Cisco IOS IPv6 Command Reference
clear ipv6 mobile traffic through debug bgp vpnv6 unicast

Table Of Contents

clear ipv6 mobile traffic

clear ipv6 multicast aaa authorization

clear ipv6 nat translation

clear ipv6 neighbors

clear ipv6 nhrp

clear ipv6 ospf

clear ipv6 ospf counters

clear ipv6 ospf events

clear ipv6 pim counters

clear ipv6 pim reset

clear ipv6 pim topology

clear ipv6 prefix-list

clear ipv6 rip

clear ipv6 route

clear ipv6 traffic

clear mls cef ipv6 accounting per-prefix

codec(DSP farm profile)

context

copy

crypto ipsec profile

crypto isakmp identity

crypto isakmp key

crypto isakmp peer

crypto isakmp policy

crypto isakmp profile

crypto key generate rsa

crypto keyring

crypto pki authenticate

crypto pki enroll

crypto pki import

ctunnel mode

debug adjacency

debug bgp ipv6 dampening

debug bgp ipv6 updates

debug bgp vpnv6 unicast


clear ipv6 mobile traffic

To clear statistics associated with Mobile IPv6 traffic, use the clear ipv6 mobile traffic command in privileged EXEC mode.

clear ipv6 mobile traffic

Syntax Description

This command has no arguments or keywords.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.3(14)T

This command was introduced.


Usage Guidelines

The clear ipv6 mobile traffic command clears the statistics about the received binding updates and transmitted binding acknowledgments on a mobile node.

Examples

In the following example, statistics about binding updates and binding acknowledgments are cleared:

Router# clear ipv6 mobile traffic 

Router# show ipv6 mobile traffic

MIPv6 statistics:
  Rcvd: 0 total
      0 truncated, 0 format errors
      0 checksum errors
    Binding Updates received:0
      0 no HA option, 0 BU's length
      0 options' length, 0 invalid CoA
  Sent: 0 generated
    Binding Acknowledgements sent:0
      0 accepted (0 prefix discovery required)
      0 reason unspecified, 0 admin prohibited
      0 insufficient resources, 0 home reg not supported
      0 not home subnet, 0 not home agent for node
      0 DAD failed, 0 sequence number
    Binding Errors sent:0
      0 no binding, 0 unknown MH
  Home Agent Traffic:
    0 registrations, 0 deregistrations
    unknown time since last accepted HA registration
    unknown time since last failed HA registration
    unknown last failed registration code
    Traffic forwarded:
      0 tunneled, 0 reversed tunneled
    Dynamic Home Agent Address Discovery:
      0 requests received, 0 replies sent
    Mobile Prefix Discovery:
      0 solicitations received, 0 advertisements sent

Related Commands

Command
Description

binding

Configures binding options for the Mobile IPv6 home agent feature in home agent configuration mode.

show ipv6 mobile home-agent

Displays neighboring home agents.


clear ipv6 multicast aaa authorization

To clear parameters that restrict user access to an IPv6 multicast network, use the clear ipv6 multicast aaa authorization command in privileged EXEC mode.

clear ipv6 multicast aaa authorization [interface-type interface-number]

Syntax Description

interface-type interface-number

Interface type and number. For more information, use the question mark (?) online help function.


Command Modes

Privileged EXEC

Command History

Release
Modification

12.4(4)T

This command was introduced.


Usage Guidelines

Using the clear ipv6 multicast aaa authorization command without the optional interface-type and interface-number arguments will clear all authorization parameters on a network.

Examples

The following example clears all configured authorization parameters on an IPv6 network:

Router# clear ipv6 multicast aaa authorization FastEthernet 1/0

Related Commands

Command
Description

aaa authorization multicast default

Sets parameters that restrict user access to an IPv6 multicast network.


clear ipv6 nat translation

To clear dynamic Network Address Translation—Protocol Translation (NAT-PT) translations from the dynamic state table, use the clear ipv6 nat translation command in privileged EXEC mode.

clear ipv6 nat translation *

Syntax Description

*

Clears all dynamic NAT-PT translations.


Command Default

Entries are deleted from the dynamic translation state table when they time out.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.2(13)T

This command was introduced.


Usage Guidelines

Use this command to clear entries from the dynamic translation state table before they time out. Static translation configuration is not affected by this command.

Examples

The following example shows the NAT-PT entries before and after the dynamic translation state table is cleared. Note that all the dynamic NAT-PT mappings are cleared, but the static NAT-PT configurations remain.

Router# show ipv6 nat translations

Prot  IPv4 source              IPv6 source 
      IPv4 destination         IPv6 destination 
---   ---                      --- 
      192.168.123.2            2001::2 

---   ---                      --- 
      192.168.122.10           2001::10 

tcp   192.168.124.8,11047      3002::8,11047 
      192.168.123.2,23         2001::2,23 

udp   192.168.124.8,52922      3002::8,52922 
      192.168.123.2,69         2001::2,69

Router# clear ipv6 nat translation *

Router# show ipv6 nat translations

Prot  IPv4 source              IPv6 source 
      IPv4 destination         IPv6 destination 
---   ---                      --- 
      192.168.123.2            2001::2 

---   ---                      --- 
      192.168.122.10           2001::10 

Related Commands

Command
Description

ipv6 nat

Designates that traffic originating from or destined for the interface is subject to NAT-PT.

show ipv6 nat translations

Displays active NAT-PT translations.


clear ipv6 neighbors

To delete all entries in the IPv6 neighbor discovery cache, except static entries, use the clear ipv6 neighbors command in privileged EXEC mode.

clear ipv6 neighbors

Syntax Description

This command has no arguments or keywords.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.2(2)T

This command was introduced.

12.0(21)ST

This command was integrated into Cisco IOS Release 12.0(21)ST.

12.0(22)S

This command was integrated into Cisco IOS Release 12.0(22)S.

12.2(14)S

This command was integrated into Cisco IOS Release 12.2(14)S.

12.2(28)SB

This command was integrated into Cisco IOS Release 12.2(28)SB.

12.2(25)SG

This command was integrated into Cisco IOS Release 12.2(25)SG.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2(33)SXH

This command was integrated into Cisco IOS Release 12.2(33)SXH.


Examples

The following example deletes all entries, except static entries, in the neighbor discovery cache:

Router# clear ipv6 neighbors

Related Commands

Command
Description

ipv6 neighbor

Configures a static entry in the IPv6 neighbor discovery cache.

show ipv6 neighbors

Displays IPv6 neighbor discovery cache information.


clear ipv6 nhrp

To clear all dynamic entries from the Next Hop Resolution Protocol (NHRP) cache, use the clear ipv6 nhrp command in privileged EXEC mode.

clear ipv6 nhrp [ipv6-address | counters]

Syntax Description

ipv6-address

(Optional) The IPv6 network to delete.

counters

(Optional) Specifies NHRP counters to delete.


Command Modes

Privileged EXEC

Command History

Release
Modification

12.4(20)T

This command was introduced.


Usage Guidelines

This command does not clear any static (configured) IPv6-to-nonbroadcast multiaccess (NBMA) address mappings from the NHRP cache.

Examples

The following example shows how to clear all dynamic entries from the NHRP cache for the interface:

Router# clear ipv6 nhrp 

Related Commands

Command
Description

show ipv6 nhrp

Displays the NHRP cache.


clear ipv6 ospf

To clear the Open Shortest Path First (OSPF) state based on the OSPF routing process ID, use the clear ipv6 ospf command in privileged EXEC mode.

clear ipv6 ospf [process-id] {process | force-spf | redistribution}

Syntax Description

process-id

(Optional) Internal identification. It is locally assigned and can be any positive integer. The number used here is the number assigned administratively when enabling the OSPF routing process.

process

Restarts the OSPF process.

force-spf

Starts the shortest path first (SPF) algorithm without first clearing the OSPF database.

redistribution

Clears OSPF route redistribution.


Command Modes

Privileged EXEC

Command History

Release
Modification

12.0(24)S

This command was introduced.

12.2(15)T

This command was integrated into Cisco IOS Release 12.2(15)T.

12.2(18)S

This command was integrated into Cisco IOS Release 12.2(18)S.

12.2(28)SB

This command was integrated into Cisco IOS Release 12.2(28)SB.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2(33)SXH

This command was integrated into Cisco IOS Release 12.2(33)SXH.

Cisco IOS XE Release 2.1

This command was integrated into Cisco IOS XE Release 2.1.

15.0(1)M

This command was integrated into Cisco IOS Release 12.5(1)M.


Usage Guidelines

When the process keyword is used with the clear ipv6 ospf command, the OSPF database is cleared and repopulated, and then the shortest path first (SPF) algorithm is performed. When the force-spf keyword is used with the clear ipv6 ospf command, the OSPF database is not cleared before the SPF algorithm is performed.

Use the process-id option to clear only one OSPF process. If the process-id option is not specified, all OSPF processes are cleared.

Examples

The following example starts the SPF algorithm without clearing the OSPF database:

Router# clear ipv6 ospf force-spf

clear ipv6 ospf counters

To clear the Open Shortest Path First (OSPF) state based on the OSPF routing process ID, use the clear ipv6 ospf command in privileged EXEC mode.

clear ipv6 ospf [process-id] counters [neighbor [neighbor-interface | neighbor-id]]

Syntax Description

process-id

(Optional) Internal identification. It is locally assigned and can be any positive integer. The number used here is the number assigned administratively when enabling the OSPF routing process.

neighbor

(Optional) Neighbor statistics per interface or neighbor ID.

neighbor-interface

(Optional) Neighbor interface.

neighbor-id

(Optional) IPv6 or IP address of the neighbor.


Command Modes

Privileged EXEC

Command History

Release
Modification

12.0(24)S

This command was introduced.

12.2(15)T

This command was integrated into Cisco IOS Release 12.2(15)T.

12.2(18)S

This command was integrated into Cisco IOS Release 12.2(18)S.

12.2(28)SB

This command was integrated into Cisco IOS Release 12.2(28)SB.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2(33)SXH

This command was integrated into Cisco IOS Release 12.2(33)SXH.


Usage Guidelines

Use the neighbor neighbor-interface option to clear counters for all neighbors on a specified interface. If the neighbor neighbor-interface option is not used, all OSPF counters are cleared.

Use the neighbor neighbor-id option to clear counters at a specified neighbor. If the neighbor neighbor-id option is not used, all OSPF counters are cleared.

Examples

The following example provides detailed information on a neighbor router:

Router# show ipv6 ospf neighbor detail

 Neighbor 10.0.0.1
    In the area 1 via interface Serial19/0
    Neighbor:interface-id 21, link-local address FE80::A8BB:CCFF:FE00:6F00
    Neighbor priority is 1, State is FULL, 6 state changes
    Options is 0x194AE05
    Dead timer due in 00:00:37
    Neighbor is up for 00:00:15
    Index 1/1/1, retransmission queue length 0, number of retransmission 1
    First 0x0(0)/0x0(0)/0x0(0) Next 0x0(0)/0x0(0)/0x0(0)
    Last retransmission scan length is 1, maximum is 1
    Last retransmission scan time is 0 msec, maximum is 0 msec

The following example clears all neighbors on the specified interface:

Router# clear ipv6 ospf counters neighbor s19/0

The following example now shows that there have been 0 state changes since the clear ipv6 ospf counters neighbor s19/0 command was used:

Router# show ipv6 ospf neighbor detail

 Neighbor 10.0.0.1
    In the area 1 via interface Serial19/0
    Neighbor:interface-id 21, link-local address FE80::A8BB:CCFF:FE00:6F00
    Neighbor priority is 1, State is FULL, 0 state changes
    Options is 0x194AE05
    Dead timer due in 00:00:39
    Neighbor is up for 00:00:43
    Index 1/1/1, retransmission queue length 0, number of retransmission 1
    First 0x0(0)/0x0(0)/0x0(0) Next 0x0(0)/0x0(0)/0x0(0)
    Last retransmission scan length is 1, maximum is 1
    Last retransmission scan time is 0 msec, maximum is 0 msec

Related Commands

Command
Description

show ipv6 ospf neighbor

Displays OSPF neighbor information on a per-interface basis.


clear ipv6 ospf events

To clear the Open Shortest Path First (OSPF) for IPv6 event log content based on the OSPF routing process ID, use the clear ipv6 ospf events command in privileged EXEC mode.

clear ipv6 ospf [process-id] events

Syntax Description

process-id

(Optional) Internal identification. It is locally assigned and can be any positive integer. The number used here is the number assigned administratively when enabling the OSPF routing process.


Command Modes

Privileged EXEC

Command History

Release
Modification

12.2(33)SRC

This command was introduced.

12.2(33)SB

This command was integrated into Cisco IOS Release 12.2(33)SB.

Cisco IOS XE Release 2.1

This command was introduced on Cisco ASR 1000 Series Routers.


Usage Guidelines

Use the optional process-id argument to clear the IPv6 event log content of a specified OSPF routing process. If the process-id argument is not used, all event log content is cleared.

Examples

The following example enables the clearing of OSPF for IPv6 event log content for routing process 1:

Router# clear ipv6 ospf 1 events

clear ipv6 pim counters

To reset the Protocol Independent Multicast (PIM) traffic counters, use the clear ipv6 pim counters command in privileged EXEC mode.

clear ipv6 pim counters

Syntax Description

This command has no arguments or keywords.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.0(26)S

This command was introduced.

12.2(18)S

This command was integrated into Cisco IOS Release 12.2(18)S.

12.3(4)T

This command was integrated into Cisco IOS Release 12.3(4)T.

12.2(28)SB

This command was integrated into Cisco IOS Release 12.2(28)SB.

12.2(25)SG

This command was integrated into Cisco IOS Release 12.2(25)SG.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2(33)SXH

This command was integrated into Cisco IOS Release 12.2(33)SXH.

Cisco IOS XE Release 2.1

This command was introduced on Cisco ASR 1000 Series Routers.


Usage Guidelines

Using the clear ipv6 pim counters command will reset all PIM traffic counters.

Examples

The following example resets the PIM traffic counters:

Router# clear ipv6 pim counters

Related Commands

Command
Description

show ipv6 pim traffic

Displays the PIM traffic counters.


clear ipv6 pim reset

To delete all entries from the topology table and reset the Multicast Routing Information Base (MRIB) connection, use the clear ipv6 pim reset command in privileged EXEC mode.

clear ipv6 pim reset

Syntax Description

This command has no arguments or keywords.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.3(2)T

This command was introduced.

12.2(18)S

This command was integrated into Cisco IOS Release 12.2(18)S.

12.0(26)S

This command was integrated into Cisco IOS Release 12.0(26)S.

12.2(28)SB

This command was integrated into Cisco IOS Release 12.2(28)SB.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2(33)SXH

This command was integrated into Cisco IOS Release 12.2(33)SXH.


Usage Guidelines

Using the clear ipv6 pim reset command breaks the PIM-MRIB connection, clears the topology table, and then reestablishes the PIM-MRIB connection. This procedure forces MRIB resynchronization.


Caution Use the clear ipv6 pim reset command with caution, as it clears all PIM protocol information from the PIM topology table. Use of the clear ipv6 pim reset command should be reserved for situations where PIM and MRIB communication are malfunctioning.

Examples

The following example deletes all entries from the topology table and resets the MRIB connection:

Router# clear ipv6 pim reset

clear ipv6 pim topology

To clear the Protocol Independent Multicast (PIM) topology table, use the clear ipv6 pim topology command in privileged EXEC mode.

clear ipv6 pim topology [group-name | group-address]

Syntax Description

group-name | group-address

(Optional) IPv6 address or name of the multicast group.


Command Default

When the command is used with no arguments, all group entries located in the PIM topology table are cleared of PIM protocol information.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.3(2)T

This command was introduced.

12.2(18)S

This command was integrated into Cisco IOS Release 12.2(18)S.

12.0(26)S

This command was integrated into Cisco IOS Release 12.0(26)S.

12.2(28)SB

This command was integrated into Cisco IOS Release 12.2(28)SB.

12.2(25)SG

This command was integrated into Cisco IOS Release 12.2(25)SG.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2(33)SXH

This command was integrated into Cisco IOS Release 12.2(33)SXH.

Cisco IOS XE Release 2.1

This command was introduced on Cisco ASR 1000 Series Routers.


Usage Guidelines

This command clears PIM protocol information from all group entries located in the PIM topology table. Information obtained from the MRIB table is retained. If a multicast group is specified, only those group entries are cleared.

Examples

The following example clears all group entries located in the PIM topology table:

Router# clear ipv6 pim topology

clear ipv6 prefix-list

To reset the hit count of the IPv6 prefix list entries, use the clear ipv6 prefix-list command in privileged EXEC mode.

clear ipv6 prefix-list [prefix-list-name] [ipv6-prefix/prefix-length]

Syntax Description

prefix-list-name

(Optional) The name of the prefix list from which the hit count is to be cleared.

ipv6-prefix

(Optional) The IPv6 network from which the hit count is to be cleared.

