-
Cisco IOS Security Command Reference
-
Introduction
-
aaa accounting through aaa local authentication attempts max-fail
-
aaa max-sessions through algorithm
-
all (profile map configuration) through browser-proxy
-
ca trust-point through clear eou
-
clear ip access-list counters through crl-cache none
-
crypto aaa attribute list through crypto ipsec transform-set
-
crypto isakmp aggressive-mode disable through crypto mib ipsec flowmib history tunnel size
-
crypto pki authenticate through ctype
-
database archive through dns
-
dnsix-dmdp retries through dynamic
-
E
-
F through H
-
icmp idle-timeout through ip http ezvpn
-
ip inspect through ip security strip
-
ip source-track through ivrf
-
K through L
-
mac access-group through max-users (WebVPN)
-
message retry count through outgoing
-
parameter through port-misuse
-
ppp accounting through quit
-
radius attribute nas-port-type through rate-limit (firewall)
-
reauthentication time through rsa-pubkey
-
sa ipsec through sessions maximum
-
set aggressive-mode client-endpoint through show class-map type urlfilter
-
show crypto ace redundancy through show crypto vlan
-
show diameter peer through show object-group
-
show parameter-map type consent through show users
-
show vlan group through switchport port-security violation
-
tacacs-server administration through title-color
-
traffic-export through zone security
-
Feedback
Table Of Contents
key config-key password-encryption
logging ip access-list cache (global configuration)
logging ip access-list cache (interface configuration)
keepalive (isakmp profile)
To allow the gateway to send dead peer detection (DPD) messages to the peer, use the keepalive command in Internet Security Association Key Management Protocol (ISAKMP) profile configuration mode. To return to the default, use the no form of this command.
keepalive seconds retry retry-seconds
no keepalive seconds retry retry-seconds
Syntax Description
seconds
Number of seconds between DPD messages. The range is from 10 to 3600 seconds.
retry retry-seconds
Number of seconds between retries if DPD message fails. The range is from 2 to 60 seconds.
Defaults
If this command is not configured, a DPD message is not sent to the client.
Command Modes
ISAKMP profile configuration (config-isa-prof)
Command History
12.2(15)T
This command was introduced.
Cisco IOS XE Release 2.6
This command was integrated into Cisco IOS XE Release 2.6.
Usage Guidelines
Use this command to enable the gateway (instead of the client) to send DPD messages to the client. Internet Key Exchange (IKE) DPD is a new keepalive scheme that sends messages to let the router know that the client is still connected.
Examples
The following example shows that DPD messages have been configured to be sent every 60 seconds and every 5 seconds between retries if the peer does not respond:
crypto isakmp profile vpnprofilekeepalive 60 retry 5kerberos clients mandatory
To cause the rsh, rcp, rlogin, and telnet commands to fail if they cannot negotiate the Kerberos protocol with the remote server, use the kerberos clients mandatory command in global configuration mode. To make Kerberos optional, use the no form of this command.
kerberos clients mandatory
no kerberos clients mandatory
Syntax Description
This command has no arguments or keywords.
Defaults
Disabled
Command Modes
Global configuration
Command History
Usage Guidelines
If this command is not configured and the user has Kerberos credentials stored locally, the rsh, rcp, rlogin, and telnet commands attempt to negotiate the Kerberos protocol with the remote server and will use the non-Kerberized protocols if unsuccessful.
If this command is not configured and the user has no Kerberos credentials, the standard protocols for rcp and rsh are used to negotiate.
Examples
The following example causes the rsh, rcp, rlogin, and telnet commands to fail if they cannot negotiate the Kerberos protocol with the remote server:
kerberos clients mandatoryRelated Commands
kerberos credentials forward
To force all network application clients on the router to forward users' Kerberos credentials upon successful Kerberos authentication, use the kerberos credentials forward command in global configuration mode. To turn off forwarding of Kerberos credentials, use the no form of this command.
kerberos credentials forward
no kerberos credentials forward
Syntax Description
This command has no arguments or keywords.
Defaults
Disabled
Command Modes
Global configuration
Command History
Usage Guidelines
Enable credentials forwarding to have users' ticket granting tickets (TGTs) forwarded to the host on which they authenticate. In this way, users can connect to multiple hosts in the Kerberos realm without running the KINIT program each time they need to get a TGT.
Examples
The following example forces all network application clients on the router to forward users' Kerberos credentials upon successful Kerberos authentication:
kerberos credentials forwardRelated Commands
kerberos instance map
To map Kerberos instances to Cisco IOS privilege levels, use the kerberos instance map command in global configuration mode. To remove a Kerberos instance map, use the no form of this command.
kerberos instance map instance privilege-level
no kerberos instance map instance
Syntax Description
Defaults
Privilege level 1
Command Modes
Global configuration
Command History
Usage Guidelines
Use this command to create user instances with access to administrative commands.
Examples
The following example sets the privilege level to 15 for authenticated Kerberos users with the admin instance in Kerberos realm:
kerberos instance map admin 15Related Commands
kerberos local-realm
To specify the Kerberos realm in which the router is located, use the kerberos local-realm command in global configuration mode. To remove the specified Kerberos realm from this router, use the no form of this command.
kerberos local-realm kerberos-realm
no kerberos local-realm
Syntax Description
Defaults
Disabled
Command Modes
Global configuration
Command History
Usage Guidelines
The router can be located in more than one realm at a time. However, there can only be one instance of Kerberos local-realm. The realm specified with this command is the default realm.
Examples
The following example specify the Kerberos realm in which the router is located as EXAMPLE.COM:
kerberos local-realm EXAMPLE.COMRelated Commands
kerberos password
To set the password shared with the key distribution center, use the kerberos password command in global configuration mode. To disable the configured password, use the no form of this command.
kerberos password [text-string]
no kerberos password [text-string]
Syntax Description
Command Default
The password is not set.
Command Modes
Global configuration (config)
Command History
Usage Guidelines
Kerberos is a network authentication protocol that allows a secured way of node communication in a nonsecure network.
Examples
The following example shows how to set the password:
Router# configure terminalRouter(config)# kerberos password treas123Related Commands
kerberos preauth
To specify a preauthentication method to use to communicate with the key distribution center (KDC), use the kerberos preauth command in global configuration mode. To disable Kerberos preauthentication, use the no form of this command.
kerberos preauth [encrypted-unix-timestamp | encrypted-kerberos-timestamp | none]
no kerberos preauth
Syntax Description
Defaults
Disabled
Command Modes
Global configuration
Command History
Usage Guidelines
It is more secure to use a preauthentication for communications with the KDC. However, communication with the KDC will fail if the KDC does not support this particular version of kerberos preauth. If that happens, turn off the preauthentication with the none option.
The no form of this command is equivalent to using the none keyword.
Examples
The following example enables Kerberos preauthentication:
kerberos preauth encrypted-unix-timestampThe following example disables Kerberos preauthentication:
kerberos preauth noneRelated Commands
kerberos processes
To set the number of kerberos processes to service requests, use the kerberos processes command in global configuration mode. To disable the configuration, use the no form of this command.
kerberos processes number
no kerberos processes
Syntax Description
Command Default
The default process is 1.
Command Modes
Global configuration (config)
Command History
Examples
The following example shows how to set the number of kerberos processes to 10:
Router# configure terminalRouter(config)# kerberos processes 10Related Commands
debug kerberos
Displays information associated with the Kerberos Authentication Subsystem.
kerberos realm
To map a host name or Domain Name System (DNS) domain to a Kerberos realm, use the kerberos realm command in global configuration mode. To remove a Kerberos realm map, use the no form of this command.
kerberos realm {dns-domain | host} kerberos-realm
no kerberos realm {dns-domain | host} kerberos-realm
Syntax Description
dns-domain
Name of a DNS domain or host.
host
Name of a DNS host.
kerberos-realm
Name of the Kerberos realm to which the specified domain or host belongs.
Defaults
Disabled
Command Modes
Global configuration
Command History
Usage Guidelines
DNS domains are specified with a leading dot (.) character; host names cannot begin with a dot (.) character. There can be multiple entries of this line.
A Kerberos realm consists of users, hosts, and network services that are registered to a Kerberos server. The Kerberos realm must be in uppercase characters. The router can be located in more than one realm at a time. Kerberos realm names must be in all uppercase characters.
Examples
The following example maps the domain name "example.com" to the Kerberos realm, EXAMPLE.COM:
kerberos realm .example.com EXAMPLE.COMRelated Commands
kerberos retry
To configure the number of retry attempts for the key distribution center (KDC) sessions, use the kerberos retry command in global configuration mode. To return to the default setting (4 retries), use the no form of this command.
kerberos retry number
no kerberos retry
Syntax Description
Command Default
The default value is four retry attempts.
Command Modes
Global configuration (config)
Command History
Usage Guidelines
When multiple KDCs are configured, there is no way to control the timeout so that failover occurs. This causes common client applications to fail before the next KDC is contacted. Therefore, the kerberos retry command enables you to establish stable communication with the KDCs.
