section. Determining the Valid Keys This task determines the valid keys f local applications to authenticate the remote peers. SUMMARY STEPS 1. configure 2. key chain key-chain-name 3. key key-id 4. accept-lifetime start-time [duration duration-value infinite end-time] 5. end Cisco IOS XR System Security Configuration Guide f the Cisco XR Series Router SC-225
10 How to Implement Keychain Management Implementing Keychain Management oncisco IOS XR Software DETAILED STEPS Step 1 Command Action configure Enters global configuration mode. Step 2 RP/0/0/CPU0:router# configure key chain key-chain-name Creates a a name f the keychain. Step 3 RP/0/0/CPU0:router(config)# key chain isis-keys key key-id Creates a key f the keychain. Step 4 RP/0/0/CPU0:router(config-isis-keys)# key 8 accept-lifetime start-time [duration duration-value infinite end-time] (Optional) Specifies the validity of the key lifetime in terms of clock time. Step 5 RP/0/0/CPU0:router(config-isis-keys)# key 8 accept-lifetime 1:00:00 october infinite end end Saves configuration changes. When you issue the end command, the system prompts you to changes: Unted changes found, them befe exiting (yes/no/cancel)? [cancel]: Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode. Entering no exits the configuration session and returns the router to EXEC mode without ting the configuration changes. Entering cancel leaves the router in the current configuration session without exiting ting the configuration changes. Use the command to save the configuration changes to the running configuration file and remain within the configuration session. SC-226 Cisco IOS XR System Security Configuration Guide f the Cisco XR Series Router
11 Implementing Keychain Management oncisco IOS XR Software How to Implement Keychain Management Configuring the Keys to Generate Authentication Digest f the Outbound Application Traffic SUMMARY STEPS DETAILED STEPS This task configures the keys to generate authentication digest f the outbound application traffic. 1. configure 2. key chain key-chain-name 3. key key-id 4. send-lifetime start-time [duration duration-value infinite end-time] 5. end Step 1 Command Action configure Enters global configuration mode. Step 2 RP/0/0/CPU0:router# configure key chain key-chain-name Creates a name f the keychain. Step 3 RP/0/0/CPU0:router(config)# key chain isis-keys key key-id Creates a key f the keychain. RP/0/0/CPU0:router(config-isis-keys)# key 8 Cisco IOS XR System Security Configuration Guide f the Cisco XR Series Router SC-227
12 How to Implement Keychain Management Implementing Keychain Management oncisco IOS XR Software Step 4 Step 5 Command Action send-lifetime start-time [duration duration-value infinite end-time] RP/0/0/CPU0:router(config-isis-keys)# key 8 send-lifetime 1:00:00 october infinite end end (Optional) Specifies the set time period during which an authentication key on a keychain is valid to be sent. You can specify the validity of the key lifetime in terms of clock time. In addition, you can specify a start-time value and one of the following values: duration keywd (seconds) infinite keywd end-time argument If you intend to set lifetimes on keys, Netwk Time Protocol (NTP) some other time synchronization method is recommended. Saves configuration changes. When you issue the end command, the system prompts you to changes: Unted changes found, them befe exiting (yes/no/cancel)? [cancel]: Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode. Entering no exits the configuration session and returns the router to EXEC mode without ting the configuration changes. Entering cancel leaves the router in the current configuration session without exiting ting the configuration changes. Use the command to save the configuration changes to the running configuration file and remain within the configuration session. Configuring the Cryptographic Algithm This task allows the keychain configuration to accept the choice of the cryptographic algithm. SUMMARY STEPS 1. configure 2. key chain key-chain-name 3. key key-id 4. cryptographic-algithm [HMAC-MD5 HMAC-SHA1-12 HMAC-SHA1-20 MD5 SHA-1] SC-228 Cisco IOS XR System Security Configuration Guide f the Cisco XR Series Router
