Cisco NCS 5000 Series Manual

System Security Command Reference for Cisco NCS 5000 Series
Routers
First Published: 2015-12-23
Last Modified: 2017-03-16
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883

Summary of Contents for Cisco NCS 5000 Series

  • Page 2 Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks . Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company.
  • Page 3: Table Of Contents

    (line) authorization (line) description (AAA) group (AAA) inherit taskgroup inherit usergroup key (TACACS+) login authentication password (AAA) radius-server dead-criteria time radius-server dead-criteria tries radius-server deadtime (BNG) radius-server key (BNG) System Security Command Reference for Cisco NCS 5000 Series Routers...
  • Page 4 (TACACS+) timeout login response usergroup username users group...
  • Page 5 (Interactive Mode) show netconf-yang clients show netconf-yang statistics show ssh show ssh session details ssh client knownhost ssh client source-interface ssh server...
  • Page 6 Contents ssh server logging ssh server rate-limit ssh server session-limit ssh server v2 ssh server netconf ssh timeout...
  • Page 7: Obtaining Documentation And Submitting A Service Request

    What's New in Cisco Product Documentation. To receive new and revised Cisco technical content directly to your desktop, you can subscribe to the What's New in Cisco Product Documentation RSS feed. RSS feeds are a free service.
  • Page 9 For detailed information about AAA concepts, configuration tasks, and examples, see the Configuring AAA Services chapter in the System Security Configuration Guide for Cisco NCS 5000 Series Routers. Note: Currently, only the default VRF is supported. VPNv4, VPNv6 and VPN routing and forwarding (VRF) address families will be supported in a future release.
  • Page 10 , page 89 • single-connection, page 90 • tacacs-server host, page 91 • tacacs-server key, page 93 • tacacs-server timeout, page 95 • tacacs-server ipv4, page 96 • tacacs source-interface, page 98...
  • Page 11 100 • taskgroup, page 102 • timeout (TACACS+), page 104 • timeout login response, page 105 • usergroup, page 106 • username, page 108 • users group, page 112...
  • Page 12: Aaa Accounting

    • group radius—Uses the list of all RADIUS servers for accounting. • group named-group—Uses a named subset of TACACS+ or RADIUS servers for accounting, as defined by the aaa group server tacacs+ or aaa group server radius command...
  • Page 13 The list name can be applied to a line (console, aux, or vty template) to enable accounting on that particular line. The Cisco IOS XR software supports both TACACS+ and RADIUS methods for accounting. The router reports user activity to the security server in the form of accounting records, which are stored on the security server.
  • Page 14: Aaa Accounting System Default

    The default method list is automatically applied to all interfaces or lines. If no default method list is defined, then no accounting takes place. You can specify up to four methods in the method list...
  • Page 15 This example shows how to cause a “start accounting” record to be sent to a TACACS+ server when a router initially boots. A “stop accounting” record is also sent when a router is shut down or reloaded. RP/0/RP0/CPU0:router# configure RP/0/RP0/CPU0:router(config)# aaa accounting system default start-stop group tacacs+...
  • Page 16: Aaa Accounting Update

  • Page 17 RP/0/RP0/CPU0:router(config)# aaa accounting update periodic 30 The following example shows how to send interim accounting records to the RADIUS server when there is new accounting information to report: RP/0/RP0/CPU0:router# configure RP/0/RP0/CPU0:router(config)# aaa accounting update newinfo...
  • Page 18: Aaa Authentication (Xr-Vm)

    Command Default Default behavior applies the local authentication on all ports. Command Modes XR Config mode or System Admin Config mode Command History Release Modification Release 6.0 This command was introduced...
  • Page 19 The following example shows how to specify the remote method list for authentication, and also enable authentication for console in System Admin Config mode: RP/0/RP0/CPU0:router# admin sysadmin-vm:0_RP0# configure sysadmin-vm:0_RP0(config)# aaa authentication users user lab admin RP/0/RP0/CPU0:router# sysadmin-vm:0_RP0# configure sysadmin-vm:0_RP0(config)# aaa authentication groups group aaa-r...
  • Page 20: Aaa Authorization (Xr-Vm)

    Command Default Authorization is disabled for all actions (equivalent to the method none keyword). Command Modes XR Config mode...
  • Page 21 TACACS+), in sequence. Method lists enable you to designate one or more security protocols for authorization, thus ensuring a backup system in case the initial method fails. Cisco IOS XR software uses the first method listed to authorize users for specific network services; if that method fails to respond, Cisco IOS XR software selects the next method listed in the method list.
  • Page 22 The following example shows how to define the command authorization method list named listname1, which specifies that TACACS+ authorization is used: RP/0/RP0/CPU0:router# configure RP/0/RP0/CPU0:router(config)# aaa authorization commands listname1 group tacacs+...
  • Page 23: Aaa Default-Taskgroup

    Task ID Task ID Operations read, write Examples The following example shows how to specify taskgroup1 as the default task group for remote TACACS+ authentication: RP/0/RP0/CPU0:router# configure RP/0/RP0/CPU0:router(config)# aaa default-taskgroup taskgroup1...
  • Page 24: Aaa Group Server Radius

    The server group cannot be named radius or tacacs. This command enters server group configuration mode. You can use the server command to associate a particular RADIUS server with the defined server group...
  • Page 25 Note: If the auth-port port-number and acct-port port-number keywords and arguments are not specified, the default value of the port-number argument for the auth-port keyword is 1645 and the default value of the port-number argument for the acct-port keyword is 1646. These are the legacy RADIUS ports; RFC 2865 assigns 1812 and 1813, so set the ports explicitly if the server listens there...
  • Page 26: Aaa Group Server Tacacs

    Group name methods refer to a set of previously defined TACACS+ servers. Note: Use the tacacs-server host command to configure the host servers. Task ID Task ID Operations read, write...
  • Page 27 The following example shows the configuration of an AAA group server named tacgroup1, which comprises three member servers: RP/0/RP0/CPU0:router# configure RP/0/RP0/CPU0:router(config)# aaa group server tacacs+ tacgroup1 RP/0/RP0/CPU0:router(config-sg-tacacs)# server 192.168.200.226 RP/0/RP0/CPU0:router(config-sg-tacacs)# server 192.168.200.227 RP/0/RP0/CPU0:router(config-sg-tacacs)# server 192.168.200.228...
  • Page 28: Aaa Password-Policy

    Specifies, as an integer, the duration (in days, hours, minutes or seconds) for which the user is locked out after exceeding the maximum number of authentication failure attempts allowed. Command Default None...
  • Page 29 This is how the AAA password security policy works on Cisco IOS XR platforms. On Cisco IOS XR 64-bit platforms and Cisco NCS 5000 Series Routers, the feature is supported only on the XR VM. For more details on the usage of each option of this command, refer to the section AAA Password Security for FIPS Compliance in the Configuring FIPS Mode chapter of the System Security Configuration Guide for Cisco NCS 5000 Series Routers.
  • Page 30 RP/0/RP0/CPU0:router(config-aaa)#max-length 15 RP/0/RP0/CPU0:router(config-aaa)#lifetime months 3 RP/0/RP0/CPU0:router(config-aaa)#min-char-change 5 RP/0/RP0/CPU0:router(config-aaa)#authen-max-attempts 3 RP/0/RP0/CPU0:router(config-aaa)#lockout-time days 1 Related Commands Command Description show aaa password-policy, on page 67 Displays the details of AAA password policy. username...
  • Page 31: Accounting (Line)

    If a method list is not specified this way, no accounting is applied to the selected line or group of lines. Task ID Task ID Operations read, write...
  • Page 32 The following example shows how to enable command accounting services using the accounting method list named listname2 on a line template named configure: RP/0/RP0/CPU0:router# configure RP/0/RP0/CPU0:router(config)# line template configure RP/0/RP0/CPU0:router(config-line)# accounting commands listname2...
  • Page 33: Authorization (Line)

    Use the authorization command to apply the specified method lists (or, if none is specified, the default method list) to the selected line or group of lines. Task ID Task ID Operations read, write...
  • Page 34 The following example shows how to enable command authorization using the method list named listname4 on a line template named configure: RP/0/RP0/CPU0:router# configure RP/0/RP0/CPU0:router(config)# line template configure RP/0/RP0/CPU0:router(config-line)# authorization commands listname4...
  • Page 35: Description (Aaa)

    RP/0/RP0/CPU0:router(config-tg)# description this is a sample taskgroup The following example shows the creation of a user group description: RP/0/RP0/CPU0:router# configure RP/0/RP0/CPU0:router(config)# usergroup alpha RP/0/RP0/CPU0:router(config-ug)# description this is a sample user group...
  • Page 36: Group (Aaa)

    Adds the user to the predefined Cisco support personnel group. Note Starting from IOS XR 6.0 release, the cisco-support group is combined with the root-system group. This means a user who is part of the root-system group can also access commands that are included in the cisco-support group.
  • Page 37 108 command in XR Config mode. If the group command is used in System Admin Config mode, only cisco-support keywords can be specified. The privileges associated with the cisco-support group are now included in the root-system group. The cisco-support group is no longer required to be used for configuration.
  • Page 38: Inherit Taskgroup

    Any changes made to the task group from which permissions are inherited are reflected immediately in the task group that inherits them. Task ID Task ID Operations read, write...
  • Page 39 Examples In the following example, the permissions of task group tg2 are inherited by task group tg1: RP/0/RP0/CPU0:router# configure RP/0/RP0/CPU0:router(config)# taskgroup tg1 RP/0/RP0/CPU0:router(config-tg)# inherit taskgroup tg2 RP/0/RP0/CPU0:router(config-tg)# end...
  • Page 40: Inherit Usergroup

    Task ID Task ID Operations read, write Examples The following example shows how to enable the purchasing user group to inherit properties from the sales user group: RP/0/RP0/CPU0:router# configure...
  • Page 41 Authentication, Authorization, and Accounting Commands inherit usergroup RP/0/RP0/CPU0:router(config)# usergroup purchasing RP/0/RP0/CPU0:router(config-ug)# inherit usergroup sales...
  • Page 42: Key (Tacacs+)

    The key is used to encrypt the packets sent to the TACACS+ server and must match the key configured on the external TACACS+ server so that the packets can be decrypted properly. If the keys do not match, the exchange fails. Task ID Task ID Operations read, write...
  • Page 43 Examples The following example shows how to set the encrypted key to anykey: RP/0/RP0/CPU0:router(config)# tacacs-server host 209.165.200.226 RP/0/RP0/CPU0:router(config-tacacs-host)# key anykey...
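    What the key (TACACS+) setting actually does on the wire, as an added example that is not code from this manual or from Cisco: TACACS+ (RFC 8907, section 4.5) XORs the packet body with an MD5 pad derived from the session ID, the shared key, the version and the sequence number. Because the operation is a plain XOR, a wrong key on either side does not produce an error but garbage, which is what surfaces as a failed exchange. The sample session ID, key and authentication body below are constructed; the scheme is obfuscation rather than authenticated encryption, so the key only protects against passive sniffing, not against an active attacker on the path.

```python
# Added example (not Cisco's code): TACACS+ body obfuscation, RFC 8907 4.5.
# The session ID, key and sample body are constructed for illustration.
import hashlib
import os
import struct

TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_MINOR_VER_DEFAULT = 0x0
TAC_PLUS_AUTHEN = 0x01            # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # set only when no key is configured


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """MD5_1 = MD5(session_id, key, version, seq_no); MD5_n also appends MD5_{n-1}."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """Symmetric XOR: the same call both hides and reveals a body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_packet(body: bytes, session_id: int, key: bytes, seq_no: int = 1) -> bytes:
    """12-byte header (version, type, seq_no, flags, session_id, length) + body."""
    version = (TAC_PLUS_MAJOR_VER << 4) | TAC_PLUS_MINOR_VER_DEFAULT
    flags = 0 if key else TAC_PLUS_UNENCRYPTED_FLAG
    payload = obfuscate(body, session_id, key, version, seq_no) if key else body
    header = struct.pack("!BBBBII", version, TAC_PLUS_AUTHEN, seq_no, flags,
                         session_id, len(payload))
    return header + payload


def parse_packet(packet: bytes, key: bytes) -> bytes:
    """Return the clear body; raise if the length field and the data disagree."""
    version, _ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    body = packet[12:]
    if len(body) != length:
        raise ValueError("truncated or oversized TACACS+ packet")
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return body
    return obfuscate(body, session_id, key, version, seq_no)


# Constructed authentication START body: action=login, priv_lvl=0,
# authen_type=ASCII, service=login, user_len=4, port_len=4,
# rem_addr_len=0, data_len=0, then user "user" and port "port".
SAMPLE_BODY = b"\x01\x00\x01\x01\x04\x04\x00\x00userport"

if __name__ == "__main__":
    sid = int.from_bytes(os.urandom(4), "big")
    pkt = build_packet(SAMPLE_BODY, sid, b"anykey")
    print(parse_packet(pkt, b"anykey") == SAMPLE_BODY)    # right key: body recovered
    print(parse_packet(pkt, b"wrongkey") == SAMPLE_BODY)  # key mismatch: garbage
```

    The same pad construction applies whether the key comes from a per-host key (TACACS+) or from the global tacacs-server key; the router simply uses whichever key it resolves for that server.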
  • Page 44: Login Authentication

    Entering the no form of the login authentication command has the same effect as entering the command with the default keyword. Before issuing this command, create a list of authentication processes by using the aaa authentication login command. Task ID Task ID Operations read, write...
  • Page 45 RP/0/RP0/CPU0:router(config-line)# login authentication default The following example shows that the AAA authentication list called list1 is used for the line template template2: RP/0/RP0/CPU0:router# configure RP/0/RP0/CPU0:router(config)# line template template2 RP/0/RP0/CPU0:router(config-line)# login authentication list1...
  • Page 46: Password (Aaa)

    Passwords are two-way encrypted and should be used only for applications, such as PPP, that need a password that can be decrypted. Note: The show running-config command always displays the login password in encrypted form, even when it was entered in clear text with the 0 option...
  • Page 47 RP/0/RP0/CPU0:router# configure RP/0/RP0/CPU0:router(config)# username user1 RP/0/RP0/CPU0:router(config-un)# password 0 pwd1 RP/0/RP0/CPU0:router(config-un)# commit RP/0/RP0/CPU0:router(config-un)# show running-config Building configuration... username user1 password 7 141B1309...
  • Page 48: Radius-Server Dead-Criteria Time

    If a packet has not been received since the router booted and there is a timeout, the time criterion is treated as though it were met. Task ID Task ID Operations read, write...
  • Page 49 The following example shows how to establish the time for the dead-criteria conditions for a RADIUS server to be marked as dead for the radius-server dead-criteria time command: RP/0/RP0/CPU0:router# configure RP/0/RP0/CPU0:router(config)# radius-server dead-criteria time 5...
  • Page 50: Radius-Server Dead-Criteria Tries

    Note: If you configure the radius-server dead-criteria tries command before the radius-server deadtime command, the radius-server dead-criteria tries command may not be enforced. Task ID Task ID Operations read, write...
  • Page 51 The following example shows how to establish the number of tries for the dead-criteria conditions for a RADIUS server to be marked as dead for the radius-server dead-criteria tries command: RP/0/RP0/CPU0:router# configure RP/0/RP0/CPU0:router(config)# radius-server dead-criteria tries 4...
  • Page 52: Radius-Server Deadtime (Bng)

    Examples This example specifies five minutes of deadtime for RADIUS servers that fail to respond to authentication requests for the radius-server deadtime command: RP/0/RP0/CPU0:router# configure RP/0/RP0/CPU0:router(config)# radius-server deadtime 5...
  • Page 53: Radius-Server Key (Bng)

    Task ID Task ID Operations read, write Examples This example shows how to set the cleartext key to “samplekey”: RP/0/RP0/CPU0:router# configure RP/0/RP0/CPU0:router(config)# radius-server key 0 samplekey...
  • Page 54 This example shows how to set the encrypted shared key to “anykey”: RP/0/RP0/CPU0:router# configure RP/0/RP0/CPU0:router(config)# radius-server key 7 anykey...
  • Page 55: Radius-Server Retransmit (Bng)

    (BNG) To specify the number of times the Cisco IOS XR software retransmits a packet to a server before giving up, use the radius-server retransmit command in the XR Config mode. The no form of this command sets it to the default value of 3.
  • Page 56: Radius-Server Timeout (Bng)

    Use the radius-server timeout command to set the number of seconds a router waits for a server host to reply before timing out. Task ID Task ID Operations read, write Examples This example shows how to change the interval timer to 10 seconds: RP/0/RP0/CPU0:router# configure RP/0/RP0/CPU0:router(config)# radius-server timeout 10...
  • Page 57: Radius Source-Interface (Bng)

    The radius source-interface command is especially useful in cases in which the router has many interfaces or subinterfaces and you want to ensure that all RADIUS packets from a particular router have the same IP address. Task ID Task ID Operations read, write...
  • Page 58 (BNG) Examples This example shows how to make RADIUS use the IP address of Loopback 10 in VRF vrf1 as the source of all outgoing RADIUS packets: RP/0/RP0/CPU0:router# configure RP/0/RP0/CPU0:router(config)# radius source-interface loopback 10 vrf vrf1...
  • Page 59: Secret

    This command was introduced. Usage Guidelines Cisco IOS XR software allows you to store username login secrets as Message Digest 5 (MD5) based hashes (secret 5). An MD5 hash is a one-way function: the stored value cannot be decrypted back to the clear-text password, so the clear text cannot be retrieved from the configuration. Prefer it over the reversible password 7 form; note that a weak secret can still be guessed offline by hashing candidates against the stored salt.
  • Page 60 The following example shows how to establish the clear-text secret “lab” for the user user2: RP/0/RP0/CPU0:router# configure RP/0/RP0/CPU0:router(config)# username user2 RP/0/RP0/CPU0:router(config-un)# secret 0 lab RP/0/RP0/CPU0:router(config-un)# commit RP/0/RP0/CPU0:router(config-un)# show running-config Building configuration... username user2 secret 5 $1$DTmd$q7C6fhzje7Cc7Xzmu2Frx1...
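    The difference between password 7 (page 46-47) and secret 5 (page 59-60) in working code, as an added example that is not part of this manual or Cisco's software: the type-7 form is a fixed XOR keystream with a two-digit offset, so any stored value is recoverable by anyone who can read the configuration, while the secret 5 form is a salted one-way hash that an audit cannot reverse. The keystream constant is the publicly known one, not something taken from this manual; the sample running-config and the seed are constructed. The audit function generalises the page's single example to every password 7 line in a config.

```python
# Added example (not Cisco's code): reversible "type 7" encoding behind
# `password 7`, plus a config audit that recovers every such password.
# The keystream below is the publicly known type-7 constant; the sample
# config and seed are constructed for illustration.
import re

# Public constant of the type-7 scheme; the two-digit prefix of a stored
# value is the starting offset into this keystream.
_TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def decode_type7(stored: str) -> str:
    """Recover the clear text from a `password 7 <hex>` value."""
    if not re.fullmatch(r"[0-9]{2}(?:[0-9A-Fa-f]{2})*", stored):
        raise ValueError("not a type-7 string: <2-digit seed><hex pairs>")
    seed = int(stored[:2])
    cipher = bytes.fromhex(stored[2:])
    clear = bytes(
        c ^ _TYPE7_KEY[(seed + i) % len(_TYPE7_KEY)] for i, c in enumerate(cipher)
    )
    return clear.decode("latin-1")


def encode_type7(clear: str, seed: int = 0) -> str:
    """Produce the `password 7` form; the same XOR, so it is trivially reversible."""
    if not 0 <= seed <= 15:
        raise ValueError("IOS-style seeds are 00..15")
    data = clear.encode("latin-1")
    cipher = bytes(
        c ^ _TYPE7_KEY[(seed + i) % len(_TYPE7_KEY)] for i, c in enumerate(data)
    )
    return f"{seed:02d}{cipher.hex().upper()}"


def audit_config(running_config: str) -> list:
    """Return (user, clear_text) for every `username ... password 7` line.

    `secret 5` lines are salted MD5-crypt hashes and are deliberately not
    touched: there is nothing to decode, only to brute-force.
    """
    findings = []
    for line in running_config.splitlines():
        m = re.match(r"\s*username\s+(\S+)\s+password\s+7\s+([0-9A-Fa-f]+)", line)
        if m:
            findings.append((m.group(1), decode_type7(m.group(2))))
    return findings


# Constructed sample running-config (not the manual's output).
SAMPLE_CONFIG = """\
username ops   password 7 0822455D0A16
username user2 secret 5 $1$DTmd$q7C6fhzje7Cc7Xzmu2Frx1
"""

if __name__ == "__main__":
    print(encode_type7("pwd1", 14))
    for user, clear in audit_config(SAMPLE_CONFIG):
        print(f"{user}: password 7 recovers to {clear!r}")
```

    Run the audit against a saved show running-config before a device leaves your control; every line it reports is equivalent to a clear-text password in the hands of anyone with read access to the configuration, including backup systems and ticket attachments.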
  • Page 61: Server (Radius)

    IP address and UDP port number creates a unique identifier, allowing different ports to be individually defined as RADIUS host entries providing a specific AAA service. If two different host entries...
  • Page 62 The second host entry configured acts as switchover backup to the first one. RP/0/RP0/CPU0:router# configure RP/0/RP0/CPU0:router(config)# aaa group server radius group1 RP/0/RP0/CPU0:router(config-sg-radius)# server 1.1.1.1 auth-port 1645 acct-port 1646 RP/0/RP0/CPU0:router(config-sg-radius)# server 2.2.2.2 auth-port 2000 acct-port 2001...
  • Page 63: Server (Tacacs+)

    The following example shows how to associate the TACACS+ server with the IP address 192.168.60.15 with the server group tac1: RP/0/RP0/CPU0:router# configure RP/0/RP0/CPU0:router(config)# aaa group server tacacs+ tac1 RP/0/RP0/CPU0:router(config-sg-tacacs+)# server 192.168.60.15...
  • Page 64: Server-Private (Radius)

    If no key string is specified, the global value is used. Command Default If no port attributes are defined, the defaults are as follows: • Authentication port: 1645 • Accounting port: 1646...
  • Page 65 RP/0/RP0/CPU0:router(config-sg-radius)# server-private 10.2.2.2 key coke RP/0/RP0/CPU0:router(config-sg-radius)# server-private 10.2.2.2 auth-port 300 RP/0/RP0/CPU0:router(config-sg-radius-private)# RP/0/RP0/CPU0:router# configure RP/0/RP0/CPU0:router(config)# aaa group server radius group1 RP/0/RP0/CPU0:router(config-sg-radius)# server-private 10.1.1.1 auth-port 300 RP/0/RP0/CPU0:router(config-sg-radius-private)# exit RP/0/RP0/CPU0:router(config-sg-radius)# server-private 10.2.2.2 auth-port 300 RP/0/RP0/CPU0:router(config-sg-radius-private)#...
  • Page 66: Server-Private (Tacacs+)

    (for example, default tacacs+ server group) can still be referred to by IP addresses and port...
  • Page 67 RP/0/RP0/CPU0:router(config-sg-tacacs+)# server-private 10.1.1.1 timeout 5 RP/0/RP0/CPU0:router(config-sg-tacacs+)# server-private 10.1.1.1 key a_secret RP/0/RP0/CPU0:router(config-sg-tacacs+)# server-private 10.1.1.1 port 51 RP/0/RP0/CPU0:router(config-sg-tacacs-private)# exit RP/0/RP0/CPU0:router(config-sg-tacacs+)# server-private 10.2.2.2 timeout 5 RP/0/RP0/CPU0:router(config-sg-tacacs+)# server-private 10.2.2.2 key coke RP/0/RP0/CPU0:router(config-sg-tacacs+)# server-private 10.2.2.2 port 300 RP/0/RP0/CPU0:router(config-sg-tacacs-private)#...
  • Page 68: Show Aaa (Xr-Vm)

    Details for all user groups, or all local users, or all task groups are listed if no argument is entered. Command Modes XR EXEC mode Command History Release Modification Release 6.0 This command was introduced...
  • Page 69 EXECUTE DEBUG Task: config-mgmt : READ WRITE EXECUTE DEBUG Task: config-services : READ WRITE EXECUTE DEBUG Task: crypto : READ WRITE EXECUTE DEBUG Task: diag : READ WRITE EXECUTE DEBUG...
  • Page 70 : READ WRITE EXECUTE DEBUG Task: acl admin : READ WRITE EXECUTE DEBUG Task: admin atm : READ WRITE EXECUTE DEBUG Task: atm basic-services : READ WRITE EXECUTE DEBUG...
  • Page 71 The following sample output is from the show aaa command, using the task supported keywords. Task IDs are displayed in alphabetic order. RP/0/RP0/CPU0:router# show aaa task supported admin basic-services bcdl...
  • Page 72 User group root-systemlrlr root-system route-map route-policy snmp sonet-sdh static sysmgr system transport tty-access tunnel universal vlan vrrp...
  • Page 73: Show Aaa Accounting

    CLI 'config terminal' 2014-11-03.13:37:03 UTC cisco 0/RP0 CLI done 2014-11-03.13:37:09 UTC cisco 0/RP0 CLI 'aaa authentication users user temp' 2014-11-03.13:37:09 UTC cisco 0/RP0 CLI done 2014-11-03.13:37:11 UTC cisco 0/RP0 CLI 'password...
  • Page 74 0/RP0 CLI 'exit' 2014-11-03.13:37:16 UTC cisco 0/RP0 CLI done 2014-11-03.13:37:18 UTC cisco 0/RP0 CLI 'exit' 2014-11-03.13:37:18 UTC cisco 0/RP0 CLI done 2014-11-03.13:37:21 UTC cisco 0/RP0 CLI 'show aaa accounting'...
  • Page 75: Show Aaa Password-Policy

    Special Character Len : 0 Uppercase Character Len : 0 Lowercase Character Len : 1 Numeric Character Len : 0 Policy Life Time : seconds : 0 minutes : 0 hours : 0...
  • Page 76 : 0 years : 0 Character Change Len : 4 Maximum Failure Attempts : 0 Related Commands Command Description aaa password-policy, on page 20 Defines the FIPS-compliant AAA password security policy...
  • Page 77: Show Radius

    0 responses, 0 timeouts, 0 bad responses 0 bad authenticators, 0 unknown types, 0 dropped 0 ms latest rtt Server: 2.2.2.2/1645/1646 is UP Timeout: 10 sec, Retransmit limit: 3 Authentication:...
  • Page 78 Number of seconds the router waits for a server host to reply before timing out. Retransmit limit Number of times the Cisco IOS XR software searches the list of RADIUS server hosts before giving up...
  • Page 79: Show Radius Accounting

    0 responses, 0 timeouts, 0 bad responses 0 bad authenticators, 0 unknown types, 0 dropped 0 ms latest rtt Server: 12.38.28.18, port: 29199 0 requests, 0 pending, 0 retransmits 0 responses, 0 timeouts, 0 bad responses...
  • Page 80 This table describes the significant fields shown in the display. Table 3: show radius accounting Field Descriptions Field Description Server Server IP address/UDP destination port for authentication requests; UDP destination port for accounting requests...
  • Page 81: Show Radius Authentication

    0 timeouts, 0 bad responses, 0 bad authenticators 0 unknown types, 0 dropped, 0 ms latest rtt Server: 12.38.28.18, port: 21099 0 requests, 0 pending, 0 retransmits 0 accepts, 0 rejects, 0 challenges...
  • Page 82 This table describes the significant fields shown in the display. Table 4: show radius authentication Field Descriptions Field Description Server Server IP address/UDP destination port for authentication requests; UDP destination port for accounting requests...
  • Page 83: Show Radius Dead-Criteria

    RP/0/RP0/CPU0:router# show radius dead-criteria host 12.26.49.12 auth-port 11000 acct-port 11001 Server: 12.26.49.12/11000/11001 Dead criteria time: 10 sec (computed) tries: 10 (computed) This table describes the significant fields shown in the display...
  • Page 84 Number of seconds the router waits for a server host to reply before timing out. Retransmits Number of times Cisco IOS XR software searches the list of RADIUS server hosts before giving up...
  • Page 85: Show Radius Server-Groups

    The following sample output is for the show radius server-groups command: RP/0/RP0/CPU0:router# show radius server-groups Global list of servers Contains 2 server(s) Server 1.1.1.1/1645/1646 Server 2.2.2.2/1645/1646 Server group 'radgrp1' has 2 server(s)...
  • Page 86 This table describes the significant fields shown in the display. Table 6: show radius server-groups Field Descriptions Field Description Server Server IP address/UDP destination port for authentication requests/UDP destination port for accounting requests...
  • Page 88: Show Tacacs

    For IPv6 IP addresses: Server: 1.2.3.5/49 family = AF_INET opens=0 closes=0 aborts=0 errors=0 packets in=0 packets out=0 status=up single-connect=false This table describes the significant fields shown in the display...
  • Page 89 Number of error replies from the external server. packets in Number of TCP packets that have been received from the external server. packets out Number of TCP packets that have been sent to the external server...
  • Page 90: Show Tacacs Server-Groups

    Server 12.26.25.61/23456 Server 12.26.49.12/12345 Server 12.26.49.12/9000 Server 12.26.25.61/23432 Server 5.5.5.5/23456 Server 1.1.1.1/49 Server group 'tac100' has 1 servers Server 12.26.49.12 This table describes the significant fields shown in the display...
  • Page 91 Table 8: show tacacs server-groups Field Descriptions Field Description Server Server IP address...
  • Page 92: Show User

    Use the show user command to display all user groups and task IDs associated with the currently logged-in user. Task ID Task ID Operations none — Examples The following sample output displays the authentication method parameters from the show user command: RP/0/RP0/CPU0:router# show user authentication method local...
  • Page 93 WRITE EXECUTE DEBUG Task: : READ WRITE EXECUTE DEBUG Task: snmp : READ WRITE EXECUTE DEBUG Task: sonet-sdh : READ WRITE EXECUTE DEBUG Task: static : READ WRITE EXECUTE DEBUG...
  • Page 95 DEBUG Task: tunnel : READ WRITE EXECUTE DEBUG Task: universal : READ WRITE EXECUTE DEBUG (reserved) Task: vlan : READ WRITE EXECUTE DEBUG Task: vrrp : READ WRITE EXECUTE DEBUG...
  • Page 96: Show Aaa User-Group

    Task ID: Operation: read
    Examples: This is the sample output of the show aaa user-group command:
    sysadmin-vm:0_RP0# show aaa user-group
    Mon Nov 13:39:33.380 UTC
    User group : root-system
    sysadmin-vm:0_RP0#
  • Page 97: Show Tech-Support Aaa

    Compressing show tech output
    Show tech output available at /misc/disk1//showtech-aaa-admin-2014-Nov-04.082457.UTC.tgz
    Please collect show tech-support ctrace in addition to any sysadmin show-tech-support collection
    ++ Show tech end time: 2014-Nov-04.UTC ++
    sysadmin-vm:0_RP0#
  • Page 98: Single-Connection

    This works only if the TACACS+ server is also configured in single-connection mode. To configure the TACACS+ server in single-connection mode, refer to the respective server manual.
    RP/0/RP0/CPU0:router(config)# tacacs-server host 209.165.200.226
    RP/0/RP0/CPU0:router(config-tacacs-host)# single-connection
  • Page 99: Tacacs-Server Host

    No TACACS+ host is specified. The port-name argument, if not specified, defaults to the standard port 49. The seconds argument, if not specified, defaults to 5 seconds.
    Command Modes: XR Config mode
  • Page 100 Release 6.0: This command was introduced.
    Usage Guidelines: You can use multiple tacacs-server host commands to specify additional hosts. Cisco IOS XR software searches for hosts in the order in which you specify them.
    Task ID Operations...
  • Page 101: Tacacs-Server Key

    The TACACS server key is used only if no key is configured for an individual TACACS server. Keys configured for an individual TACACS server always override this global key configuration.
    Task ID: Operations: read, write
  • Page 102 Examples: The following example sets the authentication and encryption key to key1:
    RP/0/RP0/CPU0:router(config)# tacacs-server key key1
  • Page 103: Tacacs-Server Timeout

    Timeout intervals configured for an individual TACACS+ server always override this global timeout configuration.
    Task ID: Operations: read, write
    Examples: The following example shows the interval timer being changed to 10 seconds:
    RP/0/RP0/CPU0:router(config)# tacacs-server timeout 10
  • Page 104: Tacacs-Server Ipv4

    • cs6 Match packets with CS6 (precedence 6) dscp (110000)
    • cs7 Match packets with CS7 (precedence 7) dscp (111000)
    • default Match packets with default dscp (000000)
    • ef Match packets with EF dscp (101110)
  • Page 105 No specific guidelines impact the use of this command.
    Task ID: Operation: read, write
    Examples: The following example sets the DSCP value to Assured Forwarding (AF) 11:
    RP/0/RP0/CPU0:router(config)# tacacs-server ipv4 dscp af11
  • Page 106: Tacacs Source-Interface

    TACACS+ packets from a particular router have the same IP address. When the specified interface does not have an IP address or is in a down state, TACACS+ behaves as if no source interface configuration is used.
  • Page 107 Examples: The following example shows how to set the IP address of the specified interface for all outgoing TACACS+ packets:
    RP/0/RP0/CPU0:router# configure
    RP/0/RP0/CPU0:router(config)# tacacs source-interface TenGigabitEthernet 0/0/0/29 vrf abc
  • Page 108: Task

    Examples: The following example shows how to enable execute privileges for the config-services task ID and associate that task ID with the task group named taskgroup1:
    RP/0/RP0/CPU0:router# configure
  • Page 109 RP/0/RP0/CPU0:router(config)# taskgroup taskgroup1
    RP/0/RP0/CPU0:router(config-tg)# task execute config-services
  • Page 110: Taskgroup

    (Optional) Name of the task group from which permissions are to be inherited.
    Command Default: Five predefined user groups are available by default.
    Command Modes: XR Config mode
    Command History: Release 6.0: This command was introduced.
  • Page 111 Task ID: Operations: read, write
    Examples: The following example assigns read bgp permission to the task group named alpha:
    RP/0/RP0/CPU0:router# configure
    RP/0/RP0/CPU0:router(config)# taskgroup alpha
    RP/0/RP0/CPU0:router(config-tg)# task read bgp
  • Page 112: Timeout (Tacacs+)

    Task ID: Operations: read, write
    Examples: The following example shows how to set the number of seconds for the timeout value:
    RP/0/RP0/CPU0:router(config)# tacacs-server host 209.165.200.226
    RP/0/RP0/CPU0:router(config-tacacs-host)# timeout 500
  • Page 113: Timeout Login Response

    Task ID Operations: read, write
    Examples: The following example shows how to change the interval timer to 20 seconds:
    RP/0/RP0/CPU0:router# configure
    RP/0/RP0/CPU0:router(config)# line template alpha
    RP/0/RP0/CPU0:router(config-line)# timeout login response 20
  • Page 114: Usergroup

    From global configuration mode, you can display all the configured user groups. However, you cannot display all the configured user groups in usergroup configuration mode.
    Task ID: Operations: read, write
  • Page 115 Examples: The following example shows how to add permissions from the user group beta to the user group alpha:
    RP/0/RP0/CPU0:router# configure
    RP/0/RP0/CPU0:router(config)# usergroup alpha
    RP/0/RP0/CPU0:router(config-ug)# inherit usergroup beta
  • Page 116: Username

    password-policy: Applies a particular password policy to the user.
    policy-name: Specifies the name of the password policy. This policy name has to be configured prior to applying this policy to the user.
  • Page 117 FIPS compliance.
    Usage Guidelines
    Note: A user is never allowed to have cisco-support privileges as the only group.
    Use the username command to identify the user and enter username configuration mode. Password and user group assignments can be made from either XR Config mode or username configuration submode. Permissions (task IDs) are assigned by associating the user with one or more defined user groups.
  • Page 118 For more details on defining a password policy, refer to the aaa password-policy command. The AAA password security policy feature works as described for Cisco IOS XR platforms; on Cisco IOS XR 64-bit platforms, it is supported only on the XR VM.
  • Page 119 RP/0/RP0/CPU0:router# configure
    RP/0/RP0/CPU0:router(config)# username user1
    RP/0/RP0/CPU0:router(config-un)# password 0 password1
    This example shows how to apply a AAA password policy for a user:
    RP/0/RP0/CPU0:router# config
    RP/0/RP0/CPU0:router(config)# username user1 password-policy test-policy password abc
  • Page 120: Users Group

    usergroup-name: Name of the user group. The usergroup-name argument can be only one word. Spaces and quotation marks are not allowed.
    cisco-support: Specifies that users logging in through the line are given Cisco support personnel privileges.
    netadmin: Specifies that users logging in through the line are given network administrator privileges.
  • Page 121 In the following example, if a vty-pool is created with line template vty, users logging in through vty are given operator privileges:
    RP/0/RP0/CPU0:router# configure
    RP/0/RP0/CPU0:router(config)# aaa authen login vty-authen line
    RP/0/RP0/CPU0:router(config)# commit
    RP/0/RP0/CPU0:router(config)# line template vty
    RP/0/RP0/CPU0:router(config-line)# users group operator
    RP/0/RP0/CPU0:router(config-line)# login authentication
  • Page 123: Keychain Management Commands

    This module describes the commands used to configure keychain management. For detailed information about keychain management concepts, configuration tasks, and examples, see the Implementing Keychain Management chapter in the System Security Configuration Guide for Cisco NCS 5000 Series Routers.
    Note: Currently, only the default VRF is supported.
  • Page 124: Accept-Lifetime

    Key configuration
    Command History: Release 6.0: This command was introduced.
    Usage Guidelines: No specific guidelines impact the use of this command.
    Task ID: system. Operations: read, write
  • Page 125 Examples: The following example shows how to use the accept-lifetime command:
    RP/0/RP0/CPU0:router# configure
    RP/0/RP0/CPU0:router(config)# key chain isis-keys
    RP/0/RP0/CPU0:router(config-isis-keys)# key 8
    RP/0/RP0/CPU0:router(config-isis-keys-0x8)# accept-lifetime 1:00:00 June 29 2006 infinite
  • Page 126: Accept-Tolerance

    (for example, either prior to the start of the lifetime, or after the end of the lifetime).
    Task ID: system. Operations: read, write
    Examples: The following example shows how to use the accept-tolerance command:
    RP/0/RP0/CPU0:router# configure
    RP/0/RP0/CPU0:router(config)# key chain isis-keys
    RP/0/RP0/CPU0:router(config-isis-keys)# accept-tolerance infinite
  • Page 127: Cryptographic-Algorithm

    These protocols support the following cryptographic algorithms:
    • Border Gateway Protocol (BGP) supports only HMAC-MD5 and HMAC-SHA1-12.
    • Intermediate System-to-Intermediate System (IS-IS) supports only HMAC-MD5.
    • Open Shortest Path First (OSPF) supports only MD5.
  • Page 128 Task ID: system. Operations: read, write
    Examples: The following example shows how to use the cryptographic-algorithm command:
    RP/0/RP0/CPU0:router# configure
    RP/0/RP0/CPU0:router(config)# key chain isis-keys
    RP/0/RP0/CPU0:router(config-isis-keys)# key 8
    RP/0/RP0/CPU0:router(config-isis-keys-0x8)# cryptographic-algorithm HMAC-MD5
  • Page 129: Key (Key Chain)

    0 to 63. If the range is above the value of 63, the BGP keychain operation is rejected.
    Task ID: system. Operations: read, write
    Examples: The following example shows how to use the key command:
    RP/0/RP0/CPU0:router# configure
    RP/0/RP0/CPU0:router(config)# key chain isis-keys
    RP/0/RP0/CPU0:router(config-isis-keys)# key 8
    RP/0/RP0/CPU0:router(config-isis-keys-0x8)#
  • Page 130: Key Chain (Key Chain)

    Task ID: system. Operations: read, write
    Examples: The following example shows that the name of the keychain isis-keys is used for the key chain command:
    RP/0/RP0/CPU0:router# configure
    RP/0/RP0/CPU0:router(config)# key chain isis-keys
    RP/0/RP0/CPU0:router(config-isis-keys)#
  • Page 131: Key-String (Keychain)

    • The first two characters in the password string must be decimal numbers and the rest must be hexadecimals.
    • The first two digits must not be a number greater than 53.
    Either of the following examples would be valid encrypted passwords: 1234abcd 50aefd
  • Page 132 Task ID: system. Operations: read, write
    Examples: The following example shows how to use the key-string command:
    RP/0/RP0/CPU0:router# configure
    RP/0/RP0/CPU0:router(config)# key chain isis-keys
    RP/0/RP0/CPU0:router(config-isis-keys)# key 8
    RP/0/RP0/CPU0:router(config-isis-keys-0x8)# key-string password 850aefd
  • Page 133: Send-Lifetime

    No specific guidelines impact the use of this command.
    Task ID: system. Operations: read, write
    Examples: The following example shows how to use the send-lifetime command:
    RP/0/RP0/CPU0:router# configure
  • Page 134 RP/0/RP0/CPU0:router(config)# key chain isis-keys
    RP/0/RP0/CPU0:router(config-isis-keys)# key 8
    RP/0/RP0/CPU0:router(config-isis-keys-0x8)# send-lifetime 1:00:00 June 29 2006 infinite
  • Page 135: Show Key Chain

    Key 8 -- text "8"
    cryptographic-algorithm -- MD5
    Send lifetime: 01:00:00, 29 Jun 2006 - Always valid [Valid now]
    Accept lifetime: 01:00:00, 29 Jun 2006 - Always valid [Valid now]
  • Page 137: Management Plane Protection Commands

    This module describes the commands used to configure management plane protection (MPP). For detailed information about management plane protection concepts, configuration tasks, and examples, see the Implementing Management Plane Protection chapter in the System Security Configuration Guide for Cisco NCS 5000 Series Routers.
  • Page 138: Address Ipv4 (Mpp)

    Interface peer configuration
    Command History: Release 6.0.1: This command was introduced.
    Usage Guidelines: No specific guidelines impact the use of this command.
    Task ID: system. Operations: read, write
  • Page 139 The following example shows how to configure the peer IPv4 address 10.1.0.0, with a prefix of 16, for traffic management:
    RP/0/RP0/CPU0:router# configure
    RP/0/RP0/CPU0:router(config)# control-plane
    RP/0/RP0/CPU0:router(config-ctrl)# management-plane
    RP/0/RP0/CPU0:router(config-mpp)# inband
    RP/0/RP0/CPU0:router(config-mpp-inband)# interface all
    RP/0/RP0/CPU0:router(config-mpp-inbandoutband-all)# allow all peer
    RP/0/RP0/CPU0:router(config-telnettftp-peer)# address ipv4 10.1.0.0/16
  • Page 140: Address Ipv6 (Mpp)

    The following example shows how to configure the peer IPv6 address 33::33 for management traffic:
    RP/0/RP0/CPU0:router# configure
    RP/0/RP0/CPU0:router(config)# control-plane
    RP/0/RP0/CPU0:router(config-ctrl)# management-plane
    RP/0/RP0/CPU0:router(config-mpp)# inband
    RP/0/RP0/CPU0:router(config-mpp-outband)# interface GigabitEthernet 0/1/1/2
    RP/0/RP0/CPU0:router(config-mpp-outband-GigabitEthernet0_1_1_2)# allow TFTP peer
    RP/0/RP0/CPU0:router(config-tftp-peer)# address ipv6 33::33
  • Page 141: Allow

    The IOS XR XML API provides a programmatic interface to the router for use by external management applications. This interface provides a mechanism for router configuration and monitoring utilizing XML
  • Page 142 The following example shows how to configure MPP support on an XML peer in-band interface:
    RP/0/RP0/CPU0:router# configure
    RP/0/RP0/CPU0:router(config)# control-plane
    RP/0/RP0/CPU0:router(config-ctrl)# management-plane
    RP/0/RP0/CPU0:router(config-ctrl-mpp)# inband interface all allow xml peer address ipv4 172.10.10.1
  • Page 143: Control-Plane

    Use the control-plane command to enter control plane configuration mode.
    Task ID: system. Operations: read, write
    Examples: The following example shows how to enter control plane configuration mode using the control-plane command:
    RP/0/RP0/CPU0:router# configure
    RP/0/RP0/CPU0:router(config)# control-plane
    RP/0/RP0/CPU0:router(config-ctrl)#
  • Page 144: Inband

    Examples: The following example shows how to enter management plane protection inband configuration mode using the inband command:
    RP/0/RP0/CPU0:router# configure
    RP/0/RP0/CPU0:router(config)# control-plane
    RP/0/RP0/CPU0:router(config-ctrl)# management-plane
    RP/0/RP0/CPU0:router(config-mpp)# inband
    RP/0/RP0/CPU0:router(config-mpp-inband)#
  • Page 145: Interface (Mpp)

    Use the interface command to enter management plane protection inband interface configuration mode. For the instance argument, you cannot configure Management Ethernet interfaces as inband interfaces.
    Task ID: system. Operations: read, write
  • Page 146 Examples: The following example shows how to configure all inband interfaces for MPP:
    RP/0/RP0/CPU0:router# configure
    RP/0/RP0/CPU0:router(config)# control-plane
    RP/0/RP0/CPU0:router(config-ctrl)# management-plane
    RP/0/RP0/CPU0:router(config-mpp)# inband
    RP/0/RP0/CPU0:router(config-mpp-inband)# interface all
    RP/0/RP0/CPU0:router(config-mpp-inband-all)#
  • Page 147: Management-Plane

    Task ID: system. Operations: read, write
    Examples: The following example shows how to enter management plane protection configuration mode using the management-plane command:
    RP/0/RP0/CPU0:router# configure
    RP/0/RP0/CPU0:router(config)# control-plane
    RP/0/RP0/CPU0:router(config-ctrl)# management-plane
    RP/0/RP0/CPU0:router(config-mpp)#
  • Page 148: Show Mgmt-Plane

    Task ID: system. Operations: read
    Examples: The following sample output displays all the interfaces that are configured as inband under MPP:
    RP/0/RP0/CPU0:router# show mgmt-plane
    Management Plane Protection
    inband interfaces
  • Page 149 - All peers allowed
    telnet configured -
    peer v4 allowed - 10.1.0.0/16
    all configured - All peers allowed
    interface - TenGigabitEthernet0_1_1_0
    telnet configured -
    peer v4 allowed - 10.1.0.0/16
  • Page 151: Secure Shell Commands

    For detailed information about SSH concepts, configuration tasks, and examples, see the Implementing Secure Shell chapter in the System Security Configuration Guide for Cisco NCS 5000 Series Routers.
    Note: Currently, only the default VRF is supported. VPNv4, VPNv6 and VPN routing and forwarding (VRF) address families will be supported in a future release.
  • Page 152 Secure Shell Commands • ssh timeout, page 177
  • Page 153: Clear Ssh

    The clear ssh command is then used to terminate the incoming session with the ID number 0.
    RP/0/RP0/CPU0:router# show ssh
    SSH version: Cisco-2.0
    session location state userid host
    --------------------------------------------------------------------
    Incoming sessions
    vty0 0/33/1 SESSION_OPEN cisco 172.19.72.182
  • Page 154 Sftp-Subsystem
    vty7 0/RP0/CPU0 SESSION_OPEN cisco 12.22.22.57 password Command-Line-Interface
    0/RP0/CPU0 SESSION_OPEN 12.22.57.75 password Netconf-Subsystem
    vty3 0/RP0/CPU0 SESSION_OPEN 192.168.1.55 password Command-Line-Interface
    Outgoing sessions
    0/RP0/CPU0 SESSION_OPEN 192.168.1.51 password
    RP/0/RP0/CPU0:router# clear ssh 0
  • Page 155: Clear Netconf-Yang Agent Session

    The show netconf-yang clients command can be used to get the required session-id(s).
    Task ID: config-services. Operation: read, write
    Examples: This example shows how to use the clear netconf-yang agent session command:
    RP/0/RP0/CPU0:router(config)# clear netconf-yang agent session 32125
  • Page 156: Netconf-Yang Agent Ssh

    SSH is currently the supported transport method for Netconf.
    Task ID: config-services. Operation: read, write
    Examples: This example shows how to use the netconf-yang agent ssh command:
    RP/0/RP0/CPU0:router(config)# netconf-yang agent ssh
  • Page 157: Sftp

    If no username argument is provided, the login name on the router is used. If no hostname argument is provided, the file is considered local.
    Command Modes: XR EXEC mode
    Command History: Release 6.0: This command was introduced.
  • Page 158 2102657024 bytes total (1537638400 bytes free)
    In the following example, user admin is uploading the file v6copy from disk0: to disk0a:/v6back on a local SFTP server using an IPv6 address:
    RP/0/RP0/CPU0:router# sftp disk0:/V6copy admin@[2:2:2::2]:disk0a:/v6back
  • Page 159 Transferred 986 Bytes
    986 bytes copied in 0 sec (564000)bytes/sec
    RP/0/RP0/CPU0:router# dir disk0:/sampfile_back
    Directory of disk0:
    121765 -rwx Tue Oct 18 05:39:00 2011 sampfile_back
    524501272 bytes total (512507614 bytes free)
  • Page 160: Sftp (Interactive Mode)

    'non-acknowledged' or outstanding requests to the server, the server might buffer or queue these requests for convenience. Therefore, there might be a logical sequence to the order of requests. The following UNIX-based commands are supported in the interactive mode:
  • Page 161 In the following example, user admin is downloading and uploading a file from/to an external SFTP server using an IPv6 address:
    RP/0/RP0/CPU0:router# sftp admin@[2:2:2::2]
    Connecting to 2:2:2::2...
    Password:
    sftp> pwd
    Remote working directory: /
  • Page 162 /disk0:/frmRouterdownoad /auto/tftp-server1-users5/abc/frmRouter
    Transferred 1578 Bytes
    1578 bytes copied in 0 sec (27684)bytes/sec
    sftp> put /disk0:/frmRouterdownoad againtoServer
    /disk0:/frmRouterdownoad
    Transferred 1578 Bytes
    1578 bytes copied in 0 sec (14747)bytes/sec
    sftp>
  • Page 163: Show Netconf-Yang Clients

    15389| 1.1| 11:11:25| get-config|
    Table 9: Field descriptions
    Client session ID: Assigned session identifier
    NC version: Version of the Netconf client as advertised in the hello message
  • Page 164 Time elapsed since the client was connected
    Last OP time: Last operation time
    Last OP type: Last operation type
    Lock (yes or no): To check if the session holds a lock on the configuration datastore
  • Page 165: Show Netconf-Yang Statistics

    0ms| get-schema 0ms| 0ms| 0ms| 0ms| 0ms| 0ms| 0ms| 0ms|
    get-config 1ms| 1ms| 1ms| 1ms|
    edit-config 2ms| 0ms| 1ms| 0ms|
    commit 0ms| 0ms| 0ms| 0ms|
    cancel-commit 0ms| 0ms| 0ms| 0ms|
  • Page 166 Minimum processing time for a request of a given type
    Max time per request: Maximum processing time for a request of a given type
    Avg time per request: Average processing time for a request type
  • Page 167: Show Ssh

    SESSION_OPEN 12.22.57. password
    0/3/CPU0 SESSION_OPEN 12.22.57.75 keyboard-interactive
    The following output is applicable for the show ssh command starting with IOS-XR 6.0 releases and later.
    RP/0/RP0/CPU0:router# show ssh
    SSH version : Cisco-2.0
  • Page 168 Specifies if the connection type is SSHv1 or SSHv2.
    authentication: Specifies the type of authentication method chosen by the user.
    connection type: Specifies which application is performed over this connection (Command-Line-Interface, Remote-Command, Scp, Sftp-Subsystem, or Netconf-Subsystem)
  • Page 170: Show Ssh Session Details

    -------------------------------------------------------------------------------
    Incoming Session diffie-hellman ssh-dss 3des-cbc 3des-cbc hmac-md5 hmac-md5
    Outgoing connection diffie-hellman ssh-dss 3des-cbc 3des-cbc hmac-md5 hmac-md5
    This table describes the significant fields shown in the display.
  • Page 171 Encryption cipher chosen for the Rx traffic.
    outcipher: Encryption cipher chosen for the Tx traffic.
    inmac: Authentication (message digest) algorithm chosen for the Rx traffic.
    outmac: Authentication (message digest) algorithm chosen for the Tx traffic.
  • Page 172: Ssh

    (Optional) Specifies a remote command. Adding this keyword prompts the SSHv2 server to parse and execute the ssh command in non-interactive mode instead of initiating the interactive session.
  • Page 173 Task ID Operations: crypto execute; basic-services execute
    Examples: The following sample output is from the ssh command to enable an outbound SSH client connection:
    RP/0/RP0/CPU0:router# ssh vrf green username userabc
    Password:
    Remote-host>
  • Page 174: Ssh Client Knownhost

    Shell (SSH) implementations in the UNIX environment.
    Task ID: crypto. Operations: read, write
    Examples: The following sample output is from the ssh client knownhost command:
    RP/0/RP0/CPU0:router# configure
    RP/0/RP0/CPU0:router(config)# ssh client knownhost disk0:/ssh.knownhost
    RP/0/RP0/CPU0:router(config)# commit
  • Page 175 RP/0/RP0/CPU0:router# ssh host1 username user1234
    Host key not found from the list of known hosts.
    Are you sure you want to continue connecting (yes/no)? yes
    Password:
    RP/0/RP0/CPU0:host1# exit
    RP/0/RP0/CPU0:router# ssh host1 username user1234
  • Page 176: Ssh Client Source-Interface

    The system database (Sysdb) verifies that the interface specified in the command has a corresponding IP address (in the same family) configured.
    Task ID: crypto. Operations: read, write
  • Page 177 Examples: The following example shows how to set the IP address of the Management Ethernet interface for all outgoing SSH connections:
    RP/0/RP0/CPU0:router# configure
    RP/0/RP0/CPU0:router(config)# ssh client source-interface MgmtEth 0/RP0/CPU0/0
  • Page 178: Ssh Server

    175 command. To verify that the SSH server is up and running, use the show process sshd command.
    Task ID: crypto. Operations: read, write
  • Page 179 Examples: In the following example, the SSH server is brought up to receive connections for VRF "green":
    RP/0/RP0/CPU0:router# configure
    RP/0/RP0/CPU0:router(config)# ssh server vrf green
  • Page 180: Ssh Server Logging

    The second message confirms a successful login.
    Task ID: crypto. Operations: read, write
    Examples: The following example shows the initiation of SSH server logging:
    RP/0/RP0/CPU0:router# configure
    RP/0/RP0/CPU0:router(config)# ssh server logging
  • Page 181: Ssh Server Rate-Limit

    Operations: crypto read, write
    Examples: The following example shows how to set the limit of incoming SSH connection requests to 20 per minute:
    RP/0/RP0/CPU0:router# configure
    RP/0/RP0/CPU0:router(config)# ssh server rate-limit 20
  • Page 182: Ssh Server Session-Limit

    Task ID: crypto. Operations: read, write
    Examples: The following example shows how to set the limit of incoming SSH connections to 50:
    RP/0/RP0/CPU0:router# configure
    RP/0/RP0/CPU0:router(config)# ssh server session-limit 50
  • Page 183: Ssh Server V2

    Only SSHv2 client connections are allowed.
    Task ID: crypto. Operations: read, write
    Examples: The following example shows how to initiate the SSH server version to be only SSHv2:
    RP/0/RP0/CPU0:router# configure
    RP/0/RP0/CPU0:router(config)# ssh server v2
  • Page 184: Ssh Server Netconf

    No specific guidelines impact the use of this command.
    Task ID: crypto. Operation: read, write
    Examples: This example shows how to use the ssh server netconf port command:
    RP/0/RP0/CPU0:router(config)# ssh server netconf port 830
  • Page 185: Ssh Timeout

    Task ID: crypto. Operations: read, write
    Examples: In the following example, the timeout value for AAA user authentication is set to 60 seconds:
    RP/0/RP0/CPU0:router# configure
    RP/0/RP0/CPU0:router(config)# ssh timeout 60