Examples
The following example shows how to configure the retry value for the KDC session:
Router> enableRouter# configure terminalRouter(config)# kerberos retry 3Related Commands
kerberos server
To specify the location of the Kerberos server for a given Kerberos realm, use the kerberos server command in global configuration mode. To remove a Kerberos server for a specified Kerberos realm, use the no form of this command.
kerberos server kerberos-realm {host-name | ip-address} [port-number]
no kerberos server kerberos-realm {host-name | ip-address}
Syntax Description
Defaults
Disabled
Command Modes
Global configuration
Command History
Usage Guidelines
Use the kerberos server command to specify the location of the Kerberos server for a given realm.
Examples
The following example specifies 192.168.47.66 as the Kerberos server for the Kerberos realm EXAMPLE.COM:
kerberos server EXAMPLE.COM 192.168.47.66Related Commands
kerberos srvtab entry
To retrieve a SRVTAB file from a remote host and automatically generate a Kerberos SRVTAB entry configuration, use the kerberos srvtab entry command in global configuration mode. To remove a SRVTAB entry from the router's configuration, use the no form of this command.
kerberos srvtab entry kerberos-principal principal-type timestamp key-version number key-type key-length encrypted-keytab
no kerberos srvtab entry kerberos-principal principal-type
Syntax Description
Defaults
No default behavior or values.
Command Modes
Global configuration
Command History
Usage Guidelines
When you use the kerberos srvtab remote command to copy the SRVTAB file from a remote host (generally the KDC), it parses the information in this file and stores it in the router's running configuration in the kerberos srvtab entry format. The key for each SRVTAB entry is encrypted with a private DES key if one is defined on the router. To ensure that the SRVTAB is available (that is, that it does not need to be acquired from the KDC) when you reboot the router, use the write memory router configuration command to write the router's running configuration to NVRAM.
If you reload a configuration, with a SRVTAB encrypted with a private DES key, on to a router that does not have a private DES key defined, the router displays a message informing you that the SRVTAB entry has been corrupted, and discards the entry.
If you change the private DES key and reload an old version of the router's configuration that contains SRVTAB entries encrypted with the old private DES keys, the router will restore your Kerberos SRVTAB entries, but the SRVTAB keys will be corrupted. In this case, you must delete your old Kerberos SRVTAB entries and reload your Kerberos SRVTABs on to the router using the kerberos srvtab remote command.
Although you can configure kerberos srvtab entry on the router manually, generally you would not do this because the keytab is encrypted automatically by the router when you copy the SRVTAB using the kerberos srvtab remote command.
Examples
In the following example, host/new-router.example.com@EXAMPLE.COM is the host, 0 is the type, 817680774 is the timestamp, 1 is the version of the key, 1 indicates the DES is the encryption type, 8 is the number of bytes, and .cCN.YoU.okK is the encrypted key:
kerberos srvtab entry host/new-router.example.com@EXAMPLE.COM 0 817680774 1 1 8 .cCN.YoU.okKRelated Commands
kerberos srvtab remote
Retrieves a krb5 SRVTAB file from the specified host.
key config-key
Defines a private DES key for the router.
kerberos srvtab remote
To retrieve a SRVTAB file from a remote host and automatically generate a Kerberos SRVTAB entry configuration, use the kerberos srvtab remote command in global configuration mode.
kerberos srvtab remote {boot_device:URL}
Syntax Description
URL
Machine that has the Kerberos SRVTAB file.
ip-address
IP address of the machine that has the Kerberos SRVTAB file.
filename
Name of the SRVTAB file.
Defaults
No default behavior or values.
Command Modes
Global configuration
Command History
Usage Guidelines
When you use the kerberos srvtab remote command to copy the SRVTAB file from the remote host (generally the key distribution center [KDC]), it parses the information in this file and stores it in the router's running configuration in the kerberos srvtab entry format. The key for each SRVTAB entry is encrypted with the private Data Encryption Standard (DES) key if one is defined on the router. To ensure that the SRVTAB is available (that is, that it does not need to be acquired from the KDC) when you reboot the router, use the write memory configuration command to write the router's running configuration to NVRAM.
Examples
The following example copies the SRVTAB file residing on b1.example.com to a router named s1.example.com:
kerberos srvtab remote tftp://b1.example.com/s1.example.com-new-srvtabRelated Commands
kerberos timeout
To configure the timeout for key distribution center (KDC) requests, use the kerberos timeout command in global configuration mode. To return to the default setting (5 seconds), use the no form of this command.
kerberos timeout seconds
no kerberos timeout
Syntax Description
seconds
Timeout, in seconds, for KDC requests. The value range is from 1 to 10. The default value is 5 seconds.
Command Default
The timeout for KDC requests is 5 seconds.
Command Modes
Global configuration (config)
Command History
Usage Guidelines
When multiple KDCs are configured, there is no way to control the timeout so that failover occurs. This causes common client applications to fail before the next KDC is contacted. Therefore, the kerberos retry command enables you to establish stable communication with the KDCs.
Examples
The following example shows how to configure the timeout value for KDC requests:
Router> enableRouter# configure terminalRouter(config)# kerberos timeout 3Related Commands
key (isakmp-group)
To specify the Internet Key Exchange (IKE) preshared key for group policy attribute definition, use the key command in Internet Security Association Key Management Protocol (ISAKMP) group configuration mode. To remove a preshared key, use the no form of this command.
key name
no key name
Syntax Description
name
IKE preshared key that matches the password entered on the client.
Note
This value must match the "password" field that is defined in the Cisco VPN Client 3.x configuration GUI.
Defaults
No default behavior or values.
Command Modes
ISAKMP group configuration (config-isakmp-group)
Command History
Usage Guidelines
Use the key command to specify the IKE preshared key when defining group policy information for Mode Configuration push. (It follows the crypto isakmp client configuration group command.) You must configure this command if the client identifies itself to the router with a preshared key. (You do not have to enable this command if the client uses a certificate for identification.)
Examples
The following example shows how to specify the preshared key "cisco":
crypto isakmp client configuration group defaultkey ciscodns 10.2.2.2 10.3.2.3pool dogacl 199Related Commands
acl
Configures split tunneling.
crypto isakmp client configuration group
Specifies the DNS domain to which a group belongs.
key config-key
To define a private DES key for the router, use the key config-key command in global configuration mode. To delete a private Data Encryption Standard (DES) key from the router, use the no form of this command.
key config-key 1 string
no key config-key 1 string
Syntax Description
1
Key number. This number is always 1.
string
Private DES key (can be up to eight alphanumeric characters).
Defaults
No DES-key defined.
Command Modes
Global configuration
Command History
Usage Guidelines
This command defines a private DES key for the router that will not show up in the router configuration. This private DES key can be used to DES-encrypt certain parts of the router's configuration.
Caution
Examples
The following example sets keyxx as the private DES key on the router:
key config-key 1 keyxxRelated Commands
key config-key password-encryption
To store a type 6 encryption key in private NVRAM, use the key config-key password-encryption command in global configuration mode. To disable the encryption, use the no form of this command.
key config-key password-encryption [text]
no key config-key password-encryption [text]
Syntax Description
Defaults
No type 6 password encryption
Command Modes
Global configuration
Command History
Usage Guidelines
You can securely store plain text passwords in type 6 format in NVRAM using a command-line interface (CLI). Type 6 passwords are encrypted. Although the encrypted passwords can be seen or retrieved, it is difficult to decrypt them to find out the actual password. Use the key config-key password-encryption command with the password encryption aes command to configure and enable the password (symmetric cipher Advanced Encryption Standard [AES] is used to encrypt the keys). The password (key) configured using the key config-key password-encryption command is the master encryption key that is used to encrypt all other keys in the router.
If you configure the password encryption aes command without configuring the key config-key password-encryption command, the following message is printed at startup or during any nonvolatile generation (NVGEN) process, such as when the show running-config or copy running-config startup-config commands have been configured:
"Can not encrypt password. Please configure a configuration-key with `key config-key'"Changing a Password
If the password (master key) is changed, or reencrypted, using the key config-key password-encryption command), the list registry passes the old key and the new key to the application modules that are using type 6 encryption.
Deleting a Password
If the master key that was configured using the key config-key password-encryption command is deleted from the system, a warning is printed (and a confirm prompt is issued) that states that all type 6 passwords will become useless. As a security measure, after the passwords have been encrypted, they will never be decrypted in the Cisco IOS software. However, passwords can be reencrypted as explained in the previous paragraph.
Caution
Unconfiguring Password Encryption
If you later unconfigure password encryption using the no password encryption aes command, all existing type 6 passwords are left unchanged, and as long as the password (master key) that was configured using the key config-key password-encryption command exists, the type 6 passwords will be decrypted as and when required by the application.
