-
Cisco IOS Security Command Reference
-
Introduction
-
aaa accounting through aaa local authentication attempts max-fail
-
aaa max-sessions through algorithm
-
all (profile map configuration) through browser-proxy
-
ca trust-point through clear eou
-
clear ip access-list counters through crl-cache none
-
crypto aaa attribute list through crypto ipsec transform-set
-
crypto isakmp aggressive-mode disable through crypto mib ipsec flowmib history tunnel size
-
crypto pki authenticate through ctype
-
database archive through dns
-
dnsix-dmdp retries through dynamic
-
E
-
F through H
-
icmp idle-timeout through ip http ezvpn
-
ip inspect through ip security strip
-
ip source-track through ivrf
-
K through L
-
mac access-group through max-users (WebVPN)
-
message retry count through outgoing
-
parameter through port-misuse
-
ppp accounting through quit
-
radius attribute nas-port-type through rate-limit (firewall)
-
reauthentication time through rsa-pubkey
-
sa ipsec through sessions maximum
-
set aggressive-mode client-endpoint through show class-map type urlfilter
-
show crypto ace redundancy through show crypto vlan
-
show diameter peer through show object-group
-
show parameter-map type consent through show users
-
show vlan group through switchport port-security violation
-
tacacs-server administration through title-color
-
traffic-export through zone security
-
Feedback
Table Of Contents
ip source-track export-interval
ip source-track syslog-interval
ip tcp intercept connection-timeout
ip tcp intercept finrst-timeout
ip tcp intercept max-incomplete
ip tcp intercept max-incomplete high
ip tcp intercept max-incomplete low
ip tcp intercept one-minute high
ip tcp intercept one-minute low
ip tcp intercept watch-timeout
ip trigger-authentication (global)
ip trigger-authentication (interface)
ip verify drop-rate compute interval
ip verify drop-rate compute window
ip verify drop-rate notify hold-down
ip verify unicast notification threshold
ip verify unicast reverse-path
ip verify unicast source reachable-via
ip vrf forwarding (server-group)
ip source-track
To enable IP source tracking for a specified host, use the ip source-track command in global configuration mode. To disable IP source tracking, use the no form of this command.
ip source-track ip-address
no ip source-track ip-address
Syntax Description
Defaults
IP address tracking is not enabled.
Command Modes
Global configuration
Command History
Usage Guidelines
IP source tracking allows you to gather information about the traffic that is flowing to a host that is suspected of being under attack. It also allows you to easily trace a denial-of-service (DoS) attack to its entry point into the network.
After you have identified the destination that is being attacked, enable tracking for the destination address on the whole router by entering the ip source-track command.
Examples
The following example shows how to configure IP source tracking on all line cards and port adapters in the router. In this example, each line card or port adapter collects traffic flow data to host address 100.10.0.1 for 2 minutes before creating an internal system log entry; packet and flow information recorded in the system log is exported for viewing to the route processor or switch processor every 60 seconds.
Router# configure interfaceRouter(config)# ip source-track 10.10.0.1Router(config)# ip source-track syslog-interval 2Router(config)# ip source-track export-interval 60Related Commands
ip source-track address-limit
To configure the maximum number of destination hosts that can be simultaneously tracked at any given moment, use the ip source-track address-limit command in global configuration mode. To cancel this administrative limit and return to the default, use the no form of this command.
ip source-track address-limit number
no ip source-track address-limit number
Syntax Description
Defaults
An unlimited number of hosts can be tracked.
Command Modes
Global configuration
Command History
Usage Guidelines
After you have configured at least one destination IP address for source tracking (via the ip source-track command), you can limit the number of destination IP addresses that can be tracked via the ip source-track address-limit command.
Examples
The following example shows how to configure IP source tracking for data that flows to host 100.10.1.1 and limit IP source tracking to 10 IP addresses:
Router(config)# ip source-track 100.10.0.1Router(config)# ip source-track address-limit 10Related Commands
ip source-track
Enables IP source tracking for a specified host.
show ip source-track
Displays traffic flow statistics for tracked IP host addresses.
ip source-track export-interval
To set the time interval (in seconds) in which IP source tracking statistics are exported from the line card to the route processor (RP), use the ip source-track export-interval command in global configuration mode. To return to default functionality, use the no form of this command.
ip source-track export-interval number
no ip source-track export-interval number
Syntax Description
Defaults
Traffic flow information is exported from the line card to the RP every 30 seconds.
Command Modes
Global configuration
Command History
Usage Guidelines
Use the ip source-track export-interval command to specify the frequency in which IP source tracking information is sent to the RP for viewing.
Note
This command can be issued only on distributed platforms such as the gigabit route processor (GRP) and the route switch processor (RSP).
Examples
The following example shows how to configure IP source tracking on all line cards and port adapters in the router. In this example, each line card or port adapter collects traffic flow data to host address 100.10.0.1 for 2 minutes before creating an internal system log entry; packet and flow information recorded in the system log is exported for viewing to the route processor or switch processor every 60 seconds.
Router# configure interfaceRouter(config)# ip source-track 10.10.0.1Router(config)# ip source-track syslog-interval 2Router(config)# ip source-track export-interval 60Related Commands
ip source-track syslog-interval
To set the time interval (in minutes) in which syslog messages are generated if IP source tracking is enabled on a device, use the ip source-track syslog-interval command in global configuration mode. To cancel this setting and disable syslog generation, use the no form of this command.
ip source-track syslog-interval number
no ip source-track syslog-interval number
Syntax Description
Defaults
Syslog messages are not generated.
Command Modes
Global configuration
Command History
Usage Guidelines
Use the ip source-track syslog-interval command to track the source interfaces of traffic that are destined to a particular address.
Examples
The following example shows how to configure IP source tracking on all line cards and port adapters in the router. In this example, each line card or port adapter collects traffic flow data to host address 100.10.0.1 for 2 minutes before creating an internal system log entry; packet and flow information recorded in the system log is exported for viewing to the route processor or switch processor every 60 seconds.
Router# configure interfaceRouter(config)# ip source-track 10.10.0.1Router(config)# ip source-track syslog-interval 2Router(config)# ip source-track export-interval 60Related Commands
ip source-track
Enables IP source tracking for a specified host.
show ip source-track
Displays traffic flow statistics for tracked IP host addresses.
ip ssh
To configure Secure Shell (SSH) control parameters on your router, use the ip ssh command in global configuration mode. To restore the default value, use the no form of this command.
ip ssh [timeout seconds | authentication-retries integer]
no ip ssh [timeout seconds | authentication-retries integer]
Syntax Description
Command Default
SSH control parameters are set to default router values.
Command Modes
Global configuration (config)
Command History
Usage Guidelines
Before you configure SSH on your router, you must enable the SSH server using the crypto key generate rsa command.
Examples
The following examples configure SSH control parameters on your router:
ip ssh timeout 120ip ssh authentication-retries 3ip ssh break-string
To configure a string that, when received from a Secure Shell (SSH) client, will cause the Cisco IOS SSH server to transmit a break signal out an asynchronous line, use the ip ssh break-string command in global configuration mode. To remove the string, use the no form of this command.
ip ssh break-string string
no ip ssh break-string string
Syntax Description
Defaults
Break signal is not enabled
Command Modes
Global configuration
Command History
12.3(2)
This command was introduced.
12.3(2)T
This command was integrated into Cisco IOS Release 12.3(2)T.
Usage Guidelines
Note
Note
Examples
The following example shows that the control-B character (ASCII 2) has been set as the SSH break string:
Router (config)# ip ssh break-string \002Related Commands
ip ssh dh min size
To configure the modulus size on the Secure Shell (SSH) server, use the ip ssh dh min size command in privileged EXEC mode. To disable the configuration, use the no form of this command.
ip ssh dh min size [number]
no ip ssh dh min size
Syntax Description
Command Default
Bit key support is disabled.
Command Modes
Privileged EXEC (#)
Command History
12.4(20)T
This command was introduced.
15.1(2)S
This command was integrated into Cisco IOS Release 15.1(2)S.
Usage Guidelines
Use the ip ssh dh min size command to ensure that the CLI is successfully parsed from either the client side or the server side.
Examples
The following example shows how to set the minimum modulus size to 2048 bits:
Router> enableRouter# ip ssh dh min size 2048Related Commands
ip ssh dscp
To specify the IP differentiated services code point (DSCP) value that can be set for a Secure Shell (SSH) configuration, use the ip ssh dscp command in global configuration mode. To restore the default value, use the no form of this command.
ip ssh dscp number
no ip ssh dscp number
Syntax Description
Command Default
The IP DSCP value is not specified.
Command Modes
Global configuration (config)
Command History
Usage Guidelines
IP DSCP values can be configured on both the SSH client and the SSH server for SSH traffic that is generated on either end.
Examples
The following example shows that the DSCP value is set to 35:
Router(config)# ip ssh dscp 35Related Commands
ip ssh maxstartups
To set the maximum concurrent sessions allowed on a Secure Shell (SSH), use the ip ssh maxstartups command in global configuration mode. To disable the configuration, use the no form of this command.
ip ssh maxstartups [number]
no ip ssh maxstartups [number]
Syntax Description
number
(Optional) Number of connections to be accepted concurrently. The range is from 2 to 128. The default is 128.
Command Default
The number of maximum concurrent sessions is 128.
Command Modes
Global configuration (config)
Command History
Usage Guidelines
You must create RSA keys to enable SSH. The RSA key must be at least 768 bits for SSHv2.
Examples
The following example shows how to set the maximum concurrent sessions allowed on a SSH to 100:
Router# configure terminalRouter(config)# ip ssh maxstartups 100Related Commands
debug ip ssh
Displays debugging messages for SSH.
ip ssh
Configures SSH control parameters on your router.
ip ssh port
To enable secure access to tty (asynchronous) lines, use the ip ssh port command in global configuration mode. To disable this functionality, use the no form of this command.
ip ssh port por-tnum rotary group
no ip ssh port por-tnum rotary group
Syntax Description
port-num
Specifies the port, such as 2001, to which Secure Shell (SSH) needs to connect.
rotary group
Specifies the defined rotary that should search for a valid name.
Defaults
This command is disabled by default.
Command Modes
Global configuration
Command History
Usage Guidelines
The ip ssh port command supports a functionality that replaces reverse Telnet with SSH. Use this command to securely access the devices attached to the serial ports of a router and to perform the following tasks:
•
•
Examples
The following example shows how to configure the SSH Terminal-Line Access feature on a modem that is used for dial-out on lines 1 through 200:
line 1 200no execlogin authentication defaultrotary 1transport input sship ssh port 2000 rotary 1The following example shows how to configure the SSH Terminal-Line Access feature to access the console ports of various devices that are attached to the serial ports of the router. For this type of access, each line is put into its own rotary, and each rotary is used for a single port. In this example, lines 1 through 3 are used, and the port (line) mappings of the configuration are as follows: Port 2001 = Line 1, Port 2002 = Line 2, and Port 2003 = Line 3.
line 1no execlogin authentication defaultrotary 1transport input sshline 2no execlogin authentication defaultrotary 2transport input sshline 3no execlogin authentication defaultrotary 3transport input sship ssh port 2001 rotary 1 3From any UNIX or UNIX-like device, the following command is typically used to form an SSH session:ssh -c 3des -p 2002 router.example.comThis command will initiate an SSH session using the Triple DES cipher to the device known as "router.example.com," which uses port 2002. This device will connect to the device on Line 2, which was associated with port 2002. Similarly, many Windows SSH packages have related methods of selecting the cipher and the port for this access.