13 Implementing Keychain Management oncisco IOS XR Software How to Implement Keychain Management 5. end DETAILED STEPS Step 1 Command Action configure Enters global configuration mode. Step 2 RP/0/0/CPU0:router# configure key chain key-chain-name Creates a name f the keychain. Step 3 RP/0/0/CPU0:router(config)# key chain isis-keys RP/0/0/CPU0:router(config-isis-keys)# key key-id Creates a key f the keychain. RP/0/0/CPU0:router(config-isis-keys)# key 8 Cisco IOS XR System Security Configuration Guide f the Cisco XR Series Router SC-229
14 How to Implement Keychain Management Implementing Keychain Management oncisco IOS XR Software Command Action Step 4 cryptographic-algithm [HMAC-MD5 HMAC-SHA1-12 HMAC-SHA1-20 MD5 SHA-1] Step 5 cryptographic-algithm MD5 end end Specifies the choice of the cryptographic algithm. You can choose from the following list of algithms: HMAC-MD5 HMAC-SHA1-12 HMAC-SHA1-20 MD5 SHA-1 The routing protocols each suppt a different set of cryptographic algithms: Bder Gateway Protocol (BGP) suppts only HMAC-MD5 and HMAC-SHA1-12. Intermediate System-to-Intermediate System (IS-IS) suppts only HMAC-MD5. Open Shtest Path First (OSPF) suppts only MD5 and HMAC-MD5. Saves configuration changes. When you issue the end command, the system prompts you to changes: Unted changes found, them befe exiting (yes/no/cancel)? [cancel]: Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode. Entering no exits the configuration session and returns the router to EXEC mode without ting the configuration changes. Entering cancel leaves the router in the current configuration session without exiting ting the configuration changes. Use the command to save the configuration changes to the running configuration file and remain within the configuration session. SC-230 Cisco IOS XR System Security Configuration Guide f the Cisco XR Series Router
15 Implementing Keychain Management oncisco IOS XR Software Configuration Examples f Implementing Keychain Management Configuration Examples f Implementing Keychain Management This section provides the following configuration example: Configuring Keychain Management: Example, page SC-231 Configuring Keychain Management: Example The following example shows how to configure keychain management: configure key chain isis-keys accept-tolerance infinite key 8 key-string mykey91abcd cryptographic-algithm MD5 send-lifetime 1:00:00 june infinite accept-lifetime 1:00:00 june infinite end Unted changes found, them? [yes]: yes show key chain isis-keys Key-chain: isis-keys/ - accept-tolerance -- infinite Key 8 -- text " E120B " cryptographic-algithm -- MD5 Send lifetime: 01:00:00, 29 Jun Always valid [Valid now] Accept lifetime: 01:00:00, 29 Jun Always valid [Valid now] Additional References The following sections provide references related to implementing keychain management. Related Documents Related Topic Keychain management commands: complete command syntax, command modes, command histy, defaults, usage guidelines, and examples Document Title Keychain Management Commands on Cisco IOS XR Software module in Cisco IOS XR System Security Command Reference Cisco IOS XR System Security Configuration Guide f the Cisco XR Series Router SC-231
16 Additional References Implementing Keychain Management oncisco IOS XR Software Standards Standards No new modified standards are suppted by this feature, and suppt f existing standards has not been modified by this feature. Title MIBs MIBs MIBs Link To locate and download MIBs using Cisco IOS XR software, use the Cisco MIB Locat found at the following URL and choose a platfm under the Cisco Access Products menu: RFCs RFCs No new modified RFCs are suppted by this feature. Title Technical Assistance Description The Cisco Technical Suppt website contains thousands of pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even me content. Link SC-232 Cisco IOS XR System Security Configuration Guide f the Cisco XR Series Router
Keychain Management Commands
This module describes the commands used to configure keychain management. For detailed information about keychain management concepts, configuration tasks, and examples, see the Implementing Keychain Management
More informationConfiguring Bidirectional Forwarding Detection on Cisco IOS XR
Configuring Bidirectional Fwarding Detection on Cisco IOS XR Bidirectional fwarding detection (BFD) provides low-overhead, sht-duration detection of failures in the path between adjacent fwarding engines.