Storing Passwords
Because no one can "read" the password (configured using the key config-key password-encryption command), there is no way that the password can be retrieved from the router. Existing management stations cannot "know" what it is unless the stations are enhanced to include this key somewhere, in which case the password needs to be stored securely within the management system. If configurations are stored using TFTP, the configurations are not standalone, meaning that they cannot be loaded onto a router. Before or after the configurations are loaded onto a router, the password must be manually added (using the key config-key password-encryption command). The password can be manually added to the stored configuration but is not recommended because adding the password manually allows anyone to decrypt all passwords in that configuration.
Configuring New or Unknown Passwords
If you enter or cut and paste cipher text that does not match the master key, or if there is no master key, the cipher text is accepted or saved, but an alert message is printed. The alert message is as follows:
"ciphertext>[for username bar>] is incompatible with the configured master key."If a new master key is configured, all the plain keys are encrypted and made type 6 keys. The existing type 6 keys are not encrypted. The existing type 6 keys are left as is.
If the old master key is lost or unknown, you have the option of deleting the master key using the no key config-key password-encryption command. Deleting the master key using the no key config-key password-encryption command causes the existing encrypted passwords to remain encrypted in the router configuration. The passwords will not be decrypted.
Examples
The following example shows that a type 6 encryption key is to be stored in NVRAM:
Router (config)# key config-key password-encryptionRelated Commands
password encryption aes
Enables a type 6 encrypted preshared key.
password logging
Provides a log of debugging output for a type 6 password operation.
keyring
To configure a keyring with an Internet Security Association and Key Management Protocol (ISAKMP) profile, use the keyring command in ISAKMP profile configuration mode. To remove the keyring from the ISAKMP profile, use the no form of this command.
keyring keyring-name
no keyring keyring-name
Syntax Description
keyring-name
The keyring name, which must match the keyring name that was defined in the global configuration.
Defaults
If this command is not used, the ISAKMP profile uses the keys defined in the global configuration.
Command Modes
ISAKMP profile configuration (config-isa-prof)
Command History
12.2(15)T
This command was introduced.
Cisco IOS XE Release 2.6
This command was integrated into Cisco IOS XE Release 2.6.
Usage Guidelines
The ISAKMP profile successfully completes authentication of peers if the peer keys are defined in the keyring that is attached to this profile. If no keyring is defined in the profile, the global keys that were defined in the global configuration are used.
Examples
The following example shows that "vpnkeyring" is configured as the keyring name:
crypto isakmp profile vpnprofilekeyring vpnkeyringkeyring (IKEv2 profile)
To specify a locally defined or accounting, authentication and authorization (AAA)-based keyring, use the keyring command in IKEv2 profile configuration mode. To delete the keyring, use the no form of this command.
keyring [aaa] name
no keyring
Syntax Description
aaa
(Optional) Specifies the AAA-based preshared keys list name.
name
The keyring name for a locally defined keyring or AAA method list for an AAA-based keyring.
Command Default
A keyring is not specified.
Command Modes
IKEv2 profile configuration (crypto-ikev2-profile)
Command History
15.1(1)T
This command was introduced.
Cisco IOS XE Release 3.3S
This command was integrated into Cisco IOS XE Release 3.3S.
Usage Guidelines
Use this command to specify a keyring for use with the local and remote preshared key authentication methods. Only one keyring can be configured either local or AAA based.
Note
Examples
The following example shows how to configure an AAA-based keyring and assign the keyring to a profile:
Router(config)# aaa new-modelRouter(config)# aaa authentication login aaa-psk-list default group radiusRouter(config)# crypto ikev2 profile profile1Router(config-ikev2-profile)# keyring aaa aaa-psk-listThe following example shows how to configure a locally defined keyring:
Router(config)# crypto ikev2 profile profile1Router(config-ikev2-profile)# keyring keyring1Related Commands
key-string (IKE)
To specify the Rivest, Shamir, and Adelman (RSA) public key of the remote peer, use the key-string command in public key configuration mode. To remove the RSA public key, use the no form of this command.
key-string key-string
no key-string key-string
Syntax Description
key-string
Enter the key in hexadecimal format. While entering the key data, you can press Return to continue entering data.
Defaults
No default behavior or values
Command Modes
Public key configuration (config-pubkey)
Command History
Usage Guidelines
Before using this command, you must enter the rsa-pubkey command in the crypto keyring mode.
If possible, to avoid mistakes, you should cut and paste the key data (instead of attempting to type in the data).
To complete the command, you must return to the global configuration mode by typing quit at the config-pubkey prompt.
Examples
The following example manually specifies the RSA public keys of an IP Security (IPSec) peer:
Router(config)# crypto keyring vpnkeyringRouter(conf-keyring)# rsa-pubkey name host.vpn.comRouter(config-pubkey-key)# address 10.5.5.1Router(config-pubkey)# key-stringRouter(config-pubkey)# 00302017 4A7D385B 1234EF29 335FC973Router(config-pubkey)# 2DD50A37 C4F4B0FD 9DADE748 429618D5Router(config-pubkey)# 18242BA3 2EDFBDD3 4296142A DDF7D3D8Router(config-pubkey)# 08407685 2F2190A0 0B43F1BD 9A8A26DBRouter(config-pubkey)# 07953829 791FCDE9 A98420F0 6A82045BRouter(config-pubkey)# 90288A26 DBC64468 7789F76E EE21Router(config-pubkey)# quitRouter(config-pubkey-key)# exitRouter(conf-keyring)# exitRelated Commands
language
To specify the language to be used in a webvpn context, use the language command in webvpn context configuration mode. To remove the language, use the no form of this command.
language {Japanese | customize language-name device:file}
no language {Japanese | customize language-name device:file}
Syntax Descriptionno language {Japanese | customize language-name device:file}
Command Default
English is the language.
Command Modes
Webvpn context configuration (config-webvpn-context)
Command History
Examples
The following example shows that the language to be used is Japanese:
Router (config)# webvpn contextRouter (config-webvpn-context)# language JapaneseThe following example shows that the language (mylang) is to be customized from the file "lang.js," which is in flash:
Router (config)# webvpn contextRouter (config-webvpn-context)# language customize mylang flash:lang.jsRelated Commands
webvpn create template
Creates templates for multilanguage support for messages in an SSL VPN.
ldap attribute-map
To configure a dynamic Lightweight Directory Access Protocol (LDAP) attribute map, use the ldap attribute-map command in global configuration mode. To remove the attribute maps, use the no form of this command.
ldap attribute-map map-name
no ldap attribute-map map-name
Syntax Description
Command Default
Default mapping is applied.
Command Modes
Global configuration (config)
Command History
Usage Guidelines
You can create LDAP attribute maps to map your existing user-defined LDAP attribute names and values to Cisco attribute names and values that are compatible. You can then bind these attribute maps to LDAP server configuration or remove them as required. The default map is displayed using the show ldap attributes command.
Examples
The following command shows how to create an unpopulated LDAP attribute map table named att_map_1:
Router(config)# ldap attribute-map att_map_1Related Commands
ldap search
To search a Lightweight Directory Access Protocol (LDAP) server, use the ldap search command in privileged EXEC mode.
ldap search server-address port-number search-base scope-number search-filter ssl
Syntax Description
Command Modes
Privileged EXEC (#)
Command History
Examples
The following example shows how to search an LDAP server:
Router# ldap search 10.0.0.1 265 c 2 sea sslRelated Commands
ldap server
To define a Lightweight Directory Access Protocol (LDAP) server and enter LDAP server configuration mode, use the ldap server command in global configuration mode. To remove an LDAP server configuration, use the no form of this command.
ldap server name
no ldap server name
Syntax Description
Command Default
No LDAP server is configured.
Command Modes
Global configuration (config)
Command History
Usage Guidelines
You can define the following parameters in LDAP server configuration mode:
•
•
•
•
Examples
The following example shows how to define an LDAP server named server1:
Router(config)# ldap server server1Related Commands
ipv4 (ldap)
Creates an IPv4 address within an LDAP server address pool.
transport port (ldap)
Configures the transport protocol for establishing a connection with the LDAP server.
length (RITE)
To specify the length the captured portion of the packets being captured in IP traffic export capture mode, use the length command in RITE configuration mode. To return to the default condition of capturing entire packets, use the no form of this command.
length bytes
no length
Syntax Description
bytes
The length in bytes of the packet captured in IP traffic export capture mode. Acceptable values are 128, 256, and 512.
Command Default
When you do not use this command, the entire packet is captured.
Command Modes
RITE configuration
Command History
Usage Guidelines
Use this command to limit the length of the portion of the packets being captured in IP traffic export capture mode. The captured portion of the packets are limited to 128, 256, or 512 bytes. If you do not use the length command, entire packets are captured.
Examples
The following example shows the use of the length command in the configuration of IP traffic export capture mode profile "corp2":
Router(config)# ip traffic-export profile corp2 mode_captureRouter(config-rite)# bidirectionalRouter(config-rite)# outgoing sample one-in-every 50Router(config-rite)# incoming access-list ham_aclRouter(config-rite)# length 512Router(config-rite)# exitRouter(config)# interface FastEthernet 0/0Router(config-if)# ip traffic-export apply corp2 size 10000000Related Commands
lifetime (certificate server)
To specify the lifetime of the certification authority (CA) or a certificate, use the lifetime command in certificate server configuration mode. To return to the default lifetime values, use the no form of this command.
lifetime {ca-certificate | certificate} days [hours [minutes]]
no lifetime {ca-certificate | certificate}
Syntax Description
Command Default
The default CA certificate lifetime is 1095 days, or 3 years.