This argument must be in the form documented in RFC 2373 where the address is specified in hexadecimal using 16-bit values between colons.

/prefix-length

(Optional) The length of the IPv6 prefix. A decimal value that indicates how many of the high-order contiguous bits of the address comprise the prefix (the network portion of the address). A slash mark must precede the decimal value.


Command Default

The hit count is automatically cleared for all IPv6 prefix lists.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.2(2)T

This command was introduced.

12.0(21)ST

This command was integrated into Cisco IOS Release 12.0(21)ST.

12.0(22)S

This command was integrated into Cisco IOS Release 12.0(22)S.

12.2(14)S

This command was integrated into Cisco IOS Release 12.2(14)S.

12.2(28)SB

This command was integrated into Cisco IOS Release 12.2(28)SB.

12.2(25)SG

This command was integrated into Cisco IOS Release 12.2(25)SG.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2(33)SXH

This command was integrated into Cisco IOS Release 12.2(33)SXH.

Cisco IOS XE Release 2.1

This command was introduced on Cisco ASR 1000 Series Routers.


Usage Guidelines

The clear ipv6 prefix-list command is similar to the clear ip prefix-list command, except that it is IPv6-specific.

The hit count is a value indicating the number of matches to a specific prefix list entry.

Examples

The following example clears the hit count from the prefix list entries for the prefix list named first_list that match the network mask 2001:0DB8::/35.

Router# clear ipv6 prefix-list first_list 2001:0DB8::/35

Related Commands

Command
Description

ipv6 prefix-list

Creates an entry in an IPv6 prefix list.

ipv6 prefix-list sequence-number

Enables the generation of sequence numbers for entries in an IPv6 prefix list.

show ipv6 prefix-list

Displays information about an IPv6 prefix list or prefix list entries.


clear ipv6 rip

To delete routes from the IPv6 Routing Information Protocol (RIP) routing table, use the clear ipv6 rip command in privileged EXEC mode.

clear ipv6 rip [name]

Syntax Description

name

(Optional) Name of an IPv6 RIP process.


Command Modes

Privileged EXEC

Command History

Release
Modification

12.0(22)S

This command was introduced.

12.2(13)T

This command was integrated into Cisco IOS Release 12.2(13)T.

12.2(14)S

This command was integrated into Cisco IOS Release 12.2(14)S.

12.2(28)SB

This command was integrated into Cisco IOS Release 12.2(28)SB.

12.2(25)SG

This command was integrated into Cisco IOS Release 12.2(25)SG.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2(33)SXH

This command was integrated into Cisco IOS Release 12.2(33)SXH.


Usage Guidelines

When the name argument is specified, only routes for that process are deleted from the IPv6 RIP routing table and, if installed, from the IPv6 routing table. If no name argument is specified, all IPv6 RIP routes are deleted.

Use the show ipv6 rip command to display IPv6 RIP routes.

Examples

The following example deletes all the IPv6 routes for the RIP process called one:

Router# clear ipv6 rip one

Related Commands

Command
Description

show ipv6 rip

Displays the current contents of the IPv6 RIP routing table.


clear ipv6 route

To delete routes from the IPv6 routing table, use the clear ipv6 route command in privileged EXEC mode.

clear ipv6 route {ipv6-address | ipv6-prefix/prefix-length | *}

Syntax Description

ipv6-address

The address of the IPv6 network to delete from the table.

This argument must be in the form documented in RFC 2373 where the address is specified in hexadecimal using 16-bit values between colons.

ipv6-prefix

The IPv6 network number to delete from the table.

This argument must be in the form documented in RFC 2373 where the address is specified in hexadecimal using 16-bit values between colons.

/prefix-length

The length of the IPv6 prefix. A decimal value that indicates how many of the high-order contiguous bits of the address comprise the prefix (the network portion of the address). A slash mark must precede the decimal value.

*

Clears all IPv6 routes.


Command Modes

Privileged EXEC

Command History

Release
Modification

12.2(2)T

This command was introduced.

12.0(21)ST

This command was integrated into Cisco IOS Release 12.0(21)ST.

12.0(22)S

This command was integrated into Cisco IOS Release 12.0(22)S.

12.2(14)S

This command was integrated into Cisco IOS Release 12.2(14)S.

12.2(28)SB

This command was integrated into Cisco IOS Release 12.2(28)SB.

12.2(25)SG

This command was integrated into Cisco IOS Release 12.2(25)SG.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2(33)SXH

This command was integrated into Cisco IOS Release 12.2(33)SXH.


Usage Guidelines

The clear ipv6 route command is similar to the clear ip route command, except that it is IPv6-specific.

When the ipv6-address or ipv6-prefix/prefix-length argument is specified, only that route is deleted from the IPv6 routing table. When the * keyword is specified, all routes are deleted from the routing table (the per-destination maximum transmission unit [MTU] cache is also cleared).

Examples

The following example deletes the IPv6 network 2001:0DB8::/35:

Router# clear ipv6 route 2001:0DB8::/35

Related Commands

Command
Description

ipv6 route

Establishes static IPv6 routes.

show ipv6 route

Displays the current contents of the IPv6 routing table.


clear ipv6 traffic

To reset IPv6 traffic counters, use the clear ipv6 traffic command in privileged EXEC mode.

clear ipv6 traffic [interface-type interface-number]

Syntax Description

interface-type interface-number

Interface type and number. For more information, use the question mark (?) online help function.


Command Modes

Privileged EXEC

Command History

Release
Modification

12.2(2)T

This command was introduced.

12.0(21)ST

This command was integrated into Cisco IOS Release 12.0(21)ST.

12.0(22)S

This command was integrated into Cisco IOS Release 12.0(22)S and output fields were added.

12.2(13)T

The modification to add output fields was integrated into this release.

12.2(14)S

This command was integrated into Cisco IOS Release 12.2(14)S.

12.2(28)SB

This command was integrated into Cisco IOS Release 12.2(28)SB.

12.2(25)SG

This command was integrated into Cisco IOS Release 12.2(25)SG.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2(33)SXH

This command was integrated into Cisco IOS Release 12.2(33)SXH.

12.2(33)XN

The optional interface-type and interface-number arguments were added.


Usage Guidelines

Using this command resets the counters in the output from the show ipv6 traffic command.

Examples

The following example resets the IPv6 traffic counters. The output from the show ipv6 traffic command shows that the counters are reset:

Router# clear ipv6 traffic

Router# show ipv6 traffic

IPv6 statistics:
  Rcvd:  1 total, 1 local destination
         0 source-routed, 0 truncated
         0 format errors, 0 hop count exceeded
         0 bad header, 0 unknown option, 0 bad source
         0 unknown protocol, 0 not a router
         0 fragments, 0 total reassembled
         0 reassembly timeouts, 0 reassembly failures
  Sent:  1 generated, 0 forwarded
         0 fragmented into 0 fragments, 0 failed
         0 encapsulation failed, 0 no route, 0 too big
  Mcast: 0 received, 0 sent

ICMP statistics:
  Rcvd: 1 input, 0 checksum errors, 0 too short
        0 unknown info type, 0 unknown error type
        unreach: 0 routing, 0 admin, 0 neighbor, 0 address, 0 port
        parameter: 0 error, 0 header, 0 option
        0 hopcount expired, 0 reassembly timeout,0 too big
        0 echo request, 0 echo reply
        0 group query, 0 group report, 0 group reduce
        0 router solicit, 0 router advert, 0 redirects
        0 neighbor solicit, 1 neighbor advert
Sent: 1 output
        unreach: 0 routing, 0 admin, 0 neighbor, 0 address, 0 port
        parameter: 0 error, 0 header, 0 option
        0 hopcount expired, 0 reassembly timeout,0 too big
        0 echo request, 0 echo reply
        0 group query, 0 group report, 0 group reduce
        0 router solicit, 0 router advert, 0 redirects
        0 neighbor solicit, 1 neighbor advert

UDP statistics:
  Rcvd: 0 input, 0 checksum errors, 0 length errors
        0 no port, 0 dropped
  Sent: 0 output

TCP statistics:
  Rcvd: 0 input, 0 checksum errors
  Sent: 0 output, 0 retransmitted

Related Commands

Command
Description

show ipv6 traffic

Displays IPv6 traffic statistics.


clear mls cef ipv6 accounting per-prefix

To clear information about the IPv6 per-prefix accounting statistics, use the clear mls cef ipv6 accounting per-prefix command in privileged EXEC mode.

clear mls cef ipv6 accounting per-prefix {all | ipv6-address/mask [instance]}

Syntax Description

all

Clears all per-prefix accounting statistics information.

ipv6-address/mask

Entry IPv6 address and mask. The format used is X:X:X:X::X/mask, where the valid values for mask are from 0 to 128.

instance

(Optional) VPN routing and forwarding instance name.


Command Default

This command has no default settings.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.2(17a)SX

This command was introduced on the Supervisor Engine 720.

12.2(17d)SXB

Support for this command on the Supervisor Engine 2 was extended to Release 12.2(17d)SXB.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.


Usage Guidelines

When entering the ipv6-address/mask arguments, use this format, X:X:X:X::X/mask, where the valid values for mask are from 0 to 128.

Examples

This example shows how to clear all information about the per-prefix accounting statistics:

Router# clear mls cef ipv6 accounting per-prefix all

codec(DSP farm profile)

To specify the codecs that are supported by a digital signal processor (DSP) farm profile, use the codec command in DSP farm profile configuration mode. To remove the codec, use the no form of this command.

codec {codec-type | pass-through}

no codec {codec-type | pass-through}

Syntax Description

codec-type

Specifies the codec preferred.

g711alaw—G.711 a-law 64,000 bits per second (bps).

g711ulaw—G.711 mu-law 64,000 bps.

g722r-64G.722-64 at 64,000 bps

g729abr8—G.729 ANNEX A and B 8000 bps.

g729ar8—G.729 ANNEX A and R 8000 bps.

g729br8—G.729 ANNEX B 8000 bps.

g729r8—G.729 8000 bps.

pass-through

Enables codec pass-through. Supported for transcoding and MTP profiles.


Command Default

Transcoding

g711alaw

g711ulaw

g729abr8

g729ar8

Conferencing

g711alaw

g711ulaw

g729abr8

g729ar8

g729br8

g729r8

MTP

g711ulaw

Command Modes

DSP farm profile configuration (config-dspfarm-profile)

Command History

Release
Modification

12.3(8)T

This command was introduced.

12.4(4)T

The pass-through keyword was added.

12.4(11)XJ2

The gsmefr and gsmfr keywords were removed as configurable codec options for all platforms.

12.4(15)T

This command was integrated into Cisco IOS Release 12.4(15)T.

12.4(15)XY

The g722r-64 keyword was added.

12.4(20)T

This command was integrated into Cisco IOS Release 12.4(20)T.

12.4(22)T

Support for IPv6 was added.


Usage Guidelines

Only one codec is supported for each media termination point (MTP) profile. To support multiple codecs, you must define a separate MTP profile for each codec.

Table 9 shows the relationship between DSP farm functions and codecs.

Table 9 DSP Farm Functions and Codec Relationships

DSP Farm Function
Supported Codec

Transcoding

g711alaw

g711ulaw

g729abr8

g729ar8

Conferencing

g711alaw

g711ulaw

g729abr8

g729ar8

g729br8

g729r8

MTP

g711ulaw


Hardware MTPs support only G.711 a-law and G.711 mu-law. If you configure a profile as a hardware MTP and you want to change the codec to other than G.711, you must first remove the hardware MTP by using the no maximum sessions hardware command.

The pass-through keyword is supported for transcoding and MTP profiles only; the keyword is not supported for conferencing profiles. To support the Resource Reservation Protocol (RSVP) agent on a Skinny Client Control Protocol (SCCP) device, you must use the codec pass-through command. In the pass-through mode, the SCCP device processes the media stream by using a pure software MTP, regardless of the nature of the stream. This enables video and data streams to be processed in addition to audio. When the pass-through mode is set in a transcoding profile, no transcoding is done for the session; the transcoding device performs a pure software MTP function. The pass-through mode can be used for secure RTP sessions.

Examples

The following example shows the call density and codec complexity set to g729abr8:

Router(config)# dspfarm profile 123 transcode
Router(config-dspfarm-profile)# codec g729abr8

Related Commands

Command
Description

associate application

Associates the SCCP protocol to the DSP farm profile.

dspfarm profile

Enters DSP farm profile configuration mode and defines a profile for DSP farm services.

maximum sessions (DSP Farm profile)

Specifies the maximum number of sessions that are supported by the profile.

rsvp

Enables RSVP support on a transcoding or MTP device.

shutdown (DSP Farm profile)

Disables a DSP farm profile.


context

To associate a Simple Network Management Protocol (SNMP) context with a particular virtual private network (VPN) routing and forwarding (VRF) instance, use the context command in VRF configuration mode. To disassociate an SNMP context from a VPN, use the no form of this command.

context context-name

no context context-name

Syntax Description

context-name

Name of the SNMP VPN context, up to 32 characters.


Command Default

No SNMP contexts are associated with VPNs.

Command Modes

VRF configuration

Command History

Release
Modification

12.0(23)S

This command was introduced.

12.3(2)T

This command was integrated into Cisco IOS Release 12.3(2)T.

12.2(25)S

This command was integrated into Cisco IOS Release 12.2(25)S.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2(31)SB2

This command was integrated into Cisco IOS Release 12.2(31)SB2.

12.2(33)SRB

Support for IPv6 was added.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.

12.2(33)SB

This command was integrated into Cisco IOS Release 12.2(33)SB.


Usage Guidelines

Before you use this command to associate an SNMP context with a VPN, you must do the following:

Issue the snmp-server context command to create an SNMP context

Associate a VPN with a context so that the specific MIB data for that VPN exists in that context.

Associate a VPN group with the context of the VPN using the snmp-server group command with the context context-name keyword and argument.

SNMP contexts provide VPN users with a secure way of accessing MIB data. When a VPN is associated with a context, MIB data for that VPN exists in that context. Associating a VPN with a context helps enable service providers to manage networks with multiple VPNs. Creating and associating a context with a VPN enables a provider to prevent the users of one VPN from accessing information about users of other VPNs on the same networking device.

A route distinguisher (RD) is required when you configure an SNMP context. An RD creates routing and forwarding tables and specifies the default route distinguisher for a VPN. The RD is added to the beginning of a IPv4 prefix to make it globally unique. An RD is either ASN relative, which means it is composed of an autonomous system number and an arbitrary number, or it is IP address relative and composed of an IP address and an arbitrary number.

Examples

The following example shows how to create an SNMP context named context1 and associate the context with the VRF named vrf1:

Router(config)# snmp-server context1
Router(config)# ip vrf vrf1
Router(config-vrf)# rd 100:120
Router(config-vrf)# context context1

Related Commands

Command
Description

ip vrf

Enters VRF configuration mode for the configuration of a VRF.

snmp mib community-map

Associates an SNMP community with an SNMP context, engine ID, or security name.

snmp mib target list

Creates a list of target VRFs and hosts to associate with an SNMP v1 or v2c community.

snmp-server context

Creates an SNMP context.

snmp-server group

Configures a new SNMP group, or a table that maps SNMP users to SNMP views.

snmp-server trap authentication vrf

Controls VRF-specific SNMP authentication failure notifications.

snmp-server user

Configures a new user to an SNMP group.


copy

To copy any file from a source to a destination, use the copy command in privileged EXEC or diagnostic mode.

copy [/erase] [/verify | /noverify] source-url destination-url

Syntax Description

/erase

(Optional) Erases the destination file system before copying.

Note This option is typically provided on platforms with limited memory to allow for an easy way to clear local flash memory space.

/verify

(Optional) Verifies the digital signature of the destination file. If verification fails, the file is deleted from the destination file system. This option applies to Cisco IOS software image files only.

/noverify

(Optional) If the file being copied is an image file, this keyword disables the automatic image verification that occurs after an image is copied.

Note This keyword is often issued if the file verify auto command is enabled, which automatically verifies the digital signature of all images that are copied.

source-url

The location URL (or alias) of the source file or directory to be copied. The source can be either local or remote, depending upon whether the file is being downloaded or uploaded.

destination-url

The destination URL (or alias) of the copied file or directory. The destination can be either local or remote, depending upon whether the file is being downloaded or uploaded.


The exact format of the source and destination URLs varies according to the file or directory location. You may enter either an alias keyword for a particular file or a filename that follows the standard Cisco IOS file system syntax (filesystem:[/filepath][/filename]).

Table 10 shows two keyword shortcuts to URLs.

