-
Cisco IOS IPv6 Command Reference
-
Introduction
-
aaa accounting multicast default through clear ipv6 mobile home-agents
-
clear ipv6 mobile traffic through debug bgp vpnv6 unicast
-
debug crypto ipv6 ipsec through debug ipv6 pim
-
debug ipv6 pim df-election through ip http server
-
ip name-server through ipv6 general-prefix
-
ipv6 hello-interval eigrp through ipv6 mld static-group
-
ipv6 mobile home-agent (global configuration) through ipv6 ospf database-filter all out
-
ipv6 ospf dead-interval through ipv6 split-horizon eigrp
-
ipv6 summary-address eigrp through mpls ldp router-id
-
mpls traffic-eng auto-bw timers through route-map
-
router-id (IPv6) through show bgp ipv6 labels
-
show bgp ipv6 neighbors through show crypto isakmp peers
-
show crypto isakmp policy through show ipv6 eigrp neighbors
-
show ipv6 eigrp topology through show ipv6 nat statistics
-
show ipv6 nat translations through show ipv6 protocols
-
show ipv6 rip through snmp-server host
-
snmp-server user through vrf forwarding
-
Table Of Contents
clear ipv6 multicast aaa authorization
clear mls cef ipv6 accounting per-prefix
clear ipv6 mobile traffic
To clear statistics associated with Mobile IPv6 traffic, use the clear ipv6 mobile traffic command in privileged EXEC mode.
clear ipv6 mobile traffic
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
The clear ipv6 mobile traffic command clears the statistics about the received binding updates and transmitted binding acknowledgments on a mobile node.
Examples
In the following example, statistics about binding updates and binding acknowledgments are cleared:
Router# clear ipv6 mobile trafficRouter# show ipv6 mobile trafficMIPv6 statistics:Rcvd: 0 total0 truncated, 0 format errors0 checksum errorsBinding Updates received:00 no HA option, 0 BU's length0 options' length, 0 invalid CoASent: 0 generatedBinding Acknowledgements sent:00 accepted (0 prefix discovery required)0 reason unspecified, 0 admin prohibited0 insufficient resources, 0 home reg not supported0 not home subnet, 0 not home agent for node0 DAD failed, 0 sequence numberBinding Errors sent:00 no binding, 0 unknown MHHome Agent Traffic:0 registrations, 0 deregistrationsunknown time since last accepted HA registrationunknown time since last failed HA registrationunknown last failed registration codeTraffic forwarded:0 tunneled, 0 reversed tunneledDynamic Home Agent Address Discovery:0 requests received, 0 replies sentMobile Prefix Discovery:0 solicitations received, 0 advertisements sentRelated Commands
binding
Configures binding options for the Mobile IPv6 home agent feature in home agent configuration mode.
show ipv6 mobile home-agent
Displays neighboring home agents.
clear ipv6 multicast aaa authorization
To clear parameters that restrict user access to an IPv6 multicast network, use the clear ipv6 multicast aaa authorization command in privileged EXEC mode.
clear ipv6 multicast aaa authorization [interface-type interface-number]
Syntax Description
interface-type interface-number
Interface type and number. For more information, use the question mark (?) online help function.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
Using the clear ipv6 multicast aaa authorization command without the optional interface-type and interface-number arguments will clear all authorization parameters on a network.
Examples
The following example clears all configured authorization parameters on an IPv6 network:
Router# clear ipv6 multicast aaa authorization FastEthernet 1/0Related Commands
aaa authorization multicast default
Sets parameters that restrict user access to an IPv6 multicast network.
clear ipv6 nat translation
To clear dynamic Network Address Translation—Protocol Translation (NAT-PT) translations from the dynamic state table, use the clear ipv6 nat translation command in privileged EXEC mode.
clear ipv6 nat translation *
Syntax Description
Command Default
Entries are deleted from the dynamic translation state table when they time out.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
Use this command to clear entries from the dynamic translation state table before they time out. Static translation configuration is not affected by this command.
Examples
The following example shows the NAT-PT entries before and after the dynamic translation state table is cleared. Note that all the dynamic NAT-PT mappings are cleared, but the static NAT-PT configurations remain.
Router# show ipv6 nat translationsProt IPv4 source IPv6 sourceIPv4 destination IPv6 destination--- --- ---192.168.123.2 2001::2--- --- ---192.168.122.10 2001::10tcp 192.168.124.8,11047 3002::8,11047192.168.123.2,23 2001::2,23udp 192.168.124.8,52922 3002::8,52922192.168.123.2,69 2001::2,69Router# clear ipv6 nat translation *Router# show ipv6 nat translationsProt IPv4 source IPv6 sourceIPv4 destination IPv6 destination--- --- ---192.168.123.2 2001::2--- --- ---192.168.122.10 2001::10Related Commands
ipv6 nat
Designates that traffic originating from or destined for the interface is subject to NAT-PT.
show ipv6 nat translations
Displays active NAT-PT translations.
clear ipv6 neighbors
To delete all entries in the IPv6 neighbor discovery cache, except static entries, use the clear ipv6 neighbors command in privileged EXEC mode.
clear ipv6 neighbors
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC
Command History
Examples
The following example deletes all entries, except static entries, in the neighbor discovery cache:
Router# clear ipv6 neighborsRelated Commands
ipv6 neighbor
Configures a static entry in the IPv6 neighbor discovery cache.
show ipv6 neighbors
Displays IPv6 neighbor discovery cache information.
clear ipv6 nhrp
To clear all dynamic entries from the Next Hop Resolution Protocol (NHRP) cache, use the clear ipv6 nhrp command in privileged EXEC mode.
clear ipv6 nhrp [ipv6-address | counters]
Syntax Description
ipv6-address
(Optional) The IPv6 network to delete.
counters
(Optional) Specifies NHRP counters to delete.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
This command does not clear any static (configured) IPv6-to-nonbroadcast multiaccess (NBMA) address mappings from the NHRP cache.
Examples
The following example shows how to clear all dynamic entries from the NHRP cache for the interface:
Router# clear ipv6 nhrpRelated Commands
clear ipv6 ospf
To clear the Open Shortest Path First (OSPF) state based on the OSPF routing process ID, use the clear ipv6 ospf command in privileged EXEC mode.
clear ipv6 ospf [process-id] {process | force-spf | redistribution}
Syntax Description
Command Modes
Privileged EXEC
Command History
Usage Guidelines
When the process keyword is used with the clear ipv6 ospf command, the OSPF database is cleared and repopulated, and then the shortest path first (SPF) algorithm is performed. When the force-spf keyword is used with the clear ipv6 ospf command, the OSPF database is not cleared before the SPF algorithm is performed.
Use the process-id option to clear only one OSPF process. If the process-id option is not specified, all OSPF processes are cleared.
Examples
The following example starts the SPF algorithm without clearing the OSPF database:
Router# clear ipv6 ospf force-spfclear ipv6 ospf counters
To clear the Open Shortest Path First (OSPF) state based on the OSPF routing process ID, use the clear ipv6 ospf command in privileged EXEC mode.
clear ipv6 ospf [process-id] counters [neighbor [neighbor-interface | neighbor-id]]
Syntax Description
Command Modes
Privileged EXEC
Command History
Usage Guidelines
Use the neighbor neighbor-interface option to clear counters for all neighbors on a specified interface. If the neighbor neighbor-interface option is not used, all OSPF counters are cleared.
Use the neighbor neighbor-id option to clear counters at a specified neighbor. If the neighbor neighbor-id option is not used, all OSPF counters are cleared.