Related Commands
ip ssh precedence
To specify the IP precedence value that can be set for a Secure Shell (SSH) configuration, use the ip ssh precedence command in global configuration mode. To restore the default value, use the no form of this command.
ip ssh precedence number
no ip ssh precedence number
Syntax Description
Command Default
The IP precedence value is not specified.
Command Modes
Global configuration (config)
Command History
Usage Guidelines
IP precedence values can be configured on both the SSH client and the SSH server for SSH traffic that is generated on either end.
Examples
The following example shows that up to six IP precedence values can be set:
Router(config)# ip precedence value 6Related Commands
ip ssh dscp
Specifies the IP DSCP value that can be set for an SSH configuration.
ip ssh pubkey-chain
To configure Secure Shell RSA (SSH-RSA) keys for user and server authentication on the SSH server, use the ip ssh pubkey-chain command in global configuration mode. To remove SSH-RSA keys for user and server authentication on the SSH server, use the no form of this command.
ip ssh pubkey-chain
no ip ssh pubkey-chain
Syntax Description
This command has no arguments or keywords.
Command Default
SSH-RSA keys are not configured.
Command Modes
Global configuration (config)
Command History
15.0(1)M
This command was introduced.
15.1(1)S
This command was integrated into Cisco IOS Release 15.1(1)S.
Usage Guidelines
Use the ip ssh pubkey-chain command to ensure SSH server and user public key authentication.
Examples
The following example shows how to enable public key generation:
Router(config)# ip ssh pubkey-chainRelated Commands
ip ssh rsa keypair-name
To specify which Rivest, Shimar, and Adelman (RSA) key pair to use for a Secure Shell (SSH) connection, use the ip ssh rsa keypair-name command in global configuration mode. To disable the key pair that was configured, use the no form of this command.
ip ssh rsa keypair-name keypair-name
no ip ssh rsa keypair-name keypair-name
Syntax Description
Command Default
If this command is not configured, SSH will use the first RSA key pair that is enabled.
Command Modes
Global configuration (config)
Command History
Usage Guidelines
Using the ip ssh rsa keypair-name command, you can enable an SSH connection using RSA keys that you have configured using the keypair-name argument. Previously, SSH was tied to the first RSA keys that were generated (that is, SSH was enabled when the first RSA key pair was generated). The previous behavior still exists, but by using the ip ssh rsa keypair-name command, you can overcome that behavior. If you configure the ip ssh rsa keypair-name command with a key pair name, SSH is enabled if the key pair exists, or SSH will be enabled if the key pair is generated later. If you use this command, you are not forced to configure a hostname and a domain name.
Note
Examples
The following example shows how to specify the RSA key pair "sshkeys" for an SSH connection:
Router# configure terminalRouter(config)# ip ssh rsa keypair-name sshkeysRelated Commands
ip ssh source-interface
To specify the IP address of an interface as the source address for a Secure Shell (SSH) client device, use the ip ssh source-interface command in global configuration mode. To remove the IP address as the source address, use the no form of this command.
ip ssh source-interface interface
no ip ssh source-interface interface
Syntax Description
Defaults
The address of the closest interface to the destination is used as the source address (the closest interface is the output interface through which the SSH packet is sent).
Command Modes
Global configuration
Command History
Usage Guidelines
By specifying this command, you can force the SSH client to use the IP address of the source interface as the source address.
Examples
In the following example, the IP address assigned to Ethernet interface 0 will be used as the source address for the SSH client:
ip ssh source-interface ethernet0ip ssh stricthostkeycheck
To enable strict host key checking on the Secure Shell (SSH) server, use the ip ssh stricthostcheck command in global configuration mode. To disable strict host key checking, use the no form of this command.
ip ssh stricthostkeycheck
no ip ssh stricthostkeycheck
Syntax Description
This command has no arguments or keywords.
Command Default
Strict host key checking on the SSH server is not enabled.
Command Modes
Global configuration (config)
Command History
15.0(1)M
This command was introduced.
15.1(1)S
This command was integrated into Cisco IOS Release 15.1(1)S.
Usage Guidelines
Use the ip ssh stricthostkeycheck command to ensure SSH server side strict checking. Configuring the ip ssh stricthostkeycheck command authenticates all servers.
Note
•
Examples
The following example shows how to enable strict host key checking:
Router(config)# ip ssh stricthostkeycheckRelated Commands
ip ssh pubkey-chain
Configures SSH-RSA keys for user and server authentication on the SSH server.
ip ssh version
To specify the version of Secure Shell (SSH) to be run on a router, use the ip ssh version command in global configuration mode. To disable the version of SSH that was configured and to return to compatibility mode, use the no form of this command.
ip ssh version [1 | 2]
no ip ssh version [1 | 2]
Syntax Description
Defaults
If this command is not configured, SSH operates in compatibility mode, that is, Version 1 and Version 2 are both supported.
Command Modes
Global configuration
Command History
Usage Guidelines
You can use this command with the 2 keyword to ensure that your router will not inadvertently establish a weaker SSH Version 1 connection.
Examples
The following example shows that only SSH Version 1 support is configured:
Router (config)# ip ssh version 1The following example shows that only SSH Version 2 is configured:
Router (config)# ip ssh version 2The following example shows that SSH Versions 1 and 2 are configured:
Router (config)# no ip ssh versionRelated Commands
ip tacacs source-interface
To use the IP address of a specified interface for all outgoing TACACS+ packets, use the ip tacacs source-interface command in global configuration or server-group configuration mode. To disable use of the specified interface IP address, use the no form of this command.
ip tacacs source-interface subinterface-name
no ip tacacs source-interface
Syntax Description
Command Default
None
Command Modes
Global configuration (config)
Server-group configuration (server-group)
Command History
Usage Guidelines
Use this command to set the IP address of a subinterface for all outgoing TACACS+ packets. This address is used as long as the interface is in the up state. In this way, the TACACS+ server can use one IP address entry associated with the network access client instead of maintaining a list of all IP addresses.
This command is especially useful in cases where the router has many interfaces and you want to ensure that all TACACS+ packets from a particular router have the same IP address.
The specified interface must have an IP address associated with it. If the specified subinterface does not have an IP address or is in a down state, TACACS+ reverts to the default. To avoid this situation, add an IP address to the subinterface or bring the interface to the up state.
Note
Examples
The following example makes TACACS+ use the IP address of subinterface "s2" for all outgoing TACACS+ packets:
ip tacacs source-interface s2In the following example, TACACS+ is to use the IP address of Loopback0 for packets that are going only to server 10.1.1.1:
aaa group server tacacs+ tacacs1server-private 10.1.1.1 port 19 key ciscoip vrf forwarding ciscoip tacacs source-interface Loopback0ip vrf ciscord 100:1interface Loopback0ip address 10.0.0.2 255.0.0.0ip vrf forwarding ciscoRelated Commands
ip tcp intercept connection-timeout
To change how long a TCP connection will be managed by the TCP intercept after no activity, use the ip tcp intercept connection-timeout command in global configuration mode. To restore the default, use the no form of this command.
ip tcp intercept connection-timeout seconds
no ip tcp intercept connection-timeout [seconds]
Syntax Description
seconds
Time (in seconds) that the software will still manage the connection after no activity. The minimum value is 1 second. The default is 86,400 seconds (24 hours).
Defaults
86,400 seconds (24 hours)
Command Modes
Global configuration
Command History
Usage Guidelines
Use the ip tcp intercept connection-timeout command to change how long a TCP connection will be managed by the TCP intercept after a period of inactivity.
Examples
The following example sets the software to manage the connection for 12 hours (43,200 seconds) after no activity:
ip tcp intercept connection-timeout 43200ip tcp intercept drop-mode
To set the TCP intercept drop mode, use the ip tcp intercept drop-mode command in global configuration mode. To restore the default, use the no form of this command.
ip tcp intercept drop-mode [oldest | random]
no ip tcp intercept drop-mode [oldest | random]
Syntax Description
oldest
(Optional) Software drops the oldest partial connection. This is the default.
random
(Optional) Software drops a randomly selected partial connection.
Defaults
oldest
Command Modes
Global configuration
Command History
Usage Guidelines
If the number of incomplete connections exceeds 1100 or the number of connections arriving in the last 1 minute exceeds 1100, the TCP intercept feature becomes more aggressive. When this happens, each new arriving connection causes the oldest partial connection to be deleted, and the initial retransmission timeout is reduced by half to 0.5 seconds (and so the total time trying to establish the connection will be cut in half).
Note that the 1100 thresholds can be configured with the ip tcp intercept max-incomplete high and
ip tcp intercept one-minute high commands.Use the ip tcp intercept drop-mode command to change the dropping strategy from oldest to a random drop.
Examples
The following example sets the drop mode to random:
ip tcp intercept drop-mode randomRelated Commands
ip tcp intercept finrst-timeout
To change how long after receipt of a reset or FIN-exchange the software ceases to manage the connection, use the ip tcp intercept finrst-timeout command in global configuration mode. To restore the default, use the no form of this command.
ip tcp intercept finrst-timeout seconds
no ip tcp intercept finrst-timeout [seconds]
Syntax Description
seconds
Time (in seconds) after receiving a reset or FIN-exchange that the software ceases to manage the connection. The minimum value is 1 second. The default is 5 seconds.
Defaults
5 seconds
Command Modes
Global configuration
Command History
Usage Guidelines
Even after the two ends of the connection are joined, the software intercepts packets being sent back and forth. Use this command if you need to adjust how soon after receiving a reset or FIN-exchange the software stops intercepting packets.
Examples
The following example sets the software to wait for 10 seconds before it leaves intercept mode:
ip tcp intercept finrst-timeout 10ip tcp intercept list
To enable TCP intercept, use the ip tcp intercept list command in global configuration mode. To disable TCP intercept, use the no form of this command.
ip tcp intercept list access-list-number
no ip tcp intercept list access-list-number
Syntax Description
Defaults
Disabled
Command Modes
Global configuration
Command History
Usage Guidelines
The TCP intercept feature intercepts TCP connection attempts and shields servers from TCP SYN-flood attacks, also known as denial-of-service attacks.
TCP packets matching the access list are presented to the TCP intercept code for processing, as determined by the ip tcp intercept mode command. The TCP intercept code either intercepts or watches the connections.
To have all TCP connection attempts submitted to the TCP intercept code, have the access list match everything.
Examples
The following example configuration defines access list 101, causing the software to intercept packets for all TCP servers on the 192.168.1.0/24 subnet:
ip tcp intercept list 101!access-list 101 permit tcp any 192.168.1.0 0.0.0.255Related Commands
ip tcp intercept max-incomplete
To define either the number of incomplete connections below which the software leaves aggressive mode or the maximum number of incomplete connections allowed before the software enters aggressive mode, use the ip tcp intercept max-incomplete command in global configuration mode. To restore the default, use the no form of this command.
ip tcp intercept max-incomplete low number high number
no ip tcp intercept max-incomplete [low number high number]
Syntax Description
Command Default
The number of incomplete connections below which the software leaves aggressive mode is 900.
The maximum number of incomplete connections allowed before the software enters aggressive mode is 1100.
Command Modes
Global configuration
Command History
Usage Guidelines
There are two factors that determine aggressive mode: connection requests and incomplete connections.
By default, if both the number of connection requests and the number of incomplete connections is 900 or lower, aggressive mode ends.
By default, if either the number of connection requests or the number of incomplete connections is 1100 or greater, aggressive mode begins.