More informationImplementing Layer 2 Access Lists
Implementing Layer 2 Access Lists An Ethernet services access control list (ACL) consists of one me access control entries (ACE) that collectively define the Layer 2 netwk traffic profile. This profile
More informationConfiguring ARP on Cisco ASR 9000 Series Routers
Configuring ARP on Cisco ASR 9000 Series Routers Address resolution is the process of mapping netwk addresses to Media Access Control (MAC) addresses. This process is accomplished using the Address Resolution
More informationConfiguring Virtual Loopback and Null Interfaces on Cisco IOS XR Software
Configuring Virtual Loopback and Null Interfaces on Cisco IOS XR Software This module describes the configuration of loopback and null interfaces on routers suppting Cisco IOS XR software. Loopback and
More informationConfiguring Virtual Loopback and Null Interfaces on Cisco IOS XR Software
Configuring Virtual Loopback and Null Interfaces on Cisco IOS XR Software This module describes the configuration of loopback and null interfaces on the Cisco CRS Router. Loopback and null interfaces are
More informationImplementing Management Plane Protection on Cisco IOS XR Software
Implementing Management Plane Protection on Cisco IOS XR Software The Management Plane Protection (MPP) feature in Cisco IOS XR software provides the capability to restrict the interfaces on which network
More informationConfiguring Clear Channel SONET Controllers on the Cisco ASR 9000 Series Router
Configuring Clear Channel SONET Controllers on the Cisco ASR 9000 Series Router This module describes the configuration of clear channel SONET controllers on the Cisco ASR 9000 Series Router. SONET controller
More informationAdvanced Configuration and Modification of the Management Ethernet Interface on the Cisco ASR 9000 Series Router
Advanced Configuration and Modification of the Management Ethernet Interface on the Cisco ASR 9000 Series Router This module describes the configuration of Management Ethernet interfaces on the Cisco ASR
More informationImplementing Static Routes on Cisco IOS XR Software
Implementing Static Routes on Cisco IOS XR Software This module describes how to implement static routes. Static routes are user-defined routes that cause packets moving between a source and a destination
More informationOSPFv2 Cryptographic Authentication
To prevent unauthorized or invalid routing updates in your network, Open Shortest Path First version 2 (OSPFv2) protocol packets must be authenticated. There are two methods of authentication that are
More informationImplementing MPLS Layer 3 VPNs
Implementing MPLS Layer 3 VPNs A Multiprotocol Label Switching (MPLS) Layer 3 Virtual Private Netwk (VPN) consists of a set of sites that are interconnected by means of an MPLS provider ce netwk. At each
More informationConfiguring Tunnel Interfaces on Cisco IOS XR Software
Configuring Tunnel Interfaces on Cisco IOS XR Software This module describes the configuration of Tunnel-IPSec interfaces on the Cisco CRS Router. Tunnel interfaces are virtual interfaces that provide
More informationConfiguring Serial Interfaces on the Cisco ASR 9000 Series Router
Configuring Serial Interfaces on the Cisco ASR 9000 Series Router This module describes the configuration of serial interfaces on the Cisco ASR 9000 Series Router. Feature Histy f Configuring Serial Controller
More informationConfiguring SRP Interfaces on Cisco IOS XR Software
Configuring SRP Interfaces on Cisco IOS XR Software This module describes how to configure the Spatial Reuse Protocol (SRP) on suppted Cisco Dynamic Packet Transpt (DPT) interfaces on the Cisco CRS Router.
More informationImplementing Access Lists and Prefix Lists on Cisco ASR 9000 Series Routers
Implementing Access Lists and Prefix Lists on Cisco ASR 9000 Series Routers An access control list (ACL) consists of one me access control entries (ACE) that collectively define the netwk traffic profile.