Examples
The following example provides detailed information on a neighbor router:
Router# show ipv6 ospf neighbor detailNeighbor 10.0.0.1In the area 1 via interface Serial19/0Neighbor:interface-id 21, link-local address FE80::A8BB:CCFF:FE00:6F00Neighbor priority is 1, State is FULL, 6 state changesOptions is 0x194AE05Dead timer due in 00:00:37Neighbor is up for 00:00:15Index 1/1/1, retransmission queue length 0, number of retransmission 1First 0x0(0)/0x0(0)/0x0(0) Next 0x0(0)/0x0(0)/0x0(0)Last retransmission scan length is 1, maximum is 1Last retransmission scan time is 0 msec, maximum is 0 msecThe following example clears all neighbors on the specified interface:
Router# clear ipv6 ospf counters neighbor s19/0The following example now shows that there have been 0 state changes since the clear ipv6 ospf counters neighbor s19/0 command was used:
Router# show ipv6 ospf neighbor detailNeighbor 10.0.0.1In the area 1 via interface Serial19/0Neighbor:interface-id 21, link-local address FE80::A8BB:CCFF:FE00:6F00Neighbor priority is 1, State is FULL, 0 state changesOptions is 0x194AE05Dead timer due in 00:00:39Neighbor is up for 00:00:43Index 1/1/1, retransmission queue length 0, number of retransmission 1First 0x0(0)/0x0(0)/0x0(0) Next 0x0(0)/0x0(0)/0x0(0)Last retransmission scan length is 1, maximum is 1Last retransmission scan time is 0 msec, maximum is 0 msecRelated Commands
show ipv6 ospf neighbor
Displays OSPF neighbor information on a per-interface basis.
clear ipv6 ospf events
To clear the Open Shortest Path First (OSPF) for IPv6 event log content based on the OSPF routing process ID, use the clear ipv6 ospf events command in privileged EXEC mode.
clear ipv6 ospf [process-id] events
Syntax Description
Command Modes
Privileged EXEC
Command History
Usage Guidelines
Use the optional process-id argument to clear the IPv6 event log content of a specified OSPF routing process. If the process-id argument is not used, all event log content is cleared.
Examples
The following example enables the clearing of OSPF for IPv6 event log content for routing process 1:
Router# clear ipv6 ospf 1 eventsclear ipv6 pim counters
To reset the Protocol Independent Multicast (PIM) traffic counters, use the clear ipv6 pim counters command in privileged EXEC mode.
clear ipv6 pim counters
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
Using the clear ipv6 pim counters command will reset all PIM traffic counters.
Examples
The following example resets the PIM traffic counters:
Router# clear ipv6 pim countersRelated Commands
clear ipv6 pim limit
To clear Protocol Independent Multicast (PIM) statistics, use the clear ipv6 pim limit command in privileged EXEC mode.
clear ipv6 pim limit [interface]
Syntax Description
Command Modes
Privileged EXEC (#)
Command History
Usage Guidelines
The clear ipv6 pim limit command clears IPv6 PIM interface statistics. If the optional interface argument is enabled, only statistics for the specified interface are cleared.
Examples
The following example clears PIM interface limit statistics:
Router# clear ipv6 pim limitRelated Commands
clear ipv6 pim reset
To delete all entries from the topology table and reset the Multicast Routing Information Base (MRIB) connection, use the clear ipv6 pim reset command in privileged EXEC mode.
clear ipv6 pim reset
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
Using the clear ipv6 pim reset command breaks the PIM-MRIB connection, clears the topology table, and then reestablishes the PIM-MRIB connection. This procedure forces MRIB resynchronization.
CautionUse the clear ipv6 pim reset command with caution, as it clears all PIM protocol information from the PIM topology table. Use of the clear ipv6 pim reset command should be reserved for situations where PIM and MRIB communication are malfunctioning.
Examples
The following example deletes all entries from the topology table and resets the MRIB connection:
Router# clear ipv6 pim resetclear ipv6 pim topology
To clear the Protocol Independent Multicast (PIM) topology table, use the clear ipv6 pim topology command in privileged EXEC mode.
clear ipv6 pim topology [group-name | group-address]
Syntax Description
Command Default
When the command is used with no arguments, all group entries located in the PIM topology table are cleared of PIM protocol information.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
This command clears PIM protocol information from all group entries located in the PIM topology table. Information obtained from the MRIB table is retained. If a multicast group is specified, only those group entries are cleared.
Examples
The following example clears all group entries located in the PIM topology table:
Router# clear ipv6 pim topologyclear ipv6 prefix-list
To reset the hit count of the IPv6 prefix list entries, use the clear ipv6 prefix-list command in privileged EXEC mode.
clear ipv6 prefix-list [prefix-list-name] [ipv6-prefix/prefix-length]
Syntax Description
Command Default
The hit count is automatically cleared for all IPv6 prefix lists.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
The clear ipv6 prefix-list command is similar to the clear ip prefix-list command, except that it is IPv6-specific.
The hit count is a value indicating the number of matches to a specific prefix list entry.
Examples
The following example clears the hit count from the prefix list entries for the prefix list named first_list that match the network mask 2001:0DB8::/35.
Router# clear ipv6 prefix-list first_list 2001:0DB8::/35Related Commands
clear ipv6 rip
To delete routes from the IPv6 Routing Information Protocol (RIP) routing table, use the clear ipv6 rip command in privileged EXEC mode.
clear ipv6 rip [name]
Syntax Description
Command Modes
Privileged EXEC
Command History
Usage Guidelines
When the name argument is specified, only routes for that process are deleted from the IPv6 RIP routing table and, if installed, from the IPv6 routing table. If no name argument is specified, all IPv6 RIP routes are deleted.
Use the show ipv6 rip command to display IPv6 RIP routes.
Examples
The following example deletes all the IPv6 routes for the RIP process called one:
Router# clear ipv6 rip oneRelated Commands
clear ipv6 route
To delete routes from the IPv6 routing table, use the clear ipv6 route command in privileged EXEC mode.
clear ipv6 route {ipv6-address | ipv6-prefix/prefix-length | *}
Syntax Description
Command Modes
Privileged EXEC
Command History
Usage Guidelines
The clear ipv6 route command is similar to the clear ip route command, except that it is IPv6-specific.
When the ipv6-address or ipv6-prefix/prefix-length argument is specified, only that route is deleted from the IPv6 routing table. When the * keyword is specified, all routes are deleted from the routing table (the per-destination maximum transmission unit [MTU] cache is also cleared).
Examples
The following example deletes the IPv6 network 2001:0DB8::/35:
Router# clear ipv6 route 2001:0DB8::/35Related Commands
ipv6 route
Establishes static IPv6 routes.
show ipv6 route
Displays the current contents of the IPv6 routing table.
clear ipv6 traffic
To reset IPv6 traffic counters, use the clear ipv6 traffic command in privileged EXEC mode.
clear ipv6 traffic [interface-type interface-number]
Syntax Description
interface-type interface-number
Interface type and number. For more information, use the question mark (?) online help function.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
Using this command resets the counters in the output from the show ipv6 traffic command.
Examples
The following example resets the IPv6 traffic counters. The output from the show ipv6 traffic command shows that the counters are reset:
Router# clear ipv6 trafficRouter# show ipv6 trafficIPv6 statistics:Rcvd: 1 total, 1 local destination0 source-routed, 0 truncated0 format errors, 0 hop count exceeded0 bad header, 0 unknown option, 0 bad source0 unknown protocol, 0 not a router0 fragments, 0 total reassembled0 reassembly timeouts, 0 reassembly failuresSent: 1 generated, 0 forwarded0 fragmented into 0 fragments, 0 failed0 encapsulation failed, 0 no route, 0 too bigMcast: 0 received, 0 sentICMP statistics:Rcvd: 1 input, 0 checksum errors, 0 too short0 unknown info type, 0 unknown error typeunreach: 0 routing, 0 admin, 0 neighbor, 0 address, 0 portparameter: 0 error, 0 header, 0 option0 hopcount expired, 0 reassembly timeout,0 too big0 echo request, 0 echo reply0 group query, 0 group report, 0 group reduce0 router solicit, 0 router advert, 0 redirects0 neighbor solicit, 1 neighbor advertSent: 1 outputunreach: 0 routing, 0 admin, 0 neighbor, 0 address, 0 portparameter: 0 error, 0 header, 0 option0 hopcount expired, 0 reassembly timeout,0 too big0 echo request, 0 echo reply0 group query, 0 group report, 0 group reduce0 router solicit, 0 router advert, 0 redirects0 neighbor solicit, 1 neighbor advertUDP statistics:Rcvd: 0 input, 0 checksum errors, 0 length errors0 no port, 0 droppedSent: 0 outputTCP statistics:Rcvd: 0 input, 0 checksum errorsSent: 0 output, 0 retransmittedRelated Commands
clear mls cef ipv6 accounting per-prefix
To clear information about the IPv6 per-prefix accounting statistics, use the clear mls cef ipv6 accounting per-prefix command in privileged EXEC mode.
clear mls cef ipv6 accounting per-prefix {all | ipv6-address/mask [instance]}
Syntax Description
Command Default
This command has no default settings.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
When entering the ipv6-address/mask arguments, use this format, X:X:X:X::X/mask, where the valid values for mask are from 0 to 128.