The number of connection requests may be defined by the ip tcp intercept one-minute command and the number of incomplete connections may be defined by the ip tcp intercept max-incomplete command.
Characteristics of Aggressive Mode
The following are the characteristics of aggressive mode:
•
•
•
Examples
The following example sets the software to leave aggressive mode when the number of incomplete connections falls below 1000 and allows 1500 incomplete connections before the software enters aggressive mode. The running configuration is also shown.
Router(config)# ip tcp intercept max-incomplete low 1000 high 1500Router(config)# show running config | i ip tcpip tcp intercept one-minute low 1000 high 1400Related Commands
ip tcp intercept max-incomplete high
Note
To define the maximum number of incomplete connections allowed before the software enters aggressive mode, use the ip tcp intercept max-incomplete high command in global configuration mode. To restore the default, use the no form of this command.
ip tcp intercept max-incomplete high number
no ip tcp intercept max-incomplete high [number]
Syntax Description
number
Defines the number of incomplete connections allowed, above which the software enters aggressive mode. The range is from 1 to 2147483647. The default is 1100.
Defaults
1100 incomplete connections
Command Modes
Global configuration
Command History
Usage Guidelines
Note
If the number of incomplete connections exceeds the number configured, the TCP intercept feature becomes aggressive. The following are the characteristics of aggressive mode:
•
•
•
You can change the drop strategy from the oldest connection to a random connection with the
ip tcp intercept drop-mode command.
Note
The software will back off from its aggressive mode when the number of incomplete connections falls below the number specified by the ip tcp intercept max-incomplete low command.
Examples
The following example allows 1500 incomplete connections before the software enters aggressive mode:
ip tcp intercept max-incomplete high 1500Related Commands
ip tcp intercept max-incomplete low
Note
To define the number of incomplete connections below which the software leaves aggressive mode, use the ip tcp intercept max-incomplete low command in global configuration mode. To restore the default, use the no form of this command.
ip tcp intercept max-incomplete low number
no ip tcp intercept max-incomplete low [number]
Syntax Description
number
Defines the number of incomplete connections below which the software leaves aggressive mode. The range is 1 to 2147483647. The default is 900.
Defaults
900 incomplete connections
Command Modes
Global configuration
Command History
Usage Guidelines
Note
When both connection requests and incomplete connections fall below the values of ip tcp intercept one-minute low and ip tcp intercept max-incomplete low, the TCP intercept feature leaves aggressive mode.
Note
See the ip tcp intercept max-incomplete high command for a description of aggressive mode.
Examples
The following example sets the software to leave aggressive mode when the number of incomplete connections falls below 1000:
ip tcp intercept max-incomplete low 1000Related Commands
ip tcp intercept mode
To change the TCP intercept mode, use the ip tcp intercept mode command in global configuration mode. To restore the default, use the no form of this command.
ip tcp intercept mode {intercept | watch}
no ip tcp intercept mode [intercept | watch]
Syntax Description
Defaults
intercept
Command Modes
Global configuration
Command History
Usage Guidelines
When TCP intercept is enabled, it operates in intercept mode by default. In intercept mode, the software actively intercepts TCP SYN packets from clients to servers that match the specified access list. For each SYN, the software responds on behalf of the server with an ACK and SYN, and waits for an ACK of the SYN from the client. When that ACK is received, the original SYN is sent to the server, and the code then performs a three-way handshake with the server. Then the two half-connections are joined.
In watch mode, the software allows connection attempts to pass through the router, but watches them until they become established. If they fail to become established in 30 seconds (or the value set by the ip tcp intercept watch-timeout command), a Reset is sent to the server to clear its state.
Examples
The following example sets the mode to watch mode:
ip tcp intercept mode watchRelated Commands
ip tcp intercept watch-timeout
Defines how long the software will wait for a watched TCP intercept connection to reach established state before sending a reset to the server.
ip tcp intercept one-minute
To define both the number of connection requests below which the software leaves aggressive mode and the number of connection requests that can be received before the software enters aggressive mode, use the ip tcp intercept one-minute command in global configuration mode. To restore the default connection request settings, use the no form of this command.
ip tcp intercept one-minute low number high number
no ip tcp intercept one-minute [low number high number]
Syntax Description
Command Default
The default number of connection requests below which the software leaves aggressive mode is 900.
The default number of connection requests received before the software enters aggressive mode is 1100.
Command Modes
Global configuration
Command History
Usage Guidelines
There are two factors that determine aggressive mode: connection requests and incomplete connections.
By default, if both the number of connection requests and the number of incomplete connections is 900 or lower, aggressive mode ends.
By default, if either the number of connection requests or the number of incomplete connections is 1100 or greater, aggressive mode begins.
The number of connection requests may be defined by the ip tcp intercept one-minute command and the number of incomplete connections may be defined by the ip tcp intercept max-incomplete command. The default number of connection requests
Characteristics of Aggressive Mode
The following are the characteristics of aggressive mode:
•
•
•
Examples
The following example sets the software to leave aggressive mode when the number of connection requests falls below 1000 and allows 1400 connection requests before the software enters aggressive mode. The the running configuration is then shown.
Router(config)# ip tcp intercept one-minute low 1000 high 1400Router(config)# show running configuration | i ip tcpip tcp intercept one-minute low 1000 high 1400Related Commands
ip tcp intercept one-minute high
Note
To define the number of connection requests received in the last one-minutes sample period before the software enters aggressive mode, use the ip tcp intercept one-minute high command in global configuration mode. To restore the default, use the no form of this command.
ip tcp intercept one-minute high number
no ip tcp intercept one-minute high [number]
Syntax Description
Defaults
1100 connection requests
Command Modes
Global configuration
Command History
Usage Guidelines
Note
If the number of connection requests exceeds the number value configured, the TCP intercept feature becomes aggressive. The following are the characteristics of aggressive mode:
•
•
•
You can change the drop strategy from the oldest connection to a random connection with the ip tcp intercept drop-mode command.
Note
Examples
The following example allows 1400 connection requests before the software enters aggressive mode:
ip tcp intercept one-minute high 1400Related Commands
ip tcp intercept one-minute low
Note
To define the number of connection requests below which the software leaves aggressive mode, use the ip tcp intercept one-minute low command in global configuration mode. To restore the default, use the no form of this command.
ip tcp intercept one-minute low number
no ip tcp intercept one-minute low [number]
Syntax Description
number
Defines the number of connection requests in the last one-minute sample period below which the software leaves aggressive mode. The range is from 1 to 2147483647. The default is 900.
Defaults
900 connection requests
Command Modes
Global configuration
Command History
Usage Guidelines
Note
When both connection requests and incomplete connections fall below the values of ip tcp intercept one-minute low and ip tcp intercept max-incomplete low, the TCP intercept feature leaves aggressive mode.
Note
See the ip tcp intercept one-minute high command for a description of aggressive mode.
Examples
The following example sets the software to leave aggressive mode when the number of connection requests falls below 1000:
ip tcp intercept one-minute low 1000Related Commands
ip tcp intercept watch-timeout
To define how long the software will wait for a watched TCP intercept connection to reach established state before sending a reset to the server, use the ip tcp intercept watch-timeout command in global configuration mode. To restore the default, use the no form of this command.
ip tcp intercept watch-timeout seconds
no ip tcp intercept watch-timeout [seconds]
Syntax Description
seconds
Time (in seconds) that the software waits for a watched connection to reach established state before sending a Reset to the server. The minimum value is 1 second. The default is 30 seconds.
Defaults
30 seconds
Command Modes
Global configuration
Command History
Usage Guidelines
Use this command if you have set the TCP intercept to passive watch mode and you want to change the default time the connection is watched. During aggressive mode, the watch timeout time is cut in half.
Examples
The following example sets the software to wait 60 seconds for a watched connection to reach established state before sending a Reset to the server:
ip tcp intercept watch-timeout 60Related Commands
ip traffic-export apply
To apply an IP traffic export profile or an IP traffic capture profile to a specific interface, use the ip traffic-export apply command in interface configuration mode. To remove an IP traffic export profile or an IP traffic capture profile from an interface, use the no form of this command.
ip traffic-export apply profile-name
no ip traffic-export apply profile-name
Cisco 1841, Cisco 2800 Series, and Cisco 3800 Series
ip traffic-export apply profile-name size size
no ip traffic-export apply profile-name
Syntax Description
Defaults
If you do not use this command, a sucessfully configured profile is not active.
Command Modes
Interface configuration
Command History
Usage Guidelines
After you configure at least one export profile, use the ip traffic-export apply command to activate IP traffic export on the specified ingress interface.
After you configure a capture profile, use the ip traffic-export apply command to activate IP traffic capture on the specified ingress interface, and to specify the size of the local capture buffer.
Examples
The following example shows how to apply the export profile "corp1" to interface Fast Ethernet 0/0.
Router(config)# ip traffic-export profile corp1Router(config-rite)# interface FastEthernet 0/1Router(config-rite)# bidirectionalRouter(config-rite)# mac-address 00a.8aab.90a0Router(config-rite)# outgoing sample one-in-every 50Router(config-rite)# incoming access-list spam_aclRouter(config-rite)# exitRouter(config)# interface FastEthernet 0/0Router(config-if)# ip traffic-export apply corp1The following example shows how to apply the capture profile "corp2" to interface Fast Ethernet 0/0, and specify a capture buffer of 10,000,000 bytes.
Router(config)# ip traffic-export profile corp2 mode_captureRouter(config-rite)# bidirectionalRouter(config-rite)# outgoing sample one-in-every 50Router(config-rite)# incoming access-list ham_aclRouter(config-rite)# length 512Router(config-rite)# exitRouter(config)# interface FastEthernet 0/0Router(config-if)# ip traffic-export apply corp2 size 10000000After a profile is activated on the interface, a logging message such as the following will appear:
%RITE-5-ACTIVATE: Activated IP traffic export on interface FastEthernet 0/0.After a profile is removed from the interface, a logging message such as the following will appear:
%RITE-5-DEACTIVATE: Deactivated IP traffic export on interface FastEthernet 0/0.If you attempt to apply an incomplete profile to an interface, you will receive the following message:
Router(config-if)# ip traffic-export apply newoneRITE: profile newone has missing outgoing interfaceRelated Commands
ip traffic-export profile
To create or edit an IP traffic export profile or an IP traffic capture profile and enable the profile on an ingress interface, use the ip traffic-export profile command in global configuration mode. To remove an IP traffic export profile from your router configuration, use the no form of this command.
ip traffic-export profile profile-name
no ip traffic-export profile profile-name
Cisco 1841, Cisco 2800 Series, and Cisco 3800 Series Routers
ip traffic-export profile profile-name mode {capture | export}
no ip traffic-export profile profile-name
Syntax Description
profile-name
IP traffic export profile name.
mode {capture | export}
Specifies either capture or export mode.
•
•
Defaults
A profile does not exist.
Command Modes
Global configuration
Command History
Usage Guidelines
The ip traffic-export profile command allows you to begin a profile that can be configured to capture or export IP packets as they arrive on or leave from a selected router ingress interface.
When exporting IP packets, a designated egress interface exports IP packets out of the router. So, the router can export unaltered IP packets to a directly connected device.
When capturing IP packets, the packets are stored in local router memory. They may then be dumped to an external device.
IP Traffic Export Profiles
All exported IP traffic configurations are specified by profiles, which consist of RITE-related command-line interface (CLI) commands that control various attributes of both incoming and outgoing IP traffic. You can configure a router with multiple profiles. (Each profile must have a different name.) You can apply different profiles on different interfaces.