More informationReset and Restart Cisco Unified IP Phones
Infmation About Resetting and Restarting Phones, on page 1 Reset and Restart Phones, on page 2 Feature Infmation f Reset and Restart Phones, on page 8 Infmation About Resetting and Restarting Phones Differences
More informationImplementing Secure Shell
Implementing Secure Shell Secure Shell (SSH) is an application and a protocol that provides a secure replacement to the Berkeley r-tools. The protocol secures sessions using standard cryptographic mechanisms,
More informationImplementing Virtual Private LAN Services
Implementing Virtual Private LAN Services This module provides the conceptual and configuration infmation f Virtual Private LAN Services (VPLS) on Cisco IOS XR software. VPLS suppts Layer 2 VPN technology
More informationImplementing Internet Key Exchange Security Protocol
Implementing Internet Key Exchange Security Protocol Internet Key Exchange (IKE) is a key management protocol standard that is used in conjunction with the IP Security (IPSec) standard. IPSec is a feature
More informationConfiguring Logical Routers on Cisco IOS XR Software
Configuring Logical Routers on Cisco IOS XR Software Logical routers (LRs) are a means of dividing a single physical system into multiple logically separated routers. LRs represent a relatively coarse
More informationOSPFv3 Commands. address-family (OSPFv3), page 4. authentication (OSPFv3), page 7
This module describes the commands used to configure and monitor the IP Version 6 (IPv6) Open Shortest Path First Version 3 (OSPFv3) routing protocol. For detailed information about OSPFv3 concepts, configuration
More informationImplementing NTP. Release 3.8.0
Network Time Protocol (NTP) is a protocol designed to time-synchronize devices within a network. Cisco IOS XR software implements NTPv4. NTPv4 retains backwards compatibility with the older versions of
More informationImplementing OSPF on Cisco IOS XR Software
Implementing OSPF on Cisco IOS XR Software Open Shtest Path First (OSPF) is an Interi Gateway Protocol (IGP) developed by the OSPF wking group of the Internet Engineering Task Fce (IETF). Designed expressly
More informationImplementing NTP. Support was added for IPv6 addresses, VRFs, multicast-based associations, and burst and iburst modes for poll-based associations.
Network Time Protocol (NTP) is a protocol designed to time-synchronize devices within a network. Cisco IOS XR software implements NTPv4. NTPv4 retains backwards compatibility with the older versions of
More informationConfiguring LAN/WAN-PHY Controllers on Cisco IOS XR Software
Configuring LAN/WAN-PHY Controllers on Cisco IOS XR Software This module describes the configuration of LAN/WAN-PHY controllers on the Cisco CRS Router. Feature Histy f Configuring LAN/WAN-PHY Controller
More informationIPsec Dead Peer Detection Periodic Message Option
IPsec Dead Peer Detection Periodic Message The IPsec Dead Peer Detection Periodic Message feature is used to configure the router to query the liveliness of its Internet Key Exchange (IKE) peer at regular
More informationCisco Mobile Networks Tunnel Templates for Multicast
Cisco Mobile Networks Tunnel Templates for Multicast The Cisco Mobile Networks--Tunnel Templates for Multicast feature allows the configuration of multicast on statically created tunnels to be applied
More informationRSVP Message Authentication
RSVP Message Authentication First Published: March 17, 2003 Last Updated: August 6, 2007 The Resource Reservation Protocol (RSVP) Message Authentication feature provides a secure method to control quality
More informationImplementing BGP on Cisco ASR 9000 Series Routers
Implementing BGP on Cisco ASR 9000 Series Routers Bder Gateway Protocol (BGP) is an Exteri Gateway Protocol (EGP) that allows you to create loop-free interdomain routing between autonomous systems. This
More informationImplementing Static Routes
This module describes how to implement static routes. Static routes are user-defined routes that cause packets moving between a source and a destination to take a specified path. Static routes can be important
More informationRSVP Message Authentication
RSVP Message Authentication Last Updated: January 12, 2012 The Resource Reservation Protocol (RSVP) Message Authentication feature provides a secure method to control quality of service (QoS) access to