Examples
This example shows how to clear all information about the per-prefix accounting statistics:
Router# clear mls cef ipv6 accounting per-prefix allcodec(DSP farm profile)
To specify the codecs that are supported by a digital signal processor (DSP) farm profile, use the codec command in DSP farm profile configuration mode. To remove the codec, use the no form of this command.
codec {codec-type | pass-through}
no codec {codec-type | pass-through}
Syntax Description
Command Default
Transcoding
•
•
•
•
Conferencing
•
•
•
•
•
•
MTP
•
Command Modes
DSP farm profile configuration (config-dspfarm-profile)
Command History
Usage Guidelines
Only one codec is supported for each media termination point (MTP) profile. To support multiple codecs, you must define a separate MTP profile for each codec.
Table 10 shows the relationship between DSP farm functions and codecs.
Hardware MTPs support only G.711 a-law and G.711 mu-law. If you configure a profile as a hardware MTP and you want to change the codec to other than G.711, you must first remove the hardware MTP by using the no maximum sessions hardware command.
The pass-through keyword is supported for transcoding and MTP profiles only; the keyword is not supported for conferencing profiles. To support the Resource Reservation Protocol (RSVP) agent on a Skinny Client Control Protocol (SCCP) device, you must use the codec pass-through command. In the pass-through mode, the SCCP device processes the media stream by using a pure software MTP, regardless of the nature of the stream. This enables video and data streams to be processed in addition to audio. When the pass-through mode is set in a transcoding profile, no transcoding is done for the session; the transcoding device performs a pure software MTP function. The pass-through mode can be used for secure RTP sessions.
Examples
The following example shows the call density and codec complexity set to g729abr8:
Router(config)# dspfarm profile 123 transcodeRouter(config-dspfarm-profile)# codec g729abr8Related Commands
context
To associate a Simple Network Management Protocol (SNMP) context with a particular virtual private network (VPN) routing and forwarding (VRF) instance, use the context command in VRF configuration mode. To disassociate an SNMP context from a VPN, use the no form of this command.
context context-name
no context context-name
Syntax Description
Command Default
No SNMP contexts are associated with VPNs.
Command Modes
VRF configuration
Command History
Usage Guidelines
Before you use this command to associate an SNMP context with a VPN, you must do the following:
•
•
•
SNMP contexts provide VPN users with a secure way of accessing MIB data. When a VPN is associated with a context, MIB data for that VPN exists in that context. Associating a VPN with a context helps enable service providers to manage networks with multiple VPNs. Creating and associating a context with a VPN enables a provider to prevent the users of one VPN from accessing information about users of other VPNs on the same networking device.
A route distinguisher (RD) is required when you configure an SNMP context. An RD creates routing and forwarding tables and specifies the default route distinguisher for a VPN. The RD is added to the beginning of a IPv4 prefix to make it globally unique. An RD is either ASN relative, which means it is composed of an autonomous system number and an arbitrary number, or it is IP address relative and composed of an IP address and an arbitrary number.
Examples
The following example shows how to create an SNMP context named context1 and associate the context with the VRF named vrf1:
Router(config)# snmp-server context1Router(config)# ip vrf vrf1Router(config-vrf)# rd 100:120Router(config-vrf)# context context1Related Commands
crypto ipsec profile
To define the IP Security (IPsec) parameters that are to be used for IPsec encryption between two IPsec routers and to enter IPsec profile configuration mode, use the crypto ipsec profile command in global configuration mode. To delete an IPsec profile, use the no form of this command.
crypto ipsec profile name
no crypto ipsec profile name
Syntax Description
Command Default
An IPsec profile is not defined.
Command Modes
Global configuration
Command History
Usage Guidelines
An IPsec profile abstracts the IPsec policy settings into a single profile that can be used in other parts of the Cisco IOS configuration.
The IPsec profile shares most of the same commands with the crypto map configuration, but only a subset of the commands are valid in an IPsec profile. Only commands that pertain to an IPsec policy can be issued under an IPsec profile; you cannot specify the IPsec peer address or the access control list (ACL) to match the packets that are to be encrypted.
After this command has been enabled, the following commands can be configured under an IPsec profile:
•
•
•
•
•
•
•
•
•
After enabling this command, the only parameter that must be defined under the profile is the transform set via the set transform-set command.
For more information on transform sets, refer to the section "Defining Transform Sets" in the chapter "Configuring IPSec Network Security" in the Cisco IOS Security Configuration Guide.
Examples
The following example shows how to configure a crypto map that uses an IPsec profile:
crypto ipsec transform-set cat-transforms esp-des esp-sha-hmacmode transport!crypto ipsec profile cat-profileset transform-set cat-transformsset pfs group2!interface Tunnel1ip address 192.168.1.1 255.255.255.252tunnel source FastEthernet2/0tunnel destination 10.13.7.67tunnel protection ipsec profile cat-profileRelated Commands
crypto isakmp identity
To define the identity used by the router when participating in the Internet Key Exchange (IKE) protocol, use the crypto isakmp identity command in global configuration mode. Set an Internet Security Association Key Management Protocol (ISAKMP) identity whenever you specify preshared keys. To reset the ISAKMP identity to the default value (address), use the no form of this command.
crypto isakmp identity {address | hostname}
no crypto isakmp identity
Syntax Description
Command Default
The IP address is used for the ISAKMP identity.
Command Modes
Global configuration
Command History
Usage Guidelines
Use this command to specify an ISAKMP identity either by IP address or by host name.
The address keyword is typically used when there is only one interface (and therefore only one IP address) that will be used by the peer for IKE negotiations, and the IP address is known.
The hostname keyword should be used if there is more than one interface on the peer that might be used for IKE negotiations, or if the interface's IP address is unknown (such as with dynamically assigned IP addresses).
As a general rule, you should set all peers' identities in the same way, either by IP address or by host name.
Examples
The following example uses preshared keys at two peers and sets both their ISAKMP identities to IP address.
At the local peer (at 10.0.0.1) the ISAKMP identity is set and the preshared key is specified.
crypto isakmp identity addresscrypto isakmp key sharedkeystring address 192.168.1.33At the remote peer (at 192.168.1.33) the ISAKMP identity is set and the same preshared key is specified.
crypto isakmp identity addresscrypto isakmp key sharedkeystring address 10.0.0.1
Note
The following example uses preshared keys at two peers and sets both their ISAKMP identities to host name.
At the local peer the ISAKMP identity is set and the preshared key is specified.
crypto isakmp identity hostnamecrypto isakmp key sharedkeystring hostname RemoteRouter.example.comip host RemoteRouter.example.com 192.168.0.1At the remote peer the ISAKMP identity is set and the same preshared key is specified.
crypto isakmp identity hostnamecrypto isakmp key sharedkeystring hostname LocalRouter.example.comip host LocalRouter.example.com 10.0.0.1 10.0.0.2In the above example, host names are used for the peers' identities because the local peer has two interfaces that might be used during an IKE negotiation.
In the above example the IP addresses are also mapped to the host names; this mapping is not necessary if the routers' host names are already mapped in DNS.
Related Commands
crypto ipsec security-association lifetime
Specifies the authentication method within an IKE policy.
crypto isakmp key
Configures a preshared authentication key.
crypto isakmp key
To configure a preshared authentication key, use the crypto isakmp key command in global configuration mode. To delete a preshared authentication key, use the no form of this command.
crypto isakmp key enc-type-digit keystring {address peer-address [mask] | ipv6 ipv6-address/ipv6-prefix | hostname hostname} [no-xauth]
no crypto isakmp key enc-type-digit keystring {address peer-address [mask] | ipv6 ipv6-address/ipv6-prefix | hostname hostname} [no-xauth]
Syntax Description
Command Default
There is no default preshared authentication key.
Command Modes
Global configuration
Command History
Usage Guidelines
You must use this command to configure a key whenever you specify preshared keys in an Internet Key Exchange (IKE) policy; you must enable this command at both peers.
If an IKE policy includes preshared keys as the authentication method, these preshared keys must be configured at both peers—otherwise the policy cannot be used (the policy will not be submitted for matching by the IKE process). The crypto isakmp key command is the second task required to configure the preshared keys at the peers. (The first task is accomplished using the crypto isakmp identity command.)