Table 10 Common Keyword Aliases to URLs

Keyword
Source or Destination

running-config

(Optional) Keyword alias for the system:running-config URL.
The system:running-config keyword represents the current running configuration file. This keyword does not work in more and show file EXEC command syntaxes.

startup-config

(Optional) Keyword alias for the nvram:startup-config URL.
The nvram:startup-config keyword represents the configuration file used during initialization (startup). This file is contained in NVRAM for all platforms except the Cisco 7000 family, which uses the CONFIG_FILE environment variable to specify the startup configuration. The Cisco 4500 series cannot use the copy running-config startup-config command. This keyword does not work in more and show file EXEC command syntaxes.


The following tables list URL prefix keywords by file system type. The available file systems will vary by platform. If you do not specify a URL prefix keyword, the router looks for a file in the current directory.

Table 11 lists URL prefix keywords for Special (opaque) file systems. Table 12 lists them for remote file systems, and Table 13 lists them for local writable storage.

Table 11 URL Prefix Keywords for Special File Systems 

Keyword
Source or Destination

cns:

Source URL for Cisco Networking Services files.

flh:

Source URL for flash load helper log files.

logging

Source URL which copies messages from the logging buffer to a file.

modem:

Destination URL for loading modem firmware on to supported networking devices.

null:

Null destination for copies or files. You can copy a remote file to null to determine its size.

nvram:

Router NVRAM. You can copy the startup configuration to NVRAM or from NVRAM.

obfl:

Source or destination URL for Onboard Failure Logging files.

stby-nvram:

Router NVRAM on the standby hardware. You can copy the startup configuration to NVRAM or from NVRAM.

stby-obfl:

Source or destination URL for Onboard Failure Logging files on the standby hardware.

system:

Source or destination URL for system memory, which includes the running configuration.

tar:

Source URL for the archive file system.

tmpsys:

Source or destination URL for the temporary system files.

xmodem:

Source or destination for a file from a network machine that uses the Xmodem protocol.

ymodem:

Source or destination for a file from a network machine that uses the Ymodem protocol.


Table 12 URL Prefix Keywords for Remote File Systems

Keyword
Source or Destination

ftp:

Source or destination URL for FTP network server. The syntax for this alias is as follows:
ftp:[[[//username [:password]@]location]/directory]/filename.

http://

Source or destination URL for an HTTP server (also called a web server). The syntax for this alias is as follows:
http://[[username:password]@]{hostname | host-ip}[/filepath]/filename

https://

Source or destination URL for a Secure HTTP (HTTPS) server. HTTPS uses Secure Socket Layer (SSL) encryption. The syntax for this alias is as follows:
https://[[username:password]@]{hostname | host-ip}[/filepath]/filename

rcp:

Source or destination URL for a remote copy protocol (rcp) network server. The syntax for this alias is as follows:
rcp:[[[//username@]location]/directory]/filename

scp:

Source or destination URL for a network server that supports Secure Shell (SSH) and accepts copies of files using the secure copy protocol (scp). The syntax for this alias is as follows:
scp://username@location[/directory][/filename]

tftp:

Source or destination URL for a TFTP network server. The syntax for this alias is as follows:
tftp:[[//location]/directory]/filename.


Table 13 URL Prefix Keywords for Local Writable Storage File Systems 

Alias
Source or Destination

bootflash:

Source or destination URL for boot flash memory.

disk0: and disk1:

Source or destination URL of disk-based media.

flash:

Source or destination URL for flash memory. This alias is available on all platforms. For platforms that lack a flash: device, note that flash: is aliased to slot0:, allowing you to refer to the main flash memory storage area on all platforms.

harddisk:

Source or destination URL of the active harddisk file system.

slavebootflash:

Source or destination URL for internal flash memory on the slave RSP card of a router configured for HSA.

slaveram:

NVRAM on a slave RSP card of a router configured for HSA.

slaveslot0:

Source or destination URL of the first Personal Computer Memory Card International Association (PCMCIA) card on a slave RSP card of a router configured for HSA.

slaveslot1:

Source or destination URL of the second PCMCIA slot on a slave RSP card of a router configured for HSA.

slot0:

Source or destination URL of the first PCMCIA flash memory card.

slot1:

Source or destination URL of the second PCMCIA flash memory card.

stby-bootflash:

Source or destination URL for boot flash memory in standby RP.

stby-harddisk:

Source or destination URL for the standby harddisk.

stby-usb[0-1]:

Source or destination URL for the Universal Serial Bus (USB) flash drive that has been plugged into the router and is located on the standby RP.

usb[0-1]:

Source or destination URL for the Universal Serial Bus (USB) flash drive that has been plugged into the router and is located on the active RP.

usbflash[0-9]:

Source or destination URL for the Universal Serial Bus (USB) flash drive that has been plugged into the router.

usbtoken[0-9]:

Source or destination URL for the USB eToken that has been plugged into the router.


Command Modes

Privileged EXEC (#)

Diagnostic (diag)

Command History

Release
Modification

11.3T

This command was introduced.

12.3(2)T

The http:// and https:// keywords were added as supported remote source locations (file system URL prefixes) for files.

This command was enhanced to support copying files to servers that support SSH and the scp.

12.2(14)S

This command was integrated into Cisco IOS Release 12.2(14)S.

12.2(18)S

The /verify and /noverify keywords were added.

12.0(26)S

The /verify and /noverify keywords were integrated into Cisco IOS Release 12.0(26)S.

12.3(4)T

The /verify and /noverify keywords were integrated into Cisco IOS Release 12.3(4)T.

12.3(7)T

The http:// and https:// keywords were enhanced to support file uploads.

12.3(14)T

The usbflash[0-9]: and usbtoken[0-9]: keywords were added to support USB storage.

12.2(28)SB

This command was integrated into Cisco IOS Release 12.2(28)SB.

12.2(25)SG

This command was integrated into Cisco IOS Release 12.2(25)SG.

12.4(11)T

This command was integrated into the Cisco 7200VXR NPE-G2 platform.

12.2(33)SXH

This command was integrated into Cisco IOS Release 12.2(33)SXH.

Cisco IOS XE Release 2.1

The Cisco ASR1000 series routers became available, and introduced the copy command in diagnostic mode.


Usage Guidelines

The fundamental function of the copy command is to allow you to copy a file (such as a system image or configuration file) from one location to another location. The source and destination for the file is specified using a Cisco IOS File System URL, which allows you to specify any supported local or remote file location. The file system being used (such as a local memory source, or a remote server) dictates the syntax used in the command.

You can enter on the command line all necessary source- and destination-URL information and the username and password to use, or you can enter the copy command and have the router prompt you for any missing information.

For local file systems, two commonly used aliases exist for the system:running-config and nvram:startup-config files; these aliases are running-config and startup-config, respectively.


Timesaver Aliases are used to reduce the amount of typing you need to perform. For example, it is easier to type copy run start (the abbreviated form of the copy running-config startup-config command) than it is to type copy system:r nvram:s (the abbreviated form of the copy system:running-config nvram:startup-config command). These aliases also allow you to continue using some of the common commands used in previous versions of Cisco IOS software.


The entire copying process may take several minutes and differs from protocol to protocol and from network to network.

The colon is required after the file system URL prefix keywords (such as flash). In some cases, file system prefixes that did not require colons in earlier software releases are allowed for backwards compatibility, but use of the colon is recommended.

In the URL syntax for ftp:, http:, https:, rcp:, scp: and tftp:, the location is either an IP address or a host name. The filename is specified relative to the directory used for file transfers.

The following sections contain usage guidelines for the following topics:

Understanding Invalid Combinations of Source and Destination

Understanding Character Descriptions

Understanding Partitions

Using rcp

Using FTP

Using HTTP or HTTPS

Storing Images on Servers

Copying from a Server to Flash Memory

Verifying Images

Copying a Configuration File from a Server to the Running Configuration

Copying a Configuration File from a Server to the Startup Configuration

Storing the Running or Startup Configuration on a Server

Saving the Running Configuration to the Startup Configuration

Using CONFIG_FILE, BOOT, and BOOTLDR Environment Variables

Using the Copy Command with the Dual RSP Feature

Using the copy command with the ASR1000 Series Routers

Understanding Invalid Combinations of Source and Destination

Some invalid combinations of source and destination exist. Specifically, you cannot copy:

From a running configuration to a running configuration

From a startup configuration to a startup configuration

From a device to the same device (for example, the copy flash: flash: command is invalid)

Understanding Character Descriptions

Table 14 describes the characters that you may see during processing of the copy command.

Table 14 copy Character Descriptions

Character
Description

!

For network transfers, an exclamation point indicates that the copy process is taking place. Each exclamation point indicates the successful transfer of ten packets (512 bytes each).

.

For network transfers, a period indicates that the copy process timed out. Many periods in a row typically mean that the copy process may fail.

O

For network transfers, an uppercase O indicates that a packet was received out of order and the copy process may fail.

e

For flash erasures, a lowercase e indicates that a device is being erased.

E

An uppercase E indicates an error. The copy process may fail.

V

A series of uppercase Vs indicates the progress during the verification of the image checksum.


Understanding Partitions

You cannot copy an image or configuration file to a flash partition from which you are currently running. For example, if partition 1 is running the current system image, copy the configuration file or image to partition 2. Otherwise, the copy operation will fail.

You can identify the available flash partitions by entering the show file system EXEC command.

Using rcp

The rcp requires a client to send a remote username upon each rcp request to a server. When you copy a configuration file or image between the router and a server using rcp, the Cisco IOS software sends the first valid username it encounters in the following sequence:

1. The remote username specified in the copy command, if a username is specified.

2. The username set by the ip rcmd remote-username global configuration command, if the command is configured.

3. The remote username associated with the current tty (terminal) process. For example, if the user is connected to the router through Telnet and was authenticated through the username command, the router software sends the Telnet username as the remote username.

4. The router host name.

For the rcp copy request to process, an account must be defined on the network server for the remote username. If the network administrator of the destination server did not establish an account for the remote username, this command will not run. If the server has a directory structure, the configuration file or image is written to or copied from the directory associated with the remote username on the server. For example, if the system image resides in the home directory of a user on the server, specify that username as the remote username.

If you are writing to the server, the rcp server must be properly configured to accept the rcp write request from the user on the router. For UNIX systems, add an entry to the .rhosts file for the remote user on the rcp server. Suppose the router contains the following configuration lines:

hostname Rtr1
ip rcmd remote-username User0

If the router IP address translates to Router1.company.com, then the .rhosts file for User0 on the rcp server should contain the following line:

Router1.company.com Rtr1

Refer to the documentation for your rcp server for more details.

If you are using a personal computer as a file server, the computer must support the remote shell protocol (rsh).

Using FTP

The FTP protocol requires a client to send a username and password with each FTP request to a remote FTP server. Use the ip ftp username and ip ftp password global configuration commands to specify a default username and password for all copy operations to or from an FTP server. Include the username in the copy command syntax if you want to specify a username for that copy operation only.

When you copy a file from the router to a server using FTP, the Cisco IOS software sends the first valid username that it encounters in the following sequence:

1. The username specified in the copy command, if a username is specified.

2. The username set by the ip ftp username command, if the command is configured.

3. Anonymous.

The router sends the first valid password in the following list:

1. The password specified in the copy command, if a password is specified.

2. The password set by the ip ftp password command, if the command is configured.

3. The router forms a password username@routername.domain. The variable username is the username associated with the current session, routername is the configured host name, and domain is the domain of the router.

The username and password must be associated with an account on the FTP server. If you are writing to the server, the FTP server must be properly configured to accept the FTP write request from the user on the router.


Note The Syslog message will display 'xxxx' in place of the password entered in the syntax of the copy {ftp:} command.


If the server has a directory structure, the configuration file or image is written to or copied from the directory associated with the username on the server. For example, if the system image resides in the home directory of a user on the server, specify that username as the remote username.

Refer to the documentation for your FTP server for details on setting up the server.

Using HTTP or HTTPS

Copying a file to or from a remote HTTP or HTTPS server, to or from a local file system, is performed using the embedded Secure HTTP client that is integrated in Cisco IOS software. The HTTP client is enabled by default.

Downloading files from a remote HTTP or HTTPS server is performed using the HTTP client integrated in Cisco IOS software.

If a username and password are not specified in the copy command syntax, the system uses the default HTTP client username and password, if configured.

When you copy a file from a remote HTTP or HTTPS server, the Cisco IOS software sends the first valid username that it encounters in the following sequence:

1. The username specified in the copy command, if a username is specified.

2. The username set by the ip http client username command, if the command is configured.

3. Anonymous.

The router sends the first valid password in the following list:

1. The password specified in the copy command, if a password is specified.

2. The password set by the ip http client password command, if the command is configured.

3. The router forms the password username@routername.domain. The variable username is the username associated with the current session, routername is the configured host name, and domain is the domain of the router.

Storing Images on Servers

Use the copy flash: destination-url command (for example, copy flash: tftp:) to copy a system image or boot image from flash memory to a network server. You can use the copy of the image as a backup copy. Also, you can also use the image backup file to verify that the image in flash memory is the same as that in the original file.

Copying from a Server to Flash Memory

Use the copy destination-url flash: command (for example, copy tftp: flash:) to copy an image from a server to flash memory.

On Class B file system platforms, the system provides an option to erase existing flash memory before writing onto it.


Note Verify the image in flash memory before booting the image.


Verifying Images

When copying a new image to your router, you should confirm that the image was not corrupted during the copy process. You can verify the integrity of the image in any of the following ways:

Depending on the destination file system type, a checksum for the image file may be displayed when the copy command completes. You can verify this checksum by comparing it to the checksum value provided for your image file on Cisco.com.


Caution If the checksum values do not match, do not reboot the router. Instead, reissue the copy command and compare the checksums again. If the checksum is repeatedly wrong, copy the original image back into flash memory before you reboot the router from flash memory. If you have a corrupted image in flash memory and try to boot from flash memory, the router will start the system image contained in ROM (assuming booting from a network server is not configured). If ROM does not contain a fully functional system image, the router might not function and will need to be reconfigured through a direct console port connection.

Use the /verify keyword.

Enable automatic image verification by default by issuing the file verify auto command. This command will automatically check the integrity of each file that is copied via the copy command (without specifying the /verify option) to the router unless the /noverify keyword is specified.

Use the UNIX 'diff' command. This method can also be applied to file types other than Cisco IOS images. If you suspect that a file is corrupted, copy the suspect file and the original file to a UNIX server. (The file names may need to be modified if you try to save the files in the same directory.) Then run the UNIX 'diff' command on the two files. If there is no difference, then the file has not been corrupted.

Copying a Configuration File from a Server to the Running Configuration

Use the copy {ftp: | rcp: | scp: | tftp:} running-config command to load a configuration file from a network server to the running configuration of the router. (Note that running-config is the alias for the system:running-config keyword.) The configuration will be added to the running configuration as if the commands were typed in the command-line interface (CLI). Thus, the resulting configuration file will be a combination of the previous running configuration and the loaded configuration file, with the loaded configuration file having precedence.

You can copy either a host configuration file or a network configuration file. Accept the default value of host to copy and load a host configuration file containing commands that apply to one network server in particular. Enter network to copy and load a network configuration file containing commands that apply to all network servers on a network.

Copying a Configuration File from a Server to the Startup Configuration

Use the copy {ftp: | rcp: | scp: | tftp:} nvram:startup-config command to copy a configuration file from a network server to the router startup configuration. These commands replace the startup configuration file with the copied configuration file.

Storing the Running or Startup Configuration on a Server

Use the copy system:running-config {ftp: | rcp: | scp: | tftp:} command to copy the current configuration file to a network server using FTP, rcp, scp, or TFTP. Use the copy nvram:startup-config {ftp: | rcp: | scp: | tftp:} command to copy the startup configuration file to a network server.

The configuration file copy can serve as a backup copy.

Saving the Running Configuration to the Startup Configuration

Use the copy system:running-config nvram:startup-config command to copy the running configuration to the startup configuration.


Note Some specific commands might not get saved to NVRAM. You will need to enter these commands again if you reboot the machine. These commands are noted in the documentation. We recommend that you keep a listing of these settings so you can quickly reconfigure your router after rebooting.


If you issue the copy system:running-config nvram:startup-config command from a bootstrap system image, a warning will instruct you to indicate whether you want your previous NVRAM configuration to be overwritten and configuration commands to be lost. This warning does not appear if NVRAM contains an invalid configuration or if the previous configuration in NVRAM was generated by a bootstrap system image.

On all platforms except Class A file system platforms, the copy system:running-config nvram:startup-config command copies the currently running configuration to NVRAM.

On the Class A flash file system platforms, the copy system:running-config nvram:startup-config command copies the currently running configuration to the location specified by the CONFIG_FILE environment variable. This variable specifies the device and configuration file used for initialization. When the CONFIG_FILE environment variable points to NVRAM or when this variable does not exist (such as at first-time startup), the software writes the current configuration to NVRAM. If the current configuration is too large for NVRAM, the software displays a message and stops executing the command.