More informationIP Routing Protocol-Independent Commands
IP Routing Protocol-Independent Commands Use the commands in this chapter to configure and monitor the features that are routing protocol-independent. For configuration information and examples on IP routing
More informationRSVP Message Authentication
RSVP Message Authentication Last Updated: December 10, 2012 The Resource Reservation Protocol (RSVP) Message Authentication feature provides a secure method to control quality of service (QoS) access to
More informationImplementing OSPF on Cisco IOS XR Software
Open Shtest Path First (OSPF) is an Interi Gateway Protocol (IGP) developed by the OSPF wking group of the Internet Engineering Task Fce (IETF). Designed expressly f IP netwks, OSPF suppts IP subnetting
More informationImplementing OSPF on Cisco ASR 9000 Series Routers
Implementing OSPF on Cisco ASR 9000 Series Routers Open Shtest Path First (OSPF) is an Interi Gateway Protocol (IGP) developed by the OSPF wking group of the Internet Engineering Task Fce (IETF). This
More informationImplementing Management Plane Protection
The Management Plane Protection (MPP) feature in Cisco IOS XR software provides the capability to restrict the interfaces on which network management packets are allowed to enter a device. The MPP feature
More informationConfiguring Transports
This module provides information about Nonstop Routing (NSR), Transmission Control Protocol (TCP), and User Datagram Protocol (UDP) transports on Cisco ASR 9000 Series Aggregation Services Routers. If
More informationEIGRP Support for Route Map Filtering
The feature enables Enhanced Interior Gateway Routing Protocol (EIGRP) to interoperate with other protocols to leverage additional routing functionality by filtering inbound and outbound traffic based
More informationConfiguring Transports
This module provides information about Nonstop Routing (NSR), Stream Control Transmission Protocol (SCTP), Transmission Control Protocol (TCP), User Datagram Protocol (UDP ), and RAW Transports. If you
More informationImplementing MPLS Forwarding
All Multiprotocol Label Switching (MPLS) features require a core set of MPLS label management and forwarding services; the MPLS Forwarding Infrastructure (MFI) supplies these services. Feature History
More informationBasic IP Routing. Finding Feature Information. Information About Basic IP Routing. Variable-Length Subnet Masks
This module describes how to configure basic IP routing. The Internet Protocol (IP) is a network layer (Layer 3) protocol that contains addressing information and some control information that enables
More informationHSRP MD5 Authentication
Finding Feature Information, page 1 Information About, page 1 How to Configure, page 2 Configuration Examples for, page 8 Additional References, page 9 Feature Information for, page 10 Finding Feature
More informationOSPF Limit on Number of Redistributed Routes
Open Shortest Path First (OSPF) supports a user-defined maximum number of prefixes (routes) that are allowed to be redistributed into OSPF from other protocols or other OSPF processes. Such a limit could
More informationConfiguring Dense Wavelength Division Multiplexing Controllers on the Cisco ASR 9000 Series Router
Configuring Dense Wavelength Division Multiplexing Controllers on the Cisco ASR 9000 Series Router This module describes the configuration of dense wavelength division multiplexing (DWDM) controllers on
More informationTo implement LPTS features mentioned in this document you must understand the following concepts:
Local Packet Transport Services (LPTS) maintains tables describing all packet flows destined for the secure domain router (SDR), making sure that packets are delivered to their intended destinations. For
More informationBasic IP Routing. Finding Feature Information. Information About Basic IP Routing. Variable-Length Subnet Masks
This module describes how to configure basic IP routing. The Internet Protocol (IP) is a network layer (Layer 3) protocol that contains addressing information and some control information that enables
More informationRIP Commands. output-delay, page 32 passive-interface (RIP), page 33 poison-reverse, page 35 receive version, page 37 redistribute (RIP), page 39