The default certificate lifetime is 365 days, or 1 year.
Command Modes
Certificate server configuration (cs-server)
Command History
Usage Guidelines
After you enable a certificate server via the crypto pki server command, use the lifetime command if you wish to specify lifetime values other than the default values for the CA certificate and the certificate of the certificate server.
After the certificate generates its signed certificate, the lifetime cannot be changed. All certificates are valid when they are issued.
Examples
The following example shows how to set the lifetime value for the CA to 30 days:
Router(config)# ip http serverRouter(config)# crypto pki server mycertserverRouter(cs-server)# lifetime ca certificate 30Related Commands
crypto pki server
Enables a Cisco IOS certificate server and enters certificate server configuration mode.
lifetime (IKE policy)
To specify the lifetime of an Internet Key Exchange (IKE) security association (SA), use the lifetime command in Internet Security Association Key Management Protocol (ISAKMP) policy configuration mode. To reset the SA lifetime to the default value, use the no form of this command.
lifetime seconds
no lifetime
Syntax Description
seconds
Number of many seconds for each each SA should exist before expiring. Use an integer from 60 to 86,400 seconds, which is the default value.
Command Default
The default is 86,400 seconds (one day).
Command Modes
ISAKMP policy configuration
Command History
Usage Guidelines
Use this command to specify how long an IKE SA exists before expiring.
When IKE begins negotiations, the first thing it does is agree upon the security parameters for its own session. The agreed-upon parameters are then referenced by an SA at each peer. The SA is retained by each peer until the SA's lifetime expires. Before an SA expires, it can be reused by subsequent IKE negotiations, which can save time when setting up new IPSec SAs. Before an SA expires, it can be reused by subsequent IKE negotiations, which can save time when setting up new IPSec SAs. New IPSec SAs are negotiated before current IPSec SAs expire.
So, to save setup time for IPSec, configure a longer IKE SA lifetime. However, shorter lifetimes limit the exposure to attackers of this SA. The longer an SA is used, the more encrypted traffic can be gathered by an attacker and possibly used in an attack.
Note that when your local peer initiates an IKE negotiation between itself and a remote peer, an IKE policy can be selected only if the lifetime of the remote peer's policy is shorter than or equal to the lifetime of the local peer's policy. Then, if the lifetimes are not equal, the shorter lifetime will be selected. To restate this behavior: If the two peer's policies' lifetimes are not the same, the initiating peer's lifetime must be longer and the responding peer's lifetime must be shorter, and the shorter lifetime will be used.
Examples
The following example configures an IKE policy with a security association lifetime of 600 seconds (10 minutes), and all other parameters are set to the defaults:
crypto isakmp policy 15lifetime 600exitRelated Commands
lifetime (IKEv2 profile)
To specify the lifetime for an Internet Key Exchange Version 2 (IKEv2) security association (SA), use the lifetime command in IKEv2 profile configuration mode. To reset the SA lifetime to the default value, use the no form of this command.
lifetime seconds
no lifetime
Syntax Description
seconds
The time that each IKE SA should exist before expiring. Use an integer from 60 to 86,400 seconds.
Command Default
The default is 86,400 seconds (one day).
Command Modes
IKEv2 profile configuration (config-ikev2-profile)
Command History
15.1(1)T
This command was introduced.
Cisco IOS XE Release 3.3S
This command was integrated into Cisco IOS XE Release 3.3S.
Usage Guidelines
Use this command to specify the lifetime of an IKE SA. When IKE begins negotiations, IKE agrees on the security parameters for its session that are referenced by an SA at each peer. The SA is retained by each peer until the SA expires, and before an SA expires, it can be reused by subsequent IKE negotiations, which saves time when setting up new IKE SA. Although, SA with a shorter lifetime limits the exposure to attacks, to save time configure an IKE SA that has a longer lifetime. The longer an SA is used, the more encrypted traffic can be gathered by an attacker and possibly used in an attack.
Examples
The following example configures an IKEv2 profile with a security association lifetime of 600 seconds (10 minutes), and all other parameters are set to the defaults:
Router(config)# crypto ikev2 profile profile2Router(config-ikev2-profile)# lifetime 600Related Commands
crypto ikev2 profile
Defines an IKEv2 profile.
show crypto ikev2 profile
Displays the IKEv2 profile.
lifetime crl
To define the lifetime of the certificate revocation list (CRL) that is used by the certificate server, use the lifetime crl command in certificate server configuration mode. To return to the default value of 1 week, use the no form of this command.
lifetime crl time
no lifetime crl time
Syntax Description
time
Lifetime value, in hours, of the CRL. Maximum lifetime value is 336 hours (2 weeks). The default value is 168 hours (1 week).
Defaults
168 hours (1 week)
Command Modes
Certificate server configuration
Command History
Usage Guidelines
After you create a certificate server via the crypto pki server command, use the lifetime crl command if you want to specify a value other than the default value for the CRL. The lifetime value is added to the CRL when the CRL is created.
The CRL is written to the specified database location as ca-label.crl.
Examples
The following example shows how to set the lifetime value for the CRL to 24 hours:
Router(config)# ip http serverRouter(config)# crypto pki server mycertserverRouter(cs-server)# lifetime crl 24Related Commands
lifetime enrollment-request
To specify how long an enrollment request should stay in the enrollment database, use the lifetime enrollment-request command in certificate server configuration mode. To return to the default value of 1 week, use the no form of this command.
lifetime enrollment-request time
no lifetime enrollment-request
Syntax Description
time
Lifetime value, in hours, of an enrollment request. The maximum lifetime value is 1000 hours. The default value is 168 hours (1 week).
Defaults
Lifetime value default is 168 hours.
Command Modes
Certificate server configuration
Command History
Usage Guidelines
After the certificate server receives an enrollment request, it can leave the request in pending, reject it, or grant it. The request is left in the Enrollment Request Database for the lifetime of the enrollment request until the client polls the certificate server for the result of the request.
Examples
The following example shows how to set the lifetime value for the enrollment request to 24 hours:
Router (config)# crypto pki server mycsRouter (cs-server)# lifetime enrollment-request 24Related Commands
Related Commands*0
list (LSP Attributes)
To display the contents of a label switched path (LSP) attribute list, use the list command in LSP Attributes configuration mode.
list
Syntax Description
This command has no arguments or keywords.
Command Default
Contents of an LSP attribute list is not displayed.
Command Modes
LSP Attributes configuration (config-lsp-attr)
Command History
Usage Guidelines
This command displays the contents of the LSP attribute list. You can display each of the following configurable LSP attributes using the list command: affinity, auto-bw, bandwidth, lockdown, priority, protection, and record-route.
Examples
The following example shows how to display the contents of an LSP attribute list identified with the string priority:
!Router(config)# mpls traffic-eng lsp attributes priorityRouter(config-lsp-attr)# priority 0 0Router(config-lsp-attr)# listpriority 0 0Router(config-lsp-attr)#Related Commands
mpls traffic-eng lsp attributes
Creates or modifies an LSP attribute list.
show mpls traffic-eng lsp attributes
Displays global LSP attribute lists.
list (WebVPN)
To list the currently configured access control list (ACL) entries sequentially, use the list command in webvpn acl configuration mode. This command has no no form.
list
Syntax Description
This command has no arguments or keywords.
Command Default
Currently configured ACL entries are not listed.
Command Modes
Webvpn acl configuration
Command History
Usage Guidelines
Before using this command, you must have configured the web context and the acl command.
Examples
The following example shows that currently configured ACL entries are to be listed:
webvpn context context1acl acl1listRelated Commands
webvpn context
Configures the WebVPN context and enters SSL VPN configuration mode.
acl
Defines an ACL using a SSL VPN gateway at the Application Layer level.
li-view
To initialize a lawful intercept view, use the li-view command in global configuration mode.
li-view li-password user username password password
Syntax Description
Defaults
A lawful intercept view cannot be accessed.
Command Modes
Global configuration (config)
Command History
Usage Guidelines
Like a command-line interface (CLI) view, a lawful intercept view restricts access to specified commands and configuration information. Specifically, a lawful intercept view allows a user to secure access to lawful intercept commands that are held within the TAP-MIB, which is a special set of Network Management Protocol (SNMP) commands that stores information about calls and users.