When the CONFIG_FILE environment variable specifies a valid device other than nvram: (that is, flash:, bootflash:, slot0:, or slot1:), the software writes the current configuration to the specified device and filename, and stores a distilled version of the configuration in NVRAM. A distilled version is one that does not contain access list information. If NVRAM already contains a copy of a complete configuration, the router prompts you to confirm the copy.

Using CONFIG_FILE, BOOT, and BOOTLDR Environment Variables

For the Class A flash file system platforms, specifications are as follows:

The CONFIG_FILE environment variable specifies the configuration file used during router initialization.

The BOOT environment variable specifies a list of bootable images on various devices.

The BOOTLDR environment variable specifies the flash device and filename containing the rxboot image that ROM uses for booting.

Cisco 3600 routers do not use a dedicated boot helper image (rxboot), which many other routers use to help with the boot process. Instead, the BOOTLDR ROM monitor environment variable identifies the flash memory device and filename that are used as the boot helper; the default is the first system image in flash memory.

To view the contents of environment variables, use the show bootvar EXEC command. To modify the CONFIG_FILE environment variable, use the boot config global configuration command. To modify the BOOTLDR environment variable, use the boot bootldr global configuration command. To modify the BOOT environment variable, use the boot system global configuration command. To save your modifications, use the copy system:running-config nvram:startup-config command.

When the destination of a copy command is specified by the CONFIG_FILE or BOOTLDR environment variable, the router prompts you for confirmation before proceeding with the copy. When the destination is the only valid image in the BOOT environment variable, the router also prompts you for confirmation before proceeding with the copy.

Using the Copy Command with the Dual RSP Feature

The Dual RSP feature allows you to install two Route Switch Processor (RSP) cards in a single router on the Cisco 7507 and Cisco 7513 platforms.

On a Cisco 7507 or Cisco 7513 router configured for Dual RSPs, if you copy a file to nvram:startup-configuration with automatic synchronization disabled, the system prompts whether you also want to copy the file to the slave startup configuration. The default answer is yes. If automatic synchronization is enabled, the system automatically copies the file to the slave startup configuration each time you use a copy command with nvram:startup-configuration as the destination.

Using the copy command with the ASR1000 Series Routers

The copy command is available in both privileged EXEC and diagnostic mode on the Cisco ASR1000 series routers. Because the copy command is available in diagnostic mode, it can be used to copy all types of files between directories and remote locations even in the event of an IOS failure.

Examples

The following examples illustrate uses of the copy command:

Verifying the Integrity of the Image Before It Is Copied Example

Copying an Image from a Server to Flash Memory Examples

Saving a Copy of an Image on a Server Examples

Copying a Configuration File from a Server to the Running Configuration Example

Copying a Configuration File from a Server to the Startup Configuration Example

Copying the Running Configuration to a Server Example

Copying the Startup Configuration to a Server Example

Saving the Current Running Configuration Example

Moving Configuration Files to Other Locations Examples

Copying a File from a Remote Web Server Examples

Copying an Image from the Master RSP Card to the Slave RSP Card Example

Verifying the Integrity of the Image Before It Is Copied Example

The following example shows how to specify image verification before copying an image:

Router# copy /verify tftp://10.1.1.1/cisco/c7200-js-mz disk0:

Destination filename [c7200-js-mz]? 
Accessing tftp://10.1.1.1/cisco/c7200-js-mz...
Loading cisco/c7200-js-mz from 10.1.1.1 (via FastEthernet0/0):!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
[OK - 19879944 bytes]

19879944 bytes copied in 108.632 secs (183003 bytes/sec)
Verifying file integrity of disk0:/c7200-js-mz  
.........................................................................................
..........................................................................................
..........................................................................................
......................Done!
Embedded Hash 		MD5 :CFA258948C4ECE52085DCF428A426DCD
Computed Hash    			MD5 :CFA258948C4ECE52085DCF428A426DCD
CCO Hash            			MD5 :44A7B9BDDD9638128C35528466318183

Signature Verified

Copying an Image from a Server to Flash Memory Examples

The following examples use a copy rcp:, copy tftp:, or copy ftp: command to copy an image file from a server to flash memory:

Copying an Image from a Server to Flash Memory Example

Copying an Image from a Server to a Flash Memory Using Flash Load Helper Example

Copying an Image from a Server to a Flash Memory Card Partition Example

Copying an Image from a Server to Flash Memory Example

The following example copies a system image named file1 from the remote rcp server with an IP address of 172.16.101.101 to flash memory. On Class B file system platforms, the Cisco IOS software allows you to first erase the contents of flash memory to ensure that enough flash memory is available to accommodate the system image.

Router# copy rcp://netadmin@172.16.101.101/file1 flash:file1 

Destination file name [file1]?
Accessing file 'file1' on 172.16.101.101...
Loading file1 from 172.16.101.101 (via Ethernet0): ! [OK]

Erase flash device before writing? [confirm]
Flash contains files. Are you sure you want to erase? [confirm]

Copy 'file1' from server
  as 'file1' into Flash WITH erase? [yes/no] yes
Erasing device... eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee...erased
Loading file1 from 172.16.101.101 (via Ethernet0): !
[OK - 984/8388608 bytes]

Verifying checksum... OK (0x14B3)
Flash copy took 0:00:01 [hh:mm:ss]

Copying an Image from a Server to a Flash Memory Using Flash Load Helper Example

The following example copies a system image into a partition of flash memory. The system will prompt for a partition number only if there are two or more read/write partitions or one read-only and one read/write partition and dual flash bank support in boot ROMs. If the partition entered is not valid, the process terminates. You can enter a partition number, a question mark (?) for a directory display of all partitions, or a question mark and a number (?number) for directory display of a particular partition. The default is the first read/write partition. In this case, the partition is read-only and has dual flash bank support in boot ROM, so the system uses flash Load Helper.

Router# copy tftp: flash: 

System flash partition information:
Partition   Size     Used    Free    Bank-Size   State       Copy-Mode
    1       4096K    2048K   2048K   2048K       Read Only   RXBOOT-FLH
    2       4096K    2048K   2048K   2048K       Read/Write  Direct

[Type ?<no> for partition directory; ? for full directory; q to abort]
Which partition? [default = 2]

                               **** NOTICE ****
Flash load helper v1.0
This process will accept the copy options and then terminate
the current system image to use the ROM based image for the copy.
Routing functionality will not be available during that time.
If you are logged in via telnet, this connection will terminate.
Users with console access can see the results of the copy operation.
                               ---- ******** ----
Proceed? [confirm]
System flash directory, partition 1:
File  Length   Name/status
  1   3459720  master/igs-bfpx.100-4.3
[3459784 bytes used, 734520 available, 4194304 total]
Address or name of remote host [255.255.255.255]? 172.16.1.1 
Source file name? master/igs-bfpx-100.4.3 
Destination file name [default = source name]?

Loading master/igs-bfpx.100-4.3 from 172.16.1.111: !
Erase flash device before writing? [confirm]
Flash contains files. Are you sure? [confirm]
Copy 'master/igs-bfpx.100-4.3' from TFTP server
as 'master/igs-bfpx.100-4.3' into Flash WITH erase? [yes/no] yes 

Copying an Image from a Server to a Flash Memory Card Partition Example

The following example copies the file c3600-i-mz from the rcp server at IP address 172.23.1.129 to the flash memory card in slot 0 of a Cisco 3600 series router, which has only one partition. As the operation progresses, the Cisco IOS software prompts you to erase the files on the flash memory PC card to accommodate the incoming file. This entire operation takes 18 seconds to perform, as indicated at the end of the example.

Router# copy rcp: slot0:

PCMCIA Slot0 flash

Partition   Size    Used      Free      Bank-Size  State          Copy Mode
  1         4096K   3068K     1027K     4096K      Read/Write     Direct
  2         4096K   1671K     2424K     4096K      Read/Write     Direct
  3         4096K      0K     4095K     4096K      Read/Write     Direct
  4         4096K   3825K      270K     4096K      Read/Write     Direct

[Type ?<no> for partition directory; ? for full directory; q to abort]
Which partition? [default = 1] 

PCMCIA Slot0 flash directory, partition 1:
File  Length   Name/status
  1   3142288  c3600-j-mz.test  
[3142352 bytes used, 1051952 available, 4194304 total]
Address or name of remote host [172.23.1.129]? 
Source file name? /tftpboot/images/c3600-i-mz 
Destination file name [/tftpboot/images/c3600-i-mz]? 
Accessing file '/tftpboot/images/c3600-i-mz' on 172.23.1.129...
Connected to 172.23.1.129
Loading 1711088 byte file c3600-i-mz: ! [OK]

Erase flash device before writing? [confirm]
Flash contains files. Are you sure you want to erase? [confirm]

Copy '/tftpboot/images/c3600-i-mz' from server
  as '/tftpboot/images/c3600-i-mz' into Flash WITH erase? [yes/no] yes 
Erasing device... eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee ...erased
Connected to 172.23.1.129
Loading 1711088 byte file c3600-i-mz: 
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Verifying checksum...  OK (0xF89A)
Flash device copy took 00:00:18 [hh:mm:ss]

Saving a Copy of an Image on a Server Examples

The following examples use copy commands to copy image files to a server for storage:

Copy an Image from Flash Memory to an rcp Server Example

Copy an Image from Flash Memory to an SSH Server Using scp Example

Copy an Image from a Partition of Flash Memory to a Server Example

Copying an Image from a Flash Memory File System to an FTP Server Example

Copying an Image from Boot Flash Memory to a TFTP Server Example

Copy an Image from Flash Memory to an rcp Server Example

The following example copies a system image from flash Memory to an rcp server using the default remote username. Because the rcp server address and filename are not included in the command, the router prompts for it.

Router# copy flash: rcp:

IP address of remote host [255.255.255.255]? 172.16.13.110
Name of file to copy? gsxx
writing gsxx - copy complete

Copy an Image from Flash Memory to an SSH Server Using scp Example

The following example shows how to use scp to copy a system image from flash memory to a server that supports SSH:

Router# copy flash:c4500-ik2s-mz.scp scp://user1@host1/ 

Address or name of remote host [host1]? 
Destination username [user1]? 
Destination filename [c4500-ik2s-mz.scp]? 
Writing c4500-ik2s-mz.scp 
Password: 
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! 

Before you can use the server-side functionality, SSH, authentication, and authorization must be properly configured so the router can determine whether a user is at the right privilege level. The scp server-side functionality is configured with the ip scp server enable command.

Copy an Image from a Partition of Flash Memory to a Server Example

The following example copies an image from a particular partition of flash memory to an rcp server using a remote username of netadmin1.

The system will prompt if there are two or more partitions. If the partition entered is not valid, the process terminates. You have the option to enter a partition number, a question mark (?) for a directory display of all partitions, or a question mark and a number (?number) for a directory display of a particular partition. The default is the first partition.

Router# configure terminal
Router# ip rcmd remote-username netadmin1
Router# end
Router# copy flash: rcp:
System flash partition information:
Partition   Size     Used    Free    Bank-Size   State       Copy-Mode
    1       4096K    2048K   2048K   2048K       Read Only   RXBOOT-FLH
    2       4096K    2048K   2048K   2048K       Read/Write  Direct
[Type ?<number> for partition directory; ? for full directory; q to abort]
Which partition? [1] 2

System flash directory, partition 2:
File  Length   Name/status
  1   3459720  master/igs-bfpx.100-4.3
[3459784 bytes used, 734520 available, 4194304 total]
Address or name of remote host [ABC.CISCO.COM]?
Source file name? master/igs-bfpx.100-4.3
Destination file name [master/igs-bfpx.100-4.3]?
Verifying checksum for 'master/igs-bfpx.100-4.3' (file # 1)... OK
Copy 'master/igs-bfpx.100-4.3' from Flash to server
as 'master/igs-bfpx.100-4.3'? [yes/no] yes
!!!!...
Upload to server done
Flash copy took 0:00:00 [hh:mm:ss]

Copying an Image from a Flash Memory File System to an FTP Server Example

The following example copies the file c3600-i-mz from partition 1 of the flash memory card in slot 0 to an FTP server at IP address 172.23.1.129:

Router# show slot0: partition 1

PCMCIA Slot0 flash directory, partition 1:
File  Length   Name/status
  1   1711088 c3600-i-mz 
[1711152 bytes used, 2483152 available, 4194304 total]

Router# copy slot0:1:c3600-i-mz ftp://myuser:mypass@172.23.1.129/c3600-i-mz

Verifying checksum for '/tftpboot/cisco_rules/c3600-i-mz' (file # 1)...  OK
Copy '/tftpboot/cisco_rules/c3600-i-mz' from Flash to server
  as 'c3700-i-mz'? [yes/no] yes
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Upload to server done
Flash device copy took 00:00:23 [hh:mm:ss]

Copying an Image from Boot Flash Memory to a TFTP Server Example

The following example copies an image from boot flash memory to a TFTP server:

Router# copy bootflash:file1 tftp://192.168.117.23/file1

Verifying checksum for 'file1' (file # 1)... OK
Copy 'file1' from Flash to server
  as 'file1'? [yes/no]y
!!!!...
Upload to server done
Flash copy took 0:00:00 [hh:mm:ss]

Copying a Configuration File from a Server to the Running Configuration Example

The following example copies and runs a configuration filename host1-confg from the netadmin1 directory on the remote server with an IP address of 172.16.101.101:

Router# copy rcp://netadmin1@172.16.101.101/host1-confg system:running-config

Configure using host1-confg from 172.16.101.101? [confirm]
Connected to 172.16.101.101
Loading 1112 byte file host1-confg:![OK]
Router#
%SYS-5-CONFIG: Configured from host1-config by rcp from 172.16.101.101

Copying a Configuration File from a Server to the Startup Configuration Example

The following example copies a configuration file host2-confg from a remote FTP server to the startup configuration. The IP address is172.16.101.101, the remote username is netadmin1, and the remote password is ftppass.

Router# copy ftp://netadmin1:ftppass@172.16.101.101/host2-confg nvram:startup-config 

Configure using rtr2-confg from 172.16.101.101?[confirm]
Connected to 172.16.101.101
Loading 1112 byte file rtr2-confg:![OK]
[OK]
Router#
%SYS-5-CONFIG_NV:Non-volatile store configured from rtr2-config by  
FTP from 172.16.101.101

Copying the Running Configuration to a Server Example

The following example specifies a remote username of netadmin1. Then it copies the running configuration file named rtr2-confg to the netadmin1 directory on the remote host with an IP address of 172.16.101.101.

Router# configure terminal 
Router(config)# ip rcmd remote-username netadmin1 
Router(config)# end 
Router# copy system:running-config rcp: 
Remote host[]? 172.16.101.101 

Name of configuration file to write [Rtr2-confg]?
Write file rtr2-confg on host 172.16.101.101?[confirm]
Building configuration...[OK]
Connected to 172.16.101.101

Copying the Startup Configuration to a Server Example

The following example copies the startup configuration to a TFTP server:

Router# copy nvram:startup-config tftp:

Remote host[]? 172.16.101.101 

Name of configuration file to write [rtr2-confg]? <cr>
Write file rtr2-confg on host 172.16.101.101?[confirm] <cr>
![OK]

Saving the Current Running Configuration Example

The following example copies the running configuration to the startup configuration. On a Class A flash file system platform, this command copies the running configuration to the startup configuration specified by the CONFIG_FILE variable.

copy system:running-config nvram:startup-config

The following example shows the warning that the system provides if you try to save configuration information from bootstrap into the system:

Router(boot)# copy system:running-config nvram:startup-config 

Warning: Attempting to overwrite an NVRAM configuration written
by a full system image. This bootstrap software does not support
the full configuration command set. If you perform this command now,
some configuration commands may be lost.
Overwrite the previous NVRAM configuration?[confirm]

Enter no to escape writing the configuration information to memory.

Moving Configuration Files to Other Locations Examples

On some routers, you can store copies of configuration files on a flash memory device. Five examples follow:

Copying the Startup Configuration to a Flash Memory Device Example

Copying the Running Configuration to a Flash Memory Device Example

Copying to the Running Configuration from a Flash Memory Device Example

Copying to the Startup Configuration from a Flash Memory Device Example

Copying a Configuration File from one Flash Device to Another Example

Copying the Startup Configuration to a Flash Memory Device Example

The following example copies the startup configuration file (specified by the CONFIG_FILE environment variable) to a flash memory card inserted in slot 0:

Router# copy nvram:startup-config slot0:router-confg

Copying the Running Configuration to a Flash Memory Device Example

The following example copies the running configuration from the router to the flash memory PC card in slot 0:

Router# copy system:running-config slot0:berlin-cfg 

Building configuration...
5267 bytes copied in 0.720 secs

Copying to the Running Configuration from a Flash Memory Device Example

The following example copies the file named ios-upgrade-1 from the flash memory card in slot 0 to the running configuration:

Router# copy slot0:4:ios-upgrade-1 system:running-config

Copy 'ios-upgrade-1' from flash device
  as 'running-config' ? [yes/no] yes 

Copying to the Startup Configuration from a Flash Memory Device Example

The following example copies the router-image file from the flash memory to the startup configuration:

Router# copy flash:router-image nvram:startup-config

Copying a Configuration File from one Flash Device to Another Example

The following example copies the file running-config from the first partition in internal flash memory to the flash memory PC card in slot 1. The checksum of the file is verified, and its copying time of 30 seconds is displayed.