The two profiles to configure are:
•
•
Use interface and mac-address commands to successfully create a profile. If you do not issue these commands, the user will receive a profile incomplete messages such as the following:
ip traffic-export profile newone! No outgoing interface configured! No destination mac-address configuredAfter you configure your profiles, you can apply the profiles to an interface with the ip traffic-export apply profile command, which will activate it.
IP Traffic Capture Profiles
On the Cisco 1841, Cisco 2800 series, and Cisco 3800 series routers, you can also configure IP traffic capture. A captured IP traffic configuration is specified by a profile, which consists of RITE-related command-line interface (CLI) commands that control various attributes of both incoming and outgoing IP traffic.
The two profiles that you should configure are:
•
•
After you configure your profiles, you can apply the profiles to an interface with the ip traffic-export apply profile command, which will activate it.
When the IP traffic capture profile is applied to an interface, use the traffic-export command to control the capture of the traffic.
Note
Examples
The following example shows how to configure the profile "corp1," which sends captured IP traffic to host "00a.8aab.90a0" at the interface "FastEthernet 0/1." This profile is also configured to export 1 in every 50 packets and to allow incoming traffic only from the access control list (ACL) "ham_ACL."
Router(config)# ip traffic-export profile corp1Router(config-rite)# interface FastEthernet 0/1Router(config-rite)# bidirectionalRouter(config-rite)# mac-address 00a.8aab.90a0Router(config-rite)# outgoing sample one-in-every 50Router(config-rite)# incoming access-list ham_aclRouter(config-rite)# exitRouter(config)# interface FastEthernet 0/0Router(config-if)# ip traffic-export apply corp1The following example shows how to configure the profile "corp2," which captures IP traffic and stores it in a local router memory buffer of 10,000,000 bytes. This profile also captures 1 in every 50 packets and allows incoming traffic only from the access control list (ACL) "ham_ACL."
Router(config)# ip traffic-export profile corp2 mode captureRouter(config-rite)# bidirectionalRouter(config-rite)# outgoing sample one-in-every 50Router(config-rite)# incoming access-list ham_aclRouter(config-rite)# length 512Router(config-rite)# exitRouter(config)# interface FastEthernet 0/0Router(config-if)# ip traffic-export apply corp2 size 10000000Related Commands
ip trigger-authentication (global)
To enable the automated part of double authentication at a device, use the ip trigger-authentication command in global configuration mode. To disable the automated part of double authentication, use the no form of this command.
ip trigger-authentication [timeout seconds] [port number]
no ip trigger-authentication
Syntax Description
Defaults
The default timeout is 90 seconds, and the default port number is 7500.
Command Modes
Global configuration
Command History
Usage Guidelines
Configure this command on the local device (router or network access server) that remote users dial in to. Use this command only if the local device has already been configured to provide double authentication; this command enables automation of the second authentication of double authentication.
The timeout Keyword
During the second authentication stage of double authentication—when the remote user is authenticated—the remote user must send a username and password (or PIN) to the local device. With automated double authentication, the local device sends a UDP packet to the remote user's host during the second user-authentication stage. This UDP packet triggers the remote host to launch a dialog box requesting a username and password (or PIN).
If the local device does not receive a valid response to the UDP packet within a timeout period, the local device will send another UDP packet. The device will continue to send UDP packets at the timeout intervals until it receives a response and can authenticate the user.
By default, the UDP packet timeout interval is 90 seconds. Use the timeout keyword to specify a different interval.
(This timeout also applies to how long entries will remain in the remote host table; see the show ip trigger-authentication command for details.)
The port Keyword
As described in the previous section, the local device sends a UDP packet to the remote user's host to request the user's username and password (or PIN). This UDP packet is sent to UDP port 7500 by default. (The remote host client software listens to UDP port 7500 by default.) If you need to change the port number because port 7500 is used by another application, you should change the port number using the port keyword. If you change the port number you need to change it in both places—both on the local device and in the remote host client software.
Examples
The following example globally enables automated double authentication and sets the timeout to 120 seconds:
ip trigger-authentication timeout 120Related Commands
ip trigger-authentication (interface)
To specify automated double authentication at an interface, use the ip trigger-authentication command in interface configuration mode. To turn off automated double authentication at an interface, use the no form of this command.
ip trigger-authentication
no ip trigger-authentication
Syntax Description
This command has no arguments or keywords.
Defaults
Automated double authentication is not enabled for specific interfaces.
Command Modes
Interface configuration
Command History
Usage Guidelines
Configure this command on the local router or network access server that remote users dial into. Use this command only if the local device has already been configured to provide double authentication and if automated double authentication has been enabled with the ip trigger-authentication (global) command.
This command causes double authentication to occur automatically when users dial into the interface.
Examples
The following example turns on automated double authentication at the ISDN BRI interface BRI0:
interface BRI0ip trigger-authenticationencapsulation pppppp authentication chapRelated Commands
ip trigger-authentication (global)
Enables the automated part of double authentication at a device.
ip urlfilter alert
To enable URL filtering system alert messages, use the ip urlfilter alert command in global configuration mode. To disable the system alert, use the no form of this command.
ip urlfilter alert [vrf vrf-name]
no ip urlfilter alert
Syntax Description
vrf vrf-name
(Optional) Enables URL filtering system alert messages only for the specified Virtual Routing and Forwarding (VRF) interface.
Defaults
URL filtering messages are enabled.
Command Modes
Global configuration
Command History
12.2(11)YU
This command was introduced.
12.2(15)T
This command was integrated into Cisco IOS Release 12.2(15)T.
12.3(14)T
The vrf vrf-name keyword/argument pair was added.
Usage Guidelines
Use the ip urlfilter alert command to display system messages, such as a server entering allow mode, a server going down, or a URL that is too long for the lookup request.
Examples
The following example shows how to enable URL filtering alert messages:
ip inspect name test http urlfilterip urlfilter cache 5ip urlfilter exclusive-domain permit .weapons.comip urlfilter exclusive-domain deny .nbc.comip urlfilter exclusive-domain permit www.cisco.comip urlfilter audit-trailip urlfilter alertip urlfilter server vendor websense 192.168.3.1Afterward, system alert messages such as the following are displayed:
%URLF-3-SERVER_DOWN:Connection to the URL filter server 10.92.0.9 is downThis level three LOG_ERR-type message is displayed when a configured URL filter server (UFS) goes down. When this happens, the firewall will mark the configured server as secondary and try to bring up one of the other secondary servers and mark that server as the primary server. If there is no other server configured, the firewall will enter into allow mode and display the URLF-3-ALLOW_MODE message described.
%URLF-3-ALLOW_MODE:Connection to all URL filter servers are down and ALLOW MODE is OFFThis LOG_ERR type message is displayed when all UFSs are down and the system enters into allow mode.
Note
%URLF-5-SERVER_UP:Connection to an URL filter server 10.92.0.9 is made, the system is returning from ALLOW MODEThis LOG_NOTICE-type message is displayed when the UFSs are detected as being up and the system is returning from allow mode.
%URLF-4-URL_TOO_LONG:URL too long (more than 3072 bytes), possibly a fake packet?This LOG_WARNING-type message is displayed when the URL in a lookup request is too long; any URL longer than 3K will be dropped.
%URLF-4-MAX_REQ:The number of pending request exceeds the maximum limit <1000>This LOG_WARNING-type message is displayed when the number of pending requests in the system exceeds the maximum limit and all further requests are dropped.
ip urlfilter allowmode
To turn on the default mode (allow mode) of the filtering algorithm, use the ip urlfilter allowmode command in global configuration mode. To disable the default mode, use the no form of this command.
ip urlfilter allowmode [on | off] [vrf vrf-name]
no ip urlfilter allowmode [on | off]
Syntax Description
Defaults
Allow mode is off.
Command Modes
Global configuration
Command History
12.2(11)YU
This command was introduced.
12.2(15)T
This command was integrated into Cisco IOS Release 12.2(15)T.
12.3(14)T
The vrf vrf-name keyword/argument pair was added.
Usage Guidelines
The system will go into allow mode when connections to all vendor servers (Websense or N2H2) are down. The system will return to normal mode when a connection to at least one web vendor server is up. Allow mode directs your system to forward or drop all packets on the basis of the configurable allow mode setting: if allow mode is on and the vendor servers are down, the HTTP requests will be allowed to pass; if allow mode is off and the vendor servers are down, the HTTP requests will be forbidden.
Examples
The following example shows how to enable allow mode on your system:
ip urlfilter allowmode onAfterward, the following alert message will be displayed when the system goes into allow mode:
%URLF-3-ALLOW_MODE: Connection to all URL filter servers are down and ALLOW MODE if OFFThe following alert message will be displayed when the system returns from allow mode:
%URLF-5-SERVER_UP: Connection to an URL filter server 12.0.0.3 is made, the system is returning from allow modeip urlfilter audit-trail
To log messages into the syslog server or router, use the ip urlfilter audit-trail command in global configuration mode. To disable this functionality, use the no form of this command.
ip urlfilter audit-trail [vrf vrf-name]
no ip urlfilter audit-trail
Syntax Description
vrf vrf-name
(Optional) Logs messages into the syslog server or router only for the specified Virtual Routing and Forwarding (VRF) interface.
Defaults
This command is disabled.
Command Modes
Global configuration
Command History
12.2(11)YU
This command was introduced.
12.2(15)T
This command was integrated into Cisco IOS Release 12.2(15)T.
12.3(14)T
The vrf vrf-name keyword/argument pair was added.
Usage Guidelines
Use the ip urlfilter audit-trail command to log messages such as URL request status (allow or deny) into your syslog server.
Examples
The following example shows how to enable syslog message logging:
ip inspect name test http urlfilterip urlfilter cache 5ip urlfilter exclusive-domain permit .weapons.comip urlfilter exclusive-domain deny .nbc.comip urlfilter exclusive-domain permit www.cisco.comip urlfilter audit-trailip urlfilter alertip urlfilter server vendor websense 209.165.202.130Afterward, audit trail messages such as the following are displayed and logged into the log server:
%URLF-6-SITE_ALLOWED:Client 209.165.201.15:12543 accessed server 10.76.82.21:8080This message is logged for each request whose destination IP address is found in the cache. It includes the source IP address, source port number, destination IP address, and destination port number. The URL is not logged in this case because the IP address of the request is found in the cache; thus, parsing the request and extracting the URL is a waste of time.
%URLF-4-SITE-BLOCKED: Access denied for the site `www.sports.com'; client 209.165.200.230:34557 server 209.165.201.2:80This message is logged when a request finds a match against one of the blocked domains in the exclusive-domain list or the corresponding entry in the IP cache.
%URLF-6-URL_ALLOWED:Access allowed for URL http://www.N2H2.com/; client 209.165.200.230:54123 server 192.168.0.1:80This message is logged for each URL request that is allowed by the vendor server (Websense or N2H2). It includes the allowed URL, source IP address, source port number, destination IP address, and destination port number. Longer URLs will be truncated to 300 bytes and then logged.
%URLF-6-URL_BLOCKED:Access denied URL http://www.google.com; client 209.165.200.230:54678 server 209.165.201.2:80This message is logged for each URL request that is blocked by the vendor server. It includes the blocked URL, source IP address, source port number, destination IP address, and destination port number. Longer URLs will be truncated to 300 bytes and then logged.
ip urlfilter cache
To configure cache parameters, use the ip urlfilter cache command in global configuration mode. To clear the configuration, use the no form of this command.
ip urlfilter cache number [vrf vrf-name]
no ip urlfilter cache number
Syntax Description
Defaults
Maximum number of destination IP addresses is 5000.