RIP Commands This module describes the commands used to configure and monitor the Routing Information Protocol (RIP). For detailed information about RIP concepts, configuration tasks, and examples, see
More informationImplementing Secure Socket Layer
This module describes how to implement SSL. The Secure Socket Layer (SSL) protocol and Transport Layer Security (TLS) are application-level protocols that provide for secure communication between a client
More informationIS-IS Configuration Commands. Generic Commands. shutdown IS-IS XRS Routing Protocols Guide Page 533. Syntax [no] shutdown
IS-IS IS-IS Configuration Commands Generic Commands shutdown Syntax [no] shutdown config>router>isis>interface ip-int-name config>router>isis>if>level level-number config>router>isis>if>segment-routing
More informationImplementing RIP for IPv6
Implementing RIP for IPv6 This module describes how to configure Routing Information Protocol for IPv6. RIP is a distance-vector routing protocol that uses hop count as a routing metric. RIP is an Interior
More informationBGP Enforce the First Autonomous System Path
BGP Enforce the First Autonomous System Path The BGP Enforce the First Autonomous System Path feature is used to configure a Border Gateway Protocol (BGP) routing process to discard updates received from
More informationCisco IOS-XR Routing Configuration Guide
Cisco IOS-XR Software Release 2.0 Cpate Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 526-4100 Text
More informationSSH Algorithms for Common Criteria Certification
The feature provides the list and order of the algorithms that are allowed for Common Criteria Certification. This module describes how to configure the encryption, Message Authentication Code (MAC), and
More informationDHCP Server RADIUS Proxy
The Dynamic Host Configuration Protocol (DHCP) Server RADIUS Proxy is a RADIUS-based address assignment mechanism in which a DHCP server authorizes remote clients and allocates addresses based on replies
More informationIPsec Anti-Replay Window Expanding and Disabling
IPsec Anti-Replay Window Expanding and Disabling Cisco IP security (IPsec) authentication provides anti-replay protection against an attacker duplicating encrypted packets by assigning a unique sequence
More informationR&E ROUTING SECURITY BEST PRACTICES. Grover Browning Karl Newell
R&E ROUTING SECURITY BEST PRACTICES Grover Browning Karl Newell RFC 7454 BGP Operations & Security Feb, 2015 https://tools.ietf.org/html/rfc7454 [ 2 ] Agenda Background / Community Development Overview
More informationPre-Fragmentation for IPSec VPNs
Pre-Fragmentation for IPSec VPNs Feature History Release 12.1(11b)E 12.2(13)T 12.2(14)S Modification This feature was introduced. This feature was integrated into Cisco IOS Release 12.2(13)T. This feature
More informationService Advertisement Framework Configuration Guide, Cisco IOS Release 12.2SX
Service Advertisement Framework Configuration Guide, Cisco IOS Release 12.2SX Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000
More informationThe MSCHAP Version 2 feature (introduced in Cisco IOS Release 12.2(2)XB5) allows Cisco routers to
The feature (introduced in Cisco IOS Release 12.2(2)XB5) allows Cisco routers to utilize Microsoft Challenge Handshake Authentication Protocol Version 2 (MSCHAP V2) authentication for PPP connections between
More informationSuppress BGP Advertisement for Inactive Routes
Suppress BGP Advertisement for Inactive Routes The Suppress BGP Advertisements for Inactive Routes features allows you to configure the suppression of advertisements for routes that are not installed in
More informationDistributed Traffic Shaping for Line Cards in the Cisco Gigabit Switch Router
Distributed Traffic Shaping for Line Cards in the Cisco 12000 Gigabit Switch Router This document describes the Distributed Traffic Shaping (DTS) feature for the 12000 series Gigabit Route Processor line
More informationOSPF Incremental SPF
OSPF Incremental SPF The Open Shortest Path First (OSPF) protocol can be configured to use an incremental SPF algorithm for calculating the shortest path first routes. Incremental SPF is more efficient
More informationBGP NSF Awareness. Finding Feature Information
Nonstop Forwarding (NSF) awareness allows a device to assist NSF-capable neighbors to continue forwarding packets during a Stateful Switchover (SSO) operation. The feature allows an NSF-aware device that
