Cisco IOS Security Command Reference, Release 12.3 T
Security Commands: fingerprint through ip ips signature disable

Table Of Contents

fingerprint

firewall are-u-there

fqdn (ca-trustpoint)

fqdn (crypto identity)

grant auto

grant auto trustpoint

grant none

grant ra-auto

group (authentication)

group (IKE policy)

group (local RADIUS server)

group (RADIUS)

group-lock

hash (IKE policy)

heading

identity

identity policy

identity profile

identity profile eapoudp

idle-timeout

include-local-lan

incoming

initiate-mode

interface (RITE)

ip-address (ca-trustpoint)

ip admission

ip admission name

ip auth-proxy (global configuration)

ip auth-proxy (interface configuration)

ip auth-proxy auth-proxy-banner

ip auth-proxy name

ip http ezvpn

ip inspect

ip inspect alert-off

ip inspect audit-trail

ip inspect dns-timeout

ip inspect hashtable

ip inspect L2-transparent dhcp-passthrough

ip inspect max-incomplete high

ip inspect max-incomplete low

ip inspect name

ip inspect one-minute high

ip inspect one-minute low

ip inspect tcp finwait-time

ip inspect tcp idle-time

ip inspect tcp max-incomplete host

ip inspect tcp synwait-time

ip inspect udp idle-time

ip ips

ip ips deny-action ips-interface

ip ips fail closed

ip ips name

ip ips notify

ip ips po local

ip ips po max-events

ip ips po protected

ip ips po remote

ip ips sdf location

ip ips signature

ip ips signature disable


fingerprint

To preenter a fingerprint that can be matched against the fingerprint of a certification authority (CA) certificate during authentication, use the fingerprint command in ca-trustpoint configuration mode. To remove the preentered fingerprint, use the no form of this command.

fingerprint ca-fingerprint

no fingerprint ca-fingerprint

Syntax Description

ca-fingerprint

Certificate fingerprint.


Defaults

A fingerprint is not preentered for a trustpoint, and if the authentication request is interactive, you must verify the fingerprint that is displayed during authentication of the CA certificate. If the authentication request is noninteractive, the certificate will be rejected without a preentered fingerprint.

Command Modes

Ca-trustpoint configuration

Command History

Release
Modification

12.3(12)

This command was introduced. This release supports only Message Digest 5 (MD5) fingerprints.

12.3(13)T

Support was added for Secure Hash Algorithm 1 (SHA1), but only for Cisco IOS T releases.


Usage Guidelines


Note If the authentication request is made using the CLI, it is considered an interactive request. If the authentication request is made using HTTP or another management tool, it is considered a noninteractive request.


Preenter the fingerprint if you want to avoid responding to the verify question during CA certificate authentication or if you will be requesting authentication noninteractively. The preentered fingerprint may be either the MD5 fingerprint or the SHA1 fingerprint of the CA certificate.

If you are authenticating a CA certificate and a fingerprint was preentered, the certificate is accepted when the preentered fingerprint matches that of the certificate. If the preentered fingerprint does not match, the certificate is rejected.

If requesting authentication noninteractively, the fingerprint must be preentered or the certificate will be rejected. The verify question will not be asked when requesting authentication noninteractively.

If you are requesting authentication interactively without preentering the fingerprint, the fingerprint of the certificate will be displayed, and you will be asked to verify it.

Examples

The following example shows how to preenter an MD5 fingerprint before authenticating a CA certificate:

Router (config)# crypto pki trustpoint myTrustpoint
Router (ca-trustpoint)# fingerprint 6513D537 7AEA61B7 29B7E8CD BBAA510B
Router (ca-trustpoint)# exit
Router (config)# crypto pki authenticate myTrustpoint
Certificate has the following attributes:
       Fingerprint MD5: 6513D537 7AEA61B7 29B7E8CD BBAA510B
      Fingerprint SHA1: 998CCFAA 5816ECDE 38FC217F 04C11F1D DA06667E
Trustpoint Fingerprint: 6513D537 7AEA61B7 29B7E8CD BBAA510B
Certificate validated - fingerprints matched.
Trustpoint CA certificate accepted.
Router (config)#

The following is an example for Cisco IOS Release 12.3(12). Note that the SHA1 fingerprint is not displayed because it is not supported by this release.

Router (config)# crypto ca trustpoint myTrustpoint
Router (ca-trustpoint)# fingerprint 6513D537 7AEA61B7 29B7E8CD BBAA510B
Router (ca-trustpoint)# exit
Router (config)# crypto ca authenticate myTrustpoint
Certificate has the following attributes:
           Fingerprint: 6513D537 7AEA61B7 29B7E8CD BBAA510B
Trustpoint Fingerprint: 6513D537 7AEA61B7 29B7E8CD BBAA510B
Certificate validated - fingerprints matched.
Trustpoint CA certificate accepted.
Router (config)#
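The acceptance rules from the Usage Guidelines above, modelled in Python as an added example (not Cisco IOS code): it formats MD5 and SHA1 digests in the grouped layout IOS prints and applies the preentered/interactive decision table. The certificate bytes are a constructed placeholder, not a real DER certificate.

```python
"""Added example (not Cisco IOS code): models how a preentered trustpoint
fingerprint is checked against a CA certificate during authentication."""
import hashlib
import hmac
from enum import Enum
from typing import Optional

# Constructed placeholder standing in for the DER bytes of a CA certificate.
# It is NOT a real certificate; any byte string exercises the fingerprint logic.
SAMPLE_CA_DER = bytes(range(256)) * 3


class Outcome(Enum):
    ACCEPTED = "certificate accepted"
    REJECTED = "certificate rejected"
    VERIFY_PROMPT = "operator asked to verify the displayed fingerprint"


def ios_fingerprint(cert_der: bytes, algorithm: str) -> str:
    """Digest of the certificate in the grouped upper-case hex layout IOS shows,
    e.g. 'Fingerprint MD5: 6513D537 7AEA61B7 29B7E8CD BBAA510B'."""
    if algorithm not in ("md5", "sha1"):
        raise ValueError("Release 12.3T trustpoints accept MD5 or SHA1 fingerprints only")
    digest = hashlib.new(algorithm, cert_der).hexdigest().upper()
    return " ".join(digest[i:i + 8] for i in range(0, len(digest), 8))


def normalize(fingerprint: str) -> str:
    """Ignore spacing and case so '6513d537 7aea...' and '6513D5377AEA...' compare equal."""
    return "".join(fingerprint.split()).upper()


def authenticate_ca(cert_der: bytes, preentered: Optional[str], interactive: bool) -> Outcome:
    """Apply the rules from the Usage Guidelines:

    * fingerprint preentered  -> accept if it equals the certificate's MD5 or
      SHA1 fingerprint, otherwise reject (no verify prompt in either case)
    * nothing preentered, interactive (CLI) request -> display and prompt
    * nothing preentered, noninteractive (HTTP/management tool) -> reject
    """
    if preentered is not None:
        wanted = normalize(preentered)
        for algorithm in ("md5", "sha1"):
            actual = normalize(ios_fingerprint(cert_der, algorithm))
            # constant-time comparison; a mismatch is a hard reject, not a prompt
            if hmac.compare_digest(actual, wanted):
                return Outcome.ACCEPTED
        return Outcome.REJECTED
    return Outcome.VERIFY_PROMPT if interactive else Outcome.REJECTED


if __name__ == "__main__":
    md5_fp = ios_fingerprint(SAMPLE_CA_DER, "md5")
    print("Fingerprint MD5:", md5_fp)
    print("Fingerprint SHA1:", ios_fingerprint(SAMPLE_CA_DER, "sha1"))
    # preentered and matching: accepted even for a noninteractive request
    print(authenticate_ca(SAMPLE_CA_DER, md5_fp, interactive=False).value)
    # wrong preentered value: rejected regardless of interactivity
    print(authenticate_ca(SAMPLE_CA_DER, "0" * 32, interactive=True).value)
    # nothing preentered: the CLI prompts, an HTTP/tool request is rejected
    print(authenticate_ca(SAMPLE_CA_DER, None, interactive=True).value)
    print(authenticate_ca(SAMPLE_CA_DER, None, interactive=False).value)
```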

Related Commands

Command
Description

crypto ca authenticate

Authenticates the CA (by getting the certificate of the CA).

crypto ca trustpoint

Declares the CA that your router should use.


firewall are-u-there

To add the Firewall-Are-U-There attribute to the server group if your PC is running the Black Ice or Zone Alarm personal firewalls, use the firewall are-u-there command in Internet Security Association Key Management Protocol (ISAKMP) group configuration mode. To disable the Firewall-Are-U-There attribute, use the no form of this command.

firewall are-u-there

no firewall are-u-there

Syntax Description

This command has no arguments or keywords.

Defaults

The server will not send the Firewall-Are-U-There attribute to the client.

Command Modes

ISAKMP group configuration

Command History

Release
Modification

12.3(2)T

This command was introduced.


Usage Guidelines

The Firewall-Are-U-There attribute is sent by the Black Ice and Zone Alarm personal firewalls if they are prompted by the server. If connections to the Virtual Private Network (VPN) are for protected devices only, that is, if a PC is running one of these personal firewalls, you should add the attribute to the server group. Devices that do not have a personal firewall will not respond with their capabilities, and their connections will be dropped.

The Firewall-Are-U-There attribute is configured on a Cisco IOS router or in the RADIUS profile.

To configure the Firewall-Are-U-There attribute, use the firewall are-u-there command.

An example of an attribute-value (AV) pair for the Firewall-Are-U-There attribute is as follows:

ipsec:firewall=1

You must enable the crypto isakmp client configuration group command, which specifies group policy information that has to be defined or changed, before enabling the firewall are-u-there command.


Note The Firewall-Are-U-There attribute can be applied only by a RADIUS user.

The attribute can be applied on a per-user basis after the user has been authenticated.

The attribute can override any similar group attributes.

User-based attributes are available only if RADIUS is used as the database.


Examples

The following example shows that the Firewall-Are-U-There attribute has been configured:

crypto isakmp client configuration group group1
 firewall are-u-there

Related Commands

Command
Description

acl

Configures split tunneling.

crypto isakmp client configuration group

Specifies the DNS domain to which a group belongs.


fqdn (ca-trustpoint)

To specify a fully qualified domain name (FQDN) that will be included as "unstructuredName" in the certificate request, use the fqdn command in ca-trustpoint configuration mode. To remove the FQDN, use the no form of this command.

fqdn {name | none}

no fqdn {name | none}

Syntax Description

name

FQDN that will be included as "unstructuredName" in the certificate request.

none

Router FQDN will not be included in the certificate request.


Defaults

The FQDN is not configured. The router FQDN will be included as "unstructuredName" in the certificate request.

Command Modes

Ca-trustpoint configuration

Command History

Release
Modification

12.2(13)T

This command was introduced.


Usage Guidelines

Before you can issue this command, you must enable the crypto ca trustpoint command, which declares the certification authority (CA) that your router should use and enters ca-trustpoint configuration mode. The fqdn command is a subcommand that allows you to specify a certificate enrollment parameter. Use the fqdn command to include a different FQDN from that of the router in the certificate request or to specify that an FQDN should not be included in the certificate request.

Examples

The following example shows that the FQDN "jack.cisco.com" will be included in the certificate request instead of the router FQDN:

crypto ca trustpoint root
 enrollment url http://10.3.0.7:80
 fqdn none
 subject-name CN=jack, OU=PKI, O=Cisco Systems, C=US
crypto ca trustpoint root
 enrollment url http://10.3.0.7:80
 fqdn jack.cisco.com

Related Commands

Command
Description

crypto ca trustpoint

Declares the CA that your router should use.


fqdn (crypto identity)

To associate the identity of the router with the host name that the peer used to authenticate itself, use the fqdn command in crypto identity configuration mode. To remove this command from your configuration, use the no form of this command.

fqdn name

no fqdn name

Syntax Description

name

Identity used to restrict access to peers with specific certificates.


Defaults

If this command is not enabled, the router can communicate with any encrypted interface that is not restricted on its IP address.

Command Modes

Crypto identity configuration

Command History

Release
Modification

12.2(4)T

This command was introduced.


Usage Guidelines

Use the fqdn command to associate the identity of the router, which is defined in the crypto identity command, with the distinguished name (DN) in the certificate of the router. This command allows you to set restrictions in the router configuration that prevent those peers with specific certificates, especially certificates with particular DNs, from having access to selected encrypted interfaces.


Note The name argument defined in the crypto identity command must match the name argument defined in the fqdn command. That is, the identity of the peer must be the same as the identity in the exchanged certificate.


Examples

The following example shows how to configure a crypto map that can be used only by peers that have been authenticated by hostname and if the certificate belongs to "little.com":

crypto map map-to-little-com 10 ipsec-isakmp
 set peer 172.21.115.119
 set transform-set my-transformset 
 match address 125
 identity to-little-com
!
crypto identity to-little-com
 fqdn little.com

Related Commands

Command
Description

crypto identity

Configures the identity of the router with a given list of DNs in the certificate of the router.

crypto mib ipsec flowmib history failure size

Associates the identity of the router with the DN in the certificate of the router.


grant auto

To specify automatic certificate enrollment, use the grant auto command in certificate server configuration mode. To disable automatic certificate enrollment, use the no form of this command.

grant auto

no grant auto

Syntax Description

This command has no arguments or keywords.

Defaults

Certificate enrollment is manual; that is, authorization is required.

Command Modes

Certificate server configuration

Command History

Release
Modification

12.3(4)T

This command was introduced.


Usage Guidelines

The grant auto command should be used only when testing and building simple networks. This command must be disabled before the network is accessible from the Internet.


Note This command can be used for testing and building simple networks; however, it is recommended that you do not issue this command if your network is generally accessible.


Examples

The following example shows how to enable automatic certificate enrollment for the certificate server "myserver":

Router(config)# ip http server
Router(config)# crypto pki server myserver
Router(cs-server)# database level minimum
Router(cs-server)# grant auto
% This will cause all certificate requests to be automatically granted. 

Are you sure you want to do this? [yes/no]: yes

Related Commands

Command
Description

crypto pki server

Enables a Cisco IOS certificate server and enters certificate server configuration mode.


grant auto trustpoint

To specify the certification authority (CA) trustpoint of another vendor from which the Cisco IOS certificate server will automatically grant certificate enrollment requests, use the grant auto trustpoint command in certificate server configuration mode.

grant auto trustpoint label

Syntax Description

label

Name of the non-Cisco IOS CA trustpoint.


Defaults

No default behavior or values.

Command Modes

Certificate server configuration

Command History

Release
Modification

12.3(11)T

This command was introduced.


Usage Guidelines

After the network administrator for the server configures and authenticates a trustpoint for the CA of another vendor, the grant auto trustpoint command is issued to reference the newly created trustpoint and enroll the router with a Cisco IOS CA.


Note The newly created trustpoint can only be used one time (which occurs when the router is enrolled with the Cisco IOS CA). After the initial enrollment is successfully completed, the credential information will be deleted from the enrollment profile.


The Cisco IOS certificate server will automatically grant only the requests from clients who were already enrolled with the CA of another vendor. All other requests must be manually granted—unless the server is set to be in auto grant mode (via the grant automatic command).


Caution The grant automatic command can be used for testing and building simple networks and should be disabled before the network is accessible from the Internet. It is recommended that you do not issue this command if your network is generally accessible.

Examples

The following example shows how to configure a client router and a Cisco IOS certificate server to exchange enrollment requests via a certificate enrollment profile:

! Define the trustpoint "msca-root" that points to the non-Cisco IOS CA and enroll and 
! authenticate the client with the non-Cisco IOS CA.
crypto pki trustpoint msca-root 
 enrollment mode ra
 enrollment url http://msca-root:80/certsrv/mscep/mscep.dll
 ip-address FastEthernet2/0
 revocation-check crl
!
! Configure trustpoint "cs" for Cisco IOS CA.
crypto pki trustpoint cs 
 enrollment profile cs1
 revocation-check crl
!
! Define enrollment profile "cs1," which points to Cisco IOS CA and mention (via the 
! enrollment credential command) that "msca-root" is being initially enrolled with the 
! Cisco IOS CA.
crypto pki profile enrollment cs1
 enrollment url http://cs:80
 enrollment credential msca-root
!

! Configure the certificate server, and issue the grant auto trustpoint command to 
! instruct the certificate server to accept enrollment request only from clients who are 
! already enrolled with trustpoint "msca-root." 
crypto pki server cs
 database level minimum
 database url nvram:
 issuer-name CN=cs
 grant auto trustpoint msca-root
!
crypto pki trustpoint cs
 revocation-check crl
 rsakeypair cs
!
crypto pki trustpoint msca-root
 enrollment mode ra
 enrollment url http://msca-root:80/certsrv/mscep/mscep.dll
 revocation-check crl

Related Commands

Command
Description

crypto pki server

Enables a Cisco IOS certificate server and enters certificate server configuration mode.


grant none

To specify all certificate requests to be rejected, use the grant none command in certificate server configuration mode. To disable automatic rejection of certificate enrollment, use the no form of this command.

grant none

no grant none

Syntax Description

This command has no arguments or keywords.

Defaults

Certificate enrollment is manual; that is, authorization is required.

Command Modes

Certificate server configuration

Command History

Release
Modification

12.3(4)T

This command was introduced.


Examples

The following example shows how to automatically reject all certificate enrollment requests for the certificate server "myserver":

Router(config)# ip http server
Router(config)# crypto pki server myserver
Router(cs-server)# database level minimum
Router(cs-server)# grant none

Related Commands

Command
Description

crypto pki server

Enables a Cisco IOS certificate server and enters certificate server configuration mode.

grant automatic

Specifies automatic certificate enrollment.


grant ra-auto

To specify that all enrollment requests from a Registration Authority (RA) be granted automatically, use the grant ra-auto command in certificate server configuration mode. To disable automatic certificate enrollment, use the no form of this command.

grant ra-auto

no grant ra-auto

Syntax Description

This command has no arguments or keywords.

Defaults

Certificate enrollment is manual; that is, authorization is required.

Command Modes

Certificate server configuration

Command History

Release
Modification

12.3(7)T

This command was introduced.


Usage Guidelines

When grant ra-auto mode is configured on the issuing certificate server, ensure that the RA mode certificate server is running in manual grant mode so that enrollment requests are authorized individually by the RA.


Note For the grant ra-auto command to work, you have to include "cn=ioscs RA" or "ou=ioscs RA" in the subject name of the RA certificate.


Examples

The following output shows that the issuing certificate server is configured to issue a certificate automatically if the request comes from an RA:

Router (config)# crypto pki server myserver
Router-ca (cs-server)# grant ra-auto
% This will cause all certificate requests that are already authorized by known RAs to be 
automatically granted.

Are you sure you want to do this? [yes/no]:yes

Related Commands

Command
Description

crypto pki server

Enables a Cisco IOS certificate server and enters certificate server configuration mode.


group (authentication)

To specify the authentication, authorization, and accounting (AAA) TACACS+ server group to use for preauthentication, use the group command in AAA preauthentication configuration mode. To remove the group command from your configuration, use the no form of this command.

group {tacacs+ server-group}

no group {tacacs+ server-group}

Syntax Description

tacacs+

Uses a TACACS+ server for authentication.

server-group

Name of the server group to use for authentication.


Defaults

No method list is configured.

Command Modes

AAA preauthentication configuration

Command History

Release
Modification

12.1(2)T

This command was introduced.


Usage Guidelines

You must configure the group command before you configure any other AAA preauthentication command (clid, ctype, dnis, or dnis bypass).

Examples

The following example enables Dialed Number Identification Service (DNIS) preauthentication using the abc123 server group and the password aaa-DNIS:

aaa preauth
 group abc123
 dnis password aaa-DNIS

Related Commands

Command
Description

aaa preauth

Enters AAA preauthentication mode.

dnis (authentication)

Enables AAA preauthentication using DNIS.


group (IKE policy)

To specify the Diffie-Hellman group identifier within an Internet Key Exchange (IKE) policy, use the group command in Internet Security Association Key Management Protocol (ISAKMP) policy configuration mode. IKE policies define a set of parameters to be used during IKE negotiation. To reset the Diffie-Hellman group identifier to the default value, use the no form of this command.

group {1 | 2}

no group

Syntax Description

1

Specifies the 768-bit Diffie-Hellman group.

2

Specifies the 1024-bit Diffie-Hellman group.


Defaults

768-bit Diffie-Hellman (group 1)

Command Modes

ISAKMP policy configuration

Command History

Release
Modification

11.3 T

This command was introduced.


Usage Guidelines

Use this command to specify the Diffie-Hellman group to be used in an IKE policy.

Examples

The following example configures an IKE policy with the 1024-bit Diffie-Hellman group (all other parameters are set to the defaults):

crypto isakmp policy 15
 group 2
 exit

Related Commands

Command
Description

authentication (IKE policy)

Specifies the authentication method within an IKE policy.

crypto isakmp policy

Defines an IKE policy.

encryption (IKE policy)

Specifies the encryption algorithm within an IKE policy.

hash (IKE policy)

Specifies the hash algorithm within an IKE policy.

lifetime (IKE policy)

Specifies the lifetime of an IKE SA.

show crypto isakmp policy

Displays the parameters for each IKE policy.


group (local RADIUS server)

To enter user group configuration mode and to configure shared settings for a user group, use the group command in local RADIUS server configuration mode. To remove the group configuration from the local RADIUS server, use the no form of this command.

group group-name

no group group-name

Syntax Description

group-name

Name of user group.


Defaults

No default behavior or values

Command Modes

Local RADIUS server configuration

Command History

Release
Modification

12.2(11)JA

This command was introduced on Cisco Aironet Access Point 1100 and Cisco Aironet Access Point 1200.

12.3(11)T

This command was implemented on the following platforms: Cisco 2600XM, Cisco 2691, Cisco 2811, Cisco 2821, Cisco 2851, Cisco 3700, and Cisco 3800 series routers.


Examples

The following example shows that shared settings are being configured for group "team1":

group team1

Related Commands

Command
Description

block count

Configures the parameters for locking out members of a group to help protect against unauthorized attacks.

clear radius local-server

Clears the statistics display or unblocks a user.

debug radius local-server

Displays the debug information for the local server.

nas

Adds an access point or router to the list of devices that use the local authentication server.

radius-server host

Specifies the remote RADIUS server host.

radius-server local

Enables the access point or router to be a local authentication server and enters into configuration mode for the authenticator.

reauthentication time

Specifies the time (in seconds) after which access points or wireless-aware routers must reauthenticate the members of a group.

show radius local-server statistics

Displays statistics for a local network access server.

ssid

Specifies up to 20 SSIDs to be used by a user group.

user

Authorizes a user to authenticate using the local authentication server.

vlan

Specifies a VLAN to be used by members of a user group.


group (RADIUS)

To specify the authentication, authorization, and accounting (AAA) RADIUS server group to use for preauthentication, use the group command in AAA preauthentication configuration mode. To remove the group command from your configuration, use the no form of this command.

group server-group

no group server-group

Syntax Description

server-group

Specifies an AAA RADIUS server group.


Defaults

No default behavior or values.

Command Modes

AAA preauthentication configuration

Command History

Release
Modification

12.1(2)T

This command was introduced.


Usage Guidelines

You must configure a RADIUS server group with the aaa group server radius command in global configuration mode before using the group command in AAA preauthentication configuration mode.

You must configure the group command before you configure any other AAA preauthentication command (clid, ctype, dnis, or dnis bypass).

Examples

The following example shows the creation of a RADIUS server group called "maestro" and then specifies that DNIS preauthentication be performed using this server group:

aaa group server radius maestro
 server 1.1.1.1 
 server 2.2.2.2 
 server 3.3.3.3 

aaa preauth
 group maestro
 dnis required

Related Commands

Command
Description

aaa group server radius

Groups different RADIUS server hosts into distinct lists and distinct methods.

clid

Preauthenticates calls on the basis of the CLID number.

ctype

Preauthenticates calls on the basis of the call type.

dnis (RADIUS)

Preauthenticates calls on the basis of the DNIS number.

dnis bypass (AAA preauthentication configuration)

Specifies a group of DNIS numbers that will be bypassed for preauthentication.


group-lock

The group-lock command attribute is used to check if a user attempting to connect to a group belongs to this group. This attribute is used in conjunction with the extended authentication (Xauth) username. The user name must include the group to which it belongs. The group is then matched against the VPN group name (ID_KEY_ID) that is passed during the Internet Key Exchange (IKE). If the groups do not match, then the client connection is terminated.

To allow the extended authentication (Xauth) username to be entered when preshared key authentication is used with IKE, use the group-lock command in Internet Security Association Key Management Protocol (ISAKMP) group configuration mode. To remove the group lock, use the no form of this command.


Note Only preshared keys are supported. Certificates are not supported.


group-lock

no group-lock

Syntax Description

This command has no arguments or keywords.

Defaults

Group lock is not configured.

Command Modes

ISAKMP group configuration (config-isakmp-group)

Command History

Release
Modification

12.2(13)T

This command was introduced.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2SX

This command is supported in the Cisco IOS 12.2SX family of releases. Support in a specific 12.2SX release is dependent on your feature set, platform, and platform hardware.


Usage Guidelines

The Group-Lock attribute can be used if preshared key authentication is used with IKE. When the user enables the group-lock command attribute, one of the following extended Xauth usernames can be entered:

name/group

name\group

name@group

name%group

where /, \, @, and % are the delimiters. The group that is specified after the delimiter is then compared against the group identifier that is sent during IKE aggressive mode. The groups must match or the connection is rejected.


Caution Do not use the Group-Lock attribute if you are using RSA signature authentication mechanisms such as certificates. Use the User-VPN-Group attribute instead.

The Group-Lock attribute is configured on a Cisco IOS router or in the RADIUS profile. This attribute has local (gateway) significance only and is not passed to the client.


Note If local authentication is used, then the Group-Lock attribute is the only option.


The username in the local or RADIUS database must be of the following format:

username[/,\,%,@]group.

Examples

The following example shows how the Group-Lock attribute is configured in the CLI using the group-lock command:


Note You must enable the crypto isakmp client configuration group command, which specifies group policy information that has to be defined or changed, before enabling the group-lock command.


crypto isakmp client configuration group cisco
  group-lock

The following example shows how an attribute-value (AV) pair for the User-VPN-Group attribute is added in the RADIUS configuration:


Note If RADIUS is used for user authentication, then use the User-VPN-Group attribute instead of the Group-Lock attribute.


ipsec:group-lock=1
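The username split and group comparison described in the Usage Guidelines above (the four delimiters and the username[/,\,%,@]group database format), modelled in Python as an added example that is not Cisco IOS code. The user database is constructed; the choice of the last delimiter as the separator and the case-sensitive comparison are assumptions the page does not state.

```python
"""Added example (not Cisco IOS code): models the Group-Lock check that
compares the group in an Xauth username with the IKE group identifier."""
import hmac
from typing import Dict, Optional, Tuple

# The four delimiters the command reference documents: / \ @ %
DELIMITERS = "/\\@%"

# Constructed local user database in the documented username[/,\,%,@]group
# format; the values stand in for credentials, which are out of scope here.
LOCAL_USERS: Dict[str, str] = {
    "alice/cisco": "<password-placeholder>",
    "bob\\sales": "<password-placeholder>",
    "carol@cisco": "<password-placeholder>",
    "dave%engineering": "<password-placeholder>",
}


def split_xauth_username(username: str) -> Optional[Tuple[str, str]]:
    """Split 'name<delimiter>group' into (name, group).

    Returns None when no delimiter is present or either side is empty, which
    the caller treats as a failed group check.  Assumption not stated on the
    page: if several delimiter characters occur, the last one separates the
    group (so 'user@corp.example/cisco' yields group 'cisco').
    """
    idx = max(username.rfind(d) for d in DELIMITERS)
    if idx <= 0 or idx == len(username) - 1:
        return None
    return username[:idx], username[idx + 1:]


def group_lock_allows(username: str, ike_group_id: str) -> bool:
    """True only if the group suffix equals the VPN group name (ID_KEY_ID)
    sent during IKE aggressive mode.  An exact, case-sensitive match is assumed."""
    parts = split_xauth_username(username)
    if parts is None:
        return False  # no group in the username: connection terminated
    _, group = parts
    return hmac.compare_digest(group.encode(), ike_group_id.encode())


def xauth_group_check(username: str, ike_group_id: str, users: Dict[str, str]) -> str:
    """Decide what the gateway does with an Xauth username from a client that
    presented ike_group_id.  Returns a short reason string."""
    if username not in users:
        return "rejected: unknown user"
    if not group_lock_allows(username, ike_group_id):
        return "rejected: group mismatch"
    return "accepted"


if __name__ == "__main__":
    for user, group_id in [("alice/cisco", "cisco"), ("bob\\sales", "cisco"),
                           ("carol@cisco", "cisco"), ("erin", "cisco")]:
        print(f"{user!r} with ID_KEY_ID {group_id!r}: "
              f"{xauth_group_check(user, group_id, LOCAL_USERS)}")
```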

Related Commands

Command
Description

acl

Configures split tunneling.

crypto isakmp client configuration group

Specifies the DNS domain to which a group belongs.


hash (IKE policy)

To specify the hash algorithm within an Internet Key Exchange policy, use the hash command in Internet Security Association Key Management Protocol (ISAKMP) policy configuration mode. IKE policies define a set of parameters to be used during IKE negotiation. To reset the hash algorithm to the default SHA-1 hash algorithm, use the no form of this command.

hash {sha | md5}

no hash

Syntax Description

sha

Specifies SHA-1 (HMAC variant) as the hash algorithm.

md5

Specifies MD5 (HMAC variant) as the hash algorithm.


Defaults

The SHA-1 hash algorithm

Command Modes

ISAKMP policy configuration

Command History

Release
Modification

11.3 T

This command was introduced.


Usage Guidelines

Use this command to specify the hash algorithm to be used in an IKE policy.

Examples

The following example configures an IKE policy with the MD5 hash algorithm (all other parameters are set to the defaults):

crypto isakmp policy 15
 hash md5
 exit

Related Commands

Command
Description

authentication (IKE policy)

Specifies the authentication method within an IKE policy.

crypto isakmp policy

Defines an IKE policy.

encryption (IKE policy)

Specifies the encryption algorithm within an IKE policy.

group (IKE policy)

Specifies the Diffie-Hellman group identifier within an IKE policy.

lifetime (IKE policy)

Specifies the lifetime of an IKE SA.

show crypto isakmp policy

Displays the parameters for each IKE policy.


heading

To set the heading that is displayed above all URLs on the portal page of a Secure Sockets Layer Virtual Private Network (SSLVPN), use the heading command in Web VPN URL configuration mode. To remove the heading, use the no form of this command.

heading heading-name

no heading heading-name

Syntax Description

heading-name

Name of the heading.


Defaults

A URL list is not configured.

Command Modes

Web VPN URL configuration

Command History

Release
Modification

12.3(14)T

This command was introduced.


Usage Guidelines

This command sets the headings that are displayed above all URLs on the portal page.

Examples

The following example shows that the heading has been set to "Engineering":

Router (config)# webvpn
Router (config-webvpn)# url-list englist
Router (config-webvpn-url)# heading Engineering

Related Commands

Command
Description

url-list

Configures the list of URLs to which a user has access on the portal page of an SSLVPN and enters URL configuration mode.

webvpn

Enters Web VPN configuration mode.


identity

To set the identity to the crypto map, use the identity command in crypto map configuration mode.

identity name

Syntax Description

name

Identity used to permit or restrict access for a host to a crypto map.


Defaults

If this command is not enabled, the encrypted connection does not have any restrictions other than the IP address of the encrypting peer.

Command Modes

Crypto map configuration

Command History

Release
Modification

12.2(4)T

This command was introduced.


Usage Guidelines

Use the identity command to set the identity to the configured crypto maps. When this command is applied, only the hosts that match a configuration listed within the name argument can use that crypto map.

Examples

The following example shows how to configure two IP Security (IPSec) crypto maps and apply the identity to each crypto map. That is, the identity is set to "to-bigbiz" for the first crypto map and "to-little-com" for the second crypto map.

! The following is an IPSec crypto map (part of IPSec configuration). It can be used only 
! by peers that have been authenticated by DN and if the certificate belongs to BigBiz.
crypto map map-to-bigbiz 10 ipsec-isakmp
 set peer 172.21.114.196
 set transform-set my-transformset 
 match address 124
 identity to-bigbiz
!
crypto identity to-bigbiz
 dn ou=BigBiz
!
!
! This crypto map can be used only by peers that have been authenticated by hostname
! and if the certificate belongs to little.com.
crypto map map-to-little-com 10 ipsec-isakmp
 set peer 172.21.115.119
 set transform-set my-transformset 
 match address 125
 identity to-little-com
!
crypto identity to-little-com
 fqdn little.com
!

Related Commands

Command
Description

crypto identity

Configures the identity of the router with a given list of DNs in the certificate of the router.

crypto map (global IPSec)

Creates or modifies a crypto map entry and enters the crypto map configuration mode.

dn

Associates the identity of the router with the DN in the certificate of the router.

fqdn

Associates the identity of the router with the hostname that the peer used to authenticate itself.


identity policy

To create an identity policy and to enter identity policy configuration mode, use the identity policy command in global configuration mode. To remove the policy, use the no form of this command.

identity policy policy-name [access-group group-name | description line-of-description | redirect url | template [virtual-template interface-number]]

no identity policy policy-name [access-group group-name | description line-of-description | redirect url | template [virtual-template interface-number]]

Syntax Description

policy-name

Name of the policy.

access-group group-name

(Optional) Access list to be applied.

description line-of-description

(Optional) Description of the policy.

redirect url

(Optional) Redirects clients to a particular URL.

template

(Optional) Virtual template interface from which commands may be cloned.

virtual-template interface-number

(Optional) Virtual template number. The values range from 1 through 200.


Defaults

An identity policy is not created.

Command Modes

Global configuration

Command History

Release
Modification

12.3(8)T

This command was introduced.


Usage Guidelines

An identity policy has to be associated with an identity profile.

Examples

The following example shows that an access policy named "greentree" is being created. The access-group attribute is set to "allow-access." The redirect URL is set to "http://remediate-url.com." This access policy will be associated with a statically authorized device in the identity profile.

Router (config)# identity policy greentree
Router (config-identity-policy)# access-group allow-access
Router (config-identity-policy)# redirect url http://remediate-url.com

Related Commands

Command
Description

identity profile

Creates an identity profile.


identity profile

To create an identity profile and to enter identity profile configuration mode, use the identity profile command in global configuration mode. To disable an identity profile, use the no form of this command.

identity profile {default | dot1x | eapoudp}

no identity profile {default | dot1x | eapoudp}

Syntax Description

default

Service type is default.

dot1x

Service type for 802.1X.

eapoudp

Service type for Extensible Authentication Protocol over UDP (EAPoUDP).


Defaults

An identity profile is not created.

Command Modes

Global configuration

Command History

Release
Modification

12.3(2)XA

This command was introduced.

12.3(4)T

This command was integrated into Cisco IOS Release 12.3(4)T.

12.3(8)T

The eapoudp keyword was added.


Usage Guidelines

The identity profile command and default keyword allow you to configure the static MAC addresses of client computers that do not support 802.1X and to authorize or unauthorize them statically. After you have issued the identity profile command and default keyword and are in identity profile configuration mode, you can specify the configuration of a template that can be used to create the virtual access interface to which unauthenticated supplicants (client computers) will be mapped.

The identity profile command and the dot1x keyword are used by the supplicant and authenticator. Using the dot1x keyword, you can set the username, password, or other identity-related information for an 802.1X authentication.

Using the identity profile command and the eapoudp keyword, you can statically authenticate or unauthenticate a device on the basis of its IP address, its MAC address, or its device type, and the corresponding network access policy can be specified using the identity policy command.

Examples

The following example shows that an identity profile and its description have been specified:

Router (config)# identity profile default
Router (config-identity-prof)# description description_entered_here

The following example shows that an EAP username has been entered:

Router (config)# identity profile dot1x
Router (config-identity-prof)# eap username user1

The following example shows that an EAPoUDP identity profile has been created:

Router (config)# identity profile eapoudp

Related Commands

Command
Description

debug dot1x

Displays 802.1X debugging information.

description

Enters an 802.1X description.

device

Statically authorizes or rejects individual devices.

dot1x initialize

Initializes an interface.

dot1x max-req

Sets the maximum number of times that a router can send an EAP request/identity frame to a client PC.

dot1x max-start

Sets the maximum number of times that the router sends an EAP start frame to the client before concluding that the other end is 802.1X unaware.

dot1x pae

Sets the PAE type.

dot1x port-control

Sets an 802.1X port control value.

dot1x re-authenticate

Reauthenticates an 802.1X interface.

dot1x reauthentication

Enables periodic reauthentication of the client PCs on the interface.

dot1x system-auth-control

Enables 802.1X SystemAuthControl (port-based authentication).

dot1x timeout

Sets retry timeouts.

eap

Specifies EAP-specific parameters.

identity policy

Creates an identity policy.

show dot1x

Shows details and statistics for an identity profile.

template

Specifies a virtual template from which commands may be cloned.


identity profile eapoudp

To create an identity profile and to enter Extensible Authentication Protocol over UDP (EAPoUDP) profile configuration mode, use the identity profile eapoudp command in global configuration mode. To remove the policy, use the no form of this command.

identity profile eapoudp

no identity profile eapoudp

Syntax Description

This command has no arguments or keywords.

Defaults

No EAPoUDP identity profile exists.

Command Modes

Global configuration

Command History

Release
Modification

12.3(8)T

This command was introduced.


Usage Guidelines

Using this command, you can statically authenticate or unauthenticate a device on the basis of its IP address, its MAC address, or its device type, and the corresponding network access policy can be specified using the identity policy command.

Examples

The following example shows that an EAPoUDP identity profile has been created:

Router (config)# identity profile eapoudp

Related Commands

Command
Description

identity policy

Creates an identity policy.


idle-timeout

To set the default idle timeout for a Secure Sockets Layer Virtual Private Network (SSLVPN) if no idle timeout has been defined or if the idle timeout is zero (0), use the idle-timeout command in Web VPN configuration mode. To revert to the default value, use the no form of this command.

idle-timeout [never | seconds]

no idle-timeout [never | seconds]

Syntax Description

never

(Optional) The idle timeout function is disabled.

seconds

(Optional) Idle timeout in seconds. The values are from 180 seconds (3 minutes) to 86400 seconds (24 hours).


Defaults

If this command is not configured, the default idle timeout is 1800 seconds (30 minutes).

Command Modes

Web VPN configuration

Command History

Release
Modification

12.3(14)T

This command was introduced.


Usage Guidelines

Configuring this command prevents stale sessions.

Examples

The following example shows that the idle timeout has been set for 1200 seconds:

Router (config)# webvpn
Router (config-webvpn)# idle-timeout 1200

The following example shows that the idle timeout function is disabled:

Router (config)# webvpn
Router (config-webvpn)# idle-timeout never

Related Commands

Command
Description

webvpn

Enters Web VPN configuration mode.


include-local-lan

To configure the Include-Local-LAN attribute to allow a nonsplit-tunneling connection to access the local subnetwork at the same time as the client, use the include-local-lan command in Internet Security Association Key Management Protocol (ISAKMP) group configuration mode. To disable the attribute that allows the nonsplit-tunneling connection, use the no form of this command.

include-local-lan

no include-local-lan

Syntax Description

This command has no arguments or keywords.

Defaults

A nonsplit-tunneling connection is not able to access the local subnet at the same time as the client.

Command Modes

ISAKMP group configuration

Command History

Release
Modification

12.3(2)T

This command was introduced.


Usage Guidelines

If split tunneling is not in use (that is, the SPLIT_INCLUDE attribute was not negotiated), you lose not only Internet access, but also access to resources on the local subnetworks. The Include-Local-LAN attribute allows the server to push the attribute to the client, which allows for a nonsplit-tunneling connection to access the local subnetwork at the same time as the client (that is, the connection is to the subnetwork to which the client is directly attached).

The Include-Local-LAN attribute is configured on a Cisco IOS router or in the RADIUS profile.

To configure the Include-Local-LAN attribute, use the include-local-lan command.

An example of an attribute-value (AV) pair for the Include-Local-LAN attribute is as follows:

ipsec:include-local-lan=1

You must enable the crypto isakmp client configuration group command, which specifies group policy information that has to be defined or changed, before enabling the include-local-lan command.


Note The Include-Local-LAN attribute can be applied only by a RADIUS user.

The attribute can be applied on a per-user basis after the user has been authenticated.

The attribute can override any similar group attributes.

User-based attributes are available only if RADIUS is used as the database.


Examples

The following example shows that the Include-Local-LAN attribute has been configured:

crypto isakmp client configuration group cisco
 include-local-lan

Related Commands

Command
Description

acl

Configures split tunneling.

crypto isakmp client configuration group

Specifies the DNS domain to which a group belongs.


incoming

To configure filtering for incoming IP traffic, use the incoming command in router IP traffic export (RITE) configuration mode. To disable filtering for incoming traffic, use the no form of this command.

incoming {access-list {standard | extended | named} | sample one-in-every packet-number}

no incoming {access-list {standard | extended | named} | sample one-in-every packet-number}

Syntax Description

access-list {standard | extended | named}

An existing numbered (standard or extended) or named access control list (ACL).

Note The filter is applied only to exported traffic, not normal router traffic.

sample one-in-every packet-number

Exports only one packet out of every specified number of packets. Valid range for the packet-number argument is 2 to 2147483647 packets. By default, all traffic is exported.


Defaults

If this command is not enabled, all incoming IP traffic will be filtered via sampling.

Command Modes

RITE configuration

Command History

Release
Modification

12.3(4)T

This command was introduced.

12.2(25)S

This command was integrated into Cisco IOS Release 12.2(25)S.


Usage Guidelines

When configuring a network device for exporting IP traffic, you can issue the incoming command to filter unwanted traffic via the following methods:

ACLs, which accept or deny an IP packet for export

Sampling, which allows you to export one in every few packets in which you are interested. Use this option when it is not necessary to export all incoming traffic. Also, sampling is useful when a monitored ingress interface can send traffic faster than the egress interface can transmit it.

Examples

The following example shows how to configure the profile "corp1," which will send captured IP traffic to host "00a.8aab.90a0" at the interface "FastEthernet 0/1." This profile is also configured to export one in every 50 packets and to allow incoming traffic only from the ACL "ham_ACL."

Router(config)# ip traffic-export profile corp1
Router(config-rite)# interface FastEthernet 0/1
Router(config-rite)# bidirectional
Router(config-rite)# mac-address 00a.8aab.90a0
Router(config-rite)# outgoing sample one-in-every 50
Router(config-rite)# incoming access-list ham_acl
Router(config-rite)# exit
Router(config)# interface FastEthernet 0/0
Router(config-if)# ip traffic-export apply corp1

Related Commands

Command
Description

ip traffic-export profile

Creates or edits an IP traffic export profile and enables the profile on an ingress interface.

outgoing

Configures filtering for outgoing export traffic.


initiate-mode

To configure the Internet Key Exchange (IKE) Phase 1 mode, use the initiate-mode command in ISAKMP profile configuration mode. To remove the mode that was configured, use the no form of this command.

initiate-mode aggressive

no initiate-mode aggressive

Syntax Description

aggressive

Aggressive mode is initiated.


Defaults

IKE initiates main mode.

Command Modes

ISAKMP profile configuration

Command History

Release
Modification

12.2(15)T

This command was introduced.


Usage Guidelines

Use this command if you want to initiate an IKE aggressive mode exchange instead of a main mode exchange.

Examples

The following example shows that aggressive mode has been configured:

crypto isakmp profile vpnprofile
 initiate-mode aggressive

interface (RITE)

To specify the outgoing interface for exporting traffic, use the interface command in router IP traffic export (RITE) configuration mode. To disable an interface, use the no form of this command.

interface interface-name

no interface interface-name

Syntax Description

interface-name

Name of the interface through which captured IP packets are exported.


Defaults

If this command is not enabled, the IP traffic export profile has no interface through which to send the captured IP traffic.

Command Modes

RITE configuration

Command History

Release
Modification

12.3(4)T

This command was introduced.

12.2(25)S

This command was integrated into Cisco IOS Release 12.2(25)S.


Usage Guidelines

After you configure an IP traffic export profile via the ip traffic-export profile global configuration command, you should issue the interface command; otherwise, the profile will be unable to export the captured IP packets. If you do not specify the interface command, you will receive a warning, which states that the profile is incomplete, when you attempt to apply the profile to an interface via the ip traffic-export apply profile interface configuration command.


Note Currently, only Ethernet and Fast Ethernet interfaces are supported.


Examples

The following example shows how to configure the profile "corp1," which will send captured IP traffic to host "00a.8aab.90a0" at the interface "FastEthernet 0/1." This profile is also configured to export one in every 50 packets and to allow incoming traffic only from the ACL "ham_ACL."

Router(config)# ip traffic-export profile corp1
Router(config-rite)# interface FastEthernet 0/1
Router(config-rite)# bidirectional
Router(config-rite)# mac-address 00a.8aab.90a0
Router(config-rite)# outgoing sample one-in-every 50
Router(config-rite)# incoming access-list ham_acl
Router(config-rite)# exit
Router(config)# interface FastEthernet 0/0
Router(config-if)# ip traffic-export apply corp1

Related Commands

Command
Description

ip traffic-export apply profile

Applies an IP traffic export profile to a specific interface.

ip traffic-export profile

Creates or edits an IP traffic export profile and enables the profile on an ingress interface.


ip-address (ca-trustpoint)

To specify a dotted IP address or an interface that will be included as "unstructuredAddress" in the certificate request, use the ip-address command in ca-trustpoint configuration mode. To restore the default behavior, use the no form of this command.

ip-address {ip-address | interface | none}

no ip-address

Syntax Description

ip-address

Specifies a dotted IP address that will be included as "unstructuredAddress" in the certificate request.

interface

Specifies an interface, from which the router can get an IP address, that will be included as "unstructuredAddress" in the certificate request.

none

Specifies that an IP address is not to be included in the certificate request.


Defaults

An IP address is not configured. You will be prompted for the IP address during certificate enrollment.

Command Modes

Ca-trustpoint configuration

Command History

Release
Modification

12.2(8)T

This command was introduced.


Usage Guidelines

Before you can issue this command, you must enable the crypto ca | pki trustpoint command, which declares the certification authority (CA) that your router should use and enters ca-trustpoint configuration mode. The ip-address command is a subcommand that allows you to specify a certificate enrollment parameter.

Use the ip-address command to include the IP address of the specified interface in the certificate request or to specify that an IP address should not be included in the certificate request.

If this command is enabled, you will not be prompted for an IP address during certificate enrollment.

Examples

The following example shows how to include the IP address of the Ethernet-0 interface in the certificate request for the trustpoint "frog":

crypto ca trustpoint frog
 enrollment url http://frog.phoobin.com/ 
 subject-name OU=Spiral Dept., O=tiedye.com
 ip-address ethernet-0

The following example shows that an IP address is not to be included in the certificate request:

crypto ca trustpoint root
 enrollment url http://10.3.0.7:80
 fqdn none
 ip-address none
 subject-name CN=subject1, OU=PKI, O=Cisco Systems, C=US

Related Commands

Command
Description

crypto ca trustpoint

Declares the CA that your router should use.


ip admission

To create a Layer 3 network admission control rule to be applied to the interface, use the ip admission command in interface configuration mode. To remove the admission control rule, use the no form of this command.

ip admission admission-name

no ip admission admission-name

Syntax Description

admission-name

Authentication or admission rule name.


Defaults

A network admission control rule is not applied to the interface.

Command Modes

Interface configuration

Command History

Release
Modification

12.3(8)T

This command was introduced.


Usage Guidelines

The admission rule defines how you apply admission control.

Examples

The following example shows that a network admission control rule named "greentree" is to be applied to the interface:

Router (config-if)# ip admission greentree

Related Commands

Command
Description

interface

Defines an interface.


ip admission name

To create an IP network admission control rule, use the ip admission name command in global configuration mode. To remove the network admission control rule, use the no form of this command.

ip admission name admission-name [eapoudp | proxy {ftp | http | telnet}] [list {acl | acl-name}]

no ip admission name admission-name [eapoudp | proxy {ftp | http | telnet}] [list {acl | acl-name}]

Syntax Description

admission-name

Name of network admission control rule.

eapoudp

(Optional) Specifies IP network admission control using Extensible Authentication Protocol over UDP (EAPoUDP).

proxy

(Optional) Specifies authentication proxy.

ftp

Specifies that FTP is to be used to trigger the authentication proxy.

http

Specifies that HTTP is to be used to trigger authentication proxy.

telnet

Specifies that Telnet is to be used to trigger authentication proxy.

list

(Optional) Associates the named rule with an access control list (ACL).

acl

Applies a numbered standard or extended access list to a named admission control rule. The value ranges from 1 through 199.

acl-name

Applies a named access list to a named admission control rule.


Defaults

An IP network admission control rule is not created.

Command Modes

Global configuration

Command History

Release
Modification

12.3(8)T

This command was introduced.


Usage Guidelines

The admission rule defines how you apply admission control.

You can associate the named rule with an ACL, providing control over which hosts use the admission control feature. If no standard access list is defined, the named admission rule intercepts IP traffic from all hosts whose connection-initiating packets are received at the configured interface.

The list keyword option allows you to apply a standard or extended (1 through 199) or named access list to a named admission control rule. IP connections that are initiated by hosts in the access list are intercepted by the admission control feature.

Examples

The following example shows that an IP admission control rule is named "greentree" and that it is associated with ACL "101." Any IP traffic that is destined to a previously configured network (using the access-list command) will be subjected to antivirus state validation using EAPoUDP.

Router (config)# ip admission name greentree eapoudp list 101

Related Commands

Command
Description

ip address

Sets a primary or secondary IP address for an interface.


ip auth-proxy (global configuration)

To set the authentication proxy idle timeout value (the length of time an authentication cache entry, along with its associated dynamic user access control list, is managed after a period of inactivity), use the ip auth-proxy command in global configuration mode. To set the default value, use the no form of this command.

ip auth-proxy {inactivity-timer min | absolute-timer min}

no ip auth-proxy {inactivity-timer | absolute-timer}

Syntax Description

inactivity-timer min

Specifies the length of time in minutes that an authentication cache entry, along with its associated dynamic user access control list (ACL), is managed after a period of inactivity. Enter a value in the range 1 to 2,147,483,647. The default value is 60 minutes.

Note This option deprecates the auth-cache-time min option.

absolute-timer min

Specifies a window in which the authentication proxy on the enabled interface is active. Enter a value in the range 1 to 65,535 minutes (45 and a half days). The default value is 0 minutes.


Defaults

The default value of the inactivity-timer min option is 60 minutes.

The default value of the absolute-timer min option is 0 minutes.

Command Modes

Global configuration

Command History

Release
Modification

12.0(5)T

This command was introduced.

12.3(1)

The inactivity-timer min and absolute-timer min options were added.


Usage Guidelines

Use this command to set the global idle timeout value for the authentication proxy. You must set the value of the inactivity-timer min option to a higher value than the idle timeout of any Context-Based Access Control (CBAC) protocols. Otherwise, when the authentication proxy removes the user profile along with its associated dynamic user ACLs, there might still be idle connections monitored by CBAC. Removing these user-specific ACLs could cause those idle connections to hang. If the CBAC idle timeout value is shorter, CBAC resets these connections when the CBAC idle timeout expires, which is before the authentication proxy removes the user profile.

The absolute-timer min option allows users to configure a window during which the authentication proxy on the enabled interface is active. Once the absolute timer expires, the authentication proxy will be disabled regardless of any activity. The global absolute timeout value can be overridden by the local (per protocol) value, which is enabled via the ip auth-proxy name command. The absolute timer is turned off by default, and the authentication proxy is enabled indefinitely.
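As an added example (not Cisco code), the following Python script checks an IOS configuration against the timer-ordering rule above: it reads the global and per-rule ip auth-proxy inactivity-timer values (minutes) and the ip inspect tcp/udp idle-time values (seconds) and flags any authentication proxy timer that is not longer than a CBAC idle timeout. The sample configuration is constructed for the example, and the defaults assumed when a command is absent (60 minutes for the proxy, 3600 seconds for TCP inspection, 30 seconds for UDP inspection) are stated in the code.

```python
"""Lint an IOS configuration for the auth-proxy / CBAC idle-timer rule.

The ip auth-proxy inactivity-timer (minutes) must be longer than every
CBAC idle timeout (ip inspect tcp|udp idle-time, seconds). Otherwise the
proxy can delete a user's dynamic ACL while CBAC is still tracking that
user's idle sessions, and those sessions hang. Per-rule timers set with
"ip auth-proxy name ... inactivity-timer" override the global value and
are checked separately.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Defaults assumed for this example when the command is not present.
AUTH_PROXY_DEFAULT_MIN = 60
CBAC_DEFAULT_SEC = {"tcp": 3600, "udp": 30}

_GLOBAL_RE = re.compile(r"^ip auth-proxy inactivity-timer (\d+)\s*$")
_RULE_RE = re.compile(r"^ip auth-proxy name (\S+) (ftp|http|telnet)(?P<opts>.*)$")
_RULE_TIMER_RE = re.compile(r"\binactivity-timer (\d+)\b")
_INSPECT_RE = re.compile(r"^ip inspect (tcp|udp) idle-time (\d+)\s*$")


@dataclass
class Finding:
    scope: str       # "global" or the name of the auth-proxy rule
    proxy_min: int   # effective inactivity-timer, in minutes
    protocol: str    # CBAC protocol whose idle-time is too long
    cbac_sec: int    # that protocol's idle-time, in seconds


def parse_timers(config: str) -> tuple[int, dict[str, int | None], dict[str, int]]:
    """Return (global_minutes, {rule: minutes or None}, {tcp|udp: seconds}).

    A rule mapped to None carries no inactivity-timer and inherits the
    global value, so it is covered by the global check.
    """
    global_min = AUTH_PROXY_DEFAULT_MIN
    rules: dict[str, int | None] = {}
    cbac = dict(CBAC_DEFAULT_SEC)
    for raw in config.splitlines():
        line = raw.strip()
        if m := _GLOBAL_RE.match(line):
            global_min = int(m.group(1))
        elif m := _RULE_RE.match(line):
            t = _RULE_TIMER_RE.search(m.group("opts"))
            rules[m.group(1)] = int(t.group(1)) if t else None
        elif m := _INSPECT_RE.match(line):
            cbac[m.group(1)] = int(m.group(2))
    return global_min, rules, cbac


def lint(config: str) -> list[Finding]:
    """Flag every proxy timer that is not strictly longer than a CBAC idle timeout."""
    global_min, rules, cbac = parse_timers(config)
    scopes = {"global": global_min}
    scopes.update({name: mins for name, mins in rules.items() if mins is not None})
    findings = []
    for scope, mins in scopes.items():
        for proto, secs in cbac.items():
            # Compare in seconds; "higher than" is read strictly, so equal fails.
            if mins * 60 <= secs:
                findings.append(Finding(scope, mins, proto, secs))
    return findings


# Constructed sample, not taken from a real device.
SAMPLE_CONFIG = """\
ip inspect name fw tcp
ip inspect tcp idle-time 7200
ip inspect udp idle-time 30
ip auth-proxy inactivity-timer 30
ip auth-proxy name HQ_users http
ip auth-proxy name Mfg_users http inactivity-timer 240 list 10
"""

if __name__ == "__main__":
    for f in lint(SAMPLE_CONFIG):
        print(f"{f.scope}: auth-proxy inactivity-timer {f.proxy_min} min "
              f"<= ip inspect {f.protocol} idle-time {f.cbac_sec} s")
```

With the sample configuration, the 30-minute global timer is shorter than the 7200-second TCP idle time and is reported; the Mfg_users override of 240 minutes passes, and HQ_users inherits the global value and is covered by the global finding.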

Examples

The following example sets the inactivity timeout to 30 minutes:

ip auth-proxy inactivity-timer 30 

Related Commands

Command
Description

ip auth-proxy name

Creates an authentication proxy rule.

show ip auth-proxy configuration

Displays the authentication proxy entries or the running authentication proxy configuration.


ip auth-proxy (interface configuration)

To apply an authentication proxy rule at a firewall interface, use the ip auth-proxy command in interface configuration mode. To remove the authentication proxy rules, use the no form of this command.

ip auth-proxy auth-proxy-name

no ip auth-proxy auth-proxy-name

Syntax Description

auth-proxy-name

Specifies the name of the authentication proxy rule to apply to the interface configuration. The authentication proxy rule is established with the ip auth-proxy name command.


Defaults

No default behavior or values.

Command Modes

Interface configuration

Command History

Release
Modification

12.0(5)T

This command was introduced.


Usage Guidelines

Use the ip auth-proxy command to enable the named authentication proxy rule at the firewall interface. Traffic passing through the interface from hosts with an IP address matching the standard access list and protocol type (HTTP) is intercepted for authentication if no corresponding authentication cache entry exists. If no access list is defined, the authentication proxy intercepts traffic from all hosts whose connection initiating packets are received at the configured interface.

Use the no form of this command with a rule name to disable the authentication proxy for a given rule on a specific interface. If a rule is not specified, the no form of this command disables the authentication proxy on the interface.

Examples

The following example configures interface Ethernet0 with the HQ_users rule:

interface e0 
 ip address 172.21.127.210 255.255.255.0
 ip access-group 111 in
 ip auth-proxy HQ_users
 ip nat inside

Related Commands

Command
Description

ip auth-proxy name

Creates an authentication proxy rule.


ip auth-proxy auth-proxy-banner

To display a banner, such as the router name, in the authentication proxy login page, use the ip auth-proxy auth-proxy-banner command in global configuration mode. To disable display of the banner, use the no form of this command.

ip auth-proxy auth-proxy-banner {ftp | http | telnet} [banner-text]

no ip auth-proxy auth-proxy-banner {ftp | http | telnet}

Syntax Description

ftp

Specifies the FTP protocol.

http

Specifies the HTTP protocol.

telnet

Specifies the Telnet protocol.

banner-text

(Optional) Specifies a text string to replace the default banner, which is the name of the router. The text string should be written in the following format: "C banner-text C," where "C" is a delimiting character.


Defaults

This command is not enabled, and a banner is not displayed on the authentication proxy login page.

Command Modes

Global configuration

Command History

Release
Modification

12.0(5)T

This command was introduced.

12.3(1)

The following keywords were added: ftp, http, and telnet.


Usage Guidelines

The ip auth-proxy auth-proxy-banner command allows users to configure one of two possible scenarios:

The ip auth-proxy auth-proxy-banner command is enabled.

In this scenario, the administrator has not supplied any text. Thus, a default banner that states the following: "Cisco Systems, <router's hostname> Authentication" will be displayed in the authentication proxy login page. This scenario is most commonly used.

The ip auth-proxy auth-proxy-banner command with the banner-text argument is enabled.

In this scenario, the administrator can supply multiline text that will be converted to HTML by the auth-proxy parser code. Thus, only the multiline text will be displayed in the authentication proxy login page. You will not see the default banner, "Cisco Systems, <router's hostname> Authentication."


Note If the ip auth-proxy auth-proxy-banner command is not enabled, there will not be any banner configuration. Thus, nothing will be displayed to the user on the authentication proxy login page except a text box to enter the username and a text box to enter the password.


Examples

The following example causes the router name to be displayed in the authentication proxy login page:

ip auth-proxy auth-proxy-banner ftp

The following example shows how to specify the custom banner "whozat" to be displayed in the authentication proxy login page:

ip auth-proxy auth-proxy-banner telnet CwhozatC

Related Commands

Command
Description

ip auth-proxy name

Creates an authentication proxy rule.


ip auth-proxy name

To create an authentication proxy rule, use the ip auth-proxy name command in global configuration mode. To remove the authentication proxy rules, use the no form of this command.

ip auth-proxy name auth-proxy-name {ftp | http | telnet} [inactivity-timer min] [absolute-timer min] [list {acl | acl-name}]

no ip auth-proxy name auth-proxy-name

Syntax Description

auth-proxy-name

Associates a name with an authentication proxy rule. Enter a name of up to 16 alphanumeric characters.

ftp

Specifies FTP to trigger the authentication proxy.

http

Specifies HTTP to trigger the authentication proxy.

telnet

Specifies Telnet to trigger the authentication proxy.

inactivity-timer min

(Optional) Overrides the global authentication proxy cache timer for a specific authentication proxy name, offering more control over timeout values. Enter a value in the range 1 to 2,147,483,647. The default value is equal to the value set with the ip auth-proxy command.

Note This option deprecates the auth-cache-time min option.

absolute-timer min

(Optional) Specifies a window in which the authentication proxy on the enabled interface is active. Enter a value in the range 1 to 65,535 minutes (45 and a half days). The default value is 0 minutes.

list {acl | acl-name}

(Optional) Specifies a standard (1-99), extended (1-199), or named IP access list to use with the authentication proxy. With this option, the authentication proxy is applied only to those hosts in the access list. If no list is specified, all connections initiating HTTP, FTP, or Telnet traffic arriving at the interface are subject to authentication.


Defaults

The default value is equal to the value set with the ip auth-proxy auth-cache-time command.

Command Modes

Global configuration

Command History

Release
Modification

12.0(5)T

This command was introduced.

12.2

Support for named and extended access lists was introduced.

12.3(1)

The following keywords were introduced:

ftp

telnet

inactivity-timer min

absolute-timer min


Usage Guidelines

This command creates a named authentication proxy rule, and it allows you to associate that rule with an access control list (ACL), providing control over which hosts use the authentication proxy. The rule is applied to an interface on a router using the ip auth-proxy command.

Use the inactivity-timer min option to override the global authentication proxy cache timer. This option provides control over timeout values for specific authentication proxy rules. The authentication proxy cache timer monitors the length of time (in minutes) that an authentication cache entry, along with its associated dynamic user access control list, is managed after a period of inactivity. When that period of inactivity (idle time) expires, the authentication entry and the associated dynamic access lists are deleted.

Use the list option to associate a set of specific IP addresses or a named ACL with the ip auth-proxy name command.

Use the no form of this command with a rule name to remove the authentication proxy rules. If no rule is specified, the no form of this command removes all the authentication rules on the router, and disables the proxy at all interfaces.


Note You must use the aaa authorization auth-proxy command together with the ip auth-proxy name command. Together these commands set up the authorization policy to be retrieved by the firewall. Refer to the aaa authorization auth-proxy command for more information.


Examples

The following example creates the HQ_users authentication proxy rule. Because an access list is not specified in the rule, all connection-initiating HTTP traffic is subjected to authentication.

ip auth-proxy name HQ_users http

The following example creates the Mfg_users authentication proxy rule and applies it to hosts specified in ACL 10:

access-list 10 permit 192.168.7.0 0.0.0.255
ip auth-proxy name Mfg_users http list 10

The following example sets the timeout value for Mfg_users to 30 minutes:

access-list 15 permit any
ip auth-proxy name Mfg_users http inactivity-timer 30 list 15

The following example disables the Mfg_users rule:

no ip auth-proxy name Mfg_users

The following example disables the authentication proxy at all interfaces and removes all the rules from the router configuration:

no ip auth-proxy

Related Commands

Command
Description

aaa authorization

Sets parameters that restrict network access to a user.

ip auth-proxy (global)

Sets the authentication proxy idle timeout value (the length of time an authentication cache entry, along with its associated dynamic user ACL, is managed after a period of inactivity).

ip auth-proxy (interface)

Applies an authentication proxy rule at a firewall interface.

show ip auth-proxy configuration

Displays the authentication proxy entries or the running authentication proxy configuration.


ip http ezvpn

To enable the Cisco Easy VPN remote web server interface, use the ip http ezvpn command in global configuration mode. To disable the Cisco Easy VPN remote web server interface, use the no form of this command.

Cisco uBR905 and Cisco uBR925 cable access routers

ip http ezvpn

no ip http ezvpn

Syntax Description

This command has no arguments or keywords.

Defaults

The Cisco Easy VPN Remote web server interface is disabled by default.

Command Modes

Global configuration

Command History

Release
Modification

12.2(8)YJ

This command was introduced for the Cisco uBR905 and Cisco uBR925 cable access routers.

12.2(15)T

This command was integrated into Cisco IOS Release 12.2(15)T.


Usage Guidelines

This command enables the Cisco Easy VPN Remote web server, an onboard web server that allows users to connect an IPSec Easy VPN tunnel and to provide the required authentication information. The Cisco Easy VPN Remote web server allows the user to perform these functions without having to use the Cisco command-line interface (CLI).

Before using this command, you must first enable the Cisco web server that is onboard the cable access router by entering the ip http server command. Then use the ip http ezvpn command to enable the Cisco Easy VPN remote web server. You can then access the web server by entering the IP address for the Ethernet interface of the router in your web browser.


Note The Cisco Easy VPN Remote web interface does not work with the cable monitor web interface in Cisco IOS Release 12.2(8)YJ. To access the cable monitor web interface, you must first disable the Cisco Easy VPN remote web interface with the no ip http ezvpn command, and then enable the cable monitor with the ip http cable-monitor command.


Examples

The following example shows how to enable the Cisco Easy VPN remote web server interface:

Router# configure terminal 
Router(config)# ip http server 
Router(config)# ip http ezvpn 
Router(config)# exit 
Router# copy running-config startup-config 

Related Commands

Command
Description

ip http cable-monitor

Enables and disables the Cable Monitor Web Server feature.

ip http port

Configures the TCP port number for the HTTP web server of the router.

ip http server

Enables and disables the HTTP web server of the router.


ip inspect

To apply a set of inspection rules to an interface, use the ip inspect command in interface configuration mode. To remove the set of rules from the interface, use the no form of this command.

ip inspect inspection-name {in | out}

no ip inspect inspection-name {in | out}

Syntax Description

inspection-name

Identifies which set of inspection rules to apply.

in

Applies the inspection rules to inbound traffic.

out

Applies the inspection rules to outbound traffic.


Defaults

If no set of inspection rules is applied to an interface, no traffic will be inspected by CBAC.

Command Modes

Interface configuration

Command History

Release
Modification

11.2

This command was introduced.


Usage Guidelines

Use this command to apply a set of inspection rules to an interface.

Typically, if the interface connects to the external network, you apply the inspection rules to outbound traffic; alternatively, if the interface connects to the internal network, you apply the inspection rules to inbound traffic.

If you apply the rules to outbound traffic, then return inbound packets will be permitted if they belong to a valid connection with existing state information. This connection must be initiated with an outbound packet.

If you apply the rules to inbound traffic, then return outbound packets will be permitted if they belong to a valid connection with existing state information. This connection must be initiated with an inbound packet.

Examples

The following example applies a set of inspection rules named "outboundrules" to an external interface's outbound traffic. This causes inbound IP traffic to be permitted only if the traffic is part of an existing session, and to be denied if the traffic is not part of an existing session.

interface serial0
 ip inspect outboundrules out

Related Commands

Command
Description

ip inspect name

Defines a set of inspection rules.


ip inspect alert-off

To disable Context-based Access Control (CBAC) alert messages, which are displayed on the console, use the ip inspect alert-off command in global configuration mode. To enable CBAC alert messages, use the no form of this command.

ip inspect alert-off [vrf vrf-name]

no ip inspect alert-off [vrf vrf-name]

Syntax Description

vrf vrf-name

(Optional) Disables CBAC alert messages only for the specified Virtual Routing and Forwarding (VRF) interface.


Defaults

Alert messages are displayed.

Command Modes

Global configuration

Command History

Release
Modification

12.0(5)T

This command was introduced.

12.3(14)T

The vrf vrf-name keyword/argument pair was added.


Examples

The following example disables CBAC alert messages:

ip inspect alert-off

ip inspect audit-trail

To turn on Context-based Access Control (CBAC) audit trail messages, which will be displayed on the console after each CBAC session closes, use the ip inspect audit-trail command in global configuration mode. To turn off CBAC audit trail messages, use the no form of this command.

ip inspect audit-trail [vrf vrf-name]

no ip inspect audit-trail [vrf vrf-name]

Syntax Description

vrf vrf-name

(Optional) Turns on CBAC audit trail messages only for the specified Virtual Routing and Forwarding (VRF) interface.


Defaults

Audit trail messages are not displayed.

Command Modes

Global configuration

Command History

Release
Modification

11.2 P

This command was introduced.

12.3(14)T

The vrf vrf-name keyword/argument pair was added.


Usage Guidelines

Use this command to turn on CBAC audit trail messages.

Examples

The following example turns on CBAC audit trail messages:

ip inspect audit-trail

Afterward, audit trail messages such as the following are displayed. To determine which protocol was inspected, look at the port number of the responder, which follows the IP address of the responder.

%FW-6-SESS_AUDIT_TRAIL: tcp session initiator (192.168.1.13:33192) sent 22 bytes -- 
responder (192.168.129.11:25) sent 208 bytes
%FW-6-SESS_AUDIT_TRAIL: ftp session initiator (192.168.1.13:33194) sent 336 bytes -- 
responder (192.168.129.11:21) sent 325 bytes

The following example turns on CBAC audit trail messages only for the VRF interface vrf1:

ip inspect audit-trail vrf vrf1

Following are examples of audit trail messages:

00:10:15: %FW-6-SESS_AUDIT_TRAIL: VRF-vrf1:Stop udp session: initiator 
(192.168.14.1:40801) sent 54 bytes -- responder (192.168.114.1:7) sent 54 bytes 
00:10:47: %FW-6-SESS_AUDIT_TRAIL: VRF-vrf1:Stop ftp-data session: initiator 
(192.168.114.1:20) sent 80000 bytes -- responder (192.168.14.1:38766) sent 0 bytes 
00:10:47: %FW-6-SESS_AUDIT_TRAIL: VRF-vrf1:Stop ftp session: initiator 
(192.168.14.1:38765) sent 80 bytes -- responder (192.168.114.1:21) sent 265 bytes 
00:10:57: %FW-6-SESS_AUDIT_TRAIL: VRF-vrf1:Stop rcmd session: initiator (192.168.14.1:531) 
sent 31 bytes -- responder (192.168.114.1:514) sent 12 bytes 
00:10:57: %FW-6-SESS_AUDIT_TRAIL: VRF-vrf1:Stop rcmd-data session: initiator 
(192.168.114.1:594) sent 0 bytes -- responder (192.168.14.1:530) sent 0 bytes
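
The following parser is an added example, not part of the Cisco documentation: it reads %FW-6-SESS_AUDIT_TRAIL messages in the two formats shown above (with and without the timestamp and VRF tag), rejoins messages the console wrapped onto two lines, and infers the inspected service from the responder port, as the text advises. The sample log lines are constructed, and the port-to-service table covers only the protocols that appear in the messages above.

```python
"""Parse CBAC %FW-6-SESS_AUDIT_TRAIL messages as collected from a syslog receiver."""
import re

# Constructed sample, not a real capture: three audit-trail messages in the two
# formats shown above (with and without timestamp and VRF tag), the first one
# wrapped over two lines the way the console wraps it, plus an unrelated message.
SAMPLE_LOG = """\
%FW-6-SESS_AUDIT_TRAIL: tcp session initiator (192.168.1.13:33192) sent 22 bytes --
responder (192.168.129.11:25) sent 208 bytes
00:10:47: %FW-6-SESS_AUDIT_TRAIL: VRF-vrf1:Stop ftp-data session: initiator (192.168.114.1:20) sent 80000 bytes -- responder (192.168.14.1:38766) sent 0 bytes
00:10:57: %FW-6-SESS_AUDIT_TRAIL: VRF-vrf1:Stop rcmd session: initiator (192.168.14.1:531) sent 31 bytes -- responder (192.168.114.1:514) sent 12 bytes
%SYS-5-CONFIG_I: Configured from console by console
"""

# Every IOS syslog message carries a %FACILITY-SEVERITY-MNEMONIC: tag; a line
# without one is a continuation of the previous message.
MSG_START = re.compile(r"%[A-Z]+-\d-[A-Z_]+:")

AUDIT_RE = re.compile(
    r"%FW-6-SESS_AUDIT_TRAIL:\s*"
    r"(?:VRF-(?P<vrf>[^:\s]+):)?"          # optional VRF tag, e.g. VRF-vrf1:
    r"(?:Stop\s+)?"                        # later releases prefix "Stop"
    r"(?P<proto>[\w-]+)\s+session:?\s+"
    r"initiator\s+\(?(?P<i_ip>[\d.]+):(?P<i_port>\d+)\)?\s+sent\s+(?P<i_bytes>\d+)\s+bytes"
    r"\s+--\s+"
    r"responder\s+\(?(?P<r_ip>[\d.]+):(?P<r_port>\d+)\)?\s+sent\s+(?P<r_bytes>\d+)\s+bytes"
)

# Well-known responder ports for the services seen in the messages above.
WELL_KNOWN_PORTS = {7: "echo", 20: "ftp-data", 21: "ftp", 23: "telnet", 25: "smtp",
                    53: "dns", 80: "http", 513: "rlogin", 514: "rcmd"}


def unwrap_messages(text):
    """Join console-wrapped continuation lines back onto the message they belong to."""
    messages = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if MSG_START.search(line) or not messages:
            messages.append(line)
        else:
            messages[-1] += " " + line
    return messages


def parse_audit_trail(message):
    """Return a dict for one audit-trail message, or None for any other message."""
    m = AUDIT_RE.search(message)
    if not m:
        return None
    r_port = int(m.group("r_port"))
    i_bytes, r_bytes = int(m.group("i_bytes")), int(m.group("r_bytes"))
    return {
        "vrf": m.group("vrf"),
        "protocol": m.group("proto"),
        "initiator": (m.group("i_ip"), int(m.group("i_port"))),
        "responder": (m.group("r_ip"), r_port),
        "initiator_bytes": i_bytes,
        "responder_bytes": r_bytes,
        # Service inferred from the responder port, as the text above advises.
        "service": WELL_KNOWN_PORTS.get(r_port, "unknown"),
        # A closed session that carried data in one direction only is worth a look.
        "one_way": i_bytes == 0 or r_bytes == 0,
    }


def summarize(text):
    """Parse every audit-trail message in a log excerpt, skipping other messages."""
    records = [parse_audit_trail(msg) for msg in unwrap_messages(text)]
    return [r for r in records if r is not None]


if __name__ == "__main__":
    for rec in summarize(SAMPLE_LOG):
        print(rec)
```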

ip inspect dns-timeout

To specify the Domain Name System (DNS) idle timeout (the length of time during which a DNS name lookup session will still be managed while there is no activity), use the ip inspect dns-timeout command in global configuration mode. To reset the timeout to the default of 5 seconds, use the no form of this command.

ip inspect dns-timeout seconds [vrf vrf-name]

no ip inspect dns-timeout seconds [vrf vrf-name]

Syntax Description

seconds

Specifies the length of time, in seconds, for which a DNS name lookup session will still be managed while there is no activity. The default is 5 seconds.

vrf vrf-name

(Optional) Specifies the DNS idle timeout only for the specified Virtual Routing and Forwarding (VRF) interface.


Defaults

5 seconds

Command Modes

Global configuration

Command History

Release
Modification

11.2 P

This command was introduced.

12.3(14)T

The vrf vrf-name keyword/argument pair was added.


Usage Guidelines

When the software detects a valid User Datagram Protocol (UDP) packet for a new DNS name lookup session, if Context-based Access Control (CBAC) inspection is configured for UDP, the software establishes state information for the new DNS session.

If the software detects no packets for the DNS session for a time period defined by the DNS idle timeout, the software will not continue to manage state information for the session.

The DNS idle timeout applies to all DNS name lookup sessions inspected by CBAC.

The DNS idle timeout value overrides the global UDP timeout. The DNS idle timeout value also enters aggressive mode and overrides any timeouts specified for specific interfaces when you define a set of inspection rules with the ip inspect name command.

Examples

The following example sets the DNS idle timeout to 30 seconds:

ip inspect dns-timeout 30

The following example sets the DNS idle timeout back to the default (5 seconds):

no ip inspect dns-timeout

ip inspect hashtable

To change the size of the session hash table, use the ip inspect hashtable command in global configuration mode. To restore the size of the session hash table to the default, use the no form of this command.

ip inspect hashtable number

no ip inspect hashtable number

Syntax Description

number

Size of the hash table in terms of buckets. Possible values for the hash table are 1024, 2048, 4096, and 8192; the default value is 1024.


Defaults

1024 buckets

Command Modes

Global configuration

Command History

Release
Modification

12.2(8)T

This command was introduced.


Usage Guidelines

Use the ip inspect hashtable command to increase the size of the hash table when the number of concurrent sessions increases or to reduce the search time for a session. Collisions occur when the hash function distributes entries poorly, so that many entries are hashed into the same bucket for certain patterns of addresses. Even if the hash function disperses the input evenly across all of the buckets, a small hash table will not scale well when there are a large number of sessions: as the number of sessions increases, collisions increase, the linked lists in each bucket grow longer, and throughput deteriorates.


Note You should increase the hash table size when the total number of sessions running through the context-based access control (CBAC) router is approximately twice the current hash size; decrease the hash table size when the total number of sessions is reduced to approximately half the current hash size. Essentially, try to maintain a 1:1 ratio between the number of sessions and the size of the hash table.


Examples

The following example shows how to change the size of the session hash table to 2048 buckets:

ip inspect hashtable 2048

ip inspect L2-transparent dhcp-passthrough

To allow a transparent firewall to forward Dynamic Host Configuration Protocol (DHCP) pass-through traffic, use the ip inspect L2-transparent dhcp-passthrough command in global configuration mode. To return to the default functionality, use the no form of this command.

ip inspect L2-transparent dhcp-passthrough

no ip inspect L2-transparent dhcp-passthrough

Syntax Description

This command has no arguments or keywords.

Defaults

This command is not enabled; thus, DHCP packets are forwarded or denied according to the configured access control list (ACL).

Command Modes

Global configuration

Command History

Release
Modification

12.3(7)T

This command was introduced.


Usage Guidelines

A transparent firewall allows a Cisco IOS Firewall (a Layer 3 device) to operate as a Layer 2 firewall in bridging mode. Thus, the firewall can exist "transparently" to a network, no longer requiring users to reconfigure their statically defined network devices.

The ip inspect L2-transparent dhcp-passthrough command overrides the ACL for DHCP packets; that is, DHCP packets are forwarded even if the ACL is configured to deny all IP packets. Thus, this command can be used to enable a transparent firewall to forward DHCP packets across the bridge without inspection so clients on one side of the bridge can get an IP address from a DHCP server on the opposite side of the bridge.

Examples

Allowing DHCP Pass-Through Traffic

In this example, the static IP address of the client is removed, and the address is acquired via DHCP using the ip address dhcp command on the interface that is connected to the transparent firewall.


Router# show debug
ARP:
  ARP packet debugging is on
L2 Inspection:
  INSPECT L2 firewall debugging is on
  INSPECT L2 firewall DHCP debugging is on
Router#
Router#
! Configure DHCP passthrough 
Router(config)# ip insp L2-transparent dhcp-passthrough
! The DHCP discover broadcast packet arrives from the client. Since this packet is a 
! broadcast (255.255.255.255), it arrives in the flood path 
*Mar  1 00:35:01.299:L2FW:insp_l2_flood:input is Ethernet0 output is Ethernet1
*Mar  1 00:35:01.299:L2FW*:Src 0.0.0.0 dst 255.255.255.255 protocol udp
*Mar  1 00:35:01.299:L2FW:udp ports src 68 dst 67
*Mar  1 00:35:01.299:L2FW:src 0.0.0.0 dst 255.255.255.255
! The DHCP pass through flag is checked and the packet is allowed 
*Mar  1 00:35:01.299:L2FW:DHCP packet seen. Pass-through flag allows the packet
! The packet is a broadcast packet and therefore not sent to CBAC 
*Mar  1 00:35:01.299:L2FW*:Packet is broadcast or multicast.PASS
! The DHCP server 97.0.0.23 responds to the client's request 
*Mar  1 00:35:01.303:L2FW:insp_l2_flood:input is Ethernet1 output is Ethernet0
*Mar  1 00:35:01.303:L2FW*:Src 97.0.0.23 dst 255.255.255.255 protocol udp
*Mar  1 00:35:01.307:L2FW:udp ports src 67 dst 68
*Mar  1 00:35:01.307:L2FW:src 97.0.0.23 dst 255.255.255.255
*Mar  1 00:35:01.307:L2FW:DHCP packet seen. Pass-through flag allows the packet
*Mar  1 00:35:01.307:L2FW*:Packet is broadcast or multicast.PASS
*Mar  1 00:35:01.311:L2FW:insp_l2_flood:input is Ethernet0 output is Ethernet1
*Mar  1 00:35:01.311:L2FW*:Src 0.0.0.0 dst 255.255.255.255 protocol udp
*Mar  1 00:35:01.311:L2FW:udp ports src 68 dst 67
*Mar  1 00:35:01.311:L2FW:src 0.0.0.0 dst 255.255.255.255
*Mar  1 00:35:01.315:L2FW:DHCP packet seen. Pass-through flag allows the packet
*Mar  1 00:35:01.315:L2FW*:Packet is broadcast or multicast.PASS
*Mar  1 00:35:01.315:L2FW:insp_l2_flood:input is Ethernet1 output is Ethernet0
*Mar  1 00:35:01.323:L2FW*:Src 97.0.0.23 dst 255.255.255.255 protocol udp
*Mar  1 00:35:01.323:L2FW:udp ports src 67 dst 68
*Mar  1 00:35:01.323:L2FW:src 97.0.0.23 dst 255.255.255.255
*Mar  1 00:35:01.323:L2FW:DHCP packet seen. Pass-through flag allows the packet
*Mar  1 00:35:01.323:L2FW*:Packet is broadcast or multicast.PASS
! The client has an IP address (97.0.0.5) and has issued a G-ARP to let everyone know its 
! address 
*Mar  1 00:35:01.327:IP ARP:rcvd rep src 97.0.0.5 0008.a3b6.b603, dst 97.0.0.5 BVI1
Router#

Denying DHCP Pass-Through Traffic

In this example, DHCP pass-through traffic is not allowed (via the no ip inspect L2-transparent dhcp-passthrough command). The client is denied when it attempts to acquire a DHCP address from the server.

! Deny DHCP pass-through traffic
Router(config)# no ip inspect L2-transparent dhcp-passthrough 

! The DHCP discover broadcast packet arrives from the client 
*Mar  1 00:36:40.003:L2FW:insp_l2_flood:input is Ethernet0 output is Ethernet1
*Mar  1 00:36:40.003:L2FW*:Src 0.0.0.0 dst 255.255.255.255 protocol udp
*Mar  1 00:36:40.003:L2FW:udp ports src 68 dst 67
*Mar  1 00:36:40.007:L2FW:src 0.0.0.0 dst 255.255.255.255
! The pass-through flag is checked 
*Mar  1 00:36:40.007:L2FW:DHCP packet seen. Pass-through flag denies the packet
! The packet is dropped because the flag does not allow DHCP passthrough traffic. Thus, 
! the client cannot acquire an address, and it times out 

*Mar 1 00:36:40.007:L2FW:FLOOD Dropping the packet after ACL check.

Related Commands

Command
Description

debug ip inspect L2-transparent

Enables debugging messages for transparent firewall events.

show ip inspect

Displays Cisco IOS Firewall configuration and session information.


ip inspect max-incomplete high

To define the number of existing half-open sessions that will cause the software to start deleting half-open sessions, use the ip inspect max-incomplete high command in global configuration mode. To reset the threshold to the default of 500 half-open sessions, use the no form of this command.

ip inspect max-incomplete high number [vrf vrf-name]

no ip inspect max-incomplete high

Syntax Description

number

Specifies the number of existing half-open sessions that will cause the software to start deleting half-open sessions. The default is 500 half-open sessions.

vrf vrf-name

(Optional) Defines the number of existing half-open sessions only for the specified Virtual Routing and Forwarding (VRF) interface.


Defaults

500 half-open sessions

Command Modes

Global configuration

Command History

Release
Modification

11.2 P

This command was introduced.

12.3(14)T

The vrf vrf-name keyword/argument pair was added.


Usage Guidelines

An unusually high number of half-open sessions (either absolute or measured as the arrival rate) could indicate that a denial-of-service attack is occurring. For TCP, "half-open" means that the session has not reached the established state. For User Datagram Protocol (UDP), "half-open" means that the firewall has detected traffic from one direction only.

Context-based Access Control (CBAC) measures both the total number of existing half-open sessions and the rate of session establishment attempts. Both TCP and UDP half-open sessions are counted in the total number and rate measurements. Measurements are made once a minute.

When the number of existing half-open sessions rises above a threshold (the max-incomplete high number), the software will delete half-open sessions as required to accommodate new connection requests. The software will continue to delete half-open requests as necessary, until the number of existing half-open sessions drops below another threshold (the max-incomplete low number).

The global value specified for this threshold applies to all TCP and UDP connections inspected by CBAC.

Examples

The following example causes the software to start deleting half-open sessions when the number of existing half-open sessions rises above 900, and to stop deleting half-open sessions when the number drops below 800:

ip inspect max-incomplete high 900
ip inspect max-incomplete low 800

The following example shows an ALERT_ON message generated for the ip inspect max-incomplete high command:

ip inspect max-incomplete high 20 vrf vrf1
show log | include ALERT_ON 
00:59:00:%FW-4-ALERT_ON: VRF-vrf1:getting aggressive, count (21/20) current 1-min rate: 21

Related Commands

Command
Description

ip inspect max-incomplete low

Defines the number of existing half-open sessions that will cause the software to stop deleting half-open sessions.

ip inspect one-minute high

Defines the rate of new unestablished sessions that will cause the software to start deleting half-open sessions.

ip inspect one-minute low

Defines the rate of new unestablished TCP sessions that will cause the software to stop deleting half-open sessions.

ip inspect tcp max-incomplete host

Specifies the threshold and blocking time values for TCP host-specific DoS detection and prevention.


ip inspect max-incomplete low

To define the number of existing half-open sessions that will cause the software to stop deleting half-open sessions, use the ip inspect max-incomplete low command in global configuration mode. To reset the threshold to the default of 400 half-open sessions, use the no form of this command.

ip inspect max-incomplete low number [vrf vrf-name]

no ip inspect max-incomplete low

Syntax Description

number

Specifies the number of existing half-open sessions that will cause the software to stop deleting half-open sessions. The default is 400 half-open sessions.

vrf vrf-name

(Optional) Defines the number of existing half-open sessions only for the specified Virtual Routing and Forwarding (VRF) interface.


Defaults

400 half-open sessions

Command Modes

Global configuration

Command History

Release
Modification

11.2 P

This command was introduced.

12.3(14)T

The vrf vrf-name keyword/argument pair was added.


Usage Guidelines

An unusually high number of half-open sessions (either absolute or measured as the arrival rate) could indicate that a denial-of-service attack is occurring. For TCP, "half-open" means that the session has not reached the established state. For User Datagram Protocol (UDP), "half-open" means that the firewall has detected traffic from one direction only.

Context-based Access Control (CBAC) measures both the total number of existing half-open sessions and the rate of session establishment attempts. Both TCP and UDP half-open sessions are counted in the total number and rate measurements. Measurements are made once a minute.

When the number of existing half-open sessions rises above a threshold (the max-incomplete high number), the software will delete half-open sessions as required to accommodate new connection requests. The software will continue to delete half-open requests as necessary, until the number of existing half-open sessions drops below another threshold (the max-incomplete low number).

The global value specified for this threshold applies to all TCP and UDP connections inspected by CBAC.

Examples

The following example causes the software to start deleting half-open sessions when the number of existing half-open sessions rises above 900, and to stop deleting half-open sessions when the number drops below 800:

ip inspect max-incomplete high 900
ip inspect max-incomplete low 800

The following example shows an ALERT_OFF message generated for the ip inspect max-incomplete low command:

ip inspect max-incomplete low 10 vrf vrf1
show log | include ALERT_OFF 
00:59:31: %FW-4-ALERT_OFF: VRF-vrf1:calming down, count (9/10) current 1-min rate: 100
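
The following model is an added example, not Cisco code: it replays the behaviour described under both ip inspect max-incomplete high and ip inspect max-incomplete low, taking once-a-minute samples of the half-open session count, entering aggressive mode when the count rises above the high threshold and leaving it only when the count drops below the low threshold, and emitting ALERT_ON/ALERT_OFF messages in the format shown above (timestamp and 1-minute rate omitted). The counts are constructed, and the comparison against a naive single threshold is there to show why two thresholds are used.

```python
"""Model the max-incomplete high/low hysteresis CBAC applies to half-open sessions."""

# Constructed once-per-minute samples of the half-open session count (not a real
# capture); the values oscillate around the high threshold used in the tests below.
SAMPLE_COUNTS = [5, 25, 19, 22, 18, 23, 12, 9, 4]


def thresholds_valid(high, low):
    """Sanity check for this model: the low mark must sit below the high mark,
    otherwise there is no band in which the firewall stays aggressive."""
    return 0 < low < high


def aggressive_mode_events(counts, high=500, low=400, vrf=None):
    """Replay counts (one per minute) against the high/low thresholds.

    Returns (events, aggressive_minutes): events is a list of
    (minute, message) tuples for each ALERT_ON / ALERT_OFF transition, and
    aggressive_minutes lists the minutes during which the firewall is deleting
    half-open sessions. Defaults are the IOS defaults (500 / 400).
    """
    if not thresholds_valid(high, low):
        raise ValueError(f"low threshold {low} must be below high threshold {high}")
    tag = f"VRF-{vrf}:" if vrf else ""
    aggressive = False
    events, aggressive_minutes = [], []
    for minute, count in enumerate(counts):
        if not aggressive and count > high:
            # Rising above the high mark: start deleting half-open sessions.
            aggressive = True
            events.append((minute, f"%FW-4-ALERT_ON: {tag}getting aggressive, count ({count}/{high})"))
        elif aggressive and count < low:
            # Only dropping below the *low* mark ends aggressive mode.
            aggressive = False
            events.append((minute, f"%FW-4-ALERT_OFF: {tag}calming down, count ({count}/{low})"))
        if aggressive:
            aggressive_minutes.append(minute)
    return events, aggressive_minutes


def single_threshold_transitions(counts, threshold):
    """Number of on/off flips a naive single threshold would produce on the same data."""
    state, flips = False, 0
    for count in counts:
        new_state = count > threshold
        if new_state != state:
            flips += 1
            state = new_state
    return flips


if __name__ == "__main__":
    events, minutes = aggressive_mode_events(SAMPLE_COUNTS, high=20, low=10, vrf="vrf1")
    for minute, message in events:
        print(f"minute {minute}: {message}")
    print("aggressive during minutes:", minutes)
    print("flips with a single threshold of 20:", single_threshold_transitions(SAMPLE_COUNTS, 20))
```

With these counts the two-threshold scheme transitions twice, while a single threshold at 20 would flap six times.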

Related Commands

Command
Description

ip inspect max-incomplete high

Defines the number of existing half-open sessions that will cause the software to start deleting half-open sessions.

ip inspect one-minute high

Defines the rate of new unestablished sessions that will cause the software to start deleting half-open sessions.

ip inspect one-minute low

Defines the rate of new unestablished TCP sessions that will cause the software to stop deleting half-open sessions.

ip inspect tcp max-incomplete host

Specifies the threshold and blocking time values for TCP host-specific DoS detection and prevention.


ip inspect name

To define a set of inspection rules, use the ip inspect name command in global configuration mode. To remove the inspection rule for a protocol or to remove the entire set of inspection rules, use the no form of this command.

ip inspect name inspection-name [parameter max-sessions number] protocol [alert {on | off}] [audit-trail {on | off}] [timeout seconds]

no ip inspect name inspection-name [parameter max-sessions number] protocol [alert {on | off}] [audit-trail {on | off}] [timeout seconds]

HTTP Inspection Syntax

ip inspect name inspection-name http [java-list access-list] [urlfilter] [alert {on | off}] [audit-trail {on | off}] [timeout seconds]

no ip inspect name inspection-name protocol

SMTP and ESMTP Inspection Syntax

ip inspect name inspection-name {smtp | esmtp} [alert {on | off}] [audit-trail {on | off}] [max-data number] [timeout seconds]

Remote-Procedure Call (RPC) Inspection Syntax

ip inspect name inspection-name [parameter max-sessions number] rpc program-number number [wait-time minutes] [alert {on | off}] [audit-trail {on | off}] [timeout seconds]

no ip inspect name inspection-name protocol

POP3/IMAP Inspection Syntax

ip inspect name inspection-name imap [alert {on | off}] [audit-trail {on | off}] [reset] [secure-login] [timeout number]

ip inspect name inspection-name pop3 [alert {on | off}] [audit-trail {on | off}] [reset] [secure-login] [timeout number]

Fragment Inspection Syntax

ip inspect name inspection-name [parameter max-sessions number] fragment [max number timeout seconds]

no ip inspect name inspection-name [parameter max-sessions number] fragment [max number timeout seconds]

Application Firewall Provisioning Syntax

ip inspect name inspection-name [parameter max-sessions number] appfw policy-name

no ip inspect name inspection-name [parameter max-sessions number] appfw policy-name

User-Defined Application Syntax

ip inspect name inspection-name user-10 [alert {on | off}] [audit-trail {on | off}] [timeout seconds]

no ip inspect name inspection-name user-10 [alert {on | off}] [audit-trail {on | off}] [timeout seconds]

Session Limiting Syntax

no ip inspect name inspection-name [parameter max-sessions number]

Syntax Description

inspection-name

Names the set of inspection rules. If you want to add a protocol to an existing set of rules, use the same inspection-name as the existing set of rules.

Note The inspection-name cannot exceed 16 characters; otherwise, the name will be truncated to the 16-character limit.

parameter
max-sessions number

(Optional) Limits the number of established firewall sessions that a firewall rule creates. The default is that there is no limit to the number of firewall sessions.

protocol

A protocol keyword listed in Table 24 or Table 25.

alert {on | off}

(Optional) For each inspected protocol, the generation of alert messages can be set to on or off. If no option is selected, alerts are generated on the basis of the setting of the ip inspect alert-off command.

audit-trail {on | off}

(Optional) For each inspected protocol, the audit trail can be set to on or off. If no option is selected, audit trail messages are generated on the basis of the setting of the ip inspect audit-trail command.

timeout seconds

(Optional) To override the global TCP or User Datagram Protocol (UDP), or Internet Control Message Protocol (ICMP) idle timeouts for the specified protocol, specify the number of seconds for a different idle timeout.

This timeout overrides the global TCP, UDP, or ICMP timeouts but will not override the global Domain Name System (DNS) timeout.

http

Specifies the HTTP protocol for Java applet blocking.

urlfilter

(Optional) Associates URL filtering with HTTP inspection.

java-list access-list

(Optional) Specifies the numbered standard access list to use to determine "friendly" sites. This keyword is available only for the HTTP protocol, for Java applet blocking. Java blocking only works with numbered standard access lists.

smtp | esmtp

Specifies the protocol being used to inspect the traffic.

max-data number

(Optional) Specifies the maximum number of bytes (data) that can be transferred in a single Simple Mail Transfer Protocol (SMTP) session. After the maximum value is exceeded, the firewall logs an alert message and closes the session. Default value: 20 MB

rpc program-number number

Specifies the program number to permit. This keyword is available only for the remote-procedure call protocol.

wait-time minutes

(Optional) Specifies the number of minutes to keep a small hole in the firewall to allow subsequent connections from the same source address and to the same destination address and port. The default wait-time is zero minutes. This keyword is available only for the remote-procedure call (RPC) protocol.

reset

(Optional) Resets the TCP connection if the client enters a non-protocol command before authentication is complete.

secure-login

(Optional) Causes a user at a non-secure location to use encryption for authentication.

imap

Specifies that the Internet Message Access Protocol (IMAP) is being used.

pop3

Specifies that the Post Office Protocol, Version 3 (POP3) is being used.

fragment

Specifies fragment inspection for the named rule.

max number

(Optional) Specifies the maximum number of unassembled packets for which state information (structures) is allocated by Cisco IOS software. Unassembled packets are packets that arrive at the router interface before the initial packet for a session. The acceptable range is 50 through 10000. The default is 256 state entries.

Memory is allocated for the state structures, and setting this value to a larger number may cause memory resources to be exhausted.

timeout seconds
(fragmentation)

(Optional) Configures the number of seconds that a packet state structure remains active. When the timeout value expires, the router drops the unassembled packet, freeing that structure for use by another packet. The default timeout value is 1 second.

If this number is set to a value greater than 1 second, it is automatically adjusted by the Cisco IOS software when the number of free state structures goes below certain thresholds: when the number of free states is fewer than 32, the timeout is divided by 2. When the number of free states is fewer than 16, the timeout is set to 1 second.

appfw

Specifies application firewall provisioning.

policy-name

Application firewall policy name.

Note This name must match the name specified via the appfw policy-name command.

appname

Specifies a user- or a system-defined application; for example, user-payroll-sap and user-sametime. Application names can contain hyphens and underscores; however, a user-defined application must have the prefix user- in its title.

port

Specifies the port range for an application.

tcp | udp

Specifies the protocol being used to inspect the traffic.

from begin_port_num to end_port_num | port_num1 ...

Specifies the starting and ending port numbers or a range of ports from 1 to 5. You must use the from and to keywords together.

list acl_list_num

(Optional) Specifies an access control list number. Only standard ACLs are supported.

description description_string

(Optional) Specifies a description of up to 40 characters.

user-10

Represents a user-defined application in the port-to-application mapping (PAM) table of the ip port-map command.

router-traffic

(Optional) Enables inspection of traffic destined to or originated from a router. Applicable only for H.323, TCP, and UDP protocols. For the command format, see the Note after Table 24.


Defaults

No inspection rules are defined until you define them using this command.

no ip inspect name inspection-name protocol removes the inspection rule for the specified protocol.

no ip inspect name removes the entire set of inspection rules.

Command Modes

Global configuration

Command History

Release
Modification

11.2 P

This command was introduced.

12.0(5)T

Introduced configurable alert and audit trail, IP fragmentation checking, and NetShow protocol support.

12.2(11)YU

Support was added for ICMP and SIP protocols and the urlfilter keyword was added to the HTTP inspection syntax.

12.2(15)T

Support for the ICMP and SIP protocols and the urlfilter keyword was integrated into Cisco IOS Release 12.2(15)T.

12.3(1)

Skinny protocol support was added.

12.3(7)T

Extended Simple Mail Transfer Protocol (ESMTP) protocol support was added.

12.3(14)T

The appfw keyword and the policy-name argument were added to support application firewall provisioning. The max-sessions, secure-login, reset, and router-traffic keywords were added.

Support for a larger list of protocols including user-defined applications was added.


Usage Guidelines

To define a set of inspection rules, enter this command for each protocol that you want the Cisco IOS firewall to inspect, using the same inspection-name. Give each set of inspection rules a unique inspection-name, which should not exceed the 16-character limit. Define either one or two sets of rules per interface—you can define one set to examine both inbound and outbound traffic, or you can define two sets: one for outbound traffic and one for inbound traffic.

To define a single set of inspection rules, configure inspection for all the desired application-layer protocols, and for ICMP, TCP, and UDP, as desired. This combination of TCP, UDP, and application-layer protocols joins together to form a single set of inspection rules with a unique name. (There are no application-layer protocols associated with ICMP.)

To remove the inspection rule for a protocol, use the no form of this command with the specified inspection name and protocol; to remove the entire set of inspection rules, use the no form of this command only; that is, do not list any inspection names or protocols.

In general, when inspection is configured for a protocol, return traffic entering the internal network will be permitted only if the packets are part of a valid, existing session for which state information is being maintained.

Table 24 Protocol Keywords—Transport-Layer and Network-Layer Protocols 

Protocol
Keyword

ICMP

icmp

TCP

tcp

UDP

udp


Note The TCP, UDP, and H.323 protocols support the router-traffic keyword, which enables inspection of traffic destined to or originated from a router. The command format is as follows:

ip inspect name inspection-name {tcp | udp | h323} [alert {on | off}] [audit-trail {on | off}] [router-traffic] [timeout seconds]

TCP and UDP Inspection

You can configure TCP and UDP inspection to permit TCP and UDP packets to enter the internal network through the firewall, even if the application-layer protocol is not configured to be inspected. However, TCP and UDP inspection do not recognize application-specific commands, and therefore might not permit all return packets for an application, particularly if the return packets have a different port number from the previous exiting packet.

Any application-layer protocol that is inspected will take precedence over the TCP or UDP packet inspection. For example, if inspection is configured for FTP, all control channel information will be recorded in the state table, and all FTP traffic will be permitted back through the firewall if the control channel information is valid for the state of the FTP session. The fact that TCP inspection is configured is irrelevant.

With TCP and UDP inspection, packets entering the network must exactly match an existing session: the entering packets must have the same source or destination addresses and source or destination port numbers as the exiting packet (but reversed). Otherwise, the entering packets will be blocked at the interface.

Granular protocol inspection allows you to specify TCP or UDP ports by using the PAM table. This eliminates having to inspect all applications running under TCP or UDP and the need for multiple access control lists (ACLs) to filter the traffic.

Using the PAM table, you simply pick an existing application or define a new one for inspection thereby simplifying ACL configuration.

ICMP Inspection

An ICMP inspection session is keyed on the source address of the inside host that originates the ICMP packet. Dynamic access control lists (ACLs) are created for return ICMP packets of the allowed types (echo-reply, time-exceeded, destination-unreachable, and timestamp-reply) for each session. There are no port numbers associated with an ICMP session, and the permitted IP address of the return packet is wildcarded in the ACL, because the IP address of the return packet cannot be known in advance for time-exceeded and destination-unreachable replies: these can come from intermediate devices rather than the intended destination.

Application-Layer Protocol Inspection

In general, if you configure inspection for an application-layer protocol, packets for that protocol should be permitted to exit the firewall (by configuring the correct access control list), and packets for that protocol will only be allowed back in through the firewall if they belong to a valid existing session. Each protocol packet is inspected to maintain information about the session state.

Java, H.323, RPC, SIP, SMTP, and ESMTP inspection have additional information, described in the sections that follow. Table 25 lists the supported application-layer protocols.

Table 25 Protocol Keywords—Application-Layer Protocols 

Protocol
Keyword

Application Firewall

appfw

CU-SeeMe

cuseeme

ESMTP

smtp

FTP

ftp

IMAP

imap

Java

http

H.323

h323

Microsoft NetShow

netshow

POP3

pop3

RealAudio

realaudio

RPC

rpc

SIP

sip

Simple Mail Transfer Protocol (SMTP)

smtp

Skinny Client Control Protocol (SCCP)

skinny

StreamWorks

streamworks

Structured Query Language*Net (SQL*Net)

sqlnet

TFTP

tftp

UNIX R commands (rlogin, rexec, rsh)

rcmd

VDOLive

vdolive

WORD

user-defined application name; the name must carry the user- prefix

Note All applications that appear under the show ip port-map command are supported.


Java Inspection

Java inspection enables Java applet filtering at the firewall. Java applet filtering distinguishes between trusted and untrusted applets by relying on a list of external sites that you designate as "friendly." If an applet is from a friendly site, the firewall allows the applet through. If the applet is not from a friendly site, the applet will be blocked. Alternately, you could permit applets from all sites except sites specifically designated as "hostile."


Note Before you configure Java inspection, you must configure a numbered standard access list that defines "friendly" and "hostile" external sites. You configure this numbered standard access list to permit traffic from friendly sites, and to deny traffic from hostile sites. If you do not configure a numbered standard access list, but use a "placeholder" access list in the ip inspect name inspection-name http command, all Java applets will be blocked.



Note Java blocking forces a strict order on TCP packets. To properly verify that Java applets are not in the response, the firewall drops any TCP packet that is out of order. Because the network, not the firewall, determines how packets are routed, the firewall cannot control the order of the packets; it can only drop the out-of-order TCP packets and rely on the endpoints to retransmit them.



Caution Context-Based Access Control (CBAC) does not detect or block encapsulated Java applets. Therefore, Java applets that are wrapped or encapsulated, such as applets in .zip or .jar format, are not blocked at the firewall. CBAC also does not detect or block applets loaded via FTP, gopher, or HTTP on a nonstandard port.

H.323 Inspection

If you want CBAC inspection to work with NetMeeting 2.0 traffic (an H.323 application-layer protocol), you must also configure inspection for TCP, as described in the chapter "Configuring Context-Based Access Control" in the Cisco IOS Security Configuration Guide. This requirement exists because NetMeeting 2.0 uses an additional TCP channel not defined in the H.323 specification.

RPC Inspection

RPC inspection allows the specification of various program numbers. You can define multiple program numbers by creating multiple entries for RPC inspection, each with a different program number. If a program number is specified, all traffic for that program number will be permitted. If a program number is not specified, all traffic for that program number will be blocked. For example, if you created an RPC entry with the NFS program number, all NFS traffic will be allowed through the firewall.

SIP Inspection

You can configure SIP inspection to permit media sessions associated with SIP-signaled calls to traverse the firewall. Because SIP is frequently used to signal both incoming and outgoing calls, it is often necessary to configure SIP inspection in both directions on a firewall (both from the protected internal network and from the external network). Because inspection of traffic from the external network is not done with most protocols, it may be necessary to create an additional inspection rule to cause only SIP inspection to be performed on traffic coming from the external network.

SMTP Inspection

SMTP inspection causes SMTP commands to be inspected for illegal commands. Packets with illegal commands are modified to a "xxxx" pattern and forwarded to the server. This process causes the server to send a negative reply, forcing the client to issue a valid command. An illegal SMTP command is any command except the following:

DATA

HELO

HELP

MAIL

NOOP

QUIT

RCPT

RSET

SAML

SEND

SOML

VRFY

ESMTP Inspection

Like SMTP, ESMTP inspection also causes the commands to be inspected for illegal commands. Packets with illegal commands are modified to a "xxxx" pattern and forwarded to the server. This process causes the server to send a negative reply, forcing the client to issue a valid command. An illegal ESMTP command is any command except the following:

AUTH

DATA

EHLO

ETRN

HELO

HELP

MAIL

NOOP

QUIT

RCPT

RSET

SAML

SEND

SOML

VRFY

In addition to inspecting commands, the ESMTP firewall also inspects the following extensions via deeper command inspection:

Message Size Declaration (SIZE)

Remote Queue Processing Declaration (ETRN)

Binary MIME (BINARYMIME)

Command Pipelining

Authentication

Delivery Status Notification (DSN)

Enhanced Status Code (ENHANCEDSTATUSCODE)

8bit-MIMEtransport (8BITMIME)


Note SMTP and ESMTP cannot exist simultaneously. An attempt to configure both protocols will result in an error message.
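The command masking described for SMTP and ESMTP inspection above, modeled in Python as an added example. This is not Cisco IOS code: the function names, the SMTP_COMMANDS and ESMTP_COMMANDS sets (built from the two lists above), and the client session are this example's own constructs. The model also treats the lines between DATA and the terminating "." as message content that is forwarded unchanged; that is an assumption based on SMTP framing, not something this page states.

```python
"""Model of SMTP/ESMTP command inspection: an illegal command verb is rewritten to
"xxxx" and forwarded so the server itself rejects it. Added example, not Cisco IOS
code; the function names and the command stream are this example's own. Assumption
beyond the page: lines between DATA and the terminating "." are message content and
are forwarded untouched (RFC 5321 framing)."""

SMTP_COMMANDS = {"DATA", "HELO", "HELP", "MAIL", "NOOP", "QUIT",
                 "RCPT", "RSET", "SAML", "SEND", "SOML", "VRFY"}
ESMTP_COMMANDS = SMTP_COMMANDS | {"AUTH", "EHLO", "ETRN"}
LEGAL = {"smtp": SMTP_COMMANDS, "esmtp": ESMTP_COMMANDS}


def validate_rule(protocols):
    """Mirror the documented restriction: one rule may not carry both smtp and esmtp."""
    if "smtp" in protocols and "esmtp" in protocols:
        raise ValueError("smtp and esmtp cannot be configured in the same inspection rule")
    return True


def rewrite_command(line, mode):
    """Return the line as forwarded to the server; the verb is masked if not legal in this mode."""
    verb, sep, rest = line.partition(" ")
    if verb.upper() in LEGAL[mode]:
        return line
    return "xxxx" + sep + rest


def inspect_stream(lines, mode):
    """Apply inspection to a client->server command stream, skipping the DATA body."""
    validate_rule({mode})
    forwarded, in_data = [], False
    for line in lines:
        if in_data:
            forwarded.append(line)          # message content, not a command (assumption)
            if line == ".":
                in_data = False
            continue
        out = rewrite_command(line, mode)
        forwarded.append(out)
        if out.upper() == "DATA":
            in_data = True
    return forwarded


# Constructed client session; EHLO and EXPN are the lines of interest.
CLIENT_SESSION = [
    "EHLO mail.example.com",
    "HELO mail.example.com",
    "MAIL FROM:<alice@example.com>",
    "RCPT TO:<bob@example.net>",
    "DATA",
    "Subject: test",
    "",
    "EXPN would be a command outside DATA, but here it is body text",
    ".",
    "EXPN staff",
    "QUIT",
]

if __name__ == "__main__":
    for mode in ("smtp", "esmtp"):
        print(f"--- {mode} inspection ---")
        for sent, fwd in zip(CLIENT_SESSION, inspect_stream(CLIENT_SESSION, mode)):
            print(f"{sent!r:66s} -> {fwd!r}")
```

Running the block prints the forwarded form of every client line under smtp and then esmtp inspection. Two practical consequences show up: under smtp inspection EHLO is masked, so a client offering ESMTP extensions is pushed back to HELO; and neither list above contains STARTTLS, so in this model that command is masked as well. Verify the behavior on the actual device before placing inspection in front of a server that offers STARTTLS.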


Use of the urlfilter Keyword

If you specify the urlfilter keyword, the Cisco IOS Firewall will interact with a URL filtering software to control web traffic for a given host or user on the basis of a specified security policy.


Note Enabling HTTP inspection with or without any option triggers the Java applet scanner, which is CPU intensive. The only way to stop the Java applet scanner is to specify the java-list access-list option. Configuring URL filtering without enabling the java-list access-list option will severely impact performance.


Use of the timeout Keyword

If you specify a timeout for any of the transport-layer or application-layer protocols, the timeout will override the global idle timeout for the interface to which the set of inspection rules is applied.

If the protocol is TCP or a TCP application-layer protocol, the timeout will override the global TCP idle timeout. If the protocol is UDP or a UDP application-layer protocol, the timeout will override the global UDP idle timeout.

If you do not specify a timeout for a protocol, the timeout value applied to a new session of that protocol will be taken from the corresponding TCP or UDP global timeout value valid at the time of session creation.

The default ICMP timeout is deliberately short (10 seconds) due to the security hole that is opened by allowing ICMP packets with a wild-carded source address back into the inside network. The timeout will occur 10 seconds after the last outgoing packet from the originating host. For example, if you send a set of 10 ping packets spaced one second apart, the timeout will expire in 20 seconds or 10 seconds after the last outgoing packet. However, the timeout is not extended for return packets. If a return packet is not seen within the timeout window, the hole will be closed and the return packet will not be allowed in. Although the default timeout can be made longer if desired, it is recommended that this value be kept relatively short.
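The matching and timeout rules above (the reversed address/port check for TCP and UDP, the source-keyed ICMP session with a wildcarded return address and the four permitted return types, the per-rule timeout override, and the ICMP window that return packets do not extend), as an added Python model. It is not Cisco IOS code: CbacTable, Packet and demo are this example's own names, and the addresses and packet sequence are constructed. The global defaults are the documented ones (tcp idle-time 3600 seconds, udp idle-time 30 seconds, ICMP 10 seconds).

```python
"""Model of how CBAC admits return traffic: exact reversed match for TCP/UDP,
source-keyed sessions with a wildcarded peer for ICMP, and per-protocol idle
timeouts. Added example; CbacTable, Packet and the sample packets are this
example's own constructs, not Cisco IOS code."""
from dataclasses import dataclass

# Documented global defaults: tcp idle-time 3600 s, udp idle-time 30 s, ICMP 10 s.
GLOBAL_IDLE = {"tcp": 3600, "udp": 30, "icmp": 10}

# Only these ICMP types are permitted back in for an ICMP session.
ICMP_RETURN_TYPES = {"echo-reply", "time-exceeded", "destination-unreachable", "timestamp-reply"}


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0        # unused for icmp
    dport: int = 0
    icmp_type: str = ""   # icmp only


class CbacTable:
    def __init__(self, rule_timeouts=None):
        # rule_timeouts models the per-protocol "timeout" keyword of ip inspect name;
        # a protocol listed here overrides the global idle timeout for new sessions.
        self.rule_timeouts = dict(rule_timeouts or {})
        self.sessions = {}    # key -> expiry time (seconds)

    def timeout_for(self, proto):
        return self.rule_timeouts.get(proto, GLOBAL_IDLE[proto])

    @staticmethod
    def _key_outbound(pkt):
        if pkt.proto == "icmp":
            # Keyed on the inside source only: the replying address is wildcarded
            # because time-exceeded/unreachable may come from an intermediate router.
            return ("icmp", pkt.src)
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)

    @staticmethod
    def _key_inbound(pkt):
        if pkt.proto == "icmp":
            return ("icmp", pkt.dst)
        # Reversed addresses and ports: must match the exiting packet exactly.
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def outbound(self, pkt, now):
        """Packet leaving the inside network: create or refresh session state."""
        self.sessions[self._key_outbound(pkt)] = now + self.timeout_for(pkt.proto)

    def inbound(self, pkt, now):
        """Packet entering from outside: True only if it fits a live session."""
        if pkt.proto == "icmp" and pkt.icmp_type not in ICMP_RETURN_TYPES:
            return False
        key = self._key_inbound(pkt)
        expiry = self.sessions.get(key)
        if expiry is None or now >= expiry:
            self.sessions.pop(key, None)     # idle timer ran out: hole closed
            return False
        if pkt.proto != "icmp":
            # Any activity resets the TCP/UDP idle timer; ICMP return packets
            # deliberately do not extend the window.
            self.sessions[key] = now + self.timeout_for(pkt.proto)
        return True


def demo():
    """Walk through the documented cases and return the verdicts."""
    fw = CbacTable(rule_timeouts={"udp": 60})   # models: ip inspect name myrules udp timeout 60
    inside, web, dns, hop = "10.1.1.5", "203.0.113.10", "203.0.113.53", "198.51.100.1"
    verdicts = {}

    fw.outbound(Packet("tcp", inside, web, 40000, 80), now=0)
    verdicts["tcp_reply"] = fw.inbound(Packet("tcp", web, inside, 80, 40000), now=1)
    verdicts["tcp_wrong_port"] = fw.inbound(Packet("tcp", web, inside, 8080, 40000), now=1)
    verdicts["tcp_after_idle"] = fw.inbound(Packet("tcp", web, inside, 80, 40000), now=1 + 3600)

    fw.outbound(Packet("udp", inside, dns, 5353, 53), now=0)
    verdicts["udp_reply_at_45s"] = fw.inbound(Packet("udp", dns, inside, 53, 5353), now=45)   # rule timeout 60 beats global 30
    verdicts["udp_reply_at_120s"] = fw.inbound(Packet("udp", dns, inside, 53, 5353), now=120)

    for t in range(10):                                   # ten pings, one second apart
        fw.outbound(Packet("icmp", inside, web, icmp_type="echo"), now=t)
    verdicts["icmp_ttl_from_hop"] = fw.inbound(Packet("icmp", hop, inside, icmp_type="time-exceeded"), now=15)
    verdicts["icmp_request_in"] = fw.inbound(Packet("icmp", web, inside, icmp_type="echo-request"), now=15)
    verdicts["icmp_reply_before_expiry"] = fw.inbound(Packet("icmp", web, inside, icmp_type="echo-reply"), now=18.9)
    verdicts["icmp_reply_at_expiry"] = fw.inbound(Packet("icmp", web, inside, icmp_type="echo-reply"), now=19)
    return verdicts


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:26s} {'permit' if allowed else 'deny'}")
```

The ICMP cases reproduce the ten-ping timing from the paragraph above: the window closes 10 seconds after the last outgoing packet (at t=19), a time-exceeded from an intermediate hop is admitted because the peer address is wildcarded, and an inbound echo-request is refused because it is not one of the return types.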

IP Fragmentation Inspection

CBAC inspection rules can help protect hosts against certain denial-of-service attacks involving fragmented IP packets. Even though the firewall keeps an attacker from making actual connections to a given host, the attacker may still be able to disrupt services provided by that host. This is done by sending many noninitial IP fragments or by sending complete fragmented packets through a router with an ACL that filters the first fragment of a fragmented packet. These fragments can tie up resources on the target host as it tries to reassemble the incomplete packets.

Using fragmentation inspection, the firewall maintains an interfragment state (structure) for IP traffic. Noninitial fragments are discarded unless the corresponding initial fragment was permitted to pass through the firewall. Noninitial fragments received before the corresponding initial fragments are discarded.


Note Fragmentation inspection can have undesirable effects in certain cases, because it can result in the firewall discarding any packet whose fragments arrive out of order. Many circumstances can cause out-of-order delivery of legitimate fragments. Apply fragmentation inspection with care where legitimate fragments are likely to arrive out of order, because discarding them can have a severe performance impact.


Because routers running Cisco IOS software are used in a very large variety of networks, and because the CBAC feature is often used to isolate parts of internal networks from one another, the fragmentation inspection feature is not enabled by default. Fragmentation detection must be explicitly enabled for an inspection rule using the ip inspect name command. Unfragmented traffic is never discarded because it lacks a fragment state. Even when the system is under heavy attack with fragmented packets, legitimate fragmented traffic, if any, will still get some fraction of the firewall's fragment state resources, and legitimate, unfragmented traffic can flow through the firewall unimpeded.

Application Firewall Provisioning

Application firewall provisioning allows you to configure your Cisco IOS Firewall to detect and prohibit a specific protocol type of traffic.

Most firewalls provide only packet filtering capabilities that simply permit or deny traffic without inspecting the data stream; the Cisco IOS application firewall can detect whether or not a packet is in compliance with the HTTP protocol. If the packet is determined to be unauthorized, it will be dropped, the connection will be reset, and a syslog message will be generated, as appropriate.

User-Defined Applications

You can define your own applications and enter them into the port-to-application mapping (PAM) table using the ip port-map command. Then you set up your inspection rules by inserting your user-defined application as a value for the protocol argument in the ip inspect name command.

Session Limiting

Users can limit the number of established firewall sessions that a firewall rule creates by setting the "max-sessions" threshold. A session counter is maintained for each firewall interface. When a session count exceeds the specified threshold, an alert FW-4-SESSION_THRESHOLD_EXCEEDED message is logged to the syslog server and no new sessions can be created.

Examples

The following example causes the software to inspect TCP sessions and UDP sessions, and to specifically allow CU-SeeMe, FTP, and RPC traffic back through the firewall for existing sessions only. For UDP traffic, audit-trail is on. For FTP traffic, the idle timeout is set to override the global TCP idle timeout. For RPC traffic, program numbers 100003, 100005, and 100021 are permitted.

ip inspect name myrules tcp
ip inspect name myrules udp audit-trail on
ip inspect name myrules cuseeme
ip inspect name myrules ftp timeout 120
ip inspect name myrules rpc program-number 100003
ip inspect name myrules rpc program-number 100005
ip inspect name myrules rpc program-number 100021

The following example adds fragment checking to software inspection of TCP and UDP sessions for the rule named "myrules." In this example, the firewall software will allocate 100 state structures, and the timeout value for dropping unassembled packets is set to 4 seconds. If 100 initial fragments for 100 different packets are sent through the router, all of the state structures will be used up. The initial fragment for packet 101 will be dropped. Additionally, if the number of free state structures (structures available for use by unassembled packets) drops below the threshold values, 32 or 16, the timeout value is automatically reduced to 2 or 1, respectively. Changing the timeout value frees up packet state structures more quickly.

ip inspect name myrules tcp
ip inspect name myrules udp audit-trail on
ip inspect name myrules cuseeme
ip inspect name myrules ftp timeout 120
ip inspect name myrules rpc program-number 100003
ip inspect name myrules rpc program-number 100005
ip inspect name myrules rpc program-number 100021
ip inspect name myrules fragment max 100 timeout 4
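The fragment state behavior described in the syntax description and the IP Fragmentation Inspection section, including the 100-structure, 4-second scenario above, as an added Python model rather than Cisco IOS code. FragmentTable and the fragment sequence are this example's own. Three details the page leaves open are treated as assumptions and marked in the code: a state is released when the final fragment arrives, the adjusted timeout is applied when a state is created, and a halved timeout rounds down (never below 1 second).

```python
"""Model of CBAC fragment state: ip inspect name <rule> fragment max <N> timeout <T>.
Added example, not Cisco IOS code; FragmentTable and the traffic below are constructs
of this example. Assumptions beyond the page: a state is released when the final
fragment (MF=0) arrives, the adaptive timeout is applied when a state is created,
and a halved timeout rounds down (never below 1 s)."""


class FragmentTable:
    def __init__(self, max_states=256, timeout=1):
        self.max_states = max_states
        self.configured_timeout = timeout
        self.states = {}          # (src, dst, ip_id) -> expiry time in seconds

    def free_states(self):
        return self.max_states - len(self.states)

    def effective_timeout(self):
        """Documented adjustment: only a timeout > 1 s is scaled back under pressure."""
        t = self.configured_timeout
        if t <= 1:
            return t
        free = self.free_states()
        if free < 16:
            return 1
        if free < 32:
            return max(1, t // 2)     # assumption: integer halving
        return t

    def _expire(self, now):
        for key in [k for k, exp in self.states.items() if exp <= now]:
            del self.states[key]      # unassembled packet dropped, structure freed

    def fragment(self, src, dst, ip_id, offset, more_fragments, now, acl_permits=True):
        """Return 'pass' or 'drop' for one fragment. offset 0 marks the initial fragment."""
        self._expire(now)
        key = (src, dst, ip_id)
        if offset == 0:
            if not acl_permits:
                return "drop"       # initial fragment filtered: no state, so later fragments die too
            if not more_fragments:
                return "pass"       # unfragmented datagram: never needs a state structure
            if self.free_states() == 0:
                return "drop"       # table exhausted (the "packet 101" case)
            self.states[key] = now + self.effective_timeout()   # assumption: timeout fixed at creation
            return "pass"
        if key not in self.states:
            return "drop"           # noninitial fragment whose initial fragment was not seen
        if not more_fragments:
            del self.states[key]    # assumption: last fragment completes the datagram
        return "pass"


def demo():
    """The documented scenario: fragment max 100 timeout 4, with constructed traffic."""
    ft = FragmentTable(max_states=100, timeout=4)
    out = {}
    # Noninitial fragment arriving before its initial fragment is discarded.
    out["orphan"] = ft.fragment("203.0.113.9", "10.1.1.5", 1, offset=185, more_fragments=False, now=0)
    # 100 distinct datagrams each send only an initial fragment (a reassembly-exhaustion pattern).
    timeouts_seen = []
    for ip_id in range(1, 101):
        timeouts_seen.append(ft.effective_timeout())
        ft.fragment("203.0.113.9", "10.1.1.5", ip_id, offset=0, more_fragments=True, now=0)
    out["timeout_at_free_100"] = timeouts_seen[0]     # 4 s while the table is empty
    out["timeout_at_free_31"] = timeouts_seen[69]     # fewer than 32 free: halved to 2 s
    out["timeout_at_free_15"] = timeouts_seen[85]     # fewer than 16 free: forced to 1 s
    out["packet_101"] = ft.fragment("203.0.113.9", "10.1.1.5", 101, offset=0, more_fragments=True, now=0)
    # Unfragmented traffic is unaffected even while the table is full.
    out["unfragmented"] = ft.fragment("203.0.113.9", "10.1.1.5", 500, offset=0, more_fragments=False, now=0)
    # After the longest timeout (4 s) every stale state has been freed, so packet 101 gets in.
    out["packet_101_after_4s"] = ft.fragment("203.0.113.9", "10.1.1.5", 101, offset=0, more_fragments=True, now=4)
    out["free_after_packet_101"] = ft.free_states()
    # A legitimate two-fragment datagram: initial passes, final fragment passes and releases the state.
    ft.fragment("198.51.100.7", "10.1.1.5", 7, offset=0, more_fragments=True, now=5)
    out["legit_tail"] = ft.fragment("198.51.100.7", "10.1.1.5", 7, offset=185, more_fragments=False, now=5)
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:24s} {value}")
```

The exhaustion loop shows why the adaptive timeout exists: once fewer than 32 structures remain, new states live half as long, and below 16 they live only 1 second, so a flood of lone initial fragments recycles the table instead of pinning it until the configured 4 seconds elapse.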

The following firewall and SIP example shows how to allow outside-initiated calls and internal calls. For outside-initiated calls, an ACL entry is needed to permit the initial signaling packet from outside. Subsequent signaling and media channels will be allowed by the inspection module.

ip inspect name voip sip 
interface FastEthernet0/0
 ip inspect voip in
!
!
interface FastEthernet0/1
 ip inspect voip in
 ip access-group 100 in
!
!
access-list 100 permit udp host <gw ip> any eq 5060
access-list 100 permit udp host <proxy ip> any eq 5060
access-list 100 deny ip any any

The following example shows two configured inspections named fw_only and fw_urlf; URL filtering will work only on the traffic that is inspected by fw_urlf. Note that the java-list access-list option has been enabled, which disables java scanning.

ip inspect name fw_only http java-list 51 timeout 30
interface e0
 ip inspect fw_only in
!
ip inspect name fw_urlf  http urlfilter java-list 51 timeout 30
interface e1
 ip inspect fw_urlf in

The following example shows how to define the HTTP application firewall policy mypolicy. This policy includes all supported HTTP policy rules. This example also includes sample output from the show appfw configuration and show ip inspect config commands, which allow you to verify the configured setting for the application policy.

! Define the HTTP policy.
appfw policy-name mypolicy
 application http
  strict-http action allow alarm
  content-length maximum 1 action allow alarm
  content-type-verification match-req-rsp action allow alarm
  max-header-length request 1 response 1 action allow alarm
  max-uri-length 1 action allow alarm
  port-misuse default action allow alarm
  request-method rfc default action allow alarm
  request-method extension default action allow alarm
  transfer-encoding type default action allow alarm
!
!
! Apply the policy to an inspection rule. 
ip inspect name firewall appfw mypolicy
ip inspect name firewall http
!
!
! Apply the inspection rule to all HTTP traffic entering the FastEthernet0/0 interface.
interface FastEthernet0/0
 ip inspect firewall in
!
!
! Issue the show appfw configuration command and the show ip inspect config command after
! the inspection rule "firewall" (which references the policy "mypolicy") is applied to all
! incoming HTTP traffic on the FastEthernet0/0 interface.
!
Router# show appfw configuration 

Application Firewall Rule configuration
  Application Policy name mypolicy
    Application http
      strict-http action allow alarm
      content-length minimum 0 maximum 1 action allow alarm
      content-type-verification match-req-rsp action allow alarm
      max-header-length request length 1 response length 1 action allow alarm
      max-uri-length 1 action allow alarm
      port-misuse default action allow alarm
      request-method rfc default action allow alarm
      request-method extension default action allow alarm
      transfer-encoding default action allow alarm

Router# show ip inspect config 

Session audit trail is disabled
Session alert is enabled
one-minute (sampling period) thresholds are [400:500] connections
max-incomplete sessions thresholds are [400:500]
max-incomplete tcp connections per host is 50. Block-time 0 minute.
tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
tcp idle-time is 3600 sec -- udp idle-time is 30 sec
dns-timeout is 5 sec
Inspection Rule Configuration
Inspection name firewall
http alert is on audit-trail is off timeout 3600

Related Commands

Command
Description

ip inspect

Applies a set of inspection rules to an interface.

ip inspect alert-off

Disables CBAC alert messages.

ip inspect audit-trail

Turns on CBAC audit trail messages, which will be displayed on the console after each CBAC session close.


ip inspect one-minute high

To define the rate of new unestablished sessions that will cause the software to start deleting half-open sessions, use the ip inspect one-minute high command in global configuration mode. To reset the threshold to the default of 500 half-open sessions, use the no form of this command.

ip inspect one-minute high number [vrf vrf-name]

no ip inspect one-minute high

Syntax Description

number

Specifies the rate of new unestablished TCP sessions that will cause the software to start deleting half-open sessions. The default is 500 half-open sessions.

vrf vrf-name

(Optional) Defines the information only for the specified Virtual Routing and Forwarding (VRF) interface.


Defaults

500 half-open sessions

Command Modes

Global configuration

Command History

Release
Modification

11.2 P

This command was introduced.

12.3(14)T

The vrf vrf-name keyword/argument pair was added.


Usage Guidelines

An unusually high number of half-open sessions (either absolute or measured as the arrival rate) could indicate that a denial-of-service attack is occurring. For TCP, "half-open" means that the session has not reached the established state. For User Datagram Protocol (UDP), "half-open" means that the firewall has detected traffic from one direction only.

Context-based Access Control (CBAC) measures both the total number of existing half-open sessions and the rate of session establishment attempts. Both TCP and UDP half-open sessions are included in the total number and rate measurements. Measurements are made once a minute.

When the rate of new connection attempts rises above a threshold (the one-minute high number), the software will delete half-open sessions as required to accommodate new connection attempts. The software will continue to delete half-open sessions as necessary, until the rate of new connection attempts drops below another threshold (the one-minute low number). The rate thresholds are measured as the number of new session connection attempts detected in the last one-minute sample period. (The rate is calculated as an exponentially decayed rate.)

The global value specified for this threshold applies to all TCP and UDP connections inspected by CBAC.

Examples

The following example causes the software to start deleting half-open sessions when more than 1000 session establishment attempts have been detected in the last minute, and to stop deleting half-open sessions when fewer than 950 session establishment attempts have been detected in the last minute:

ip inspect one-minute high 1000
ip inspect one-minute low 950

Related Commands

Command
Description

ip inspect one-minute low

Defines the rate of new unestablished TCP sessions that will cause the software to stop deleting half-open sessions.

ip inspect max-incomplete high

Defines the number of existing half-open sessions that will cause the software to start deleting half-open sessions.

ip inspect max-incomplete low

Defines the number of existing half-open sessions that will cause the software to stop deleting half-open sessions.

ip inspect tcp max-incomplete host

Specifies the threshold and blocking time values for TCP host-specific DoS detection and prevention.


ip inspect one-minute low

To define the rate of new unestablished TCP sessions that will cause the software to stop deleting half-open sessions, use the ip inspect one-minute low command in global configuration mode. To reset the threshold to the default of 400 half-open sessions, use the no form of this command.

ip inspect one-minute low number [vrf vrf-name]

no ip inspect one-minute low

Syntax Description

number

Specifies the rate of new unestablished TCP sessions that will cause the software to stop deleting half-open sessions. The default is 400 half-open sessions.

vrf vrf-name

(Optional) Defines the information only for the specified Virtual Routing and Forwarding (VRF) interface.


Defaults

400 half-open sessions

Command Modes

Global configuration

Command History

Release
Modification

11.2 P

This command was introduced.

12.3(14)T

The vrf vrf-name keyword/argument pair was added.


Usage Guidelines

An unusually high number of half-open sessions (either absolute or measured as the arrival rate) could indicate that a denial-of-service attack is occurring. For TCP, "half-open" means that the session has not reached the established state. For User Datagram Protocol (UDP), "half-open" means that the firewall has detected traffic from one direction only.

Context-based Access Control (CBAC) measures both the total number of existing half-open sessions and the rate of session establishment attempts. Both TCP and UDP half-open sessions are included in the total number and rate measurements. Measurements are made once a minute.

When the rate of new connection attempts rises above a threshold (the one-minute high number), the software will delete half-open sessions as required to accommodate new connection attempts. The software will continue to delete half-open sessions as necessary, until the rate of new connection attempts drops below another threshold (the one-minute low number). The rate thresholds are measured as the number of new session connection attempts detected in the last one-minute sample period. (The rate is calculated as an exponentially decayed rate.)

The global value specified for this threshold applies to all TCP and UDP connections inspected by CBAC.

Examples

The following example causes the software to start deleting half-open sessions when more than 1000 session establishment attempts have been detected in the last minute, and to stop deleting half-open sessions when fewer than 950 session establishment attempts have been detected in the last minute:

ip inspect one-minute high 1000
ip inspect one-minute low 950
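The start/stop hysteresis that the Usage Guidelines of ip inspect one-minute high and ip inspect one-minute low describe, applied to the 1000/950 example, as an added Python model (not Cisco IOS code; HalfOpenGuard, run, demo and the minute-by-minute counts are this example's own). The page says only that the rate is exponentially decayed, so the smoothing factor ALPHA is an assumption; the absolute max-incomplete thresholds default to the [400:500] values shown in the show ip inspect config output earlier on this page.

```python
"""Model of the CBAC half-open session guard: a once-a-minute sample of new
session attempts feeds an exponentially decayed rate; deletion of half-open
sessions starts when the rate exceeds one-minute high and stops only when it
falls below one-minute low. Added example, not Cisco IOS code. The smoothing
factor ALPHA is an assumption; the page only says the rate is exponentially
decayed. The absolute max-incomplete thresholds use the [400:500] defaults
shown in the show ip inspect config output on this page."""

ALPHA = 0.8   # weight of the newest one-minute sample (assumed)


class HalfOpenGuard:
    def __init__(self, one_minute_high=500, one_minute_low=400,
                 max_incomplete_high=500, max_incomplete_low=400):
        self.one_minute_high = one_minute_high
        self.one_minute_low = one_minute_low
        self.max_incomplete_high = max_incomplete_high
        self.max_incomplete_low = max_incomplete_low
        self.rate = 0.0               # decayed new-attempts-per-minute
        self.rate_deleting = False
        self.count_deleting = False

    def sample(self, new_attempts, half_open_total):
        """One measurement period: return whether half-open sessions are being deleted."""
        self.rate = ALPHA * new_attempts + (1 - ALPHA) * self.rate
        # Hysteresis on the rate: cross high to start, fall below low to stop.
        if self.rate > self.one_minute_high:
            self.rate_deleting = True
        elif self.rate < self.one_minute_low:
            self.rate_deleting = False
        # Same shape for the absolute number of existing half-open sessions.
        if half_open_total > self.max_incomplete_high:
            self.count_deleting = True
        elif half_open_total < self.max_incomplete_low:
            self.count_deleting = False
        return self.rate_deleting or self.count_deleting


def run(guard, samples):
    """samples: list of (new_attempts_this_minute, half_open_total). Returns per-minute verdicts."""
    return [guard.sample(attempts, total) for attempts, total in samples]


def demo():
    """The documented example: ip inspect one-minute high 1000 / one-minute low 950."""
    guard = HalfOpenGuard(one_minute_high=1000, one_minute_low=950)
    # Constructed minute-by-minute counts; half-open totals stay below 400 so only
    # the rate threshold is exercised. Minute 3 lands between low and high (950.4),
    # so deletion continues until the rate actually drops below 950 in minute 4.
    samples = [(1200, 300), (1200, 300), (900, 300), (900, 300)]
    return run(guard, samples)


if __name__ == "__main__":
    for minute, deleting in enumerate(demo(), start=1):
        print(f"minute {minute}: {'deleting half-open sessions' if deleting else 'normal'}")
```

The gap between the two thresholds is what keeps the firewall from flapping: in minute 3 the decayed rate is still above the low mark, so the guard stays in its deleting state even though the raw count for that minute (900) is already under both thresholds.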

Related Commands

Command
Description

ip inspect max-incomplete high

Defines the number of existing half-open sessions that will cause the software to start deleting half-open sessions.

ip inspect max-incomplete low

Defines the number of existing half-open sessions that will cause the software to stop deleting half-open sessions.

ip inspect one-minute high

Defines the rate of new unestablished sessions that will cause the software to start deleting half-open sessions.

ip inspect tcp max-incomplete host

Specifies the threshold and blocking time values for TCP host-specific DoS detection and prevention.


ip inspect tcp finwait-time

To define how long a TCP session will still be managed after the firewall detects a FIN-exchange, use the ip inspect tcp finwait-time command in global configuration mode. To reset the timeout to the default of 5 seconds, use the no form of this command.

ip inspect tcp finwait-time seconds [vrf vrf-name]

no ip inspect tcp finwait-time

Syntax Description

seconds

Specifies how long a TCP session will be managed after the firewall detects a FIN-exchange. The default is 5 seconds.

vrf vrf-name

(Optional) Defines the information only for the specified Virtual Routing and Forwarding (VRF) interface.


Defaults

5 seconds

Command Modes

Global configuration

Command History

Release
Modification

11.2 P

This command was introduced.

12.3(14)T

The vrf vrf-name keyword/argument pair was added.


Usage Guidelines

When the software detects a valid TCP packet that is the first in a session, and if Context-based Access Control (CBAC) inspection is configured for the protocol of the packet, the software establishes state information for the new session.

Use this command to define how long TCP session state information will be maintained after the firewall detects a FIN-exchange for the session. The FIN-exchange occurs when the TCP session is ready to close.

The global value specified for this timeout applies to all TCP sessions inspected by CBAC.

The timeout set with this command is referred to as the "finwait" timeout.


Note If the -n option is used with rsh, and the commands being executed do not produce output before the "finwait" timeout, the session will be dropped and no further output will be seen.


Examples

The following example changes the finwait timeout to 10 seconds:

ip inspect tcp finwait-time 10

The following example changes the finwait timeout back to the default (5 seconds):

no ip inspect tcp finwait-time

ip inspect tcp idle-time

To specify the TCP idle timeout (the length of time a TCP session will still be managed while there is no activity), use the ip inspect tcp idle-time command in global configuration mode. To reset the timeout to the default of 3600 seconds (1 hour), use the no form of this command.

ip inspect tcp idle-time seconds [vrf vrf-name]

no ip inspect tcp idle-time

Syntax Description

seconds

Specifies the length of time, in seconds, for which a TCP session will still be managed while there is no activity. The default is 3600 seconds (1 hour).

vrf vrf-name

(Optional) Specifies the TCP idle timer only for the specified Virtual Routing and Forwarding (VRF) interface.


Defaults

3600 seconds (1 hour)

Command Modes

Global configuration

Command History

Release
Modification

11.2 P

This command was introduced.

12.3(14)T

The vrf vrf-name keyword/argument pair was added.


Usage Guidelines

When the software detects a valid TCP packet that is the first in a session, and if Context-based Access Control (CBAC) inspection is configured for the packet's protocol, the software establishes state information for the new session.

If the software detects no packets for the session for a time period defined by the TCP idle timeout, the software will not continue to manage state information for the session.

The global value specified for this timeout applies to all TCP sessions inspected by CBAC. This global value can be overridden for specific interfaces when you define a set of inspection rules with the ip inspect name (global configuration) command.


Note This command does not affect any of the currently defined inspection rules that have explicitly defined timeouts. Sessions created based on these rules still inherit the explicitly defined timeout value. If you change the TCP idle timeout with this command, the new timeout will apply to any new inspection rules you define or to any existing inspection rules that do not have an explicitly defined timeout. That is, new sessions based on these rules (having no explicitly defined timeout) will inherit the global timeout value.


Examples

The following example sets the global TCP idle timeout to 1800 seconds (30 minutes):

ip inspect tcp idle-time 1800

The following example sets the global TCP idle timeout back to the default of 3600 seconds (one hour):

no ip inspect tcp idle-time

ip inspect tcp max-incomplete host

To specify threshold and blocking time values for TCP host-specific denial-of-service (DoS) detection and prevention, use the ip inspect tcp max-incomplete host command in global configuration mode. To reset the threshold and blocking time to the default values, use the no form of this command.

ip inspect tcp max-incomplete host number block-time minutes [vrf vrf-name]

no ip inspect tcp max-incomplete host

Syntax Description

number

Specifies how many half-open TCP sessions with the same host destination address can exist at a time, before the software starts deleting half-open sessions to the host. Use a number from 1 to 250. The default is 50 half-open sessions.

block-time

Specifies blocking of connection initiation to a host.

minutes

Specifies how long the software will continue to delete new connection requests to the host. The default is 0 minutes.

vrf vrf-name

(Optional) Specifies the information only for the specified Virtual Routing and Forwarding (VRF) interface.


Defaults

50 half-open sessions and 0 minutes

Command Modes

Global configuration

Command History

Release
Modification

11.2 P

This command was introduced.

12.3(14)T

The vrf vrf-name keyword/argument pair was added.


Usage Guidelines

An unusually high number of half-open sessions with the same destination host address could indicate that a denial-of-service attack is being launched against the host. For TCP, "half-open" means that the session has not reached the established state.

Whenever the number of half-open sessions with the same destination host address rises above a threshold (the max-incomplete host number), the software will delete half-open sessions according to one of the following methods:

If the block-time minutes timeout is 0 (the default):

The software will delete the oldest existing half-open session for the host for every new connection request to the host. This ensures that the number of half-open sessions to a given host will never exceed the threshold.

If the block-time minutes timeout is greater than 0:

The software will delete all existing half-open sessions for the host, and then block all new connection requests to the host. The software will continue to block all new connection requests until the block-time expires.

The software also sends syslog messages whenever the max-incomplete host number is exceeded and when blocking of connection initiations to a host starts or ends.

The global values specified for the threshold and blocking time apply to all TCP connections inspected by Context-based Access Control (CBAC).
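The two deletion methods described above, modelled in Python as an added illustration (this is not Cisco's implementation; the HostGuard class, its method names, the minute-based clock and the constructed flow ids are assumptions for the example):

```python
"""Model of the per-host half-open TCP limit set by
ip inspect tcp max-incomplete host <number> block-time <minutes>.

Added illustration only; not Cisco IOS code. The class, method names and
the minute-based clock are assumptions made for this example.
"""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class HostGuard:
    """Half-open session accounting for one destination-host threshold."""
    number: int = 50       # max-incomplete host number (valid range 1..250)
    block_time: int = 0    # block-time minutes; 0 = evict oldest instead of blocking
    half_open: dict = field(default_factory=dict)      # host -> deque of flow ids
    blocked_until: dict = field(default_factory=dict)  # host -> minute block ends
    log: list = field(default_factory=list)            # syslog-style messages

    def _expire_blocks(self, now: float) -> None:
        """End any host block whose block-time has elapsed (logs BLOCK_END)."""
        for host, until in list(self.blocked_until.items()):
            if now >= until:
                del self.blocked_until[host]
                self.log.append(f"{now:.1f} BLOCK_END host {host}")

    def syn(self, now: float, host: str, flow: str) -> str:
        """Handle a new connection request (SYN) toward host.

        Returns 'accept', 'accept-evict' (oldest half-open session deleted to
        make room) or 'drop' (host is blocked or blocking just started).
        """
        self._expire_blocks(now)
        if host in self.blocked_until:
            return "drop"
        queue = self.half_open.setdefault(host, deque())
        # "Rises above the threshold" is modelled as the request that would
        # push the half-open count past <number>.
        if len(queue) >= self.number:
            self.log.append(f"{now:.1f} THRESHOLD host {host} half-open {len(queue)}")
            if self.block_time == 0:
                # block-time 0: delete the oldest half-open session for every
                # new request, so the count never exceeds the threshold.
                queue.popleft()
                queue.append(flow)
                return "accept-evict"
            # block-time > 0: delete all half-open sessions to the host and
            # refuse new requests until the block-time expires.
            queue.clear()
            self.blocked_until[host] = now + self.block_time
            self.log.append(
                f"{now:.1f} BLOCK_START host {host} for {self.block_time} min")
            return "drop"
        queue.append(flow)
        return "accept"

    def established(self, host: str, flow: str) -> None:
        """A session completed its handshake; it is no longer half-open."""
        queue = self.half_open.get(host)
        if queue and flow in queue:
            queue.remove(flow)

    def count(self, host: str) -> int:
        """Current number of half-open sessions toward host."""
        return len(self.half_open.get(host, ()))


def run_scenario(block_time: int, number: int = 3) -> list:
    """Send five SYNs to one host, one minute apart after the first four,
    and return the verdict for each. Constructed sample traffic."""
    guard = HostGuard(number=number, block_time=block_time)
    host = "10.1.1.5"
    verdicts = [guard.syn(0, host, f"flow{i}") for i in range(1, 5)]
    verdicts.append(guard.syn(block_time or 1, host, "flow5"))
    return verdicts


if __name__ == "__main__":
    print("block-time 0:", run_scenario(0))   # evicts, keeps accepting
    print("block-time 2:", run_scenario(2))   # blocks, then reopens at minute 2
```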

Examples

The following example changes the max-incomplete host number to 40 half-open sessions, and changes the block-time timeout to 2 minutes:

ip inspect tcp max-incomplete host 40 block-time 2

The following example resets the defaults (50 half-open sessions and 0 minutes):

no ip inspect tcp max-incomplete host

Related Commands

Command
Description

ip inspect max-incomplete high

Defines the number of existing half-open sessions that will cause the software to start deleting half-open sessions.

ip inspect max-incomplete low

Defines the number of existing half-open sessions that will cause the software to stop deleting half-open sessions.

ip inspect one-minute high

Defines the rate of new unestablished sessions that will cause the software to start deleting half-open sessions.

ip inspect one-minute low

Defines the rate of new unestablished TCP sessions that will cause the software to stop deleting half-open sessions.


ip inspect tcp synwait-time

To define how long the software will wait for a TCP session to reach the established state before dropping the session, use the ip inspect tcp synwait-time command in global configuration mode. To reset the timeout to the default of 30 seconds, use the no form of this command.

ip inspect tcp synwait-time seconds [vrf vrf-name]

no ip inspect tcp synwait-time

Syntax Description

seconds

Specifies how long, in seconds, the software will wait for a TCP session to reach the established state before dropping the session. The default is 30 seconds.

vrf vrf-name

(Optional) Defines the information only for the specified Virtual Routing and Forwarding (VRF) interface.


Defaults

30 seconds

Command Modes

Global configuration

Command History

Release
Modification

11.2 P

This command was introduced.

12.3(14)T

The vrf vrf-name keyword/argument pair was added.


Usage Guidelines

Use this command to define how long Cisco IOS software will wait for a TCP session to reach the established state before dropping the session. The session is considered to have reached the established state after the first synchronize sequence number (SYN) bit of the session is detected.

The global value specified for this timeout applies to all TCP sessions inspected by Context-based Access Control (CBAC).

Examples

The following example changes the synwait timeout to 20 seconds:

ip inspect tcp synwait-time 20

The following example changes the synwait timeout back to the default (30 seconds):

no ip inspect tcp synwait-time

ip inspect udp idle-time

To specify the User Datagram Protocol (UDP) idle timeout (the length of time for which a UDP "session" will still be managed while there is no activity), use the ip inspect udp idle-time command in global configuration mode. To reset the timeout to the default of 30 seconds, use the no form of this command.

ip inspect udp idle-time seconds [vrf vrf-name]

no ip inspect udp idle-time

Syntax Description

seconds

Specifies the length of time a UDP "session" will still be managed while there is no activity. The default is 30 seconds.

vrf vrf-name

(Optional) Specifies the UDP idle timeout only for the specified Virtual Routing and Forwarding (VRF) interface.


Defaults

30 seconds

Command Modes

Global configuration

Command History

Release
Modification

11.2 P

This command was introduced.

12.3(14)T

The vrf vrf-name keyword/argument pair was added.


Usage Guidelines

When the software detects a valid UDP packet, if Context-based Access Control (CBAC) inspection is configured for the packet's protocol, the software establishes state information for a new UDP "session." Because UDP is a connectionless service, there are no actual sessions, so the software approximates sessions by examining the information in the packet and determining if the packet is similar to other UDP packets (for example, it has similar source or destination addresses) and if the packet was detected soon after another similar UDP packet.

If the software detects no UDP packets for the UDP session for a period of time defined by the UDP idle timeout, the software will not continue to manage state information for the session.

The global value specified for this timeout applies to all UDP sessions inspected by CBAC. This global value can be overridden for specific interfaces when you define a set of inspection rules with the ip inspect name command.


Note This command does not affect any of the currently defined inspection rules that have explicitly defined timeouts. Sessions created based on these rules still inherit the explicitly defined timeout value. If you change the UDP idle timeout with this command, the new timeout will apply to any new inspection rules you define or to any existing inspection rules that do not have an explicitly defined timeout. That is, new sessions based on these rules (having no explicitly defined timeout) will inherit the global timeout value.


Examples

The following example sets the global UDP idle timeout to 120 seconds (2 minutes):

ip inspect udp idle-time 120

The following example sets the global UDP idle timeout back to the default of 30 seconds:

no ip inspect udp idle-time

ip ips

To apply an Intrusion Prevention System (IPS) rule to an interface, use the ip ips command in interface configuration mode. To remove an IPS rule from an interface direction, use the no form of this command.

ip ips ips-name {in | out}

no ip ips ips-name {in | out}

Syntax Description

ips-name

Name of IPS signature definition file (SDF).

in

Applies IPS to inbound traffic.

out

Applies IPS to outbound traffic.


Defaults

By default, IPS signatures are not applied to an interface or direction.

Command Modes

Interface configuration

Command History

Release
Modification

12.0(5)T

This command was introduced.

12.3(8)T

The command name was changed from the ip audit command to the ip ips command.


Usage Guidelines

The ip ips command loads the SDF onto the router and builds the signature engines when IPS is applied to the first interface.


Note The router prompt disappears while the signatures are loading and the signature engines are building. It will reappear after these tasks are complete.

Depending on your platform and how many signatures are being loaded, building the signature engine can take several minutes. It is recommended that you enable logging messages so you can monitor the engine building status.


The ip ips command replaces the ip audit command. If the ip audit command is part of an existing configuration, IPS will interpret it as the ip ips command.

Examples

The following example shows the basic configuration necessary to load the attack-drop.sdf file onto a router running Cisco IOS IPS. Note that the configuration is almost the same as when you load the default signatures onto a router, except for the ip ips sdf location command, which specifies the attack-drop.sdf file.

!
ip ips sdf location disk2:attack-drop.sdf
ip ips name MYIPS
!
interface GigabitEthernet0/1
 ip address 10.1.1.16 255.255.255.0
 ip ips MYIPS in
 duplex full
 speed 100
 media-type rj45
 no negotiation auto
!

The following example shows how to configure the router to load and merge the attack-drop.sdf file with the default signatures. After you have merged the two files, it is recommended to copy the newly merged signatures to a separate file. The router can then be reloaded (via the reload command) or reinitialized so as to recognize the newly merged file (as shown in the following example).

!
ip ips name MYIPS
!
interface GigabitEthernet0/1
 ip address 10.1.1.16 255.255.255.0
 ip ips MYIPS in
 duplex full
 speed 100
 media-type rj45
 no negotiation auto
!
!
! Merge the flash-based SDF (attack-drop.sdf) with the built-in signatures.
copy disk2:attack-drop.sdf ips-sdf
! Save the newly merged signatures to a separate file.
copy ips-sdf disk2:my-signatures.sdf
!
! Configure the router to use the new file, my-signatures.sdf 
configure terminal
ip ips sdf location disk2:my-signatures.sdf
! Reinitialize the IPS by removing the IPS rule set and reapplying the rule set.
interface gig 0/1
 no ip ips MYIPS in
!
*Apr 8 14:05:38.243:%IPS-2-DISABLED:IPS removed from all interfaces - IPS disabled
!
 ip ips MYIPS in
!
 exit

Related Commands

Command
Description

copy ips-sdf

Loads or saves the SDF in the router.

ip ips sdf location

Specifies the location in which the router should load the SDF.


ip ips deny-action ips-interface

To create an access control list (ACL) filter for the deny actions ("denyFlowInline" and "denyConnectionInline") on the intrusion prevention system (IPS) interface rather than on the ingress interface, use the ip ips deny-action ips-interface command in global configuration mode. To return to the default, use the no form of this command.

ip ips deny-action ips-interface

no ip ips deny-action ips-interface

Syntax Description

This command has no arguments or keywords.

Defaults

ACL filters for the deny actions are applied to the ingress interface.

Command Modes

Global configuration

Command History

Release
Modification

12.3(14)T

This command was introduced.


Usage Guidelines

Use the ip ips deny-action ips-interface command to change the default behavior of the ACL filters that are created for the deny actions.


Note You should configure this command only if at least one signature is configured to use the supported deny actions (denyFlowInline and denyConnectionInline), if the input interface is configured for load balancing, and if IPS is configured on the output interface.


Default ACL Filter Approach

By default, ACL filters for the deny actions are created on the ingress interfaces of the offending packet. Thus, if Cisco IOS IPS is configured in outbound direction on the egress interface and the "deny" ACLs are created on the ingress interface, Cisco IOS IPS will drop the matching traffic before it goes through much processing. Unfortunately, this approach does not work in load balancing scenarios for which there is more than one ingress interface performing load-balancing.

Alternative ACL Filter Approach

The ip ips deny-action ips-interface command enables ACLs to be created on the same interface and in the same direction as Cisco IOS IPS is configured. This alternative approach supports load-balancing scenarios—assuming that the load-balancing interfaces have the same Cisco IOS IPS configuration. However, all outbound Cisco IOS IPS traffic will go through substantial packet path processing before it is eventually dropped by the ACLs.

Examples

The following example shows how to configure load-balancing between interface e0 and interface e1:

ip ips name test
ip ips deny-action ips-interface
! Enables load balancing with e1
interface e0
 ip address 10.1.1.14 255.255.255.0
 no shut
!
! Enables load balancing with e0
interface e1
 ip address 10.1.1.16 255.255.255.0
 no shut
!
interface e2
 ip address 10.1.1.18 255.255.255.0
 ip ips test in
 no shut

ip ips fail closed

To instruct the router to drop all packets until the signature engine is built and ready to scan traffic, use the ip ips fail closed command in global configuration mode. To return to the default functionality, use the no form of this command.

ip ips fail closed

no ip ips fail closed

Syntax Description

This command has no arguments or keywords.

Defaults

All packets are passed without being scanned while the signature engine is being built or if the signature engine fails to build.

Command Modes

Global configuration

Command History

Release
Modification

12.3(8)T

This command was introduced.


Usage Guidelines

Cisco IOS IPS Fails to Load the SDF

By default, the router running Intrusion Prevention System (IPS) will load the built-in signatures if it fails to load the signature definition file (SDF). If this command is issued, the router will drop all packets—unless the user specifies an access control list (ACL) for packets to send to IPS.

IPS Loads the SDF but Fails to Build a Signature Engine

If the router running IPS loads the SDF but fails to build a signature engine, the router will mark the engine "not ready." If an available engine is previously loaded, the IPS will keep the available engine and discard the engine that is not ready for use. If no previous engines have been loaded or "not ready," the router will install the engine that is not ready and rely on the configuration of the ip ips fail closed command.

By default, packets destined for an engine marked "not ready" will be passed without being scanned. If this command is issued, the router will drop all packets that are destined for that signature engine.

Examples

The following example shows how to instruct the router to drop all packets if the signature micro-engine (SME) is not yet available:

Router(config)# ip ips fail closed 

ip ips name

To specify an intrusion prevention system (IPS) rule, use the ip ips name command in global configuration mode. To delete an IPS rule, use the no form of this command.

ip ips name ips-name [list acl]

no ip ips name ips-name [list acl]

Syntax Description

ips-name

Name for IPS rule.

list acl

(Optional) Specifies an extended or standard access control list (ACL) to filter the traffic that will be scanned.

Note All traffic that is permitted by the ACL is subject to inspection by the IPS. Traffic that is denied by the ACL is not inspected by the IPS.


Defaults

An IPS rule does not exist.

Command Modes

Global configuration

Command History

Release
Modification

12.0(5)T

This command was introduced.

12.3(8)T

The command name was changed from the ip audit name command to the ip ips name command.


Usage Guidelines

The IPS does not load the signatures until the rule is applied to an interface via the ip ips command.


Note This command replaces the ip audit name global configuration command. If the ip audit name command has been issued in an existing configuration and an access control list (ACL) has been defined, IPS will apply the ip ips name command and the ACL parameter on all interfaces that applied the rule.


Examples

The following example shows how to configure a router running Cisco IOS IPS to load the default, built-in signatures. Note that a configuration option for specifying an SDF location is not necessary; built-in signatures reside statically in Cisco IOS.

!
ip ips po max-events 100
ip ips name MYIPS
!
interface GigabitEthernet0/1
 ip address 10.1.1.16 255.255.255.0
 ip ips MYIPS in
 duplex full
 speed 100
 media-type rj45
 no negotiation auto
!

Related Commands

Command
Description

ip ips

Applies an IPS rule to an interface.

show ip ips

Displays IPS information such as configured sessions and signatures.


ip ips notify

To specify the method of event notification, use the ip ips notify command in global configuration mode. To disable event notification, use the no form of this command.

ip ips notify [log | sdee]

no ip ips notify [log | sdee]

Syntax Description

log

(Optional) Send messages in syslog format.

Note If an option is not specified, alert messages are sent in syslog format.

sdee

(Optional) Send messages in Security Device Event Exchange (SDEE) format.


Defaults

Disabled (alert messages are not sent).

Command Modes

Global configuration

Command History

Release
Modification

12.0(5)T

This command was introduced.

12.3(8)T

The command name was changed from the ip audit notify command to the ip ips notify command. Also, support for SDEE was introduced, and the sdee keyword was added.

12.3(14)T

The Post Office protocol was deprecated, and the nr-director keyword was removed.


Usage Guidelines

SDEE is always running, but it does not receive and process events from Intrusion Prevention System (IPS) unless SDEE notification is enabled. If it is not enabled and a client sends a request, SDEE will respond with a fault response message, indicating that notification is not enabled.

To use SDEE, the HTTP server must be enabled (via the ip http server command). If the HTTP server is not enabled, the router cannot respond to the SDEE clients because it cannot see the requests.


Note The ip ips notify command replaces the ip audit notify command. If the ip audit notify command is part of an existing configuration, the IPS will interpret it as the ip ips notify command.


Examples

In the following example, event notifications are specified to be sent in SDEE format:

ip ips notify sdee

Related Commands

Command
Description

ip http server

Enables the HTTP server on your system.


ip ips po local


Note Effective with Cisco IOS Release 12.3(14)T, the ip ips po local command is no longer available in Cisco IOS software.


To specify the local Post Office parameters used when sending event notifications to the VPN/Security Management Solution (VMS), use the ip ips po local command in global configuration mode. To set the local Post Office parameters to their default settings, use the no form of this command.

ip ips po local hostid id-number orgid id-number

no ip ips po local [hostid id-number orgid id-number]

Syntax Description

hostid

Specifies a VMS host ID.

id-number

Unique integer in the range 1 to 65535 used in VMS communications to identify the local host. The default host ID is 1.

orgid

Specifies a VMS organization ID.

id-number

Unique integer in the range 1 to 65535 used in VMS communications to identify the group to which the local host belongs. The default organization ID is 1.


Defaults

The default organization ID is 1. The default host ID is 1.

Command Modes

Global configuration

Command History

Release
Modification

12.0(5)T

This command was introduced.

12.3(8)T

The command name was changed from the ip audit po local command to the ip ips po local command.

12.3(14)T

This command is no longer available in Cisco IOS software.


Usage Guidelines

Use the ip ips po local global configuration command to specify the local Post Office parameters used when sending event notifications to the VMS.

Examples

In the following example, the local host is assigned a host ID of 10 and an organization ID of 500:

ip ips po local hostid 10 orgid 500

ip ips po max-events


Note Effective with Cisco IOS Release 12.3(14)T, the ip ips po max-events command is no longer available in Cisco IOS software.


To specify the maximum number of event notifications that are placed in the router's event queue, use the ip ips po max-events command in global configuration mode. To set the number of recipients to the default setting, use the no form of this command.

ip ips po max-events number-of-events

no ip ips po max-events

Syntax Description

number-of-events

Integer in the range from 1 to 65535 that designates the maximum number of events allowable in the event queue. The default is 100 events.


Defaults

The default number of events is 100.

Command Modes

Global configuration

Command History

Release
Modification

12.0(5)T

This command was introduced.

12.3(8)T

The command name was changed from the ip audit po max-events command to the ip ips po max-events command.

12.3(14)T

This command is no longer available in Cisco IOS software.


Usage Guidelines

Raising the number of events past 100 may cause memory and performance impacts because each event in the event queue requires 32 KB of memory.

Examples

In the following example, the number of events in the event queue is set to 250:

ip ips po max-events 250

ip ips po protected


Note Effective with Cisco IOS Release 12.3(14)T, the ip ips po protected command is no longer available in Cisco IOS software.


To specify whether an address is on a protected network, use the ip ips po protected command in global configuration mode. To remove network addresses from the protected network list, use the no form of this command.

ip ips po protected ip-addr [to ip-addr]

no ip ips po protected [ip-addr]

Syntax Description

ip-addr

IP address of a network host.

to ip-addr

(Optional) Specifies a range of IP addresses.


Defaults

If no addresses are defined as protected, then all addresses are considered outside the protected network.

Command Modes

Global configuration

Command History

Release
Modification

12.0(5)T

This command was introduced.

12.3(8)T

The command name was changed from the ip audit po protected command to the ip ips po protected command.

12.3(14)T

This command is no longer available in Cisco IOS software.


Usage Guidelines

You can enter a single address at a time or a range of addresses at a time. You can also make as many entries to the protected networks list as you want. When an attack is detected, the corresponding event contains a flag that denotes whether the source or destination of the packet belongs to a protected network or not.

If you specify an IP address for removal, that address is removed from the list. If you do not specify an address, then all IP addresses are removed from the list.

Examples

In the following example, a range of addresses is added to the protected network list:

ip ips po protected 10.1.1.0 to 10.1.1.255

In the following example, three individual addresses are added to the protected network list:

ip ips po protected 10.4.1.1
ip ips po protected 10.4.1.8
ip ips po protected 10.4.1.25

ip ips po remote


Note Effective with Cisco IOS Release 12.3(14)T, the ip ips po remote command is no longer available in Cisco IOS software.


To specify one or more sets of Post Office parameters for the VPN/Security Management Solution (VMS) receiving event notifications from the router, use the ip ips po remote command in global configuration mode. To remove a VMS's Post Office parameters as defined by host ID, organization ID, and IP address, use the no form of this command.

ip ips po remote hostid host-id orgid org-id rmtaddress ip-address localaddress ip-address [port port-number] [preference preference-number] [timeout seconds] [application {director | logger}]

no ip ips po remote hostid host-id orgid org-id rmtaddress ip-address

Syntax Description

hostid

Specifies a VMS host ID.

host-id

Unique integer in the range from 1 to 65535 used in VMS communications to identify the local host. The default host ID is 1.

orgid

Specifies a VMS organization ID.

org-id

Unique integer in the range from 1 to 65535 used in VMS communications to identify the group in which the local host belongs. The default organization ID is 1.

rmtaddress

Specifies the IP address of the VMS.

localaddress

Specifies the IP address of the Cisco IOS Firewall Intrusion Prevention System (IPS) router.

ip-address

IP address of the VMS or Cisco IOS Firewall IPS router's interface. Use with the rmtaddress and localaddress keywords.

port

(Optional) Specifies a User Datagram Protocol port through which to send messages.

port-number

(Optional) Integer representing the UDP port on which the VMS is listening for event notifications. The default UDP port number is 45000.

preference

(Optional) Specifies a route preference for communication.

preference-number

(Optional) Integer representing the relative priority of a route to a VMS, if more than one route exists. The default preference is 1.

timeout

(Optional) Specifies a timeout value for Post Office communications.

seconds

(Optional) Integer representing the heartbeat timeout value for Post Office communications. The default timeout is 5 seconds.

application

(Optional) Specifies the type of application that is receiving the Cisco IOS Firewall IPS messages. The default application is director.

director

(Optional) Specifies that the receiving application is the VMS interface.

logger

(Optional) Specifies that the receiving application is a VMS.


Defaults

Parameter values are not set.

Command Modes

Global configuration

Command History

Release
Modification

12.0(5)T

This command was introduced.

12.3(8)T

The command name was changed from the ip audit po remote command to the ip ips po remote command.

12.3(14)T

This command is no longer available in Cisco IOS software.


Usage Guidelines

A router can report to more than one VMS. In this case, use the ip ips po remote command to add each VMS to which the router sends notifications.

More than one route can be established to the same VMS. In this case, you must give each route a preference number that establishes the relative priority of routes. The router always attempts to use the lowest numbered route, switching automatically to the next higher number when a route fails, and then switching back when the route begins functioning again.


Note The ip ips po remote command replaces the ip audit po remote command. If the ip audit po remote command is found in an existing configuration, Cisco IOS IPS will interpret it as the ip ips po remote command.


Examples

In the following example, two communication routes for the same dual-homed VMS are defined:

ip ips po remote hostid 30 orgid 500 rmtaddress 10.1.99.100 localaddress 10.1.99.1 preference 1
ip ips po remote hostid 30 orgid 500 rmtaddress 10.1.4.30 localaddress 10.1.4.1 preference 2

The router uses the first entry to establish communication with the VMS defined with host ID 30 and organization ID 500. If this route fails, then the router will switch to the secondary communications route. As soon as the first route begins functioning again, the router switches back to the primary route and closes the secondary route.


In the following example, a different VMS is assigned a longer heartbeat timeout value because of network congestion, and is designated as a logger application:

ip ips po remote hostid 70 orgid 500 rmtaddress 10.1.8.1 localaddress 10.1.8.100 timeout 10 application director

ip ips sdf location

To specify the location in which the router will load the signature definition file (SDF), use the ip ips sdf location command in global configuration mode. To remove an SDF location from the configuration, use the no form of this command.

ip ips sdf location url

no ip ips sdf location url

Syntax Description

url

Location of the SDF. Available URL options:

local flash, such as flash:sig.xml

FTP server, such as ftp://myuser:mypass@ftp_server.sig.xml

rcp, such as rcp://myuser@rcp_server/sig.xml

TFTP server, such as tftp://tftp_server/sig.xml


Defaults

If an SDF location is not specified, the router will load the default, built-in signatures.

Command Modes

Global configuration

Command History

Release
Modification

12.3(8)T

This command was introduced.


Usage Guidelines

When the ip ips sdf location command is issued, the signatures are not loaded until the router is rebooted or until the Intrusion Prevention System (IPS) is applied to an interface (via the ip ips command). If IPS is already applied to an interface, the signatures will not be loaded. If IPS cannot load the SDF, you will receive an error message and the router will use the built-in IPS signatures.

You can also issue the copy ips-sdf command to load an SDF from a specified location. Unlike the ip ips sdf location command, the signatures are loaded immediately after the copy ips-sdf command is issued.

Examples

The following example shows how to configure the router to load and merge the attack-drop.sdf file with the default signatures. After you have merged the two files, it is recommended to copy the newly merged signatures to a separate file. The router can then be reloaded (via the reload command) or reinitialized so as to recognize the newly merged file (as shown in the following example).

!
ip ips name MYIPS
!
interface GigabitEthernet0/1
 ip address 10.1.1.16 255.255.255.0
 ip ips MYIPS in
 duplex full
 speed 100
 media-type rj45
 no negotiation auto
!
!
! Merge the flash-based SDF (attack-drop.sdf) with the built-in signatures.
copy disk2:attack-drop.sdf ips-sdf
! Save the newly merged signatures to a separate file.
copy ips-sdf disk2:my-signatures.sdf
!
! Configure the router to use the new file, my-signatures.sdf
configure terminal
ip ips sdf location disk2:my-signatures.sdf
! Reinitialize the IPS by removing the IPS rule set and reapplying the rule set.
interface gig 0/1
 no ip ips MYIPS in
!
*Apr 8 14:05:38.243:%IPS-2-DISABLED:IPS removed from all interfaces - IPS disabled
!
 ip ips MYIPS in
!
 exit

Related Commands

Command
Description

copy ips-sdf

Loads or saves the SDF in the router.

ip ips

Applies the IPS rule to an interface.


ip ips signature

To attach a policy to a signature, use the ip ips signature command in global configuration mode. If the policy disabled a signature, use the no form of this command to reenable the signature. If the policy attached an access list to the signature, use the no form of this command to remove the access list.

ip ips signature signature-id {delete | disable | list acl-list}

no ip ips signature signature-id

Syntax Description

signature-id

Signature within the signature definition file (SDF).

delete

Deletes a specified signature.

disable

Disables a specified signature.

list acl-list

A named, standard, or extended ACL that is associated with the signature.


Defaults

No policy is attached to a signature.

Command Modes

Global configuration

Command History

Release
Modification

12.0(5)T

This command was introduced.

12.3(8)T

The command name was changed from the ip audit signature command to the ip ips signature command to support SDFs.


Usage Guidelines

This command allows you to set three policies: delete a signature, disable the audit of a signature, or qualify the audit of a signature with an access list.

If you are attaching an ACL to a signature, then you also need to create an Intrusion Prevention System (IPS) rule with the ip ips name command and apply it to an interface with the ip ips command.


Note The ip ips signature command replaces the ip audit signature command. If the ip audit signature command is found in an existing configuration, Cisco IOS IPS will interpret it as the ip ips signature command.


Examples

In the following example, a signature is disabled, another signature has ACL 99 attached to it, and ACL 99 is defined:

ip ips signature 6150 disable
ip ips signature 1000 list 99
access-list 99 deny 10.1.10.0 0.0.0.255
access-list 99 permit any

ip ips signature disable

To instruct the router to scan for a given signature but not take any action if the signature is detected, use the ip ips signature disable command in global configuration mode. To reenable a signature, use the no form of this command.

ip ips signature signature-id [sub-signature-id] disable [list acl-list]

no ip ips signature signature-id [sub-signature-id] disable [list acl-list]

Syntax Description

signature-id [sub-signature-id]

Signature (and, optionally, sub-signature) that is disabled.

list acl-list

(Optional) A named, standard, or extended access control list (ACL) to filter the traffic that will be scanned.

If the packet is permitted by the ACL, the signature will be scanned and reported; if the packet is denied by the ACL, the signature is deemed disabled.


Defaults

All signatures within the signature definition file (SDF) are reported, if detected.

Command Modes

Global configuration

Command History

Release
Modification

12.3(8)T

This command was introduced.


Usage Guidelines

You may want to disable a signature (or set of signatures) if your deployment scenario deems the signatures unnecessary.

Examples

The following example shows how to instruct the router not to report on signature 1000, if detected:

Router(config)# ip ips signature 1000 disable
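The permit/deny rule stated above for an ACL-qualified signature (permitted source is scanned and reported, denied source is treated as disabled) is easy to get backwards when reviewing a configuration, and a wrong wildcard mask silently widens the set of hosts exempted from a signature. The following Python model, which is an added example and not Cisco code, reads the signature policies and standard ACL from the ip ips signature example earlier on this page (signature 6150 disabled, signature 1000 qualified by ACL 99) and reports whether a given signature would fire for a packet from a given source address. It assumes the plain list form (ip ips signature id list acl) follows the same permit/deny rule the page states for the disable list form, and it treats a reference to an undefined ACL as an implicit deny; both are modelling assumptions, not documented IOS behaviour.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample configuration, taken from the ip ips signature example
# on this page: one signature disabled outright, one qualified by ACL 99.
SAMPLE_CONFIG = """
ip ips signature 6150 disable
ip ips signature 1000 list 99
access-list 99 deny 10.1.10.0 0.0.0.255
access-list 99 permit any
""".strip().splitlines()


@dataclass
class AclEntry:
    action: str     # "permit" or "deny"
    network: int    # IPv4 address as an integer
    wildcard: int   # wildcard mask as an integer; 1 bits are "don't care"


def parse_standard_acl(lines):
    """Parse 'access-list <n> permit|deny <addr> [wildcard] | any | host <addr>' lines."""
    acls = {}
    for line in lines:
        tokens = line.split()
        if not tokens or tokens[0] != "access-list":
            continue
        acl_id, action, rest = tokens[1], tokens[2], tokens[3:]
        if rest[0] == "any":
            net, wc = 0, 0xFFFFFFFF
        elif rest[0] == "host":
            net, wc = int(ipaddress.IPv4Address(rest[1])), 0
        else:
            net = int(ipaddress.IPv4Address(rest[0]))
            # A standard ACL entry without a wildcard means a single host.
            wc = int(ipaddress.IPv4Address(rest[1])) if len(rest) > 1 else 0
        acls.setdefault(acl_id, []).append(AclEntry(action, net, wc))
    return acls


def acl_permits(entries, src_ip):
    """First matching entry wins; a list with no match ends in implicit deny."""
    addr = int(ipaddress.IPv4Address(src_ip))
    for e in entries:
        care = ~e.wildcard & 0xFFFFFFFF   # bits that must match
        if (addr & care) == (e.network & care):
            return e.action == "permit"
    return False


def parse_signature_policies(lines):
    """Collect 'ip ips signature <id> disable' and 'ip ips signature <id> list <acl>'."""
    disabled, acl_for = set(), {}
    for line in lines:
        tokens = line.split()
        if tokens[:3] != ["ip", "ips", "signature"]:
            continue
        sig = tokens[3]
        if "disable" in tokens[4:]:
            disabled.add(sig)
        if "list" in tokens[4:]:
            acl_for[sig] = tokens[tokens.index("list") + 1]
    return disabled, acl_for


def signature_fires(config_lines, sig_id, src_ip):
    """True if sig_id is scanned and reported for a packet from src_ip under the config."""
    disabled, acl_for = parse_signature_policies(config_lines)
    acls = parse_standard_acl(config_lines)
    if sig_id in acl_for:
        # ACL-qualified: permitted source is scanned, denied source is deemed disabled.
        # An undefined ACL is treated as implicit deny here (modelling assumption).
        return acl_permits(acls.get(acl_for[sig_id], []), src_ip)
    if sig_id in disabled:
        return False
    return True   # no policy attached: every SDF signature is reported if detected


if __name__ == "__main__":
    for sig, src in [("6150", "192.0.2.1"), ("1000", "10.1.10.7"),
                     ("1000", "10.1.20.7"), ("2000", "10.1.10.7")]:
        print(f"signature {sig} from {src}: fires={signature_fires(SAMPLE_CONFIG, sig, src)}")
```

Running the model against the sample shows the effect of the deny entry: traffic from 10.1.10.0/24 is exempt from signature 1000 while every other source is still audited, and signature 6150 never fires regardless of source. When auditing a real configuration, feed it the running-config lines and check the hosts you expect to be covered.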

Related Commands

Command
Description

ip ips

Applies the IPS rule to an interface.

ip ips name

Specifies an IPS rule.