Table Of Contents
ip port-map
ip radius source-interface
ip reflexive-list timeout
ip scp server enable
ip sdee events
ip sdee subscriptions
ip security add
ip security aeso
ip security dedicated
ip security eso-info
ip security eso-max
ip security eso-min
ip security extended-allowed
ip security first
ip security ignore-authorities
ip security ignore-cipso
ip security implicit-labelling
ip security multilevel
ip security reserved-allowed
ip security strip
ip source-track
ip source-track address-limit
ip source-track export-interval
ip source-track syslog-interval
ip ssh
ip ssh break-string
ip ssh port
ip ssh rsa keypair-name
ip ssh source-interface
ip ssh version
ip tacacs source-interface
ip tcp intercept connection-timeout
ip tcp intercept drop-mode
ip tcp intercept finrst-timeout
ip tcp intercept list
ip tcp intercept max-incomplete high
ip tcp intercept max-incomplete low
ip tcp intercept mode
ip tcp intercept one-minute high
ip tcp intercept one-minute low
ip tcp intercept watch-timeout
ip traffic-export apply profile
ip traffic-export profile
ip trigger-authentication (global)
ip trigger-authentication (interface)
ip urlfilter alert
ip urlfilter allowmode
ip urlfilter audit-trail
ip urlfilter cache
ip urlfilter exclusive-domain
ip urlfilter max-request
ip urlfilter max-resp-pak
ip urlfilter server vendor
ip urlfilter urlf-server-log
ip verify unicast source reachable-via
ip virtual-reassembly
ip vrf forwarding (server-group)
isakmp authorization list
issuer-name
ip port-map
To establish port-to-application mapping (PAM), use the ip port-map command in global configuration mode. To delete user-defined PAM entries, use the no form of this command.
ip port-map appl-name port [tcp | udp] [port_num | from begin_port_num to end_port_num] [list acl-num] [description description_string]
no ip port-map appl-name port [tcp | udp] [port_num | from begin_port_num to end_port_num] [list acl-num] [description description_string]
Syntax Description
appl-name | Specifies the name of the application with which to apply the port mapping. An application name can contain an underscore or a hyphen. An application can also be system or user-defined. However, a user-defined application must have the prefix user- in it; for example, user-payroll, user-sales, or user-10. Otherwise, the following error message appears: "Unable to add port-map entry. Names for user-defined applications must start with 'user-'."
port | Indicates that a port number maps to the application. You can specify up to five port numbers for each port.
tcp | udp | (Optional) Specifies the protocol for the application. For well-known applications (and those existing already under PAM), you can omit these keywords and the system assumes the standard protocol for that application. However, for user-defined applications, you must specify either tcp or udp.
port_num | (Optional) Identifies a port number in the range 1 to 65535.
from begin_port_num to end_port_num | (Optional) Specifies a range of port numbers. You must use the from and to keywords together.
list acl-num | (Optional) Indicates that the port mapping information applies to a specific host or subnet by associating it to an access control list (ACL) number used with PAM.
description description_string | (Optional) Specifies a description of up to 40 characters. Note: Write the text string in the following format: "C description_string C," where "C" is a delimiting character.
Defaults
No default behavior or values
Command Modes
Global configuration
Command History
Release | Modification
12.0(5)T | This command was introduced.
12.3(1) | Skinny Client Control Protocol (SCCP) support was added.
12.3(14)T | Support was added for the following: user-defined application names, user-specified descriptions, port ranges, the tcp and udp keywords, the from begin_port_num to end_port_num keyword-argument combination, and the description description_string keyword-argument combination.
Usage Guidelines
The ip port-map command associates TCP or User Datagram Protocol (UDP) port numbers with applications or services, establishing a table of default port mapping information at the firewall. This information is used to support network environments that run services using ports that are different from the registered or well-known ports associated with a service or application.
When you issue the no form of the command, include all the parameters needed to remove the entry matching that specific set of parameters. For example, if you issued no ip port-map appl-name, then all entries for that application are removed.
The port mapping information in the PAM table is of one of three types:
• System-defined
• User-defined
• Host-specific
System-Defined Port Mapping
Initially, PAM creates a set of system-defined entries in the mapping table using well-known or registered port mapping information set up during the system start-up. The Cisco IOS Firewall Context-Based Access Control (CBAC) feature requires the system-defined port mapping information to function properly.
You can delete or modify system-defined port mapping information. Use the no form of the command for deletion and the regular form of the command to remap information to another application.
You can also add new port numbers to system-defined applications. However, for some system-defined applications like HTTP and Simple Mail Transfer Protocol (SMTP), in which the firewall inspects deeper into packets, their protocol (UDP or TCP) cannot be changed from that defined in the system. In those instances, error messages display.
Table 26 lists some default system-defined services and applications in the PAM table. (Use the show ip port-map command for the complete list.)
Table 26 System-Defined Port Mapping
Application Name | Well-Known or Registered Port Number | Protocol Description
cuseeme | 7648 | CU-SeeMe Protocol
exec | 512 | Remote Process Execution
ftp | 21 | File Transfer Protocol (control port)
h323 | 1720 | H.323 Protocol (for example, MS NetMeeting, Intel Video Phone)
http | 80 | Hypertext Transfer Protocol
login | 513 | Remote login
msrpc | 135 | Microsoft Remote Procedure Call
netshow | 1755 | Microsoft NetShow
real-audio-video | 7070 | RealAudio and RealVideo
sccp | 2000 | Skinny Client Control Protocol (SCCP)
smtp | 25 | Simple Mail Transfer Protocol (SMTP)
sql-net | 1521 | SQL-NET
streamworks | 1558 | StreamWorks Protocol
sunrpc | 111 | SUN Remote Procedure Call
tftp | 69 | Trivial File Transfer Protocol
vdolive | 7000 | VDOLive Protocol
Note
You can override system-defined entries for a specific host or subnet using the list acl-num option in the ip port-map command.
User-Defined Port Mapping
Network applications that use nonstandard ports require user-defined entries in the mapping table. Use the ip port-map command to create default user-defined entries in the PAM table. These entries automatically appear as an option for the ip inspect name command to facilitate the creation of inspection rules.
You can specify up to five separate port numbers for each port-map in a single entry. You can also specify a port range in a single entry. However, you may not specify both single port numbers and port ranges in the same entry.
Note
If you try to map an application to a system-defined port, a message appears warning you of a mapping conflict. Delete the system-defined entry before mapping it to another application. Deleted system-defined mappings appear in the running configuration in their no ip port-map form.
Use the no form of the ip port-map command to delete user-defined entries from the PAM table. To remove a single mapping, use the no form of the command with all its parameters.
To overwrite an existing user-defined port mapping, use the ip port-map command to associate another service or application with the specific port.
Multiple commands for the same application name are cumulative.
If you assign the same port number to a new application, the new entry replaces the existing entry and it no longer appears in the running configuration. You receive a message about the remapping.
You cannot specify a port number that is in a range assigned to another application; however, you can specify a range that takes over one singly allocated port, or fully overlaps another range.
You cannot specify overlapping port ranges.
Host-Specific Port Mapping
User-defined entries in the mapping table can include host-specific mapping information, which establishes port mapping information for specific hosts or subnets. In some environments, it might be necessary to override the default port mapping information for a specific host or subnet, including system-defined default port mapping information. Use the list acl-num option of the ip port-map command to specify an ACL for a host or subnet that uses PAM.
Note
If the host-specific port mapping information is the same as existing system-defined or user-defined default entries, host-specific port changes have no effect.
Examples
The following examples show how to add and remove user-defined PAM configuration entries at the firewall.
In the following example, nonstandard port 8000 is established as the user-defined default port for HTTP services:
ip port-map http port 8000
The following example shows PAM entries that establish a range of nonstandard ports for HTTP services:
In the following example the command fails because it tries to map port 21, which is the system-defined default port for FTP, with HTTP:
In the following example, a specific host uses port 8000 for FTP services. ACL 10 identifies the server address (192.168.32.43), while port 8000 is mapped with FTP services:
access-list 10 permit 192.168.32.43
ip port-map ftp port 8000 list 10
In the following example, port 21, which is normally reserved for FTP services, is mapped to the RealAudio application for the hosts in list 10. In this configuration, hosts in list 10 do not recognize FTP activity on port 21.
ip port-map realaudio port 21 list 10
In the following example, the ip port-map command fails and generates an error message:
ip port-map netshow port 21
Command fail: the port 21 has already been defined for ftp by the system.
No change can be made to the system defined port mappings.
In the following example, the no form of this command deletes user-defined entries from the PAM table. It has no effect on the system-defined port mappings. This command deletes the host-specific port mapping of FTP.
no ip port-map ftp port 1022 list 10
Note
All no forms of the ip port-map command appear before other entries in the running configuration.
In the following example, the command fails because it tries to delete the system-defined default port for HTTP:
no ip port-map http port 80
In the following example, a specific host uses port 8000 for FTP services. ACL 10 identifies the server address (192.168.32.43), while port 8000 is mapped with FTP services.
access-list 10 permit 192.168.32.43
ip port-map ftp port 8000 list 10
In the following example, a specific subnet runs HTTP services on port 8080. ACL 50 identifies the subnet, while the PAM entry maps port 8080 with HTTP services.
access-list 50 permit 192.168.92.0
ip port-map http port 8080 list 50
In the following example, a specific host runs HTTP services on port 25, which is the system-defined port number for SMTP services. This requires a host-specific PAM entry that overrides the system-defined default port mapping for HTTP, which is port 80. ACL 15 identifies the host address (192.168.33.43), while port 25 is mapped with HTTP services.
access-list 15 permit 192.168.33.43
ip port-map http port 25 list 15
In the following example, the same port number is required by different services running on different hosts. Port 8000 is required for HTTP services by host 192.168.3.4, while port 8000 is required for FTP services by host 192.168.5.6. ACL 10 and ACL 20 identify the specific hosts, while PAM maps the ports with the services for each ACL.
access-list 10 permit 192.168.3.4
access-list 20 permit 192.168.5.6
ip port-map http port 8000 list 10
ip port-map ftp port 8000 list 20
In the following example, five separate port numbers are specified:
ip port-map user-my-app port tcp 8085 8087 8092 8093 8094
In the following example, multiple commands for the same application name are cumulative and both ports map to the myapp application:
ip port-map user-myapp port tcp 3400
ip port-map user-myapp port tcp 3500
In the following example, the same port number is assigned to a new application. The new entry replaces the existing entry, meaning that port 5670 gets mapped to user-my-new-app and its mapping to myapp is removed. As a result, the first command no longer appears in the running configuration and you receive a message about the remapping.
ip port-map user-myapp port tcp 5670
ip port-map user-my-new-app port tcp 5670
In the following example, the second command assigns port 8085 to user-my-new-app, because a port number cannot remain assigned to one application while it lies inside a range assigned to another application; the range takes over the singly allocated port. As a result, the first command no longer appears in the running configuration, and you receive a message about the port being moved from one application to another.
ip port-map user-my-app port tcp 8085
ip port-map user-my-new-app port tcp from 8080 to 8090
Similarly, in the following example the second command assigns port range 8080 to 8085 to user-my-new-app and the first command no longer appears in the running configuration. You receive a message about the remapping.
ip port-map user-my-app port tcp from 8080 to 8085
ip port-map user-my-new-app port tcp from 8080 to 8090
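The PAM table rules from the usage guidelines and the remapping examples above can be exercised with the following model. This is an added example, not Cisco code: it carries only a subset of the Table 26 system entries, omits the tcp/udp and list acl-num qualifiers, and treats a range that covers a system-defined port as an error, which the page does not state and is an assumption here.

```python
# Added example, not Cisco code: a model of the PAM table rules quoted above
# (user- prefix, five ports or one range per entry, system ports untouchable,
# cumulative entries, replacement, range take-over, overlap rejection).
SYSTEM_PORT_MAP = {21: "ftp", 25: "smtp", 80: "http", 135: "msrpc", 1755: "netshow"}  # subset of Table 26


class PamError(ValueError):
    """Raised where the ip port-map command would fail with an error message."""


class PamTable:
    def __init__(self, system=None):
        self.system = dict(SYSTEM_PORT_MAP if system is None else system)  # port -> app
        self.single = {}    # port -> application, user-defined single-port entries
        self.ranges = {}    # (low, high) -> application, user-defined range entries
        self.messages = []  # remapping messages the CLI would print

    def _check_name(self, app):
        if app not in self.system.values() and not app.startswith("user-"):
            raise PamError("Unable to add port-map entry. Names for user-defined "
                           "applications must start with 'user-'.")

    def _check_system(self, port, app):
        owner = self.system.get(port)
        if owner is not None and owner != app:
            raise PamError(f"Command fail: the port {port} has already been defined "
                           f"for {owner} by the system.")

    def port_map(self, app, ports=(), port_range=None):
        """Model 'ip port-map <app> port <p1..p5>' or '... port from <lo> to <hi>'."""
        self._check_name(app)
        if ports and port_range:
            raise PamError("single port numbers and a port range cannot share one entry")
        if len(ports) > 5:
            raise PamError("at most five port numbers per entry")
        if port_range:
            self._map_range(app, *port_range)
        for port in ports:
            self._map_single(app, port)

    def _map_single(self, app, port):
        self._check_system(port, app)
        for (low, high), owner in self.ranges.items():
            if low <= port <= high and owner != app:
                raise PamError(f"port {port} lies in range {low}-{high} assigned to {owner}")
        old = self.single.get(port)
        if old is not None and old != app:
            self.messages.append(f"port {port} moved from {old} to {app}")
        self.single[port] = app  # cumulative for the same app; replaces another app's entry

    def _map_range(self, app, low, high):
        for port in range(low, high + 1):   # assumption: a range may not cover a system port
            self._check_system(port, app)
        taken = []                           # validate everything before mutating the table
        for (olow, ohigh), owner in self.ranges.items():
            if low <= olow and ohigh <= high:           # fully overlapped range is taken over
                taken.append((olow, ohigh, owner))
            elif olow <= high and low <= ohigh:         # partial overlap is rejected
                raise PamError(f"range {low}-{high} overlaps {olow}-{ohigh} of {owner}")
        for olow, ohigh, owner in taken:
            del self.ranges[(olow, ohigh)]
            if owner != app:
                self.messages.append(f"range {olow}-{ohigh} moved from {owner} to {app}")
        for port in [p for p in self.single if low <= p <= high]:
            owner = self.single.pop(port)               # singly allocated port is taken over
            if owner != app:
                self.messages.append(f"port {port} moved from {owner} to {app}")
        self.ranges[(low, high)] = app

    def lookup(self, port):
        """Application PAM would report for a port: user entries win over system ones."""
        if port in self.single:
            return self.single[port]
        for (low, high), app in self.ranges.items():
            if low <= port <= high:
                return app
        return self.system.get(port)

    def fails(self, app, **kwargs):
        """True when the equivalent ip port-map command would be rejected."""
        try:
            self.port_map(app, **kwargs)
        except PamError:
            return True
        return False
```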
Related Commands
Command | Description
show ip port-map | Displays the PAM information.
ip radius source-interface
To force RADIUS to use the IP address of a specified interface for all outgoing RADIUS packets, use the ip radius source-interface command in global configuration mode. To prevent RADIUS from using the IP address of a specified interface for all outgoing RADIUS packets, use the no form of this command.
ip radius source-interface subinterface-name [vrf vrf-name]
no ip radius source-interface
Syntax Description
subinterface-name | Name of the interface that RADIUS uses for all of its outgoing packets.
vrf vrf-name | (Optional) Per Virtual Route Forwarding (VRF) configuration.
Defaults
No default behavior or values
Command Modes
Global configuration
Command History
Release | Modification
11.3 | This command was introduced.
12.2(1)DX | The vrf keyword and vrf-name argument were introduced on the Cisco 7200 series and Cisco 7401ASR.
12.2(2)DD | This command was integrated into Cisco IOS Release 12.2(2)DD.
12.2(4)B | This command was integrated into Cisco IOS Release 12.2(4)B.
12.2(13)T | This command was integrated into Cisco IOS Release 12.2(13)T.
Usage Guidelines
Use this command to set the IP address of a subinterface to be used as the source address for all outgoing RADIUS packets. The IP address is used as long as the subinterface is in the up state. In this way, the RADIUS server can use one IP address entry for every network access client instead of maintaining a list of IP addresses.
This command is especially useful in cases where the router has many subinterfaces and you want to ensure that all RADIUS packets from a particular router have the same IP address.
The specified subinterface must have an IP address associated with it. If the specified subinterface does not have an IP address or is in the down state, then RADIUS reverts to the default. To avoid this, add an IP address to the subinterface or bring the subinterface to the up state.
Use the vrf vrf-name keyword and argument to configure this command per VRF, which allows multiple disjoint routing or forwarding tables, where the routes of one user have no correlation with the routes of another user.
Examples
The following example shows how to configure RADIUS to use the IP address of subinterface s2 for all outgoing RADIUS packets:
ip radius source-interface s2
The following example shows how to configure RADIUS to use the IP address of subinterface Ethernet0 for VRF definition:
ip radius source-interface Ethernet 0 vrf water
Related Commands
Command | Description
ip tacacs source-interface | Uses the IP address of a specified interface for all outgoing TACACS packets.
ip telnet source-interface | Allows a user to select an address of an interface as the source address for Telnet connections.
ip tftp source-interface | Allows a user to select the interface whose address will be used as the source address for TFTP connections.
ip reflexive-list timeout
To specify the length of time that reflexive access list entries will continue to exist when no packets in the session are detected, use the ip reflexive-list timeout command in global configuration mode. To reset the timeout period to the default timeout, use the no form of this command.
ip reflexive-list timeout seconds
no ip reflexive-list timeout
Syntax Description
seconds | Specifies the number of seconds to wait (when no session traffic is being detected) before temporary access list entries expire. Use a positive integer from 0 to 2,147,483. The default is 300 seconds.
Defaults
300 seconds
Command Modes
Global configuration
Command History
Release | Modification
11.3 | This command was introduced.
Usage Guidelines
This command is used with reflexive filtering, a form of session filtering.
This command specifies when a reflexive access list entry will be removed after a period of no traffic for the session (the timeout period).
With reflexive filtering, when an IP upper-layer session begins from within your network, a temporary entry is created within the reflexive access list, and a timer is set. Whenever a packet belonging to this session is forwarded (inbound or outbound) the timer is reset. When this timer counts down to zero without being reset, the temporary reflexive access list entry is removed.
The timer is set to the timeout period. Individual timeout periods can be defined for specific reflexive access lists, but for reflexive access lists that do not have individually defined timeout periods, the global timeout period is used. The global timeout value is 300 seconds by default; however, you can change the global timeout to a different value at any time using this command.
This command does not take effect for reflexive access list entries that were already created when the command is entered; this command only changes the timeout period for entries created after the command is entered.
Examples
The following example sets the global timeout period for reflexive access list entries to 120 seconds:
ip reflexive-list timeout 120
The following example returns the global timeout period to the default of 300 seconds:
no ip reflexive-list timeout
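The timer behaviour described in the usage guidelines (timer set at session start, reset on every forwarded packet, per-list timeout overriding the global one, and a new global value applying only to entries created afterwards) is modelled below. This is an added example, not Cisco code; the session tuple and list names are constructed for illustration.

```python
# Added example, not Cisco code: a model of reflexive access list entry timers.
from dataclasses import dataclass, field


@dataclass
class ReflexiveEntry:
    session: tuple      # constructed key: (proto, src, sport, dst, dport)
    timeout: int        # seconds; fixed when the entry was created
    expires_at: int     # absolute time (seconds) at which the entry is removed


@dataclass
class ReflexiveList:
    global_timeout: int = 300                            # 'ip reflexive-list timeout' default
    list_timeouts: dict = field(default_factory=dict)    # per-list timeouts from 'permit ... timeout'
    entries: dict = field(default_factory=dict)          # (list name, session) -> ReflexiveEntry

    def set_global_timeout(self, seconds):
        """'ip reflexive-list timeout <seconds>': affects only entries created from now on."""
        self.global_timeout = seconds

    def session_started(self, acl, session, now):
        """Outbound session seen: create the temporary entry and start its timer."""
        timeout = self.list_timeouts.get(acl, self.global_timeout)
        self.entries[(acl, session)] = ReflexiveEntry(session, timeout, now + timeout)

    def packet_forwarded(self, acl, session, now):
        """A packet of the session was forwarded (either direction): reset the timer."""
        entry = self.entries.get((acl, session))
        if entry is None:
            return False
        entry.expires_at = now + entry.timeout
        return True

    def expire(self, now):
        """Remove entries whose timer has counted down to zero; returns how many."""
        gone = [key for key, entry in self.entries.items() if entry.expires_at <= now]
        for key in gone:
            del self.entries[key]
        return len(gone)

    def permitted(self, acl, session, now):
        """Would a returning packet of this session be permitted at time 'now'?"""
        self.expire(now)
        return (acl, session) in self.entries
```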
Related Commands
Command | Description
evaluate | Nests a reflexive access list within an access list.
ip access-list | Defines an IP access list by name.
permit (reflexive) | Creates a reflexive access list and enables its temporary entries to be automatically generated.
ip scp server enable
To enable the router to securely copy files from a remote workstation, use the ip scp server enable command in global configuration mode. To disable secure copy functionality (the default), use the no form of this command.
ip scp server enable
no ip scp server enable
Syntax Description
This command has no arguments or keywords.
Defaults
The secure copy function is disabled.
Command Modes
Global configuration
Command History
Release | Modification
12.2(2)T | This command was introduced.
12.0(21)S | This command was integrated into Cisco IOS Release 12.0(21)S and support for the Cisco 7500 series and Cisco 12000 series routers was added.
Usage Guidelines
Use this command to enable secure copying of files from systems using the Secure Shell (SSH) application. This secure copy function is accomplished by an addition to the copy command in the Cisco IOS software, which takes care of using the secure copy protocol (scp) to copy to and from a router while logged in to the router itself. Because copying files is generally a restricted operation in the Cisco IOS software, a user attempting to copy such files needs to be at the correct enable level.
The Cisco IOS software must also allow files to be copied to or from itself from a remote workstation running the SSH application (which is supported by both the Microsoft Windows and UNIX operating systems). For this to work, the Cisco IOS software must have authentication and authorization configured in the authentication, authorization, and accounting (AAA) feature. SSH already relies on AAA authentication to authenticate the user's username and password. Scp adds the requirement that AAA authorization be turned on so that the operating system can determine whether or not the user is at the correct privilege level.
Examples
The following example shows a typical configuration that allows the router to securely copy files from a remote workstation. Because scp relies on AAA authentication and authorization to function properly, AAA must be configured.
aaa authentication login default tac-group tacacs+
aaa authorization exec default local
username user1 privilege 15 password 0 lab
The following example shows how to use scp to copy a system image from Flash memory to a server that supports SSH:
Router# copy flash:c4500-ik2s-mz.scp scp://user1@host1/
Address or name of remote host [host1]?
Destination username [user1]?
Destination filename [c4500-ik2s-mz.scp]?
Writing c4500-ik2s-mz.scp
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Note
When using scp, you cannot enter the password into the copy command; enter the password when prompted.
Related Commands
Command | Description
aaa authentication login | Sets AAA authentication at login.
aaa authorization | Sets parameters that restrict user access to a network.
copy | Copies any file from a source to a destination.
debug ip scp | Troubleshoots scp authentication problems.
ip ssh port | Enables secure network access to the tty lines.
username | Establishes a username-based authentication system.
ip sdee events
To set the maximum number of Security Device Event Exchange (SDEE) events that can be stored in the event buffer, use the ip sdee events command in global configuration mode. To change the buffer size or return to the default buffer size, use the no form of this command.
ip sdee events events
no ip sdee events events
Syntax Description
events | Maximum number of events that can be stored in the buffer; the largest allowable value is 1000.
Defaults
200 events
Command Modes
Global configuration
Command History
Release | Modification
12.3(8)T | This command was introduced.
Usage Guidelines
When SDEE notification is enabled (via the ip ips notify sdee command), 200 events can automatically be stored in the buffer. When SDEE notification is disabled, all stored events are lost. A new buffer is allocated when the notifications are reenabled.
When specifying the size of an events buffer, note the following functionality:
• It is circular. When the end of the buffer is reached, the buffer will start overwriting the earliest stored events. (If overwritten events have not yet been reported, you will receive a buffer overflow notice.)
• If a new, smaller buffer is requested, all events that are stored in the previous buffer will be lost.
• If a new, larger buffer is requested, all existing events will be saved.
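The three buffer behaviours listed above (circular overwrite with an overflow notice for unreported events, loss on shrinking, retention on growing) are modelled below. This is an added example, not Cisco code; the event strings and the single-subscriber collect() pull are constructed for illustration.

```python
# Added example, not Cisco code: a model of the SDEE event buffer rules listed above.
class SdeeEventBuffer:
    def __init__(self, size=200):   # 'ip sdee events' default is 200
        self.size = size
        self.events = []            # stored events, oldest first
        self.reported = 0           # how many of self.events a subscriber has already collected
        self.overflow_notices = 0   # buffer overflow notices raised so far

    def store(self, event):
        """Store one event; when full, overwrite the earliest stored event."""
        if len(self.events) >= self.size:
            self.events.pop(0)
            if self.reported == 0:
                self.overflow_notices += 1   # the overwritten event was never reported
            else:
                self.reported -= 1           # the overwritten event had already been reported
        self.events.append(event)

    def collect(self):
        """Subscriber pulls every event not yet reported."""
        pending = self.events[self.reported:]
        self.reported = len(self.events)
        return pending

    def resize(self, size):
        """'ip sdee events <n>': a smaller buffer loses stored events, a larger one keeps them."""
        if size < self.size:
            self.events, self.reported = [], 0
        self.size = size

    def disable_notification(self):
        """'no ip ips notify sdee': all stored events are lost."""
        self.events, self.reported = [], 0
```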
Examples
The following example shows how to set the maximum buffer events size to 500:
Related Commands
Command | Description
ip ips notify | Specifies the method of event notification.
ip sdee subscriptions
To set the maximum number of Security Device Event Exchange (SDEE) subscriptions that can be open simultaneously, use the ip sdee subscriptions command in global configuration mode. To change the current selection or return to the default, use the no form of this command.
ip sdee subscriptions subscriptions
no ip sdee subscriptions subscriptions
Syntax Description
subscriptions | Maximum number of subscriptions; valid values range from 1 to 3.
Defaults
1 subscription
Command Modes
Global configuration
Command History
Release | Modification
12.3(8)T | This command was introduced.
Usage Guidelines
After you have enabled SDEE to receive and process events from the Intrusion Prevention System (IPS), you can issue the ip sdee subscriptions command to modify the number of allowed open SDEE subscriptions.
Examples
The following example shows how to change the number of allowed open subscriptions to 2:
Related Commands
Command | Description
ip ips notify | Specifies the method of event notification.
ip security add
To add a basic security option to all outgoing packets, use the ip security add command in interface configuration mode. To disable the adding of a basic security option to all outgoing packets, use the no form of this command.
ip security add
no ip security add
Syntax Description
This command has no arguments or keywords.
Defaults
Disabled, when the security level of the interface is "Unclassified Genser" (or unconfigured). Otherwise, the default is enabled.
Command Modes
Interface configuration
Command History
Release | Modification
10.0 | This command was introduced.
Usage Guidelines
If an outgoing packet does not have a security option present, this interface configuration command will add one as the first IP option. The security label added to the option field is the label that was computed for this packet when it first entered the router. Because this action is performed after all the security tests have been passed, this label will either be the same or will fall within the range of the interface.
Examples
The following example adds a basic security option to each packet leaving Ethernet interface 0:
Related Commands
Command | Description
ip security dedicated | Sets the level of classification and authority on the interface.
ip security extended-allowed | Accepts packets on an interface that has an Extended Security Option present.
ip security first | Prioritizes the presence of security options on a packet.
ip security ignore-authorities | Causes the Cisco IOS software to ignore the authorities field of all incoming packets.
ip security implicit-labelling | Forces the Cisco IOS software to accept packets on the interface, even if they do not include a security option.
ip security multilevel | Sets the range of classifications and authorities on an interface.
ip security reserved-allowed | Treats as valid any packets that have Reserved1 through Reserved4 security levels.
ip security strip | Removes any basic security option on outgoing packets on an interface.
ip security aeso
To attach Auxiliary Extended Security Options (AESOs) to an interface, use the ip security aeso command in interface configuration mode. To disable AESO on an interface, use the no form of this command.
ip security aeso source compartment-bits
no ip security aeso source compartment-bits
Syntax Description
source | Extended Security Option (ESO) source. This can be an integer from 0 to 255.
compartment-bits | Number of compartment bits in hexadecimal.
Defaults
Disabled
Command Modes
Interface configuration
Command History
Release | Modification
10.0 | This command was introduced.
Usage Guidelines
Compartment bits are specified only if this AESO is to be inserted in a packet. On every incoming packet at this level on this interface, these AESOs should be present.
Beyond being recognized, no further processing of AESO information is performed. AESO contents are not checked and are assumed to be valid if the source is listed in the configurable AESO table.
Configuring any per-interface extended IP Security Option (IPSO) information automatically enables ip security extended-allowed (disabled by default).
Examples
The following example defines the Extended Security Option source as 5 and sets the compartment bits to 5:
Related Commands
Command | Description
ip security eso-info | Configures system-wide defaults for extended IPSO information.
ip security eso-max | Specifies the maximum sensitivity level for an interface.
ip security eso-min | Configures the minimum sensitivity level for an interface.
ip security extended-allowed | Accepts packets on an interface that has an Extended Security Option present.
ip security dedicated
To set the level of classification and authority on the interface, use the ip security dedicated command in interface configuration mode. To reset the interface to the default classification and authorities, use the no form of this command.
ip security dedicated level authority [authority...]
no ip security dedicated level authority [authority...]
Syntax Description
level | Degree of sensitivity of information. The level keywords are listed in Table 27.
authority | Organization that defines the set of security levels that will be used in a network. The authority keywords are listed in Table 28.
Defaults
Disabled
Command Modes
Interface configuration
Command History
Release | Modification
10.0 | This command was introduced.
Usage Guidelines
All traffic entering the system on this interface must have a security option that exactly matches this label. Any traffic leaving via this interface will have this label attached to it.
The following definitions apply to the descriptions of the IP Security Option (IPSO) in this section:
• level—The degree of sensitivity of information. For example, data marked TOPSECRET is more sensitive than data marked SECRET. The level keywords and their corresponding bit patterns are shown in Table 27.
Table 27 IPSO Level Keywords and Bit Patterns
Level Keyword | Bit Pattern
Reserved4 | 0000 0001
TopSecret | 0011 1101
Secret | 0101 1010
Confidential | 1001 0110
Reserved3 | 0110 0110
Reserved2 | 1100 1100
Unclassified | 1010 1011
Reserved1 | 1111 0001
• authority—An organization that defines the set of security levels that will be used in a network. For example, the Genser authority consists of level names defined by the U.S. Defense Communications Agency (DCA). The authority keywords and their corresponding bit patterns are shown in Table 28.
Table 28 IPSO Authority Keywords and Bit Patterns
Authority Keyword | Bit Pattern
Genser | 1000 0000
Siop-Esi | 0100 0000
DIA | 0010 0000
NSA | 0001 0000
DOE | 0000 1000
• label—A combination of a security level and an authority or authorities.
Examples
The following example sets a confidential level with Genser authority:
ip security dedicated confidential Genser
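The following added example (not Cisco code) encodes a label from the Table 27 and Table 28 bit patterns and applies the exact-match rule that ip security dedicated imposes on inbound traffic. The option framing (type 130, a length octet, the classification octet, one protection-authority flags octet) is taken from RFC 1108 rather than from this page, and the reserved_allowed flag stands in for ip security reserved-allowed.

```python
# Added example, not Cisco code: IPSO basic security option labels from Tables 27 and 28.
LEVELS = {  # Table 27: level keyword -> classification octet
    "Reserved4": 0b0000_0001, "TopSecret": 0b0011_1101, "Secret": 0b0101_1010,
    "Confidential": 0b1001_0110, "Reserved3": 0b0110_0110, "Reserved2": 0b1100_1100,
    "Unclassified": 0b1010_1011, "Reserved1": 0b1111_0001,
}
AUTHORITIES = {  # Table 28: authority keyword -> protection authority flag bit
    "Genser": 0b1000_0000, "Siop-Esi": 0b0100_0000, "DIA": 0b0010_0000,
    "NSA": 0b0001_0000, "DOE": 0b0000_1000,
}
BSO_TYPE = 130   # RFC 1108 basic security option type (assumption; not stated on this page)
RESERVED = {"Reserved1", "Reserved2", "Reserved3", "Reserved4"}


def _lookup(table, keyword):
    """Resolve a keyword case-insensitively, as the CLI does, to (canonical name, value)."""
    for name, value in table.items():
        if name.lower() == keyword.lower():
            return name, value
    raise ValueError(f"unknown keyword {keyword!r}")


def encode_label(level, authorities):
    """Return (classification octet, authority flags octet) for a label."""
    _, classification = _lookup(LEVELS, level)
    flags = 0
    for authority in authorities:
        flags |= _lookup(AUTHORITIES, authority)[1]
    return classification, flags


def build_bso(level, authorities):
    """Encode the label as the option bytes that 'ip security add' would insert."""
    classification, flags = encode_label(level, authorities)
    body = bytes([classification, flags])   # one flags octet; its continuation bit (LSB) is 0
    return bytes([BSO_TYPE, 2 + len(body)]) + body


def parse_bso(option):
    """Decode option bytes back into (level keyword, sorted authority keywords)."""
    if len(option) < 4 or option[0] != BSO_TYPE or option[1] != len(option):
        raise ValueError("not a well-formed basic security option")
    classification, flags = option[2], option[3]
    level = next((name for name, value in LEVELS.items() if value == classification), None)
    if level is None:
        raise ValueError(f"unknown classification octet 0x{classification:02x}")
    authorities = sorted(name for name, bit in AUTHORITIES.items() if flags & bit)
    return level, authorities


def dedicated_accepts(iface_level, iface_authorities, option, reserved_allowed=False):
    """'ip security dedicated' rule: an inbound option must exactly match the interface label."""
    try:
        level, authorities = parse_bso(option)
    except ValueError:
        return False
    if level in RESERVED and not reserved_allowed:   # 'ip security reserved-allowed' not set
        return False
    want_level = _lookup(LEVELS, iface_level)[0]
    want_authorities = sorted(_lookup(AUTHORITIES, a)[0] for a in iface_authorities)
    return level == want_level and authorities == want_authorities
```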
Related Commands
Command | Description
ip security add | Adds a basic security option to all outgoing packets.
ip security extended-allowed | Accepts packets on an interface that has an Extended Security Option present.
ip security first | Prioritizes the presence of security options on a packet.
ip security ignore-authorities | Causes the Cisco IOS software to ignore the authorities field of all incoming packets.
ip security implicit-labelling | Forces the Cisco IOS software to accept packets on the interface, even if they do not include a security option.
ip security multilevel | Sets the range of classifications and authorities on an interface.
ip security reserved-allowed | Treats as valid any packets that have Reserved1 through Reserved4 security levels.
ip security strip | Removes any basic security option on outgoing packets on an interface.
ip security eso-info
To configure system-wide defaults for extended IP Security Option (IPSO) information, use the ip security eso-info command in global configuration mode. To return to the default settings, use the no form of this command.
ip security eso-info source compartment-size default-bit
no ip security eso-info source compartment-size default-bit
Syntax Description
source | Hexadecimal or decimal value representing the extended IPSO source. This is an integer from 0 to 255.
compartment-size | Maximum number of bytes of compartment information allowed for a particular extended IPSO source. This is an integer from 1 to 16.
default-bit | Default bit value for any unsent compartment bits.
Defaults
Disabled
Command Modes
Global configuration
Command History
Release | Modification
10.0 | This command was introduced.
Usage Guidelines
This command configures Extended Security Option (ESO) information, including Auxiliary Extended Security Option (AESO). Transmitted compartment information is padded to the size specified by the compartment-size argument.
Examples
The following example sets system-wide defaults for source, compartment size, and the default bit value:
ip security eso-info 100 5 1
Related Commands
Command | Description
ip security eso-max | Specifies the maximum sensitivity level for an interface.
ip security eso-min | Configures the minimum sensitivity level for an interface.
ip security eso-max
To specify the maximum sensitivity level for an interface, use the ip security eso-max command in interface configuration mode. To return to the default, use the no form of this command.
ip security eso-max source compartment-bits
no ip security eso-max source compartment-bits
Syntax Description
source | Extended Security Option (ESO) source. This is an integer from 1 to 255.
compartment-bits | Number of compartment bits in hexadecimal.
Defaults
Disabled
Command Modes
Interface configuration
Command History
Release | Modification
10.0 | This command was introduced.
Usage Guidelines
The command is used to specify the maximum sensitivity level for a particular interface. Before the per-interface compartment information for a particular Network-Level Extended Security Option (NLESO) source can be configured, the ip security eso-info global configuration command must be used to specify the default information.
On every incoming packet on the interface, these Extended Security Options should be present at the minimum level and should match the configured compartment bits. Every outgoing packet must have these ESOs.
On every packet transmitted or received on this interface, any NLESO sources present in the IP header should be bounded by the minimum sensitivity level and bounded by the maximum sensitivity level configured for the interface.
When transmitting locally generated traffic out this interface, or adding security information (with the ip security add command), the maximum compartment bit information can be used to construct the NLESO sources placed in the IP header.
A maximum of 16 NLESO sources can be configured per interface. Due to IP header length restrictions, a maximum of 9 of these NLESO sources appear in the IP header of a packet.
Examples
In the following example, the specified ESO source is 240 and the compartment bits are specified as 500:
ip security eso-max 240 500
Related Commands
Command | Description
ip security eso-info | Configures system-wide defaults for extended IPSO information.
ip security eso-min | Configures the minimum sensitivity level for an interface.
ip security eso-min
To configure the minimum sensitivity for an interface, use the ip security eso-min command in interface configuration mode. To return to the default, use the no form of this command.
ip security eso-min source compartment-bits
no ip security eso-min source compartment-bits
Syntax Description
source | Extended Security Option (ESO) source. This is an integer from 1 to 255.
compartment-bits | Number of compartment bits in hexadecimal.
Defaults
Disabled
Command Modes
Interface configuration
Command History
Release | Modification
10.0 | This command was introduced.
Usage Guidelines
The command is used to specify the minimum sensitivity level for a particular interface. Before the per-interface compartment information for a particular Network Level Extended Security Option (NLESO) source can be configured, the ip security eso-info global configuration command must be used to specify the default information.
On every incoming packet on this interface, these Extended Security Options should be present at the minimum level and should match the configured compartment bits. Every outgoing packet must have these ESOs.
On every packet transmitted or received on this interface, any NLESO sources present in the IP header should be bounded by the minimum sensitivity level and bounded by the maximum sensitivity level configured for the interface.
When transmitting locally generated traffic out this interface, or adding security information (with the ip security add command), the maximum compartment bit information can be used to construct the NLESO sources placed in the IP header.
A maximum of 16 NLESO sources can be configured per interface. Due to IP header length restrictions, a maximum of 9 of these NLESO sources appear in the IP header of a packet.
Examples
In the following example, the specified ESO source is 5, and the compartment bits are specified as 5:
ip security eso-min 5 5
Related Commands
Command | Description
ip security eso-info | Configures system-wide defaults for extended IPSO information.
ip security eso-max | Specifies the maximum sensitivity level for an interface.
ip security extended-allowed
To accept packets on an interface that has an extended security option present, use the ip security extended-allowed command in interface configuration mode. To restore the default, use the no form of this command.
ip security extended-allowed
no ip security extended-allowed
Syntax Description
This command has no arguments or keywords.
Defaults
Disabled
Command Modes
Interface configuration
Command History
Release | Modification
10.0 | This command was introduced.
Usage Guidelines
By default, packets containing extended security options are rejected; this command makes the interface accept them.
Examples
The following example allows interface Ethernet 0 to accept packets that have an extended security option present:
ip security extended-allowed
Related Commands
Command | Description
ip security add | Adds a basic security option to all outgoing packets.
ip security dedicated | Sets the level of classification and authority on the interface.
ip security first | Prioritizes the presence of security options on a packet.
ip security ignore-authorities | Causes the Cisco IOS software to ignore the authorities field of all incoming packets.
ip security implicit-labelling | Forces the Cisco IOS software to accept packets on the interface, even if they do not include a security option.
ip security multilevel | Sets the range of classifications and authorities on an interface.
ip security reserved-allowed | Treats as valid any packets that have Reserved1 through Reserved4 security levels.
ip security strip | Removes any basic security option on outgoing packets on an interface.
ip security first
To prioritize the presence of security options on a packet, use the ip security first command in interface configuration mode. To stop moving the basic security option of outgoing packets to the front of the options field, use the no form of this command.
ip security first
no ip security first
Syntax Description
This command has no arguments or keywords.
Defaults
Disabled
Command Modes
Interface configuration
Command History
Release | Modification
10.0 | This command was introduced.
Usage Guidelines
If a basic security option is present on an outgoing packet but is not the first IP option, this interface configuration command moves the security option to the front of the options field.
Examples
The following example ensures that, if a basic security option is present in the options field of a packet exiting interface Ethernet 0, the option is moved to the front of the options field:
ip security first
Related Commands
Command | Description
ip security add | Adds a basic security option to all outgoing packets.
ip security dedicated | Sets the level of classification and authority on the interface.
ip security extended-allowed | Accepts packets on an interface that has an Extended Security Option present.
ip security ignore-authorities | Causes the Cisco IOS software to ignore the authorities field of all incoming packets.
ip security implicit-labelling | Forces the Cisco IOS software to accept packets on the interface, even if they do not include a security option.
ip security multilevel | Sets the range of classifications and authorities on an interface.
ip security reserved-allowed | Treats as valid any packets that have Reserved1 through Reserved4 security levels.
ip security strip | Removes any basic security option on outgoing packets on an interface.
ip security ignore-authorities
To have the Cisco IOS software ignore the authorities field of all incoming packets, use the ip security ignore-authorities command in interface configuration mode. To disable this function, use the no form of this command.
ip security ignore-authorities
no ip security ignore-authorities
Syntax Description
This command has no arguments or keywords.
Defaults
Disabled
Command Modes
Interface configuration
Command History
Release | Modification
10.0 | This command was introduced.
Usage Guidelines
When the authorities field of a packet is ignored, the authority value declared for the interface is used in its place. The ip security ignore-authorities command can be configured only on interfaces that have dedicated security levels.
Examples
The following example causes interface Ethernet 0 to ignore the authorities field on all incoming packets:
ip security ignore-authorities
Related Commands
Command | Description
ip security add | Adds a basic security option to all outgoing packets.
ip security dedicated | Sets the level of classification and authority on the interface.
ip security extended-allowed | Accepts packets on an interface that has an Extended Security Option present.
ip security first | Prioritizes the presence of security options on a packet.
ip security implicit-labelling | Forces the Cisco IOS software to accept packets on the interface, even if they do not include a security option.
ip security multilevel | Sets the range of classifications and authorities on an interface.
ip security reserved-allowed | Treats as valid any packets that have Reserved1 through Reserved4 security levels.
ip security strip | Removes any basic security option on outgoing packets on an interface.
ip security ignore-cipso
To enable Cisco IOS software to ignore the Commercial IP Security Option (CIPSO) field of all incoming packets at the interface, use the ip security ignore-cipso command in interface configuration mode. To disable this function, use the no form of this command.
ip security ignore-cipso
no ip security ignore-cipso
Syntax Description
This command has no arguments or keywords.
Command Default
Cisco IOS software cannot ignore the CIPSO field.
Command Modes
Interface configuration
Command History
Release | Modification
11.2 | This command was introduced.
12.2(33)SRA | This command was integrated into Cisco IOS Release 12.2(33)SRA.
Usage Guidelines
The ip security ignore-cipso command allows a router running Cisco IOS software to ignore the CIPSO field in the IP packet and forward the packet as if the field were not present.
Examples
The following example shows how to enable Cisco IOS software to ignore the CIPSO field for all incoming packets at the Ethernet interface:
ip security ignore-cipso
The following sample output from the show ip interface command can be used to verify that the ip security ignore-cipso option has been enabled. If this option is enabled, the output will display the text "Commercial security options are ignored."
Router# show ip interface ethernet 0
Ethernet0 is up, line protocol is up
Internet address is 172.16.0.0/28
Broadcast address is 255.255.255.255
Address determined by non-volatile memory
Helper address is not set
Directed broadcast forwarding is enabled
Secondary address 172.19.56.31/24
Outgoing access list is not set
Inbound access list is not set
Security level is default
Commercial security options are ignored
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is enabled
IP fast switching on the same interface is disabled
IP multicast fast switching is disabled
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
Probe proxy name replies are disabled
Gateway Discovery is disabled
Policy routing is disabled
Network address translation is disabled
The following sample outputs from the show ip traffic command can be used to verify that the ip security ignore-cipso command has been enabled:
Sample Output Before the ip security ignore-cipso Command Was Introduced
Rcvd: 153 total, 129 local destination
0 format errors, 0 checksum errors, 0 bad hop count
0 unknown protocol, 0 not a gateway
0 security failures, 34 bad options, 44 with options
Opts: 10 end, 0 nop, 0 basic security, 0 loose source route
0 timestamp, 0 extended security, 0 record route
0 stream ID, 0 strict source route, 0 alert, 0 other
Frags: 0 reassembled, 0 timeouts, 0 couldn't reassemble
0 fragmented, 0 couldn't fragment
Bcast: 108 received, 1 sent
Mcast: 0 received, 4 sent
Sent: 30 generated, 0 forwarded
2 encapsulation failed, 0 no route
Sample Output with the ip security ignore-cipso Command Enabled
Rcvd: 153 total, 129 local destination
0 format errors, 0 checksum errors, 0 bad hop count
0 unknown protocol, 0 not a gateway
0 security failures, 34 bad options, 44 with options
Opts: 10 end, 0 nop, 0 basic security, 0 loose source route
0 timestamp, 0 extended security, 0 record route
0 stream ID, 0 strict source route, 0 alert, 44 cipso
Frags: 0 reassembled, 0 timeouts, 0 couldn't reassemble
0 fragmented, 0 couldn't fragment
Bcast: 108 received, 1 sent
Mcast: 0 received, 4 sent
Sent: 30 generated, 0 forwarded
2 encapsulation failed, 0 no route
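The two checks above (the "Commercial security options are ignored" line in show ip interface and the cipso counter that appears on the Opts line of show ip traffic) can be scripted when many interfaces have to be audited. The following is an added example, not Cisco code: the sample strings are the relevant lines copied from the show output reproduced on this page, and the function names (cipso_ignored, parse_counter_block, cipso_packets_counted, ignore_cipso_verified) are this example's own. The counter parser is written for any named block of show ip traffic, so the Rcvd block's "security failures" and "bad options" counters can be read the same way.

```python
"""Scripted verification of ip security ignore-cipso (added example, not Cisco code).

The samples are the relevant lines of the show ip interface and show ip traffic
output reproduced on this page; only the text is parsed, nothing is sent to a router.
"""
import re
from typing import Dict

SAMPLE_SHOW_IP_INTERFACE = """\
Ethernet0 is up, line protocol is up
  Internet address is 172.16.0.0/28
  Security level is default
  Commercial security options are ignored
  ICMP redirects are always sent
"""

SAMPLE_SHOW_IP_TRAFFIC_BEFORE = """\
  Rcvd: 153 total, 129 local destination
        0 format errors, 0 checksum errors, 0 bad hop count
        0 unknown protocol, 0 not a gateway
        0 security failures, 34 bad options, 44 with options
  Opts: 10 end, 0 nop, 0 basic security, 0 loose source route
        0 timestamp, 0 extended security, 0 record route
        0 stream ID, 0 strict source route, 0 alert, 0 other
  Frags: 0 reassembled, 0 timeouts, 0 couldn't reassemble
"""
# With ignore-cipso enabled the page's sample shows "44 cipso" in place of "0 other".
SAMPLE_SHOW_IP_TRAFFIC_AFTER = SAMPLE_SHOW_IP_TRAFFIC_BEFORE.replace("0 other", "44 cipso")

# One "<count> <name>" pair; names may contain spaces or an apostrophe (couldn't).
_COUNTER = re.compile(r"(\d+)\s+([A-Za-z][A-Za-z' ]*?)(?:,|$)")
_BLOCK_HEADER = re.compile(r"([A-Za-z]+):\s*(.*)")


def cipso_ignored(show_ip_interface: str) -> bool:
    """True when the interface reports that CIPSO options are ignored."""
    return any(line.strip() == "Commercial security options are ignored"
               for line in show_ip_interface.splitlines())


def parse_counter_block(show_ip_traffic: str, block: str) -> Dict[str, int]:
    """Return the counters of one block (e.g. "Opts" or "Rcvd") of show ip traffic.

    A block starts at the line beginning with "<block>:" and runs until the next
    "<Name>:" header.
    """
    counters: Dict[str, int] = {}
    in_block = False
    for raw in show_ip_traffic.splitlines():
        line = raw.strip()
        header = _BLOCK_HEADER.match(line)
        if header:
            if in_block:
                break  # reached the next block
            in_block = header.group(1) == block
            line = header.group(2)
        if in_block:
            for count, name in _COUNTER.findall(line):
                counters[name.strip()] = int(count)
    return counters


def cipso_packets_counted(show_ip_traffic: str) -> int:
    """Packets counted under the cipso option counter (0 if the counter is absent)."""
    return parse_counter_block(show_ip_traffic, "Opts").get("cipso", 0)


def ignore_cipso_verified(show_ip_interface: str, show_ip_traffic: str) -> bool:
    """Both indicators the page describes: the interface flag and a cipso counter present."""
    return (cipso_ignored(show_ip_interface)
            and "cipso" in parse_counter_block(show_ip_traffic, "Opts"))
```

The Rcvd block is worth reading alongside the Opts block: a rising "security failures" or "bad options" count on an interface that is supposed to ignore CIPSO is the signal that the option is still being evaluated.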
Related Commands
Command | Description
show ip interfaces | Displays the usability status of interfaces configured for IP.
show ip traffic | Displays statistics about IP traffic.
ip security implicit-labelling
To force the Cisco IOS software to accept packets on the interface, even if they do not include a security option, use the ip security implicit-labelling command in interface configuration mode. To require security options, use the no form of this command.
ip security implicit-labelling [level authority [authority...]]
no ip security implicit-labelling [level authority [authority...]]
Syntax Description
level | (Optional) Degree of sensitivity of information. If your interface has multilevel security set, you must specify this argument. (See the level keywords listed in Table 27 in the ip security dedicated command section.)
authority | (Optional) Organization that defines the set of security levels that will be used in a network. If your interface has multilevel security set, you must specify this argument. You can specify more than one. (See the authority keywords listed in Table 28 in the ip security dedicated command section.)
Defaults
Enabled, when the security level of the interface is "Unclassified Genser" (or unconfigured). Otherwise, the default is disabled.
Command Modes
Interface configuration
Command History
Release | Modification
10.0 | This command was introduced.
Usage Guidelines
If your interface has multilevel security set, you must use the expanded form of the command (with the optional arguments as noted in brackets) because the arguments are used to specify the precise level and authority to use when labeling the packet. If your interface has dedicated security set, the additional arguments are ignored.
Examples
In the following example, an interface is set for security and will accept unlabeled packets:
ip security dedicated confidential genser
ip security implicit-labelling
Related Commands
Command | Description
ip security add | Adds a basic security option to all outgoing packets.
ip security dedicated | Sets the level of classification and authority on the interface.
ip security extended-allowed | Accepts packets on an interface that has an Extended Security Option present.
ip security first | Prioritizes the presence of security options on a packet.
ip security ignore-authorities | Causes the Cisco IOS software to ignore the authorities field of all incoming packets.
ip security multilevel | Sets the range of classifications and authorities on an interface.
ip security reserved-allowed | Treats as valid any packets that have Reserved1 through Reserved4 security levels.
ip security strip | Removes any basic security option on outgoing packets on an interface.
ip security multilevel
To set the range of classifications and authorities on an interface, use the ip security multilevel command in interface configuration mode. To remove security classifications and authorities, use the no form of this command.
ip security multilevel level1 [authority1...] to level2 authority2 [authority2...]
no ip security multilevel
Syntax Description
level1 | Degree of sensitivity of information. The classification level of incoming packets must be equal to or greater than this value for processing to occur. (See the level keywords found in Table 27 in the ip security dedicated command section.)
authority1 | (Optional) Organization that defines the set of security levels that will be used in a network. The authority bits must be a superset of this value. (See the authority keywords listed in Table 28 in the ip security dedicated command section.)
to | Separates the range of classifications and authorities.
level2 | Degree of sensitivity of information. The classification level of incoming packets must be equal to or less than this value for processing to occur. (See the level keywords found in Table 27 in the ip security dedicated command section.)
authority2 | Organization that defines the set of security levels that will be used in a network. The authority bits must be a proper subset of this value. (See the authority keywords listed in Table 28 in the ip security dedicated command section.)
Defaults
Disabled
Command Modes
Interface configuration
Command History
Release | Modification
10.0 | This command was introduced.
Usage Guidelines
All traffic entering or leaving the system must have a security option that falls within this range. Being within range requires that the following two conditions be met:
• The classification level must be greater than or equal to level1 and less than or equal to level2.
• The authority bits must be a superset of authority1 and a proper subset of authority2. That is, authority1 specifies those authority bits that are required on a packet, and authority2 specifies the required bits plus any optional authorities that also can be included. If the authority1 field is the empty set, then a packet is required to specify any one or more of the authority bits in authority2.
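The two range conditions above, together with the level and authority bit patterns of Tables 27 and 28, can be made concrete by decoding a basic security option and applying the check to it. The following is an added example, not Cisco's implementation: it decodes the RFC 1108 basic security option (option type 130, length, classification octet, protection authority octets whose low bit says whether another octet follows), locates that option in an IPv4 header so that the ordering ip security first guarantees can be checked, and evaluates a multilevel range such as the page's unclassified to secret nsa. The Top Secret, Secret, Confidential and Reserved4 codes are taken from RFC 1108 because Table 27 is only partly reproduced on this page; the function names are this example's own, and two points the page leaves open are marked as assumptions in the code (how a Reserved level is ranked once ip security reserved-allowed is set, and "proper subset" being read as "no bit outside authority2").

```python
"""IPSO basic security option (RFC 1108) decoder and multilevel range check.

Added example, not Cisco code. Codes for Top Secret, Secret, Confidential and
Reserved4 are taken from RFC 1108 because Table 27 is only partly reproduced here.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

IPOPT_SECURITY = 130  # IP option type of the basic security option
FTI = 0x01            # field termination indicator: set = another authority octet follows

# Classification codes, lowest to highest sensitivity (Table 27 / RFC 1108).
LEVEL_CODES: Dict[str, int] = {
    "Unclassified": 0xAB,  # 1010 1011 (Table 27)
    "Confidential": 0x96,  # 1001 0110 (RFC 1108)
    "Secret": 0x5A,        # 0101 1010 (RFC 1108)
    "TopSecret": 0x3D,     # 0011 1101 (RFC 1108)
}
LEVEL_RANK = list(LEVEL_CODES)  # dict order is the sensitivity ordering
# Reserved levels (Table 27 / RFC 1108) have no place in that ordering.
RESERVED_CODES = {0x01: "Reserved4", 0x66: "Reserved3", 0xCC: "Reserved2", 0xF1: "Reserved1"}
# Protection authority flag bits of the first authority octet (Table 28).
AUTHORITY_BITS: Dict[str, int] = {"Genser": 0x80, "Siop-Esi": 0x40, "DIA": 0x20,
                                  "NSA": 0x10, "DOE": 0x08}


@dataclass(frozen=True)
class BasicSecurityOption:
    classification: int  # raw classification octet
    authorities: int     # flag bits (0xFE mask) of the first authority octet


def parse_basic_security_option(opt: bytes) -> BasicSecurityOption:
    """Decode type, length, classification and the protection authority flags."""
    if len(opt) < 3 or opt[0] != IPOPT_SECURITY or opt[1] != len(opt):
        raise ValueError("malformed basic security option")
    flags, i = 0, 3
    while i < len(opt):
        octet = opt[i]
        if i == 3:
            flags = octet & 0xFE
        elif octet & 0xFE:
            raise ValueError("unassigned authority bits in a later octet")
        i += 1
        if not octet & FTI:  # FTI clear: this was the last authority octet
            break
    else:
        if len(opt) > 3:
            raise ValueError("authority flags truncated (FTI set on last octet)")
    if i != len(opt):
        raise ValueError("trailing bytes after the authority flags")
    return BasicSecurityOption(opt[2], flags)


def find_basic_security_option(ipv4_header: bytes) -> Tuple[Optional[bytes], bool]:
    """Walk the options area; return (option bytes or None, True if it is the first option)."""
    ihl = (ipv4_header[0] & 0x0F) * 4
    if ihl < 20 or len(ipv4_header) < ihl:
        raise ValueError("bad IHL")
    opts, pos, index = ipv4_header[20:ihl], 0, 0
    while pos < len(opts) and opts[pos] != 0:  # 0 = End of Option List
        if opts[pos] == 1:                     # 1 = No Operation (single byte)
            pos, index = pos + 1, index + 1
            continue
        if pos + 1 >= len(opts) or opts[pos + 1] < 2 or pos + opts[pos + 1] > len(opts):
            raise ValueError("bad option length")
        if opts[pos] == IPOPT_SECURITY:
            return bytes(opts[pos:pos + opts[pos + 1]]), index == 0
        pos, index = pos + opts[pos + 1], index + 1
    return None, False


def authority_mask(names: Iterable[str]) -> int:
    mask = 0
    for name in names:
        mask |= AUTHORITY_BITS[name]
    return mask


def in_multilevel_range(bso: BasicSecurityOption, level1: str, authority1: Iterable[str],
                        level2: str, authority2: Iterable[str],
                        reserved_allowed: bool = False) -> bool:
    """The two conditions from the ip security multilevel usage guidelines."""
    if bso.classification in RESERVED_CODES:
        # Undefined levels are dropped unless ip security reserved-allowed is set;
        # assumption: that command skips the rank comparison, which has no slot for them.
        if not reserved_allowed:
            return False
    else:
        name = next((n for n, c in LEVEL_CODES.items() if c == bso.classification), None)
        if name is None:
            return False  # unknown classification octet
        if not LEVEL_RANK.index(level1) <= LEVEL_RANK.index(name) <= LEVEL_RANK.index(level2):
            return False  # condition 1: level1 <= level <= level2
    required, allowed, have = authority_mask(authority1), authority_mask(authority2), bso.authorities
    if have & required != required:
        return False  # condition 2: every authority1 bit is required
    if have & ~allowed & 0xFE:
        return False  # condition 2: no bit outside authority2 ("subset" read as no extra bits)
    if required == 0 and have & allowed == 0:
        return False  # empty authority1: at least one authority2 bit must be present
    return True
```

The page's example ip security multilevel unclassified to secret nsa corresponds to in_multilevel_range(bso, "Unclassified", [], "Secret", ["NSA"]): a Secret/NSA packet passes, a Secret/Genser packet fails on the authority2 condition, and an Unclassified packet carrying no authority at all fails because authority1 is empty. The second value returned by find_basic_security_option is the property ip security first establishes on outgoing packets.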
Examples
The following example specifies levels Unclassified to Secret and NSA authority:
ip security multilevel unclassified to secret nsa
Related Commands
Command | Description
ip security add | Adds a basic security option to all outgoing packets.
ip security dedicated | Sets the level of classification and authority on the interface.
ip security extended-allowed | Accepts packets on an interface that has an Extended Security Option present.
ip security first | Prioritizes the presence of security options on a packet.
ip security ignore-authorities | Causes the Cisco IOS software to ignore the authorities field of all incoming packets.
ip security implicit-labelling | Forces the Cisco IOS software to accept packets on the interface, even if they do not include a security option.
ip security reserved-allowed | Treats as valid any packets that have Reserved1 through Reserved4 security levels.
ip security strip | Removes any basic security option on outgoing packets on an interface.
ip security reserved-allowed
To treat as valid any packets that have Reserved1 through Reserved4 security levels, use the ip security reserved-allowed command in interface configuration mode. To disallow packets that have security levels of Reserved3 and Reserved2, use the no form of this command.
ip security reserved-allowed
no ip security reserved-allowed
Syntax Description
This command has no arguments or keywords.
Defaults
Disabled
Command Modes
Interface configuration
Command History
Release | Modification
10.3 | This command was introduced.
Usage Guidelines
When you set multilevel security on an interface, and indicate, for example, that the highest range allowed is Confidential, and the lowest is Unclassified, the Cisco IOS software neither allows nor operates on packets that have security levels of Reserved3 and Reserved2 because they are undefined.
If you use the IP Security Option (IPSO) to block transmission out of unclassified interfaces, and you use one of the Reserved security levels, you must enable this feature to preserve network security.
Examples
The following example allows a security level of Reserved through Ethernet interface 0:
ip security reserved-allowed
Related Commands
Command | Description
ip security add | Adds a basic security option to all outgoing packets.
ip security dedicated | Sets the level of classification and authority on the interface.
ip security extended-allowed | Accepts packets on an interface that has an Extended Security Option present.
ip security first | Prioritizes the presence of security options on a packet.
ip security ignore-authorities | Causes the Cisco IOS software to ignore the authorities field of all incoming packets.
ip security implicit-labelling | Forces the Cisco IOS software to accept packets on the interface, even if they do not include a security option.
ip security multilevel | Sets the range of classifications and authorities on an interface.
ip security strip | Removes any basic security option on outgoing packets on an interface.
ip security strip
To remove any basic security option on outgoing packets on an interface, use the ip security strip command in interface configuration mode. To restore security options, use the no form of this command.
ip security strip
no ip security strip
Syntax Description
This command has no arguments or keywords.
Defaults
Disabled
Command Modes
Interface configuration
Command History
Release | Modification
10.0 | This command was introduced.
Usage Guidelines
The removal procedure is performed after all security tests in the router have been passed. This command is not allowed for multilevel interfaces.
Examples
The following example removes any basic security options on outgoing packets on Ethernet interface 0:
ip security strip
Related Commands
Command | Description
ip security add | Adds a basic security option to all outgoing packets.
ip security dedicated | Sets the level of classification and authority on the interface.
ip security extended-allowed | Accepts packets on an interface that has an Extended Security Option present.
ip security first | Prioritizes the presence of security options on a packet.
ip security ignore-authorities | Causes the Cisco IOS software to ignore the authorities field of all incoming packets.
ip security implicit-labelling | Forces the Cisco IOS software to accept packets on the interface, even if they do not include a security option.
ip security multilevel | Sets the range of classifications and authorities on an interface.
ip security reserved-allowed | Treats as valid any packets that have Reserved1 through Reserved4 security levels.
ip source-track
To enable IP source tracking for a specified host, use the ip source-track command in global configuration mode. To disable IP source tracking, use the no form of this command.
ip source-track ip-address
no ip source-track ip-address
Syntax Description
ip-address | Destination IP address of the host that is to be tracked.
Defaults
IP address tracking is not enabled.
Command Modes
Global configuration
Command History
Release | Modification
12.0(21)S | This command was introduced.
12.0(22)S | This command was implemented on the Cisco 7500 series routers.
12.0(26)S | This command was implemented on Cisco 12000 series ISE line cards.
12.3(7)T | This command was integrated into Cisco IOS Release 12.3(7)T.
12.2(25)S | This command was integrated into Cisco IOS Release 12.2(25)S.
Usage Guidelines
IP source tracking allows you to gather information about the traffic that is flowing to a host that is suspected of being under attack. It also allows you to easily trace a denial-of-service (DoS) attack to its entry point into the network.
After you have identified the destination that is being attacked, enable tracking for the destination address on the whole router by entering the ip source-track command.
Examples
The following example shows how to configure IP source tracking on all line cards and port adapters in the router. In this example, each line card or port adapter collects traffic flow data to host address 100.10.0.1 for 2 minutes before creating an internal system log entry; packet and flow information recorded in the system log is exported for viewing to the route processor or switch processor every 60 seconds.
Router# configure terminal
Router(config)# ip source-track 100.10.0.1
Router(config)# ip source-track syslog-interval 2
Router(config)# ip source-track export-interval 60
Related Commands
Command | Description
ip source-track address-limit | Configures the maximum number of destination hosts that can be simultaneously tracked at any given moment.
ip source-track export-interval | Sets the time interval (in seconds) in which IP source tracking statistics are exported from the line card to the RP.
ip source-track syslog-interval | Sets the time interval (in minutes) in which syslog messages are generated if IP source tracking is enabled on a device.
show ip source-track | Displays traffic flow statistics for tracked IP host addresses.
show ip source-track export flows | Displays the last 10 packet flows that were exported from the line card to the route processor.
ip source-track address-limit
To configure the maximum number of destination hosts that can be simultaneously tracked at any given moment, use the ip source-track address-limit command in global configuration mode. To cancel this administrative limit and return to the default, use the no form of this command.
ip source-track address-limit number
no ip source-track address-limit number
Syntax Description
number | Maximum number of hosts that can be tracked.
Defaults
An unlimited number of hosts can be tracked.
Command Modes
Global configuration
Command History
Release | Modification
12.0(21)S | This command was introduced.
12.0(22)S | This command was implemented on the Cisco 7500 series routers.
12.0(26)S | This command was implemented on Cisco 12000 series ISE line cards.
12.3(7)T | This command was integrated into Cisco IOS Release 12.3(7)T.
12.2(25)S | This command was integrated into Cisco IOS Release 12.2(25)S.
Usage Guidelines
After you have configured at least one destination IP address for source tracking (via the ip source-track command), you can limit the number of destination IP addresses that can be tracked via the ip source-track address-limit command.
Examples
The following example shows how to configure IP source tracking for data that flows to host 100.10.0.1 and limit IP source tracking to 10 IP addresses:
Router(config)# ip source-track 100.10.0.1
Router(config)# ip source-track address-limit 10
Related Commands
Command | Description
ip source-track | Enables IP source tracking for a specified host.
show ip source-track | Displays traffic flow statistics for tracked IP host addresses.
ip source-track export-interval
To set the time interval (in seconds) in which IP source tracking statistics are exported from the line card to the route processor (RP), use the ip source-track export-interval command in global configuration mode. To return to default functionality, use the no form of this command.
ip source-track export-interval number
no ip source-track export-interval number
Syntax Description
number | Number of seconds that pass before IP source tracking statistics are exported.
Defaults
Traffic flow information is exported from the line card to the RP every 30 seconds.
Command Modes
Global configuration
Command History
Release | Modification
12.0(21)S | This command was introduced.
12.0(22)S | This command was implemented on the Cisco 7500 series routers.
12.0(26)S | This command was implemented on Cisco 12000 series ISE line cards.
12.3(7)T | This command was integrated into Cisco IOS Release 12.3(7)T.
12.2(25)S | This command was integrated into Cisco IOS Release 12.2(25)S.
Usage Guidelines
Use the ip source-track export-interval command to specify the frequency in which IP source tracking information is sent to the RP for viewing.
Note
This command can be issued only on distributed platforms such as the gigabit route processor (GRP) and the route switch processor (RSP).
Examples
The following example shows how to configure IP source tracking on all line cards and port adapters in the router. In this example, each line card or port adapter collects traffic flow data to host address 100.10.0.1 for 2 minutes before creating an internal system log entry; packet and flow information recorded in the system log is exported for viewing to the route processor or switch processor every 60 seconds.
Router# configure terminal
Router(config)# ip source-track 100.10.0.1
Router(config)# ip source-track syslog-interval 2
Router(config)# ip source-track export-interval 60
Related Commands
Command | Description
ip source-track | Enables IP source tracking for a specified host.
show ip source-track export flows | Displays the last 10 packet flows that were exported from the line card to the route processor.
ip source-track syslog-interval
To set the time interval (in minutes) in which syslog messages are generated if IP source tracking is enabled on a device, use the ip source-track syslog-interval command in global configuration mode. To cancel this setting and disable syslog generation, use the no form of this command.
ip source-track syslog-interval number
no ip source-track syslog-interval number
Syntax Description
number | Number of minutes that pass before a syslog message is generated for the tracked destination.
Defaults
Syslog messages are not generated.
Command Modes
Global configuration
Command History
Release | Modification
12.0(21)S | This command was introduced.
12.0(22)S | This command was implemented on the Cisco 7500 series routers.
12.0(26)S | This command was implemented on Cisco 12000 series ISE line cards.
12.3(7)T | This command was integrated into Cisco IOS Release 12.3(7)T.
12.2(25)S | This command was integrated into Cisco IOS Release 12.2(25)S.
Usage Guidelines
Use the ip source-track syslog-interval command to log, at the configured interval, the source interfaces of traffic that is destined to a particular tracked address.
Examples
The following example shows how to configure IP source tracking on all line cards and port adapters in the router. In this example, each line card or port adapter collects traffic flow data to host address 100.10.0.1 for 2 minutes before creating an internal system log entry; packet and flow information recorded in the system log is exported for viewing to the route processor or switch processor every 60 seconds.
Router# configure terminal
Router(config)# ip source-track 100.10.0.1
Router(config)# ip source-track syslog-interval 2
Router(config)# ip source-track export-interval 60
Related Commands
Command | Description
ip source-track | Enables IP source tracking for a specified host.
show ip source-track | Displays traffic flow statistics for tracked IP host addresses.
ip ssh
To configure Secure Shell (SSH) control parameters on your router, use the ip ssh command in global configuration mode. To restore the default value, use the no form of this command.
ip ssh [timeout seconds | authentication-retries integer]
no ip ssh [timeout seconds | authentication-retries integer]
Syntax Description
timeout
|
(Optional) The time interval that the router waits for the SSH client to respond.
This setting applies to the SSH negotiation phase. Once the EXEC session starts, the standard timeouts configured for the vty apply. By default, there are 5 vtys defined (0-4), so 5 terminal sessions are possible. After SSH starts the EXEC shell, the vty timeout applies; it defaults to 10 minutes.
|
seconds
|
(Optional) The number of seconds until timeout disconnects, with a maximum of 120 seconds. The default is 120 seconds.
|
authentication- retries
|
(Optional) The number of attempts after which the interface is reset.
|
integer
|
(Optional) The number of retries, with a maximum of 5 authentication retries. The default is 3.
|
Defaults
120 seconds for the timeout timer
3 authentication retries
Command Modes
Global configuration
Command History
Release
|
Modification
|
12.0(5)S
|
This command was introduced.
|
12.1(1)T
|
This command was integrated into Cisco IOS Release 12.1(1)T.
|
Usage Guidelines
Before you configure SSH on your router, you must enable the SSH server by generating an RSA key pair with the crypto key generate rsa command; the ip ssh command has no effect until an RSA key pair exists.
Examples
The following example configures SSH control parameters on your router:
ip ssh authentication-retries 3
ip ssh break-string
To configure a string that, when received from a Secure Shell (SSH) client, will cause the Cisco IOS SSH server to transmit a break signal out an asynchronous line, use the ip ssh break-string command in global configuration mode. To remove the string, use the no form of this command.
ip ssh break-string string
no ip ssh break-string string
Syntax Description
string
|
Any sequence of characters not including embedded whitespace. Include control characters by prefixing them with ^V (Ctrl-V) or denote them using the \000 notation (that is, a backslash followed by the ASCII value of the character in three octal digits).
|
Defaults
Break signal is not enabled
Command Modes
Global configuration
Command History
Release
|
Modification
|
12.3(2)
|
This command was introduced.
|
12.3(2)T
|
This command was integrated into Cisco IOS Release 12.3(2)T.
|
Usage Guidelines
Note
This break string is used only for SSH sessions that are outbound on physical lines using the SSH Terminal-Line Access feature. This break string is not used by the Cisco IOS SSH client, nor is it used by the Cisco IOS SSH server when the server uses a virtual terminal (VTY) line. This break string does not provide any interoperability with the method that is described in the Internet Engineering Task Force (IETF) Internet-Draft "Session Channel Break Extension" (draft-ietf-secsh-break-02.txt).
Note
In some versions of Cisco IOS, if the SSH break string is set to a single character, the Cisco IOS SSH server will not process that character as a break signal immediately on receipt but will wait until it has received a subsequent character. A break string of two or more characters is processed as a break signal immediately after the last character in the string has been received from the SSH client, so prefer a multi-character string where an immediate break matters.
Examples
The following example shows that the control-B character (ASCII 2) has been set as the SSH break string:
Router(config)# ip ssh break-string \002
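The notation above, as an added example that is not part of the original command reference: a small Python parser that converts a break string as typed at the CLI (octal \ooo escapes and Ctrl-V-quoted control characters) into the bytes the server would watch for, and a scanner that reports where in a client byte stream a break would be raised. The one-character delay described in the second note is modelled by the delay_single option. The function names, the treatment of Ctrl-V (0x16) as a quote for the next character, and the sample byte streams are assumptions, not IOS behaviour taken from the page.

```python
"""Parser and matcher for the ip ssh break-string notation.
Added illustration, not Cisco IOS code; function names, the Ctrl-V quoting
rule and the constructed streams are assumptions."""
CTRL_V = 0x16      # assumed: Ctrl-V quotes the next character, as in the IOS line editor
OCTAL = "01234567"


def parse_break_string(typed: str) -> bytes:
    """Turn '\\ooo' escapes and Ctrl-V-quoted characters into raw bytes.
    Whitespace is rejected because the command does not allow it."""
    out = bytearray()
    i = 0
    while i < len(typed):
        ch = typed[i]
        if ch.isspace():
            raise ValueError("break string may not contain whitespace")
        if ch == "\\" and len(typed) >= i + 4 and all(c in OCTAL for c in typed[i + 1:i + 4]):
            value = int(typed[i + 1:i + 4], 8)        # e.g. \002 -> 0x02
            if value > 0xFF:
                raise ValueError("octal escape above \\377")
            out.append(value)
            i += 4
        elif ord(ch) == CTRL_V and i + 1 < len(typed):
            out.append(ord(typed[i + 1]) & 0xFF)       # quoted: taken literally
            i += 2
        else:
            if ord(ch) > 0xFF:
                raise ValueError("non-byte character in break string")
            out.append(ord(ch))
            i += 1
    if not out:
        raise ValueError("empty break string")
    return bytes(out)


def break_positions(stream: bytes, brk: bytes, delay_single: bool = False) -> list:
    """Offsets (one past the last byte of each occurrence of brk) at which the
    server would raise a break. With delay_single=True a one-byte break string
    fires only after a following byte has been received, as the note describes."""
    hits = []
    start = 0
    while True:
        i = stream.find(brk, start)
        if i < 0:
            return hits
        end = i + len(brk)
        if len(brk) == 1 and delay_single:
            if end < len(stream):              # wait for the next byte
                hits.append(end + 1)
        else:
            hits.append(end)
        start = end
```

The delay_single cases show why a two-byte break string is the safer choice on an affected release: with a single control character the break is not raised until the client sends something else.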
Related Commands
Command
|
Description
|
ip ssh port
|
Enables SSH access to TTY lines.
|
ip ssh port
To enable secure access to tty (asynchronous) lines, use the ip ssh port command in global configuration mode. To disable this functionality, use the no form of this command.
ip ssh port port-num rotary group
no ip ssh port port-num rotary group
Syntax Description
port-num
|
Specifies the TCP port, such as 2001, on which the router's SSH server accepts connections for the rotary group; an SSH client that connects to that port is placed on a free line of the group.
|
rotary group
|
Specifies the rotary group (defined on the lines with the rotary line configuration command) in which a free line is searched for when a client connects to the port.
|
Defaults
This command is disabled by default.
Command Modes
Global configuration
Command History
Release
|
Modification
|
12.2(2)T
|
This command was introduced.
|
Usage Guidelines
The ip ssh port command supports a functionality that replaces reverse Telnet with SSH. Use this command to securely access the devices attached to the serial ports of a router and to perform the following tasks:
•
Connect to a router with multiple terminal lines that are connected to consoles of other devices.
•
Allow network available modems to be securely accessed for dial-out.
Examples
The following example shows how to configure the SSH Terminal-Line Access feature for modems used for dial-out on lines 1 through 200. The lines are placed in rotary group 1, and SSH connections to TCP port 2000 are mapped to that group:
line 1 200
 login authentication default
 rotary 1
ip ssh port 2000 rotary 1
The following example shows how to configure the SSH Terminal-Line Access feature to access the console ports of various devices that are attached to the serial ports of the router. For this type of access, each line is put into its own rotary, and each rotary is used for a single port. In this example, lines 1 through 3 are used, and the port (line) mappings of the configuration are as follows: Port 2001 = Line 1, Port 2002 = Line 2, and Port 2003 = Line 3. The rotary 1 3 form maps consecutive ports starting at 2001 to rotary groups 1 through 3:
line 1
 login authentication default
 rotary 1
! lines 2 and 3 are configured the same way, in rotary 2 and rotary 3
ip ssh port 2001 rotary 1 3
From any UNIX or UNIX-like device, the following command is typically used to form an SSH session:
ssh -c 3des -p 2002 router.example.com
This command initiates an SSH session to the device known as "router.example.com" on port 2002, using the 3DES cipher. The router connects the session to Line 2, which was associated with port 2002. Similarly, many Windows SSH packages have related methods of selecting the cipher and the port for this access. Treat 3des as a legacy choice: where the router's software supports an AES cipher, select that instead.
Related Commands
Command
|
Description
|
ip ssh
|
Configures SSH control variables on your router.
|
line
|
Identifies a specific line for configuration and begins the command in line configuration mode.
|
rotary
|
Defines a group of lines consisting of one or more lines.
|
ssh
|
Starts an encrypted session with a remote networking device.
|
transport input
|
Defines which protocols to use to connect to a specific line of the router.
|
ip ssh rsa keypair-name
To specify which Rivest, Shamir, and Adleman (RSA) key pair to use for a Secure Shell (SSH) connection, use the ip ssh rsa keypair-name command in global configuration mode. To disable the key pair that was configured, use the no form of this command.
ip ssh rsa keypair-name keypair-name
no ip ssh rsa keypair-name keypair-name
Syntax Description
keypair-name
|
Name of the key pair.
|
Defaults
If this command is not configured, SSH will use the first RSA key pair that is enabled.
Command Modes
Global configuration
Command History
Release
|
Modification
|
12.3(4)T
|
This command was introduced.
|
12.3(2)XE
|
This command was introduced into Cisco IOS Release 12.3(2)XE.
|
Usage Guidelines
Using the ip ssh rsa keypair-name command, you can enable an SSH connection using the RSA key pair that you name with the keypair-name argument. Previously, SSH was tied to the first RSA key pair that was generated (that is, SSH was enabled when the first RSA key pair was generated). That behavior still exists, but the ip ssh rsa keypair-name command overrides it. If you configure the ip ssh rsa keypair-name command with a key pair name, SSH is enabled if the key pair exists, or will be enabled when the key pair is generated later. If you use this command, you are not forced to configure a host name and a domain name.
Note
A Cisco IOS router can have many RSA key pairs.
Examples
The following example shows that the ip ssh rsa keypair-name command has been used to specify the RSA key pair "sshkeys" for a SSH connection:
Router# configure terminal
Router(config)# ip ssh rsa keypair-name sshkeys
Related Commands
Command
|
Description
|
debug ip ssh
|
Displays debug messages for SSH.
|
disconnect ssh
|
Terminates a SSH connection on your router.
|
ip ssh
|
Configures SSH control parameters on your router.
|
ip ssh version
|
Specifies the version of SSH to be run on a router.
|
show ip ssh
|
Displays the SSH connections of your router.
|
ip ssh source-interface
To specify the IP address of an interface as the source address for a Secure Shell (SSH) client device, use the ip ssh source-interface command in global configuration mode. To remove the IP address as the source address, use the no form of this command.
ip ssh source-interface interface
no ip ssh source-interface interface
Syntax Description
interface
|
The interface whose address is used as the source address for the SSH client.
|
Defaults
The address of the closest interface to the destination is used as the source address (the closest interface is the output interface through which the SSH packet is sent).
Command Modes
Global configuration
Command History
Release
|
Modification
|
12.2(8)T
|
This command was introduced.
|
Usage Guidelines
By specifying this command, you can force the SSH client to use the IP address of the named interface as the source address. This is useful when the remote SSH server or a firewall in the path admits connections only from known addresses: a loopback interface provides a source address that does not change when the egress interface does.
Examples
In the following example, the IP address assigned to Ethernet interface 0 will be used as the source address for the SSH client:
ip ssh source-interface ethernet0
ip ssh version
To specify the version of Secure Shell (SSH) to be run on a router, use the ip ssh version command in global configuration mode. To disable the version of SSH that was configured and to return to compatibility mode, use the no form of this command.
ip ssh version [1 | 2]
no ip ssh version [1 | 2]
Syntax Description
1
|
(Optional) Router runs only SSH Version 1.
|
2
|
(Optional) Router runs only SSH Version 2.
|
Defaults
If this command is not configured, SSH operates in compatibility mode, that is, Version 1 and Version 2 are both supported.
Command Modes
Global configuration
Command History
Release
|
Modification
|
12.3(4)T
|
This command was introduced.
|
12.3(2)XE
|
This command was introduced into Cisco IOS Release 12.3(2)XE.
|
Usage Guidelines
Use this command with the 2 keyword to ensure that your router never negotiates a weaker SSH Version 1 connection. In the default compatibility mode the client chooses the version, so a client that offers only Version 1 is still accepted.
Examples
The following example shows that only SSH Version 1 support is configured:
Router(config)# ip ssh version 1
The following example shows that only SSH Version 2 is configured:
Router(config)# ip ssh version 2
The following example shows that SSH Versions 1 and 2 are configured:
Router(config)# no ip ssh version
Related Commands
Command
|
Description
|
debug ip ssh
|
Displays debug messages for SSH.
|
disconnect ssh
|
Terminates a SSH connection on your router.
|
ip ssh
|
Configures SSH control parameters on your router.
|
ip ssh rsa keypair-name
|
Specifies which RSA key pair to use for a SSH connection.
|
show ip ssh
|
Displays the SSH connections of your router.
|
ip tacacs source-interface
To use the IP address of a specified interface for all outgoing TACACS+ packets, use the ip tacacs source-interface command in global configuration or server-group configuration mode. To disable use of the specified interface IP address, use the no form of this command.
ip tacacs source-interface subinterface-name
no ip tacacs source-interface
Syntax Description
subinterface-name
|
Name of the interface that TACACS+ uses for all of its outgoing packets.
|
Defaults
No default behavior or values.
Command Modes
Global configuration
Server-group configuration
Command History
Release
|
Modification
|
10.0
|
This command was introduced.
|
12.3(7)T
|
This command was introduced in server-group configuration mode.
|
Usage Guidelines
Use this command to set the IP address of a subinterface for all outgoing TACACS+ packets. This address is used as long as the interface is in the up state. In this way, the TACACS+ server can use one IP address entry associated with the network access client instead of maintaining a list of all IP addresses.
This command is especially useful in cases where the router has many interfaces and you want to ensure that all TACACS+ packets from a particular router have the same IP address.
The specified interface must have an IP address associated with it. If the specified subinterface does not have an IP address or is in a down state, TACACS+ reverts to the default. To avoid this situation, add an IP address to the subinterface or bring the interface to the up state.
Note
This command can be configured globally or in server-group configuration mode. If this command is configured in the server-group configuration mode, the IP address of the specified interface is used for packets that are going only to servers that are defined in that server group. If this command is not configured in server-group configuration mode, the global configuration applies.
Examples
The following example makes TACACS+ use the IP address of subinterface "s2" for all outgoing TACACS+ packets:
ip tacacs source-interface s2
In the following example, TACACS+ uses the IP address of Loopback0 for packets that go only to server 10.1.1.1, a member of server group tacacs1. The key cisco and the port value 19 are placeholders from the original example; TACACS+ servers normally listen on TCP port 49, and a production shared key should be long and random:
aaa group server tacacs+ tacacs1
 server-private 10.1.1.1 port 19 key cisco
 ip tacacs source-interface Loopback0
!
interface Loopback0
 ip address 10.0.0.2 255.0.0.0
Related Commands
Command
|
Description
|
ip radius source-interface
|
Forces RADIUS to use the IP address of a specified interface for all outgoing RADIUS packets.
|
ip telnet source-interface
|
Allows a user to select an address of an interface as the source address for Telnet connections.
|
ip tftp source-interface
|
Allows a user to select the interface whose address will be used as the source address for TFTP connections.
|
ip vrf forwarding (server-group)
|
Configures the VRF reference of an AAA RADIUS or TACACS+ server group.
|
server-private
|
Configures the IP address of the private RADIUS or TACACS+ server for the group server.
|
ip tcp intercept connection-timeout
To change how long a TCP connection will be managed by the TCP intercept after no activity, use the ip tcp intercept connection-timeout command in global configuration mode. To restore the default, use the no form of this command.
ip tcp intercept connection-timeout seconds
no ip tcp intercept connection-timeout [seconds]
Syntax Description
seconds
|
Time (in seconds) that the software will still manage the connection after no activity. The minimum value is 1 second. The default is 86,400 seconds (24 hours).
|
Defaults
86,400 seconds (24 hours)
Command Modes
Global configuration
Command History
Release
|
Modification
|
11.2 F
|
This command was introduced.
|
Usage Guidelines
Use the ip tcp intercept connection-timeout command to change how long a TCP connection will be managed by the TCP intercept after a period of inactivity.
Examples
The following example sets the software to manage the connection for 12 hours (43,200 seconds) after no activity:
ip tcp intercept connection-timeout 43200
ip tcp intercept drop-mode
To set the TCP intercept drop mode, use the ip tcp intercept drop-mode command in global configuration mode. To restore the default, use the no form of this command.
ip tcp intercept drop-mode [oldest | random]
no ip tcp intercept drop-mode [oldest | random]
Syntax Description
oldest
|
(Optional) Software drops the oldest partial connection. This is the default.
|
random
|
(Optional) Software drops a randomly selected partial connection.
|
Defaults
oldest
Command Modes
Global configuration
Command History
Release
|
Modification
|
11.2 F
|
This command was introduced.
|
Usage Guidelines
If the number of incomplete connections exceeds 1100 or the number of connections arriving in the last 1 minute exceeds 1100, the TCP intercept feature becomes more aggressive. When this happens, each new arriving connection causes the oldest partial connection to be deleted, and the initial retransmission timeout is reduced by half to 0.5 seconds (and so the total time trying to establish the connection will be cut in half).
Note that the 1100 thresholds can be configured with the ip tcp intercept max-incomplete high and ip tcp intercept one-minute high commands.
Use the ip tcp intercept drop-mode command to change the dropping strategy from oldest to a random drop.
Examples
The following example sets the drop mode to random:
ip tcp intercept drop-mode random
Related Commands
Command
|
Description
|
ip tcp intercept max-incomplete high
|
Defines the maximum number of incomplete connections allowed before the software enters aggressive mode.
|
ip tcp intercept max-incomplete low
|
Defines the number of incomplete connections below which the software leaves aggressive mode.
|
ip tcp intercept one-minute high
|
Defines the number of connection requests received in the last one-minute sample period before the software enters aggressive mode.
|
ip tcp intercept one-minute low
|
Defines the number of connection requests below which the software leaves aggressive mode.
|
ip tcp intercept finrst-timeout
To change how long after receipt of a reset or FIN-exchange the software ceases to manage the connection, use the ip tcp intercept finrst-timeout command in global configuration mode. To restore the default, use the no form of this command.
ip tcp intercept finrst-timeout seconds
no ip tcp intercept finrst-timeout [seconds]
Syntax Description
seconds
|
Time (in seconds) after receiving a reset or FIN-exchange that the software ceases to manage the connection. The minimum value is 1 second. The default is 5 seconds.
|
Defaults
5 seconds
Command Modes
Global configuration
Command History
Release
|
Modification
|
11.2 F
|
This command was introduced.
|
Usage Guidelines
Even after the two ends of the connection are joined, the software intercepts packets being sent back and forth. Use this command if you need to adjust how soon after receiving a reset or FIN-exchange the software stops intercepting packets.
Examples
The following example sets the software to stop managing a connection 10 seconds after it sees a reset or FIN exchange:
ip tcp intercept finrst-timeout 10
ip tcp intercept list
To enable TCP intercept, use the ip tcp intercept list command in global configuration mode. To disable TCP intercept, use the no form of this command.
ip tcp intercept list access-list-number
no ip tcp intercept list access-list-number
Syntax Description
access-list-number
|
Extended access list number in the range from 100 to 199.
|
Defaults
Disabled
Command Modes
Global configuration
Command History
Release
|
Modification
|
11.2 F
|
This command was introduced.
|
Usage Guidelines
The TCP intercept feature intercepts TCP connection attempts and shields servers from TCP SYN-flood attacks, a form of denial-of-service attack in which a flood of half-open connections exhausts the server's connection table.
TCP packets matching the access list are presented to the TCP intercept code for processing, as determined by the ip tcp intercept mode command. The TCP intercept code either intercepts or watches the connections.
To have all TCP connection attempts submitted to the TCP intercept code, have the access list match everything.
Examples
The following example configuration defines access list 101, causing the software to intercept packets for all TCP servers on the 192.168.1.0/24 subnet:
ip tcp intercept list 101
access-list 101 permit tcp any 192.168.1.0 0.0.0.255
Related Commands
Command
|
Description
|
access-list (IP extended)
|
Defines an extended IP access list.
|
ip tcp intercept mode
|
Changes the TCP intercept mode.
|
show tcp intercept connections
|
Displays TCP incomplete and established connections.
|
show tcp intercept statistics
|
Displays TCP intercept statistics.
|
ip tcp intercept max-incomplete high
To define the maximum number of incomplete connections allowed before the software enters aggressive mode, use the ip tcp intercept max-incomplete high command in global configuration mode. To restore the default, use the no form of this command.
ip tcp intercept max-incomplete high number
no ip tcp intercept max-incomplete high [number]
Syntax Description
number
|
Defines the number of incomplete connections allowed, above which the software enters aggressive mode. The range is from 1 to 2147483647. The default is 1100.
|
Defaults
1100 incomplete connections
Command Modes
Global configuration
Command History
Release
|
Modification
|
11.2 F
|
This command was introduced.
|
Usage Guidelines
If the number of incomplete connections exceeds the number configured, the TCP intercept feature becomes aggressive. The following are the characteristics of aggressive mode:
•
Each new arriving connection causes the oldest partial connection to be deleted.
•
The initial retransmission timeout is reduced by half to 0.5 seconds (and so the total time trying to establish the connection is cut in half).
•
The watch-timeout is cut in half (from 30 seconds to 15 seconds).
You can change the drop strategy from the oldest connection to a random connection with the ip tcp intercept drop-mode command.
Note
The two factors that determine aggressive mode (connection requests and incomplete connections) are related and work together. When the value of either ip tcp intercept one-minute high or ip tcp intercept max-incomplete high is exceeded, aggressive mode begins. When both connection requests and incomplete connections fall below the values of ip tcp intercept one-minute low and ip tcp intercept max-incomplete low, aggressive mode ends.
The software will back off from its aggressive mode when the number of incomplete connections falls below the number specified by the ip tcp intercept max-incomplete low command.
Examples
The following example allows 1500 incomplete connections before the software enters aggressive mode:
ip tcp intercept max-incomplete high 1500
Related Commands
Command
|
Description
|
ip tcp intercept drop-mode
|
Sets the TCP intercept drop mode.
|
ip tcp intercept max-incomplete low
|
Defines the number of incomplete connections below which the software leaves aggressive mode.
|
ip tcp intercept one-minute high
|
Defines the number of connection requests received in the last one-minute sample period before the software enters aggressive mode.
|
ip tcp intercept one-minute low
|
Defines the number of connection requests below which the software leaves aggressive mode.
|
ip tcp intercept max-incomplete low
To define the number of incomplete connections below which the software leaves aggressive mode, use the ip tcp intercept max-incomplete low command in global configuration mode. To restore the default, use the no form of this command.
ip tcp intercept max-incomplete low number
no ip tcp intercept max-incomplete low [number]
Syntax Description
number
|
Defines the number of incomplete connections below which the software leaves aggressive mode. The range is 1 to 2147483647. The default is 900.
|
Defaults
900 incomplete connections
Command Modes
Global configuration
Command History
Release
|
Modification
|
11.2 F
|
This command was introduced.
|
Usage Guidelines
When both connection requests and incomplete connections fall below the values of ip tcp intercept one-minute low and ip tcp intercept max-incomplete low, the TCP intercept feature leaves aggressive mode.
Note
The two factors that determine aggressive mode (connection requests and incomplete connections) are related and work together. When the value of either ip tcp intercept one-minute high or ip tcp intercept max-incomplete high is exceeded, aggressive mode begins. When both connection requests and incomplete connections fall below the values of ip tcp intercept one-minute low and ip tcp intercept max-incomplete low, aggressive mode ends.
See the ip tcp intercept max-incomplete high command for a description of aggressive mode.
Examples
The following example sets the software to leave aggressive mode when the number of incomplete connections falls below 1000:
ip tcp intercept max-incomplete low 1000
Related Commands
Command
|
Description
|
ip tcp intercept drop-mode
|
Sets the TCP intercept drop mode.
|
ip tcp intercept max-incomplete high
|
Defines the maximum number of incomplete connections allowed before the software enters aggressive mode.
|
ip tcp intercept one-minute high
|
Defines the number of connection requests received in the last one-minute sample period before the software enters aggressive mode.
|
ip tcp intercept one-minute low
|
Defines the number of connection requests below which the software leaves aggressive mode.
|
ip tcp intercept mode
To change the TCP intercept mode, use the ip tcp intercept mode command in global configuration mode. To restore the default, use the no form of this command.
ip tcp intercept mode {intercept | watch}
no ip tcp intercept mode [intercept | watch]
Syntax Description
intercept
|
Active mode in which the TCP intercept software intercepts TCP packets from clients to servers that match the configured access list and performs intercept duties. This is the default.
|
watch
|
Monitoring mode in which the software allows connection attempts to pass through the router and watches them until they are established.
|
Defaults
intercept
Command Modes
Global configuration
Command History
Release
|
Modification
|
11.2 F
|
This command was introduced.
|
Usage Guidelines
When TCP intercept is enabled, it operates in intercept mode by default. In intercept mode, the software actively intercepts TCP SYN packets from clients to servers that match the specified access list. For each SYN, the software answers on behalf of the server with a SYN-ACK and waits for the client's ACK. Only when that ACK arrives is the original SYN sent to the server, and the software then completes a three-way handshake with the server. Then the two half-connections are joined. The server therefore never holds a half-open connection for a client that does not complete the handshake; the router holds it instead, which is why the incomplete-connection thresholds apply to the router.
In watch mode, the software allows connection attempts to pass through the router, but watches them until they become established. If they fail to become established in 30 seconds (or the value set by the ip tcp intercept watch-timeout command), a Reset is sent to the server to clear its state.
Examples
The following example sets the mode to watch mode:
ip tcp intercept mode watch
Related Commands
Command
|
Description
|
ip tcp intercept watch-timeout
|
Defines how long the software will wait for a watched TCP intercept connection to reach established state before sending a reset to the server.
|
ip tcp intercept one-minute high
To define the number of connection requests received in the last one-minute sample period before the software enters aggressive mode, use the ip tcp intercept one-minute high command in global configuration mode. To restore the default, use the no form of this command.
ip tcp intercept one-minute high number
no ip tcp intercept one-minute high [number]
Syntax Description
number
|
Specifies the number of connection requests that can be received in the last one-minute sample period before the software enters aggressive mode. The range is 1 to 2147483647. The default is 1100.
|
Defaults
1100 connection requests
Command Modes
Global configuration
Command History
Release
|
Modification
|
11.2 F
|
This command was introduced.
|
Usage Guidelines
If the number of connection requests exceeds the number value configured, the TCP intercept feature becomes aggressive. The following are the characteristics of aggressive mode:
•
Each new arriving connection causes the oldest partial connection to be deleted.
•
The initial retransmission timeout is reduced by half to 0.5 seconds (and so the total time trying to establish the connection is cut in half).
•
The watch-timeout is cut in half (from 30 seconds to 15 seconds).
You can change the drop strategy from the oldest connection to a random connection with the ip tcp intercept drop-mode command.
Note
The two factors that determine aggressive mode (connection requests and incomplete connections) are related and work together. When the value of either ip tcp intercept one-minute high or ip tcp intercept max-incomplete high is exceeded, aggressive mode begins. When both connection requests and incomplete connections fall below the values of ip tcp intercept one-minute low and ip tcp intercept max-incomplete low, aggressive mode ends.
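The access-list gating described under ip tcp intercept list and the aggressive-mode thresholds described here and under ip tcp intercept max-incomplete high, as one added example that is not Cisco IOS code and is not part of the original reference: a Python model that applies IOS wildcard-mask matching to decide which SYNs the intercept code sees, keeps the two metrics (held half-open connections and connection requests in the trailing minute), and applies the enter-on-either-high, leave-on-both-low hysteresis from the Note, halving the retransmission and watch timeouts while aggressive. The class and function names, the 1-second initial retransmission timeout, the event interface and the constructed flood trace are assumptions; the threshold defaults are the documented ones.

```python
"""Model of TCP intercept's access-list gating and aggressive-mode thresholds.
Added illustration, not Cisco IOS code: class names, the event interface and
the constructed flood trace are assumptions; defaults are the documented ones."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address


def acl_matches(dst: str, base: str, wildcard: str) -> bool:
    """IOS wildcard-mask semantics: a 1 bit means 'don't care', so
    192.168.1.0 0.0.0.255 covers all of 192.168.1.0/24."""
    d, b, w = (int(IPv4Address(x)) for x in (dst, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (d & care) == (b & care)


@dataclass
class Thresholds:
    max_incomplete_high: int = 1100
    max_incomplete_low: int = 900
    one_minute_high: int = 1100
    one_minute_low: int = 900
    watch_timeout: float = 30.0   # seconds; halved in aggressive mode
    initial_rto: float = 1.0      # seconds (assumed); the text says it halves to 0.5 s

    def validate(self) -> None:
        # IOS accepts 1..2147483647 everywhere; a low at or above its high would flap.
        if self.max_incomplete_low >= self.max_incomplete_high:
            raise ValueError("max-incomplete low must be below max-incomplete high")
        if self.one_minute_low >= self.one_minute_high:
            raise ValueError("one-minute low must be below one-minute high")


@dataclass
class InterceptModel:
    thresholds: Thresholds
    acl_base: str
    acl_wildcard: str
    aggressive: bool = False
    incomplete: int = 0                            # half-open connections held
    dropped: int = 0                               # partial connections evicted
    syn_times: list = field(default_factory=list)  # arrival times of matching SYNs

    def one_minute_count(self, now: float) -> int:
        self.syn_times = [t for t in self.syn_times if now - t < 60.0]
        return len(self.syn_times)

    def reevaluate(self, now: float) -> bool:
        # Enter when either metric exceeds its high threshold; leave only when
        # both are below their low thresholds (the hysteresis from the Note).
        t, per_minute = self.thresholds, self.one_minute_count(now)
        if not self.aggressive:
            self.aggressive = (self.incomplete > t.max_incomplete_high
                               or per_minute > t.one_minute_high)
        elif self.incomplete < t.max_incomplete_low and per_minute < t.one_minute_low:
            self.aggressive = False
        return self.aggressive

    def syn(self, now: float, dst: str) -> bool:
        """A SYN toward dst arrived. Returns True if TCP intercept handled it."""
        if not acl_matches(dst, self.acl_base, self.acl_wildcard):
            return False                   # not in the list: forwarded untouched
        self.syn_times.append(now)
        self.incomplete += 1
        self.reevaluate(now)
        if self.aggressive:
            # Each new arrival evicts one partial connection (oldest by default;
            # ip tcp intercept drop-mode random picks one at random instead).
            self.incomplete -= 1
            self.dropped += 1
        return True

    def completed(self, now: float, n: int = 1) -> None:
        """n half-open connections finished their handshake or timed out."""
        self.incomplete = max(0, self.incomplete - n)
        self.reevaluate(now)

    def halved(self, seconds: float) -> float:
        """Effective value of a timer that aggressive mode cuts in half."""
        return seconds / 2 if self.aggressive else seconds


def run_constructed_flood() -> dict:
    """Constructed scenario: a SYN flood toward 192.168.1.10, covered by the
    access list 101 from the ip tcp intercept list example, default thresholds."""
    model = InterceptModel(Thresholds(), "192.168.1.0", "0.0.0.255")
    model.thresholds.validate()
    model.syn(0.0, "10.0.0.5")                     # outside the list: ignored
    for _ in range(1101):                          # 1101 half-open connections
        model.syn(0.0, "192.168.1.10")
    result = {"entered": model.aggressive, "incomplete_after_flood": model.incomplete,
              "dropped": model.dropped, "rto_during": model.halved(model.thresholds.initial_rto),
              "watch_during": model.halved(model.thresholds.watch_timeout)}
    # Server catches up: incompletes fall below 900, but the one-minute counter
    # is still above 900, so aggressive mode must persist.
    model.completed(10.0, n=300)
    result["still_aggressive"] = model.aggressive
    model.reevaluate(61.0)      # sample period has emptied: both metrics low
    result["left"] = not model.aggressive
    return result
```

The validate method refuses a low threshold at or above its high value; IOS itself accepts any value in range, so that is the kind of sanity check to run on a proposed configuration before pushing it. The trace shows why both low thresholds matter: once the server has caught up on half-open connections, the one-minute counter alone keeps the router aggressive until the sample period has emptied.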
Examples
The following example allows 1400 connection requests before the software enters aggressive mode:
ip tcp intercept one-minute high 1400
Related Commands
Command
|
Description
|
ip tcp intercept drop-mode
|
Sets the TCP intercept drop mode.
|
ip tcp intercept max-incomplete high
|
Defines the maximum number of incomplete connections allowed before the software enters aggressive mode.
|
ip tcp intercept max-incomplete low
|
Defines the number of incomplete connections below which the software leaves aggressive mode.
|
ip tcp intercept one-minute low
|
Defines the number of connection requests below which the software leaves aggressive mode.
|
ip tcp intercept one-minute low
To define the number of connection requests below which the software leaves aggressive mode, use the ip tcp intercept one-minute low command in global configuration mode. To restore the default, use the no form of this command.
ip tcp intercept one-minute low number
no ip tcp intercept one-minute low [number]
Syntax Description
number
|
Defines the number of connection requests in the last one-minute sample period below which the software leaves aggressive mode. The range is from 1 to 2147483647. The default is 900.
|
Defaults
900 connection requests
Command Modes
Global configuration
Command History
Release
|
Modification
|
11.2 F
|
This command was introduced.
|
Usage Guidelines
When both connection requests and incomplete connections fall below the values of ip tcp intercept one-minute low and ip tcp intercept max-incomplete low, the TCP intercept feature leaves aggressive mode.
Note
The two factors that determine aggressive mode (connection requests and incomplete connections) are related and work together. When the value of either ip tcp intercept one-minute high or ip tcp intercept max-incomplete high is exceeded, aggressive mode begins. When both connection requests and incomplete connections fall below the values of ip tcp intercept one-minute low and ip tcp intercept max-incomplete low, aggressive mode ends.
See the ip tcp intercept one-minute high command for a description of aggressive mode.
Examples
The following example sets the software to leave aggressive mode when the number of connection requests falls below 1000:
ip tcp intercept one-minute low 1000
Related Commands
Command
|
Description
|
ip tcp intercept drop-mode
|
Sets the TCP intercept drop mode.
|
ip tcp intercept max-incomplete high
|
Defines the maximum number of incomplete connections allowed before the software enters aggressive mode.
|
ip tcp intercept max-incomplete low
|
Defines the number of incomplete connections below which the software leaves aggressive mode.
|
ip tcp intercept one-minute high
|
Defines the number of connection requests received in the last one-minute sample period before the software enters aggressive mode.
|
ip tcp intercept watch-timeout
To define how long the software will wait for a watched TCP intercept connection to reach established state before sending a reset to the server, use the ip tcp intercept watch-timeout command in global configuration mode. To restore the default, use the no form of this command.
ip tcp intercept watch-timeout seconds
no ip tcp intercept watch-timeout [seconds]
Syntax Description
seconds
|
Time (in seconds) that the software waits for a watched connection to reach established state before sending a Reset to the server. The minimum value is 1 second. The default is 30 seconds.
|
Defaults
30 seconds
Command Modes
Global configuration
Command History
Release
|
Modification
|
11.2 F
|
This command was introduced.
|
Usage Guidelines
Use this command if you have set the TCP intercept to passive watch mode and you want to change the default time the connection is watched. During aggressive mode, the watch timeout time is cut in half.
Examples
The following example sets the software to wait 60 seconds for a watched connection to reach established state before sending a Reset to the server:
ip tcp intercept watch-timeout 60
Related Commands
Command
|
Description
|
ip tcp intercept mode
|
Changes the TCP intercept mode.
|
ip traffic-export apply profile
To apply an IP traffic export profile to a specific interface, use the ip traffic-export apply profile command in interface configuration mode. To remove an IP traffic export profile from an interface, use the no form of this command.
ip traffic-export apply profile profile-name
no ip traffic-export apply profile profile-name
Syntax Description
profile-name
|
Name of the profile that is to be applied to a specified interface.
The profile-name argument must match a name that was specified via the ip traffic-export profile command.
|
Defaults
If this command is not issued, a successfully configured profile is not active.
Command Modes
Interface configuration
Command History
Release
|
Modification
|
12.3(4)T
|
This command was introduced.
|
12.2(25)S
|
This command was integrated into Cisco IOS Release 12.2(25)S.
|
Usage Guidelines
After you have configured at least one profile, you should use the ip traffic-export apply profile command to activate an IP traffic export on the specified ingress interface.
Examples
The following example shows how to apply the profile "corp1" to interface Fast Ethernet 0/0:
Router(config)# ip traffic-export profile corp1
Router(config-rite)# interface FastEthernet 0/1
Router(config-rite)# bidirectional
Router(config-rite)# mac-address 00a.8aab.90a0
Router(config-rite)# outgoing sample one-in-every 50
Router(config-rite)# incoming access-list spam_acl
Router(config-rite)# exit
Router(config)# interface FastEthernet 0/0
Router(config-if)# ip traffic-export apply corp1
After the profile is activated on the interface, a logging message such as the following will appear:
%RITE-5-ACTIVATE: Activated IP traffic export on interface FastEthernet 0/0.
After the profile is removed from the interface, a logging message such as the following will appear:
%RITE-5-DEACTIVATE: Deactivated IP traffic export on interface FastEthernet 0/0.
If you attempt to apply an incomplete profile to an interface, you will receive the following message:
Router(config-if)# ip traffic-export apply newone
RITE: profile newone has missing outgoing interface
Related Commands
Command
|
Description
|
ip traffic-export profile
|
Creates or edits an IP traffic export profile and enables the profile on an ingress interface.
|
ip traffic-export profile
To create or edit an IP traffic export profile and enable the profile on an ingress interface, use the ip traffic-export profile command in global configuration mode. To remove an IP traffic export profile from your router configuration, use the no form of this command.
ip traffic-export profile profile-name
no ip traffic-export profile profile-name
Syntax Description
profile-name
|
IP traffic export profile name.
|
Defaults
A profile does not exist.
Command Modes
Global configuration
Command History
Release
|
Modification
|
12.3(4)T
|
This command was introduced.
|
12.2(25)S
|
This command was integrated into Cisco IOS Release 12.2(25)S.
|
Usage Guidelines
The ip traffic-export profile command allows you to begin a profile that can be configured to export IP packets as they arrive on or leave from a selected router ingress interface. A designated egress interface exports the captured IP packets out of the router. Thus, the router can export unaltered IP packets to a directly connected device.
IP Traffic Export Profiles
All exported IP traffic configurations are specified via profiles, which consist of RITE-related command-line interfaces (CLIs) that control various attributes of both incoming and outgoing IP traffic. You can configure a router with multiple profiles. (Each profile must have a different name.) You can apply different profiles on different interfaces.
The two profiles that you should configure are as follows:
•
The global configuration profile, which is configured via the ip traffic-export profile command.
•
The submode configuration profile, which is configured via any of the following RITE commands—bidirectional, incoming, interface, mac-address, and outgoing.
The interface and mac-address commands are required to successfully create a profile. If these commands are not issued, the user will receive profile-incomplete messages such as the following:
ip traffic-export profile newone
! No outgoing interface configured
! No destination mac-address configured
After you configure your profiles, you can apply (which will activate) the profile to an interface via the ip traffic-export apply profile command.
Examples
The following example shows how to configure the profile "corp1," which will send captured IP traffic to the host with MAC address 00a.8aab.90a0 out of interface FastEthernet 0/1. The profile is also configured to export one in every 50 outgoing packets and to export incoming traffic only if it matches the access control list (ACL) "ham_acl."
Router(config)# ip traffic-export profile corp1
Router(config-rite)# interface FastEthernet 0/1
Router(config-rite)# bidirectional
Router(config-rite)# mac-address 00a.8aab.90a0
Router(config-rite)# outgoing sample one-in-every 50
Router(config-rite)# incoming access-list ham_acl
Router(config-rite)# exit
Router(config)# interface FastEthernet 0/0
Router(config-if)# ip traffic-export apply corp1
Related Commands
Command
|
Description
|
bidirectional
|
Enables incoming and outgoing IP traffic to be exported across a monitored interface.
|
incoming
|
Configures filtering for incoming export traffic.
|
interface (RITE)
|
Specifies the outgoing interface for exporting traffic.
|
ip traffic-export apply profile
|
Applies an IP traffic export profile to a specific interface.
|
mac-address
|
Specifies the Ethernet address of the destination host.
|
outgoing
|
Configures filtering for outgoing export traffic.
|
ip trigger-authentication (global)
To enable the automated part of double authentication at a device, use the ip trigger-authentication command in global configuration mode. To disable the automated part of double authentication, use the no form of this command.
ip trigger-authentication [timeout seconds] [port number]
no ip trigger-authentication
Syntax Description
timeout seconds
|
(Optional) Specifies how frequently the local device sends a User Datagram Protocol (UDP) packet to the remote host to request the user's username and password (or PIN). The default is 90 seconds. See "The Timeout Keyword" in the Usage Guidelines section for details.
|
port number
|
(Optional) Specifies the UDP port to which the local router should send the UDP packet requesting the user's username and password (or PIN). The default is port 7500. See "The Port Keyword" in the Usage Guidelines section for details.
|
Defaults
The default timeout is 90 seconds, and the default port number is 7500.
Command Modes
Global configuration
Command History
Release
|
Modification
|
11.3 T
|
This command was introduced.
|
Usage Guidelines
Configure this command on the local device (router or network access server) that remote users dial in to. Use this command only if the local device has already been configured to provide double authentication; this command enables automation of the second authentication of double authentication.
The timeout Keyword
During the second authentication stage of double authentication—when the remote user is authenticated—the remote user must send a username and password (or PIN) to the local device. With automated double authentication, the local device sends a UDP packet to the remote user's host during the second user-authentication stage. This UDP packet triggers the remote host to launch a dialog box requesting a username and password (or PIN).
If the local device does not receive a valid response to the UDP packet within a timeout period, the local device will send another UDP packet. The device will continue to send UDP packets at the timeout intervals until it receives a response and can authenticate the user.
By default, the UDP packet timeout interval is 90 seconds. Use the timeout keyword to specify a different interval.
(This timeout also applies to how long entries will remain in the remote host table; see the show ip trigger-authentication command for details.)
The port Keyword
As described in the previous section, the local device sends a UDP packet to the remote user's host to request the user's username and password (or PIN). This UDP packet is sent to UDP port 7500 by default. (The remote host client software listens to UDP port 7500 by default.) If you need to change the port number because port 7500 is used by another application, you should change the port number using the port keyword. If you change the port number you need to change it in both places—both on the local device and in the remote host client software.
Examples
The following example globally enables automated double authentication and sets the timeout to 120 seconds:
ip trigger-authentication timeout 120
Related Commands
Command
|
Description
|
ip trigger-authentication (interface)
|
Specifies automated double authentication at an interface.
|
show ip trigger-authentication
|
Displays the list of remote hosts for which automated double authentication has been attempted.
|
ip trigger-authentication (interface)
To specify automated double authentication at an interface, use the ip trigger-authentication command in interface configuration mode. To turn off automated double authentication at an interface, use the no form of this command.
ip trigger-authentication
no ip trigger-authentication
Syntax Description
This command has no arguments or keywords.
Defaults
Automated double authentication is not enabled for specific interfaces.
Command Modes
Interface configuration
Command History
Release
|
Modification
|
11.3 T
|
This command was introduced.
|
Usage Guidelines
Configure this command on the local router or network access server that remote users dial into. Use this command only if the local device has already been configured to provide double authentication and if automated double authentication has been enabled with the ip trigger-authentication (global) command.
This command causes double authentication to occur automatically when users dial into the interface.
Examples
The following example turns on automated double authentication at the ISDN BRI interface BRI0:
ip trigger-authentication
Related Commands
Command
|
Description
|
ip trigger-authentication (global)
|
Enables the automated part of double authentication at a device.
|
ip urlfilter alert
To enable URL filtering system alert messages, use the ip urlfilter alert command in global configuration mode. To disable the system alert, use the no form of this command.
ip urlfilter alert [vrf vrf-name]
no ip urlfilter alert
Syntax Description
vrf vrf-name
|
(Optional) Enables URL filtering system alert messages only for the specified Virtual Routing and Forwarding (VRF) interface.
|
Defaults
URL filtering messages are enabled.
Command Modes
Global configuration
Command History
Release
|
Modification
|
12.2(11)YU
|
This command was introduced.
|
12.2(15)T
|
This command was integrated into Cisco IOS Release 12.2(15)T.
|
12.3(14)T
|
The vrf vrf-name keyword/argument pair was added.
|
Usage Guidelines
Use the ip urlfilter alert command to display system messages, such as a server entering allow mode, a server going down, or a URL that is too long for the lookup request.
Examples
The following example shows how to enable URL filtering alert messages:
ip inspect name test http urlfilter
ip urlfilter exclusive-domain permit .weapons.com
ip urlfilter exclusive-domain deny .nbc.com
ip urlfilter exclusive-domain permit www.cisco.com
ip urlfilter server vendor websense 192.168.3.1
Afterward, system alert messages such as the following are displayed:
%URLF-3-SERVER_DOWN:Connection to the URL filter server 10.92.0.9 is down
This level three LOG_ERR-type message is displayed when a configured URL filter server (UFS) goes down. When this happens, the firewall will mark the configured server as secondary and try to bring up one of the other secondary servers and mark that server as the primary server. If there is no other server configured, the firewall will enter allow mode and display the URLF-3-ALLOW_MODE message described next.
%URLF-3-ALLOW_MODE:Connection to all URL filter servers are down and ALLOW MODE is OFF
This LOG_ERR type message is displayed when all UFSs are down and the system enters into allow mode.
Note
Whenever the system goes into allow mode (all filter servers are down), a periodic keepalive timer will be triggered that will try to bring up a server by opening a TCP connection.
%URLF-5-SERVER_UP:Connection to an URL filter server 10.92.0.9 is made, the system is
returning from ALLOW MODE
This LOG_NOTICE-type message is displayed when the UFSs are detected as being up and the system is returning from allow mode.
%URLF-4-URL_TOO_LONG:URL too long (more than 3072 bytes), possibly a fake packet?
This LOG_WARNING-type message is displayed when the URL in a lookup request is too long; any URL longer than 3K will be dropped.
%URLF-4-MAX_REQ:The number of pending request exceeds the maximum limit <1000>
This LOG_WARNING-type message is displayed when the number of pending requests in the system exceeds the maximum limit and all further requests are dropped.
ip urlfilter allowmode
To turn on the default mode (allow mode) of the filtering algorithm, use the ip urlfilter allowmode command in global configuration mode. To disable the default mode, use the no form of this command.
ip urlfilter allowmode [on | off] [vrf vrf-name]
no ip urlfilter allowmode [on | off]
Syntax Description
on
|
(Optional) Allow mode is on.
|
off
|
(Optional) Allow mode is off.
|
vrf vrf-name
|
(Optional) Turns on the default mode of the filtering algorithm only for the specified Virtual Routing and Forwarding (VRF) interface.
|
Defaults
Allow mode is off.
Command Modes
Global configuration
Command History
Release
|
Modification
|
12.2(11)YU
|
This command was introduced.
|
12.2(15)T
|
This command was integrated into Cisco IOS Release 12.2(15)T.
|
12.3(14)T
|
The vrf vrf-name keyword/argument pair was added.
|
Usage Guidelines
The system will go into allow mode when connections to all vendor servers (Websense or N2H2) are down. The system will return to normal mode when a connection to at least one web vendor server is up. Allow mode directs your system to forward or drop all packets on the basis of the configurable allow mode setting: if allow mode is on and the vendor servers are down, the HTTP requests will be allowed to pass; if allow mode is off and the vendor servers are down, the HTTP requests will be forbidden.
Examples
The following example shows how to enable allow mode on your system:
ip urlfilter allowmode on
Afterward, the following alert message will be displayed when the system goes into allow mode:
%URLF-3-ALLOW_MODE: Connection to all URL filter servers are down and ALLOW MODE is OFF
The following alert message will be displayed when the system returns from allow mode:
%URLF-5-SERVER_UP: Connection to an URL filter server 12.0.0.3 is made, the system is
returning from allow mode
ip urlfilter audit-trail
To log messages into the syslog server or router, use the ip urlfilter audit-trail command in global configuration mode. To disable this functionality, use the no form of this command.
ip urlfilter audit-trail [vrf vrf-name]
no ip urlfilter audit-trail
Syntax Description
vrf vrf-name
|
(Optional) Logs messages into the syslog server or router only for the specified Virtual Routing and Forwarding (VRF) interface.
|
Defaults
This command is disabled.
Command Modes
Global configuration
Command History
Release
|
Modification
|
12.2(11)YU
|
This command was introduced.
|
12.2(15)T
|
This command was integrated into Cisco IOS Release 12.2(15)T.
|
12.3(14)T
|
The vrf vrf-name keyword/argument pair was added.
|
Usage Guidelines
Use the ip urlfilter audit-trail command to log messages such as URL request status (allow or deny) into your syslog server.
Examples
The following example shows how to enable syslog message logging:
ip inspect name test http urlfilter
ip urlfilter exclusive-domain permit .weapons.com
ip urlfilter exclusive-domain deny .nbc.com
ip urlfilter exclusive-domain permit www.cisco.com
ip urlfilter server vendor websense 209.165.202.130
Afterward, audit trail messages such as the following are displayed and logged into the log server:
%URLF-6-SITE_ALLOWED:Client 209.165.201.15:12543 accessed server 10.76.82.21:8080
This message is logged for each request whose destination IP address is found in the cache. It includes the source IP address, source port number, destination IP address, and destination port number. The URL is not logged in this case because the destination IP address was found in the cache, so the firewall does not parse the request or extract the URL.
%URLF-4-SITE_BLOCKED: Access denied for the site `www.sports.com'; client
209.165.200.230:34557 server 209.165.201.2:80
This message is logged when a request finds a match against one of the blocked domains in the exclusive-domain list or the corresponding entry in the IP cache.
%URLF-6-URL_ALLOWED:Access allowed for URL http://www.N2H2.com/; client
209.165.200.230:54123 server 192.168.0.1:80
This message is logged for each URL request that is allowed by the vendor server (Websense or N2H2). It includes the allowed URL, source IP address, source port number, destination IP address, and destination port number. Longer URLs will be truncated to 300 bytes and then logged.
%URLF-6-URL_BLOCKED:Access denied URL http://www.google.com; client 209.165.200.230:54678
server 209.165.201.2:80
This message is logged for each URL request that is blocked by the vendor server. It includes the blocked URL, source IP address, source port number, destination IP address, and destination port number. Longer URLs will be truncated to 300 bytes and then logged.
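The four audit-trail formats above are what a collector actually receives, so the useful exercise is turning them into structured records and running a detection pass over them. The following parser is an added example, not Cisco IOS code; the sample lines are constructed from the four message formats shown on this page (the syslog timestamp prefix on the first line is also constructed), and the regular expressions are written against those formats only.

```python
"""Parser for URLF audit-trail messages plus a small detection pass.

Added example, not Cisco IOS code. SAMPLE_LINES are constructed from the
message formats documented above; the timestamp prefix is constructed too.
"""
import re
from collections import Counter

MNEMONIC_RE = re.compile(r"%URLF-(\d)-([A-Z_-]+):")
CLIENT_RE = re.compile(r"client (\d{1,3}(?:\.\d{1,3}){3}):(\d+)", re.IGNORECASE)
SERVER_RE = re.compile(r"server (\d{1,3}(?:\.\d{1,3}){3}):(\d+)", re.IGNORECASE)
SITE_RE = re.compile(r"site `([^']+)'")
URL_RE = re.compile(r"URL (\S+?);")

SAMPLE_LINES = [
    "*Mar  1 00:12:03.123: %URLF-6-SITE_ALLOWED:Client 209.165.201.15:12543 "
    "accessed server 10.76.82.21:8080",
    "%URLF-4-SITE_BLOCKED: Access denied for the site `www.sports.com'; "
    "client 209.165.200.230:34557 server 209.165.201.2:80",
    "%URLF-6-URL_ALLOWED:Access allowed for URL http://www.N2H2.com/; "
    "client 209.165.200.230:54123 server 192.168.0.1:80",
    "%URLF-6-URL_BLOCKED:Access denied URL http://www.google.com; "
    "client 209.165.200.230:54678 server 209.165.201.2:80",
]


def parse_urlf_line(line):
    """Return a dict for a URLF audit message, or None for any other line."""
    m = MNEMONIC_RE.search(line)
    if not m:
        return None
    mnemonic = m.group(2).replace("-", "_")   # tolerate a SITE-BLOCKED spelling
    client = CLIENT_RE.search(line)
    server = SERVER_RE.search(line)
    site = SITE_RE.search(line)
    url = URL_RE.search(line)
    return {
        "severity": int(m.group(1)),
        "mnemonic": mnemonic,
        "verdict": "deny" if mnemonic.endswith("BLOCKED") else "allow",
        "client": (client.group(1), int(client.group(2))) if client else None,
        "server": (server.group(1), int(server.group(2))) if server else None,
        # SITE_* messages carry no URL: a cache hit means the request was not parsed
        "target": site.group(1) if site else (url.group(1) if url else None),
    }


def denied_by_client(lines):
    """Count blocked requests per client address (a quick policy-violation tally)."""
    records = (parse_urlf_line(line) for line in lines)
    return Counter(r["client"][0] for r in records
                   if r and r["verdict"] == "deny" and r["client"])


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_urlf_line(line))
    print(denied_by_client(SAMPLE_LINES))
```

Two details matter when you write rules over these messages: the SITE_ALLOWED and SITE_BLOCKED variants have no URL field at all (the verdict came from the IP cache), and URLs in the URL_* variants are truncated to 300 bytes before logging, so do not expect full query strings in the target field.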
ip urlfilter cache
To configure cache parameters, use the ip urlfilter cache command in global configuration mode. To clear the configuration, use the no form of this command.
ip urlfilter cache number [vrf vrf-name]
no ip urlfilter cache number
Syntax Description
number
|
Maximum number of destination IP addresses that can be cached into the cache table. The default value is 5000.
|
vrf vrf-name
|
(Optional) Configures cache parameters only for the specified Virtual Routing and Forwarding (VRF) interface.
|
Defaults
Maximum number of destination IP addresses is 5000.
The cache table is cleared out every 12 hours.
Command Modes
Global configuration
Command History
Release
|
Modification
|
12.2(11)YU
|
This command was introduced.
|
12.2(15)T
|
This command was integrated into Cisco IOS Release 12.2(15)T.
|
12.3(14)T
|
The vrf vrf-name keyword/argument pair was added.
|
Usage Guidelines
The cache table consists of the most recently requested IP addresses and respective authorization status for each IP address.
The caching algorithm involves three parameters—the maximum number of IP addresses that can be cached, an idle time, and an absolute time. The algorithm also involves two timers—idle timer and absolute timer. The idle timer is a small periodic timer (1 minute) that checks to see whether the number of cached IP addresses in the cache table exceeds 80 percent of the maximum limit. If the cached IP addresses have exceeded 80 percent, it will start removing idle entries; if it has not exceeded 80 percent, it will quit and wait for the next cycle. The absolute timer is a large periodic timer (1 hour) that is used to remove all of the elapsed entries. (The age of an elapsed entry is greater than the absolute time.) An elapsed entry will also be removed during cache lookup.
The idle time value is fixed at 10 minutes. The absolute time value is taken from the vendor server look-up response, which is often greater than 15 hours. The absolute value for cache entries made out of exclusive-domains is 12 hours. The maximum number of cache entries is configurable by enabling the ip urlfilter cache command.
Note
The vendor server is not able to inform the Cisco IOS firewall of filtering policy changes in the database.
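The two-timer scheme above is easy to misread (the idle timer does nothing at all until the table is 80 percent full). The following model is an added example, not Cisco IOS code; it implements the idle timer, the absolute timer and the removal of an elapsed entry during lookup exactly as the text describes, with the 10 minute idle time and 12 hour exclusive-domain lifetime taken from the text. The addresses and clock values are constructed, and the model does not reject inserts when the table is full because the page does not say what happens in that case.

```python
"""Model of the URL filter IP cache eviction algorithm.

Added example, not Cisco IOS code. Times are in seconds and the caller
supplies a simulated clock ('now'); addresses and lifetimes are constructed.
"""

IDLE_TIME = 10 * 60              # fixed idle time from the text
EXCLUSIVE_ABSOLUTE = 12 * 3600   # absolute time for exclusive-domain entries


class UrlfCache:
    def __init__(self, max_entries: int = 5000):
        self.max_entries = max_entries   # ip urlfilter cache <number>
        self.entries = {}  # ip -> {"allowed", "created", "last_used", "absolute"}

    def insert(self, ip, allowed, now, absolute=EXCLUSIVE_ABSOLUTE):
        """Cache a verdict. 'absolute' is the lifetime from the vendor reply,
        or the 12 hour value for an exclusive-domain hit."""
        self.entries[ip] = {"allowed": allowed, "created": now,
                            "last_used": now, "absolute": absolute}

    def lookup(self, ip, now):
        """Return the cached verdict, or None on a miss. An elapsed entry
        found during lookup is removed on the spot."""
        entry = self.entries.get(ip)
        if entry is None:
            return None
        if now - entry["created"] > entry["absolute"]:
            del self.entries[ip]
            return None
        entry["last_used"] = now
        return entry["allowed"]

    def idle_timer_tick(self, now):
        """1 minute timer: only when the table is above 80 percent of the
        maximum does it remove entries idle for longer than IDLE_TIME."""
        if len(self.entries) <= 0.8 * self.max_entries:
            return 0
        idle = [ip for ip, e in self.entries.items()
                if now - e["last_used"] > IDLE_TIME]
        for ip in idle:
            del self.entries[ip]
        return len(idle)

    def absolute_timer_tick(self, now):
        """1 hour timer: remove every entry older than its absolute time."""
        old = [ip for ip, e in self.entries.items()
               if now - e["created"] > e["absolute"]]
        for ip in old:
            del self.entries[ip]
        return len(old)


if __name__ == "__main__":
    cache = UrlfCache(max_entries=10)
    for i in range(9):                       # 90 percent full: idle timer is armed
        cache.insert(f"10.0.0.{i}", True, now=0, absolute=3600)
    cache.lookup("10.0.0.3", now=650)        # keeps this entry fresh
    print("idle entries removed:", cache.idle_timer_tick(now=700))
    print("remaining:", sorted(cache.entries))
```

The practical consequence of the note above is visible in the model: a verdict stays in the table until its absolute time runs out or it is evicted for idleness, so a policy change on the vendor server is not seen for cached destinations until then; clear ip urlfilter cache is the way to force it.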
Examples
The following example shows how to configure the cache table to hold a maximum of five destination IP addresses:
ip inspect name test http urlfilter
ip urlfilter cache 5
ip urlfilter exclusive-domain permit .weapons.com
ip urlfilter exclusive-domain deny .nbc.com
ip urlfilter exclusive-domain permit www.cisco.com
ip urlfilter server vendor websense 192.168.3.1
Related Commands
Command
|
Description
|
clear ip urlfilter cache
|
Clears the cache table.
|
show ip urlfilter cache
|
Displays the destination IP addresses that are cached into the cache table.
|
ip urlfilter exclusive-domain
To add a domain name to the exclusive domain list, so that the firewall does not have to send lookup requests to the vendor server for traffic destined for that domain, use the ip urlfilter exclusive-domain command in global configuration mode. To remove a domain name from the exclusive domain list, use the no form of this command.
ip urlfilter exclusive-domain {permit | deny} domain-name [vrf vrf-name]
no ip urlfilter exclusive-domain {permit | deny} domain-name
Syntax Description
permit
|
Permits all traffic destined for the specified domain name.
|
deny
|
Blocks all traffic destined for the specified domain name.
|
domain-name
|
Domain name that is added or removed from the exclusive domain name list; for example, www.cisco.com.
|
vrf vrf-name
|
(Optional) Adds or removes a domain name only for the specified Virtual Routing and Forwarding (VRF) interface.
|
Defaults
This command is not enabled.
Command Modes
Global configuration
Command History
Release
|
Modification
|
12.2(11)YU
|
This command was introduced.
|
12.2(15)T
|
This command was integrated into Cisco IOS Release 12.2(15)T.
|
12.3(14)T
|
The vrf vrf-name keyword/argument pair was added.
|
Usage Guidelines
The ip urlfilter exclusive-domain command allows you to specify a list of domain names (exclusive domains) so that the firewall will not create a lookup request for HTTP traffic that is destined for one of the domains in the exclusive list. Thus, you can avoid sending lookup requests to the vendor server for HTTP traffic that is destined for a host that is completely allowed (or completely blocked) for all users.
Flexibility when entering domain names is also provided; that is, the user can enter the complete domain name or a partial domain name.
Complete Domain Name
If the user adds a complete domain name, such as "www.cisco.com," to the exclusive domain list, all HTTP traffic whose URLs are destined for this domain (such as www.cisco.com/news and www.cisco.com/index) will be excluded from the URL filtering policies of the vendor server (Websense or N2H2), and on the basis of the configuration, the URLs will be permitted or blocked (denied).
Partial Domain Name
If the user adds only a partial domain name to the exclusive domain list, such as ".cisco.com," all URLs whose domain names end with this partial domain name (such as www.cisco.com/products and www.cisco.com/eng) will be excluded from the URL filtering policies of the vendor server (Websense or N2H2), and on the basis of the configuration, the URLs will be permitted or blocked (denied).
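The complete-name and partial-name rules above decide which requests never reach the vendor server. The following matcher is an added example, not Cisco IOS code, and it reproduces both rules for the exclusive-domain list used in the examples on this page. One point is an assumption because the page does not state it: when a host matches both a complete name and a partial name, the complete name is checked first.

```python
"""Exclusive-domain matching for URL filtering.

Added example, not Cisco IOS code. Precedence of a complete name over a
partial (leading-dot) name is an assumption; the page does not say.
"""
from urllib.parse import urlsplit


def host_of(url: str) -> str:
    """Lower-cased host part of a URL; tolerates a missing scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def exclusive_domain_verdict(url, exclusive_domains):
    """exclusive_domains: list of (action, name) pairs, one per
    'ip urlfilter exclusive-domain {permit | deny} name' line.

    Returns 'permit' or 'deny' when the host is covered by the exclusive
    list, or None when the firewall must send a lookup to the vendor server.
    """
    host = host_of(url)
    complete = [(a, n.lower()) for a, n in exclusive_domains if not n.startswith(".")]
    partial = [(a, n.lower()) for a, n in exclusive_domains if n.startswith(".")]
    for action, name in complete:          # exact host match, e.g. www.cisco.com
        if host == name:
            return action
    for action, name in partial:           # suffix match, e.g. .cisco.com
        if host.endswith(name):
            return action
    return None


# The exclusive-domain list from the examples on this page.
EXCLUSIVE = [
    ("permit", ".weapons.com"),
    ("deny", ".nbc.com"),
    ("permit", "www.cisco.com"),
]

if __name__ == "__main__":
    for url in ["http://www.weapons.com/list", "http://news.nbc.com/",
                "www.cisco.com/news", "http://eng.cisco.com/"]:
        print(url, "->", exclusive_domain_verdict(url, EXCLUSIVE))
```

Note the suffix rule is literal: ".nbc.com" covers news.nbc.com and www.nbc.com but not the bare host nbc.com, which still goes to the vendor server.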
Examples
The following example shows how to add the complete domain name "www.cisco.com" to the exclusive domain name list. This configuration will block all traffic destined to the www.cisco.com domain.
ip urlfilter exclusive-domain deny www.cisco.com
The following example shows how to add the partial domain name ".cisco.com" to the exclusive domain name list. This configuration will permit all traffic destined to domains that end with .cisco.com.
ip urlfilter exclusive-domain permit .cisco.com
ip urlfilter max-request
To set the maximum number of outstanding requests that can exist at any given time, use the ip urlfilter max-request command in global configuration mode. To disable this function, use the no form of this command.
ip urlfilter max-request number [vrf vrf-name]
no ip urlfilter max-request number
Syntax Description
number
|
Maximum number of outstanding requests. The default value is 1000.
|
vrf vrf-name
|
(Optional) Sets the maximum number of outstanding requests only for the specified Virtual Routing and Forwarding (VRF) interface.
|
Defaults
Maximum number of requests is 1000.
Command Modes
Global configuration
Command History
Release
|
Modification
|
12.2(11)YU
|
This command was introduced.
|
12.2(15)T
|
This command was integrated into Cisco IOS Release 12.2(15)T.
|
12.3(14)T
|
The vrf vrf-name keyword/argument pair was added.
|
Usage Guidelines
If the specified maximum number of outstanding requests is exceeded, new requests will be dropped.
Note
Allow mode is not considered because it should be used only when servers are down.
Examples
The following example shows how to configure the maximum number of outstanding requests to 950:
ip inspect name url_filter http
ip urlfilter max-request 950
Related Commands
Command
|
Description
|
ip inspect name
|
Defines a set of inspection rules.
|
ip urlfilter server vendor
|
Configures a vendor server for URL filtering.
|
ip urlfilter max-resp-pak
To configure the maximum number of HTTP responses that the firewall can keep in its packet buffer, use the ip urlfilter max-resp-pak command in global configuration mode. To return to the default, use the no form of this command.
ip urlfilter max-resp-pak number [vrf vrf-name]
no ip urlfilter max-resp-pak number
Syntax Description
number
|
Maximum number of HTTP responses that can be stored in the packet buffer of the firewall. After the maximum number has been reached, the firewall will drop further responses. The default, and absolute maximum, value is 200.
|
vrf vrf-name
|
(Optional) Sets the maximum number of HTTP responses only for the specified Virtual Routing and Forwarding (VRF) interface.
|
Defaults
200 HTTP responses
Command Modes
Global configuration
Command History
Release
|
Modification
|
12.2(11)YU
|
This command was introduced.
|
12.2(15)T
|
This command was integrated into Cisco IOS Release 12.2(15)T.
|
12.3(14)T
|
The vrf vrf-name keyword/argument pair was added.
|
Usage Guidelines
When an HTTP request arrives at a Cisco IOS firewall, the firewall forwards the request to the web server while simultaneously sending a URL lookup request to the vendor server (Websense or N2H2). If the vendor server reply arrives before the HTTP response, the firewall knows whether to permit or block the HTTP response. If the HTTP response arrives before the vendor server reply, the firewall does not yet know whether to allow or block the response and would otherwise have to drop it until it hears from the vendor server. The ip urlfilter max-resp-pak command configures the firewall to hold such HTTP responses in a buffer, up to the configured number (at most 200). Each response remains in the buffer until an allow or deny message is received from the vendor server. If the vendor server reply allows the URL, the firewall releases the HTTP response from the buffer to the end user; if the vendor server reply denies the URL, the firewall discards the HTTP response from the buffer and closes the connection to both ends.
Examples
The following example shows how to configure your firewall to hold 150 HTTP responses:
ip urlfilter max-resp-pak 150
ip urlfilter server vendor
To configure a vendor server for URL filtering, use the ip urlfilter server vendor command in global configuration mode. To remove a server from your configuration, use the no form of this command.
ip urlfilter server vendor {websense | n2h2} ip-address [port port-number] [timeout seconds]
[retransmit number] [outside] [vrf vrf-name]
no ip urlfilter server vendor {websense | n2h2} ip-address [port port-number] [timeout seconds]
[retransmit number] [outside]
Syntax Description
websense
|
Websense server will be used.
|
n2h2
|
N2H2 server will be used.
|
ip-address
|
IP address of the vendor server.
|
port port-number
|
(Optional) Port number that the vendor server listens on. The default port number is 15868.
|
timeout seconds
|
(Optional) Length of time, in seconds, that the Cisco IOS firewall will wait for a response from the vendor server. The default timeout is 5 seconds.
|
retransmit number
|
(Optional) Number of times the Cisco IOS firewall will retransmit the request when a response does not arrive for the request. The default value is two times.
|
outside
|
(Optional) Vendor server will be deployed on the outside network.
|
vrf vrf-name
|
(Optional) Configures a vendor server for URL filtering only for the specified Virtual Routing and Forwarding (VRF) interface.
|
Defaults
A vendor server is not configured.
Command Modes
Global configuration
Command History
Release
|
Modification
|
12.2(11)YU
|
This command was introduced.
|
12.2(15)T
|
This command was integrated into Cisco IOS Release 12.2(15)T.
|
12.3(2)T
|
The outside keyword was added.
|
12.3(14)T
|
The vrf vrf-name keyword/argument pair was added.
|
Usage Guidelines
Use the ip urlfilter server vendor command to configure a Websense or N2H2 server, which will interact with the Cisco IOS Firewall to filter HTTP requests on the basis of a specified policy—global filtering, user- or group-based filtering, keyword-based filtering, category-based filtering, or customized filtering.
If the firewall has not received a response from the vendor server within the time specified in the timeout seconds keyword and argument, the firewall will check the retransmit number keyword and argument configured for the vendor server. If the firewall has not exceeded the maximum retransmit tries allowed, it will resend the HTTP lookup request. If the firewall has exceeded the maximum retransmit tries allowed, it will delete the outstanding request from the queue and check the status of the allow mode value. The firewall will forward the request if the allow mode is on; otherwise, it will drop the request.
By default, URL lookup requests that are made to the vendor server contain the client's untranslated (pre-NAT) IP address because the vendor server is assumed to be deployed on the inside network. The outside keyword indicates that the vendor server is deployed on the outside network, so that Cisco IOS software sends the client's translated (post-NAT) IP address in the URL lookup request instead.
Primary and Secondary Servers
When users configure multiple vendor servers, the firewall will use only one server at a time—the primary server; all other servers are called secondary servers. When the primary server becomes unavailable for any reason, it becomes a secondary server and one of the secondary servers becomes the primary server.
A firewall marks a primary server as down when sending a request to or receiving a response from the server fails. When a primary server goes down, the system will go to the beginning of the configured servers list and try to activate the first server on the list. If the first server on the list is unavailable, it will try the second server on the list; the system will keep trying to activate a server until it is successful or until it reaches the end of the server list. If the system reaches the end of the server list, it will set a flag indicating that all of the servers are down, and it will enter allow mode.
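The timeout and retransmit handling and the primary/secondary failover above combine into one state machine per firewall. The following model is an added example, not Cisco IOS code; it covers both passages (a request whose retransmits are exhausted is decided by the allow mode setting, the list is rescanned from the top to pick a new primary, and all servers unreachable means allow mode until a keepalive succeeds). The server addresses are constructed, and the network stand-in is an assumption for illustration: it maps each server to how many consecutive sends it drops before answering, so a request succeeds only if that number is within the configured retransmit count.

```python
"""Model of vendor-server timeout, retransmit and primary/secondary failover.

Added example, not Cisco IOS code. 'network' is a constructed stand-in for
the real servers: server address -> number of consecutive sends dropped
before the server answers (DOWN means it never answers).
"""

DOWN = 10 ** 9


class UrlFilterClient:
    def __init__(self, servers, allow_mode=False, retransmit=2):
        self.servers = list(servers)   # in the order configured
        self.primary = 0               # index of the current primary server
        self.all_down = False          # flag set when the list is exhausted
        self.allow_mode = allow_mode   # ip urlfilter allowmode on | off
        self.retransmit = retransmit   # ip urlfilter server vendor ... retransmit
        self.events = []               # mirrors the %URLF log messages

    def _answers(self, server, network):
        # one initial send plus 'retransmit' resends
        return network.get(server, DOWN) <= self.retransmit

    def _activate_first_available(self, network):
        """Walk the configured list from the top and activate the first
        reachable server; if none answers, flag all servers down."""
        for i, server in enumerate(self.servers):
            if self._answers(server, network):
                self.primary = i
                self.all_down = False
                self.events.append(f"SERVER_UP {server}")
                return True
        self.all_down = True
        self.events.append("ALLOW_MODE")
        return False

    def keepalive(self, network):
        """Periodic attempt to leave allow mode once all servers are down."""
        if not self.all_down:
            return True
        return self._activate_first_available(network)

    def lookup(self, url, network, vendor_verdict):
        """Decide 'forward' or 'drop' for one HTTP request."""
        if self.all_down:
            return "forward" if self.allow_mode else "drop"
        server = self.servers[self.primary]
        if self._answers(server, network):
            return "forward" if vendor_verdict(url) else "drop"
        # Retransmits exhausted: the outstanding request leaves the queue,
        # the primary is marked down, a new primary is chosen from the top
        # of the list, and allow mode decides the fate of this request.
        self.events.append(f"SERVER_DOWN {server}")
        self._activate_first_available(network)
        return "forward" if self.allow_mode else "drop"


if __name__ == "__main__":
    client = UrlFilterClient(["10.1.1.1", "10.1.1.2", "10.1.1.3"], retransmit=2)
    network = {"10.1.1.1": 3, "10.1.1.2": DOWN, "10.1.1.3": 1}   # constructed
    print(client.lookup("http://example.test/", network, lambda u: True))
    print(client.events)
```

The model makes the security trade-off of allow mode concrete: with allow mode off, every request that loses its server (and every request while all servers are down) is dropped, which fails closed; with allow mode on, those same requests are forwarded unfiltered.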
Examples
The following example shows how to configure the Websense server for URL filtering:
ip inspect name test http urlfilter
ip urlfilter exclusive-domain permit .weapons.com
ip urlfilter exclusive-domain deny .nbc.com
ip urlfilter exclusive-domain permit www.cisco.com
ip urlfilter server vendor websense 192.168.3.1
Related Commands
Command | Description
ip urlfilter allowmode | Turns on the default mode (allow mode) of the filtering algorithm.
ip urlfilter max-request | Sets the maximum number of outstanding requests that can exist at any given time.
ip urlfilter urlf-server-log
To enable the logging of system messages on the URL filtering server, use the ip urlfilter urlf-server-log command in global configuration mode. To disable the logging of system messages, use the no form of this command.
ip urlfilter urlf-server-log [vrf vrf-name]
no ip urlfilter urlf-server-log
Syntax Description
vrf vrf-name | (Optional) Enables the logging of system messages on the URL filtering server only for the specified Virtual Routing and Forwarding (VRF) interface.
Defaults
This command is disabled.
Command Modes
Global configuration
Command History
Release | Modification
12.2(11)YU | This command was introduced.
12.2(15)T | This command was integrated into Cisco IOS Release 12.2(15)T.
12.3(14)T | The vrf vrf-name keyword/argument pair was added.
Usage Guidelines
Use the ip urlfilter urlf-server-log command to enable Cisco IOS to send a log request immediately after the URL lookup request. The firewall will not make a URL lookup request if the destination IP address is in the cache, but it will still make a log request to the server. (The log request contains the URL, hostname, source IP address, and the destination IP address.) The server records the log request in its own log server so you can view this information as necessary.
Examples
The following example shows how to enable system message logging on the URL filter server:
ip urlfilter urlf-server-log
ip verify unicast source reachable-via
To enable Unicast Reverse Path Forwarding (Unicast RPF), use the ip verify unicast source reachable-via command in interface configuration mode. To disable Unicast RPF, use the no form of this command.
ip verify unicast source reachable-via {rx | any} [allow-default] [allow-self-ping] [list]
no ip verify unicast source reachable-via
Syntax Description
rx | Examines incoming packets to determine whether the source address is in the Forwarding Information Base (FIB) and permits the packet only if the source is reachable through the interface on which the packet was received (sometimes referred to as strict mode).
any | Examines incoming packets to determine whether the source address is in the FIB and permits the packet if the source is reachable through any interface (sometimes referred to as loose mode).
allow-default | (Optional) Allows the use of the default route for RPF verification.
allow-self-ping | (Optional) Allows a router to ping its own interface or interfaces.
Caution  Use caution when enabling the allow-self-ping keyword. This keyword opens a denial-of-service (DoS) hole.
list | (Optional) Specifies a numbered access control list (ACL) in the following ranges:
• 1 to 99 (IP standard access list)
• 100 to 199 (IP extended access list)
• 1300 to 2699 (IP standard access list, expanded range)
Command Default
Unicast RPF is disabled.
Command Modes
Interface configuration
Command History
Release | Modification
11.1(CC), 12.0 | This command was introduced. This command was not included in Cisco IOS Release 11.2 or 11.3.
12.1(2)T | Added ACL support using the list argument. Added per-interface statistics on dropped or suppressed packets.
12.0(15)S | This command replaced the ip verify unicast reverse-path command, and the following keywords were added: allow-default, allow-self-ping, rx, and any.
12.1(8a)E | This command was integrated into Cisco IOS Release 12.1(8a)E.
12.2(14)S | This command was integrated into Cisco IOS Release 12.2(14)S.
12.2(14)SX | Support for this command was introduced on the Supervisor Engine 720.
12.2(17d)SXB | Support for this command was introduced on the Supervisor Engine 2.
12.2(33)SRA | This command was integrated into Cisco IOS Release 12.2(33)SRA.
Usage Guidelines
Use the ip verify unicast source reachable-via interface command to mitigate problems caused by malformed or forged (spoofed) IP source addresses that pass through a router. Malformed or forged source addresses can indicate DoS attacks on the basis of source IP address spoofing.
To use Unicast RPF, enable CEF switching or distributed CEF (dCEF) switching in the router. There is no need to configure the input interface for CEF switching. As long as CEF is running on the router, individual interfaces can be configured with other switching modes.
Note
It is very important for CEF to be configured globally in the router. Unicast RPF will not work without CEF.
Note
Unicast RPF is an input function and is applied on the interface of a router only in the ingress direction.
When Unicast RPF is enabled on an interface, the router examines all packets that are received on that interface. The router checks to make sure that the source address appears in the FIB. If the rx keyword is selected, the source address must match the interface on which the packet was received. If the any keyword is selected, the source address must be present only in the FIB. This ability to "look backwards" is available only when Cisco Express Forwarding (CEF) is enabled on the router because the lookup relies on the presence of the FIB. CEF generates the FIB as part of its operation.
Note
If the source address of an incoming packet is resolved to a null adjacency, the packet will be dropped. The null interface is treated as an invalid interface by the new form of the Unicast RPF command. The older form of the command syntax did not exhibit this behavior.
Unicast RPF checks to determine whether any packet that is received at a router interface arrives on one of the best return paths to the source of the packet. If a reverse path for the packet is not found, Unicast RPF can drop or forward the packet, depending on whether an ACL is specified in the Unicast RPF command. If an ACL is specified in the command, when (and only when) a packet fails the Unicast RPF check, the ACL is checked to determine whether the packet should be dropped (using a deny statement in the ACL) or forwarded (using a permit statement in the ACL). Whether a packet is dropped or forwarded, the packet is counted in the global IP traffic statistics for Unicast RPF drops and in the interface statistics for Unicast RPF.
If no ACL is specified in the ip verify unicast source reachable-via command, the router drops the forged or malformed packet immediately and no ACL logging occurs. The router and interface Unicast RPF counters are updated.
Unicast RPF events can be logged by specifying the logging option for the ACL entries that are used by the ip verify unicast source reachable-via command. The log information can be used to gather details about the attack, such as the source address, the time, and so on.
Strict Mode RPF
If the source address is in the FIB and reachable only through the interface on which the packet was received, the packet is passed. The syntax for this method is ip verify unicast source reachable-via rx.
Exists-Only (or Loose Mode) RPF
If the source address is in the FIB and reachable through any interface on the router, the packet is passed. The syntax for this method is ip verify unicast source reachable-via any.
Because this Unicast RPF option passes packets regardless of which interface the packet enters, it is often used on Internet Service Provider (ISP) routers that are "peered" with other ISP routers (where asymmetrical routing typically occurs). Packets using source addresses that have not been allocated on the Internet, which are often used for spoofed source addresses, are dropped by this Unicast RPF option. All other packets that have an entry in the FIB are passed.
allow-default
Normally, sources that are found in the FIB only by way of the default route are dropped. Specifying the allow-default keyword overrides this behavior: you must specify allow-default in the command for Unicast RPF to match prefixes that are known only through the default route and pass those packets.
allow-self-ping
This keyword allows the router to ping its own interface or interfaces. By default, when Unicast RPF is enabled, packets that are generated by the router and destined to the router are dropped, thereby making certain troubleshooting and management tasks difficult to accomplish. Issue the allow-self-ping keyword to enable self-pinging.
Caution  Use caution when enabling the allow-self-ping keyword because this option opens a potential DoS hole.
Where to Use RPF in Your Network
Unicast RPF strict mode may be used on interfaces in which only one path allows packets from valid source networks (networks contained in the FIB). Unicast RPF strict mode may also be used in cases for which a router has multiple paths to a given network, as long as the valid networks are switched via the incoming interfaces. Packets for invalid networks will be dropped. For example, routers at the edge of the network of an ISP are likely to have symmetrical reverse paths. Unicast RPF strict mode may still be applicable in certain multihomed situations, provided that optional Border Gateway Protocol (BGP) attributes, such as weight and local preference, are used to achieve symmetric routing.

Note
With Unicast RPF, all equal-cost "best" return paths are considered valid. This means that Unicast RPF works in cases where multiple return paths exist, provided that each path is equal to the others in terms of the routing cost (number of hops, weights, and so on) and as long as the route is in the FIB. Unicast RPF also functions where Enhanced Interior Gateway Routing Protocol (EIGRP) variants are being used and unequal candidate paths back to the source IP address exist.
Unicast RPF loose mode may be used on interfaces in which asymmetric paths allow packets from valid source networks (networks contained in the FIB). Routers that are in the core of the ISP network have no guarantee that the best forwarding path out of the router will be the path selected for packets returning to the router.
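The decision procedure described in these Usage Guidelines (strict and loose mode, allow-default, equal-cost return paths, null adjacencies, and the ACL consulted only when the check fails), as an added Python model that is not part of the Cisco reference. The FIB, interface names, ACL entries and source addresses are all constructed for the example; it goes slightly beyond the text by doing a longest-prefix match over a small FIB instead of a single route, which is what makes the default-route case visible.

```python
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Constructed FIB: prefix -> egress interfaces (more than one = equal-cost paths).
# None models a null adjacency, which the reference treats as an invalid interface.
FIB: Dict[str, Optional[frozenset]] = {
    "0.0.0.0/0": frozenset({"Serial0/0"}),                    # default route
    "10.1.0.0/16": frozenset({"Ethernet0/1"}),
    "10.2.0.0/16": frozenset({"Ethernet0/1", "Ethernet0/2"}),  # ECMP return paths
    "192.0.2.0/24": None,                                      # null adjacency
}


def fib_lookup(fib, src):
    """Longest-prefix match of a source address; returns (network, interfaces)."""
    addr = ip_address(src)
    best = None
    for prefix, ifaces in fib.items():
        net = ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifaces)
    return best if best else (None, None)


def acl_verdict(acl: List[Tuple[str, str]], src: str) -> str:
    """Constructed standard ACL as [(action, prefix), ...]: first match wins,
    with the implicit deny at the end that IOS ACLs have."""
    addr = ip_address(src)
    for action, prefix in acl:
        if addr in ip_network(prefix):
            return action
    return "deny"


def urpf_check(fib, src, in_iface, mode="rx", allow_default=False, acl=None):
    """Unicast RPF as the reference describes it; returns (verdict, reason)."""
    net, ifaces = fib_lookup(fib, src)
    if net is None:
        reason = "source not in FIB"
    elif ifaces is None:
        reason = "source resolves to a null adjacency"
    elif net.prefixlen == 0 and not allow_default:
        reason = "source known only through the default route"
    elif mode == "rx" and in_iface not in ifaces:
        reason = f"strict mode: {in_iface} is not a best return path"
    else:
        return "forward", f"{mode}: source reachable via {sorted(ifaces)}"
    # The RPF check failed. Without an ACL the packet is dropped at once;
    # with an ACL, a permit entry forwards it (still counted as an RPF failure).
    if acl is None:
        return "drop", reason + "; no ACL, dropped immediately"
    verdict = acl_verdict(acl, src)
    return ("forward" if verdict == "permit" else "drop"), f"{reason}; ACL says {verdict}"
```

The ACL path is the one to watch when auditing a configuration: a permit entry in the list named on the command does not tighten the check, it exempts the matching sources from it, so the list should normally contain deny entries with logging and permits only for the sources whose asymmetry is understood.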
Examples
The following example uses a very simple single-homed ISP connection to demonstrate the concept of Unicast RPF. In this example, an ISP peering router is connected via a single serial interface to one upstream ISP. Hence, traffic flows into and out of the ISP will be symmetric. Because traffic flows will be symmetric, a Unicast RPF strict-mode deployment can be configured.
ip cef
! or "ip cef distributed" for Route Switch Processor+Versatile Interface Processor-
! (RSP+VIP-) based routers.
!
! the interface name below is illustrative; the text specifies only a single serial link
interface Serial0/0
 description - link to upstream ISP (single-homed)
 ip address 192.168.200.225 255.255.255.252
 no ip directed-broadcast
 ip verify unicast source reachable-via rx
Related Commands
Command | Description
ip cef | Enables CEF on the route processor card.
ip virtual-reassembly
To enable virtual fragment reassembly (VFR) on an interface, use the ip virtual-reassembly command in interface configuration mode. To disable VFR on an interface, use the no form of this command.
ip virtual-reassembly [max-reassemblies number] [max-fragments number] [timeout seconds]
[drop-fragments]
no ip virtual-reassembly [max-reassemblies number] [max-fragments number] [timeout
seconds] [drop-fragments]
Syntax Description
max-reassemblies number | (Optional) Maximum number of IP datagrams that can be reassembled at any given time. Default value: 64. If the maximum value is reached, all fragments within the following fragment set will be dropped and an alert message will be logged to the syslog server.
max-fragments number | (Optional) Maximum number of fragments that are allowed per IP datagram (fragment set). Default value: 16. If an IP datagram that is being reassembled receives more than the maximum allowed fragments, the IP datagram will be dropped and an alert message will be logged to the syslog server.
timeout seconds | (Optional) Timeout value, in seconds, for an IP datagram that is being reassembled. Default value: 3 seconds. If an IP datagram does not receive all of the fragments within the specified time, the IP datagram (and all of its fragments) will be dropped.
drop-fragments | (Optional) Enables the VFR to drop all fragments that arrive on the configured interface. By default, this function is disabled.
Defaults
VFR is not enabled.
Command Modes
Interface configuration
Command History
Release | Modification
12.3(8)T | This command was introduced.
Usage Guidelines
A buffer overflow attack can occur when an attacker continuously sends a large number of incomplete IP fragments, causing the firewall to lose time and memory while trying to reassemble the fake packets.
The max-reassemblies number option and the max-fragments number option allow you to configure maximum threshold values to avoid a buffer overflow attack and to control memory usage.
In addition to configuring the maximum threshold values, each IP datagram is associated with a managed timer. If the IP datagram does not receive all of the fragments within the specified time (which can be configured via the timeout seconds option), the timer will expire and the IP datagram (and all of its fragments) will be dropped.
Automatically Enabling or Disabling VFR
VFR is designed to work with any feature that requires fragment reassembly (such as Cisco IOS Firewall and NAT). Currently, NAT enables and disables VFR internally; that is, when NAT is enabled on an interface, VFR is automatically enabled on that interface.
If more than one feature attempts to automatically enable VFR on an interface, VFR will maintain a reference count to keep track of the number of features that have enabled VFR. When the reference count is reduced to zero, VFR is automatically disabled.
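An added Python model of the VFR limits described in these Usage Guidelines, not code from the Cisco reference: it keeps a table of fragment sets keyed by source, destination and IP identification and applies max-reassemblies, max-fragments, the per-datagram timeout and drop-fragments to constructed fragments. The Fragment and VFR classes, the arrival timestamps and the one-unit payload sizes are assumptions of the example; the real feature acts on IP headers in the forwarding path.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Fragment:
    """One IP fragment, constructed for the example (no real packet bytes)."""
    src: str
    dst: str
    ident: int        # IP identification field shared by one datagram's fragments
    offset: int       # fragment offset, in 8-byte units as on the wire
    more: bool        # MF flag: True on every fragment except the last
    arrival: float    # constructed arrival time in seconds
    units: int = 1    # payload length in 8-byte units


@dataclass
class FragmentSet:
    first_seen: float
    fragments: List[Fragment] = field(default_factory=list)

    def complete(self) -> bool:
        """True when offsets are contiguous from 0 and the last fragment has arrived."""
        frags = sorted(self.fragments, key=lambda f: f.offset)
        if frags[0].offset != 0 or frags[-1].more:
            return False
        expected = 0
        for f in frags:
            if f.offset != expected:
                return False
            expected = f.offset + f.units
        return True


@dataclass
class VFR:
    """Per-interface virtual fragment reassembly state with the three thresholds."""
    max_reassemblies: int = 64   # IOS default from the syntax description
    max_fragments: int = 16      # IOS default
    timeout: float = 3.0         # IOS default, seconds
    drop_fragments: bool = False
    table: Dict[Tuple[str, str, int], FragmentSet] = field(default_factory=dict)
    alerts: List[str] = field(default_factory=list)   # stands in for syslog alerts

    def expire(self, now: float) -> None:
        """Managed timer: drop datagrams whose fragments did not all arrive in time."""
        for key, fs in list(self.table.items()):
            if now - fs.first_seen > self.timeout:
                self.alerts.append(f"timeout: dropped {len(fs.fragments)} fragments of {key}")
                del self.table[key]

    def receive(self, frag: Fragment) -> str:
        """Return 'drop', 'hold' (waiting for more fragments) or 'reassembled'."""
        self.expire(frag.arrival)
        if self.drop_fragments:
            return "drop"                     # drop-fragments: no reassembly at all
        key = (frag.src, frag.dst, frag.ident)
        fs = self.table.get(key)
        if fs is None:
            if len(self.table) >= self.max_reassemblies:
                # a new fragment set would exceed the concurrent-reassembly limit
                self.alerts.append(f"max-reassemblies reached; dropping fragment set {key}")
                return "drop"
            fs = self.table[key] = FragmentSet(first_seen=frag.arrival)
        fs.fragments.append(frag)
        if len(fs.fragments) > self.max_fragments:
            self.alerts.append(f"max-fragments exceeded; dropping datagram {key}")
            del self.table[key]
            return "drop"
        if fs.complete():
            del self.table[key]
            return "reassembled"
        return "hold"
```

Lowering max-reassemblies bounds the memory an incomplete-fragment flood can pin down, at the cost of dropping legitimate fragmented datagrams that arrive while the table is full; the alerts list shows which limit fired, which is the first thing to check when fragmented traffic starts disappearing after VFR is enabled.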
Examples
The following example shows how to configure VFR on interfaces ethernet2/1, ethernet2/2, and serial3/0 to facilitate the firewall that is enabled in the outbound direction on interface serial3/0. In this example, the firewall rules that specify the list of LAN1 and LAN2 originating protocols (FTP, HTTP and SMTP) are to be inspected. The Loopback0 and Ethernet2/0 interface names, and the assignment of 14.0.0.2 to LAN1 and 15.0.0.2 to LAN2, are illustrative; the description above names only the three interfaces on which VFR is enabled.
ip inspect name INTERNET-FW ftp
ip inspect name INTERNET-FW http
ip inspect name INTERNET-FW smtp
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
interface Ethernet2/0
 ip address 9.4.21.9 255.255.0.0
interface Ethernet2/1
 ip address 14.0.0.2 255.255.255.0
 ip virtual-reassembly
interface Ethernet2/2
 ip address 15.0.0.2 255.255.255.0
 ip virtual-reassembly
interface Serial3/0
 ip inspect INTERNET-FW out
 ip virtual-reassembly
Related Commands
Command | Description
show ip virtual-reassembly | Displays the configuration and statistical information of the VFR on a given interface.
ip vrf forwarding (server-group)
To configure the Virtual Private Network (VPN) routing and forwarding (VRF) reference of an authentication, authorization, and accounting (AAA) RADIUS or TACACS+ server group, use the ip vrf forwarding command in server-group configuration mode. To enable server groups to use the global (default) routing table, use the no form of this command.
ip vrf forwarding vrf-name
no ip vrf forwarding vrf-name
Syntax Description
vrf-name | Name assigned to a VRF.
Defaults
Server groups use the global routing table.
Command Modes
Server-group configuration
Command History
Release | Modification
12.2(2)DD | This command was introduced on the Cisco 7200 series and Cisco 7401ASR.
12.2(4)B | This command was integrated into Cisco IOS Release 12.2(4)B.
12.2(13)T | This command was integrated into Cisco IOS Release 12.2(13)T.
12.3(7)T | Functionality was added for TACACS+ servers.
Usage Guidelines
Use the ip vrf forwarding command to specify a VRF for a AAA RADIUS or TACACS+ server group. This command enables dial users to use AAA servers in different routing domains.
Examples
The following example shows how to configure the VRF user to reference the RADIUS server in a different VRF server group:
aaa group server radius sg_global
 server-private 172.16.0.0 timeout 5 retransmit 3
!
! VRF-NAME is a placeholder; the VRF name is not given in this reference
aaa group server radius sg_water
 server-private 10.10.0.0 timeout 5 retransmit 3 key water
 ip vrf forwarding VRF-NAME
The following example shows how to configure the VRF user to reference the TACACS+ server in the server group tacacs1:
aaa group server tacacs+ tacacs1
 server-private 1.1.1.1 port 19 key cisco
 ip vrf forwarding VRF-NAME
 ip tacacs source-interface Loopback0
! VRF-NAME is a placeholder; the source interface must sit in the same VRF
interface Loopback0
 ip vrf forwarding VRF-NAME
 ip address 10.0.0.2 255.0.0.0
Related Commands
Command | Description
aaa group server radius | Groups different RADIUS server hosts into distinct lists and distinct methods.
ip tacacs source-interface | Uses the IP address of a specified interface for all outgoing TACACS+ packets.
ip vrf forwarding (server-group) | Configures the VRF reference of an AAA RADIUS or TACACS+ server group.
server-private | Configures the IP address of the private RADIUS server for the group server.
isakmp authorization list
To configure an Internet Key Exchange (IKE) shared secret using the authentication, authorization, and accounting (AAA) server in an Internet Security Association and Key Management Protocol (ISAKMP) profile, use the isakmp authorization list command in ISAKMP profile configuration mode. To disable the shared secret, use the no form of this command.
isakmp authorization list list-name
no isakmp authorization list list-name
Syntax Description
list-name | AAA authorization list used for configuration mode attributes or preshared keys for aggressive mode.
Defaults
No default behaviors or values
Command Modes
ISAKMP profile configuration
Command History
Release | Modification
12.2(15)T | This command was introduced.
Usage Guidelines
This command allows you to retrieve a shared secret from an AAA server.
Examples
The following example shows that an IKE shared secret is configured using an AAA server on a router:
crypto isakmp profile vpnprofile
 isakmp authorization list ikessaaalist
Related Commands
Command | Description
aaa authorization | Sets parameters that restrict user access to a network.
issuer-name
To specify the distinguished name (DN) as the certification authority (CA) issuer name for the certificate server, use the issuer-name command in certificate server configuration mode. To clear the issuer name and return to the default, use the no form of this command.
issuer-name DN-string
no issuer-name DN-string
Syntax Description
DN-string | Name of the DN string.
Defaults
If the issuer name is not configured, the default is CN=cs-label.
Command Modes
Certificate server configuration
Command History
Release | Modification
12.3(4)T | This command was introduced.
Usage Guidelines
The DN-string value cannot be changed after the certificate server generates its signed certificate.
Examples
The following example shows how to define an issuer name for the certificate server "mycertserver":
Router(config)# ip http server
Router(config)# crypto pki server mycertserver
Router(cs-server)# database level minimal
Router(cs-server)# database url nvram:
Router(cs-server)# issuer-name CN=ipsec_cs,L=My Town,C=US
Related Commands
Command | Description
crypto pki server | Enables a Cisco IOS certificate server and enters certificate server configuration mode.