Commands available in lawful intercept view belong to one of the following categories:
•
•
Note
Examples
The following example shows how to configure a lawful intercept view, add users to the view, and verify the users that were added to the view:
!Initialize the LI-View.Router(config)# li-view lipass user li_admin password li_adminpass00:19:25:%PARSER-6-LI_VIEW_INIT:LI-View initialized.Router(config)# end! Enter the LI-View; that is, check to see what commands are available within the view.Router# enable view li-viewPassword:Router#00:22:57:%PARSER-6-VIEW_SWITCH:successfully set to view 'li-view'.Router# configure terminalEnter configuration commands, one per line. End with CNTL/Z.Router(config)# parser view li-viewRouter(config-view)# ?View commands:commands Configure commands for a viewdefault Set a command to its defaultsexit Exit from view configuration modename New LI-View name ===This option only resides in LI View.no Negate a command or set its defaultspassword Set a password associated with CLI viewsRouter(config-view)#! NOTE:LI View configurations are never shown as part of `running-configuration'.! Configure LI Users.Router(config)# username lawful-intercept li-user1 password li-user1passRouter(config)# username lawful-intercept li-user2 password li-user2pass! Displaying LI User information.Router# show users lawful-interceptli_adminli-user1li-user2Router#Related Commands
show users
Displays information about the active lines on the router.
username
Establishes a username-based authentication system.
load-balance (server-group)
To enable RADIUS server load balancing for a named RADIUS server group, use the load-balance command in server group configuration mode. To disable named RADIUS server load balancing, use the no form of this command.
load-balance method least-outstanding [batch-size number] [ignore-preferred-server]
no load-balance
Syntax Description
Command Defaults
If this command is not configured, named RADIUS server load balancing will not occur.
Command Modes
Server group configuration
Command History
Examples
The following example shows load balancing enabled for a named RADIUS server group. It is shown in three parts: the current configuration of RADIUS command output, debug output, and AAA server status information.
Server Configuration and Enabling Load Balancing for Named RADIUS Server Group Example
The following shows the relevant RADIUS configuration:
Router# show running-config...aaa group server radius server-group1server 192.0.2.238 auth-port 2095 acct-port 2096server 192.0.2.238 auth-port 2015 acct-port 2016load-balance method least-outstanding batch-size 5!aaa authentication ppp default group server-group1aaa accounting network default start-stop group server-group1...The lines in the current configuration of RADIUS command output above are defined as follows:
•
•
•
•
Debug Output for Named RADIUS Server Group Example
The debug output below shows the selection of a preferred server and the processing of requests for the configuration above.
Router#*Feb 28 13:51:16.019:AAA/SG/SERVER_SELECT(0000002C):No preferred server available.*Feb 28 13:51:16.019:AAA/SG/SERVER_SELECT:Obtaining least loaded server.*Feb 28 13:51:16.019:AAA/SG/SERVER_SELECT:No more transactions in batch. Obtaining a new server.*Feb 28 13:51:16.019:AAA/SG/SERVER_SELECT:Obtaining a new least loaded server.*Feb 28 13:51:16.019:AAA/SG/SERVER_SELECT:Server[0] load:0*Feb 28 13:51:16.019:AAA/SG/SERVER_SELECT:Server[1] load:0*Feb 28 13:51:16.019:AAA/SG/SERVER_SELECT:Selected Server[0] with load 0*Feb 28 13:51:16.019:AAA/SG/SERVER_SELECT:[5] transactions remaining in batch.*Feb 28 13:51:16.019:AAA/SG/SERVER_SELECT(0000002C):Server (192.0.2.238:2095,2096) now being used as preferred server*Feb 28 13:51:16.019:AAA/SG/SERVER_SELECT(0000002D):No preferred server available.*Feb 28 13:51:16.019:AAA/SG/SERVER_SELECT:Obtaining least loaded server.*Feb 28 13:51:16.019:AAA/SG/SERVER_SELECT:[4] transactions remaining in batch. Reusing server.*Feb 28 13:51:16.019:AAA/SG/SERVER_SELECT(0000002D):Server (192.0.2.238:2095,2096) now being used as preferred server*Feb 28 13:51:16.019:AAA/SG/SERVER_SELECT(0000002E):No preferred server available.*Feb 28 13:51:16.019:AAA/SG/SERVER_SELECT:Obtaining least loaded server.*Feb 28 13:51:16.019:AAA/SG/SERVER_SELECT:[3] transactions remaining in batch. Reusing server.*Feb 28 13:51:16.019:AAA/SG/SERVER_SELECT(0000002E):Server (192.0.2.238:2095,2096) now being used as preferred server*Feb 28 13:51:16.019:AAA/SG/SERVER_SELECT(0000002F):No preferred server available.*Feb 28 13:51:16.019:AAA/SG/SERVER_SELECT:Obtaining least loaded server.*Feb 28 13:51:16.019:AAA/SG/SERVER_SELECT:[2] transactions remaining in batch. Reusing server.*Feb 28 13:51:16.019:AAA/SG/SERVER_SELECT(0000002F):Server (192.0.2.238:2095,2096) now being used as preferred server*Feb 28 13:51:16.019:AAA/SG/SERVER_SELECT(00000030):No preferred server available.*Feb 28 13:51:16.019:AAA/SG/SERVER_SELECT:Obtaining least loaded server.*Feb 28 13:51:16.019:AAA/SG/SERVER_SELECT:[1] transactions remaining in batch. Reusing server.*Feb 28 13:51:16.019:AAA/SG/SERVER_SELECT(00000030):Server (192.0.2.238:2095,2096) now being used as preferred server*Feb 28 13:51:16.023:AAA/SG/SERVER_SELECT(00000031):No preferred server available.*Feb 28 13:51:16.023:AAA/SG/SERVER_SELECT:Obtaining least loaded server.*Feb 28 13:51:16.023:AAA/SG/SERVER_SELECT:No more transactions in batch. Obtaining a new server.*Feb 28 13:51:16.023:AAA/SG/SERVER_SELECT:Obtaining a new least loaded server.*Feb 28 13:51:16.023:AAA/SG/SERVER_SELECT:Server[1] load:0*Feb 28 13:51:16.023:AAA/SG/SERVER_SELECT:Server[0] load:5*Feb 28 13:51:16.023:AAA/SG/SERVER_SELECT:Selected Server[1] with load 0*Feb 28 13:51:16.023:AAA/SG/SERVER_SELECT:[5] transactions remaining in batch.*Feb 28 13:51:16.023:AAA/SG/SERVER_SELECT(00000031):Server (192.0.2.238:2015,2016) now being used as preferred server*Feb 28 13:51:16.023:AAA/SG/SERVER_SELECT(00000032):No preferred server available.*Feb 28 13:51:16.023:AAA/SG/SERVER_SELECT:Obtaining least loaded server.*Feb 28 13:51:16.023:AAA/SG/SERVER_SELECT:[4] transactions remaining in batch. Reusing server....Server Status Information for Named RADIUS Server Group Example
The output below shows the AAA server status for the named RADIUS server group configuration example.
Router# show aaa serversRADIUS:id 8, priority 1, host 192.0.2.238, auth-port 2095, acct-port 2096State:current UP, duration 3781s, previous duration 0sDead:total time 0s, count 0Quarantined:NoAuthen:request 0, timeouts 0Response:unexpected 0, server error 0, incorrect 0, time 0msTransaction:success 0, failure 0Author:request 0, timeouts 0Response:unexpected 0, server error 0, incorrect 0, time 0msTransaction:success 0, failure 0Account:request 0, timeouts 0Response:unexpected 0, server error 0, incorrect 0, time 0msTransaction:success 0, failure 0Elapsed time since counters last cleared:0mRADIUS:id 9, priority 2, host 192.0.2.238, auth-port 2015, acct-port 2016State:current UP, duration 3781s, previous duration 0sDead:total time 0s, count 0Quarantined:NoAuthen:request 0, timeouts 0Response:unexpected 0, server error 0, incorrect 0, time 0msTransaction:success 0, failure 0Author:request 0, timeouts 0Response:unexpected 0, server error 0, incorrect 0, time 0msTransaction:success 0, failure 0Account:request 0, timeouts 0Response:unexpected 0, server error 0, incorrect 0, time 0msTransaction:success 0, failure 0Elapsed time since counters last cleared:0mRouter#The output shows the status of two RADIUS servers. Both servers are alive, and no requests have been processed since the counters were cleared 0 minutes ago.
Related Commands
load classification
To load a traffic classification definition file (TCDF) for a Flexible Packet Matching (FPM) configuration, use the load classification command in global configuration mode. To unload all TCDFs from a specified location or a single TCDF, use the no form of this command.
load classification location:filename
no load classification location:filename
Syntax Description
Command Default
No TCDF is loaded onto the router.
Command Modes
Global configuration
Command History
Usage Guidelines
A TCDF is an Extensible Markup Language (XML) file that you create in a text file or using an XML editor. FPM uses a TCDF to define classes of traffic and to specify actions to apply to the traffic classes for the purpose of blocking attacks on the network. Traffic classification behavior defined in a TCDF is identical to that configured using the command-line interface (CLI).
Use the load classification command to load the TCDF onto the routing device. The location to which you load the file must be local to the device. After the TCDF is loaded, you can use service policy CLI commands to attach the TCDF policies to a specific interface or interfaces. TCDP classes and policies, which are loaded, display as normal policies and classes when you issue a show command.