Use the address keyword if the remote peer ISAKMP identity was set with its IP address.
With the address keyword, you can also use the mask argument to indicate the remote peer ISAKMP identity will be established using the preshared key only. If the mask argument is used, preshared keys are no longer restricted between two users.
Note
When using IKE main mode, preshared keys are indexed by IP address only because the identity payload has not yet been received. This means that the hostname keyword in the identity statement is not used to look up a preshared key and will be used only when sending and processing the identity payloads later in the main mode exchange. The identity keyword can be used when preshared keys are used with IKE aggressive mode, and keys may be indexed by identity types other than IP address as the identity payload is received in the first IKE aggressive mode packet.
If crypto isakmp identity hostname is configured as identity, the preshared key must be configured with the peer's IP address for the process to work when using IKE in main mode.
Use the no-xauth keyword to prevent the router from prompting the peer for Xauth information (username and password). This keyword disables Xauth for static IPSec peers. The no-xauth keyword should be enabled when configuring the preshared key for router-to-router IPSec—not VPN-client-to-Cisco-IOS IPSec.
Output for the crypto isakmp key command will show that the preshared key is either encrypted or unencrypted. An output example for an unencrypted preshared key would be as follows:
crypto isakmp key test123 address 10.1.0.1An output example for a type 6 encrypted preshared key would be as follows:
crypto isakmp key 6 RHZE[JACMUI\bcbTdELISAAB address 10.1.0.1Examples
In the following example, the remote peer "RemoteRouter" specifies an ISAKMP identity by address:
crypto isakmp identity addressNow, the preshared key must be specified at each peer.
In the following example, the local peer specifies the preshared key and designates the remote peer by its IP address and a mask:
crypto isakmp key 0 sharedkeystring address 172.21.230.33 255.255.255.255In the following example for IPv6, the peer specifies the preshared key and designates the remote peer with an IPv6 address:
crypto isakmp key 0 my-preshare-key-0 address ipv6 3ffe:1001::2/128Related CommandsI
crypto isakmp peer
To enable an IP Security (IPSec) peer for Internet Key Exchange (IKE) querying of authentication, authorization, and accounting (AAA) for tunnel attributes in aggressive mode, use the crypto isakmp peer command in global configuration mode. To disable this functionality, use the no form of this command.
crypto isakmp peer {address {ipv4-address | ipv6 ipv6-address} | hostname fqdn-hostname}
no crypto isakmp peer {address {ipv4-address | ipv6 ipv6-address} | hostname fqdn-hostname}
Syntax Description
Command Default
None
Command Modes
Global configuration
Command History
Usage Guidelines
After enabling this command, you can use the set aggressive-mode client-endpoint and set aggressive-mode password commands to specify RADIUS tunnel attributes in the Internet Security Association and Key Management Protocol (ISAKMP) peer policy for IPSec peers.
Instead of keeping your preshared keys on the hub router, you can scale your preshared keys by storing and retrieving them from an AAA server. The preshared keys are stored in the AAA server as Internet Engineering Task Force (IETF) RADIUS tunnel attributes and are retrieved when a user tries to "speak" to the hub router. The hub router retrieves the preshared key from the AAA server and the spokes (the users) initiate aggressive mode to the hub by using the preshared key that is specified in the ISAKMP peer policy as a RADIUS tunnel attribute.
Examples
The following example shows how to initiate aggressive mode using RADIUS tunnel attributes:
crypto isakmp peer ip-address 209.165.200.230 vrf vpn1set aggressive-mode client-endpoint user-fqdn user@cisco.comset aggressive-mode password cisco123Related Commands
crypto isakmp policy
To define an Internet Key Exchange (IKE) policy, use the crypto isakmp policy command in global configuration mode. To delete an IKE policy, use the no form of this command.
crypto isakmp policy priority
no crypto isakmp policy priority
Syntax Description
priority
Uniquely identifies the IKE policy and assigns a priority to the policy. Use an integer from 1 to 10,000, with 1 being the highest priority and 10,000 the lowest.
Command Default
Default IKE policies are in use.
Command Modes
Global configuration (config)
Command History
Usage Guidelines
IKE policies define a set of parameters to be used during the IKE negotiation. Use this command to specify the parameters to be used during an IKE negotiation. (These parameters are used to create the IKE security association [SA].)
This command invokes the Internet Security Association Key Management Protocol (ISAKMP) policy configuration (config-isakmp) command mode. While in the ISAKMP policy configuration command mode, some of the commands for which you can specify parameters are as follows:
•
•
•
•
•
If you do not specify any given parameter, the default value will be used for that parameter.
To exit the config-isakmp command mode, type exit.
You can configure multiple IKE policies on each peer participating in IPsec. When the IKE negotiation begins, it tries to find a common policy configured on both peers, starting with the highest priority policies as specified on the remote peer.
Examples
The following example shows how to manually configure two policies for the peer:
crypto isakmp policy 15hash md5authentication rsa-siggroup 2lifetime 5000crypto isakmp policy 20authentication pre-sharelifetime 10000The above configuration results in the following policies:
Router# show crypto isakmp policyProtection suite priority 15encryption algorithm: DES - Data Encryption Standard (56 bit keys)hash algorithm: Message Digest 5authentication method: Rivest-Shamir-Adleman SignatureDiffie-Hellman Group: #2 (1024 bit)lifetime: 5000 seconds, no volume limitProtection suite priority 20encryption algorithm: DES - Data Encryption Standard (56 bit keys)hash algorithm: Secure Hash Standardauthentication method: preshared KeyDiffie-Hellman Group: #1 (768 bit)lifetime: 10000 seconds, no volume limitDefault protection suiteencryption algorithm: DES - Data Encryption Standard (56 bit keys)hash algorithm: Secure Hash Standardauthentication method: Rivest-Shamir-Adleman SignatureDiffie-Hellman Group: #1 (768 bit)lifetime: 86400 seconds, no volume limitThe following sample output from the show crypto isakmp policy command displays the default IKE policies when the manually configured IKE policies with priorities 15 and 20 have been removed.
Router(config)# no crypto isakmp policy 15Router(config)# no crypto isakmp policy 20Router(config)# exitR1# show crypto isakmp policyDefault IKE policyProtection suite of priority 65507encryption algorithm: AES - Advanced Encryption Standard (128 bit key.hash algorithm: Secure Hash Standardauthentication method: Rivest-Shamir-Adleman SignatureDiffie-Hellman group: #5 (1536 bit)lifetime: 86400 seconds, no volume limitProtection suite of priority 65508encryption algorithm: AES - Advanced Encryption Standard (128 bit key.hash algorithm: Secure Hash Standardauthentication method: Pre-Shared KeyDiffie-Hellman group: #5 (1536 bit)lifetime: 86400 seconds, no volume limitProtection suite of priority 65509encryption algorithm: AES - Advanced Encryption Standard (128 bit key.hash algorithm: Message Digest 5authentication method: Rivest-Shamir-Adleman SignatureDiffie-Hellman group: #5 (1536 bit)lifetime: 86400 seconds, no volume limitProtection suite of priority 65510encryption algorithm: AES - Advanced Encryption Standard (128 bit key.hash algorithm: Message Digest 5authentication method: Pre-Shared KeyDiffie-Hellman group: #5 (1536 bit)lifetime: 86400 seconds, no volume limitProtection suite of priority 65511encryption algorithm: Three key triple DEShash algorithm: Secure Hash Standardauthentication method: Rivest-Shamir-Adleman SignatureDiffie-Hellman group: #2 (1024 bit)lifetime: 86400 seconds, no volume limitProtection suite of priority 65512encryption algorithm: Three key triple DEShash algorithm: Secure Hash Standardauthentication method: Pre-Shared KeyDiffie-Hellman group: #2 (1024 bit)lifetime: 86400 seconds, no volume limitProtection suite of priority 65513encryption algorithm: Three key triple DEShash algorithm: Message Digest 5authentication method: Rivest-Shamir-Adleman SignatureDiffie-Hellman group: #2 (1024 bit)lifetime: 86400 seconds, no volume limitProtection suite of priority 65514encryption algorithm: Three key triple DEShash algorithm: Message Digest 5authentication method: Pre-Shared KeyDiffie-Hellman group: #2 (1024 bit)lifetime: 86400 seconds, no volume limitRelated Commands
crypto isakmp profile
To define an Internet Security Association and Key Management Protocol (ISAKMP) profile and to audit IP security (IPsec) user sessions, use the crypto isakmp profile command in global configuration mode. To delete a crypto ISAKMP profile, use the no form of this command.
crypto isakmp profile profile-name [accounting aaa-list]
no crypto isakmp profile profile-name [accounting aaa-list]
Syntax Description
profile-name
Name of the user profile. To associate a user profile with the RADIUS server, the user profile name must be identified.
accounting aaa-list
(Optional) Name of a client accounting list.