More informationstandby arp gratuitous through track vrrp
standby arp gratuitous, page 2 standby authentication, page 4 standby bfd, page 7 standby bfd all-interfaces, page 9 standby delay minimum reload, page 11 standby follow, page 13 standby ip, page 15 standby
More informationConfiguring Management Interfaces on Cisco IOS XR Software
Configuring Management Interfaces on Cisco IOS XR Software This module describes configuration procedures for management interfaces on the route processors (RPs). Although the management interfaces on
More informationBGP Route Reflector Commands
This chapter provides details of the commands used for configuring Border Gateway Protocol (BGP) Route Reflector (RR). address-family (BGP), on page 2 keychain, on page 5 neighbor (BGP), on page 7 remote-as
More informationImplementing LPTS. Prerequisites for Implementing LPTS. Information About Implementing LPTS
Local Packet Transport Services (LPTS) maintains tables describing all packet flows destined for the secure domain router (SDR), making sure that packets are delivered to their intended destinations. For
More informationConfiguring OSPF with CLI
OSPF Configuring OSPF with CLI This section provides information to configure Open Shortest Path First (OSPF) using the command line interface. Topics in this section include: OSPF Configuration Guidelines
More informationConfiguring VRRP. Finding Feature Information. Contents
Configuring VRRP First Published: May 2, 2005 Last Updated: July 30, 2010 The Virtual Router Redundancy Protocol (VRRP) is an election protocol that dynamically assigns responsibility for one or more virtual
More informationIS-IS Incremental SPF
IS-IS Incremental SPF Integrated Intermediate System-to-Intermediate System (IS-IS) can be configured to use an incremental SPF algorithm for calculating the shortest path first routes. Incremental SPF
More informationSignaling IS-IS When dcef Is Disabled
Signaling IS-IS When dcef Is Disabled Feature History Release 12.0(10)S 12.0(10)ST Modification This feature was introduced. This command was integrated into T. This feature module describes the Signaling
More informationWCCPv2 and WCCP Enhancements
WCCPv2 and WCCP Enhancements Release 12.0(11)S June 20, 2000 This feature module describes the Web Cache Communication Protocol (WCCP) Enhancements feature and includes information on the benefits of the
More informationCisco IOS XR MPLS Configuration Guide
Cisco IOS XR Software Release 3.7 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883
More informationOSPF RFC 3623 Graceful Restart Helper Mode
First Published: February 27, 2006 Last Updated: February 27, 2006 This document focuses on non-stop forwarding (NSF) helper mode for OSPFv2 in Cisco IOS software, using IETF standardized graceful restart
More informationConfiguring ARP. Prerequisites for Configuring ARP. Restrictions for Configuring ARP
Address resolution is the process of mapping network addresses to Media Access Control (MAC) addresses. This process is accomplished using the Address Resolution Protocol (ARP). This module describes how
More informationGET VPN Resiliency. Finding Feature Information. Prerequisites for GET VPN Resiliency
The feature improves the resiliency of Cisco Group Encrypted Transport (GET) VPN so that data traffic disruption is prevented or minimized when errors occur. Finding Feature Information, page 1 Prerequisites
More informationConfiguring a Basic Wireless LAN Connection
This module describes how to configure a wireless LAN (WLAN) connection between a wireless device, such as a laptop computer or mobile phone, and a Cisco 800, 1800 (fixed and modular), 2800, or 3800 series
More informationCOPS Engine Operation
This document describes the Common Open Policy Service (COPS) engine feature on the Cisco CMTS routers. The Cisco CMTS routers also support Access control lists (ACLs) with the COPS engine. Finding Feature
More informationIEEE 802.1X Multiple Authentication
The feature provides a means of authenticating multiple hosts on a single port. With both 802.1X and non-802.1x devices, multiple hosts can be authenticated using different methods. Each host is individually
More informationMPLS VPN ID. Feature Overview. This feature was introduced. Support for this feature was integrated into Cisco IOS Release 12.2(4)B.