Router# copy flash: slot1:

System flash

Partition   Size    Used      Free      Bank-Size  State          Copy Mode
  1         4096K   3070K     1025K     4096K      Read/Write     Direct
  2        16384K   1671K    14712K     8192K      Read/Write     Direct

[Type ?<no> for partition directory; ? for full directory; q to abort]
Which partition? [default = 1] 

System flash directory, partition 1: 
File  Length   Name/status
  1   3142748  dirt/images/mars-test/c3600-j-mz.latest 
  2   850      running-config 
[3143728 bytes used, 1050576 available, 4194304 total]

PCMCIA Slot1 flash directory:
File  Length   Name/status
  1   1711088  dirt/images/c3600-i-mz 
  2   850      running-config 
[1712068 bytes used, 2482236 available, 4194304 total]
Source file name? running-config 
Destination file name [running-config]? 
Verifying checksum for 'running-config' (file # 2)...  OK
Erase flash device before writing? [confirm] 
Flash contains files. Are you sure you want to erase? [confirm] 

Copy 'running-config' from flash: device
  as 'running-config' into slot1: device WITH erase? [yes/no] yes 
Erasing device... eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee ...erased
!
 [OK - 850/4194304 bytes]

Flash device copy took 00:00:30 [hh:mm:ss]
Verifying checksum...  OK (0x16)

Copying a File from a Remote Web Server Examples

In the following example, the file config1 is copied from a remote server to flash memory using HTTP:

Router# copy http://www.example.com:8080/configs/config1 flash:config1 

In the following example, a default username and password for HTTP Client communications is configured, and then the file sample.scr is copied from a secure HTTP server using HTTPS:

Router# configure terminal 
Router(config)# ip http client username joeuser 
Router(config)# ip http client password letmein 
Router(config)# end 
Router# copy https://www.example_secure.com/scripts/sample.scr flash: 

In the following example, an HTTP proxy server is specified before using the copy http:// command:

Router# configure terminal 
Router(config)# ip http client proxy-server edge2 proxy-port 29 
Router(config)# end 
Router# copy http://www.example.com/configs/config3 flash:/configs/config3

Copying an Image from the Master RSP Card to the Slave RSP Card Example

The following example copies the router-image file from the flash memory card inserted in slot 1 of the master RSP card to slot 0 of the slave RSP card in the same router:

Router# copy slot1:router-image slaveslot0:

Related Commands

Command
Description

boot config

Specifies the device and filename of the configuration file from which the router configures itself during initialization (startup).

boot system

Specifies the system image that the router loads at startup.

cd

Changes the default directory or file system.

copy xmodem: flash:

Copies any file from a source to a destination.

copy ymodem: flash:

Copies any file from a source to a destination.

delete

Deletes a file on a flash memory device.

dir

Displays a list of files on a file system.

erase

Erases a file system.

ip rcmd remote-username

Configures the remote username to be used when requesting a remote copy using rcp.

ip scp server enable

Enables scp server-side functionality.

reload

Reloads the operating system.

show bootvar

Displays the contents of the BOOT environment variable, the name of the configuration file pointed to by the CONFIG_FILE environment variable, the contents of the BOOTLDR environment variable, and the configuration register setting.

show (flash file system)

Displays the layout and contents of a flash memory file system.

slave auto-sync config

Turns on automatic synchronization of configuration files for a Cisco 7507 or Cisco 7513 router that is configured for Dual RSP Backup.

verify bootflash:

File system or directory containing the files to list, followed by a colon.


crypto ipsec profile

To define the IP Security (IPsec) parameters that are to be used for IPsec encryption between two IPsec routers and to enter IPsec profile configuration mode, use the crypto ipsec profile command in global configuration mode. To delete an IPsec profile, use the no form of this command.

crypto ipsec profile name

no crypto ipsec profile name

Syntax Description

name

Profile name.


Command Default

An IPsec profile is not defined.

Command Modes

Global configuration

Command History

Release
Modification

12.2(13)T

This command was introduced.

12.2(18)SXE

This command was integrated into Cisco IOS Release 12.2(18)SXE.

12.4(4)T

Support for IPv6 was added.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

Cisco IOS XE Release 2.1

This command was introduced on Cisco ASR 1000 Series Routers.


Usage Guidelines

An IPsec profile abstracts the IPsec policy settings into a single profile that can be used in other parts of the Cisco IOS configuration.

The IPsec profile shares most of the same commands with the crypto map configuration, but only a subset of the commands are valid in an IPsec profile. Only commands that pertain to an IPsec policy can be issued under an IPsec profile; you cannot specify the IPsec peer address or the access control list (ACL) to match the packets that are to be encrypted.

After this command has been enabled, the following commands can be configured under an IPsec profile:

default—Lists the commands that can be configured under the crypto ipsec profile command.

description—Describes the crypto map statement policy.

dialer—Specifies dialer-related commands.

redundancy—Specifies a redundancy group name.

set-identity—Specifies identity restrictions.

set isakmp-profile—Specifies an ISAKMP profile.

set pfs—Specifies perfect forward secrecy (PFS) settings.

set security-association—Defines security association parameters.

set-transform-set—Specifies a list of transform sets in order of priority.

After enabling this command, the only parameter that must be defined under the profile is the transform set via the set transform-set command.

For more information on transform sets, refer to the section "Defining Transform Sets" in the chapter "Configuring IPSec Network Security" in the Cisco IOS Security Configuration Guide.

Examples

The following example shows how to configure a crypto map that uses an IPsec profile:

crypto ipsec transform-set cat-transforms esp-des esp-sha-hmac
 mode transport
!
crypto ipsec profile cat-profile
 set transform-set cat-transforms
 set pfs group2
!
interface Tunnel1
 ip address 192.168.1.1 255.255.255.252
 tunnel source FastEthernet2/0
 tunnel destination 10.13.7.67
 tunnel protection ipsec profile cat-profile

Related Commands

Command
Description

crypto ipsec transform-set

Defines a transform set.

set pfs

Specifies that IPsec should ask for PFS when requesting new security associations for a crypto map entry.

set transform-set

Specifies which transform sets can be used with the crypto map entry.

tunnel protection

Associates a tunnel interface with an IPsec profile.


crypto isakmp identity

To define the identity used by the router when participating in the Internet Key Exchange (IKE) protocol, use the crypto isakmp identity command in global configuration mode. Set an Internet Security Association Key Management Protocol (ISAKMP) identity whenever you specify preshared keys. To reset the ISAKMP identity to the default value (address), use the no form of this command.

crypto isakmp identity {address | hostname}

no crypto isakmp identity

Syntax Description

address

Sets the ISAKMP identity to the IP address of the interface that is used to communicate to the remote peer during IKE negotiations.

hostname

Sets the ISAKMP identity to the host name concatenated with the domain name (for example, myhost.example.com).


Command Default

The IP address is used for the ISAKMP identity.

Command Modes

Global configuration

Command History

Release
Modification

11.3 T

This command was introduced.

12.4(4)T

Support for IPv6 was added.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.


Usage Guidelines

Use this command to specify an ISAKMP identity either by IP address or by host name.

The address keyword is typically used when there is only one interface (and therefore only one IP address) that will be used by the peer for IKE negotiations, and the IP address is known.

The hostname keyword should be used if there is more than one interface on the peer that might be used for IKE negotiations, or if the interface's IP address is unknown (such as with dynamically assigned IP addresses).

As a general rule, you should set all peers' identities in the same way, either by IP address or by host name.

Examples

The following example uses preshared keys at two peers and sets both their ISAKMP identities to IP address.

At the local peer (at 10.0.0.1) the ISAKMP identity is set and the preshared key is specified.

crypto isakmp identity address
crypto isakmp key sharedkeystring address 192.168.1.33

At the remote peer (at 192.168.1.33) the ISAKMP identity is set and the same preshared key is specified.

crypto isakmp identity address
crypto isakmp key sharedkeystring address 10.0.0.1

Note In the preceding example if the crypto isakmp identity command had not been performed, the ISAKMP identities would have still been set to IP address, the default identity.


The following example uses preshared keys at two peers and sets both their ISAKMP identities to host name.

At the local peer the ISAKMP identity is set and the preshared key is specified.

crypto isakmp identity hostname
crypto isakmp key sharedkeystring hostname RemoteRouter.example.com
ip host RemoteRouter.example.com 192.168.0.1

At the remote peer the ISAKMP identity is set and the same preshared key is specified.

crypto isakmp identity hostname
crypto isakmp key sharedkeystring hostname LocalRouter.example.com
ip host LocalRouter.example.com 10.0.0.1 10.0.0.2

In the above example, host names are used for the peers' identities because the local peer has two interfaces that might be used during an IKE negotiation.

In the above example the IP addresses are also mapped to the host names; this mapping is not necessary if the routers' host names are already mapped in DNS.

Related Commands

Command
Description

crypto ipsec security-association lifetime

Specifies the authentication method within an IKE policy.

crypto isakmp key

Configures a preshared authentication key.


crypto isakmp key

To configure a preshared authentication key, use the crypto isakmp key command in global configuration mode. To delete a preshared authentication key, use the no form of this command.

crypto isakmp key enc-type-digit keystring {address peer-address [mask] | ipv6 ipv6-address/ipv6-prefix | hostname hostname} [no-xauth]

no crypto isakmp key enc-type-digit keystring {address peer-address [mask] | ipv6 ipv6-address/ipv6-prefix | hostname hostname} [no-xauth]

Syntax Description

enc-type-digit

Specifies whether the password to be used is encrypted or unencrypted.

0—Specifies that an unencrypted password follows.

6—Specifies that an encrypted password follows.

keystring

Specifies the preshared key. Use any combination of alphanumeric or special characters up to 128 bytes. Special characters include the following: !?"#$%&'()*+,-./:;<=>@[\]^_`~. (Type "CTRL-V" before the "?" symbol to avoid invoking help.) This preshared key must be identical at both peers.

address

Use this keyword if the remote peer Internet Security Association Key Management Protocol (ISAKMP) identity was set with its IP or IPv6 address. The peer-address argument specifies the IP or IPv6 address of the remote peer.

peer-address

Specifies the IP address of the remote peer.

mask

(Optional) Specifies the subnet address of the remote peer. (The argument can be used only if the remote peer ISAKMP identity was set with its IP address.)

ipv6

Specifies that an IPv6 address of a remote peer will be used.

ipv6-address

IPv6 address of the remote peer.

This argument must be in the form documented in RFC 2373 where the address is specified in hexadecimal using 16-bit values between colons.

ipv6-prefix

IPv6 prefix of the remote peer.

hostname hostname

Fully qualified domain name (FQDN) of the peer. The hostname keyword and hostname argument are not supported by IPv6.

no-xauth

(Optional) Use this keyword if router-to-router IP Security (IPSec) is on the same crypto map as a Virtual Private Network (VPN)-client-to-Cisco-IOS IPSec. This keyword prevents the router from prompting the peer for extended authentication (Xauth) information (username and password).


Command Default

There is no default preshared authentication key.

Command Modes

Global configuration

Command History

Release
Modification

11.3T

This command was introduced.

12.1(1)T

The mask argument was added.

12.2(4)T

The no-xauth keyword was added.

12.3(2)T

This command was modified so that output shows that the preshared key is either encrypted or unencrypted.

12.2(18)SXD

This command was integrated into Cisco IOS Release 12.2(18)SXD.

12.4(4)T

The ipv6 keyword and the ipv6-address and ipv6-prefix arguments were added.

Cisco IOS XE Release 2.1

This command was introduced on Cisco ASR 1000 Series Routers.


Usage Guidelines

You must use this command to configure a key whenever you specify preshared keys in an Internet Key Exchange (IKE) policy; you must enable this command at both peers.

If an IKE policy includes preshared keys as the authentication method, these preshared keys must be configured at both peers—otherwise the policy cannot be used (the policy will not be submitted for matching by the IKE process). The crypto isakmp key command is the second task required to configure the preshared keys at the peers. (The first task is accomplished using the crypto isakmp identity command.)

Use the address keyword if the remote peer ISAKMP identity was set with its IP address.

With the address keyword, you can also use the mask argument to indicate the remote peer ISAKMP identity will be established using the preshared key only. If the mask argument is used, preshared keys are no longer restricted between two users.


Note If you specify mask, you must use a subnet address. (The subnet address 0.0.0.0 is not recommended because it encourages group preshared keys, which allow all peers to have the same group key, thereby reducing the security of your user authentication.)


When using IKE main mode, preshared keys are indexed by IP address only because the identity payload has not yet been received. This means that the hostname keyword in the identity statement is not used to look up a preshared key and will be used only when sending and processing the identity payloads later in the main mode exchange. The identity keyword can be used when preshared keys are used with IKE aggressive mode, and keys may be indexed by identity types other than IP address as the identity payload is received in the first IKE aggressive mode packet.

If crypto isakmp identity hostname is configured as identity, the preshared key must be configured with the peer's IP address for the process to work when using IKE in main mode.

Use the no-xauth keyword to prevent the router from prompting the peer for Xauth information (username and password). This keyword disables Xauth for static IPSec peers. The no-xauth keyword should be enabled when configuring the preshared key for router-to-router IPSec—not VPN-client-to-Cisco-IOS IPSec.

Output for the crypto isakmp key command will show that the preshared key is either encrypted or unencrypted. An output example for an unencrypted preshared key would be as follows:

crypto isakmp key test123 address 10.1.0.1

An output example for a type 6 encrypted preshared key would be as follows:

crypto isakmp key 6 RHZE[JACMUI\bcbTdELISAAB address 10.1.0.1

Examples

In the following example, the remote peer "RemoteRouter" specifies an ISAKMP identity by address:

crypto isakmp identity address

Now, the preshared key must be specified at each peer.

In the following example, the local peer specifies the preshared key and designates the remote peer by its IP address and a mask:

crypto isakmp key 0 sharedkeystring address 172.21.230.33  255.255.255.255

In the following example for IPv6, the peer specifies the preshared key and designates the remote peer with an IPv6 address:

crypto isakmp key 0 my-preshare-key-0 address ipv6 3ffe:1001::2/128

Related CommandsI

Command
Description

crypto ipsec security-association lifetime

Specifies the authentication method within an IKE policy.

crypto isakmp identity

Defines the identity the router uses when participating in the IKE protocol.

ip host

Defines a static host name-to-address mapping in the host cache.


crypto isakmp peer

To enable an IP Security (IPSec) peer for Internet Key Exchange (IKE) querying of authentication, authorization, and accounting (AAA) for tunnel attributes in aggressive mode, use the crypto isakmp peer command in global configuration mode. To disable this functionality, use the no form of this command.

crypto isakmp peer {address {ipv4-address | ipv6 ipv6-address} | hostname fqdn-hostname}

no crypto isakmp peer {address {ipv4-address | ipv6 ipv6-address} | hostname fqdn-hostname}

Syntax Description

address ip-address

Address of the peer router.

ipv4-address

IPv4 address of the peer router.

ipv6 ipv6-address

IPv6 address of the peer router.

hostname

Hostname of the peer router.

fqdn-hostname

Fully qualified domain name (FQDN) of the peer router.


Command Default

None

Command Modes

Global configuration

Command History

Release
Modification

12.2(8)T

This command was introduced.

12.2(15)T

The vrf keyword and fvrf-name argument were added.

12.2(18)SXD

This command was integrated into Cisco IOS Release 12.2(18)SXD.

12.4(4)T

The ipv6 keyword and ipv6-address argument were added.

Cisco IOS XE Release 2.1

This command was introduced on Cisco ASR 1000 Series Routers.


Usage Guidelines

After enabling this command, you can use the set aggressive-mode client-endpoint and set aggressive-mode password commands to specify RADIUS tunnel attributes in the Internet Security Association and Key Management Protocol (ISAKMP) peer policy for IPSec peers.

Instead of keeping your preshared keys on the hub router, you can scale your preshared keys by storing and retrieving them from an AAA server. The preshared keys are stored in the AAA server as Internet Engineering Task Force (IETF) RADIUS tunnel attributes and are retrieved when a user tries to "speak" to the hub router. The hub router retrieves the preshared key from the AAA server and the spokes (the users) initiate aggressive mode to the hub by using the preshared key that is specified in the ISAKMP peer policy as a RADIUS tunnel attribute.

