Cisco IOS XR Configuration Manual

System security configuration guide

Cisco IOS XR System Security
Configuration Guide
Cisco IOS XR Software Release 3.5
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
Text Part Number: OL-12287-01


Summary of Contents for Cisco IOS XR

  • Pages 3-10: Table Of Contents (excerpts; SC-n are the guide's own page numbers)

    Implementing Certification Authority Interoperability on Cisco IOS XR Software
      Additional References: Standards SC-16; MIBs SC-17; RFCs SC-17; Technical Assistance SC-17
    Implementing Internet Key Exchange Security Protocol on Cisco IOS XR Software SC-19
      Contents SC-20; Prerequisites SC-20; Information About Implementing IKE Security Protocol Configurations for IPSec Networks SC-20; Supported Standards SC-21 ...
      Call Admission Control SC-30; Information About IP Security VPN Monitoring SC-31; Information About IKE for the Cisco IPSec VPN SPA on Cisco IOS XR Software SC-32; IPSec Dead Peer Detection Periodic Message Option SC-32; How to Implement IKE Security Protocol Configurations for IPSec Networks ...
    Implementing Keychain Management on Cisco IOS XR Software
      Additional References: Standards SC-88; MIBs SC-89; RFCs SC-89; Technical Assistance SC-89
    Implementing IPSec Network Security on Cisco IOS XR Software SC-91
      Contents SC-92; Prerequisites for Implementing IPSec Network Security SC-92; Restrictions for Implementing IPSec Network Security SC-93; Restrictions for Implementing IPSec Network with a ...
      Prefragmentation for Cisco IPSec VPN SPAs SC-99; Reverse-Route Injection SC-100; IPSec—SNMP Support SC-101; Information About an IPSec Network with a Cisco IPSec VPN SPA on Cisco IOS XR Software SC-101; Cisco IPSec VPN SPA Overview SC-101; Displaying the SPA Hardware Type SC-101 ...
      Additional References: Standards SC-157; MIBs SC-157; RFCs SC-157; Technical Assistance SC-158
    Implementing Secure Socket Layer on Cisco IOS XR Software SC-159
      Contents SC-160; Prerequisites for Implementing Secure Socket Layer SC-160; Information About Implementing Secure Socket Layer SC-160; Purpose of Certification Authorities ...
      Additional References: Related Documents SC-164; Standards SC-165; MIBs SC-165; RFCs SC-165; Technical Assistance SC-165
    Configuring AAA Services on Cisco IOS XR Software SC-167
      Contents SC-168; Prerequisites for Configuring AAA Services SC-169; Restrictions for Configuring AAA Services SC-169; Information About Configuring AAA Services SC-169 ...
    Configuring Software Authentication Manager on Cisco IOS XR Software SC-225
    Implementing Management Plane Protection on Cisco IOS XR Software SC-227
      Contents SC-227; Restrictions for Implementing Management Plane Protection SC-228; Information About Implementing Management Plane Protection SC-228; Inband Management Interface ...
  • Page 11 For information on obtaining documentation, obtaining support, providing documentation feedback, security guidelines, and also recommended aliases and general Cisco documents, see the monthly What’s New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at: http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html...
  • Page 13 Socket Layer (SSL), and Secure Shell (SSH) protocols. CA interoperability permits Cisco IOS XR devices and CAs to communicate so that your Cisco IOS XR device can obtain and use digital certificates from the CA. Although IPSec can be implemented in your network without the use of a CA, using a CA provides manageability and scalability for IPSec.
  • Page 14: Prerequisites For Implementing Certification Authority

    ... security commands. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide. You must install and activate the Package Installation Envelope (PIE) for the security software.
  • Page 15: Certification Authorities

    Information About Implementing Certification Authority: Public-Key Cryptography Standard #10 (PKCS #10)—A standard syntax from RSA Data Security, Inc. for certificate requests. RSA keys—RSA is the public key cryptographic system developed by Ron Rivest, Adi Shamir, and ...
  • Page 16 IPSec Without CAs: Without a CA, if you want to enable IPSec services (such as encryption) between two Cisco routers, you must first ensure that each router has the key of the other router (such as an RSA public key or a shared key).
  • Page 17: How To Implement CA Interoperability

    During IKE phase one signature verification, the initiator sends the responder a list of its CA certificates. The responder should send a certificate issued by one of the CAs in the list. If the certificate is verified, the router saves the public key contained in the certificate on its public key ring.
  • Page 18: Configuring A Router Hostname And IP Domain Name

    This task configures a router hostname and IP domain name. You must configure the hostname and IP domain name of the router if they have not already been configured, because the router labels its RSA key pair and certificate request with the fully qualified domain name built from them.
  • Page 19: Generating An RSA Key Pair

    Step 3 (domain name domain-name): Configures the IP domain name of the router. Example: RP/0/RP0/CPU0:router(config)# domain name mydomain.com. Step 4: Saves configuration changes.
  • Page 20: Declaring A Certification Authority And Configuring A Trusted Point

    DETAILED STEPS. Step 1 (crypto key generate rsa [usage-keys | general-keys] [keypair-label]): Generates RSA key pairs. Use the usage-keys keyword to specify special-usage ...
  • Page 21 DETAILED STEPS. Step 1 (configure): Enters global configuration mode. Example: RP/0/RP0/CPU0:router# configure. Step 2 (crypto ca trustpoint ca-name): Declares a CA and configures a trusted point with a selected name so that ...
  • Page 22: Authenticating The CA

    Step 7 (rsakeypair keypair-label, optional): Specifies, for this trustpoint, a named RSA key pair generated with the crypto key generate rsa command.
  • Page 23: Requesting Your Own Certificates

    DETAILED STEPS. Step 1 (crypto ca authenticate ca-name): Authenticates the CA to your router by obtaining the CA certificate, which contains the public key of the CA. Compare the fingerprint the router displays against a value obtained from the CA administrator out of band before accepting it: this certificate is the trust anchor for every later enrollment and every IKE signature check that uses the trustpoint.
  • Page 24: Configuring Certificate Enrollment Using Cut-And-Paste

    DETAILED STEPS. Step 1 (crypto ca enroll ca-name): Requests certificates for all of your RSA key pairs. This command causes your router to request as many ...
  • Page 25 DETAILED STEPS. Step 1 (configure): Enters global configuration mode. Example: RP/0/RP0/CPU0:router# configure. Step 2 (crypto ca trustpoint ca-name): Declares the CA that your router should use and enters trustpoint configuration mode.
  • Page 26: Configuration Examples For Implementing Certification Authority Interoperability

    Step 6 (crypto ca enroll ca-name): Obtains the certificates for your router from the CA. Use the ca-name argument to specify the name ...
  • Page 27 Sample output from key generation and from show crypto key mypubkey rsa:

    Done w/ crypto generate keypair
    [OK]
    show crypto key mypubkey rsa
    Key label:mykey
    Type    :RSA General purpose
    Size    :1024
    Created :17:33:23 UTC Thu Sep 18 2003
    ...

    The 1024-bit modulus in this sample is below current minimums; generate at least a 2048-bit modulus where the release supports it. The key pair is tied to a trustpoint with the rsakeypair command.
  • Page 28: Where To Go Next

    ... the Implementing Internet Key Exchange Security Protocol on Cisco IOS XR Software module, IPSec in the Implementing IPSec Network Security on Cisco IOS XR Software module, and SSL in the Implementing Secure Socket Layer on Cisco IOS XR Software module.
  • Page 29: MIBs

    Additional References. MIBs: —. MIBs Link: To locate and download MIBs using Cisco IOS XR software, use the Cisco MIB Locator found at the following URL and choose a platform under the Cisco Access Products menu: http://cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml. RFCs: ...
  • Page 31: Implementing Internet Key Exchange Security Protocol On Cisco IOS XR Software

    IPSec can be configured without IKE, but IKE enhances IPSec by providing additional features, flexibility, and ease of configuration for the IPSec standard. This module describes the tasks that you need to implement IKE on your Cisco IOS XR network. Note ...
  • Page 32: Prerequisites

    Information About Implementing IKE Security Protocol Configurations for IPSec Networks, page SC-20
    Information About IKE for the Cisco IPSec VPN SPA on Cisco IOS XR Software, page SC-32
    How to Implement IKE Security Protocol Configurations for IPSec Networks, page SC-32
    ...
  • Page 33: Supported Standards

    IPSec is used to protect one or more data flows between a pair of hosts, a pair of security gateways, or a security gateway and a host. For more information on IPSec, see the Implementing IPSec Network Security on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
  • Page 34: Concessions For Not Enabling IKE

    IKE is disabled by default in Cisco IOS XR software. If you do not enable IKE, you must make these concessions at the peers: you must manually specify all IPSec security associations in the crypto profiles at all peers. Manually keyed SAs are also never rekeyed, so the same keys protect all traffic for as long as the configuration is in place.
  • Page 35 IKE Policy Creation: IKE negotiations must be protected, so each IKE negotiation begins by agreement of both peers on a common (shared) IKE policy.
  • Page 36 A match is made when both policies from the two peers contain the same encryption, hash, authentication, and Diffie-Hellman parameter values, and when the remote peer's policy specifies a lifetime that is less than or equal to the lifetime in the policy being compared.
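The matching rule above, worked through as an added example in Python (this is not code from the guide or from Cisco): the responder walks the initiator's offers in priority order and applies the rule from its own side, so the lifetime check is the one asymmetric parameter. The policy numbers, suites and lifetimes below are constructed for illustration; the constructed case shows a stronger AES policy being skipped purely because the initiator's lifetime is longer than the responder's.

```python
"""Emulation of IKE phase-one policy matching.

Added example, not Cisco code: policy values below are constructed. A match
requires identical encryption, hash, authentication and Diffie-Hellman group,
and a remote lifetime no longer than the local policy's; the shorter lifetime
is the one the SA then uses.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class IkePolicy:
    priority: int        # lower number = higher priority, as in "crypto isakmp policy 15"
    encryption: str      # e.g. "3des", "aes"
    hash_alg: str        # "sha" or "md5"
    authentication: str  # "pre-share", "rsa-sig" or "rsa-encr"
    group: int           # Diffie-Hellman group number
    lifetime: int        # IKE SA lifetime in seconds


def policies_match(local: IkePolicy, remote: IkePolicy) -> bool:
    """Apply the match rule from the responder's point of view.

    Everything except lifetime must be identical; lifetime is the single
    asymmetric check, so one pair of policies can match in one direction
    and fail in the other.
    """
    return (local.encryption == remote.encryption
            and local.hash_alg == remote.hash_alg
            and local.authentication == remote.authentication
            and local.group == remote.group
            and remote.lifetime <= local.lifetime)


def negotiate(initiator: List[IkePolicy],
              responder: List[IkePolicy]) -> Optional[Tuple[IkePolicy, IkePolicy, int]]:
    """Walk the initiator's offers in priority order; for each offer walk the
    responder's policies in priority order. Return the first match as
    (offer, responder_policy, negotiated_lifetime); None means the IKE
    negotiation fails because no common policy exists."""
    for offer in sorted(initiator, key=lambda p: p.priority):
        for local in sorted(responder, key=lambda p: p.priority):
            if policies_match(local, offer):
                return offer, local, min(offer.lifetime, local.lifetime)
    return None


# Constructed sample policies (not from the guide).
INITIATOR = [
    IkePolicy(15, "aes", "sha", "pre-share", 5, 86400),
    IkePolicy(20, "3des", "md5", "pre-share", 2, 43200),
]
RESPONDER = [
    # Same suite as the initiator's policy 15, but the remote lifetime
    # (86400) exceeds this local lifetime (3600), so it does NOT match and
    # negotiation falls through to the weaker 3DES/MD5 pair.
    IkePolicy(10, "aes", "sha", "pre-share", 5, 3600),
    IkePolicy(30, "3des", "md5", "pre-share", 2, 86400),
]


def demo() -> Optional[Tuple[int, int, int]]:
    """Return (initiator priority, responder priority, lifetime) of the agreed policy."""
    result = negotiate(INITIATOR, RESPONDER)
    if result is None:
        return None
    offer, local, lifetime = result
    return offer.priority, local.priority, lifetime


if __name__ == "__main__":
    print(demo())  # (20, 30, 43200)
    a = IkePolicy(10, "aes", "sha", "pre-share", 5, 43200)
    b = IkePolicy(10, "aes", "sha", "pre-share", 5, 86400)
    # Lifetime asymmetry: the same two policies match in one direction only.
    print(policies_match(a, b), policies_match(b, a))  # False True
```

The practical lesson is that lifetimes must be planned across peers, not just cipher suites: a responder with a shorter lifetime silently pushes the negotiation down its policy list, and if no weaker policy exists it fails outright.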
  • Page 37 If your local peer has previously used RSA signatures with certificates during a successful IKE negotiation with a remote peer, your local peer already possesses the remote peer's public key.
  • Page 38: ISAKMP Identity

    Unlike RSA signatures, the RSA encrypted nonces method cannot use certificates to exchange public keys. Instead, you ensure that each peer has the other peers' public keys by one of the following ...
  • Page 39: Mask Preshared Keys

    ... criteria imposes the granularity of applying the specified parameters. The ISAKMP profile applies parameters specific to each profile, such as trust points, peer identities, the XAUTH authentication, authorization, and accounting (AAA) list, and so forth.
  • Page 40: Internet Key Exchange Mode Configuration

    ... the username to query AAA if no local key can be found on the Cisco IOS XR router to which the user is trying to connect. Aggressive mode provides the ID in the first part of the IKE exchange; because the identity and the preshared-key-based hash are sent before the exchange is protected, an observer can capture that hash and attack the preshared key offline, so prefer main mode with strong keys where the peers support it. ...
  • Page 41: Banner, Auto-Update, And Browser-Proxy

    After a Cisco Easy VPN connection is up, use the crypto ipsec server send-update command in EXEC mode to send auto-update notifications at anytime. Pushing a Configuration URL Through a Mode-Configuration Exchange...
  • Page 42: Internet Key Exchange Extended Authentication

    The Call Admission Control (CAC) for Internet Key Exchange (IKE) feature describes the application of CAC to the IKE protocol in Cisco IOS XR software. CAC limits the number of simultaneous IKE security associations (SAs) (that is, calls to CAC) that a router can establish. In addition, there is an option to limit the maximum number of active IKE SAs allowed in the system and the CPU usage that is consumed by the IKE process or global CPU.
  • Page 43: Information About IP Security VPN Monitoring

    The IP Security (IPSec) VPN Monitoring feature provides VPN session monitoring enhancements that allow you to troubleshoot the Virtual Private Network (VPN) and monitor the end-user interface.
  • Page 44: Information About IKE For The Cisco IPSec VPN SPA On Cisco IOS XR Software

    In addition, you can use the show crypto session command with the detail keyword to obtain more detailed information about the sessions.
  • Page 45 Configuring a Browser Proxy, page SC-41 (optional); Configuring a Browser-Proxy Map to a Group, page SC-42 (optional); ...
  • Page 46: Configuring IKE Policies

    Step 3 (no crypto isakmp, optional): Disables IKE at the peer router. Example: RP/0/RP0/CPU0:router(config)# no crypto isakmp. Step 4: Saves configuration changes.
  • Page 47 DETAILED STEPS. Step 1 (configure): Enters global configuration mode. Example: RP/0/RP0/CPU0:router# configure. Step 2: Identifies the policy to create.
  • Page 48: Defining Group Policy Information For Mode Configuration

    Step 8 (commit): Saves configuration changes. When you issue the end command, the system prompts ...
  • Page 49 SUMMARY STEPS (continued): max-logins number-of-logins; max-users number-of-users; netmask mask; pool name; save-password; split-dns domain-name; wins primary-server [secondary-server]; commit. DETAILED STEPS ...
  • Page 50 Step 6 (dns primary-server [secondary-server]): Specifies the primary and secondary Domain Name Service (DNS) addresses.
  • Page 51 Step 15 (pool name): Defines the name of the address pool from which an address is allocated if required.
  • Page 52: Configuring A Banner

    banner {banner-text}. Example: RP/0/RP0/CPU0:router(config-group)# banner thequickbrowndog
    Configuring Auto-Upgrade: This task describes how to configure automatic update parameters for a Cisco Easy VPN remote device. SUMMARY STEPS: configure; crypto isakmp client configuration group group-name; auto-update client {type-of-system} {url url} {rev review-version}; ...
  • Page 53: Configuring A Browser Proxy

    ... Cisco IOS XR System Security Command Reference. Configuring a Browser Proxy: This task describes how to configure browser-proxy parameters for a Cisco Easy VPN remote device. SUMMARY STEPS: configure; crypto isakmp client configuration browser-proxy {browser-proxy-name}; ...
  • Page 54: Configuring A Browser-Proxy Map To A Group

    DETAILED STEPS. Step 1 (configure): Enters global configuration mode. Example: RP/0/RP0/CPU0:router# configure. Step 2: Configures browser-proxy parameters for a ...
  • Page 55: Configuring The Pushing Of A Configuration URL Through A Mode-Configuration Exchange

    Example: RP/0/RP0/CPU0:router(config-group)# browser-proxy EZVPN
    Configuring the Pushing of a Configuration URL Through a Mode-Configuration Exchange: This task configures a Cisco Easy VPN server to push a configuration URL through a Mode-Configuration Exchange. SUMMARY STEPS: configure; crypto isakmp client configuration group group-name; ...
  • Page 56: Manually Configuring RSA Keys

    DETAILED STEPS. Step 1 (configure): Enters global configuration mode. Example: RP/0/RP0/CPU0:router# configure. Step 2 (crypto isakmp client configuration group group-name): Specifies which group's policy profile is defined and enters ISAKMP group configuration mode.
  • Page 57 SUMMARY STEPS: configure; crypto isakmp identity {address | hostname}; host hostname address1 [address2...address8]; commit. DETAILED STEPS ...
  • Page 58 Configuring RSA Public Keys of All the Other Peers: This task configures the RSA public keys of all the other peers.
  • Page 59 Step 3 (rsa-pubkey {address address | name fqdn}): Defines the Rivest, Shamir, and Adleman (RSA) manual ...
  • Page 60: Configuring ISAKMP Preshared Keys In ISAKMP Keyrings

    Step 7 (commit): Saves configuration changes. When you issue the end command, the system prompts ...
  • Page 61 SUMMARY STEPS: configure; crypto keyring keyring-name [vrf fvrf-name]; pre-shared-key {address address [mask] | hostname hostname} key key; commit. DETAILED STEPS ...
  • Page 62: Configuring Call Admission Control

    Step 3 (pre-shared-key {address address [mask] | ...): Defines a preshared key for IKE authentication. ...
  • Page 63 ... commit; show crypto isakmp call admission statistics. DETAILED STEPS. Step 1: Enters global configuration mode.
  • Page 64 Step 3 (commit): Saves configuration changes. When you issue the end command, the system ...
  • Page 65 DETAILED STEPS. Step 1 (configure): Enters global configuration mode. Example: RP/0/RP0/CPU0:router# configure. Step 2: Specifies the maximum number of IKE SAs that the ...
  • Page 66: Configuring Crypto Keyrings

    A crypto keyring is a repository of preshared and Rivest, Shamir, and Adleman (RSA) public keys. The router can have zero or more keyrings.
  • Page 67 DETAILED STEPS. Step 1 (configure): Enters global configuration mode. Example: RP/0/RP0/CPU0:router# configure. Step 2 (crypto keyring keyring-name [vrf fvrf-name]): Defines a crypto keyring to be used during IKE authentication.
  • Page 68 Step 6 (rsa-pubkey {address address | name fqdn} [encryption | signature]): Defines a Rivest, Shamir, and Adleman (RSA) public key by address or hostname.
  • Page 69: Configuring IP Security VPN Monitoring

    The following sections describe how to configure IP Security (IPSec) VPN monitoring: Adding the Description of an IKE Peer, page SC-57 (optional); ...
  • Page 70: How To Implement IKE For Locally Sourced And Destined Traffic

    Step 4 (commit): Saves configuration changes. When you issue the end command, the system ...
  • Page 71 SUMMARY STEPS: configure; crypto isakmp profile [local] profile-name; description string; keepalive disable; self-identity {address | fqdn | user-fqdn user-fqdn}; ...
  • Page 72 Step 5 (self-identity {address | fqdn | user-fqdn user-fqdn}): Defines the identity that the local IKE uses to identify itself to the remote peer.
  • Page 73 Step 7 (match identity {group group-name | address address [mask] vrf [fvrf] | host hostname | host domain ...): Matches the identity from a peer in an ISAKMP profile.
  • Page 74: How To Implement IKE For Cisco IPSec VPN SPAs On Cisco IOS XR Software

    Step 9 (set ipsec-profile profile-name): Predefines the IPSec profile instance when IKE ...
  • Page 75 Configuring a Periodic Dead Peer Detection Message: This task configures a periodic dead peer detection (DPD) message.
  • Page 76: Configuring The ISAKMP Profile For Service Interfaces

    Step 2 (crypto isakmp keepalive seconds retry-seconds): Uses the IKE security association (SA) feature to ...
  • Page 77 ... description string; keepalive disable; self-identity {address | fqdn | user-fqdn user-fqdn}; keyring keyring-name; match identity {group group-name | address address [mask] vrf [fvrf] | host hostname | host ...
  • Page 78 Step 5 (self-identity {address | fqdn | user-fqdn user-fqdn}): Defines the identity that the local IKE uses to identify itself to the remote peer.
  • Page 79 Step 7: Matches the identity from a peer in an ISAKMP ...
  • Page 80: Configuration Examples For Implementing IKE Security Protocol

    Step 8 (set interface {service-ipsec | service-gre} intf-index): Predefines the virtual interface when IKE negotiates for IPSec SAs and the local endpoint is the IKE responder.
  • Page 81 Creating IKE Policies: Example. This example shows how to create two IKE policies, with policy 15 as the highest priority, policy 20 as the next priority, and the existing default policy as the lowest priority.
  • Page 82: Configuring Easy VPN With A Local AAA: Example

    ...
     group 5
     encryption 3des
     lifetime 86400
    crypto keyring ring1 vrf default
     pre-shared-key address 40.0.0.1 255.255.255.255 key key1
    crypto isakmp profile ike-profile1
     keyring ring1
     match identity address 40.0.0.0/16 vrf default
    ...
  • Page 83: Configuring VRF-Aware: Example

    service-location preferred-active 0/2/0
    crypto isakmp client configuration group group-a
     key group-a-key
     pool pool-1
    crypto isakmp
    crypto isakmp policy 30
     authentication pre-share
     group 2
    ...
  • Page 84
    ...
     dot1q vlan 63
    interface GigabitEthernet0/1/0/0.11
     vrf FVRF
     ipv4 address 10.0.91.1 255.255.255.0
     dot1q vlan 91
    interface GigabitEthernet0/1/0/0.12
     vrf FVRF
     ipv4 address 10.0.92.1 255.255.255.0
     dot1q vlan 92
    interface GigabitEthernet0/1/0/0.13
    ...
  • Page 85: Additional References

    crypto isakmp profile isakmp-prof7
     keyring kr12
     match identity address 10.0.85.2/32 vrf FVRF
     set interface service-ipsec16
    crypto ipsec transform-set tsfm5
     transform ah-sha-hmac esp-aes
    crypto ipsec transform-set tsfm15
     transform esp-3des esp-md5-hmac
    ...

    Of the two transform sets in this example, tsfm15 pairs 3DES with HMAC-MD5, both legacy algorithms; for new deployments prefer an AES-based transform with an SHA-based HMAC, as in tsfm5.
  • Page 87: Implementing Keychain Management On Cisco IOS XR Software

    Keychain management is a common way to configure shared secrets on all the entities that exchange secrets, such as keys, before establishing trust with each other. Routing protocols and network management applications on Cisco IOS XR software often use authentication to enhance security while communicating with peers.
  • Page 88: Information About Implementing Keychain Management

    ... Shortest Path First (OSPF), and Intermediate System-to-Intermediate System (IS-IS) use the keychain to implement a hitless key rollover for authentication. For information about BGP, OSPF, and IS-IS keychain configurations, see the Cisco IOS XR Routing Configuration Guide. BGP uses TCP authentication, which enables the authentication option and sends the Message Authentication Code (MAC) based on the cryptographic algorithm configured for the keychain.
  • Page 89: Configuring A Keychain

    Determining the Valid Keys, page SC-82 (optional)
    Configuring the Keys to Generate Authentication Digest for the Outbound Application Traffic, page SC-84 (required)
    Configuring the Cryptographic Algorithm, page SC-85 (required)
    ...
  • Page 90: Configuring A Tolerance Specification To Accept Keys

    Step 3 (commit): Saves configuration changes. When you issue the end command, the system prompts you to commit changes: Uncommitted changes found, commit them before ...
  • Page 91: Configuring A Key Identifier For The Keychain

    Implementing Keychain Management on Cisco IOS XR Software How to Implement Keychain Management DETAILED STEPS Command or Action Purpose Step 1 Enters global configuration mode. configure Example: RP/0/RP0/CPU0:router# configure Step 2 Creates a name for the keychain. key chain key-chain-name...
  • Page 92 SUMMARY STEPS: configure; key chain key-chain-name; key key-id; commit. DETAILED STEPS: Step 1 (configure): Enters global configuration mode. Example: RP/0/RP0/CPU0:router# configure. Step 2 (key chain key-chain-name): Creates a name for the keychain.
  • Page 93: Configuring the Text for the Key String

    What to Do Next: After configuring a key identifier for the keychain, see the Configuring the Text for the Key String section. Configuring the Text for the Key String: This task configures the text for the key string.
  • Page 94: Determining the Valid Keys

    Step 4 (key-string [clear | password] key-string-text): Specifies the text string for the key. • Use the clear keyword to specify the key string in clear...
  • Page 95 DETAILED STEPS: Step 1 (configure): Enters global configuration mode. Example: RP/0/RP0/CPU0:router# configure. Step 2 (key chain key-chain-name): Creates a name for the keychain...
  • Page 96: Configuring the Keys to Generate Authentication Digest for the Outbound Application Traffic

    Configuring the Keys to Generate Authentication Digest for the Outbound Application Traffic: This task configures the keys used to generate the authentication digest for outbound application traffic. SUMMARY STEPS...
  • Page 97: Configuring the Cryptographic Algorithm

    Step 4 (send-lifetime start-time [duration durationvalue | infinite | end-time]): (Optional) Specifies the set time period during which an authentication key on a keychain is valid to be sent. You can specify the validity of the key lifetime in terms of clock time.
  • Page 98 cryptographic-algorithm [HMAC-MD5 | HMAC-SHA1-12 | HMAC-SHA1-20 | MD5 | SHA-1]; commit. DETAILED STEPS: Step 1 (configure): Enters global configuration mode. Example: RP/0/RP0/CPU0:router# configure...
  • Page 99: Configuration Examples for Implementing Keychain Management

    Implementing Keychain Management on Cisco IOS XR Software, Configuration Examples for Implementing Keychain Management. Step 4 (cryptographic-algorithm [HMAC-MD5 | HMAC-SHA1-12 | HMAC-SHA1-20 | MD5 | SHA-1]): Specifies the choice of the cryptographic algorithm. You can choose from the following list of...
  • Page 100: Additional References

    Related Documents. Related Topic: Keychain management commands (complete command syntax, command modes, command history, defaults, usage guidelines, and examples). Document Title: Keychain Management Commands on Cisco IOS XR Software module in Cisco IOS XR System Security Command Reference, Release 3.5...
  • Page 101: MIBs

    Additional References. MIBs: MIBs Link: To locate and download MIBs using Cisco IOS XR software, use the Cisco MIB Locator found at the following URL and choose a platform under the Cisco Access Products menu: http://cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml. RFCs...
  • Page 102 Implementing Keychain Management on Cisco IOS XR Software, Additional References...
  • Page 103: Implementing IPSec Network Security on Cisco IOS XR Software

    Cisco CRS-1 and Cisco XR 12000 Series Router. Either tunnel-ipsec interfaces or a transport entity are used. This type is also called software-based IPSec. • IPSec for transit traffic is supported on the Cisco XR 12000 Series Router IPSec VPN SPA. This...
  • Page 104: Prerequisites for Implementing IPSec Network Security

    • Restrictions for Implementing IPSec Network with a Cisco IPSec VPN SPA, page SC-93 • Information About Implementing IPSec Networks, page SC-94 • Information About an IPSec Network with a Cisco IPSec VPN SPA on Cisco IOS XR Software, page SC-101 • How to Implement General IPSec Configurations for IPSec Networks, page SC-104 •...
  • Page 105: Restrictions for Implementing IPSec Network Security

    Restrictions for Implementing IPSec Network with a Cisco IPSec VPN SPA: The following restrictions apply when implementing an IPSec network with a Cisco XR 12000 Series Router IPSec VPN SPA: • Clear GRE is not supported. Only secure generic routing encapsulation (GRE) is supported by the...
  • Page 106: Information About Implementing IPSec Networks

    • Reverse-Route Injection, page SC-100 • IPSec—SNMP Support, page SC-101. Note: For information about IPSec Quality of Service (QoS), refer to the Cisco IOS XR Quality of Service Configuration Guide. Crypto Profiles: Crypto profile entries created for IPSec combine the various parts used to set up IPSec security...
  • Page 107: Dynamic Crypto Profiles

    Implementing IPSec Network Security on Cisco IOS XR Software, Information About Implementing IPSec Networks. For IPSec to succeed between two IPSec peers, both peers’ crypto profile entries must contain compatible configuration statements. When two peers try to establish an SA, each must have at least one crypto profile entry that is compatible with one of the other peer’s crypto profile entries.
  • Page 108: Transform Sets

    Crypto access lists associated with IPSec crypto profile entries have four primary functions: • Select outbound traffic to be protected by IPSec (permit = protect). • Indicate the data flow to be protected by the new SAs (specified by a single permit entry) when...
  • Page 109: Manual IPSec Security Associations

    Assuming that the particular crypto profile entry does not have lifetime values configured, when the router requests new SAs it specifies its global lifetime values in the request to the peer; it uses this value as the lifetime of the new SAs.
  • Page 110: Checkpointing

    X-N is discarded. Currently, N is set at 64, so only 64 packets can be kept in the memory of the decryptor. At times, however, the 64-packet window size is not sufficient. For example, Cisco quality of service (QoS) gives priority to high-priority packets, which could cause some low-priority packets to be discarded even though they could be one of the last 64 packets received by the decryptor.
  • Page 111: IPSec NAT Transparency

    This IPSec feature is supported only on the Cisco IPSec VPN SPA. When a router running Cisco IOS XR software creates an IPSec SA for a peer, resources must be allocated to maintain the SA. The SA requires both memory and several managed timers. For idle peers, these resources are wasted.
  • Page 112: Reverse-Route Injection

    Table 4 Pre-Fragmentation for Cisco IPSec VPN SPA Dependencies: Pre-Fragmentation for IPSec VPN Service IPSec Interface SPAs Feature State (Enabled or “crypto ipsec df-bit” Incoming Packet...
  • Page 113: IPSec-SNMP Support

    VPNs. Using the Cisco IPSec VPN SPA enables you to send all VPN traffic coming from or going to the Internet through the SPA hardware. The SPA supports all IPSec-related processing. Packets coming from the trusted LAN are encrypted and sent through the Internet.
  • Page 114 Implementing IPSec Network Security on Cisco IOS XR Software, Information About an IPSec Network with a Cisco IPSec VPN SPA on Cisco IOS XR Software. Table 5 SPA Hardware Description in show diag Command. Description in show diag Command: SPA-IPSEC-2G...
  • Page 115 Generic Routing Encapsulation (GRE) is a tunneling protocol that can encapsulate a wide variety of protocol packet types inside IP tunnels, creating a virtual point-to-point link to routers at remote points over an IP network.
  • Page 116 Implementing IPSec Network Security on Cisco IOS XR Software, How to Implement General IPSec Configurations for IPSec Networks. VRF-aware IPSec: Each IPSec tunnel is associated with two VRF domains. The outer encapsulated domain belongs to one VRF domain, which is called the front door VRF (FVRF), while the inner, protected IP packet belongs to another domain called the inside VRF (IVRF).
  • Page 117: Setting Global Lifetimes for IPSec Security Associations

    Setting Global Lifetimes for IPSec Security Associations: This task sets global lifetimes for IPSec security associations. SUMMARY STEPS: configure; crypto ipsec security-association lifetime {seconds seconds | kilobytes kilobytes}...
  • Page 118: Creating Crypto Access Lists

    Step 3 (commit): Saves configuration changes. • When you issue the end command, the system prompts you to commit changes:...
  • Page 119 DETAILED STEPS: Step 1 (configure): Enters global configuration mode. Example: RP/0/RP0/CPU0:router# configure. Step 2 (ipv4 access-list name): Specifies conditions to determine which IP packets are protected.
  • Page 120: Defining Transform Sets

    Defining Transform Sets: This task defines a transform set. SUMMARY STEPS: configure; crypto ipsec transform-set name; transform-set submode transform protocol; transform-set submode mode {transport | tunnel}...
  • Page 121: Configuring Crypto Profiles

    Step 2 (crypto ipsec transform-set name; transform-set submode transform protocol): Defines a transform set. • Complex rules define which entries you can use for the...
  • Page 122 set session-key inbound ah spi hex-key-data; set session-key inbound esp spi {cipher hex-key-data authentication hex-key-data}; set session-key outbound ah spi hex-key-data; set session-key outbound esp spi {cipher hex-key-data authentication hex-key-data}...
  • Page 123 Step 6 (set transform-set transform-set-name): Specifies a list of transform sets in priority order. The set transform-set command is used in profiles that are attached to service-gre interfaces.
  • Page 124 Step 11 (set session-key inbound ah spi hex-key-data): (Optional) Manually specifies the IP Security session keys to set the inbound IPSec session key for the Authentication Header (AH) protocol.
  • Page 125 Step 14 (set session-key outbound esp spi {cipher hex-key-data authentication hex-key-data}): (Optional) Manually specifies the IP Security session key to set the outbound IPSec session key for ESP.
  • Page 126: Configuring the DF Bit for the Encapsulating Header in IPSec Tunnels

    This task configures the DF bit for the encapsulating header in IPSec tunnels. The DF bit configuration is also specified for both service-ipsec and service-gre interfaces. Note: This IPSec feature is supported only on the Cisco IPSec VPN SPA. SUMMARY STEPS...
  • Page 127: Configuring the IPSec Antireplay Window: Expanding and Disabling

    Example: RP/0/0/CPU0:router(config)# interface service-ipsec. Use the crypto ipsec df-bit command in global configuration mode and service-ipsec interface configuration mode.
  • Page 128 Note: This IPSec feature is supported only on the Cisco IPSec VPN SPA. Configuring the IPSec Antireplay Window: Expanding and Disabling Globally. This task configures the IPSec antireplay window (expanding and disabling) globally.
  • Page 129 Step 3 (crypto ipsec security-association replay disable): Disables antireplay checking globally. Note: Configure this command or the crypto ipsec...
  • Page 130: Configuring IPSec NAT Transparency

    Configuring IPSec NAT Transparency Network Address Translator (NAT) is automatically detected by the Cisco IPSec VPN SPA. If both VPN devices are NAT-T capable, NAT Transparency is automatically detected and automatically negotiated. No configuration steps are needed to enable IPSec NAT transparency.
  • Page 131 Note: This IPSec feature is supported only on the Cisco IPSec VPN SPA. Disabling IPSec NAT Transparency: This task disables NAT transparency if you already know that your network uses IPSec-aware NAT (spi-matching scheme).
  • Page 132: Configuring IPSec Security Association Idle Timers

    DETAILED STEPS: Step 1 (configure): Enters global configuration mode. Example: RP/0/0/CPU0:router# configure. Step 2: Disables the NAT transparency capability.
  • Page 133 Note. Lifetimes for IPSec Security Associations: Cisco IOS XR software currently allows the configuration of lifetimes for IPSec SAs. Lifetimes can be configured globally or for each crypto profile. Two lifetimes exist: a “timed” lifetime and a “traffic-volume” lifetime. A security association expires after the first of these lifetimes is reached.
  • Page 134 Step 2 (crypto ipsec security-association idle-time seconds): Configures the IPSec SA idle timer globally. • Use the seconds argument to specify the time, in...
  • Page 135 DETAILED STEPS: Step 1 (configure): Enters global configuration mode. Example: RP/0/0/CPU0:router# configure. Step 2 (crypto ipsec profile name): Creates or modifies a crypto profile entry and enters profile configuration mode.
  • Page 136: Disabling Prefragmentation for Cisco IPSec VPN SPAs

    Disabling Prefragmentation for Cisco IPSec VPN SPAs: This section provides the following procedures to disable prefragmentation for Cisco IPSec VPN SPAs: • Disabling Prefragmentation for service-ipsec Interfaces, page SC-124...
  • Page 137 Step 2 (crypto ipsec pre-fragmentation disable): Specifies the handling of fragmentation for near-MTU-sized packets. • Use the disable keyword to disable the...
  • Page 138 commit. DETAILED STEPS: Step 1 (configure): Enters global configuration mode. Example: RP/0/0/CPU0:router# configure. Step 2 (crypto ipsec pre-fragmentation disable): Specifies the handling of fragmentation for near-MTU-sized packets.
  • Page 139: Configuring Reverse-Route Injection in a Crypto Profile

    Configuring Reverse-Route Injection in a Crypto Profile: This task shows how to configure reverse-route injection in a crypto profile. SUMMARY STEPS: configure...
  • Page 140: Configuring IPSec Failure History Table Size

    Configuring IPSec Failure History Table Size: This task changes the size of the failure history table. Note: This IPSec feature is supported only on the Cisco IPSec VPN SPA. SUMMARY STEPS: configure; crypto mib ipsec flowmib history failure size number...
  • Page 141 Implementing IPSec Network Security on Cisco IOS XR Software, How to Implement IPSec Network Security for Locally Sourced and Destined Traffic. DETAILED STEPS: Step 1 (configure): Enters global configuration mode. Example: RP/0/0/CPU0:router# configure. Step 2: Sets the size of the failure history table.
  • Page 142: Applying Crypto Profiles to tunnel-ipsec Interfaces

    Be sure to define which packets to protect. If you must use the any keyword in a permit statement, you must preface that statement with a series of deny statements to filter any traffic (that would otherwise fall within that permit statement) that you do not want to be protected.
  • Page 143: Applying Crypto Profiles to Crypto Transport

    Step 5 (tunnel destination ip-address): Specifies the tunnel destination IP address. This command is not required if the profile is dynamic.
  • Page 144: How to Implement IPSec Network Security for VPNs

    Implementing IPSec Network Security on Cisco IOS XR Software, How to Implement IPSec Network Security for VPNs. DETAILED STEPS: Step 1 (configure): Enters global configuration mode. Example: RP/0/RP0/CPU0:router# configure. Step 2: Enters IPSec transport configuration mode.
  • Page 145: Configuring IPSec Virtual Interfaces

    Configuring IPSec Virtual Interfaces: These tasks configure IPSec virtual interfaces: • Configuring Static IPSec Virtual Interfaces, page SC-133 • Configuring IPSec-Protected GRE Virtual Interfaces, page SC-136...
  • Page 146 Step 4 (tunnel source {ip-address}): Specifies the source address for a tunnel-ipsec interface. • Use the ip-address argument to set the IP...
  • Page 147 Step 9 (service-location preferred-active location [preferred-standby location [auto-revert]]): Specifies both active and standby locations for the interface. • Use the preferred-active keyword to specify...
  • Page 148 Configuring IPSec-Protected GRE Virtual Interfaces: This task configures IPSec-protected GRE service virtual interfaces. SUMMARY STEPS: configure; interface service-gre number; profile profile-name; tunnel source {ip-address}...
  • Page 149 Step 5 (tunnel destination ip-address): Identifies the IP address of the tunnel destination. • Use the ip-address argument to set the IP...
  • Page 150 Step 9 (service-location preferred-active location [preferred-standby location [auto-revert]]): Specifies both active and standby locations for the interface. • Use the preferred-active keyword to specify...
  • Page 151: Configuring the Default Path Maximum Transmission Unit for the SA

    Configuring the Default Path Maximum Transmission Unit for the SA: This task configures the default path maximum transmission unit (MTU) for the SA.
  • Page 152: Configuring a Static Profile and Attaching to a tunnel-ipsec Interface: Example

    Implementing IPSec Network Security on Cisco IOS XR Software, Configuration Examples for Implementing IPSec Network Security for Locally Sourced Traffic and Destined Traffic. Step 3 (crypto ipsec pmtu pmtu): Specifies the default path MTU for the SAs that are created under the interface.
  • Page 153 A transform set defines how the traffic is protected. In this example, transform set myset1 uses Data...
  • Page 154: Configuring a Static Profile and Attaching to Transport: Example

    Implementing IPSec Network Security on Cisco IOS XR Software, Configuration Examples for an IPSec Network with a Cisco IPSec VPN SPA. Configuring a Static Profile and Attaching to Transport: Example. The following example shows a minimal IPSec configuration in which a static profile is created and attached to a transport.
  • Page 155 import route-target 100:1000; export route-target 100:1000. Configuring ACL That Is Used by the IPSec Profile: ipv4 access-list acl1; 10 permit ipv4 100.0.1.0 0.0.0.255 30.0.1.0 0.0.0.255...
  • Page 156 The following example shows, in the output of the show crypto ipsec summary command and the show crypto ipsec sa command, that the IPSec SA is created:...
  • Page 157: Configuring a service-gre Interface: Example

    ia - IS-IS inter area, su - IS-IS summary null, * - candidate default U - per-user static route, o - ODR, L - local Gateway of last resort is not set 30.0.1.0/24 is directly connected, 00:02:09, service-ipsec1...
  • Page 158 # Active IPSec Sessions: 2 Local Peer Remote Peer FVRF Profile Transform Lifetime ------------------------------------------------------------------------------- 50.50.50.2 40.40.40.2 default esp-3des esp 120/4194303...
  • Page 159 Related Topic: Internet Key Exchange (IKE) security protocol commands (complete command syntax, command modes, command history, defaults, usage guidelines, and examples). Document Title: Internet Key Exchange Security Protocol Commands on Cisco IOS XR Software module in Cisco IOS XR System Security Command Reference, Release 3.5...
  • Page 160 Implementing IPSec Network Security on Cisco IOS XR Software, Additional References. RFCs (RFC / Title): RFC 2401, Security Architecture for the Internet Protocol; RFC 2402, IP Authentication Header; RFC 2403, The Use of HMAC-MD5-96 within ESP and AH; RFC 2404, The Use of HMAC-SHA-1-96 within ESP and AH...
  • Page 161 Rivest, Shamir, and Adleman (RSA) keys and SSHv2 uses Digital Signature Algorithm (DSA) keys. Cisco IOS XR software supports both SSHv1 and SSHv2. This module describes the tasks that you need to implement Secure Shell on your Cisco IOS XR network.
  • Page 162: Prerequisites to Implementing Secure Shell

    • security commands. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide. • Download the required image on your router. The SSH server and SSH client require you to have a...
  • Page 163: Information About Implementing Secure Shell

    • SSH Server: The SSH server feature enables an SSH client to make a secure, encrypted connection to a Cisco router. This connection provides functionality that is similar to that of an inbound Telnet connection. Before SSH, security was limited to Telnet security. SSH allows strong encryption to be used with the Cisco IOS XR software authentication.
  • Page 164: Configuring SSH

    AAA is a suite of network security services that provides the primary framework through which access control can be set up on your Cisco router or access server. For more information on AAA, see the Authentication, Authorization, and Accounting Commands on Cisco IOS XR Software module in the Cisco IOS XR System Security Command Reference publication and the Configuring AAA Services on Cisco IOS XR Software module in the Cisco IOS XR System Security Configuration Guide publication.
  • Page 165 Implementing Secure Shell on Cisco IOS XR Software, How to Implement Secure Shell. DETAILED STEPS: Step 1 (configure): Enters global configuration mode. Example: RP/0/RP0/CPU0:router# configure. Step 2 (hostname hostname): Configures a hostname for your router. Example:...
  • Page 166: Configuring the SSH Client

    Step 9 (ssh server; ssh server v2): Brings up an SSH server. • To bring down an SSH server, use the no ssh server command.
  • Page 167 exit; ssh {ipv4-address | ipv6-address | hostname} [username user-id | cipher des | source-interface type instance]. DETAILED STEPS: Step 1: Enters global configuration mode.
  • Page 168: Configuration Examples for Implementing Secure Shell

    Related Topic / Document Title. AAA commands (complete command syntax, command modes, command history, defaults, usage guidelines, and examples): Authentication, Authorization, and Accounting Commands on Cisco IOS XR Software module in the Cisco IOS XR System Security Command Reference, Release 3.5. AAA configuration tasks: Configuring AAA Services on Cisco IOS XR Software module in the Cisco IOS XR System Security Configuration Guide, Release 3.5...
  • Page 169 SSH Transport Layer Protocol, July 2003. MIBs: MIBs Link: To locate and download MIBs using Cisco IOS XR software, use the Cisco MIB Locator found at the following URL and choose a platform under the Cisco Access Products menu: http://cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml. RFCs...
  • Page 170 Implementing Secure Shell on Cisco IOS XR Software, Additional References. Technical Assistance (Description / Link): The Cisco Technical Support website contains thousands of pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content. Link: http://www.cisco.com/techsupport
  • Page 171: Implementing Secure Socket Layer on Cisco IOS XR Software

    Data encrypted with the public key can be decrypted only with the private key. This module describes the tasks that you need to implement SSL on your Cisco IOS XR network. For a complete description of the Public Key Infrastructure (PKI) commands used in this chapter, see...
  • Page 172: Prerequisites for Implementing Secure Socket Layer

    For more information on the commands required to perform these tasks, see the crypto key generate rsa, crypto key generate dsa, crypto ca enroll, and crypto ca authenticate commands in the Public Key Infrastructure Commands on Cisco IOS XR Software module of the Cisco IOS XR System Security Command Reference.
  • Page 173: How to Implement Secure Socket Layer

    Implementing Secure Socket Layer on Cisco IOS XR Software, How to Implement Secure Socket Layer. public key indicates that the holder of the private key, the sender, must have created the message. This process relies on the receiver having a copy of the sender’s public key and knowing with a high degree of certainty that it does belong to the sender and not to someone pretending to be the sender.
  • Page 174 DETAILED STEPS: Step 1 (crypto key generate rsa [usage-keys | general-keys] [keypair-label]): Generates RSA key pairs. • RSA key pairs are used to sign and encrypt Internet Key...
  • Page 175 Step 6 (commit): Saves configuration changes. • When you issue the end command, the system prompts you to commit changes: Uncommitted changes found, commit them before...
  • Page 176: Configuration Examples for Implementing Secure Socket Layer

    ...and examples: Cisco IOS XR System Security Command Reference, Release 3.5. Certification authority information: Implementing Certification Authority Interoperability on Cisco IOS XR Software module in the Cisco IOS XR System Security Configuration Guide, Release 3.5...
  • Page 177 MIBs: MIBs Link: To locate and download MIBs using Cisco IOS XR software, use the Cisco MIB Locator found at the following URL and choose a platform under the Cisco Access Products menu: http://cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml. RFCs...
  • Page 178 Implementing Secure Socket Layer on Cisco IOS XR Software, Additional References...
  • Page 179 Cisco IOS XR system. The major tasks required to implement task-based authorization involve configuring user groups and task groups. User groups and task groups are configured through the Cisco IOS XR software command set used for authentication and authorization services. Authentication commands are used to verify the identity of a user or principal.
  • Page 180 • Support was added on Cisco IOS XR to allow you to specify task IDs as an attribute in the external RADIUS or TACACS+ server. If the server is also shared by non-Cisco IOS XR systems, these attributes are marked as optional as indicated by the server documentation.
  • Page 181: Prerequisites for Configuring AAA Services

    Information About Configuring AAA Services This section lists all the conceptual information that a Cisco IOS XR software user must understand before configuring user groups and task groups through AAA or configuring Remote Authentication Dial-in User Service (RADIUS) or TACACS+ servers. Conceptual information also describes what AAA is and why it is important.
  • Page 182: User, User Groups, and Task Groups

    Cisco IOS XR software user attributes form the basis of the Cisco IOS XR software administrative model. Each router user is associated with the following attributes: • User ID (ASCII string) that identifies the user uniquely across an administrative domain...
  • Page 183: User Groups

    User Groups Cisco IOS XR software allows the system administrator to configure groups of users and the job characteristics that are common in groups of users. Groups must be explicitly assigned to users. Users are not assigned to groups by default. A user can be assigned to more than one group.
  • Page 184 Configuring AAA Services on Cisco IOS XR Software Information About Configuring AAA Services Task Groups A task group is defined by a collection of task IDs. Task groups contain task ID lists for each class of action. Each user group is associated with a set of task groups applicable to the users in that group. A user’s task permissions are derived from the task groups associated with the user groups to which that user belongs.
  • Page 185 The none option for authentication is not supported in Cisco IOS XR software. Cisco IOS XR user access is more secure than Cisco IOS software, and there is no way that a user can access the system without a valid username and password.
  • Page 186 Remote Database: AAA data can be stored in an external security server, such as CiscoSecure ACS. Security data stored in the server can be used by any client (such as a network access server [NAS]) provided that the client knows the server IP address and shared secret.
  • Page 187 Rollover Mechanism: AAA can be configured to use a prioritized list of database options. If the system is unable to use a database, it automatically rolls over to the next database on the list. If the authentication, authorization, or accounting request is rejected by any database, the rollover does not occur and the request is rejected.
  • Page 188 Authentication of Secure Domain Router User: Secure domain router user authentication is similar to owner secure domain router user authentication. If the user is not found to be a member of the designated owner secure domain router user group or root-system user group, the user is authenticated as a secure domain router user.
  • Page 189: Password Types

    • Ksh authentication cannot be turned off or bypassed after the card is booted. To bypass authentication, a user needs a reload of the card. (See the “Bypassing ksh...
  • Page 190: Task-Based Authorization

    Task-Based Authorization: AAA employs “task permissions” for any control, configure, or monitor operation through CLI or API. The Cisco IOS software concept of privilege levels has been replaced in Cisco IOS XR software by a task-based authorization system. Task IDs: The operational tasks that enable users to control, configure, and monitor Cisco IOS XR software are represented by task IDs.
  • Page 191: Task IDs for TACACS+ and RADIUS Authenticated Users

    = “<permissions>:<taskid name>, #<usergroup name>, ...” Note: Cisco IOS XR allows you to specify task IDs as an attribute in the external RADIUS or TACACS+ server. If the server is also shared by non-Cisco IOS XR systems, these attributes are marked as optional as indicated by the server documentation.
  • Page 192 For example, to give a user named user1 BGP read, write, and execute permissions and include user1 in a user group named operator, the username entry in the external server’s TACACS+ configuration file...
  • Page 193: XML Schema for AAA Services

    13. For privilege level 15, the root-system user group is used; privilege level 14 maps to the user group owner-sdr. For example, with the Cisco freeware tac plus server, the configuration file has to specify priv_lvl in its configuration file, as shown in the following example:...
  • Page 194: About RADIUS

    Enigma security cards to validate users and grant access to network resources. • Networks already using RADIUS. You can add a Cisco router with RADIUS to the network. This might be the first step when you make a transition to a Terminal Access Controller Access Control System Plus (TACACS+) server.
  • Page 195: How to Configure AAA Services

    • Router-to-router situations. RADIUS does not provide two-way authentication. RADIUS can be used to authenticate from one router to a router other than a Cisco router if that router requires RADIUS authentication. • Networks using a variety of services. RADIUS generally binds a user to one service model.
  • Page 196: Configuring Task Groups

    Each task group is associated with one or more task IDs selected from the Cisco CRS-1 set of available task IDs. The first configuration task in setting up the Cisco CRS-1 authorization scheme is to configure the task groups, followed by user groups, followed by individual users.
  • Page 197 Configuring AAA Services on Cisco IOS XR Software, How to Configure AAA Services. DETAILED STEPS. Command or Action / Purpose. Step 1, configure: Enters global configuration mode. Example: RP/0/RP0/CPU0:router# configure. Step 2, taskgroup taskgroup-name: Creates a name for a particular task group and enters task group configuration submode.
  • Page 198: Configuring User Groups

    Command or Action / Purpose. Step 6: Repeat Step 5 for each task ID to be associated with the task group named in Step 2. Step 7: Saves configuration changes.
  • Page 199 description string; inherit usergroup usergroup-name; taskgroup taskgroup-name; Repeat Step 5 for each task group to be associated with the user group named in Step 2; commit. DETAILED STEPS...
  • Page 200: Configuring Users

    Command or Action / Purpose. Step 6: Repeat Step 5 for each task group to be associated with the user group named in Step 2. Step 7: Saves configuration changes.
  • Page 201 commit. DETAILED STEPS. Command or Action / Purpose. Step 1, configure: Enters global configuration mode. Example: RP/0/RP0/CPU0:router# configure. Step 2, username user-name: Creates a name for a new user (or identifies a current user) and enters username configuration submode.
  • Page 202: Configuring Router to RADIUS Server Communication

    Configuring Router to RADIUS Server Communication This task configures router to RADIUS server communication. The RADIUS host is normally a multiuser system running RADIUS server software from Cisco (CiscoSecure ACS), Livingston, Merit, Microsoft, or another software provider. Configuring router to...
  • Page 203 (The RADIUS host entries are tried in the order they are configured.) A RADIUS server and a Cisco router use a shared secret text string to encrypt passwords and exchange responses. To configure RADIUS to use the AAA security commands, you must specify the host running the RADIUS server daemon and a secret text (key) string that it shares with the router.
  • Page 204 Step 3, radius-server retransmit retries: Specifies the number of times the Cisco IOS XR software searches the list of RADIUS server hosts before giving up. In the example, the number of retransmission attempts... Example: •...
  • Page 205 Command or Action / Purpose. Step 5, radius-server key {0 clear-text-key | 7 encrypted-key | clear-text-key}: Sets the authentication and encryption key for all RADIUS communications between the router and the RADIUS daemon.
  • Page 206: Configuring RADIUS Dead-Server Detection

    Configuring RADIUS Dead-Server Detection: This task configures the RADIUS Dead-Server Detection feature. The RADIUS Dead-Server Detection feature lets you configure and determine the criteria used to mark a RADIUS server as dead.
  • Page 207 DETAILED STEPS. Command or Action / Purpose. Step 1, configure: Enters global configuration mode. Example: RP/0/RP0/CPU0:router# configure. Step 2, radius-server deadtime minutes: Improves RADIUS response times when some servers might be unavailable and causes the unavailable servers to be skipped immediately.
  • Page 208: Configuring Per VRF AAA

    "cisco-avpair." The value is a string of the following format: protocol : attribute sep value * "Protocol" is a value of the Cisco "protocol" attribute for a particular type of authorization. “Attribute” and “value” are an appropriate attribute-value (AV) pair defined in the Cisco TACACS+ specification, and “sep”...
  • Page 209 server-private {hostname | ip-address} [auth-port port-number] [acct-port port-number] [timeout seconds] [retransmit retries] [key string] vrf vrf-name; commit. DETAILED STEPS. Command or Action / Purpose. Step 1: Enters global configuration mode.
  • Page 210: Configuring a TACACS+ Server

    Command or Action / Purpose. Step 4, vrf vrf-name: Configures the VRF reference of an AAA RADIUS server group. Note: Private server IP addresses can overlap with... Example:...
  • Page 211 Repeat Step 2 through Step 5 for each external server to be configured; commit; show tacacs. DETAILED STEPS. Command or Action / Purpose. Step 1: Enters global configuration mode.
  • Page 212 Command or Action / Purpose. Step 5, tacacs-server host host-name single-connection: Prompts the router to multiplex all TACACS+ requests to this server over a single TCP connection. By default, a separate connection is used for each session.
  • Page 213: Configuring RADIUS Server Groups

    Configuring RADIUS Server Groups: This task configures RADIUS server groups. The user can enter one or more server commands. The server command specifies the hostname or IP address of an external RADIUS server along with port numbers.
  • Page 214 Command or Action / Purpose. Step 4: Repeat Step 3 for every external server to be added to the server group named in Step 2. Step 5...
  • Page 215: Configuring TACACS+ Server Groups

    What to Do Next: After configuring RADIUS server groups, define method lists by configuring authentication, authorization, and accounting. (See the “Configuring AAA Method Lists” section.) Configuring TACACS+ Server Groups: This task configures TACACS+ server groups.
  • Page 216: Configuring AAA Method Lists

    Command or Action / Purpose. Step 4: Repeat Step 3 for every external server to be added to the server group named in Step 2. Step 5: Saves configuration changes.
  • Page 217 Configuring Authentication Method Lists: This task configures method lists for authentication. Authentication Configuration: Authentication is the process by which a user (or a principal) is verified. Authentication configuration uses method lists to define an order of preference for the source of AAA data, which may be stored in a variety of data sources.
  • Page 218 commit; Repeat Step 1 through Step 3 for every authentication method list to be configured. DETAILED STEPS. Command or Action / Purpose. Step 1: Enters global configuration mode.
  • Page 219 The Cisco IOS XR software uses the first method listed to authorize users for specific network services; if that method fails to respond, the Cisco IOS XR software selects the next method listed in the method list. This process continues until there is successful communication with a listed authorization method, or until all methods defined have been exhausted.
  • Page 220 Note: The Cisco IOS XR software attempts authorization with the next listed method only when there is no response or an error response (not a failure) from the previous method. If authorization fails at any point in this cycle—meaning that the security server or local username database responds by denying the user...
  • Page 221 DETAILED STEPS. Command or Action / Purpose. Step 1, configure: Enters global configuration mode. Example: RP/0/RP0/CPU0:router# configure. Step 2: Creates a series of authorization methods, or a method list.
  • Page 222 Command or Action (continued) / Purpose (continued). group tacacs+: Uses the list of all configured TACACS+ servers for authorization. The NAS exchanges authorization information with the TACACS+ security daemon. TACACS+...
  • Page 223 Accounting Configuration: Currently, Cisco IOS XR software supports both the TACACS+ and RADIUS methods for accounting. The router reports user activity to the TACACS+ or RADIUS security server in the form of accounting records. Each accounting record contains accounting AV pairs and is stored on the security server.
  • Page 224 DETAILED STEPS. Command or Action / Purpose. Step 1, configure: Enters global configuration mode. Example: RP/0/RP0/CPU0:router# configure. Step 2: Creates a series of accounting methods, or a method list.
  • Page 225 Command or Action (continued) / Purpose (continued). • The stop-only keyword sends a “stop accounting” notice at the end of the requested user process. • The none keyword states that no accounting is...
  • Page 226 Generating Interim Accounting Records This task enables periodic interim accounting records to be sent to the accounting server. When the aaa accounting update command is activated, Cisco IOS XR software issues interim accounting records for all users on the system.
  • Page 227 Command or Action (continued) / Purpose (continued). Step 2, aaa accounting update {newinfo | periodic minutes}: Enables periodic interim accounting records to be sent to the accounting server.
  • Page 228: Applying Method Lists for Applications

    Applying Method Lists for Applications: After you configure method lists for authorization and accounting services, you can apply those method lists for applications that use those services (console, vty, auxiliary, and so on). Applying method lists is accomplished by enabling AAA authorization and accounting.
  • Page 229 Command or Action (continued) / Purpose (continued). Step 3, authorization {commands | exec} {default | list-name}: Enables AAA authorization for a specific line or group of lines.
  • Page 230 SUMMARY STEPS: configure; line {aux | console | default | template template-name}; accounting {commands | exec} {default | list-name}; commit...
  • Page 231 DETAILED STEPS. Command or Action / Purpose. Step 1, configure: Enters global configuration mode. Example: RP/0/RP0/CPU0:router# configure. Step 2: Enters line template configuration mode. line {aux | console | default | template...
  • Page 232: Configuring Login Parameters

    What to Do Next: After applying accounting method lists by enabling AAA accounting services, configure login parameters. (See the “Configuring Login Parameters” section.) Configuring Login Parameters: This task sets the interval that the server waits for reply to a login.
  • Page 233: Configuration Examples for Configuring AAA Services

    Command or Action (continued) / Purpose (continued). Step 3, timeout login response seconds: Sets the interval that the server waits for reply to a login. • The seconds argument specifies the timeout interval (in...
  • Page 234 Configuration Examples for Configuring AAA Services: secret lab; group root-system; exit; username user2; secret lab; exit. A task group named tga is created, tasks are added to tga, a user group named uga is created, and uga is configured to inherit permissions from task group tga.
  • Page 235 MIBs. MIBs: —. MIBs Link: To locate and download MIBs using Cisco IOS XR software, use the Cisco MIB Locator found at the following URL and choose a platform under the Cisco Access Products menu: http://cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml...
  • Page 236 Additional References. RFCs: —, No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature. Technical Assistance: The Cisco Technical Support website (http://www.cisco.com/techsupport) contains...
  • Page 237 If the system clock is not set correctly, the system does not function properly. For information on setting the system clock, see the clock set command in the Clock Commands on Cisco IOS XR Software module in the Cisco IOS XR System Management Command Reference.
  • Page 238 Configuring Software Authentication Manager on Cisco IOS XR Software...
  • Page 239 Implementing Management Plane Protection on Cisco IOS XR Software The Management Plane Protection (MPP) feature in Cisco IOS XR software provides the capability to restrict the interfaces on which network management packets are allowed to enter a device. The MPP feature allows a network operator to designate one or more router interfaces as management interfaces.
  • Page 240: Restrictions for Implementing Management Plane Protection

    CoPP allows you to configure a quality of service (QoS) filter that manages the traffic flow of control plane packets. This QoS filter helps to protect the control plane of Cisco IOS XR routers and switches against denial-of-service (DoS) attacks and helps to maintain packet forwarding and protocol states during an attack or during heavy traffic loads.
  • Page 241: Management Plane Protection Feature

    Implementing Management Plane Protection on Cisco IOS XR Software How to Configure a Device for Management Plane Protection Examples of protocols processed in the management plane are Simple Network Management Protocol (SNMP), Telnet, HTTP, Secure HTTP (HTTPS), and SSH. These management protocols are used for monitoring and for command-line interface (CLI) access.
  • Page 242: Configuring a Device for Management Plane Protection

    Configuring a Device for Management Plane Protection: Perform this task to configure a device that you have just added to your network or a device already operating in your network.
  • Page 243 Command or Action / Purpose. Step 5, inband interface {type instance | all}: Configures a specific inband interface or all interfaces as an inband interface. Use the interface...
  • Page 244: Configuring Management Plane Protection: Example

    Configuration Examples for Implementing Management Plane Protection. Command or Action / Purpose. Step 7, commit: Saves configuration changes. When you issue the end command, the system prompts you to commit changes:...
  • Page 245 MIBs. MIBs: —. MIBs Link: To locate and download MIBs using Cisco IOS XR software, use the Cisco MIB Locator found at the following URL and choose a platform under the Cisco Access Products menu: http://cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml...
  • Page 246 Additional References. RFCs: —, No new or modified RFCs are supported by this feature. Technical Assistance: The Cisco Technical Support website (http://www.cisco.com/techsupport) contains thousands of pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools.