The TCDF requires that a relevant protocol header description file (PHDF) is already loaded onto the system through the use of the load protocol command. Standard PHDFs are provided with the FPM feature.
Examples
The following example shows how to create a TCDF for slammer packets (UDP 1434) for an FPM XML configuration. The match criteria defined within the class element is for slammer packets with an IP length not to exceed 404 (0x194) bytes, UDP port 1434 (0x59A), and pattern 0x4011010 at 224 bytes from start of the IP header. The policy "fpm-udp-policy" is defined with the action to drop slammer packets.
<?xml version="1.0" encoding="UTF-8"?><tcdf><class name="ip-udp" type="stack"><match><eq field="ip.protocol" value="0x11" next="udp"></eq></match></class><class name="slammer" type="access-control" match="all"><match><eq field="udp.dest-port" value="0x59A"></eq><eq field="ip.length" value="0x194"></eq><eq start="l3-start" offset="224" size="4" value="0x00401010"></eq></match></class><policy type="access-control" name="fpm-udp-policy"><class name="slammer"></class><action>drop</action></policy></tcdf>The following example shows how to load relevant PHDFs, load the TCDF file sql-slammer.tcdf, and attach the TCDF-defined policy to the interface Ethernet 0/1:
enableconfigure terminalload protocol localdisk1:ip.phdfload protocol localdisk1:tcp.phdfload protocol localdisk1:udp.phdfload classification localdisk1:sql-slammer.tcdfpolicy-map type access-control my-policy-1class ip-udpservice-policy fpm-udp-policyinterface Ethernet 0/1service-policy type access control input my-policy-1endThe following CLI output is associated with the TCDF described in the example:
Router# show class-map type stack. . .class-map type stack match-all ip-udpmatch field IP protocol eq 0x11 next UDP. . .Router# show class-map type access-control. . .class-map type access-control match-all slammermatch field UDP dest-port eq 0x59Amatch field IP length eq 0x194match start l3-start offset 224 size 4 eq 0x4011010. . .Router show policy-map my-policy-1. . .policy-map type access-control my-policy-1class slammerdrop. . .Related Commands
local-address
To limit the scope of an Internet Security Association and Key Management Protocol (ISAKMP) profile or an ISAKMP keyring configuration to a local termination address or interface, use the local-address command in ISAKMP profile configuration and keyring configuration modes. To remove the local address or interface, use the no form of this command.
local-address {interface-name | ip-address [vrf-tag]}
no local-address {interface-name | ip-address [vrf-tag]}
Syntax Description
interface-name
Name of the local interface.
ip-address
Local termination address.
vrf-tag
(Optional) Scope of the IP address will be limited to the VRF instance.
Defaults
If this command is not configured, the ISAKMP profile or ISAKMP keyring is available to all local addresses.
Command Modes
ISAKMP profile configuration
Keyring configurationCommand History
Examples
The following example shows that the scope of the ISAKMP profile is limited to interface serial2/0:
crypto isakmp profile profile1keyring keyring1match identity address 10.0.0.0 255.0.0.0local-address serial2/0The following example shows that the scope of the ISAKMP keyring is limited only to interface serial2/0:
crypto keyringlocal-address serial2/0pre-shared-key address 10.0.0.1The following example shows that the scope of the ISAKMP keyring is limited only to IP address 10.0.0.2:
crypto keyring keyring1local-address 10.0.0.2pre-shared-key address 10.0.0.2 keyThe following example shows that the scope of an ISAKMP keyring is limited to IP address 10.34.35.36 and that the scope is limited to VRF examplevrf1:
ip vrf examplevrf1rd 12:3456crypto keyring ring1local-address 10.34.35.36 examplevrf1interface ethernet2/0ip vrf forwarding examplevrf1ip address 10.34.35.36 255.255.0.0Related Commands
crypto isakmp profile
Defines an ISAKMP profile and audits IPSec user sessions.
crypto keyring
Defines a keyring and enters keyring configuration mode.
local-port (WebVPN)
To remap (forward) an application port number in a port forwarding list, use the local-port command in webvpn port-forward list configuration mode. To remove the application port mapping from the forwarding list, use the no form of this command.
local-port number remote-server name remote-port number description text-string
no local-port number
Syntax Description
Command Default
An application port number is not remapped.
Command Modes
Webvpn port-forward list configuration (config-webvpn-port-fwd)
Command History
Usage Guidelines
The local-port command is configured to add an entry to the port-forwarding list. The forward list is created with the port-forward command in webvpn context configuration mode. The remote port number is the well-known port to which the application listens. The local port number is the entry configured in the port forwarding list. A local port number can be configured only once in a given port-forwarding list.
Examples
The following example configures port forwarding for well-known e-mail application port numbers:
Router(config)# webvpn context context1Router(config-webvpn-context)# port-forward EMAILRouter(config-webvpn-port-fwd)# local-port 30016 remote-server mail.company.com remote-port 110 description POP3Router(config-webvpn-port-fwd)# local-port 30017 remote-server mail.company.com remote-port 25 description SMTPRouter(config-webvpn-port-fwd)# local-port 30018 remote-server mail.company.com remote-port 143 description IMAPRelated Commands
local priority
To set the local key server priority, use the local priority command in GDOI redundancy configuration mode. To remove the local key server priority that was set, use the no form of this command.
local priority number
no local priority number
Syntax Description
Command Default
If the local priority is not set by this command, the local priority defaults to 1.
Command Modes
GDOI redundancy configuration (gdoi-coop-ks-config)
Command History
12.4(11)T
This command was introduced.
Cisco IOS XE Release 2.3
This command was implemented on the Cisco ASR 1000 Aggregation Services Series Routers
Usage Guidelines
Configure the priority to determine the order of preference of the key servers (the higher priority device becomes the primary key server). If the priority of two devices is the same, the IP address is used to set the priority. The higher the IP address, the higher the priority.
Note
Examples
The following example shows that the key server 10.1.1.1 has the highest priority and, therefore, becomes the primary key server:
address ipv4 10.1.1.1redundancylocal priority 10peer address ipv4 10.41.2.5peer address ipv4 10.33.5.6address ipv4 10.41.2.5redundancypeer address ipv4 10.1.1.1peer address ipv4 10.33.5.6address ipv4 10.33.5.6redundancylocal priority 5peer address ipv4 10.41.2.5peer address ipv4 10.1.1.1Related Commands
lockdown (LSP Attributes)
To disable reoptimization of the label switched path (LSP), use the lockdown command in LSP Attributes configuration mode. To reenable reoptimization, use the no form of this command.
lockdown
no lockdown
Syntax Description
This command has no arguments or keywords.
Command Default
Reoptimization of the LSP is enabled.
Command Modes
LSP Attributes configuration (config-lsp-attr)
Command History
Usage Guidelines
Use this command to set up in an LSP attribute list the disabling of reoptimization of an LSP triggered by a timer, or the issuance of the mpls traffic-eng reoptimize command, or a configuration change that requires the resignalling of an LSP.
To associate the LSP lockdown attribute and the LSP attribute list with a path option for an LSP, you must configure the tunnel mpls traffic-eng path option command with the attributes string keyword and argument, where string is the identifier for the specific LSP attribute list.
Examples
The following example shows how to configure disabling of reoptimization in an LSP attribute list:
Configure terminal!mpls traffic-eng lsp attributes 4bandwidth 1000priority 1 1lockdownendRelated Commands
mpls traffic-eng lsp attributes
Creates or modifies an LSP attribute list.
show mpls traffic-eng lsp attributes
Displays global LSP attribute lists.
log (policy-map)
To generate a log of messages, use the log command in policy-map configuration mode. To disable the log, use the no form of this command.
log
no log
Syntax Description
This command has no arguments or keywords.
Command Default
None
Command Modes
Policy-map configuration
Command History
Usage Guidelines
You can use this command only after entering the following commands:
•
•
•
Examples
The following example generates a log of messages:
policy-map type inspect http mypolicylogRelated Commands
log (parameter-map type)
To log the firewall activity for an inspect parameter map, use the log command in parameter-map type inspect configuration mode.
log {dropped-packets {disable | enable} | summary [flows number] [time-interval seconds]}
Syntax Description
Command Default
The firewall activity is not captured.
Command Modes
Parameter-map type inspect configuration (config-profile)
Command History
Usage Guidelines
Use this command to log the firewall activity as follows:
•
•
•
If the flow is specified as zero as log summary flow 0, the log activity is turned off and summary logs are not printed until the flow count is greater than zero.
To display the summary logs, use the show policy-firewall summary-log and clear policy-firewall summary-log to clear the summary logs.
Examples
The following examples show how to configure the summary logs in two scenarios.