Command Defaults
No profile exists if the command is not used.
Command Modes
Global configuration
Command History
Usage Guidelines
Defining an ISAKMP Profile
An ISAKMP profile can be viewed as a repository of Phase 1 and Phase 1.5 commands for a set of peers. The Phase 1 configuration includes commands to configure such things as keepalive, identity matching, and the authorization list. The Phase 1.5 configuration includes commands to configure such things as extended authentication (Xauth) and mode configuration.
The peers are mapped to an ISAKMP profile when their identities are matched (as given in the identification [ID] payload of the Internet Key Exchange [IKE]) against the identities defined in the ISAKMP profile. To uniquely map to an ISAKMP profile, no two ISAKMP profiles should match the same identity. If the peer identity is matched in two ISAKMP profiles, the configuration is invalid. Also, there must be at least one match identity command defined in the ISAKMP profile for it to be complete.
After enabling this command and entering ISAKMP profile configuration mode, you can configure the following commands:
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
Auditing IPSec User Sessions
Use this command to audit multiple user sessions that are terminating on the IPSec gateway.
Note
Dynamic Virtual Tunnel Interfaces
Support for dynamic virtual tunnel interfaces allows for the virtual profile to be mapped into a specified virtual template.
Examples
ISAKAMP Profile Matching Peer Identities Example
The following example shows how to define an ISAKMP profile and match the peer identities:
crypto isakmp profile vpnprofilematch identity address 10.76.11.53ISAKAMP Profile with Accounting Example
The following accounting example shows that an ISAKMP profile is configured:
aaa new-model!!aaa authentication login cisco-client group radiusaaa authorization network cisco-client group radiusaaa accounting network acc start-stop broadcast group radiusaaa session-id common!crypto isakmp profile ciscovrf ciscomatch identity group cclientclient authentication list cisco-clientisakmp authorization list cisco-clientclient configuration address respondaccounting acc!crypto dynamic-map dynamic 1set transform-set aswanset isakmp-profile ciscoreverse-route!!radius-server host 172.16.1.4 auth-port 1645 acct-port 1646radius-server key nsiteRelated Commands
crypto key generate rsa
To generate Rivest, Shamir, and Adelman (RSA) key pairs, use the crypto key generate rsa command in global configuration mode.
crypto key generate rsa [general-keys | usage-keys | signature | encryption] [label key-label] [exportable] [modulus modulus-size] [storage devicename:][redundancy][on devicename:]
Syntax Description
Command Default
RSA key pairs do not exist.
Command Modes
Global configuration
Command History
Usage Guidelines
Use this command to generate RSA key pairs for your Cisco device (such as a router).
RSA keys are generated in pairs—one public RSA key and one private RSA key.
If your router already has RSA keys when you issue this command, you will be warned and prompted to replace the existing keys with new keys.
Note
Note
This command is not saved in the router configuration; however, the RSA keys generated by this command are saved in the private configuration in NVRAM (which is never displayed to the user or backed up to another device) the next time the configuration is written to NVRAM.
Note
There are two mutually exclusive types of RSA key pairs: special-usage keys and general-purpose keys. When you generate RSA key pairs, you will be prompted to select either special-usage keys or general-purpose keys.
Special-Usage Keys
If you generate special-usage keys, two pairs of RSA keys will be generated. One pair will be used with any Internet Key Exchange (IKE) policy that specifies RSA signatures as the authentication method, and the other pair will be used with any IKE policy that specifies RSA encrypted keys as the authentication method.
A CA is used only with IKE policies specifying RSA signatures, not with IKE policies specifying RSA-encrypted nonces. (However, you could specify more than one IKE policy and have RSA signatures specified in one policy and RSA-encrypted nonces in another policy.)
If you plan to have both types of RSA authentication methods in your IKE policies, you may prefer to generate special-usage keys. With special-usage keys, each key is not unnecessarily exposed. (Without special-usage keys, one key is used for both authentication methods, increasing the exposure of that key.)
General-Purpose Keys
If you generate general-purpose keys, only one pair of RSA keys will be generated. This pair will be used with IKE policies specifying either RSA signatures or RSA encrypted keys. Therefore, a general-purpose key pair might get used more frequently than a special-usage key pair.
Named Key Pairs
If you generate a named key pair using the key-label argument, you must also specify the usage-keys keyword or the general-keys keyword. Named key pairs allow you to have multiple RSA key pairs, enabling the Cisco IOS software to maintain a different key pair for each identity certificate.
Modulus Length
When you generate RSA keys, you will be prompted to enter a modulus length. The longer the modulus, the stronger the security. However a longer modules takes longer to generate (see Table 11 for sample times) and takes longer to use.
Cisco IOS software does not support a modulus greater than 4096 bits. A length of less than 512 bits is normally not recommended. In certain situations, the shorter modulus may not function properly with IKE, so we recommend using a minimum modulus of 1024 bits.
Note
The largest private RSA key modulus is 2048 bits. Therefore, the largest RSA private key a router may generate or import is 2048 bits.
The recommended modulus for a CA is 2048 bits; the recommended modulus for a client is 1024 bits.
Additional limitations may apply when RSA keys are generated by cryptographic hardware. For example, when RSA keys are generated by the Cisco VPN Services Port Adapter (VSPA), the RSA key modulus must be a minimum of 384 bits and must be a multiple of 64.
Specifying a Storage Location for RSA Keys
When you issue the crypto key generate rsa command with the storage devicename: keyword and argument, the RSA keys will be stored on the specified device. This location will supersede any crypto key storage command settings.
Specifying a Device for RSA Key Generation
As of Cisco IOS Release 12.4(11)T and later releases, you may specify the device where RSA keys are generated. Devices supported include NVRAM, local disks, and USB tokens. If your router has a USB token configured and available, the USB token can be used as cryptographic device in addition to a storage device. Using a USB token as a cryptographic device allows RSA operations such as key generation, signing, and authentication of credentials to be performed on the token. The private key never leaves the USB token and is not exportable. The public key is exportable.
RSA keys may be generated on a configured and available USB token, by the use of the on devicename: keyword and argument. Keys that reside on a USB token are saved to persistent token storage when they are generated. The number of keys that can be generated on a USB token is limited by the space available. If you attempt to generate keys on a USB token and it is full you will receive the following message:
% Error in generating keys:no available resourcesKey deletion will remove the keys stored on the token from persistent storage immediately. (Keys that do not reside on a token are saved to or deleted from nontoken storage locations when the copy or similar command is issued.)
For information on configuring a USB token, see "Storing PKI Credentials" chapter in the Cisco IOS Security Configuration Guide, Release 12.4T. For information on using on-token RSA credentials, see the "Configuring and Managing a Cisco IOS Certificate Server for PKI Deployment" chapter in the Cisco IOS Security Configuration Guide, Release 12.4T.
Specifying RSA Key Redundancy Generationon a Device
You can specify redundancy for existing keys only if they are exportable.
Examples
The following example generates a general-usage 1024-bit RSA key pair on a USB token with the label "ms2" with crypto engine debugging messages shown:
Router(config)# crypto key generate rsa label ms2 modulus 1024 on usbtoken0:The name for the keys will be: ms2% The key modulus size is 1024 bits% Generating 1024 bit RSA keys, keys will be on-token, non-exportable...Jan 7 02:41:40.895: crypto_engine: Generate public/private keypair [OK]Jan 7 02:44:09.623: crypto_engine: Create signatureJan 7 02:44:10.467: crypto_engine: Verify signatureJan 7 02:44:10.467: CryptoEngine0: CRYPTO_ISA_RSA_CREATE_PUBKEY(hw)(ipsec)Jan 7 02:44:10.467: CryptoEngine0: CRYPTO_ISA_RSA_PUB_DECRYPT(hw)(ipsec)Now, the on-token keys labeled "ms2" may be used for enrollment.