The cache table is cleared out every 12 hours.
Command Modes
Global configuration
Command History
12.2(11)YU
This command was introduced.
12.2(15)T
This command was integrated into Cisco IOS Release 12.2(15)T.
12.3(14)T
The vrf vrf-name keyword/argument pair was added.
Usage Guidelines
The cache table consists of the most recently requested IP addresses and respective authorization status for each IP address.
The caching algorithm involves three parameters—the maximum number of IP addresses that can be cached, an idle time, and an absolute time. The algorithm also involves two timers—idle timer and absolute timer. The idle timer is a small periodic timer (1 minute) that checks to see whether the number of cached IP addresses in the cache table exceeds 80 percent of the maximum limit. If the cached IP addresses have exceeded 80 percent, it will start removing idle entries; if it has not exceeded 80 percent, it will quit and wait for the next cycle. The absolute timer is a large periodic timer (1 hour) that is used to remove all of the elapsed entries. (The age of an elapsed entry is greater than the absolute time.) An elapsed entry will also be removed during cache lookup.
The idle time value is fixed at 10 minutes. The absolute time value is taken from the vendor server look-up response, which is often greater than 15 hours. The absolute value for cache entries made out of exclusive-domains is 12 hours. The maximum number of cache entries is configurable by enabling the ip urlfilter cache command.
Note
Examples
The following example shows how to configure the cache table to hold a maximum of five destination IP addresses:
ip inspect name test http urlfilterip urlfilter cache 5ip urlfilter exclusive-domain permit .weapons.comip urlfilter exclusive-domain deny .nbc.comip urlfilter exclusive-domain permit www.cisco.comip urlfilter audit-trailip urlfilter alertip urlfilter server vendor websense 192.168.3.1Related Commands
clear ip urlfilter cache
Clears the cache table.
show ip urlfilter cache
Displays the destination IP addresses that are cached into the cache table.
ip urlfilter exclusive-domain
To add or remove a domain name to or from the exclusive domain list so that the firewall does not have to send lookup requests to the vendor server, use the ip urlfilter exclusive-domain command in global configuration mode. To remove a domain name from the exclusive domain name list, use the no form of this command.
ip urlfilter exclusive-domain {permit | deny} domain-name [vrf vrf-name]
no ip urlfilter exclusive-domain {permit | deny} domain-name
Syntax Description
Defaults
This command is not enabled.
Command Modes
Global configuration
Command History
12.2(11)YU
This command was introduced.
12.2(15)T
This command was integrated into Cisco IOS Release 12.2(15)T.
12.3(14)T
The vrf vrf-name keyword/argument pair was added.
Usage Guidelines
The ip urlfilter exclusive-domain command allows you to specify a list of domain names (exclusive domains) so that the firewall will not create a lookup request for the HTTP traffic that is destined for one of the domains in the exclusive list. Thus, you can avoid sending look-up requests to the web server for HTTP traffic that is destined for a host that is completely allowed to all users.
Flexibility when entering domain names is also provided; that is, the user can enter the complete domain name or a partial domain name.
Complete Domain Name
If the user adds a complete domain name, such as "www.cisco.com," to the exclusive domain list, all HTTP traffic whose URLs are destined for this domain (such as www.cisco.com/news and www.cisco.com/index) will be excluded from the URL filtering policies of the vendor server (Websense or N2H2), and on the basis of the configuration, the URLs will be permitted or blocked (denied).
Partial Domain Name
If the user adds only a partial domain name to the exclusive domain list, such as ".cisco.com," all URLs whose domain names end with this partial domain name (such as www.cisco.com/products and www.cisco.com/eng) will be excluded from the URL filtering policies of the vendor server (Websense or N2H2), and on the basis of the configuration, the URLs will be permitted or blocked (denied).
Examples
The following example shows how to add the complete domain name "www.cisco.com" to the exclusive domain name list. This configuration will block all traffic destined to the www.cisco.com domain.
ip urlfilter exclusive-domain deny www.cisco.comThe following example shows how to add the partial domain name ".cisco.com" to the exclusive domain name list. This configuration will permit all traffic destined to domains that end with .cisco.com.
ip urlfilter exclusive-domain permit .cisco.comip urlfilter max-request
To set the maximum number of outstanding requests that can exist at any given time, use the ip urlfilter max-request command in global configuration mode. To disable this function, use the no form of this command.
ip urlfilter max-request number [vrf vrf-name]
no ip urlfilter max-request number
Syntax Description
Defaults
Maximum number of requests is 1000.
Command Modes
Global configuration
Command History
12.2(11)YU
This command was introduced.
12.2(15)T
This command was integrated into Cisco IOS Release 12.2(15)T.
12.3(14)T
The vrf vrf-name keyword/argument pair was added.
Usage Guidelines
If the specified maximum number of outstanding requests is exceeded, new requests will be dropped.
Note
Examples
The following example shows how to configure the maximum number of outstanding requests to 950:
ip inspect name url_filter httpip urlfilter max-request 950Related Commands
ip inspect name
Defines a set of inspection rules.
ip urlfilter server vendor
Configures a vendor server for URL filtering.
ip urlfilter max-resp-pak
To configure the maximum number of HTTP responses that the firewall can keep in its packet buffer, use the ip urlfilter max-resp-pak command in global configuration mode. To return to the default, use the no form of this command.
ip urlfilter max-resp-pak number [vrf vrf-name]
no ip urlfilter max-resp-pak number
Syntax Description
Defaults
200 HTTP responses
Command Modes
Global configuration
Command History
12.2(11)YU
This command was introduced.
12.2(15)T
This command was integrated into Cisco IOS Release 12.2(15)T.
12.3(14)T
The vrf vrf-name keyword/argument pair was added.
Usage Guidelines
When an HTTP request arrives at a Cisco IOS firewall, the firewall forwards the request to the web server while simultaneously sending a URL look-up request to the vendor server (Websense or N2H2). If the vendor server reply arrives before the HTTP response, the firewall will know whether to permit or block the HTTP response; if the HTTP response arrives before the vendor server reply, the firewall will not know whether to allow or block the response, so the firewall will drop the response until it hears from the vendor server. The ip urlfilter max-resp-pak command allows you to configure your firewall to store the HTTP responses in a buffer, which allows your firewall to store a maximum of 200 HTTP responses. Each response will remain in the buffer until an allow or deny message is received from the vendor server. If the vendor server reply allows the URL, the firewall will release the HTTP response from the buffer to the end user; if the vendor server reply denies the URL, the firewall will discard the HTTP response from the buffer and close the connection to both ends.
Examples
The following example shows how to configure your firewall to hold 150 HTTP responses:
ip urlfilter max-resp-pak 150ip urlfilter server vendor
To configure a vendor server for URL filtering, use the ip urlfilter server vendor command in global configuration mode. To remove a server from your configuration, use the no form of this command.
ip urlfilter server vendor {websense | n2h2} ip-address [port port-number] [timeout seconds] [retransmit number] [outside] [vrf vrf-name]
no ip urlfilter server vendor {websense | n2h2} ip-address [port port-number] [timeout seconds] [retransmit number] [outside]
Syntax Description
Defaults
A vendor server is not configured.
Command Modes
Global configuration
Command History
Usage Guidelines
Use the ip urlfilter server vendor command to configure a Websense or N2H2 server, which will interact with the Cisco IOS Firewall to filter HTTP requests on the basis of a specified policy—global filtering, user- or group-based filtering, keyword-based filtering, category-based filtering, or customized filtering.
If the firewall has not received a response from the vendor server within the time specified in the timeout seconds keyword and argument, the firewall will check the retransmit number keyword and argument configured for the vendor server. If the firewall has not exceeded the maximum retransmit tries allowed, it will resend the HTTP lookup request. If the firewall has exceeded the maximum retransmit tries allowed, it will delete the outstanding request from the queue and check the status of the allow mode value. The firewall will forward the request if the allow mode is on; otherwise, it will drop the request.
By default, URL lookup requests that are made to the vendor server contain non-natted client IP addresses because the vendor server is deployed on the inside network. The outside keyword allows the vendor server to be deployed on the outside network, thereby, allowing Cisco IOS software to send the natted IP address of the client in the URL lookup request.
Primary and Secondary Servers
When users configure multiple vendor servers, the firewall will use only one server at a time—the primary server; all other servers are called secondary servers. When the primary server becomes unavailable for any reason, it becomes a secondary server and one of the secondary servers becomes the primary server.
A firewall marks a primary server as down when sending a request to or receiving a response from the server fails. When a primary server goes down, the system will go to the beginning of the configured servers list and try to activate the first server on the list. If the first server on the list is unavailable, it will try the second server on the list; the system will keep trying to activate a server until it is successful or until it reaches the end of the server list. If the system reaches the end of the server list, it will set a flag indicating that all of the servers are down, and it will enter allow mode.
Examples
The following example shows how to configure the Websense server for URL filtering:
ip inspect name test http urlfilterip urlfilter cache 5ip urlfilter exclusive-domain permit .weapons.comip urlfilter exclusive-domain deny .nbc.comip urlfilter exclusive-domain permit www.cisco.comip urlfilter audit-trailip urlfilter alertip urlfilter server vendor websense 192.168.3.1Related Commands
ip urlfilter source-interface
To allow the URL filter to specify the interface whose IP address is used as the source IP address while a TCP connection is made to the URL filter server (Websense or N2H2), use the ip urlfilter source-interface command in global configuration mode. To disable the option, use the no form of this command.
ip urlfilter source-interface interface-type [vrf vrf-name]
no ip urlfilter source-interface [vrf vrf-name]
Syntax Description
interface-type
The interface type that is used as the source IP address.
vrf vrf-name
(Optional) Specifies the Virtual Routing and Forwarding (VRF) interface.
Command Default
The URL filter to specify a source interface for TCP is not defined.
Command Modes
Global configuration (config)
Command History
Usage Guidelines
The ip urlfilter source-interface command is used to define the source interface from which the URL filter request is sent. This command is recommended to be configured if the URL filter server can only be routed through certain interfaces on the router.
Examples
The following example shows that the URL filtering server is routed to the Ethernet interface type:
Router(config)# ip urlfilter source-interface ethernetRelated Commands
ip urlfilter truncate
To allow the URL filter to truncate long URLs to the server, use the ip urlfilter truncate command in global configuration mode. To disable the truncating option, use the no form of this command.
ip urlfilter truncate {script-parameters | hostname} [vrf vrf-name]
no ip urlfilter truncate {script-parameters | hostname} [vrf vrf-name]
Syntax Description
Command Default
URLs that are longer than the maximum supported length are not truncated, and the HTTP request is rejected.
Command Modes
Global configuration (config)
Command History
Usage Guidelines
If both the script-parameters and hostname keywords are configured, the script-parameters keyword takes precedence over the hostname keyword. If both the keywords are configured and the script parameters URL is truncated and the maximum supported URL length is exceeded, the URL is truncated up to the hostname.
Note
Examples
The following example shows that the URL is to be truncated up to the script options:
ip urlfilter truncate script-parametersThe following example shows that the URL is to be truncated up to the hostname:
ip urlfilter truncate hostnameRelated Commands
ip urlfilter urlf-server-log
To enable the logging of system messages on the URL filtering server, use the ip urlfilter urlf-server-log command in global configuration mode. To disable the logging of system messages, use the no form of this command.
ip urlfilter urlf-server-log [vrf vrf-name]
no ip urlfilter urlf-server-log
Syntax Description
vrf vrf-name
(Optional) Enables the logging of system messages on the URL filtering server only for the specified Virtual Routing and Forwarding (VRF) interface.