Examples

The following example shows how to initiate aggressive mode using RADIUS tunnel attributes:

crypto isakmp peer ip-address 209.165.200.230 vrf vpn1
 set aggressive-mode client-endpoint user-fqdn user@cisco.com
 set aggressive-mode password cisco123

Related Commands

Command
Description

crypto map isakmp authorization list

Enables IKE querying of AAA for tunnel attributes in aggressive mode.

set aggressive-mode client-endpoint

Specifies the Tunnel-Client-Endpoint attribute within an ISAKMP peer configuration.

set aggressive-mode password

Specifies the Tunnel-Password attribute within an ISAKMP peer configuration.


crypto isakmp policy

To define an Internet Key Exchange (IKE) policy, use the crypto isakmp policy command in global configuration mode. To delete an IKE policy, use the no form of this command.

crypto isakmp policy priority

no crypto isakmp policy priority

Syntax Description

priority

Uniquely identifies the IKE policy and assigns a priority to the policy. Use an integer from 1 to 10,000, with 1 being the highest priority and 10,000 the lowest.


Command Default

Default IKE policies are in use.

Command Modes

Global configuration (config)

Command History

Release
Modification

11.3T

This command was introduced.

12.4(4)T

Support for IPv6 was added.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.

12.4(20)T

The command default was modified. Support for eight default IKE (ISAKMP) policies was added.

Cisco IOS XE Release 2.4

This command was implemented on the Cisco ASR 1000 series routers.


Usage Guidelines

IKE policies define a set of parameters to be used during the IKE negotiation. Use this command to specify the parameters to be used during an IKE negotiation. (These parameters are used to create the IKE security association [SA].)

This command invokes the Internet Security Association Key Management Protocol (ISAKMP) policy configuration (config-isakmp) command mode. While in the ISAKMP policy configuration command mode, some of the commands for which you can specify parameters are as follows:

authentication; default = RSA signatures

encryption (IKE policy); default = 56-bit DES-CBC

group (IKE policy); default = 768-bit Diffie-Hellman

hash (IKE policy); default = SHA-1

lifetime (IKE policy); default = 86,400 seconds (one day)

If you do not specify any given parameter, the default value will be used for that parameter.

To exit the config-isakmp command mode, type exit.

You can configure multiple IKE policies on each peer participating in IPsec. When the IKE negotiation begins, it tries to find a common policy configured on both peers, starting with the highest priority policies as specified on the remote peer.

Examples

The following example shows how to manually configure two policies for the peer:

crypto isakmp policy 15
 hash md5
 authentication rsa-sig
 group 2
 lifetime 5000
crypto isakmp policy 20
 authentication pre-share
 lifetime 10000

The above configuration results in the following policies:

Router# show crypto isakmp policy

Protection suite priority 15
	encryption algorithm:	DES - Data Encryption Standard (56 bit keys)
	hash algorithm:	Message Digest 5
	authentication method:	Rivest-Shamir-Adleman Signature
	Diffie-Hellman Group:	#2 (1024 bit)
	lifetime:	5000 seconds, no volume limit
Protection suite priority 20
	encryption algorithm:	DES - Data Encryption Standard (56 bit keys)
	hash algorithm:	Secure Hash Standard
	authentication method:	preshared Key
	Diffie-Hellman Group:	#1 (768 bit)
	lifetime:	10000 seconds, no volume limit
Default protection suite
	encryption algorithm:	DES - Data Encryption Standard (56 bit keys)
	hash algorithm:	Secure Hash Standard
	authentication method:	Rivest-Shamir-Adleman Signature
	Diffie-Hellman Group:	#1 (768 bit)
	lifetime:	86400 seconds, no volume limit

The following sample output from the show crypto isakmp policy command displays the default IKE policies when the manually configured IKE policies with priorities 15 and 20 have been removed.

Router(config)# no crypto isakmp policy 15
Router(config)# no crypto isakmp policy 20
Router(config)# exit
R1# show crypto isakmp policy

Default IKE policy
Protection suite of priority 65507
        encryption algorithm:   AES - Advanced Encryption Standard (128 bit key.
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #5 (1536 bit)
        lifetime:               86400 seconds, no volume limit
Protection suite of priority 65508
        encryption algorithm:   AES - Advanced Encryption Standard (128 bit key.
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #5 (1536 bit)
        lifetime:               86400 seconds, no volume limit
Protection suite of priority 65509
        encryption algorithm:   AES - Advanced Encryption Standard (128 bit key.
        hash algorithm:         Message Digest 5
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #5 (1536 bit)
        lifetime:               86400 seconds, no volume limit
Protection suite of priority 65510
        encryption algorithm:   AES - Advanced Encryption Standard (128 bit key.
        hash algorithm:         Message Digest 5
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #5 (1536 bit)
        lifetime:               86400 seconds, no volume limit
Protection suite of priority 65511
        encryption algorithm:   Three key triple DES
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit
Protection suite of priority 65512
        encryption algorithm:   Three key triple DES
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit
Protection suite of priority 65513
        encryption algorithm:   Three key triple DES
        hash algorithm:         Message Digest 5
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit
Protection suite of priority 65514
        encryption algorithm:   Three key triple DES
        hash algorithm:         Message Digest 5
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit

Related Commands

Command
Description

encryption (IKE policy)

Specifies the encryption algorithm within an IKE policy.

group (IKE policy)

Specifies the Diffie-Hellman group identifier within an IKE policy.

hash (IKE policy)

Specifies the hash algorithm within an IKE policy.

lifetime (IKE policy)

Specifies the lifetime of an IKE SA.

show crypto isakmp default policy

Displays the default IKE (ISAKMP) policies currently in use.

show crypto isakmp policy

Displays the parameters for each IKE policy.


crypto isakmp profile

To define an Internet Security Association and Key Management Protocol (ISAKMP) profile and to audit IP security (IPsec) user sessions, use the crypto isakmp profile command in global configuration mode. To delete a crypto ISAKMP profile, use the no form of this command.

crypto isakmp profile profile-name [accounting aaa-list]

no crypto isakmp profile profile-name [accounting aaa-list]

Syntax Description

profile-name

Name of the user profile. To associate a user profile with the RADIUS server, the user profile name must be identified.

accounting aaa-list

(Optional) Name of a client accounting list.


Command Defaults

No profile exists if the command is not used.

Command Modes

Global configuration

Command History

Release
Modification

12.2(15)T

This command was introduced.

12.2(18)SXD

This command was integrated into Cisco IOS Release 12.2(18)SXD.

12.4(2)T

Support for dynamic virtual tunnel interfaces was added.

12.4(4)T

Support for IPv6 was added.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

Cisco IOS XE Release 2.1

This command was introduced on Cisco ASR 1000 Series Routers.


Usage Guidelines

Defining an ISAKMP Profile

An ISAKMP profile can be viewed as a repository of Phase 1 and Phase 1.5 commands for a set of peers. The Phase 1 configuration includes commands to configure such things as keepalive, identity matching, and the authorization list. The Phase 1.5 configuration includes commands to configure such things as extended authentication (Xauth) and mode configuration.

The peers are mapped to an ISAKMP profile when their identities are matched (as given in the identification [ID] payload of the Internet Key Exchange [IKE]) against the identities defined in the ISAKMP profile. To uniquely map to an ISAKMP profile, no two ISAKMP profiles should match the same identity. If the peer identity is matched in two ISAKMP profiles, the configuration is invalid. Also, there must be at least one match identity command defined in the ISAKMP profile for it to be complete.

After enabling this command and entering ISAKMP profile configuration mode, you can configure the following commands:

accounting—Enables authentication, authorization, and accounting (AAA) accounting.

ca trust-point—Specifies certificate authorities.

client—Specifies client configuration settings.

default—Lists subcommands for the crypto isakmp profile command.

description—Specifies a description of this profile.

initiate mode—Initiates a mode.

isakmp authorization—ISAKMP authorization parameters.

keepalive—Sets a keepalive interval.

keyring—Specifies a keyring.

local-address—Specifies the interface to use as the local address of this ISAKMP profile.

match—Matches the values of the peer.

qos-group—Applies a quality of service (QoS) policy class map for this profile.

self-identity—Specifies the identity.

virtual-template—Specifies the virtual template for the dynamic interface.

vrf—Specifies the Virtual Private Network routing and forwarding (VRF) instance to which the profile is related.

Auditing IPSec User Sessions

Use this command to audit multiple user sessions that are terminating on the IPSec gateway.


Note The crypto isakmp profile command and the crypto map (global IPSec) command are mutually exclusive. If a profile is present (the crypto isakmp profile command has been used), with no accounting configured but with the global command present (the crypto isakmp profile command without the accounting keyword), accounting will occur using the attributes in the global command.


Dynamic Virtual Tunnel Interfaces

Support for dynamic virtual tunnel interfaces allows for the virtual profile to be mapped into a specified virtual template.

Examples

ISAKAMP Profile Matching Peer Identities Example

The following example shows how to define an ISAKMP profile and match the peer identities:

crypto isakmp profile vpnprofile
 match identity address 10.76.11.53

ISAKAMP Profile with Accounting Example

The following accounting example shows that an ISAKMP profile is configured:

aaa new-model
!
!
aaa authentication login cisco-client group radius
aaa authorization network cisco-client group radius 
aaa accounting network acc start-stop broadcast group radius
aaa session-id common
!
crypto isakmp profile cisco
vrf cisco
match identity group cclient
 client authentication list cisco-client
 isakmp authorization list cisco-client
 client configuration address respond
 accounting acc
!
crypto dynamic-map dynamic 1
 set transform-set aswan 
 set isakmp-profile cisco
 reverse-route
!
!
radius-server host 172.16.1.4 auth-port 1645 acct-port 1646
radius-server key nsite

Related Commands

Command
Description

crypto map (global IPsec)

Enters crypto map configuration mode and creates or modifies a crypto map entry, creates a crypto profile that provides a template for configuration of dynamically created crypto maps, or configures a client accounting list.

debug crypto isakmp

Displays messages about IKE events.

match identity

Matches an identity from a peer in an ISAKMP profile.

tunnel protection

Associates a tunnel interface with an IP Security (IPsec) profile.

virtual template

Specifies which virtual template to be used to clone virtual access interfaces.


crypto key generate rsa

To generate Rivest, Shamir, and Adelman (RSA) key pairs, use the crypto key generate rsa command in global configuration mode.

crypto key generate rsa [general-keys | usage-keys | signature | encryption] [label key-label] [exportable] [modulus modulus-size] [storage devicename:] [on devicename:]

Syntax Description

general-keys

(Optional) Specifies that a general-purpose key pair will be generated, which is the default.

usage-keys

(Optional) Specifies that two RSA special-usage key pairs, one encryption pair and one signature pair, will be generated.

signature

(Optional) Specifies that the RSA public key generated will be a signature special usage key.

encryption

(Optional) Specifies that the RSA public key generated will be an encryption special usage key.

label key-label

(Optional) Specifies the name that is used for an RSA key pair when they are being exported.

If a key label is not specified, the fully qualified domain name (FQDN) of the router is used.

exportable

(Optional) Specifies that the RSA key pair can be exported to another Cisco device, such as a router.

modulus modulus-size

(Optional) Specifies the IP size of the key modulus.

By default, the modulus of a certification authority (CA) key is 1024 bits. The recommended modulus for a CA key is 2048 bits. The range of a CA key modulus is from 350 to 4096 bits.

Note Effective with Cisco IOS XE Release 2.4, the maximum key size was expanded to 4096 bits for private key operations. The maximum for private key operations prior to Cisco IOS XE Release 2.4 was 2048 bits.

storage devicename:

(Optional) Specifies the key storage location. The name of the storage device is followed by a colon (:).

on devicename:

(Optional) Specifies that the RSA key pair will be created on the specified device, including a Universal Serial Bus (USB) token, local disk, or NVRAM. The name of the device is followed by a colon (:).

Keys created on a USB token have a maximum size of 1024 bits.


Command Default

RSA key pairs do not exist.

Command Modes

Global configuration

Command History

Release
Modification

11.3

This command was introduced.

12.2(8)T

The key-label argument was added.

12.2(15)T

The exportable keyword was added.

12.2(18)SXD

This command was integrated into Cisco IOS Release 12.2(18)SXD.

12.4(4)T

The storage keyword and devicename: argument were added.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.4(11)T

The storage keyword and devicename: argument were implemented on the Cisco 7200VXR NPE-G2 platform.

The signature, encryption and on keywords and devicename: argument were added.

12.4(24)T

Support for IPv6 Secure Neighbor Discovery (SeND) was added.

XE 2.4

The maximum RSA key size was expanded from 2048 to 4096 bits for private key operations.


Usage Guidelines

Use this command to generate RSA key pairs for your Cisco device (such as a router).

RSA keys are generated in pairs—one public RSA key and one private RSA key.

If your router already has RSA keys when you issue this command, you will be warned and prompted to replace the existing keys with new keys.


Note Before issuing this command, ensure that your router has a hostname and IP domain name configured (with the hostname and ip domain-name commands). You will be unable to complete the crypto key generate rsa command without a hostname and IP domain name. (This situation is not true when you generate only a named key pair.)



Note Secure Shell (SSH) may generate an additional RSA key pair if you generate a key pair on a router having no RSA keys. The additional key pair is used only by SSH and will have a name such as {router_FQDN}.server. For example, if a router name is "router1.cisco.com," the key name is "router1.cisco.com.server."


This command is not saved in the router configuration; however, the RSA keys generated by this command are saved in the private configuration in NVRAM (which is never displayed to the user or backed up to another device) the next time the configuration is written to NVRAM.


Note If the configuration is not saved to NVRAM, the generated keys are lost on the next reload of the router.


There are two mutually exclusive types of RSA key pairs: special-usage keys and general-purpose keys. When you generate RSA key pairs, you will be prompted to select either special-usage keys or general-purpose keys.

Special-Usage Keys

If you generate special-usage keys, two pairs of RSA keys will be generated. One pair will be used with any Internet Key Exchange (IKE) policy that specifies RSA signatures as the authentication method, and the other pair will be used with any IKE policy that specifies RSA encrypted keys as the authentication method.

A CA is used only with IKE policies specifying RSA signatures, not with IKE policies specifying RSA-encrypted nonces. (However, you could specify more than one IKE policy and have RSA signatures specified in one policy and RSA-encrypted nonces in another policy.)

If you plan to have both types of RSA authentication methods in your IKE policies, you may prefer to generate special-usage keys. With special-usage keys, each key is not unnecessarily exposed. (Without special-usage keys, one key is used for both authentication methods, increasing the exposure of that key.)

General-Purpose Keys

If you generate general-purpose keys, only one pair of RSA keys will be generated. This pair will be used with IKE policies specifying either RSA signatures or RSA encrypted keys. Therefore, a general-purpose key pair might get used more frequently than a special-usage key pair.

Named Key Pairs

If you generate a named key pair using the key-label argument, you must also specify the usage-keys keyword or the general-keys keyword. Named key pairs allow you to have multiple RSA key pairs, enabling the Cisco IOS software to maintain a different key pair for each identity certificate.

Modulus Length

When you generate RSA keys, you will be prompted to enter a modulus length. The longer the modulus, the stronger the security. However a longer modules takes longer to generate (see Table 15 for sample times) and takes longer to use.

Table 15 Sample Times by Modulus Length to Generate RSA Keys

Router
360 bits
512 bits
1024 bits
2048 bits (maximum)

Cisco 2500

11 seconds

20 seconds

4 minutes, 38 seconds

More than 1 hour

Cisco 4700

Less than 1 second

1 second

4 seconds

50 seconds


Cisco IOS software does not support a modulus greater than 4096 bits. A length of less than 512 bits is normally not recommended. In certain situations, the shorter modulus may not function properly with IKE, so we recommend using a minimum modulus of 1024 bits.


Note As of Cisco IOS Release 12.4(11)T, peer public RSA key modulus values up to 4096 bits are automatically supported.

The largest private RSA key modulus is 2048 bits. Therefore, the largest RSA private key a router may generate or import is 2048 bits.

The recommended modulus for a CA is 2048 bits; the recommended modulus for a client is 1024 bits.


Additional limitations may apply when RSA keys are generated by cryptographic hardware. For example, when RSA keys are generated by the Cisco VPN Services Port Adapter (VSPA), the RSA key modulus must be a minimum of 384 bits and must be a multiple of 64.

Specifying a Storage Location for RSA Keys

When you issue the crypto key generate rsa command with the storage devicename: keyword and argument, the RSA keys will be stored on the specified device. This location will supersede any crypto key storage command settings.

Specifying a Device for RSA Key Generation

As of Cisco IOS Release 12.4(11)T and later releases, you may specify the device where RSA keys are generated. Devices supported include NVRAM, local disks, and USB tokens. If your router has a USB token configured and available, the USB token can be used as cryptographic device in addition to a storage device. Using a USB token as a cryptographic device allows RSA operations such as key generation, signing, and authentication of credentials to be performed on the token. The private key never leaves the USB token and is not exportable. The public key is exportable.