The following example generates special-usage RSA keys:
Router(config)# crypto key generate rsa usage-keysThe name for the keys will be: myrouter.example.comChoose the size of the key modulus in the range of 360 to 2048 for your Signature Keys. Choosing a key modulus greater than 512 may take a few minutes.How many bits in the modulus[512]? <return>Generating RSA keys.... [OK].Choose the size of the key modulus in the range of 360 to 2048 for your Encryption Keys. Choosing a key modulus greater than 512 may take a few minutes.How many bits in the modulus[512]? <return>Generating RSA keys.... [OK].The following example generates general-purpose RSA keys:
Note
Router(config)# crypto key generate rsa general-keysThe name for the keys will be: myrouter.example.comChoose the size of the key modulus in the range of 360 to 2048 for your General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes.How many bits in the modulus[512]? <return>Generating RSA keys.... [OK].The following example generates the general-purpose RSA key pair "exampleCAkeys":
crypto key generate rsa general-keys label exampleCAkeyscrypto ca trustpoint exampleCAkeysenroll url http://exampleCAkeys/certsrv/mscep/mscep.dllrsakeypair exampleCAkeys 1024 1024The following example specifies the RSA key storage location of "usbtoken0:" for "tokenkey1":
crypto key generate rsa general-keys label tokenkey1 storage usbtoken0:
The following example specifies the redundancy keyword:
Router(config)# crypto key generate rsa label MYKEYS redundancyThe name for the keys will be: MYKEYS
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.
How many bits in the modulus [512]:
% Generating 512 bit RSA keys, keys will be non-exportable with redundancy...[OK]
Related Commands
crypto keyring
To define a crypto keyring to be used during Internet Key Exchange (IKE) authentication, use the crypto keyring command in global configuration mode. To remove the keyring, use the no form of this command.
crypto keyring keyring-name [vrf fvrf-name]
no crypto keyring keyring-name [vrf fvrf-name]
Syntax Description
Command Default
All the Internet Security Association and Key Management Protocol (ISAKMP) keys that were defined in the global configuration are part of the default global keyring.
Command Modes
Global configuration (config)
Command History
Usage Guidelines
A keyring is a repository of preshared and Rivest, Shamir, and Adelman (RSA) public keys. The keyring is used in the ISAKMP profile configuration mode. The ISAKMP profile successfully completes authentication of peers if the peer keys are defined in the keyring that is attached to this profile.
Examples
The following example shows that a keyring and its usage have been defined:
crypto keyring vpnkeyspre-shared-key address 10.72.23.11 key vpnsecretcrypto isakmp profile vpnprofilekeyring vpnkeysRelated Commands
crypto pki authenticate
To authenticate the certification authority (CA) (by getting the certificate of the CA), use the crypto pki authenticate command in global configuration mode.
crypto pki authenticate name
Syntax Description
name
The name of the CA. This is the same name used when the CA was declared with the crypto ca identity command.
Command Default
No default behavior or values.
Command Modes
Global configuration
Command History
Usage Guidelines
This command is required when you initially configure CA support at your router.
This command authenticates the CA to your router by obtaining the self-signed certificate of the CA that contains the public key of the CA. Because the CA signs its own certificate, you should manually authenticate the public key of the CA by contacting the CA administrator when you enter this command.
If you are using Router Advertisements (RA) mode (using the enrollment command) when you issue the crypto pki authenticate command, then registration authority signing and encryption certificates will be returned from the CA and the CA certificate.
This command is not saved to the router configuration. However. the public keys embedded in the received CA (and RA) certificates are saved to the configuration as part of the Rivest, Shamir, and Adelman (RSA) public key record (called the "RSA public key chain").
Note
error retrieving certificate :incomplete chain
If you receive an error message similar to this one, check the expiration date of your CA certificate. If the expiration date of your CA certificate is set after the year 2049, you must reduce the expiration date by a year or more.Examples
In the following example, the router requests the certificate of the CA. The CA sends its certificate and the router prompts the administrator to verify the certificate of the CA by checking the CA certificate's fingerprint. The CA administrator can also view the CA certificate's fingerprint, so you should compare what the CA administrator sees to what the router displays on the screen. If the fingerprint on the router's screen matches the fingerprint viewed by the CA administrator, you should accept the certificate as valid.
Router(config)# crypto pki authenticate mycaCertificate has the following attributes:Fingerprint: 0123 4567 89AB CDEF 0123Do you accept this certificate? [yes/no] y#Related Commands
crypto pki enroll
To obtain the certificates for your router from the certificate authority (CA), use the crypto pki enroll command in global configuration mode. To delete a current enrollment request, use the no form of this command.
crypto pki enroll name
no crypto pki enroll name
Syntax Description
name
The name of the CA. Use the same name as when you declared the CA using the crypto pki trustpoint command.
Command Default
No default behavior or values.
Command Modes
Global configuration (config)
Command History
Usage Guidelines
This command requests certificates from the CA for all of your router's Rivest, Shamir, and Adelmen (RSA) key pairs. This task is also known as enrolling with the CA. (Technically, enrolling and obtaining certificates are two separate events, but they both occur when this command is issued.)
Your router needs a signed certificate from the CA for each RSA key pairs of your router; if you previously generated general-purpose keys, this command obtains the one certificate corresponding to the one general-purpose RSA key pair. If you previously generated special-usage keys, this command obtains two certificates corresponding to each of the special-usage RSA key pairs.
If you already have a certificate for your keys you are prompted to remove the existing certificate first. (You can remove existing certificates with the no certificate command.)
The crypto pki enroll command is not saved in the router configuration.
Note
Note
Responding to Prompts
When you issue the crypto pki enroll command, you are prompted a number of times.
You are prompted to create a challenge password. This password can be up to 80 characters in length. This password is necessary in the event that you ever need to revoke your router's certificates. When you ask the CA administrator to revoke your certificate, you must supply this challenge password as a protection against fraudulent or mistaken revocation requests.
Note
If you lose the password, the CA administrator may still be able to revoke the router's certificate but will require further manual authentication of the router administrator identity.
You are also prompted to indicate whether your router's serial number should be included in the obtained certificate. The serial number is not used by IP Security (IPsec) or Internet Key Exchange, but may be used by the CA to either authenticate certificates or to later associate a certificate with a particular router. (Note that the serial number stored is the serial number of the internal board, not the one on the enclosure.) Ask your CA administrator if serial numbers should be included. If you are in doubt, include the serial number.
Normally, you would not include the IP address because the IP address binds the certificate more tightly to a specific entity. Also, if the router is moved, you would need to issue a new certificate. A router has multiple IP addresses, any of which might be used with IPsec.
If you indicate that the IP address should be included, you will then be prompted to specify the interface of the IP address. This interface should correspond to the interface that you apply your crypto map set to. If you apply crypto map sets to more than one interface, specify the interface that you name in the crypto map local-address command.
Examples
In the following example, a router with a general-purpose RSA key pair requests a certificate from the CA. When the router displays the certificate fingerprint, the administrator verifies this number by calling the CA administrator, which checks the number. The fingerprint is correct, so the router administrator accepts the certificate.
There can be a delay between when the router administrator sends the request and when the certificate is actually received by the router. The amount of delay depends on the CA method of operation.
Router(config)# crypto pki enroll myca%% Start certificate enrollment ..% Create a challenge password. You will need to verbally provide thispassword to the CA Administrator in order to revoke your certificate.For security reasons your password will not be saved in the configuration.Please make a note of it.Password: <mypassword>Re-enter password: <mypassword>% The subject name in the certificate will be: myrouter.example.com% Include the router serial number in the subject name? [yes/no]: yes% The serial number in the certificate will be: 03433678% Include an IP address in the subject name [yes/no]? yesInterface: ethernet0/0Request certificate from CA [yes/no]? yes% Certificate request sent to Certificate Authority% The certificate request fingerprint will be displayed.% The 'show crypto pki certificates' command will also show the fingerprint.Some time later, the router receives the certificate from the CA and displays the following confirmation message:
Router(config)# Fingerprint: 01234567 89ABCDEF FEDCBA98 75543210%CRYPTO-6-CERTRET: Certificate received from Certificate AuthorityRouter(config)#If necessary, the router administrator can verify the displayed fingerprint with the CA administrator.