Defaults
This command is disabled.
Command Modes
Global configuration
Command History
12.2(11)YU
This command was introduced.
12.2(15)T
This command was integrated into Cisco IOS Release 12.2(15)T.
12.3(14)T
The vrf vrf-name keyword/argument pair was added.
Usage Guidelines
Use the ip urlfilter urlf-server-log command to enable Cisco IOS to send a log request immediately after the URL lookup request. The firewall will not make a URL lookup request if the destination IP address is in the cache, but it will still make a log request to the server. (The log request contains the URL, hostname, source IP address, and the destination IP address.) The server records the log request into its own log server so your can view this information as necessary.
Examples
The following example shows how to enable system message logging on the URL filter server:
ip urlfilter urlf-server-logip verify drop-rate compute interval
To configure the interval of time between Unicast Reverse Path Forwarding (RPF) drop rate computations, use the ip verify drop-rate compute interval command in global configuration mode. To reset the interval to the default value, use the no form of this command.
ip verify drop-rate compute interval seconds
no ip verify drop-rate compute interval
Syntax Description
seconds
Interval, in seconds, between Unicast RPF drop rate computations. The range is from 30 to 300. The default is 30.
Command Default
The drop rate is not computed.
Command Modes
Global configuration (config)
Command History
Usage Guidelines
The configured value applies for the computation of all Unicast RPF drop rates (global and per interface).
The value for the compute interval must be less than or equal to the value configured using the ip verify drop-rate compute window command. If you configure the no form of the ip verify drop-rate compute interval command while the cipUrpfDropRateWindow value is configured to be less than the default compute interval value, the following message appears on the console:
"urpf drop rate window < interval"This error message means the command was not executed. The compute interval remains at the configured value rather than changing to the default value.
Examples
The following example shows how to configure a compute interval of 45 seconds:
Router> enableRouter# configure terminalRouter(config)# ip verify drop-rate compute interval 45Related Commands
ip verify drop-rate compute window
To configure the interval of time during which the Unicast Reverse Path Forwarding (RPF) drop count is collected for the drop rate computation, use the ip verify drop-rate compute window command in global configuration mode. To reset the window to the default value, use the no form of this command.
ip verify drop-rate compute window seconds
no ip verify drop-rate compute window
Syntax Description
seconds
Interval, in seconds, during which the Unicast RPF drop count is accumulated for the drop rate computation. The range is from 30 to 300. The default is 300.
Command Default
The drop rate is not calculated.
Command Modes
Global configuration (config)
Command History
Usage Guidelines
This command configures the sliding window that begins the configured number of seconds prior to the computation and ends with the Unicast RPF drop rate computation. The configured value applies for the computation of all Unicast RPF drop rates (global and per interface).
The value configured for the "compute window" must be greater than or equal to the value configured using the ip verify drop-rate compute interval command. If you configure the no form of the ip verify drop-rate compute window command while the cipUrpfDropRateInterval value is configured to be greater than the default compute window value, the following message appears on the console:
"urpf drop rate window < interval"This error message means that the command was not executed. The compute window remains at the configured value rather than changing to the default value.
Examples
The following example shows how to configure a compute window of 60 seconds:
Router> enableRouter# configure terminalRouter(config)# ip verify drop-rate compute window 60Related Commands
ip verify drop-rate notify hold-down
To configure the minimum time between Unicast Reverse Path Forwarding (RPF) drop rate notifications, use the ip verify drop-rate notify hold-down command in global configuration mode. To reset the hold-down time to the default value, use the no form of this command.
ip verify drop-rate notify hold-down seconds
no ip verify drop-rate notify hold-down
Syntax Description
seconds
Minimum time, in seconds, between Unicast RPF drop rate notifications. The range is from 30 to 300. The default is 300.
Command Default
No notifications are sent.
Command Modes
Global configuration (config)
Command History
Usage Guidelines
The configured value applies for the computation of all Unicast RPF drop rates (global and per interface).
Examples
The following example shows how to configure a notify hold-down time of 40 seconds:
Router> enableRouter# configure terminalRouter(config)# ip verify drop-rate notify hold-down 40Related Commands
ip verify unicast notification threshold
To configure the threshold value used to determine whether to send a Unicast Reverse Path Forwarding (RPF) drop rate notification, use the ip verify unicast notification threshold command in interface configuration mode. To set the notification threshold back to the default value, use the no form of this command.
ip verify unicast notification threshold rate-val
no ip verify unicast notification threshold
Syntax Description
rate-val
Threshold value, in packets per second, used to determine whether to send a Unicast RPF drop rate notification. The range is from 0 to 4294967295. The default is 1000.
Command Default
No notifications are sent.
Command Modes
Interface configuration (config-if)
Command History
Usage Guidelines
This command configures the threshold Unicast RPF drop rate which, when exceeded, triggers a notification. Configuring a value of 0 means that any Unicast RPF packet drop triggers a notification.
Examples
The following example shows how to configure a notification threshold value of 900 on Ethernet interface 3/0:
Router> enableRouter# configure terminalRouter(config# interface ethernet 3/0
Router(config-if)# ip verify unicast notification threshold 900Related Commands
ip verify unicast reverse-path
Note
To enable Unicast Reverse Path Forwarding (Unicast RPF), use the ip verify unicast reverse-path command in interface configuration mode. To disable Unicast RPF, use the no form of this command.
ip verify unicast reverse-path [list]
no ip verify unicast reverse-path [list]
Syntax Description
Command Default
Unicast RPF is disabled.
Command Modes
Interface configuration mode (config-if)
Command History
Usage Guidelines
Use the ip verify unicast reverse-path interface command to mitigate problems caused by malformed or forged (spoofed) IP source addresses that are received by a router. Malformed or forged source addresses can indicate denial of service (DoS) attacks on the basis of source IP address spoofing.
When Unicast RPF is enabled on an interface, the router examines all packets that are received on that interface. The router checks to ensure that the source address appears in the Forwarding Information Base (FIB) and that it matches the interface on which the packet was received. This "look backwards" ability is available only when Cisco Express Forwarding (CEF) is enabled on the router because the lookup relies on the presence of the FIB. CEF generates the FIB as part of its operation.
To use Unicast RPF, enable CEF switching or distributed CEF (dCEF) switching in the router. There is no need to configure the input interface for CEF switching. As long as CEF is running on the router, individual interfaces can be configured with other switching modes.
Note
Note
The Unicast Reverse Path Forwarding feature checks to determine whether any packet that is received at a router interface arrives on one of the best return paths to the source of the packet. The feature does this by doing a reverse lookup in the CEF table. If Unicast RPF does not find a reverse path for the packet, Unicast RPF can drop or forward the packet, depending on whether an ACL is specified in the Unicast Reverse Path Forwarding command. If an ACL is specified in the command, then when (and only when) a packet fails the Unicast RPF check, the ACL is checked to determine whether the packet should be dropped (using a deny statement in the ACL) or forwarded (using a permit statement in the ACL). Whether a packet is dropped or forwarded, the packet is counted in the global IP traffic statistics for Unicast RPF drops and in the interface statistics for Unicast RPF.
If no ACL is specified in the Unicast Reverse Path Forwarding command, the router drops the forged or malformed packet immediately and no ACL logging occurs. The router and interface Unicast RPF counters are updated.
Unicast RPF events can be logged by specifying the logging option for the ACL entries used by the Unicast Reverse Path Forwarding command. Log information can be used to gather information about the attack, such as source address, time, and so on.
Where to Use RPF in Your Network
Unicast RPF may be used on interfaces in which only one path allows packets from valid source networks (networks contained in the FIB). Unicast RPF may also be used in cases for which a router has multiple paths to a given network, as long as the valid networks are switched via the incoming interfaces. Packets for invalid networks will be dropped. For example, routers at the edge of the network of an Internet Service Provider (ISP) are likely to have symmetrical reverse paths. Unicast RPF may still be applicable in certain multi-homed situations, provided that optional Border Gateway Protocol (BGP) attributes such as weight and local preference are used to achieve symmetric routing.
With Unicast RPF, all equal-cost "best" return paths are considered valid. This means that Unicast RPF works in cases where multiple return paths exist, provided that each path is equal to the others in terms of the routing cost (number of hops, weights, and so on) and as long as the route is in the FIB. Unicast RPF also functions where Enhanced Internet Gateway Routing Protocol (EIGRP) variants are being used and unequal candidate paths back to the source IP address exist.
For example, routers at the edge of the network of an ISP are more likely to have symmetrical reverse paths than routers that are in the core of the ISP network. Routers that are in the core of the ISP network have no guarantee that the best forwarding path out of the router will be the path selected for packets returning to the router. In this scenario, you should use the new form of the command, ip verify unicast source reachable-via, if there is a chance of asymmetrical routing.
Examples
The following example shows that the Unicast Reverse Path Forwarding feature has been enabled on a serial interface:
ip cef! or "ip cef distributed" for RSP+VIP based routers!interface serial 5/0/0ip verify unicast reverse-pathThe following example uses a very simple single-homed ISP to demonstrate the concepts of ingress and egress filters used in conjunction with Unicast RPF. The example illustrates an ISP-allocated classless interdomain routing (CIDR) block 192.168.202.128/28 that has both inbound and outbound filters on the upstream interface. Be aware that ISPs are usually not single-homed. Hence, provisions for asymmetrical flows (when outbound traffic goes out one link and returns via a different link) need to be designed into the filters on the border routers of the ISP.
ip cef distributed!interface Serial 5/0/0description Connection to Upstream ISPip address 192.168.200.225 255.255.255.255no ip redirectsno ip directed-broadcastno ip proxy-arpip verify unicast reverse-pathip access-group 111 inip access-group 110 out!access-list 110 permit ip 192.168.202.128 10.0.0.31 anyaccess-list 110 deny ip any any logaccess-list 111 deny ip host 10.0.0.0 any logaccess-list 111 deny ip 172.16.0.0 255.255.255.255 any logaccess-list 111 deny ip 10.0.0.0 255.255.255.255 any logaccess-list 111 deny ip 172.16.0.0 255.255.255.255 any logaccess-list 111 deny ip 192.168.0.0 255.255.255.255 any logaccess-list 111 deny ip 209.165.202.129 10.0.0.31 any logaccess-list 111 permit ip any anyThe following example demonstrates the use of ACLs and logging with Unicast RPF. In this example, extended ACL 197 provides entries that deny or permit network traffic for specific address ranges. Unicast RPF is configured on interface Ethernet 0 to check packets arriving at that interface.