RSA keys may be generated on a configured and available USB token, by the use of the on devicename: keyword and argument. Keys that reside on a USB token are saved to persistent token storage when they are generated. The number of keys that can be generated on a USB token is limited by the space available. If you attempt to generate keys on a USB token and it is full you will receive the following message:

% Error in generating keys:no available resources 

Key deletion will remove the keys stored on the token from persistent storage immediately. (Keys that do not reside on a token are saved to or deleted from nontoken storage locations when the copy or similar command is issued.)

For information on configuring a USB token, see "Storing PKI Credentials" chapter in the Cisco IOS Security Configuration Guide, Release 12.4T. For information on using on-token RSA credentials, see the "Configuring and Managing a Cisco IOS Certificate Server for PKI Deployment" chapter in the Cisco IOS Security Configuration Guide, Release 12.4T.

Examples

The following example generates a general-usage 1024-bit RSA key pair on a USB token with the label "ms2" with crypto engine debugging messages shown:

Router(config)# crypto key generate rsa label ms2 modulus 1024 on usbtoken0:

The name for the keys will be: ms2 
% The key modulus size is 1024 bits 
% Generating 1024 bit RSA keys, keys will be on-token, non-exportable... 
Jan 7 02:41:40.895: crypto_engine: Generate public/private keypair [OK] 
Jan 7 02:44:09.623: crypto_engine: Create signature 
Jan 7 02:44:10.467: crypto_engine: Verify signature 
Jan 7 02:44:10.467: CryptoEngine0: CRYPTO_ISA_RSA_CREATE_PUBKEY(hw)(ipsec) 
Jan 7 02:44:10.467: CryptoEngine0: CRYPTO_ISA_RSA_PUB_DECRYPT(hw)(ipsec)

Now, the on-token keys labeled "ms2" may be used for enrollment.

The following example generates special-usage RSA keys:

Router(config)# crypto key generate rsa usage-keys

The name for the keys will be: myrouter.example.com

Choose the size of the key modulus in the range of 360 to 2048 for your Signature Keys. 
Choosing a key modulus greater than 512 may take a few minutes.
How many bits in the modulus[512]? <return>
Generating RSA keys.... [OK].

Choose the size of the key modulus in the range of 360 to 2048 for your Encryption Keys. 
Choosing a key modulus greater than 512 may take a few minutes.
How many bits in the modulus[512]? <return>
Generating RSA keys.... [OK].

The following example generates general-purpose RSA keys:


Note You cannot generate both special-usage and general-purpose keys; you can generate only one or the other.


Router(config)# crypto key generate rsa general-keys

The name for the keys will be: myrouter.example.com

Choose the size of the key modulus in the range of 360 to 2048 for your General Purpose 
Keys. Choosing a key modulus greater than 512 may take a few minutes.
How many bits in the modulus[512]? <return>
Generating RSA keys.... [OK].


The following example generates the general-purpose RSA key pair "exampleCAkeys":

crypto key generate rsa general-keys label exampleCAkeys
crypto ca trustpoint exampleCAkeys
 enroll url http://exampleCAkeys/certsrv/mscep/mscep.dll
 rsakeypair exampleCAkeys 1024 1024

The following example specifies the RSA key storage location of "usbtoken0:" for "tokenkey1":

crypto key generate rsa general-keys label tokenkey1 storage usbtoken0:

Related Commands

Command
Description

copy

Copies any file from a source to a destination, use the copy command in privileged EXEC mode.

crypto key storage

Sets the default storage location for RSA key pairs.

debug crypto engine

Displays debug messages about crypto engines.

hostname

Specifies or modifies the hostname for the network server.

ip domain-name

Defines a default domain name to complete unqualified hostnames (names without a dotted-decimal domain name).

show crypto key mypubkey rsa

Displays the RSA public keys of your router.

show crypto pki certificates

Displays information about your PKI certificate, certification authority, and any registration authority certificates.


crypto keyring

To define a crypto keyring to be used during Internet Key Exchange (IKE) authentication, use the crypto keyring command in global configuration mode. To remove the keyring, use the no form of this command.

crypto keyring keyring-name [vrf fvrf-name]

no crypto keyring keyring-name [vrf fvrf-name]

Syntax Description

keyring-name

Name of the crypto keyring.

vrf fvrf-name

(Optional) Front door virtual routing and forwarding (FVRF) name to which the keyring will be referenced. The fvrf-name must match the FVRF name that was defined during virtual routing and forwarding (VRF) configuration. The vrf keyword and fvrf-name argument are not supported by IPv6.


Command Default

All the Internet Security Association and Key Management Protocol (ISAKMP) keys that were defined in the global configuration are part of the default global keyring.

Command Modes

Global configuration (config)

Command History

Release
Modification

12.2(15)T

This command was introduced.

12.4(4)T

Support for IPv6 was added.

12.2(33)SXH

This command was integrated into Cisco IOS Release 12.2(33)SXH.

Cisco IOS XE Release 2.1

This command was introduced on Cisco ASR 1000 Series Routers.


Usage Guidelines

A keyring is a repository of preshared and Rivest, Shamir, and Adelman (RSA) public keys. The keyring is used in the ISAKMP profile configuration mode. The ISAKMP profile successfully completes authentication of peers if the peer keys are defined in the keyring that is attached to this profile.

Examples

The following example shows that a keyring and its usage have been defined:

crypto keyring vpnkeys
  pre-shared-key address 10.72.23.11 key vpnsecret
crypto isakmp profile vpnprofile
  keyring vpnkeys

Related Commands

Command
Description

pre-shared-key

Defines a preshared key to be used for IKE authentication.


crypto pki authenticate

To authenticate the certification authority (CA) (by getting the certificate of the CA), use the crypto pki authenticate command in global configuration mode.

crypto pki authenticate name

Syntax Description

name

The name of the CA. This is the same name used when the CA was declared with the crypto ca identity command.


Defaults

No default behavior or values.

Command Modes

Global configuration

Command History

Release
Modification

11.3T

The crypto ca authenticate command was introduced.

12.3(7)T

This command replaced the crypto ca authenticate command.

12.2(18)SXE

This command was integrated into Cisco IOS Release 12.2(18)SXE.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.4(24)T

Support for IPv6 Secure Neighbor Discovery (SeND) was added.


Usage Guidelines

This command is required when you initially configure CA support at your router.

This command authenticates the CA to your router by obtaining the self-signed certificate of the CA that contains the public key of the CA. Because the CA signs its own certificate, you should manually authenticate the public key of the CA by contacting the CA administrator when you enter this command.

If you are using Router Advertisements (RA) mode (using the enrollment command) when you issue the crypto pki authenticate command, then registration authority signing and encryption certificates will be returned from the CA and the CA certificate.

This command is not saved to the router configuration. However. the public keys embedded in the received CA (and RA) certificates are saved to the configuration as part of the Rivest, Shamir, and Adelman (RSA) public key record (called the "RSA public key chain").


Note If the CA does not respond by a timeout period after this command is issued, the terminal control will be returned so that it remains available. If this happens, you must reenter the command. Cisco IOS software will not recognize CA certificate expiration dates set for beyond the year 2049. If the validity period of the CA certificate is set to expire after the year 2049, the following error message will be displayed when authentication with the CA server is attempted:

error retrieving certificate :incomplete chain

If you receive an error message similar to this one, check the expiration date of your CA certificate. If the expiration date of your CA certificate is set after the year 2049, you must reduce the expiration date by a year or more.


Examples

In the following example, the router requests the certificate of the CA. The CA sends its certificate and the router prompts the administrator to verify the certificate of the CA by checking the CA certificate's fingerprint. The CA administrator can also view the CA certificate's fingerprint, so you should compare what the CA administrator sees to what the router displays on the screen. If the fingerprint on the router's screen matches the fingerprint viewed by the CA administrator, you should accept the certificate as valid.

Router(config)# crypto pki authenticate myca

Certificate has the following attributes:
Fingerprint: 0123 4567 89AB CDEF 0123
Do you accept this certificate? [yes/no] y#

Related Commands

Command
Description

debug crypto pki transactions

Displays debug messages for the trace of interaction (message type) between the CA and the router.

enrollment

Specifies the enrollment parameters of your CA.

show crypto pki certificates

Displays information about your certificate, the certificate of the CA, and any RA certificates.


crypto pki enroll

To obtain the certificates for your router from the certificate authority (CA), use the crypto pki enroll command in global configuration mode. To delete a current enrollment request, use the no form of this command.

crypto pki enroll name

no crypto pki enroll name

Syntax Description

name

The name of the CA. Use the same name as when you declared the CA using the crypto pki trustpoint command.


Command Default

No default behavior or values.

Command Modes

Global configuration (config)

Command History

Release
Modification

11.3T

The crypto ca enroll command was introduced.

12.3(7)T

This command replaced the crypto ca enroll command.

12.3(14)T

The command was modified to include self-signed certificate information.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.

12.4(24)T

Support for IPv6 Secure Neighbor Discovery (SeND) was added.


Usage Guidelines

This command requests certificates from the CA for all of your router's Rivest, Shamir, and Adelmen (RSA) key pairs. This task is also known as enrolling with the CA. (Technically, enrolling and obtaining certificates are two separate events, but they both occur when this command is issued.)

Your router needs a signed certificate from the CA for each RSA key pairs of your router; if you previously generated general-purpose keys, this command obtains the one certificate corresponding to the one general-purpose RSA key pair. If you previously generated special-usage keys, this command obtains two certificates corresponding to each of the special-usage RSA key pairs.

If you already have a certificate for your keys you are prompted to remove the existing certificate first. (You can remove existing certificates with the no certificate command.)

The crypto pki enroll command is not saved in the router configuration.


Note If your router reboots after you issue the crypto pki enroll command but before you receive the certificates, you must reissue the command.



Note If you are using a Secure Shell (SSH) service, you should set up specific RSA key pairs (different private keys) for the trustpoint and the SSH service. (If the Public Key Infrastructure [PKI] and the SSH infrastructure share the same default RSA key pair, a temporary disruption of SSH service could occur. The RSA key pair could become invalid or change because of the CA system, in which case you would not be able to log in using SSH. You could receive the following error message: "key changed, possible security problem.")


Responding to Prompts

When you issue the crypto pki enroll command, you are prompted a number of times.

You are prompted to create a challenge password. This password can be up to 80 characters in length. This password is necessary in the event that you ever need to revoke your router's certificates. When you ask the CA administrator to revoke your certificate, you must supply this challenge password as a protection against fraudulent or mistaken revocation requests.


Note This password is not stored anywhere, so you need to remember this password.


If you lose the password, the CA administrator may still be able to revoke the router's certificate but will require further manual authentication of the router administrator identity.

You are also prompted to indicate whether your router's serial number should be included in the obtained certificate. The serial number is not used by IP Security (IPsec) or Internet Key Exchange, but may be used by the CA to either authenticate certificates or to later associate a certificate with a particular router. (Note that the serial number stored is the serial number of the internal board, not the one on the enclosure.) Ask your CA administrator if serial numbers should be included. If you are in doubt, include the serial number.

Normally, you would not include the IP address because the IP address binds the certificate more tightly to a specific entity. Also, if the router is moved, you would need to issue a new certificate. A router has multiple IP addresses, any of which might be used with IPsec.

If you indicate that the IP address should be included, you will then be prompted to specify the interface of the IP address. This interface should correspond to the interface that you apply your crypto map set to. If you apply crypto map sets to more than one interface, specify the interface that you name in the crypto map local-address command.

Examples

In the following example, a router with a general-purpose RSA key pair requests a certificate from the CA. When the router displays the certificate fingerprint, the administrator verifies this number by calling the CA administrator, which checks the number. The fingerprint is correct, so the router administrator accepts the certificate.

There can be a delay between when the router administrator sends the request and when the certificate is actually received by the router. The amount of delay depends on the CA method of operation.

Router(config)# crypto pki enroll myca
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
   password to the CA Administrator in order to revoke your certificate.
   For security reasons your password will not be saved in the configuration.
   Please make a note of it.

Password: <mypassword>
Re-enter password: <mypassword>

% The subject name in the certificate will be: myrouter.example.com
% Include the router serial number in the subject name? [yes/no]: yes
% The serial number in the certificate will be: 03433678
% Include an IP address in the subject name [yes/no]? yes
Interface: ethernet0/0
Request certificate from CA [yes/no]? yes
% Certificate request sent to Certificate Authority
% The certificate request fingerprint will be displayed.
% The 'show crypto pki certificates' command will also show the fingerprint.

Some time later, the router receives the certificate from the CA and displays the following confirmation message:

Router(config)#   Fingerprint: 01234567 89ABCDEF FEDCBA98 75543210

%CRYPTO-6-CERTRET: Certificate received from Certificate Authority

Router(config)#

If necessary, the router administrator can verify the displayed fingerprint with the CA administrator.

If there is a problem with the certificate request and the certificate is not granted, the following message is displayed on the console instead:

%CRYPTO-6-CERTREJ: Certificate enrollment request was rejected by Certificate Authority

The subject name in the certificate is automatically assigned to be the same as the RSA key pair's name. In the example, the RSA key pair was named "myrouter.example.com." (The router assigned this name.)

Requesting certificates for a router with special-usage keys would be the same as in the previous example, except that two certificates would have been returned by the CA. When the router received the two certificates, the router would have displayed the same confirmation message:

%CRYPTO-6-CERTRET: Certificate received from Certificate Authority

Related Commands

Command
Description

crypto map local address

Specifies and names an identifying interface to be used by the crypto map for IPsec traffic.

debug crypto pki messages

Displays debug messages for the details of the interaction (message dump) between the CA and the router.

debug crypto pki transactions

Displays debug messages for the trace of interaction (message type) between the CA and the router.

show crypto pki certificates

Displays information about your certificate, the certificate of the CA, and any RA certificates.


crypto pki import

To import a certificate manually via TFTP or as a cut-and-paste at the terminal, use the crypto pki import command in global configuration mode.

crypto pki import name certificate

Syntax Description

name certificate

Name of the certification authority (CA). This name is the same name used when the CA was declared with the crypto pki trustpoint command.


Command Default

No default behavior or values

Command Modes

Global configuration

Command History

Release
Modification

12.2(13)T

The crypto ca import command was introduced.

12.3(7)T

This command replaced the crypto ca import command.

12.2(18)SXD

This command was integrated into Cisco IOS Release 12.2(18)SXD.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.4(24)T

Support for IPv6 Secure Neighbor Discovery (SeND) was added.


Usage Guidelines

You must enter the crypto pki import command twice if usage keys (signature and encryption keys) are used. The first time the command is entered, one of the certificates is pasted into the router; the second time the command is entered, the other certificate is pasted into the router. (It does not matter which certificate is pasted first.)

Examples

The following example shows how to import a certificate via cut-and-paste. In this example, the CA trustpoint is "MS."

crypto pki trustpoint MS
 enroll terminal
 crypto pki authenticate MS
!
crypto pki enroll MS
crypto pki import MS certificate

Related Commands

Command
Description

crypto pki trustpoint

Declares the CA that your router should use.

enrollment

Specifies the enrollment parameters of your CA.

enrollment terminal

Specifies manual cut-and-paste certificate enrollment.


ctunnel mode

To transport IPv4 and IPv6 packets over Connectionless Network Service (CLNS) tunnel (CTunnel), use the ctunnel mode command in interface configuration mode. To return the ctunnel to the default cisco mode, use the no form of this command.

ctunnel mode [gre | cisco]

no ctunnel mode

Syntax Description

gre

(Optional) Sets the ctunnel mode to Generic Routing Encapsulation (GRE) for transporting IPv6 packets over the CLNS network.

cisco

(Optional) Returns the ctunnel mode to the default cisco.


Command Default

Cisco encapsulation tunnel mode is the default.

Command Modes

Interface configuration

Command History

Release
Modification

12.3(7)T

This command was introduced.

12.2(25)S

This command was integrated into Cisco IOS Release 12.2(25)S.

12.2(28)SB

This command was integrated into Cisco IOS Release 12.2(28)SB.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2(33)SXH

This command was integrated into Cisco IOS Release 12.2(33)SXH.


Usage Guidelines

GRE tunneling of IPv4 and IPv6 packets through CLNS-only networks enables Cisco ctunnels to interoperate with networking equipment from other vendors. This feature provides compliance with RFC 3147, Generic Routing Encapsulation over CLNS Networks, which should allow interoperation between Cisco equipment and that of other vendors. in which the same standard is implemented.

RFC 3147 specifies the use of GRE when tunneling packets. The implementation of this feature does not include support for GRE header fields such as those used to specify checksums, keys, or sequencing. Any packets received which specify the use of these features will be dropped.

The default ctunnel mode continues to use the standard Cisco encapsulation. Both ends of the tunnel must be configured with the same mode for it to work. If you want to tunnel ipv6 packets you must use the new gre mode.