If there is a problem with the certificate request and the certificate is not granted, the following message is displayed on the console instead:
%CRYPTO-6-CERTREJ: Certificate enrollment request was rejected by Certificate AuthorityThe subject name in the certificate is automatically assigned to be the same as the RSA key pair's name. In the example, the RSA key pair was named "myrouter.example.com." (The router assigned this name.)
Requesting certificates for a router with special-usage keys would be the same as in the previous example, except that two certificates would have been returned by the CA. When the router received the two certificates, the router would have displayed the same confirmation message:
%CRYPTO-6-CERTRET: Certificate received from Certificate AuthorityRelated Commands
crypto pki import
To import a certificate manually via TFTP or as a cut-and-paste at the terminal, use the crypto pki import command in global configuration mode.
crypto pki import name certificate
Syntax Description
name certificate
Name of the certification authority (CA). This name is the same name used when the CA was declared with the crypto pki trustpoint command.
Command Default
No default behavior or values
Command Modes
Global configuration
Command History
Usage Guidelines
You must enter the crypto pki import command twice if usage keys (signature and encryption keys) are used. The first time the command is entered, one of the certificates is pasted into the router; the second time the command is entered, the other certificate is pasted into the router. (It does not matter which certificate is pasted first.)
Examples
The following example shows how to import a certificate via cut-and-paste. In this example, the CA trustpoint is "MS."
crypto pki trustpoint MSenroll terminalcrypto pki authenticate MS!crypto pki enroll MScrypto pki import MS certificateRelated Commands
ctunnel mode
To transport IPv4 and IPv6 packets over Connectionless Network Service (CLNS) tunnel (CTunnel), use the ctunnel mode command in interface configuration mode. To return the ctunnel to the default cisco mode, use the no form of this command.
ctunnel mode [gre | cisco]
no ctunnel mode
Syntax Description
gre
(Optional) Sets the ctunnel mode to Generic Routing Encapsulation (GRE) for transporting IPv6 packets over the CLNS network.
cisco
(Optional) Returns the ctunnel mode to the default cisco.
Command Default
Cisco encapsulation tunnel mode is the default.
Command Modes
Interface configuration
Command History
Usage Guidelines
GRE tunneling of IPv4 and IPv6 packets through CLNS-only networks enables Cisco ctunnels to interoperate with networking equipment from other vendors. This feature provides compliance with RFC 3147, Generic Routing Encapsulation over CLNS Networks, which should allow interoperation between Cisco equipment and that of other vendors. in which the same standard is implemented.
RFC 3147 specifies the use of GRE when tunneling packets. The implementation of this feature does not include support for GRE header fields such as those used to specify checksums, keys, or sequencing. Any packets received which specify the use of these features will be dropped.
The default ctunnel mode continues to use the standard Cisco encapsulation. Both ends of the tunnel must be configured with the same mode for it to work. If you want to tunnel ipv6 packets you must use the new gre mode.
Examples
The following example configures a CTunnel from one router to another and shows the CTunnel destination set to 49.0001.1111.1111.1111.00. The ctunnel mode is set to gre to transport IPv6 packets.
interface ctunnel 301ipv6 address 2001:0DB8:1111:2222::2/64ctunnel destination 49.0001.1111.1111.1111.00ctunnel mode greRelated Commands
debug adjacency
To enable the display of information about the adjacency database, use the debug adjacency command in privileged EXEC mode. To disable the display of these events, use the no form of this command.
debug adjacency [epoch | ipc | state | table] [prefix] [interface] [connectionid id] [link {ipv4 | ipv6 | mpls}]
no debug adjacency [epoch | ipc | state | table] [prefix] [interface] [connectionid id] [link {ipv4 | ipv6 | mpls}]
Syntax Description
Command Default
Debugging events are not displayed.
Command Modes
Privileged EXEC (#)
Command History
Usage Guidelines
Because debugging output is assigned high priority in the CPU process, you should use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Also, you should use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.
You can use any combination of the prefix, interface, connectionid id, and link {ipv4 | ipv6 | mpls} keywords and arguments (in any order) as a filter to enable debugging for a specified subset of adjacencies.
Note
Examples
The following example shows how to display information on the adjacency database:
Router# debug adjacency*Jan 27 06:22:50.543: ADJ-ios_mgr: repopulate adjs on up event for Ethernet3/0*Jan 27 06:22:50.543: ADJ: IPV6 adj out of Ethernet3/0, addr FE80::20C:CFFF:FEDF:6854 (incomplete) no src set: init/update from interface*Jan 27 06:22:50.543: ADJ: IPV6 adj out of Ethernet3/0, addr FE80::20C:CFFF:FEDF:6854 (incomplete) no src set: set bundle to IPv6 adjacency oce*Jan 27 06:22:50.543: ADJ: IPV6 adj out of Ethernet3/0, addr FE80::20C:CFFF:FEDF:6854 (incomplete) no src set: allocated, setup and inserted OK*Jan 27 06:22:50.543: ADJ: IPV6 adj out of Ethernet3/0, addr FE80::20C:CFFF:FEDF:6854 (incomplete) src IPv6 ND: source IPv6 ND added OK*Jan 27 06:22:50.543: ADJ: IPV6 adj out of Ethernet3/0, addr FE80::20C:CFFF:FEDF:6854 (incomplete) src IPv6 ND: computed macstring (len 14): OK*Jan 27 06:22:50.543: ADJ: IPV6 adj out of Ethernet3/0, addr FE80::20C:CFFF:FEDF:6854 src IPv6 ND: made complete (macstring len 0 to 14/0 octets)00:04:40: %LINK-3-UPDOWN: Interface Ethernet3/0, changed state to up00:04:41: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet3/0, changedRelated Commands
debug bfd
To display debugging messages about Bidirectional Forwarding Detection (BFD), use the debug bfd command in privileged EXEC mode. To disable debugging output, use the no form of this command.
Cisco IOS Release 12.2(18)SXE, 12.4(4)T, and 12.2(33)SRA
debug bfd {event | packet [ip-address | ipv6-address]}
no debug bfd {event | packet [ip-address | ipv6-address]}
Cisco IOS Release 12.0(31)S
debug bfd {event | packet [ip-address] | ipc-error | ipc-event | oir-error | oir-event}
no debug bfd {event | packet [ip-address] | ipc-error | ipc-event | oir-error | oir-event}
Syntax Description
Command Modes
Privileged EXEC
Command History
Usage Guidelines
The debug bfd command can be used to troubleshoot the BFD feature.
Note
Examples
The following example shows output from the debug bfd packet command. The IP address has been specified in order to limit the packet information to one interface:
Router# debug bfd packet 172.16.10.5BFD packet debugging is on*Jan 26 14:47:37.645: Tx*IP: dst 172.16.10.1, plen 24. BFD: diag 2, St/D/P/F (1/0/0/0), mult 5, len 24, loc/rem discr 1 1, tx 1000000, rx 1000000 100000, timer 1000 ms, #103*Jan 26 14:47:37.645: %OSPF-5-ADJCHG: Process 10, Nbr 172.16.10.12 on Ethernet1/4 from FULL to DOWN, Neighbor Down: BFD node down*Jan 26 14:47:50.685: %OSPF-5-ADJCHG: Process 10, Nbr 172.16.10.12 on Ethernet1/4 from LOADING to FULL, Loading Done*Jan 26 14:48:00.905: Rx IP: src 172.16.10.1, plen 24. BFD: diag 0, St/D/P/F (1/0/0/0), mult 4, len 24, loc/rem discr 2 1, tx 1000000, rx 1000000 100000, timer 4000 ms, #50*Jan 26 14:48:00.905: Tx IP: dst 172.16.10.1, plen 24. BFD: diag 2, St/D/P/F (2/0/0/0), mult 5, len 24, loc/rem discr 1 2, tx 1000000, rx 1000000 100000, timer 1000 ms, #131*Jan 26 14:48:00.905: Rx IP: src 172.16.10.1, plen 24. BFD: diag 0, St/D/P/F (3/0/0/0), mult 4, len 24, loc/rem discr 2 1, tx 1000000, rx 1000000 100000, timer 4000 ms, #51*Jan 26 14:48:00.905: Tx IP: dst 172.16.10.1, plen 24. BFD: diag 0, St/D/P/F (3/0/0/0), mult 5, len 24, loc/rem discr 1 2, tx 1000000, rx 1000000 100000, timer 1000 ms, #132The following example shows output from the debug bfd event command when an interface between two BFD neighbor routers fails and then comes back online:
Router# debug bfd event22:53:48: BFD: bfd_neighbor - action:DESTROY, proc:1024, idb:FastEthernet0/1, neighbor:172.16.10.222:53:48: BFD: bfd_neighbor - action:DESTROY, proc:512, idb:FastEthernet0/1, neighbor:172.16.10.222:53:49: Session [172.16.10.1,172.16.10.2,Fa0/1,1], event DETECT TIMER EXPIRED, state UP -> FAILING...22:56:35: BFD: bfd_neighbor - action:CREATE, proc:1024, idb:FastEthernet0/1, neighbor:172.16.10.222:56:37: Session [172.16.10.1,172.16.10.2,Fa0/1,1], event RX IHY 0, state FAILING -> DOWN22:56:37: Session [172.16.10.1,172.16.10.2,Fa0/1,1], event RX IHY 0, state DOWN -> INIT22:56:37: Session [172.16.10.1,172.16.10.2,Fa0/1,1], event RX IHY 1, state INIT -> UPTable 12 describes the significant fields shown in the display.