MPLS VPN ID Feature History Release 12.0(17)ST 12.2(4)B Modification This feature was introduced. Support for this feature was integrated into. This document describes the MPLS VPN ID feature in and includes
More informationRestrictions for Secure Copy Performance Improvement
The Protocol (SCP) feature provides a secure and authenticated method for copying router configuration or router image files. SCP relies on Secure Shell (SSH), an application and a protocol that provide
More informationImplementing the Dynamic Host Configuration Protocol
Implementing the Dynamic Host Configuration Protocol This module describes the concepts and tasks you will use to Dynamic Host Configuration Protocol (DHCP). Feature History for Implementing the Dynamic
More informationL2TP IPsec Support for NAT and PAT Windows Clients
L2TP IPsec Support for NAT and PAT Windows Clients The L2TP IPsec Support for NAT and PAT Windows Clients feature allows mulitple Windows client to connect to an IPsec-enabled Cisco IOS Layer 2 Tunneling
More informationRADIUS Packet of Disconnect
First Published: March 19, 2001 Last Updated: October 2, 2009 The feature is used to terminate a connected voice call. Finding Feature Information Your software release may not support all the features
More informationMPLS LDP Autoconfiguration
First Published: November 8, 2004 Last Updated: November 25, 2009 The feature enables you to globally configure Label Distribution Protocol (LDP) on every interface associated with a specified Interior
More informationService Advertisement Framework Configuration Guide, Cisco IOS XE Release 3S
Service Advertisement Framework Configuration Guide, Cisco IOS XE Release 3S Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000
More informationOSPF Commands on Cisco IOS XR Software
This module describes the commands used to configure and monitor the Open Shortest Path First (OSPF) routing protocol. For detailed information about OSPF concepts, configuration tasks, and examples, see
More informationOSPF Commands on Cisco ASR 9000 Series Router
OSPF Commands on Cisco ASR 9000 Series Router This module describes the commands used to configure and monitor the Open Shortest Path First (OSPF) routing protocol. For detailed information about OSPF
More informationDHCP Server Port-Based Address Allocation
The feature provides port-based address allocation support on the Cisco IOS Dynamic Host Configuration Protocol (DHCP) server for the Ethernet platform. The DHCP server provides address assignment support
More informationCOPS Engine Operation
This document describes the Common Open Policy Service (COPS) engine feature on the Cisco CMTS routers. The Cisco CMTS routers also support Access control lists (ACLs) with the COPS engine. Finding Feature
More informationConfiguring Integrated IS-IS Protocol Shutdown Support Maintaining Configuration Parameters
Configuring Integrated IS-IS Protocol Shutdown Support Maintaining Configuration Parameters The Integrated IS-IS Protocol Shutdown Support Maintaining Configuration Parameters feature allows you to disable
More informationSecure Shell Version 2 Support
Secure Shell Version 2 Support Last Updated: January 16, 2012 The Secure Shell Version 2 Support feature allows you to configure Secure Shell (SSH) Version 2. SSH runs on top of a reliable transport layer
More informationCipher Suite Configuration Mode Commands
The Cipher Suite Configuration Mode is used to configure the building blocks for SSL cipher suites, including the encryption algorithm, hash function, and key exchange. Important The commands or keywords/variables
More informationExcessive ARP Punt Protection was supported.
Local Packet Transport Services (LPTS) maintains tables describing all packet flows destined for the secure domain router (SDR), making sure that packets are delivered to their intended destinations. For
More informationConfiguring NetFlow Top Talkers using Cisco IOS CLI Commands or SNMP Commands
Configuring NetFlow Top Talkers using Cisco IOS CLI Commands or SNMP Commands This module contains information about and instructions for configuring NetFlow Top Talkers feature. The NetFlow Top Talkers
More informationRSVP Message Authentication
RSVP Message Authentication The Resource Reservation Protocol (RSVP) Message Authentication feature provides a secure method to control quality of service (QoS) access to a network. Feature Specifications
More informationIPsec NAT Transparency
The feature introduces support for IP Security (IPsec) traffic to travel through Network Address Translation (NAT) or Port Address Translation (PAT) points in the network by addressing many known incompatibilities
More informationSSG Service Profile Caching
SSG Service Profile Caching The SSG Service Profile Caching feature enhances the authentication process for Service Selection Gateway services by allowing users to authenticate a service using the service
More informationIPsec Anti-Replay Window: Expanding and Disabling
IPsec Anti-Replay Window: Expanding and Disabling First Published: February 28, 2005 Last Updated: March 24, 2011 Cisco IP security (IPsec) authentication provides anti-replay protection against an attacker
More information