For example, packets with a source address of 192.168.201.10 arriving at interface Ethernet 0 are dropped because of the deny statement in ACL 197. In this case, the ACL information is logged (the logging option is turned on for the ACL entry) and dropped packets are counted per-interface and globally. Packets with a source address of 192.168.201.100 arriving at interface Ethernet 0 are forwarded because of the permit statement in ACL 197. ACL information about dropped or suppressed packets is logged (the logging option is turned on for the ACL entry) to the log server.
ip cef distributed!int eth0/1/1ip address 192.168.200.1 255.255.255.255ip verify unicast reverse-path 197!int eth0/1/2ip address 192.168.201.1 255.255.255.255!access-list 197 deny ip 192.168.201.0 10.0.0.63 any log-inputaccess-list 197 permit ip 192.168.201.64 10.0.0.63 any log-inputaccess-list 197 deny ip 192.168.201.128 10.0.0.63 any log-inputaccess-list 197 permit ip 192.168.201.192 10.0.0.63 any log-inputaccess-list 197 deny ip host 10.0.0.0 any log-inputaccess-list 197 deny ip 172.16.0.0 255.255.255.255 any log-inputaccess-list 197 deny ip 10.0.0.0 255.255.255.255 any log-inputaccess-list 197 deny ip 172.16.0.0 255.255.255.255 any log-inputaccess-list 197 deny ip 192.168.0.0 255.255.255.255 any log-inputRelated Commands
ip verify unicast source reachable-via
To enable Unicast Reverse Path Forwarding (Unicast RPF), use the ip verify unicast source reachable-via command in interface configuration mode. To disable Unicast RPF, use the no form of this command.
ip verify unicast source reachable-via {rx | any} [allow-default] [allow-self-ping] [list] [12-src] [phys-if]
no ip verify unicast source reachable-via
Syntax Description
Command Default
Unicast RPF is disabled.
Source IPv4 and source MAC address binding is disabled
Command Modes
Interface configuration (config-if)
Command History
Usage Guidelines
Use the ip verify unicast source reachable-via interface command to mitigate problems caused by malformed or forged (spoofed) IP source addresses that pass through a router. Malformed or forged source addresses can indicate DoS attacks based on source IP address spoofing.
To use Unicast RPF, enable Cisco Express Forwarding or distributed Cisco Express Forwarding in the router. There is no need to configure the input interface for Cisco Express Forwarding. As long as Cisco Express Forwarding is running on the router, individual interfaces can be configured with other switching modes.
Note
Note
When Unicast RPF is enabled on an interface, the router examines all packets that are received on that interface. The router checks to make sure that the source address appears in the FIB. If the rx keyword is selected, the source address must match the interface on which the packet was received. If the any keyword is selected, the source address must be present only in the FIB. This ability to "look backwards" is available only when Cisco Express Forwarding is enabled on the router because the lookup relies on the presence of the FIB. Cisco Express Forwarding generates the FIB as part of its operation.
Note
Unicast RPF checks to determine whether any packet that is received at a router interface arrives on one of the best return paths to the source of the packet. If a reverse path for the packet is not found, Unicast RPF can drop or forward the packet, depending on whether an ACL is specified in the Unicast RPF command. If an ACL is specified in the command, when (and only when) a packet fails the Unicast RPF check, the ACL is checked to determine whether the packet should be dropped (using a deny statement in the ACL) or forwarded (using a permit statement in the ACL). Whether a packet is dropped or forwarded, the packet is counted in the global IP traffic statistics for Unicast RPF drops and in the interface statistics for Unicast RPF.
If no ACL is specified in the ip verify unicast source reachable-via command, the router drops the forged or malformed packet immediately, and no ACL logging occurs. The router and interface Unicast RPF counters are updated.
Unicast RPF events can be logged by specifying the logging option for the ACL entries that are used by the ip verify unicast source reachable-via command. Log information can be used to gather information about the attack, such as source address, time, and so on.
Strict Mode RPF
If the source address is in the FIB and reachable only through the interface on which the packet was received, the packet is passed. The syntax for this method is ip verify unicast source reachable-via rx.
Exists-Only (or Loose Mode) RPF
If the source address is in the FIB and reachable through any interface on the router, the packet is passed. The syntax for this method is ip verify unicast source reachable-via any.
Because this Unicast RPF option passes packets regardless of which interface the packet enters, it is often used on Internet service provider (ISP) routers that are "peered" with other ISP routers (where asymmetrical routing typically occurs). Packets using source addresses that have not been allocated on the Internet, which are often used for spoofed source addresses, are dropped by this Unicast RPF option. All other packets that have an entry in the FIB are passed.
allow-default
Normally, sources found in the FIB but only by way of the default route will be dropped. Specifying the allow-default keyword option will override this behavior. You must specify the allow-default keyword in the command to permit Unicast RPF to successfully match on prefixes that are known through the default route to pass these packets.
allow-self-ping
This keyword allows the router to ping its own interface or interfaces. By default, when Unicast RPF is enabled, packets that are generated by the router and destined to the router are dropped, thereby, making certain troubleshooting and management tasks difficult to accomplish. Issue the allow-self-ping keyword to enable self-pinging.
Caution
Using RPF in Your Network
Use Unicast RPF strict mode on interfaces where only one path allows packets from valid source networks (networks contained in the FIB). Also, use Unicast RPF strict mode when a router has multiple paths to a given network, as long as the valid networks are switched through the incoming interfaces. Packets for invalid networks will be dropped. For example, routers at the edge of the network of an ISP are likely to have symmetrical reverse paths. Unicast RPF strict mode is applicable in certain multihomed situations, provided that optional Border Gateway Protocol (BGP) attributes, such as weight and local preference, are used to achieve symmetric routing.
Note
Use Unicast RPF loose mode on interfaces where asymmetric paths allow packets from valid source networks (networks contained in the FIB). Routers that are in the core of the ISP network have no guarantee that the best forwarding path out of the router will be the path selected for packets returning to the router.
IP and MAC Address Spoof Prevention on Cisco 7600 Series Routers
In Release 12.2(33)SRC and later, use the l2-src keyword to enable source IPv4 and source MAC address binding and the phys-if keyword to verify the source IP input interface. To disable source IPv4 and source MAC address binding, use the no form of the ip verify unicast source reachable-via command.The phys-if keyword can be used on Gigabit virtual interfaces (GVI) interfaces; the l2-src keyword can be used on GVI and Ethernet-like interfaces.
If an inbound packet fails either of these security checks, it will be dropped and the Unicast RPF dropped-packet counter will be incremented. The only exception occurs if a numbered access control list has been specified as part of the Unicast RPF command in strict mode, and the ACL permits the packet. In this case the packet will be forwarded and the Unicast RPF suppressed-drops counter will be incremented.
Note
Possible keyword combinations for Unicast PRF include the following:
allow-defaultallow-self-pingl2-srcphys-if<ACL-number>allow-default allow-self-pingallow-default l2-srcallow-default phys-ifallow-default <ACL-number>allow-self-ping l2-srcallow-self-ping phys-ifallow-self-ping <ACL-number>l2-src phys-ifl2-src <ACL-number>phys-if <ACL-number>allow-default allow-self-ping l2-srcallow-default allow-self-ping phys-ifallow-default allow-self-ping <ACL-number>allow-default l2-src phys-ifallow-default l2-src <ACL-number>allow-default phys-if <ACL-number>allow-self-ping l2-src phys-ifallow-self-ping l2-src <ACL-number>allow-self-ping phys-if <ACL-number>l2-src phys-if <ACL-number>allow-default allow-self-ping l2-src phys-ifallow-default allow-self-ping l2-src <ACL-number>allow-default allow-self-ping phys-if <ACL-number>allow-default l2-src phys-if <ACL-number>allow-self-ping l2-src phys-if <ACL-number>allow-default allow-self-ping l2-src phys-if <ACL-number>Examples
Single-homed ISP Connection with Unicast RPF
The following example uses a very simple single-homed ISP connection to demonstrate the concept of Unicast RPF. In this example, an ISP peering router is connected through a single serial interface to one upstream ISP. Hence, traffic flows into and out of the ISP will be symmetric. Because traffic flows will be symmetric, a Unicast RPF strict-mode deployment can be configured.
ip cef! or "ip cef distributed" for Route Switch Processor+Versatile Interface Processor-(RSP+VIP-) based routers.!interface Serial5/0/0description - link to upstream ISP (single-homed)ip address 192.168.200.225 255.255.255.252no ip redirectsno ip directed-broadcastsno ip proxy-arpip verify unicast source reachable-viaACLs and Logging with Unicast RPF
The following example demonstrates the use of ACLs and logging with Unicast RPF. In this example, extended ACL 197 provides entries that deny or permit network traffic for specific address ranges. Unicast RPF is configured on interface Ethernet 0 to check packets arriving at that interface.
For example, packets with a source address of 192.168.201.10 arriving at interface Ethernet 0 are dropped because of the deny statement in ACL 197. In this case, the ACL information is logged (the logging option is turned on for the ACL entry) and dropped packets are counted per-interface and globally. Packets with a source address of 192.168.201.100 arriving at interface Ethernet 0 are forwarded because of the permit statement in ACL 197. ACL information about dropped or suppressed packets is logged (the logging option is turned on for the ACL entry) to the log server.
ip cef distributed!int eth0/1/1ip address 192.168.200.1 255.255.255.0ip verify unicast source reachable-via rx 197!int eth0/1/2ip address 192.168.201.1 255.255.255.0!access-list 197 deny ip 192.168.201.0 0.0.0.63 any log-inputaccess-list 197 permit ip 192.168.201.64 0.0.0.63 any log-inputaccess-list 197 deny ip 192.168.201.128 0.0.0.63 any log-inputaccess-list 197 permit ip 192.168.201.192 0.0.0.63 any log-inputaccess-list 197 deny ip host 0.0.0.0 any log-inputaccess-list 197 deny ip 172.16.0.0 0.255.255.255 any log-inputaccess-list 197 deny ip 10.0.0.0 0.255.255.255 any log-inputaccess-list 197 deny ip 172.16.0.0 0.15.255.255 any log-inputaccess-list 197 deny ip 192.168.0.0 0.0.255.255 any log-inputMAC Address Binding on Cisco 7600 Series Routers
The following example enables source IPv4 and source MAC address binding on VLAN 10.
Router# configure terminalRouter(config)# interface VLAN 10Router(config-if)# ip address 10.0.0.1 255.255.255.0Router(config-if)# ip verify unicast source reachable-via rx l2-srcRelated Commands
ip virtual-reassembly
To enable virtual fragment reassembly (VFR) on an interface, use the ip virtual-reassembly command in interface configuration mode. To disable VFR on an interface, use the no form of this command.
ip virtual-reassembly [max-reassemblies number] [max-fragments number] [timeout seconds] [drop-fragments]
no ip virtual-reassembly [max-reassemblies number] [max-fragments number] [timeout seconds] [drop-fragments]
Syntax Description
Defaults
VFR is not enabled.
Command Modes
Interface configuration
Command History
Usage Guidelines
A buffer overflow attack can occur when an attacker continuously sends a large number of incomplete IP fragments, causing the firewall to lose time and memory while trying to reassemble the fake packets.
The max-reassemblies number option and the max-fragments number option allow you to configure maximum threshold values to avoid a buffer overflow attack and to control memory usage.
In addition to configuring the maximum threshold values, each IP datagram is associated with a managed timer. If the IP datagram does not receive all of the fragments within the specified time (which can be configured via the timeout seconds option), the timer will expire and the IP datagram (and all of its fragments) will be dropped.
Automatically Enabling or Disabling VFR
VFR is designed to work with any feature that requires fragment reassembly (such as Cisco IOS Firewall and NAT). Currently, NAT enables and disables VFR internally; that is, when NAT is enabled on an interface, VFR is automatically enabled on that interface.