The following example shows output from the debug bfd packet command when an interface between two BFD neighbor routers fails and then comes back online. The diagnostic code changes from 0 (No Diagnostic) to 1 (Control Detection Time Expired) because no BFD control packets could be sent (and therefore detected by the BFD peer) after the interface fails. When the interface comes back online, the diagnostic code changes back to 0 to signify that BFD packets can be sent and received by the BFD peers.
Router# debug bfd packet23:03:25: Rx IP: src 172.16.10.2, plen 24. BFD: diag 0, H/D/P/F (0/0/0/0), mult 3, len 24, loc/rem discr 5 1, tx 1000000, rx 10000723:03:25: Tx IP: dst 172.16.10.2, plen 24. BFD: diag 1, H/D/P/F (0/0/0/0), mult 5, len 24, loc/rem discr 1 5, tx 1000000, rx 100000823:03:25: Tx IP: dst 172.16.10.2, plen 24. BFD: diag 1, H/D/P/F (1/0/0/0), mult 5, len 24, loc/rem discr 1 5, tx 1000000, rx 1000009Table 13 describes the significant fields shown in the display.
debug bgp ipv6 dampening
To display debugging messages for IPv6 Border Gateway Protocol (BGP) dampening, use the debug bgp ipv6 dampening command in privileged EXEC mode. To disable debugging messages for IPv6 BGP dampening, use the no form of this command.
debug bgp ipv6 {unicast | multicast} dampening [prefix-list prefix-list-name]
no debug bgp ipv6 {unicast | multicast} dampening [prefix-list prefix-list-name]
Syntax Description
unicast
Specifies IPv6 unicast address prefixes.
multicast
Specifies IPv6 multicast address prefixes.
prefix-list prefix-list-name
(Optional) Name of an IPv6 prefix list.
Command Default
Debugging for IPv6 BGP dampening packets is not enabled.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
The debug bgp ipv6 dampening command is similar to the debug ip bgp dampening command, except that it is IPv6-specific.
Use the prefix-list keyword and an argument to filter BGP IPv6 dampening debug information through an IPv6 prefix list.
Note
Examples
The following is sample output from the debug bgp ipv6 dampening command:
Router# debug bgp ipv6 dampening00:13:28:BGP(1):charge penalty for 2000:0:0:1::/64 path 2 1 with halflife-time 15 reuse/suppress 750/200000:13:28:BGP(1):flapped 1 times since 00:00:00. New penalty is 100000:13:28:BGP(1):charge penalty for 2000:0:0:1:1::/80 path 2 1 with halflife-time 15 reuse/suppress 750/200000:13:28:BGP(1):flapped 1 times since 00:00:00. New penalty is 100000:13:28:BGP(1):charge penalty for 2000:0:0:5::/64 path 2 1 with halflife-time 15 reuse/suppress 750/200000:13:28:BGP(1):flapped 1 times since 00:00:00. New penalty is 100000:16:03:BGP(1):charge penalty for 2000:0:0:1::/64 path 2 1 with halflife-time 15 reuse/suppress 750/200000:16:03:BGP(1):flapped 2 times since 00:02:35. New penalty is 189200:18:28:BGP(1):suppress 2000:0:0:1:1::/80 path 2 1 for 00:27:30 (penalty 2671)00:18:28:halflife-time 15, reuse/suppress 750/200000:18:28:BGP(1):suppress 2000:0:0:1::/64 path 2 1 for 00:27:20 (penalty 2664)00:18:28:halflife-time 15, reuse/suppress 750/2000The following example shows output for the debug bgp ipv6 dampening command filtered through the prefix list named marketing:
Router# debug bgp ipv6 dampening prefix-list marketing00:16:08:BGP(1):charge penalty for 2001:0DB8::/64 path 30 with halflife-time 15 reuse/suppress 750/200000:16:08:BGP(1):flapped 1 times since 00:00:00. New penalty is 10Table 14 describes the fields shown in the display.
Related Commands
debug bgp ipv6 updates
To display debugging messages for IPv6 Border Gateway Protocol (BGP) update packets, use the debug bgp ipv6 updates command in privileged EXEC mode. To disable debugging messages for IPv6 BGP update packets, use the no form of this command.
debug bgp ipv6 {unicast | multicast} updates [ipv6-address] [prefix-list prefix-list-name] [in | out]
no debug bgp ipv6 {unicast | multicast} updates [ipv6-address] [prefix-list prefix-list-name] [in | out]
Syntax Description
Command Default
Debugging for IPv6 BGP update packets is not enabled.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
The debug bgp ipv6 updates command is similar to the debug ip bgp updates command, except that it is IPv6-specific.
Use the prefix-list keyword to filter BGP IPv6 updates debugging information through an IPv6 prefix list.
Note
Examples
The following is sample output from the debug bgp ipv6 updates command:
Router# debug bgp ipv6 updates14:04:17:BGP(1):2000:0:0:2::2 computing updates, afi 1, neighbor version 0, table version 1, starting at ::14:04:17:BGP(1):2000:0:0:2::2 update run completed, afi 1, ran for 0ms, neighbor version 0, start version 1, throttled to 114:04:19:BGP(1):sourced route for 2000:0:0:2::1/64 path #0 changed (weight 32768)14:04:19:BGP(1):2000:0:0:2::1/64 route sourced locally14:04:19:BGP(1):2000:0:0:2:1::/80 route sourced locally14:04:19:BGP(1):2000:0:0:3::2/64 route sourced locally14:04:19:BGP(1):2000:0:0:4::2/64 route sourced locally14:04:22:BGP(1):2000:0:0:2::2 computing updates, afi 1, neighbor version 1, table version 6, starting at ::14:04:22:BGP(1):2000:0:0:2::2 send UPDATE (format) 2000:0:0:2::1/64, next 2000:0:0:2::1, metric 0, path14:04:22:BGP(1):2000:0:0:2::2 send UPDATE (format) 2000:0:0:2:1::/80, next 2000:0:0:2::1, metric 0, path14:04:22:BGP(1):2000:0:0:2::2 send UPDATE (prepend, chgflags:0x208) 2000:0:0:3::2/64, next 2000:0:0:2::1, metric 0, path14:04:22:BGP(1):2000:0:0:2::2 send UPDATE (prepend, chgflags:0x208) 2000:0:0:4::2/64, next 2000:0:0:2::1, metric 0, pathThe following is sample output from the debug bgp ipv6 updates command filtered through the prefix list named sales:
Router# debug bgp ipv6 updates prefix-list sales00:18:26:BGP(1):2000:8493:1::2 send UPDATE (prepend, chgflags:0x208) 7878:7878::/64, next 2001:0DB8::36C, metric 0, pathTable 15 describes the significant fields shown in the display.
Related Commands
debug bgp ipv6 dampening
Displays debugging messages for IPv6 BGP dampening packets.
debug bgp vpnv6 unicast
To display Border Gateway Protocol (BGP) virtual private network (VPN) debugging output, use the debug bgp vpnv6 unicast command in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug bgp vpnv6 unicast
no debug bgp vpnv6
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
Use the debug bgp vpnv6 unicast command to help troubleshoot the BGP VPN.
Note
Examples
The following example enables BGP debugging output for IPv6 VPN instances:
Router# debug bgp vpnv6 unicast