In the following example, the summary logs are printed for 40 flows every 2 minutes:
Router(config)# parameter-map type inspect globalRouter(config-profile)# log summary flows 40 time-interval 120In the following example, the summary logs are printed for 30 flows at the default time interval of 1 minute:Router(config)# parameter-map type inspect globalRouter(config-profile)# log summary flows 30In the above example, the flow is not configured. Hence, the summary logs are printed by default for 16 flows every 30 seconds:Router(config)# parameter-map type inspect globalRouter(config-profile)# log summary time-interval 30Related Commands
log (type access-control)
To generate log messages for a predefined traffic class, use the log command in policy-map class configuration mode. To disable the log, use the no form of this command.
log [all]
no log [all]
Syntax Description
Command Default
Log messages are disabled.
Command Modes
Policy-map class configuration (config-pmap-c)
Command History
Usage Guidelines
If the log command is specified with the all keyword, then this command can only be used with a predefined session-based Flexible Packet Matching (FPM) traffic class that was created with the class-map type access-control command.
The log all command is used when configuring a policy map that can be attached to one or more interfaces to specify a service policy that is created with the policy-map type access-control command.
Examples
The following example shows how to configure a class map and policy map to specify the protocol stack class, the match criteria and action to take, and a combination of classes using session-based (flow-based) and nonsession-based actions. The log command's all keyword is associated with the action to be taken on the policy.
Router(config)# class-map type access-control match-all my-HTTPRouter(config-cm)# match field tcp destport eq 8080Router(config-cm)# match start tcp payload-start offset 20 size 10 regex "GET"Router(config)# class-map type access-control match-all my-FTPRouter(config-cmap)# match field tcp destport eq 21Router(config)# class-map type access-control match all class1Router(config-cmap)# match class my-HTTP sessionRouter(config-cmap)# match start tcp payload-start offset 40 size 20 regex "abc.*def"Router(config)# policy-map type access-control my_http_policyRouter(config-pmap)# class class1Router(config-pmap-c)# log allRouter(config)# interface gigabitEthernet 0/1Router(config-if)# service-policy type access-control input my_http_policyRelated Commands
logging dmvpn
To display Dynamic Multipoint VPN (DMVPN)-specific system logging information, use the logging dmvpn command in global configuration mode. To turn off logging, use the no form of this command.
logging dmvpn [rate-limit rate]
no logging dmvpn [rate-limit rate]
Syntax Description
rate-limit rate
(Optional) Specifies the number of DMVPN syslog messages generated per minute. The range is from 1 to 10000.
•
Command Default
DMVPN system logging messages are not enabled.
Command Modes
Global configuration (config)
Command History
Usage Guidelines
Use the logging dmvpn rate-limit rate command to specify the rate at which the DMVPN-specific syslog messages are displayed. In Cisco IOS Release 12.4(24)T and earlier releases, the rate argument specifies the minimum interval, in seconds, between two DMVPN syslog messages, with a range of 0 to 3600, and a default value of 60.
In Cisco IOS Release 15.0(1)M and later releases, the rate argument specifies the number of DMVPN syslog messages per minute. If you have upgraded to Release Cisco IOS 15.0(1)M or later releases, you must reconfigure the DMVPN rate limit settings.
Examples
The following example shows how to configure the router to display five DMVPN-specific syslog messages per minute:
Router> enableRouter# configure terminalRouter(config)# logging dmvpn rate-limit 5The following example shows a sample system log with DMVPN messages:
%DMVPN-7-CRYPTO_SS: Tunnel101-192.0.2.1 socket is UP
%DMVPN-5-NHRP_NHS: Tunnel101 192.0.2.251 is UP
%DMVPN-5-NHRP_CACHE: Client 192.0.2.2 on Tunnel1 Registered.
%DMVPN-5-NHRP_CACHE: Client 192.0.2.2 on Tunnel101 came UP.
%DMVPN-3-NHRP_ERROR: Registration Request failed for 192.0.2.251 on Tunnel101
Related Commands
logging enabled
To enable syslog messages, use the logging enabled command in parameter-map-type consent configuration mode.
logging enabled
Syntax Description
This command has no arguments or keywords.
Command Default
Logging messages are not enabled.
Command Modes
Parameter-map-type consent (config-profile)
Command History
Usage Guidelines
After the logging enabled command is entered, a log entry (a syslog), including the client's IP address and the time, is created everytime a response is received for the consent web page.
Examples
The following example shows how to define the consent-specific parameter map "consent_parameter_map" and a default consent parameter map. In both parameter maps, logging is enabled.
parameter-map type consent consent_parameter_mapcopy tftp://192.168.104.136/consent_page.html flash:consent_page.htmlauthorize accept identity consent_identity_policytimeout file download 35791file flash:consent_page.htmllogging enabledexit!parameter-map type consent defaultcopy tftp://192.168.104.136/consent_page.html flash:consent_page.htmlauthorize accept identity test_identity_policytimeout file download 35791file flash:consent_page.htmllogging enabledexitlogging ip access-list cache (global configuration)
To configure the Optimized ACL Logging (OAL) parameters, use the logging ip access-list cache command in global configuration mode. To return to the default settings, use the no form of this command.
logging ip access-list cache {entries entries | {interval seconds | rate-limit pps | threshold packets}
no logging ip access-list cache [entries | interval | rate-limit | threshold]
Syntax Description
Defaults
The defaults are as follows:
•
•
•
•
Command Modes
Global configuration
Command History
12.2(17d)SXB
Support for this command was introduced on the Supervisor Engine 720.
12.2(33)SRA
This command was integrated into Cisco IOS Release 12.2(33)SRA.
Usage Guidelines
This command is supported on Cisco 7600 series routers that are configured with a Supervisor Engine 720 only.
OAL is supported on IPv4 unicast traffic only.
You cannot configure OAL and VACL capture on the same chassis. OAL and VACL capture are incompatible. With OAL configured, use SPAN to capture traffic.
If the entry is inactive for the duration that is specified in the update-interval seconds command, the entry is removed from the cache.
If you enter the no logging ip access-list cache command without keywords, all the parameters are returned to the default values.
You must set ICMP unreachable rate limiting to 0 if the OAL is configured to log denied packets.
Examples
This example shows how to specify the maximum number of log entries that are cached in the software:
Router(config)# logging ip access-list cache entries 200This example shows how to specify the maximum time interval before an entry is sent to the system log:
Router(config)# logging ip access-list cache interval 350This example shows how to specify the number of packets that are logged per second in the software:
Router(config)# logging ip access-list cache rate-limit 100This example shows how to specify the number of packet matches before an entry is sent to the system log:
Router(config)# logging ip access-list cache threshold 125Related Commands
logging ip access-list cache (interface configuration)
To enable an Optimized ACL Logging (OAL)-logging cache on an interface that is based on direction, use the logging ip access-list cache command in interface configuration mode. To disable OAL, use the no form of this command.
logging ip access-list cache [in | out]
no logging ip access-list cache
Syntax Description
Defaults
Disabled
Command Modes
Interface configuration
Command History
12.2(17d)SXB
Support for this command was introduced on the Supervisor Engine 720.
12.2(33)SRA
This command was integrated into Cisco IOS Release 12.2(33)SRA.
Usage Guidelines
This command is supported on Cisco 7600 series routers that are configured with a Supervisor Engine 720 only.
This command is supported on traffic that matches the log keyword in the applied ACL. You must set ICMP unreachable rate limiting to 0 if the OAL is configured to log denied packets.
On systems that are configured with a PFC3A, support for the egress direction on tunnel interfaces is not supported.
OAL is supported on IPv4 unicast traffic only.
You cannot configure OAL and VACL capture on the same chassis. OAL and VACL capture are incompatible. With OAL configured, use SPAN to capture traffic.
If the entry is inactive for the duration that is specified in the update-interval seconds command, the entry is removed from the cache.
If you enter the no logging ip access-list cache command without keywords, all the parameters are returned to the default values.
Examples
This example shows how to enable OAL on ingress packets:
Router(config-if)# logging ip access-list cache inThis example shows how to enable OAL on egress packets:
Router(config-if)# logging ip access-list cache outRelated Commands
login authentication
To enable authentication, authorization, and accounting (AAA) authentication for logins, use the login authentication command in line configuration mode. To return to the default specified by the aaa authentication login command, use the no form of this command.
login authentication {default | list-name}
no login authentication {default | list-name}
Syntax Description
default
Uses the default list created with the aaa authentication login command.
list-name
Uses the indicated list created with the aaa authentication login command.
Defaults
Uses the default set with aaa authentication login.
Command Modes
Line configuration
Command History
Usage Guidelines
This command is a per-line command used with AAA that specifies the name of a list of AAA authentication methods to try at login. If no list is specified, the default list is used (whether or not it is specified in the command line).
Caution
Entering the no version of login authentication has the same effect as entering the command with the default keyword.
Before issuing this command, create a list of authentication processes by using the global configuration aaa authentication login command.