Examples

The following example configures a CTunnel from one router to another and shows the CTunnel destination set to 49.0001.1111.1111.1111.00. The ctunnel mode is set to gre to transport IPv6 packets.

interface ctunnel 301
 ipv6 address 2001:0DB8:1111:2222::2/64
 ctunnel destination 49.0001.1111.1111.1111.00
 ctunnel mode gre

Related Commands

Command
Description

clns routing

Enables routing of CLNS packets.

ctunnel destination

Specifies the destination for the CTunnel.

debug ctunnel

Displays debug messages for the IP over a CLNS Tunnel feature.

interface ctunnel

Creates a virtual interface to transport IP over a CLNS tunnel.

ip address

Sets a primary or secondary IP address for an interface.


debug adjacency

To enable the display of information about the adjacency database, use the debug adjacency command in privileged EXEC mode. To disable the display of these events, use the no form of this command.

debug adjacency [epoch | ipc | state | table] [prefix] [interface] [connectionid id] [link {ipv4 | ipv6 | mpls}]

no debug adjacency [epoch | ipc | state | table] [prefix] [interface] [connectionid id] [link {ipv4 | ipv6 | mpls}]

Syntax Description

epoch

(Optional) Displays adjacency epoch events.

ipc

(Optional) Displays interprocess communication (IPC) events for adjacencies.

state

(Optional) Displays adjacency system state machine events.

table

(Optional) Displays adjacency table operations.

prefix

(Optional) Displays debugging events for the specified IP address or IPv6 address.

Note On the Cisco 10000 series routers, IPv6 is supported in Cisco IOS Release 12.2(28)SB and later releases.

interface

(Optional) Displays debugging events for the specified interface. For line cards, you must specify the line card if_number (interface number). Use the show cef interface command to obtain line card if_numbers.

connectionid id

(Optional) Displays debugging events for the specified client connection identification number.

link {ipv4 | ipv6 | mpls}

(Optional) Displays debugging events for the specified link type (IP, IPv6, or Multiprotocol Label Switching [MPLS] traffic).

Note On the Cisco 10000 series routers, IPv6 is supported in Cisco IOS Release 12.2(28)SB and later releases.


Command Default

Debugging events are not displayed.

Command Modes

Privileged EXEC (#)

Command History

Release
Modification

12.0(7)XE

This command was introduced on the Cisco 7600 series routers.

12.1(1)E

This command was implemented on the Cisco 7600 series routers.

12.2(14)SX

This command was implemented on the Supervisor Engine 720.

12.2(25)S

This command was integrated into Cisco IOS Release 12.2(25)S, and the prefix, interface, connectionid id, and link {ipv4 | ipv6 | mpls} keywords and arguments were added.

12.2(28)SB

This command was integrated into Cisco IOS Release 12.2(28)SB and implemented on the Cisco 10000 series routers.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.4(20)T

This command was integrated into Cisco IOS Release 12.4(20)T.


Usage Guidelines

Because debugging output is assigned high priority in the CPU process, you should use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Also, you should use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.

You can use any combination of the prefix, interface, connectionid id, and link {ipv4 | ipv6 | mpls} keywords and arguments (in any order) as a filter to enable debugging for a specified subset of adjacencies.


Note On the Cisco 10000 series routers, IPv6 is supported in Cisco IOS Release 12.2(28)SB and later releases.


Examples

The following example shows how to display information on the adjacency database:

Router# debug adjacency

*Jan 27 06:22:50.543: ADJ-ios_mgr: repopulate adjs on up event for Ethernet3/0
*Jan 27 06:22:50.543: ADJ: IPV6 adj out of Ethernet3/0, addr FE80::20C:CFFF:FEDF:6854 
(incomplete) no src set: init/update from interface
*Jan 27 06:22:50.543: ADJ: IPV6 adj out of Ethernet3/0, addr FE80::20C:CFFF:FEDF:6854 
(incomplete) no src set: set bundle to IPv6 adjacency oce
*Jan 27 06:22:50.543: ADJ: IPV6 adj out of Ethernet3/0, addr FE80::20C:CFFF:FEDF:6854 
(incomplete) no src set: allocated, setup and inserted OK
*Jan 27 06:22:50.543: ADJ: IPV6 adj out of Ethernet3/0, addr FE80::20C:CFFF:FEDF:6854 
(incomplete) src IPv6 ND: source IPv6 ND added OK
*Jan 27 06:22:50.543: ADJ: IPV6 adj out of Ethernet3/0, addr FE80::20C:CFFF:FEDF:6854 
(incomplete) src IPv6 ND: computed macstring (len 14): OK
*Jan 27 06:22:50.543: ADJ: IPV6 adj out of Ethernet3/0, addr FE80::20C:CFFF:FEDF:6854 src 
IPv6 ND: made complete (macstring len 0 to 14/0 octets)
00:04:40: %LINK-3-UPDOWN: Interface Ethernet3/0, changed state to up
00:04:41: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet3/0, changed 

Related Commands

Command
Description

clear adjacency

Clears the Cisco Express Forwarding adjacency table.

clear arp-cache

Deletes all dynamic entries from the ARP cache.

show adjacency

Displays Cisco Express Forwarding adjacency table information.

show mls cef adjacency

Displays information about the hardware Layer 3 switching adjacency node.


debug bgp ipv6 dampening

To display debugging messages for IPv6 Border Gateway Protocol (BGP) dampening, use the debug bgp ipv6 dampening command in privileged EXEC mode. To disable debugging messages for IPv6 BGP dampening, use the no form of this command.

debug bgp ipv6 {unicast | multicast} dampening [prefix-list prefix-list-name]

no debug bgp ipv6 {unicast | multicast} dampening [prefix-list prefix-list-name]

Syntax Description

unicast

Specifies IPv6 unicast address prefixes.

multicast

Specifies IPv6 multicast address prefixes.

prefix-list prefix-list-name

(Optional) Name of an IPv6 prefix list.


Command Default

Debugging for IPv6 BGP dampening packets is not enabled.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.2(2)T

This command was introduced.

12.0(21)ST

This command was integrated into Cisco IOS Release 12.0(21)ST.

12.0(22)S

This command was integrated into Cisco IOS Release 12.0(22)S.

12.2(13)T

The prefix-list keyword was added.

12.0(24)S

The prefix-list keyword was added.

12.2(14)S

This command was integrated into Cisco IOS Release 12.2(14)S.

12.2(28)SB

This command was integrated into Cisco IOS Release 12.2(28)SB.

12.2(25)SG

This command was integrated into Cisco IOS Release 12.2(25)SG.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2(33)SXH

This command was integrated into Cisco IOS Release 12.2(33)SXH.

Cisco IOS XE Release 2.1

This command was introduced on Cisco ASR 1000 Series Routers.


Usage Guidelines

The debug bgp ipv6 dampening command is similar to the debug ip bgp dampening command, except that it is IPv6-specific.

Use the prefix-list keyword and an argument to filter BGP IPv6 dampening debug information through an IPv6 prefix list.


Note By default, the network server sends the output from debug commands and system error messages to the console. To redirect debugging output, use the logging command options within global configuration mode. Destinations are the console, virtual terminals, internal buffer, and UNIX hosts running a syslog server.


Examples

The following is sample output from the debug bgp ipv6 dampening command:

Router# debug bgp ipv6 dampening

00:13:28:BGP(1):charge penalty for 2000:0:0:1::/64 path 2 1 with halflife-time 15 
reuse/suppress 750/2000
00:13:28:BGP(1):flapped 1 times since 00:00:00. New penalty is 1000
00:13:28:BGP(1):charge penalty for 2000:0:0:1:1::/80 path 2 1 with halflife-time 15 
reuse/suppress 750/2000
00:13:28:BGP(1):flapped 1 times since 00:00:00. New penalty is 1000
00:13:28:BGP(1):charge penalty for 2000:0:0:5::/64 path 2 1 with halflife-time 15 
reuse/suppress 750/2000
00:13:28:BGP(1):flapped 1 times since 00:00:00. New penalty is 1000
00:16:03:BGP(1):charge penalty for 2000:0:0:1::/64 path 2 1 with halflife-time 15 
reuse/suppress 750/2000
00:16:03:BGP(1):flapped 2 times since 00:02:35. New penalty is 1892

00:18:28:BGP(1):suppress 2000:0:0:1:1::/80 path 2 1 for 00:27:30 (penalty 2671)
00:18:28:halflife-time 15, reuse/suppress 750/2000
00:18:28:BGP(1):suppress 2000:0:0:1::/64 path 2 1 for 00:27:20 (penalty 2664)
00:18:28:halflife-time 15, reuse/suppress 750/2000

The following example shows output for the debug bgp ipv6 dampening command filtered through the prefix list named marketing:

Router# debug bgp ipv6 dampening prefix-list marketing

00:16:08:BGP(1):charge penalty for 2001:0DB8::/64 path 30 with halflife-time 15  
reuse/suppress 750/2000
00:16:08:BGP(1):flapped 1 times since 00:00:00. New penalty is 10

Table 16 describes the fields shown in the display.

Table 16 debug bgp ipv6 dampening Field Descriptions 

Field
Description

penalty

Numerical value of 1000 assigned to a route by a router configured for route dampening in another autonomous system each time a route flaps. Penalties are cumulative. The penalty for the route is stored in the BGP routing table until the penalty exceeds the suppress limit. If the penalty exceeds the suppress limit, the route state changes from history to damp.

flapped

Number of times a route is available, then unavailable, or vice versa.

halflife-time

Amount of time (in minutes) by which the penalty is decreased after the route is assigned a penalty. The halflife-time value is half of the half-life period (which is 15 minutes by default). Penalty reduction happens every 5 seconds.

reuse

The limit by which a route is unsuppressed. If the penalty for a flapping route decreases and falls below this reuse limit, the route is unsuppressed. That is, the route is added back to the BGP table and once again used for forwarding. The default reuse limit is 750. Routes are unsuppressed at 10-second increments. Every 10 seconds, the router determines which routes are now unsuppressed and advertises them to the world.

suppress

Limit by which a route is suppressed. If the penalty exceeds this limit, the route is suppressed. The default value is 2000.

maximum suppress limit
(not shown in sample output)

Maximum amount of time (in minutes) a route is suppressed. The default value is four times the half-life period.

damp state
(not shown in sample output)

State in which the route has flapped so often that the router will not advertise this route to BGP neighbors.


Related Commands

Command
Description

debug bgp ipv6 updates

Displays debugging messages for IPv6 BGP update packets.


debug bgp ipv6 updates

To display debugging messages for IPv6 Border Gateway Protocol (BGP) update packets, use the debug bgp ipv6 updates command in privileged EXEC mode. To disable debugging messages for IPv6 BGP update packets, use the no form of this command.

debug bgp ipv6 {unicast | multicast} updates [ipv6-address] [prefix-list prefix-list-name] [in | out]

no debug bgp ipv6 {unicast | multicast} updates [ipv6-address] [prefix-list prefix-list-name] [in | out]

Syntax Description

unicast

Specifies IPv6 unicast address prefixes.

multicast

Specifies IPv6 multicast address prefixes.

ipv6-address

(Optional) The IPv6 address of a BGP neighbor.

This argument must be in the form documented in RFC 2373 where the address is specified in hexadecimal using 16-bit values between colons.

prefix-list prefix-list-name

(Optional) Name of an IPv6 prefix list.

in

(Optional) Indicates inbound updates.

out

(Optional) Indicates outbound updates.


Command Default

Debugging for IPv6 BGP update packets is not enabled.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.2(2)T

This command was introduced.

12.0(21)ST

This command was integrated into Cisco IOS Release 12.0(21)ST.

12.0(22)S

This command was integrated into Cisco IOS Release 12.0(22)S.

12.2(13)T

The prefix-list keyword was added.

12.0(24)S

The prefix-list keyword was added.

12.2(14)S

This command was integrated into Cisco IOS Release 12.2(14)S.

12.2(28)SB

This command was integrated into Cisco IOS Release 12.2(28)SB.

12.2(25)SG

This command was integrated into Cisco IOS Release 12.2(25)SG.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2(33)SXH

This command was integrated into Cisco IOS Release 12.2(33)SXH.

Cisco IOS XE Release 2.1

This command was introduced on Cisco ASR 1000 Series Routers.


Usage Guidelines

The debug bgp ipv6 updates command is similar to the debug ip bgp updates command, except that it is IPv6-specific.

Use the prefix-list keyword to filter BGP IPv6 updates debugging information through an IPv6 prefix list.


Note By default, the network server sends the output from debug commands and system error messages to the console. To redirect debugging output, use the logging command options within global configuration mode. Destinations are the console, virtual terminals, internal buffer, and UNIX hosts running a syslog server. For complete information on debug commands and redirecting debugging output, refer to the Release 12.2 Cisco IOS Debug Command Reference.


Examples

The following is sample output from the debug bgp ipv6 updates command:

Router# debug bgp ipv6 updates

14:04:17:BGP(1):2000:0:0:2::2 computing updates, afi 1, neighbor version 0, table version 
1, starting at ::
14:04:17:BGP(1):2000:0:0:2::2 update run completed, afi 1, ran for 0ms, neighbor version 
0, start version 1, throttled to 1
14:04:19:BGP(1):sourced route for 2000:0:0:2::1/64 path #0 changed (weight 32768)
14:04:19:BGP(1):2000:0:0:2::1/64 route sourced locally
14:04:19:BGP(1):2000:0:0:2:1::/80 route sourced locally
14:04:19:BGP(1):2000:0:0:3::2/64 route sourced locally
14:04:19:BGP(1):2000:0:0:4::2/64 route sourced locally
14:04:22:BGP(1):2000:0:0:2::2 computing updates, afi 1, neighbor version 1, table version 
6, starting at ::
14:04:22:BGP(1):2000:0:0:2::2 send UPDATE (format) 2000:0:0:2::1/64, next 2000:0:0:2::1, 
metric 0, path 
14:04:22:BGP(1):2000:0:0:2::2 send UPDATE (format) 2000:0:0:2:1::/80, next 2000:0:0:2::1, 
metric 0, path 
14:04:22:BGP(1):2000:0:0:2::2 send UPDATE (prepend, chgflags:0x208) 2000:0:0:3::2/64, next 
2000:0:0:2::1, metric 0, path 
14:04:22:BGP(1):2000:0:0:2::2 send UPDATE (prepend, chgflags:0x208) 2000:0:0:4::2/64, next 
2000:0:0:2::1, metric 0, path 

The following is sample output from the debug bgp ipv6 updates command filtered through the prefix list named sales:

Router# debug bgp ipv6 updates prefix-list sales

00:18:26:BGP(1):2000:8493:1::2 send UPDATE (prepend, chgflags:0x208) 7878:7878::/64, next 
2001:0DB8::36C, metric 0, path 

Table 17 describes the significant fields shown in the display.

Table 17 debug bgp ipv6 updates Field Descriptions 

Field
Description

BGP(1):

BGP debugging for address family index (afi) 1.

afi

Address family index.

neighbor version

Version of the BGP table on the neighbor from which the update was received.

table version

Version of the BGP table on the router from which you entered the debug bgp ipv6 updates command.

starting at

Starting at the network layer reachability information (NLRI). BGP sends routing update messages containing NLRI to describe a route and how to get there. In this context, an NLRI is a prefix. A BGP update message carries one or more NLRI prefixes and the attributes of a route for the NLRI prefixes; the route attributes include a BGP next hop gateway address, community values, and other information.

route sourced locally

Indicates that a route is sourced locally and that updates are not sent for the route.

send UPDATE (format)

Indicates that an update message for a reachable network should be formatted. Addresses include prefix and next hop.

send UPDATE (prepend, chgflags:0x208)

Indicates that an update message about a path to a BGP peer should be written.


Related Commands

Command
Description

debug bgp ipv6 dampening

Displays debugging messages for IPv6 BGP dampening packets.


debug bgp vpnv6 unicast

To display Border Gateway Protocol (BGP) virtual private network (VPN) debugging output, use the debug bgp vpnv6 unicast command in privileged EXEC mode. To disable debugging output, use the no form of this command.

debug bgp vpnv6 unicast

no debug bgp vpnv6

Syntax Description

This command has no arguments or keywords.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.2(33)SRB

This command was introduced.

12.2(33)SB

This command was integrated into Cisco IOS Release 12.2(33)SB.

12.2(33)SXI

This command was integrated into Cisco IOS Release 12.2(33)SXI.


Usage Guidelines

Use the debug bgp vpnv6 unicast command to help troubleshoot the BGP VPN.


Note By default, the network server sends the output from debug commands and system error messages to the console. To redirect debugging output, use the logging command options within global configuration mode. Destinations are the console, virtual terminals, internal buffer, and UNIX hosts running a syslog server. For complete information on debug commands and redirecting debugging output, refer to the Cisco IOS Debug Command Reference, Release 12.4.


Examples

The following example enables BGP debugging output for IPv6 VPN instances:

Router# debug bgp vpnv6 unicast