If more than one feature attempts to automatically enable VFR on an interface, VFR will maintain a reference count to keep track of the number of features that have enabled VFR. When the reference count is reduced to zero, VFR is automatically disabled
Examples
The following example shows how to configure VFR on interfaces ethernet2/1, ethernet2/2, and serial3/0 to facilitate the firewall that is enabled in the outbound direction on interface serial3/0. In this example, the firewall rules that specify the list of LAN1 and LAN2 originating protocols (FTP, HTTP and SMTP) are to be inspected.
ip inspect name INTERNET-FW ftpip inspect name INTERNET-FW httpip inspect name INTERNET-FW smtp!!interface Loopback0ip address 10.0.1.1 255.255.255.255!interface Ethernet2/0ip address 10.4.21.9 255.255.0.0no ip proxy-arpno ip mroute-cacheduplex halfno cdp enable!interface Ethernet2/1description LAN1ip address 10.4.0.2 255.255.255.0ip virtual-reassemblyduplex half!interface Ethernet2/2description LAN2ip address 10.15.0.2 255.255.255.0ip virtual-reassemblyduplex half!interface Ethernet2/3no ip addressno ip mroute-cacheshutdownduplex half!interface Serial3/0description Internetip unnumbered Loopback0encapsulation pppip access-group 102 inip inspect INTERNET-FW outip virtual-reassemblyserial restart-delay 0Related Commands
show ip virtual-reassembly
Displays the configuration and statistical information of the VFR on a given interface.
ip vrf
To define a VPN routing and forwarding (VRF) instance and to enter VRF configuration mode, use the ip vrf command in global configuration mode. To remove a VRF instance, use the no form of this command.
ip vrf vrf-name
no ip vrf vrf-name
Syntax Description
Command Default
No VRFs are defined. No import or export lists are associated with a VRF. No route maps are associated with a VRF.
Command Modes
Global configuration (config)
Command History
Usage Guidelines
The ip vrf vrf-name command creates a VRF instance named vrf-name. To make the VRF functional, a route distinguisher (RD) must be created using the rd route-distinguisher command in VRF configuration mode. The rd route-distinguisher command creates the routing and forwarding tables and associates the RD with the VRF instance named vrf-name.
The ip vrf default command can be used to configure a VRF instance that is a NULL value until a default VRF name can be configured. This is typically before any VRF related AAA commands are configured.
Examples
The following example shows how to import a route map to a VRF instance named VPN1:
ip vrf vpn1rd 100:2route-target both 100:2route-target import 100:1Related Commands
ip vrf forwarding
To associate a Virtual Private Network (VPN) routing and forwarding (VRF) instance with a Diameter peer, use the ip vrf forwarding command in Diameter peer configuration mode. To enable Diameter peers to use the global (default) routing table, use the no form of this command.
ip vrf forwarding name
no ip vrf forwarding name
Syntax Description
Command Default
Diameter peers use the global routing table.
Command Modes
Diameter peer configuration (config-dia-peer)
Command History
12.4(9)T
This command was introduced.
12.2(54)SG
This command was integrated into Cisco IOS Release 12.2(54)SG.
Usage Guidelines
Use the ip vrf forwarding command to specify a VRF for a Diameter peer. If a VRF name is not configured for a Diameter server, the global routing table will be used.
If the VRF associated with the specified name has not been configured, the command will have no effect and this error message will appear: No VRF found with the name name.
Examples
The following example shows how to configure the VRF for a Diameter peer:
Router (config-dia-peer)# ip vrf forwarding diam_peer_1Related Commands
ip vrf forwarding (server-group)
To configure the Virtual Private Network (VPN) routing and forwarding (VRF) reference of an authentication, authorization, and accounting (AAA) RADIUS or TACACS+ server group, use the ip vrf forwarding command in server-group configuration mode. To enable server groups to use the global (default) routing table, use the no form of this command.
ip vrf forwarding vrf-name
no ip vrf forwarding vrf-name
Syntax Description
Command Default
Server groups use the global routing table.
Command Modes
Server-group configuration (server-group)
Command History
Usage Guidelines
Use the ip vrf forwarding command to specify a VRF for a AAA RADIUS or TACACS+ server group. This command enables dial users to utilize AAA servers in different routing domains.
Examples
The following example shows how to configure the VRF user to reference the RADIUS server in a different VRF server group:
aaa group server radius sg_globalserver-private 172.16.0.0 timeout 5 retransmit 3!aaa group server radius sg_waterserver-private 10.10.0.0 timeout 5 retransmit 3 key waterip vrf forwarding waterThe following example shows how to configure the VRF user to reference the TACACS+ server in the server group tacacs1:
aaa group server tacacs+tacacs1server-private 10.1.1.1 port 19 key ciscoip vrf forwarding ciscoip tacacs source-interface Loopback0ip vrf ciscord 100:1interface Loopback0ip address 10.0.0.2 255.0.0.0ip vrf forwarding ciscoRelated Commands
ip wccp web-cache accelerated
To enable the hardware acceleration for WCCP version 1, use the ip wccp web-cache accelerated command in global configuration mode. To disable hardware acceleration, use the no form of this command.
ip wccp web-cache accelerated [[group-address group-address] | [redirect-list access-list] | [group-list access-list] | [password password]]
no ip wccp web-cache accelerated
Syntax Description
Defaults
Disabled
Command Modes
Global configuration (config)
Command History
Usage Guidelines
This command is supported on software releases later than cache engine software Release ACNS 4.2.1.
The group-address group-address option requires a multicast address that is used by the router to determine which cache engine should receive redirected messages. This option instructs the router to use the specified multicast IP address to coalesce the "I See You" responses for the "Here I Am" messages that it has received on this group address. In addition, the response is sent to the group address. The default is for no group-address to be configured, so that all "Here I Am" messages are responded to with a unicast reply.
The redirect-list access-list option instructs the router to use an access list to control the traffic that is redirected to the cache engines of the service group that is specified by the service-name given. The access-list argument specifies either a number from 1 to 99 to represent a standard or extended access-list number, or a name to represent a named standard or extended access list. The access list itself specifies the traffic that is permitted to be redirected. The default is for no redirect-list to be configured (all traffic is redirected).
The group-list access-list option instructs the router to use an access list to control the cache engines that are allowed to participate in the specified service group. The access-list argument specifies either a number from 1 to 99 to represent a standard access-list number, or a name to represent a named standard access list. The access list specifies which cache engines are permitted to participate in the service group. The default is for no group-list to be configured, so that all cache engines may participate in the service group.
The password can be up to seven characters. When you designate a password, the messages that are not accepted by the authentication are discarded. The password name is combined with the HMAC MD5 value to create security for the connection between the router and the cache engine.
Examples
The following example shows how to enable the hardware acceleration for WCCP version 1:
Router(config)# ip wccp web-cache acceleratedRelated Commands
ips signature update cisco
To initiate a one-time download of Cisco IOS Intrusion Prevention System (IPS) signatures from Cisco.com, use the ips signature update cisco command in Privileged EXEC mode.
ips signature update cisco {next | latest | signature} [username name password password]
Syntax Description
Defaults
Privileged EXEC mode (#)
Command History
Usage Guidelines
The ips signature update cisco command is used to initiate a one-time download of IPS signatures from Cisco.com. If you want IPS signatures to be periodically downloaded from Cisco.com, use the ip ips auto-update command in global configuration mode and subsequently the cisco command in IPS-auto-update configuration mode to enable automatic signature updates from Cisco.com.
If the username and password is not specified, then the username and password that is specified in the IPS auto update configuration is used. A user name and password must be configured for updating signatures directly from Cisco.com.
Examples
The following example shows how to get the latest automatic signature update from Cisco.com:
Router# ips signature update cisco latestRelated Commands
ip ips auto-update
Enables automatic signature updates for Cisco IOS IPS.
cisco
Enables automatic signature updates from Cisco.com.
ipv4 (ldap)
To create an IPv4 address within a Lightweight Directory Access Protocol (LDAP) server address pool, use the ipv4 command in LDAP server configuration mode. To delete an IPv4 address within an LDAP server address pool, use the no form of this command.
ipv4 ipv4-address
no ipv4 ipv4-address
Syntax Description
Command Default
No IPv4 addresses are created in the LDAP server address pool.
Command Modes
LDAP server configuration (config-ldap-server)
Command History
Examples
The following example shows how to create an IPv4 address in an LDAP server address pool:
Router(config)# ldap server server1Router(config-ldap-server)# ipv4 10.0.0.1Related Commands
ipv6 crypto map
To enable an IPv6 crypto map on an interface, use the ipv6 crypto map command in interface configuration mode. To disable, use the no form of this command.
ipv6 crypto map map-name
no ipv6 crypto map
Syntax Description
Command Default
No IPv6 crypto maps are enabled on the interface.
Command Modes
Interface configuration (config-if)
Command History
Usage Guidelines
This command differentiates IPv6 and IPv4 crypto maps.
Examples
The following example shows how to enable an IPv6 crypto map on an interface:
Router# configure terminalRouter(config)# interface ethernet 0/0Router(config-if)# ipv6 crypto map CM_V4Related Commands
isakmp authorization list
To configure an Internet Key Exchange (IKE) shared secret using the authentication, authorization, and accounting (AAA) server in an Internet Security Association and Key Management Protocol (ISAKMP) profile, use the isakmp authorization list command in ISAKMP profile configuration mode. To disable the shared secret, use the no form of this command.
isakmp authorization list list-name
no isakmp authorization list list-name
Syntax Description
list-name
AAA authorization list used for configuration mode attributes or preshared keys for aggressive mode.
Defaults
No default behaviors or values
Command Modes
ISAKMP profile configuration (config-isa-prof)
Command History
Usage Guidelines
This command allows you to retrieve a shared secret from an AAA server.
Examples
The following example shows that an IKE shared secret is configured using an AAA server on a router:
crypto isakmp profile vpnprofileisakmp authorization list ikessaaalistRelated Commands
issuer-name
To specify the distinguished name (DN) as the certification authority (CA) issuer name for the certificate server, use the issuer-name command in certificate server configuration mode. To clear the issuer name and return to the default, use the no form of this command.
issuer-name DN-string
no issuer-name DN-string
Syntax Description
Defaults
If the issuer name is not configured, CN = cs-label
Command Modes
Certificate server configuration
Command History
Usage Guidelines
The DN-string value cannot be changed after the certificate server generates its signed certificate.
Examples
The following example shows how to define an issuer name for the certificate server "mycertserver":
Router(config)# ip http serverRouter(config)# crypto pki server mycertserverRouter(cs-server)# database level minimalRouter(cs-server)# database url nvram:Router(cs-server)# issuer-name CN = ipsec_cs,L = My Town,C = USRelated Commands
crypto pki server
Enables a Cisco IOS certificate server and enters certificate server configuration mode.
ivrf
To specify a user-defined VPN routing and forwarding (VRF) or use the global VRF, use the ivrf command in IKEv2 profile configuration mode. To delete the VRF specification, use the no form of this command.
ivrf name
no ivrf
Syntax Description
Command Default
VRF is not specified.
Command Modes
IKEv2 profile configuration (config-ikev2-profile)
Command History
15.1(1)T
This command was introduced.
Cisco IOS XE Release 3.3S
This command was integrated into Cisco IOS XE Release 3.3S.
Usage Guidelines
Use this command to specify a user-defined VRF or a global VRF, which should be attached to static and dynamic crypto maps. The inside VRF (IVRF) for a tunnel interface should be configured on the tunnel interface. IVRF specifies the VRF for cleartext packets. The default value for IVRF is Forward VRF (FVRF).
Examples
The following example shows how to specify IVRF:
Router(config)# crypto ikev2 profile profile1Router(config-ikev2-profile)# ivrf vrf1Related Commands
crypto ikev2 profile
Defines an IKEv2 profile.
show crypto ikev2 profile
Displays the IKEv2 profile.