Examples
The following example specifies that the default AAA authentication is to be used on line 4:
line 4login authentication defaultThe following example specifies that the AAA authentication list called list1 is to be used on line 7:
line 7login authentication list1Related Commands
login block-for
To configure your Cisco IOS device for login parameters that help provide denial-of-service (DoS) detection, use the login block-for command in global configuration mode. To disable the specified login parameters and return to the default functionality, use the no form of this command.
login block-for seconds attempts tries within seconds
no login block-for
Syntax Description
Defaults
No login parameters are defined.
A quiet period is not enabled.
Command Modes
Global configuration (config)
Command History
Usage Guidelines
If the specified number of connection attempts (via the attempts tries option) fail within a specified time (via the within seconds option), the Cisco IOS device will not accept any additional login attempts for a specified period of time (via the seconds argument).
All login parameters are disabled by default. You must issue the login block-for command, which enables default login functionality, before using any other login commands. After the login block-for command is enabled, the following defaults are enforced:
•
•
For example:
Router#show access-lists sl_def_aclExtended IP access list sl_def_acl10 deny tcp any any eq telnet20 deny tcp any any eq www30 deny tcp any any eq 2240 permit ip any anySystem Logging Messages
The following logging message is generated after the router switches to quiet mode:
00:04:07:%SEC_LOGIN-1-QUIET_MODE_ON:Still timeleft for watching failures is 158 seconds, [user:sfd] [Source:10.4.2.11] [localport:23] [Reason:Invalid login], [ACL:22] at 16:17:23 UTC Wed Feb 26 2003The following logging message is generated after the router switches from quiet mode back to normal mode:
00:09:07:%SEC_LOGIN-5-QUIET_MODE_OFF:Quiet Mode is OFF, because block period timed out at 16:22:23 UTC Wed Feb 26 2003Examples
The following example shows how to configure your router to block all login requests for 100 seconds if 15 failed login attempts are exceeded within 100 seconds. Thereafter, the show login command is issued to verify the login settings.
Router(config)# login block-for 100 attempts 15 within 100Router(config)# exitRouter# show loginA default login delay of 1 seconds is applied.No Quiet-Mode access list has been configured.All successful login is logged and generate SNMP traps.All failed login is logged and generate SNMP traps.Router enabled to watch for login Attacks.If more than 15 login failures occur in 100 seconds or less, logins will be disabled for 100 seconds.Router presently in Watch-Mode, will remain in Watch-Mode for 95 seconds.Present login failure count 5The following example shows how to disable login parameters. Thereafter, the show login command is issued to verify that login parameters are no longer configured.
Router(config)# no login block-forRouter(config)# exitRouter# show loginNo login delay has been applied.No Quiet-Mode access list has been configured.All successful login is logged and generate SNMP traps.All failed login is logged and generate SNMP trapsRouter NOT enabled to watch for login AttacksRelated Commands
login delay
To configure a uniform delay between successive login attempts, use the login delay command in global configuration mode. To return to the default functionality (which is a 1 second delay), use the no form of this command.
login delay seconds
no login delay
Syntax Description
Defaults
If this command is not enabled, a login delay of 1 second is automatically enforced.
Command Modes
Global configuration (config)
Command History
Usage Guidelines
A Cisco IOS device can accept connections (such as Telnet, secure shell (SSH), and HTTP) as fast as they can be processed. The login delay command introduces a uniform delay between successive login attempts. (The delay occurs for all login attempts—failed or successful attempts.) Thus, user users can better secure their Cisco IOS device from dictionary attacks, which are an attempt to gain username and password access to your device.
Although the login delay command allows users to configure a specific a delay, a uniform delay of 1 second is enabled if the auto secure command is issued. After the auto secure command is enabled, the autosecure dialog prompts users for login parameters; if login parameters have already been configured, the autosecure dialog will retain the specified values.
Examples
The following example shows how to configure your router to issue a delay of 10 seconds between each successive login attempt:
Router(config)# login delay 10Related Commands
login-message
To configure a login message for the text box on the user login page, use the login-message command in webvpn context configuration mode. To reconfigure the SSL VPN context configuration to display the default message, use the no form of this command.
login-message [message-string]
no login-message [message-string]
Syntax Description
message-string
(Optional) Login message string up to 255 characters in length. The string value may contain 7-bit ASCII values, HTML tags, and escape sequences.
Defaults
The following message is displayed if this command is not configured or if the no form is entered:
"Please enter your username and password"
Command Modes
Webvpn context configuration
Command History
Usage Guidelines
The optional form of this command is used to change or enter a login message. A text string up to 255 characters in length can be entered. The no form of this command is entered to configure the default message to be displayed. When the login-message command is entered without the optional text string, no login message is displayed.
Examples
The following example changes the default login message to "Please enter your login credentials":
Router(config)# webvpn context context1Router(config-webvpn-context)# login-message "Please enter your login credentials"Related Commands
webvpn context
Enters webvpn context configuration mode to configure the SSL VPN context.
login quiet-mode access-class
To specify an access control list (ACL) that is to be applied to the router when the router switches to quiet mode, use the login quiet-mode access-class command in global configuration mode. To remove this ACL and allow the router to deny all login attempts, use the no form of this command.
login quiet-mode access-class {acl-name | acl-number}
no login quiet-mode access-class {acl-name | acl-number}
Syntax Description
acl-name
Named ACL that is to be enforced during quiet mode.
acl-number
Numbered (standard or extended) ACL that is to be enforced during quiet mode.
Defaults
All login attempts via Telnet, secure shell (SSH), and HTTP are denied.
Command Modes
Global configuration (config)
Command History
Usage Guidelines
Before using this command, you must issue the login block-for command, which allows you to specify the necessary parameters to enable a quiet period.
•
For example:
Router#show access-lists sl_def_aclExtended IP access list sl_def_acl10 deny tcp any any eq telnet20 deny tcp any any eq www30 deny tcp any any eq 2240 permit ip any anySystem Logging Messages
The following logging message is generated after the router switches to quiet mode:
00:04:07:%SEC_LOGIN-1-QUIET_MODE_ON:Still timeleft for watching failures is 158 seconds, [user:sfd] [Source:10.4.2.11] [localport:23] [Reason:Invalid login], [ACL:22] at 16:17:23 UTC Wed Feb 26 2003The following logging message is generated after the router switches from quiet mode back to normal mode:
00:09:07:%SEC_LOGIN-5-QUIET_MODE_OFF:Quiet Mode is OFF, because block period timed out at 16:22:23 UTC Wed Feb 26 2003Examples
The following example shows how to configure your router to accept hosts only from the ACL "myacl" during the next quiet period:
Router(config)# login quiet-mode access-class myaclRelated Commands
login block-for
Configures your Cisco IOS device for login parameters that help provide DoS detection.
show login
Displays login parameters.
login-photo
To set the photo parameters on a Secure Socket Layer Virtual Private Network (SSL VPN) login page, use the login-photo command in web vpn context configuration mode. To display the login page with no photo but with a message that spans the message and the photo columns, use the no form of this command.
login-photo [file file-name | none]
no login-photo
Syntax Description
file file-name
Points to a file to be displayed on the login page. The file-name argument can be jpeg, bitmap, or gif. However, gif files are recommended.
none
No photo appears on the login page.
Command Default
No photo appears, and the message spans the two columns (message and photo columns).
Command Modes
Webvpn context configuration (config-webvpn-context)
Command History
Usage Guidelines
To display no photo, use the login-photo none option. To display no photo and have the message span both columns (message column and photo column), use the no login-photo option.
The best resolution for login photos is 179 x 152 pixels.
Examples
The following example shows that no photo is displayed:
Router (config)# webvpn contextRouter (config-webvpn-context)# login-photo noneRelated Commands
webvpn context
Enters webvpn context configuration mode to configure the SSL VPN context.
logo
To configure a custom logo to be displayed on the login and portal pages of an SSL VPN, use the logo command in SSLVPN configuration mode. To configure the Cisco logo to be displayed, use the no form of this command.
logo [file filename | none]
no logo [file filename | none]
Syntax Description
Defaults
The Cisco logo is displayed if the no form of this command is not configured or if the no form is entered.
Command Modes
SSLVPN configuration
Command History
Usage Guidelines
The source image file for the logo is a gif, jpg, or png file that is up to 255 characters in length (filename) and up to 100 kilobytes (KB) in size. The file is referenced from a local file system, such as flash memory. An error message will be displayed if the file is not referenced from a local file system. No logo will be displayed if the image file is removed from the local file system.
Examples
The following example references mylogo.gif (from flash memory) to use as the SSL VPN logo:
Router(config)# webvpn context SSLVPNRouter(config-webvpn-context)# logo file flash:/mylogo.gifRouter(config-webvpn-context)#In the following example, no logo is to be displayed on the login or portal pages:
Router(config)# webvpn context SSLVPNRouter(config-webvpn-context)# logo noneRouter(config-webvpn-context)#The following example configures the SSL VPN to display the default logo (Cisco) on the login and portal pages:
Router(config)# webvpn context SSLVPNRouter(config-webvpn-context)# logo noneRouter(config-webvpn-context)#Related Commands
webvpn context
Enters SSLVPN configuration mode to configure the WebVPN context.
