Cisco IOS IPv6 Command Reference
IPv6 Commands: clear ipv6 mo to ct


clear ipv6 mobile binding

To clear the Mobile IPv6 binding cache on a router, use the clear ipv6 mobile binding command in privileged EXEC mode.

clear ipv6 mobile binding [care-of-address prefix | home-address prefix | interface-type interface-number]

Syntax Description

care-of-address

(Optional) Provides information about the mobile node's current location.

prefix

(Optional) IPv6 address prefix of the care-of address or the home address.

home-address

(Optional) IPv6 address assigned to the mobile node within its home subnet prefix on its home link.

interface-type interface-number

(Optional) Interface type and number.

Command Modes


Privileged EXEC

Command History

Release

Modification

12.3(14)T

This command was introduced.

Usage Guidelines

The clear ipv6 mobile binding command clears the binding caches for a specified mobile node (if specified) or all mobile nodes (if no arguments or keywords are specified).

The prefix argument can be a prefix for the care-of address or the home address of a mobile node, so that entire networks can be cleared. Enter /128 to clear an individual mobile node.

Use of this command with the interface-type and interface-number arguments clears all bindings on the specified interface.

Examples

In the following example, the binding caches for all mobile nodes are cleared:

Router# clear ipv6 mobile binding
Clear 1 bindings [confirm]
Router# show ipv6 mobile binding 
Mobile IPv6 Binding Cache Entries:
Selection matched 0 bindings

Related Commands

Command

Description

binding

Configures binding options for the Mobile IPv6 home agent feature in home agent configuration mode.

ipv6 mobile home-agent (global configuration)

Enters home agent configuration mode.

show ipv6 mobile binding

Displays information about the binding cache.

clear ipv6 mobile home-agents

To clear the neighboring home agents list, use the clear ipv6 mobile home-agents command in privileged EXEC mode.

clear ipv6 mobile home-agents [interface-type interface-number]

Syntax Description

interface-type interface-number

(Optional) Interface type and number.

Command Modes


Privileged EXEC

Command History

Release

Modification

12.3(14)T

This command was introduced.

Usage Guidelines

The clear ipv6 mobile home-agents command clears the neighboring home agents list. The list is subsequently reconstructed from received router advertisements.

If you do not enter the optional interface-type and interface-number arguments, the home agent lists on all interfaces are cleared.

Examples

In the following example, the neighboring home agent lists are cleared:

Router# clear ipv6 mobile home-agents

Related Commands

Command

Description

binding

Configures binding options for the Mobile IPv6 home agent feature in home agent configuration mode.

ipv6 mobile home-agent (global configuration)

Enters home agent configuration mode.

show ipv6 mobile home-agent

Displays neighboring home agents.

clear ipv6 mobile traffic

To clear statistics associated with Mobile IPv6 traffic, use the clear ipv6 mobile traffic command in privileged EXEC mode.

clear ipv6 mobile traffic

Syntax Description

This command has no arguments or keywords.

Command Modes


Privileged EXEC

Command History

Release

Modification

12.3(14)T

This command was introduced.

Usage Guidelines

The clear ipv6 mobile traffic command clears the statistics about the received binding updates and transmitted binding acknowledgments on a mobile node.

Examples

In the following example, statistics about binding updates and binding acknowledgments are cleared:

Router# clear ipv6 mobile traffic
 
Router# show ipv6 mobile traffic
MIPv6 statistics:
  Rcvd: 0 total
      0 truncated, 0 format errors
      0 checksum errors
    Binding Updates received:0
      0 no HA option, 0 BU's length
      0 options' length, 0 invalid CoA
  Sent: 0 generated
    Binding Acknowledgements sent:0
      0 accepted (0 prefix discovery required)
      0 reason unspecified, 0 admin prohibited
      0 insufficient resources, 0 home reg not supported
      0 not home subnet, 0 not home agent for node
      0 DAD failed, 0 sequence number
    Binding Errors sent:0
      0 no binding, 0 unknown MH
  Home Agent Traffic:
    0 registrations, 0 deregistrations
    unknown time since last accepted HA registration
    unknown time since last failed HA registration
    unknown last failed registration code
    Traffic forwarded:
      0 tunneled, 0 reversed tunneled
    Dynamic Home Agent Address Discovery:
      0 requests received, 0 replies sent
    Mobile Prefix Discovery:
      0 solicitations received, 0 advertisements sent

Related Commands

Command

Description

binding

Configures binding options for the Mobile IPv6 home agent feature in home agent configuration mode.

show ipv6 mobile home-agent

Displays neighboring home agents.

clear ipv6 mtu

To clear the maximum transmission unit (MTU) cache of messages, use the clear ipv6 mtu command in privileged EXEC mode.

clear ipv6 mtu

Syntax Description

This command has no arguments or keywords.

Command Default

Messages are not cleared from the MTU cache.

Command Modes


Privileged EXEC (#)

Command History

Release

Modification

Cisco IOS XE Release 2.6

This command was introduced.

Usage Guidelines

If a router is flooded with ICMPv6 toobig messages, the router is forced to create an unlimited number of entries in the MTU cache until all available memory is consumed. Use the clear ipv6 mtu command to clear messages from the MTU cache.

Examples

The following example clears the MTU cache of messages:

Router# clear ipv6 mtu

Related Commands

Command

Description

ipv6 flowset

Configures flow-label marking in 1280-byte or larger packets sent by the router.

clear ipv6 multicast aaa authorization

To clear authorization parameters that restrict user access to an IPv6 multicast network, use the clear ipv6 multicast aaa authorization command in privileged EXEC mode.

clear ipv6 multicast aaa authorization [interface-type interface-number]

Syntax Description

interface-type interface-number

Interface type and number. For more information, use the question mark (?) online help function.

Command Modes


Privileged EXEC

Command History

Release

Modification

12.4(4)T

This command was introduced.

Usage Guidelines

Using the clear ipv6 multicast aaa authorization command without the optional interface-type and interface-number arguments will clear all authorization parameters on a network.

Examples

The following example clears all configured authorization parameters on an IPv6 network:

Router# clear ipv6 multicast aaa authorization FastEthernet 1/0

Related Commands

Command

Description

aaa authorization multicast default

Sets parameters that restrict user access to an IPv6 multicast network.

clear ipv6 nat translation

To clear dynamic Network Address Translation-Protocol Translation (NAT-PT) translations from the dynamic state table, use the clear ipv6 nat translation command in privileged EXEC mode.

clear ipv6 nat translation *

Syntax Description

*

Clears all dynamic NAT-PT translations.

Command Default

Entries are deleted from the dynamic translation state table when they time out.

Command Modes


Privileged EXEC

Command History

Release

Modification

12.2(13)T

This command was introduced.

Usage Guidelines

Use this command to clear entries from the dynamic translation state table before they time out. Static translation configuration is not affected by this command.

Examples

The following example shows the NAT-PT entries before and after the dynamic translation state table is cleared. Note that all the dynamic NAT-PT mappings are cleared, but the static NAT-PT configurations remain.

Router# show ipv6 nat translations
Prot  IPv4 source              IPv6 source 
      IPv4 destination         IPv6 destination 
---   ---                      --- 
      192.168.123.2            2001::2 
---   ---                      --- 
      192.168.122.10           2001::10 
tcp   192.168.124.8,11047      3002::8,11047 
      192.168.123.2,23         2001::2,23 
udp   192.168.124.8,52922      3002::8,52922 
      192.168.123.2,69         2001::2,69
Router# clear ipv6 nat translation *
Router# show ipv6 nat translations
Prot  IPv4 source              IPv6 source 
      IPv4 destination         IPv6 destination 
---   ---                      --- 
      192.168.123.2            2001::2 
---   ---                      --- 
      192.168.122.10           2001::10 
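
The before-and-after comparison above can be checked mechanically. The following Python sketch is an added example, not part of the Cisco reference: it parses the two-line-per-entry layout of show ipv6 nat translations and confirms that only dynamic entries disappeared. It assumes, from the sample output above, that an entry whose Prot column is --- is a static mapping; the function and field names are this example's own.

```python
from dataclasses import dataclass

# Both samples are copied from the example output above.
SAMPLE_BEFORE = """\
Prot  IPv4 source              IPv6 source
      IPv4 destination         IPv6 destination
---   ---                      ---
      192.168.123.2            2001::2
---   ---                      ---
      192.168.122.10           2001::10
tcp   192.168.124.8,11047      3002::8,11047
      192.168.123.2,23         2001::2,23
udp   192.168.124.8,52922      3002::8,52922
      192.168.123.2,69         2001::2,69
"""

SAMPLE_AFTER = """\
Prot  IPv4 source              IPv6 source
      IPv4 destination         IPv6 destination
---   ---                      ---
      192.168.123.2            2001::2
---   ---                      ---
      192.168.122.10           2001::10
"""


@dataclass(frozen=True)
class Translation:
    prot: str
    v4_src: str
    v6_src: str
    v4_dst: str
    v6_dst: str

    @property
    def is_static(self):
        # Assumption drawn from the sample output: static mappings show
        # "---" in the Prot column and survive the clear.
        return self.prot == "---"


def parse_translations(text):
    """Parse `show ipv6 nat translations` output into Translation records."""
    entries = []
    pending = None  # source line of an entry still waiting for its destination line
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith("Prot") or raw.lstrip().startswith("IPv4 destination"):
            continue  # the two header lines
        fields = raw.split()
        if not raw[0].isspace():
            # First line of an entry: protocol plus the two source columns.
            if pending is not None or len(fields) != 3:
                raise ValueError(f"unexpected source line: {raw!r}")
            pending = fields
        else:
            # Indented second line: the two destination columns.
            if pending is None or len(fields) != 2:
                raise ValueError(f"unexpected destination line: {raw!r}")
            entries.append(Translation(*pending, *fields))
            pending = None
    if pending is not None:
        raise ValueError("output ends in the middle of an entry")
    return entries


def expected_after_clear(entries):
    """Entries that should remain after `clear ipv6 nat translation *`."""
    return [e for e in entries if e.is_static]


def verify_clear(before_text, after_text):
    """Compare two captures taken around the clear and report the differences."""
    before = parse_translations(before_text)
    after = parse_translations(after_text)
    return {
        # Dynamic entries that were present before and are gone now.
        "cleared": [e for e in before if not e.is_static and e not in after],
        # Static entries that vanished; the page says this must not happen.
        "lost_static": [e for e in before if e.is_static and e not in after],
        # Dynamic entries in the second capture (not cleared, or re-created by live traffic).
        "still_dynamic": [e for e in after if not e.is_static],
    }


if __name__ == "__main__":
    report = verify_clear(SAMPLE_BEFORE, SAMPLE_AFTER)
    for name, items in report.items():
        print(name, [(e.prot, e.v4_src, e.v6_src) for e in items])
```

A non-empty lost_static list means a configured mapping disappeared and the static NAT-PT configuration should be reviewed.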

Related Commands

Command

Description

ipv6 nat

Designates that traffic originating from or destined for the interface is subject to NAT-PT.

show ipv6 nat translations

Displays active NAT-PT translations.

clear ipv6 neighbors

To delete all entries in the IPv6 neighbor discovery cache, except static entries, use the clear ipv6 neighbors command in privileged EXEC mode.

Syntax for Releases 15.0(1)M, 12.2(33)SXH, and 12.2(33)SRC, and Later Releases

clear ipv6 neighbors [interface type number [ipv6 ipv6-address] | statistics | vrf table-name [ipv6-address | statistics]]

Syntax for Release Cisco IOS XE Release 2.1 and Later Releases

clear ipv6 neighbors

Syntax Description

interface type number

(Optional) Clears the IPv6 neighbor discovery cache in the specified interface.

ipv6 ipv6-address

(Optional) Clears the IPv6 neighbor discovery cache that matches the specified IPv6 address on the specified interface.

statistics

(Optional) Clears the IPv6 neighbor discovery entry cache.

vrf

(Optional) Clears entries for a virtual private network (VPN) routing or forwarding instance.

table-name

(Optional) Table name or identifier. The value range is from 0x0 to 0xFFFFFFFF (0 to 65535 in decimal).

Command Modes


Privileged EXEC (#)

Command History

Release

Modification

12.2(2)T

This command was introduced.

12.0(21)ST

This command was integrated into Cisco IOS Release 12.0(21)ST.

12.0(22)S

This command was integrated into Cisco IOS Release 12.0(22)S.

12.2(14)S

This command was integrated into Cisco IOS Release 12.2(14)S.

12.2(28)SB

This command was integrated into Cisco IOS Release 12.2(28)SB.

12.2(25)SG

This command was integrated into Cisco IOS Release 12.2(25)SG.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2(33)SXH

This command was integrated into Cisco IOS Release 12.2(33)SXH.

15.0(1)M

This command was modified in a release earlier than Cisco IOS Release 15.0(1)M. The vrf keyword and table-name argument were added.

12.2(33)SRC

This command was integrated into a release earlier than Cisco IOS Release 12.2(33)SRC.

Cisco IOS XE Release 2.1

This command was implemented on the Cisco ASR 1000 Series Aggregation Services Routers.

Examples

The following example deletes all entries, except static entries, in the neighbor discovery cache:

Router# clear ipv6 neighbors

The following example clears all IPv6 neighbor discovery cache entries, except static entries, on Ethernet interface 0/0:

Router# clear ipv6 neighbors interface Ethernet 0/0 

The following example clears a neighbor discovery cache entry for 2001:0DB8:1::1 on Ethernet interface 0/0:

Router# clear ipv6 neighbors interface Ethernet0/0 ipv6 2001:0DB8:1::1

Related Commands

Command

Description

ipv6 neighbor

Configures a static entry in the IPv6 neighbor discovery cache.

show ipv6 neighbors

Displays IPv6 neighbor discovery cache information.

clear ipv6 nhrp

To clear all dynamic entries from the Next Hop Resolution Protocol (NHRP) cache, use the clear ipv6 nhrp command in privileged EXEC mode.

clear ipv6 nhrp [ipv6-address | counters]

Syntax Description

ipv6-address

(Optional) The IPv6 network to delete.

counters

(Optional) Specifies NHRP counters to delete.

Command Modes


Privileged EXEC

Command History

Release

Modification

12.4(20)T

This command was introduced.

Usage Guidelines

This command does not clear any static (configured) IPv6-to-nonbroadcast multiaccess (NBMA) address mappings from the NHRP cache.

Examples

The following example shows how to clear all dynamic entries from the NHRP cache for the interface:

Router# clear ipv6 nhrp 

Related Commands

Command

Description

show ipv6 nhrp

Displays the NHRP cache.

clear ipv6 ospf

To clear the Open Shortest Path First (OSPF) state based on the OSPF routing process ID, use the clear ipv6 ospf command in privileged EXEC mode.

clear ipv6 ospf [process-id] {process | force-spf | redistribution}

Syntax Description

process-id

(Optional) Internal identification. It is locally assigned and can be any positive integer. The number used here is the number assigned administratively when enabling the OSPF routing process.

process

Restarts the OSPF process.

force-spf

Starts the shortest path first (SPF) algorithm without first clearing the OSPF database.

redistribution

Clears OSPF route redistribution.

Command Modes


Privileged EXEC

Command History

Release

Modification

12.0(24)S

This command was introduced.

12.2(15)T

This command was integrated into Cisco IOS Release 12.2(15)T.

12.2(18)S

This command was integrated into Cisco IOS Release 12.2(18)S.

12.2(28)SB

This command was integrated into Cisco IOS Release 12.2(28)SB.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2(33)SXH

This command was integrated into Cisco IOS Release 12.2(33)SXH.

Cisco IOS XE Release 2.1

This command was integrated into Cisco IOS XE Release 2.1.

15.0(1)M

This command was integrated into Cisco IOS Release 12.5(1)M.

Usage Guidelines

When the process keyword is used with the clear ipv6 ospf command, the OSPF database is cleared and repopulated, and then the shortest path first (SPF) algorithm is performed. When the force-spf keyword is used with the clear ipv6 ospf command, the OSPF database is not cleared before the SPF algorithm is performed.

Use the process-id option to clear only one OSPF process. If the process-id option is not specified, all OSPF processes are cleared.

Examples

The following example starts the SPF algorithm without clearing the OSPF database:

Router# clear ipv6 ospf force-spf

clear ipv6 ospf counters

To clear the Open Shortest Path First (OSPF) state based on the OSPF routing process ID, use the clear ipv6 ospf command in privileged EXEC mode.

clear ipv6 ospf [process-id] counters [neighbor [neighbor-interface | neighbor-id]]

Syntax Description

process-id

(Optional) Internal identification. It is locally assigned and can be any positive integer. The number used here is the number assigned administratively when enabling the OSPF routing process.

neighbor

(Optional) Neighbor statistics per interface or neighbor ID.

neighbor-interface

(Optional) Neighbor interface.

neighbor-id

(Optional) IPv6 or IP address of the neighbor.

Command Modes


Privileged EXEC

Command History

Release

Modification

12.0(24)S

This command was introduced.

12.2(15)T

This command was integrated into Cisco IOS Release 12.2(15)T.

12.2(18)S

This command was integrated into Cisco IOS Release 12.2(18)S.

12.2(28)SB

This command was integrated into Cisco IOS Release 12.2(28)SB.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2(33)SXH

This command was integrated into Cisco IOS Release 12.2(33)SXH.

Usage Guidelines

Use the neighbor neighbor-interface option to clear counters for all neighbors on a specified interface. If the neighbor neighbor-interface option is not used, all OSPF counters are cleared.

Use the neighbor neighbor-id option to clear counters at a specified neighbor. If the neighbor neighbor-id option is not used, all OSPF counters are cleared.

Examples

The following example provides detailed information on a neighbor router:

Router# show ipv6 ospf neighbor detail
 Neighbor 10.0.0.1
    In the area 1 via interface Serial19/0
    Neighbor:interface-id 21, link-local address FE80::A8BB:CCFF:FE00:6F00
    Neighbor priority is 1, State is FULL, 6 state changes
    Options is 0x194AE05
    Dead timer due in 00:00:37
    Neighbor is up for 00:00:15
    Index 1/1/1, retransmission queue length 0, number of retransmission 1
    First 0x0(0)/0x0(0)/0x0(0) Next 0x0(0)/0x0(0)/0x0(0)
    Last retransmission scan length is 1, maximum is 1
    Last retransmission scan time is 0 msec, maximum is 0 msec

The following example clears all neighbors on the specified interface:

Router# clear ipv6 ospf counters neighbor s19/0

The following example now shows that there have been 0 state changes since the clear ipv6 ospf counters neighbor s19/0 command was used:

Router# show ipv6 ospf neighbor detail
 Neighbor 10.0.0.1
    In the area 1 via interface Serial19/0
    Neighbor:interface-id 21, link-local address FE80::A8BB:CCFF:FE00:6F00
    Neighbor priority is 1, State is FULL, 0 state changes
    Options is 0x194AE05
    Dead timer due in 00:00:39
    Neighbor is up for 00:00:43
    Index 1/1/1, retransmission queue length 0, number of retransmission 1
    First 0x0(0)/0x0(0)/0x0(0) Next 0x0(0)/0x0(0)/0x0(0)
    Last retransmission scan length is 1, maximum is 1
    Last retransmission scan time is 0 msec, maximum is 0 msec

Related Commands

Command

Description

show ipv6 ospf neighbor

Displays OSPF neighbor information on a per-interface basis.

clear ipv6 ospf events

To clear the Open Shortest Path First (OSPF) for IPv6 event log content based on the OSPF routing process ID, use the clear ipv6 ospf events command in privileged EXEC mode.

clear ipv6 ospf [process-id] events

Syntax Description

process-id

(Optional) Internal identification. It is locally assigned and can be any positive integer. The number used here is the number assigned administratively when enabling the OSPF routing process.

Command Modes


Privileged EXEC

Command History

Release

Modification

12.2(33)SRC

This command was introduced.

12.2(33)SB

This command was integrated into Cisco IOS Release 12.2(33)SB.

Cisco IOS XE Release 2.1

This command was introduced on Cisco ASR 1000 series routers.

12.2(33)XNE

This command was modified. It was integrated into Cisco IOS Release 12.2(33)XNE.

Usage Guidelines

Use the optional process-id argument to clear the IPv6 event log content of a specified OSPF routing process. If the process-id argument is not used, all event log content is cleared.

Examples

The following example enables the clearing of OSPF for IPv6 event log content for routing process 1:

Router# clear ipv6 ospf 1 events

clear ipv6 pim counters

To reset the Protocol Independent Multicast (PIM) traffic counters, use the clear ipv6 pim counters command in privileged EXEC mode.

clear ipv6 pim counters

Syntax Description

This command has no arguments or keywords.

Command Modes


Privileged EXEC

Command History

Release

Modification

12.0(26)S

This command was introduced.

12.2(18)S

This command was integrated into Cisco IOS Release 12.2(18)S.

12.3(4)T

This command was integrated into Cisco IOS Release 12.3(4)T.

12.2(28)SB

This command was integrated into Cisco IOS Release 12.2(28)SB.

12.2(25)SG

This command was integrated into Cisco IOS Release 12.2(25)SG.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2(33)SXH

This command was integrated into Cisco IOS Release 12.2(33)SXH.

Cisco IOS XE Release 2.1

This command was introduced on Cisco ASR 1000 Series Routers.

Usage Guidelines

Using the clear ipv6 pim counters command will reset all PIM traffic counters.

Examples

The following example resets the PIM traffic counters:

Router# clear ipv6 pim counters

Related Commands

Command

Description

show ipv6 pim traffic

Displays the PIM traffic counters.

clear ipv6 pim limit

To clear Protocol Independent Multicast (PIM) statistics, use the clear ipv6 pim limit command in privileged EXEC mode.

clear ipv6 pim [vrf vrf-name] limit [interface]

Syntax Description

vrf vrf-name

(Optional) Specifies a virtual routing and forwarding (VRF) configuration.

interface

(Optional) Specific interface for which statistics will be cleared.

Command Modes


Privileged EXEC (#)

Command History

Release

Modification

12.2(33)SRE

This command was introduced.

15.1(4)M

The vrf vrf-name keyword and argument were added.

Usage Guidelines

The clear ipv6 pim limit command clears IPv6 PIM interface statistics. If the optional interface argument is enabled, only statistics for the specified interface are cleared.

Examples

The following example clears PIM interface limit statistics:

Router# clear ipv6 pim limit

Related Commands

Command

Description

ipv6 multicast limit

Configures per-interface mroute state limiters in IPv6.

ipv6 multicast limit cost

Applies a cost to mroutes that match per interface mroute state limiters in IPv6.

clear ipv6 pim reset

To delete all entries from the topology table and reset the Multicast Routing Information Base (MRIB) connection, use the clear ipv6 pim reset command in privileged EXEC mode.

clear ipv6 pim [vrf vrf-name] reset

Syntax Description

vrf vrf-name

(Optional) Specifies a virtual routing and forwarding (VRF) configuration.

Command Modes


Privileged EXEC

Command History

Release

Modification

12.3(2)T

This command was introduced.

12.2(18)S

This command was integrated into Cisco IOS Release 12.2(18)S.

12.0(26)S

This command was integrated into Cisco IOS Release 12.0(26)S.

12.2(28)SB

This command was integrated into Cisco IOS Release 12.2(28)SB.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2(33)SXH

This command was integrated into Cisco IOS Release 12.2(33)SXH.

15.1(4)M

The vrf vrf-name keyword and argument were added.

Usage Guidelines

Using the clear ipv6 pim reset command breaks the PIM-MRIB connection, clears the topology table, and then reestablishes the PIM-MRIB connection. This procedure forces MRIB resynchronization.


Caution


Use the clear ipv6 pim reset command with caution, as it clears all PIM protocol information from the PIM topology table. Use of the clear ipv6 pim reset command should be reserved for situations where PIM and MRIB communication are malfunctioning.


Examples

The following example deletes all entries from the topology table and resets the MRIB connection:

Router# clear ipv6 pim reset

clear ipv6 pim topology

To clear the Protocol Independent Multicast (PIM) topology table, use the clear ipv6 pim topology command in privileged EXEC mode.

clear ipv6 pim [vrf vrf-name] topology [group-name | group-address]

Syntax Description

vrf vrf-name

(Optional) Specifies a virtual routing and forwarding (VRF) configuration.

group-name | group-address

(Optional) IPv6 address or name of the multicast group.

Command Default

When the command is used with no arguments, all group entries located in the PIM topology table are cleared of PIM protocol information.

Command Modes


Privileged EXEC

Command History

Release

Modification

12.3(2)T

This command was introduced.

12.2(18)S

This command was integrated into Cisco IOS Release 12.2(18)S.

12.0(26)S

This command was integrated into Cisco IOS Release 12.0(26)S.

12.2(28)SB

This command was integrated into Cisco IOS Release 12.2(28)SB.

12.2(25)SG

This command was integrated into Cisco IOS Release 12.2(25)SG.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2(33)SXH

This command was integrated into Cisco IOS Release 12.2(33)SXH.

Cisco IOS XE Release 2.1

This command was introduced on Cisco ASR 1000 Series Routers.

15.1(4)M

The vrf vrf-name keyword and argument were added.

Usage Guidelines

This command clears PIM protocol information from all group entries located in the PIM topology table. Information obtained from the MRIB table is retained. If a multicast group is specified, only those group entries are cleared.

Examples

The following example clears all group entries located in the PIM topology table:

Router# clear ipv6 pim topology

clear ipv6 pim traffic

To clear the Protocol Independent Multicast (PIM) traffic counters, use the clear ipv6 pim traffic command in privileged EXEC mode.

clear ipv6 pim [vrf vrf-name] traffic

Syntax Description

vrf vrf-name

(Optional) Specifies a virtual routing and forwarding (VRF) configuration.

Command Default

When the command is used with no arguments, all traffic counters are cleared.

Command Modes


Privileged EXEC

Command History

Release

Modification

15.1(4)M

This command was introduced.

Usage Guidelines

This command clears PIM traffic counters. If the vrf vrf-name keyword and argument are used, only those counters are cleared.

Examples

The following example clears all PIM traffic counters:

Router# clear ipv6 pim traffic

clear ipv6 prefix-list

To reset the hit count of the IPv6 prefix list entries, use the clear ipv6 prefix-list command in privileged EXEC mode.

clear ipv6 prefix-list [prefix-list-name] [ipv6-prefix/prefix-length]

Syntax Description

prefix-list-name

(Optional) The name of the prefix list from which the hit count is to be cleared.

ipv6-prefix

(Optional) The IPv6 network from which the hit count is to be cleared.

This argument must be in the form documented in RFC 2373 where the address is specified in hexadecimal using 16-bit values between colons.

/ prefix-length

(Optional) The length of the IPv6 prefix. A decimal value that indicates how many of the high-order contiguous bits of the address comprise the prefix (the network portion of the address). A slash mark must precede the decimal value.

Command Default

The hit count is automatically cleared for all IPv6 prefix lists.

Command Modes


Privileged EXEC

Command History

Release

Modification

12.2(2)T

This command was introduced.

12.0(21)ST

This command was integrated into Cisco IOS Release 12.0(21)ST.

12.0(22)S

This command was integrated into Cisco IOS Release 12.0(22)S.

12.2(14)S

This command was integrated into Cisco IOS Release 12.2(14)S.

12.2(28)SB

This command was integrated into Cisco IOS Release 12.2(28)SB.

12.2(25)SG

This command was integrated into Cisco IOS Release 12.2(25)SG.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2(33)SXH

This command was integrated into Cisco IOS Release 12.2(33)SXH.

Cisco IOS XE Release 2.1

This command was introduced on Cisco ASR 1000 Series Routers.

Usage Guidelines

The clear ipv6 prefix-list command is similar to the clear ip prefix-list command, except that it is IPv6-specific.

The hit count is a value indicating the number of matches to a specific prefix list entry.

Examples

The following example clears the hit count from the prefix list entries for the prefix list named first_list that match the network mask 2001:0DB8::/35.

Router# clear ipv6 prefix-list first_list 2001:0DB8::/35

Related Commands

Command

Description

ipv6 prefix-list

Creates an entry in an IPv6 prefix list.

ipv6 prefix-list sequence-number

Enables the generation of sequence numbers for entries in an IPv6 prefix list.

show ipv6 prefix-list

Displays information about an IPv6 prefix list or prefix list entries.

clear ipv6 rip

To delete routes from the IPv6 Routing Information Protocol (RIP) routing table, use the clear ipv6 rip command in privileged EXEC mode.

clear ipv6 rip [name]

Syntax Description

name

(Optional) Name of an IPv6 RIP process.

Command Modes


Privileged EXEC

Command History

Release

Modification

12.0(22)S

This command was introduced.

12.2(13)T

This command was integrated into Cisco IOS Release 12.2(13)T.

12.2(14)S

This command was integrated into Cisco IOS Release 12.2(14)S.

12.2(28)SB

This command was integrated into Cisco IOS Release 12.2(28)SB.

12.2(25)SG

This command was integrated into Cisco IOS Release 12.2(25)SG.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2(33)SXH

This command was integrated into Cisco IOS Release 12.2(33)SXH.

Usage Guidelines

When the name argument is specified, only routes for that process are deleted from the IPv6 RIP routing table and, if installed, from the IPv6 routing table. If no name argument is specified, all IPv6 RIP routes are deleted.

Use the show ipv6 rip command to display IPv6 RIP routes.

Examples

The following example deletes all the IPv6 routes for the RIP process called one:

Router# clear ipv6 rip one

Related Commands

Command

Description

show ipv6 rip

Displays the current contents of the IPv6 RIP routing table.

clear ipv6 route

To delete routes from the IPv6 routing table, use the clear ipv6 route command in privileged EXEC mode.

clear ipv6 route {ipv6-address | ipv6-prefix/prefix-length | *}

Syntax Description

ipv6-address

The address of the IPv6 network to delete from the table.

This argument must be in the form documented in RFC 2373 where the address is specified in hexadecimal using 16-bit values between colons.

ipv6-prefix

The IPv6 network number to delete from the table.

This argument must be in the form documented in RFC 2373 where the address is specified in hexadecimal using 16-bit values between colons.

/ prefix-length

The length of the IPv6 prefix. A decimal value that indicates how many of the high-order contiguous bits of the address comprise the prefix (the network portion of the address). A slash mark must precede the decimal value.

*

Clears all IPv6 routes.

Command Modes


Privileged EXEC

Command History

Release

Modification

12.2(2)T

This command was introduced.

12.0(21)ST

This command was integrated into Cisco IOS Release 12.0(21)ST.

12.0(22)S

This command was integrated into Cisco IOS Release 12.0(22)S.

12.2(14)S

This command was integrated into Cisco IOS Release 12.2(14)S.

12.2(28)SB

This command was integrated into Cisco IOS Release 12.2(28)SB.

12.2(25)SG

This command was integrated into Cisco IOS Release 12.2(25)SG.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2(33)SXH

This command was integrated into Cisco IOS Release 12.2(33)SXH.

Usage Guidelines

The clear ipv6 route command is similar to the clear ip route command, except that it is IPv6-specific.

When the ipv6-address or ipv6-prefix/prefix-length argument is specified, only that route is deleted from the IPv6 routing table. When the * keyword is specified, all routes are deleted from the routing table (the per-destination maximum transmission unit [MTU] cache is also cleared).

Examples

The following example deletes the IPv6 network 2001:0DB8::/35:

Router# clear ipv6 route 2001:0DB8::/35

Related Commands

Command

Description

ipv6 route

Establishes static IPv6 routes.

show ipv6 route

Displays the current contents of the IPv6 routing table.

clear ipv6 snooping counters

To remove counter entries, use the clear ipv6 snooping counters command in privileged EXEC mode.

clear ipv6 snooping counters [interface type number]

Syntax Description

interface type number

(Optional) Clears the counter of entries that match the specified interface type and number.

Command Modes


Privileged EXEC (#)

Command History

Release

Modification

12.2(50)SY

This command was introduced.

Usage Guidelines

The clear ipv6 snooping counters command removes counters from all the configured interfaces. You can use the optional interface type number keyword and argument to remove counters from the specified interface.

Examples

The following example shows how to remove entries from the counter:

Router# clear ipv6 snooping counters

clear ipv6 spd

To clear the most recent Selective Packet Discard (SPD) state transition, use the clear ipv6 spd command in privileged EXEC mode.

clear ipv6 spd

Syntax Description

This command has no arguments or keywords.

Command Modes


Privileged EXEC (#)

Command History

Release

Modification

15.1(3)T

This command was introduced.

Usage Guidelines

The clear ipv6 spd command removes the most recent SPD state transition and any trend historical data.

Examples

The following example shows how to clear the most recent SPD state transition:

Router# clear ipv6 spd

clear ipv6 traffic

To reset IPv6 traffic counters, use the clear ipv6 traffic command in privileged EXEC mode.

clear ipv6 traffic [interface-type interface-number]

Syntax Description

interface-type interface-number

Interface type and number. For more information, use the question mark (?) online help function.

Command Modes


Privileged EXEC

Command History

Release

Modification

12.2(2)T

This command was introduced.

12.0(21)ST

This command was integrated into Cisco IOS Release 12.0(21)ST.

12.0(22)S

This command was integrated into Cisco IOS Release 12.0(22)S and output fields were added.

12.2(13)T

The modification to add output fields was integrated into this release.

12.2(14)S

This command was integrated into Cisco IOS Release 12.2(14)S.

12.2(28)SB

This command was integrated into Cisco IOS Release 12.2(28)SB.

12.2(25)SG

This command was integrated into Cisco IOS Release 12.2(25)SG.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2(33)SXH

This command was integrated into Cisco IOS Release 12.2(33)SXH.

12.2(33)XN

The optional interface-type and interface-number arguments were added.

Usage Guidelines

Using this command resets the counters in the output from the show ipv6 traffic command.

Examples

The following example resets the IPv6 traffic counters. The output from the show ipv6 traffic command shows that the counters are reset:

Router# clear ipv6 traffic
Router# show ipv6 traffic
IPv6 statistics:
  Rcvd:  1 total, 1 local destination
         0 source-routed, 0 truncated
         0 format errors, 0 hop count exceeded
         0 bad header, 0 unknown option, 0 bad source
         0 unknown protocol, 0 not a router
         0 fragments, 0 total reassembled
         0 reassembly timeouts, 0 reassembly failures
  Sent:  1 generated, 0 forwarded
         0 fragmented into 0 fragments, 0 failed
         0 encapsulation failed, 0 no route, 0 too big
  Mcast: 0 received, 0 sent
ICMP statistics:
  Rcvd: 1 input, 0 checksum errors, 0 too short
        0 unknown info type, 0 unknown error type
        unreach: 0 routing, 0 admin, 0 neighbor, 0 address, 0 port
        parameter: 0 error, 0 header, 0 option
        0 hopcount expired, 0 reassembly timeout,0 too big
        0 echo request, 0 echo reply
        0 group query, 0 group report, 0 group reduce
        0 router solicit, 0 router advert, 0 redirects
        0 neighbor solicit, 1 neighbor advert
Sent: 1 output
        unreach: 0 routing, 0 admin, 0 neighbor, 0 address, 0 port
        parameter: 0 error, 0 header, 0 option
        0 hopcount expired, 0 reassembly timeout,0 too big
        0 echo request, 0 echo reply
        0 group query, 0 group report, 0 group reduce
        0 router solicit, 0 router advert, 0 redirects
        0 neighbor solicit, 1 neighbor advert
UDP statistics:
  Rcvd: 0 input, 0 checksum errors, 0 length errors
        0 no port, 0 dropped
  Sent: 0 output
TCP statistics:
  Rcvd: 0 input, 0 checksum errors
  Sent: 0 output, 0 retransmitted

Related Commands

Command

Description

show ipv6 traffic

Displays IPv6 traffic statistics.

clear ipv6 wccp

To remove IPv6 Web Cache Communication Protocol (WCCP) statistics (counts) maintained on the router for a particular service, use the clear ipv6 wccp command in privileged EXEC mode.

clear ipv6 wccp vrf vrf-name service-number web-cache default

Syntax Description

vrf vrf-name

(Optional) Directs the router to remove statistics for a specific virtual routing and forwarding (VRF) instance.

service-number

(Optional) Number of the cache service to be removed. The number can be from 0 to 254.

web-cache

(Optional) Directs the router to remove statistics for the web cache service.

default

(Optional) Directs the router to remove statistics for the default routing table.

Command Default

WCCP statistics are not removed.

Command Modes

Privileged EXEC (#)

Command History

Release

Modification

15.2(3)T

This command was introduced.

Usage Guidelines

Use the show ipv6 wccp and show ipv6 wccp detail commands to display WCCP statistics. If Cisco Cache Engines are used in your service group, the reverse proxy service is indicated by a value of 99.

Use the clear ipv6 wccp command to clear the WCCP counters for all WCCP services in all VRFs.

Examples

The following example shows how to clear all statistics associated with the web cache service:

Router# clear ipv6 wccp web-cache

Related Commands

Command

Description

ipv6 wccp

Enables support of the specified WCCP service for participation in a service group.

show ipv6 wccp

Displays global statistics related to the WCCP.

clear mls cef ipv6 accounting per-prefix

To clear information about the IPv6 per-prefix accounting statistics, use the clear mls cef ipv6 accounting per-prefix command in privileged EXEC mode.

clear mls cef ipv6 accounting per-prefix {all | ipv6-address/mask [instance] }

Syntax Description

all

Clears all per-prefix accounting statistics information.

ipv6-address / mask

Entry IPv6 address and mask. The format used is X:X:X:X::X/mask, where the valid values for mask are from 0 to 128.

instance

(Optional) VPN routing and forwarding instance name.

Command Default

This command has no default settings.

Command Modes


Privileged EXEC

Command History

Release

Modification

12.2(17a)SX

This command was introduced on the Supervisor Engine 720.

12.2(17d)SXB

Support for this command on the Supervisor Engine 2 was extended to Release 12.2(17d)SXB.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

Usage Guidelines

When entering the ipv6-address/mask arguments, use the format X:X:X:X::X/mask, where the valid values for mask are from 0 to 128.

Examples

This example shows how to clear all information about the per-prefix accounting statistics:

Router# clear mls cef ipv6 accounting per-prefix all

clear ospfv3 counters

To clear Open Shortest Path First version 3 (OSPFv3) counters, use the clear ospfv3 counters command in privileged EXEC mode.

clear ospfv3 [process-id] [address-family] [vrf {vrf-name | *}] counters [neighbor [neighbor-interface | neighbor-id]]

Syntax Description

process-id

(Optional) Internal identification. The number used here is the number assigned administratively when enabling the OSPFv3 routing process and can be a value from 1 through 65535.

address-family

(Optional) Enter ipv6 for the IPv6 address family or ipv4 for the IPv4 address family.

vrf

(Optional) VPN Routing/Forwarding instance.

{vrf-name | *}

The virtual routing and forwarding table for which the information should be displayed. If this parameter is not specified, only information for the global routing table is shown. A VRF name of "*" displays information for all VRFs, including the global table.

neighbor

(Optional) Neighbor statistics per interface or neighbor ID.

neighbor-interface

(Optional) Specified neighbor interface.

neighbor-id

(Optional) IPv6 or IPv4 address of the neighbor.

Command Modes


Privileged EXEC

Command History

Release

Modification

15.1(3)S

This command was introduced.

Cisco IOS XE Release 3.4S

This command was integrated into Cisco IOS XE Release 3.4S.

15.2(1)T

This command was integrated into Cisco IOS Release 15.2(1)T.

Usage Guidelines

Use the neighbor neighbor-interface option to clear counters for all neighbors on a specified interface. If the neighbor neighbor-interface option is not used, all OSPFv3 counters are cleared.

Examples

The following example clears all neighbors on the serial 19/0 interface:

Router# clear ospfv3 counters neighbor s19/0

clear ospfv3 force-spf

To run shortest path first (SPF) calculations for an Open Shortest Path First version 3 (OSPFv3) process, use the clear ospfv3 force-spf command in privileged EXEC mode.

clear ospfv3 [process-id] [address-family] [vrf {vrf-name | *}] force-spf

Syntax Description

process-id

(Optional) Internal identification. The number used here is the number assigned administratively when enabling the OSPFv3 routing process and can be a value from 1 through 65535.

address-family

(Optional) Enter ipv6 for the IPv6 address family or ipv4 for the IPv4 address family.

vrf

(Optional) VPN Routing/Forwarding instance.

{vrf-name | *}

The virtual routing and forwarding table for which the information should be displayed. If this parameter is not specified, only information for the global routing table is shown. A VRF name of "*" displays information for all VRFs, including the global table.

Command Modes


Privileged EXEC

Command History

Release

Modification

15.1(3)S

This command was introduced.

Cisco IOS XE Release 3.4S

This command was integrated into Cisco IOS XE Release 3.4S.

15.2(1)T

This command was integrated into Cisco IOS Release 15.2(1)T.

Usage Guidelines

Use the clear ospfv3 force-spf command to run SPF calculations for either an IPv6 or an IPv4 OSPFv3 instance. If the optional process-ID argument is not used, SPF runs on all instances on the interface.

Examples

The following example enables SPF calculations for process 1:

Router# clear ospfv3 1 force-spf

clear ospfv3 process

To reset an Open Shortest Path First version 3 (OSPFv3) process, use the clear ospfv3 process command in privileged EXEC mode.

clear ospfv3 [process-id] [address-family] [vrf {vrf-name | *}] process

Syntax Description

process-id

(Optional) Internal identification. The number used here is the number assigned administratively when enabling the OSPFv3 routing process and can be a value from 1 through 65535.

address-family

(Optional) Enter ipv6 for the IPv6 address family or ipv4 for the IPv4 address family.

vrf

(Optional) VPN Routing/Forwarding instance.

{vrf-name | *}

The virtual routing and forwarding table for which the information should be displayed. If this parameter is not specified, only information for the global routing table is shown. A VRF name of "*" displays information for all VRFs, including the global table.

Command Modes


Privileged EXEC

Command History

Release

Modification

15.1(3)S

This command was introduced.

Cisco IOS XE Release 3.4S

This command was integrated into Cisco IOS XE Release 3.4S.

15.2(1)T

This command was integrated into Cisco IOS Release 15.2(1)T.

Usage Guidelines

Use the clear ospfv3 process command to reset either an IPv6 or IPv4 OSPFv3 process. If the optional process-ID argument is not used, all OSPFv3 processes are reset.

Examples

The following example resets the OSPFv3 process 2:

Router# clear ospfv3 2 process

clear ospfv3 redistribution

To clear Open Shortest Path First version 3 (OSPFv3) route redistribution, use the clear ospfv3 redistribution command in privileged EXEC mode.

clear ospfv3 [process-id] [address-family] [vrf {vrf-name | *}] redistribution

Syntax Description

process-id

(Optional) Internal identification. The number used here is the number assigned administratively when enabling the OSPFv3 routing process and can be a value from 1 through 65535.

address-family

(Optional) Enter ipv6 for the IPv6 address family or ipv4 for the IPv4 address family.

vrf

(Optional) VPN Routing/Forwarding instance.

{vrf-name | *}

The virtual routing and forwarding table for which the information should be displayed. If this parameter is not specified, only information for the global routing table is shown. A VRF name of "*" displays information for all VRFs, including the global table.

Command Modes


Privileged EXEC

Command History

Release

Modification

15.1(3)S

This command was introduced.

Cisco IOS XE Release 3.4S

This command was integrated into Cisco IOS XE Release 3.4S.

15.2(1)T

This command was integrated into Cisco IOS Release 15.2(1)T.

Usage Guidelines

Use the clear ospfv3 redistribution command to clear either IPv6 or IPv4 OSPFv3 redistribution. If the optional process-ID argument is not used, all processes on the interface are cleared.

Examples

The following example clears OSPFv3 redistribution on all OSPFv3 processes:

Router# clear ospfv3 redistribution

clear ospfv3 traffic

To reset counters and clear Open Shortest Path First version 3 (OSPFv3) traffic statistics, use the clear ospfv3 traffic command in privileged EXEC mode.

clear ospfv3 [process-id] [address-family] [vrf {vrf-name | *}] traffic [interface]

Syntax Description

process-id

(Optional) Internal identification. The number used here is the number assigned administratively when enabling the OSPFv3 routing process and can be a value from 1 through 65535.

address-family

(Optional) Enter ipv6 for the IPv6 address family or ipv4 for the IPv4 address family.

vrf

(Optional) VPN Routing/Forwarding instance.

{vrf-name | *}

The virtual routing and forwarding table for which the information should be displayed. If this parameter is not specified, only information for the global routing table is shown. A VRF name of "*" displays information for all VRFs, including the global table.

interface

(Optional) Specified interface from which to clear traffic statistics.

Command Modes


Privileged EXEC

Command History

Release

Modification

15.1(3)S

This command was introduced.

Cisco IOS XE Release 3.4S

This command was integrated into Cisco IOS XE Release 3.4S.

15.2(1)T

This command was integrated into Cisco IOS Release 15.2(1)T.

Usage Guidelines

Use the clear ospfv3 traffic command to reset traffic statistics for an IPv6 or IPv4 OSPFv3 process. If the optional process-ID argument is not used, all traffic statistics are cleared.

Examples

The following example resets the counters and clears the OSPFv3 traffic statistics:

Router# clear ospfv3 traffic

compatible rfc1583

To restore the method used to calculate summary route costs per RFC 1583, use the compatible rfc1583 command in router configuration mode. To disable RFC 1583 compatibility, use the no form of this command.

compatible rfc1583
no compatible rfc1583

Syntax Description

This command has no arguments or keywords.

Command Default

Compatible with RFC 1583.

Command Modes

Router configuration

Command History

Release

Modification

12.1(2)T

This command was introduced.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.

Usage Guidelines

This command is backward compatible with Cisco IOS Release 12.0.

To minimize the chance of routing loops, all Open Shortest Path First (OSPF) routers in an OSPF routing domain should have RFC compatibility set identically.

Because of the introduction of RFC 2328, OSPF Version 2, the method used to calculate summary route costs has changed. Use the no compatible rfc1583 command to enable the calculation method used per RFC 2328.

Examples

The following example specifies that the router process is compatible with RFC 1583:

router ospf 1 
 compatible rfc1583
 !

crypto key generate rsa

To generate Rivest, Shamir, and Adleman (RSA) key pairs, use the crypto key generate rsa command in global configuration mode.

crypto key generate rsa [general-keys | usage-keys | signature | encryption] [label key-label] [exportable] [modulus modulus-size] [storage devicename :] [redundancy] [on devicename :]

Syntax Description

general-keys

(Optional) Specifies that a general-purpose key pair will be generated, which is the default.

usage-keys

(Optional) Specifies that two RSA special-usage key pairs, one encryption pair and one signature pair, will be generated.

signature

(Optional) Specifies that the RSA public key generated will be a signature special usage key.

encryption

(Optional) Specifies that the RSA public key generated will be an encryption special usage key.

label key-label

(Optional) Specifies the name that is used for an RSA key pair when they are being exported.

If a key label is not specified, the fully qualified domain name (FQDN) of the router is used.

exportable

(Optional) Specifies that the RSA key pair can be exported to another Cisco device, such as a router.

modulus modulus-size

(Optional) Specifies the IP size of the key modulus.

By default, the modulus of a certification authority (CA) key is 1024 bits. The recommended modulus for a CA key is 2048 bits. The range of a CA key modulus is from 350 to 4096 bits.

Note    Effective with Cisco IOS XE Release 2.4 and Cisco IOS Release 15.1(1)T, the maximum key size was expanded to 4096 bits for private key operations. The maximum for private key operations prior to these releases was 2048 bits.

storage devicename :

(Optional) Specifies the key storage location. The name of the storage device is followed by a colon (:).

redundancy

(Optional) Specifies that the key should be synchronized to the standby CA.

on devicename :

(Optional) Specifies that the RSA key pair will be created on the specified device, including a Universal Serial Bus (USB) token, local disk, or NVRAM. The name of the device is followed by a colon (:).

Keys created on a USB token must be 2048 bits or less.

Command Default

RSA key pairs do not exist.

Command Modes


Global configuration

Command History

Release

Modification

11.3

This command was introduced.

12.2(8)T

The key-label argument was added.

12.2(15)T

The exportable keyword was added.

12.2(18)SXD

This command was integrated into Cisco IOS Release 12.2(18)SXD.

12.4(4)T

The storage keyword and devicename : argument were added.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.4(11)T

The storage keyword and devicename : argument were implemented on the Cisco 7200VXR NPE-G2 platform.

The signature, encryption and on keywords and devicename : argument were added.

12.4(24)T

Support for IPv6 Secure Neighbor Discovery (SeND) was added.

XE 2.4

The maximum RSA key size was expanded from 2048 to 4096 bits for private key operations.

15.0(1)M

This command was modified. The redundancy keyword was introduced.

15.1(1)T

This command was modified. The range value for the modulus keyword value is extended from 360 to 2048 bits to 360 to 4096 bits.

Usage Guidelines

Use this command to generate RSA key pairs for your Cisco device (such as a router).

RSA keys are generated in pairs--one public RSA key and one private RSA key.

If your router already has RSA keys when you issue this command, you will be warned and prompted to replace the existing keys with new keys.


Note    Before issuing this command, ensure that your router has a hostname and IP domain name configured (with the hostname and ip domain-name commands). You will be unable to complete the crypto key generate rsa command without a hostname and IP domain name. (This situation is not true when you generate only a named key pair.)

Note    Secure Shell (SSH) may generate an additional RSA key pair if you generate a key pair on a router having no RSA keys. The additional key pair is used only by SSH and will have a name such as {router_FQDN}.server. For example, if a router name is "router1.cisco.com," the key name is "router1.cisco.com.server."

This command is not saved in the router configuration; however, the RSA keys generated by this command are saved in the private configuration in NVRAM (which is never displayed to the user or backed up to another device) the next time the configuration is written to NVRAM.


Note    If the configuration is not saved to NVRAM, the generated keys are lost on the next reload of the router.

There are two mutually exclusive types of RSA key pairs: special-usage keys and general-purpose keys. When you generate RSA key pairs, you will be prompted to select either special-usage keys or general-purpose keys.

Special-Usage Keys

If you generate special-usage keys, two pairs of RSA keys will be generated. One pair will be used with any Internet Key Exchange (IKE) policy that specifies RSA signatures as the authentication method, and the other pair will be used with any IKE policy that specifies RSA encrypted keys as the authentication method.

A CA is used only with IKE policies specifying RSA signatures, not with IKE policies specifying RSA-encrypted nonces. (However, you could specify more than one IKE policy and have RSA signatures specified in one policy and RSA-encrypted nonces in another policy.)

If you plan to have both types of RSA authentication methods in your IKE policies, you may prefer to generate special-usage keys. With special-usage keys, each key is not unnecessarily exposed. (Without special-usage keys, one key is used for both authentication methods, increasing the exposure of that key.)

General-Purpose Keys

If you generate general-purpose keys, only one pair of RSA keys will be generated. This pair will be used with IKE policies specifying either RSA signatures or RSA encrypted keys. Therefore, a general-purpose key pair might get used more frequently than a special-usage key pair.

Named Key Pairs

If you generate a named key pair using the key-label argument, you must also specify the usage-keys keyword or the general-keys keyword. Named key pairs allow you to have multiple RSA key pairs, enabling the Cisco IOS software to maintain a different key pair for each identity certificate.

Modulus Length

When you generate RSA keys, you will be prompted to enter a modulus length. The longer the modulus, the stronger the security. However, a longer modulus takes longer to generate (see the table below for sample times) and takes longer to use.

Table 1 Sample Times by Modulus Length to Generate RSA Keys

Router        360 bits             512 bits     1024 bits                2048 bits (maximum)
Cisco 2500    11 seconds           20 seconds   4 minutes, 38 seconds    More than 1 hour
Cisco 4700    Less than 1 second   1 second     4 seconds                50 seconds

Cisco IOS software does not support a modulus greater than 4096 bits. A length of less than 512 bits is normally not recommended. In certain situations, the shorter modulus may not function properly with IKE, so we recommend using a minimum modulus of 2048 bits.


Note    As of Cisco IOS Release 12.4(11)T, peer public RSA key modulus values up to 4096 bits are automatically supported. The largest private RSA key modulus is 4096 bits. Therefore, the largest RSA private key a router may generate or import is 4096 bits. However, RFC 2409 restricts the private key size to 2048 bits or less for RSA encryption. The recommended modulus for a CA is 2048 bits; the recommended modulus for a client is 2048 bits.

Additional limitations may apply when RSA keys are generated by cryptographic hardware. For example, when RSA keys are generated by the Cisco VPN Services Port Adapter (VSPA), the RSA key modulus must be a minimum of 384 bits and must be a multiple of 64.

Specifying a Storage Location for RSA Keys

When you issue the crypto key generate rsa command with the storage devicename : keyword and argument, the RSA keys will be stored on the specified device. This location will supersede any crypto key storage command settings.

Specifying a Device for RSA Key Generation

As of Cisco IOS Release 12.4(11)T and later releases, you may specify the device where RSA keys are generated. Devices supported include NVRAM, local disks, and USB tokens. If your router has a USB token configured and available, the USB token can be used as a cryptographic device in addition to a storage device. Using a USB token as a cryptographic device allows RSA operations such as key generation, signing, and authentication of credentials to be performed on the token. The private key never leaves the USB token and is not exportable. The public key is exportable.

RSA keys may be generated on a configured and available USB token by using the on devicename : keyword and argument. Keys that reside on a USB token are saved to persistent token storage when they are generated. The number of keys that can be generated on a USB token is limited by the space available. If you attempt to generate keys on a USB token and it is full, you will receive the following message:

% Error in generating keys:no available resources 

Key deletion will remove the keys stored on the token from persistent storage immediately. (Keys that do not reside on a token are saved to or deleted from nontoken storage locations when the copy or similar command is issued.)

For information on configuring a USB token, see the "Storing PKI Credentials" chapter in the Cisco IOS Security Configuration Guide. For information on using on-token RSA credentials, see the "Configuring and Managing a Cisco IOS Certificate Server for PKI Deployment" chapter in the Cisco IOS Security Configuration Guide, Release 12.4T.

Specifying RSA Key Redundancy Generation on a Device

You can specify redundancy for existing keys only if they are exportable.

Examples

The following example generates a general-usage 1024-bit RSA key pair on a USB token with the label "ms2" with crypto engine debugging messages shown:

Router(config)# crypto key generate rsa label ms2 modulus 2048 on usbtoken0:
The name for the keys will be: ms2 
% The key modulus size is 2048 bits 
% Generating 1024 bit RSA keys, keys will be on-token, non-exportable... 
Jan 7 02:41:40.895: crypto_engine: Generate public/private keypair [OK] 
Jan 7 02:44:09.623: crypto_engine: Create signature 
Jan 7 02:44:10.467: crypto_engine: Verify signature 
Jan 7 02:44:10.467: CryptoEngine0: CRYPTO_ISA_RSA_CREATE_PUBKEY(hw)(ipsec) 
Jan 7 02:44:10.467: CryptoEngine0: CRYPTO_ISA_RSA_PUB_DECRYPT(hw)(ipsec) 

Now, the on-token keys labeled "ms2" may be used for enrollment.

The following example generates special-usage RSA keys:

Router(config)# crypto key generate rsa usage-keys
The name for the keys will be: myrouter.example.com
Choose the size of the key modulus in the range of 360 to 2048 for your Signature Keys. Choosing a key modulus greater than 512 may take a few minutes.
How many bits in the modulus[512]? <return>
Generating RSA keys.... [OK].
Choose the size of the key modulus in the range of 360 to 2048 for your Encryption Keys. Choosing a key modulus greater than 512 may take a few minutes.
How many bits in the modulus[512]? <return>
Generating RSA keys.... [OK].

The following example generates general-purpose RSA keys:


Note    You cannot generate both special-usage and general-purpose keys; you can generate only one or the other.

Router(config)# crypto key generate rsa general-keys
The name for the keys will be: myrouter.example.com
Choose the size of the key modulus in the range of 360 to 2048 for your General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes.
How many bits in the modulus[512]? <return>
Generating RSA keys.... [OK].

The following example generates the general-purpose RSA key pair "exampleCAkeys":

crypto key generate rsa general-keys label exampleCAkeys
crypto ca trustpoint exampleCAkeys
 enroll url http://exampleCAkeys/certsrv/mscep/mscep.dll
 rsakeypair exampleCAkeys 1024 1024

The following example specifies the RSA key storage location of "usbtoken0:" for "tokenkey1":

crypto key generate rsa general-keys label tokenkey1 storage usbtoken0:

The following example specifies the redundancy keyword:

Router(config)# crypto key generate rsa label MYKEYS redundancy
The name for the keys will be: MYKEYS
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.
How many bits in the modulus [512]:
% Generating 512 bit RSA keys, keys will be non-exportable with redundancy...[OK]
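The modulus and device limits given in the usage guidelines above can be checked before a key-generation line is ever typed on a router. The following Python is an added example, not Cisco code: it parses the keywords documented in the syntax description and applies this page's limits. The rule names, the constructed sample lines, and the assumption that USB token devices are named like usbtoken0: are introduced here.

```python
# Added example: reviews proposed "crypto key generate rsa" lines against the
# limits stated on this page. Rule names are hypothetical, chosen for this example.
MIN_MODULUS, MAX_MODULUS = 360, 4096   # modulus keyword range (15.1(1)T history entry)
RECOMMENDED_MODULUS = 2048             # recommended minimum modulus on this page
USB_TOKEN_MAX = 2048                   # "Keys created on a USB token must be 2048 bits or less"
PROMPT_DEFAULT = 512                   # default shown at the modulus prompt in the examples
USAGE_WORDS = {"general-keys", "usage-keys", "signature", "encryption"}
VALUE_WORDS = {"label", "modulus", "storage", "on"}
FLAG_WORDS = {"exportable", "redundancy"}


def parse_keygen(line):
    """Split one command line into its documented keywords and arguments."""
    tokens = line.split()
    if tokens[:4] != ["crypto", "key", "generate", "rsa"]:
        raise ValueError("not a 'crypto key generate rsa' command")
    opts = {"usage": "general-keys", "label": None, "modulus": None,
            "storage": None, "on": None, "exportable": False, "redundancy": False}
    rest = iter(tokens[4:])
    for tok in rest:
        if tok in USAGE_WORDS:
            opts["usage"] = tok
        elif tok in FLAG_WORDS:
            opts[tok] = True
        elif tok in VALUE_WORDS:
            value = next(rest, None)          # keyword must be followed by its argument
            if value is None:
                raise ValueError(f"keyword '{tok}' is missing its argument")
            opts[tok] = int(value) if tok == "modulus" else value
        else:
            raise ValueError(f"unknown keyword '{tok}'")
    return opts


def is_usb_token(device):
    # Assumption: USB tokens are named like "usbtoken0:", as in the page's examples.
    return device is not None and device.lower().startswith("usbtoken")


def review_keygen(line):
    """Return a list of (rule, message) findings; an empty list means no objection."""
    opts = parse_keygen(line)
    mod = opts["modulus"]
    findings = []
    if mod is None:
        findings.append(("modulus-unset",
                         f"no modulus keyword; the prompt default is {PROMPT_DEFAULT} bits"))
    elif not MIN_MODULUS <= mod <= MAX_MODULUS:
        findings.append(("modulus-out-of-range",
                         f"{mod} is outside {MIN_MODULUS}-{MAX_MODULUS} bits"))
    elif mod < RECOMMENDED_MODULUS:
        findings.append(("modulus-weak",
                         f"{mod} bits is below the recommended {RECOMMENDED_MODULUS}"))
    if is_usb_token(opts["on"]):
        if mod is not None and mod > USB_TOKEN_MAX:
            findings.append(("token-modulus-too-large",
                             f"{mod} bits exceeds the {USB_TOKEN_MAX}-bit limit for on-token keys"))
        if opts["exportable"]:
            findings.append(("token-key-not-exportable",
                             "a private key generated on a USB token is not exportable"))
    elif opts["exportable"]:
        findings.append(("exportable-private-key",
                         "key pair can be exported to another device; confirm this is required"))
    return findings


# Constructed sample input: the first two lines appear on this page, the last two are made up.
SAMPLES = [
    "crypto key generate rsa label ms2 modulus 2048 on usbtoken0:",
    "crypto key generate rsa general-keys label exampleCAkeys",
    "crypto key generate rsa general-keys label lab1 modulus 1024 exportable",
    "crypto key generate rsa label tok2 modulus 4096 on usbtoken0:",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample)
        for rule, message in review_keygen(sample) or [("ok", "no findings")]:
            print(f"  {rule}: {message}")
```
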

Related Commands

Command

Description

copy

Copies any file from a source to a destination.

crypto key storage

Sets the default storage location for RSA key pairs.

debug crypto engine

Displays debug messages about crypto engines.

hostname

Specifies or modifies the hostname for the network server.

ip domain-name

Defines a default domain name to complete unqualified hostnames (names without a dotted-decimal domain name).

show crypto key mypubkey rsa

Displays the RSA public keys of your router.

show crypto pki certificates

Displays information about your PKI certificate, certification authority, and any registration authority certificates.

ctunnel mode

To transport IPv4 and IPv6 packets over a Connectionless Network Service (CLNS) tunnel (CTunnel), use the ctunnel mode command in interface configuration mode. To return the ctunnel to the default cisco mode, use the no form of this command.

ctunnel mode [gre | cisco]
no ctunnel mode

Syntax Description

gre

(Optional) Sets the ctunnel mode to Generic Routing Encapsulation (GRE) for transporting IPv6 packets over the CLNS network.

cisco

(Optional) Returns the ctunnel mode to the default cisco.

Command Default

Cisco encapsulation tunnel mode is the default.

Command Modes

Interface configuration

Command History

Release

Modification

12.3(7)T

This command was introduced.

12.2(25)S

This command was integrated into Cisco IOS Release 12.2(25)S.

12.2(28)SB

This command was integrated into Cisco IOS Release 12.2(28)SB.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2(33)SXH

This command was integrated into Cisco IOS Release 12.2(33)SXH.

Usage Guidelines

GRE tunneling of IPv4 and IPv6 packets through CLNS-only networks enables Cisco ctunnels to interoperate with networking equipment from other vendors. This feature provides compliance with RFC 3147, Generic Routing Encapsulation over CLNS Networks, which should allow interoperation between Cisco equipment and that of other vendors in which the same standard is implemented.

RFC 3147 specifies the use of GRE when tunneling packets. The implementation of this feature does not include support for GRE header fields such as those used to specify checksums, keys, or sequencing. Any packets received which specify the use of these features will be dropped.

The default ctunnel mode continues to use the standard Cisco encapsulation. Both ends of the tunnel must be configured with the same mode for it to work. If you want to tunnel IPv6 packets, you must use the new gre mode.
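The drop rule for unsupported GRE header fields, as an added Python example (not Cisco code): it decodes the first four bytes of a GRE header using the RFC 2784/RFC 2890 bit positions and reports whether a checksum, key, or sequence bit is set. The function name and the sample headers are constructed for illustration, and only the rule stated on this page is modelled; GRE version and payload-type handling are not described here and are not checked.

```python
import struct

# Flag bits in the first 16-bit word of a GRE header (RFC 2784 / RFC 2890).
OPTIONAL_FIELDS = (
    (0x8000, "checksum"),   # C bit
    (0x2000, "key"),        # K bit
    (0x1000, "sequence"),   # S bit
)
ETHERTYPES = {0x0800: "IPv4", 0x86DD: "IPv6"}


def inspect_gre(header):
    """Decode the flags and protocol type from the first 4 bytes of a GRE header.

    'dropped_by_ctunnel' reflects only the rule on this page: a packet that
    specifies checksum, key, or sequencing is dropped.
    """
    if len(header) < 4:
        raise ValueError("GRE header needs at least 4 bytes")
    flags, proto = struct.unpack("!HH", header[:4])
    present = [name for bit, name in OPTIONAL_FIELDS if flags & bit]
    return {
        "payload": ETHERTYPES.get(proto, f"0x{proto:04x}"),
        "optional_fields": present,
        "dropped_by_ctunnel": bool(present),
    }


# Constructed sample headers (flags word followed by protocol type).
SAMPLE_HEADERS = {
    "plain IPv6": bytes.fromhex("000086dd"),
    "IPv6 with key": bytes.fromhex("200086dd"),
    "IPv4 with checksum, key, sequence": bytes.fromhex("b0000800"),
}

if __name__ == "__main__":
    for label, raw in SAMPLE_HEADERS.items():
        print(label, inspect_gre(raw))
```
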

Examples

The following example configures a CTunnel from one router to another and shows the CTunnel destination set to 49.0001.1111.1111.1111.00. The ctunnel mode is set to gre to transport IPv6 packets.

interface ctunnel 301
 ipv6 address 2001:0DB8:1111:2222::2/64
 ctunnel destination 49.0001.1111.1111.1111.00
 ctunnel mode gre

Related Commands

Command

Description

clns routing

Enables routing of CLNS packets.

ctunnel destination

Specifies the destination for the CTunnel.

debug ctunnel

Displays debug messages for the IP over a CLNS Tunnel feature.

interface ctunnel

Creates a virtual interface to transport IP over a CLNS tunnel.

ip address

Sets a primary or secondary IP address for an interface.

© 2012 Cisco Systems, Inc. All rights reserved.