-
Cisco IOS Security Command Reference
-
Introduction
-
aaa accounting through aaa local authentication attempts max-fail
-
aaa max-sessions through algorithm
-
all (profile map configuration) through browser-proxy
-
ca trust-point through clear eou
-
clear ip access-list counters through crl-cache none
-
crypto aaa attribute list through crypto ipsec transform-set
-
crypto isakmp aggressive-mode disable through crypto mib ipsec flowmib history tunnel size
-
crypto pki authenticate through ctype
-
database archive through dns
-
dnsix-dmdp retries through dynamic
-
E
-
F through H
-
icmp idle-timeout through ip http ezvpn
-
ip inspect through ip security strip
-
ip source-track through ivrf
-
K through L
-
mac access-group through max-users (WebVPN)
-
message retry count through outgoing
-
parameter through port-misuse
-
ppp accounting through quit
-
radius attribute nas-port-type through rate-limit (firewall)
-
reauthentication time through rsa-pubkey
-
sa ipsec through sessions maximum
-
set aggressive-mode client-endpoint through show class-map type urlfilter
-
show crypto ace redundancy through show crypto vlan
-
show diameter peer through show object-group
-
show parameter-map type consent through show users
-
show vlan group through switchport port-security violation
-
tacacs-server administration through title-color
-
traffic-export through zone security
-
Feedback
Table Of Contents
mls acl tcam override dynamic dhcp-snooping
mls rate-limit unicast l3-features
mls rate-limit unicast vacl-log
no crypto engine software ipsec
object-group (Catalyst 6500 series switches)
mls acl tcam default-result
To set the default action during the ACL TCAM update, use the mls acl tcam default-result command in global configuration mode. To return to the default settings, use the no form of this command.
mls acl tcam default-result {permit | deny | bridge}
no mls acl tcam default-result
Syntax Description
permit
Permits all traffic.
deny
Denies all traffic.
bridge
Bridges all Layer 3 traffic up to the rendezvous point.
Defaults
deny
Command Modes
Global configuration (config)
Command History
12.2(14)SX
Support for this command was introduced on the Supervisor Engine 720.
12.2(33)SRA
This command was integrated into Cisco IOS Release 12.2(33)SRA.
Usage Guidelines
This command is not supported on Cisco 7600 series routers that are configured with a Supervisor Engine 2.
In the transition time between when an existing ACL is removed and a new ACL is applied, a default deny is programmed in the hardware. Once the new ACL has been applied completely in the hardware, the default deny is removed.
Use the mls acl tcam default-result permit command to permit all traffic in the hardware or bridge all traffic to the software during the transition time.
Examples
This example shows how to permit all traffic to pass during the ACL TCAM update:
Router(config)# mls acl tcam default-result permitThis example shows how to deny all traffic during the ACL TCAM update:
Router(config)# mls acl tcam default-result denyThis example shows how to bridge all Layer 3 traffic up to the rendezvous point during the ACL TCAM update:
Router(config)# mls acl tcam default-result bridgemls acl tcam override dynamic dhcp-snooping
To allow web-based authentication (webauth) and IP Source Guard (IPSG) to function together on the same interface, use the mls acl tcam override dynamic dhcp-snooping command in global configuration mode. To disable this compatibility function, use the no form of this command.
mls acl tcam override dynamic dhcp-snooping
no mls acl tcam override dynamic dhcp-snooping
Syntax Description
This command has no arguments or keywords.
Command Default
This function is disabled by default.
Command Modes
Global configuration (config)
Command History
Usage Guidelines
On the Catalyst 6500 series switch, when both webauth and IPSG are configured on the same access port and DHCP snooping is enabled on the access VLAN, the webauth downloadable ACLs (DACLs) can interfere with the DHCP snooping functionality. To prevent this interference, enter the mls acl tcam override dynamic dhcp-snooping command in global configuration mode. This command causes DHCP snooping entries to be replicated in the DACLs.
Examples
This example shows how to configure compatibility between webauth and IPSG:
Router(config)# mls acl tcam override dynamic dhcp-snoopingRelated Commands
ip admission
Configures web-based authentication on the interface.
ip dhcp snooping
Enables DHCP snooping.
ip verify source
Enables IP Source Guard on the port.
mls acl tcam share-global
To enable sharing of the global default ACLs, use the mls acl tcam share-global command in global configuration mode. To turn off sharing of the global defaults, use the no form of this command.
mls acl tcam share-global
no mls acl tcam share-global
Syntax Description
This command has no arguments or keywords.
Defaults
Enabled
Command Modes
Global configuration
Command History
12.2(18)SXE
Support for this command was introduced on the Supervisor Engine 720.
12.2(33)SRA
This command was integrated into Cisco IOS Release 12.2(33)SRA.
Usage Guidelines
If you power cycle one of the DFCs, we recommend that you reset all the DFCs across the ACLs of the different DFCs.
Examples
This example shows how to enable sharing of the global default ACLs:
Router(config)# mls acl tcam share-globalmls acl vacl apply-self
To enable VACL lookups on software-switched and router-generated packets on the Catalyst 6500 Supervisor Engine 2, use the mls acl vacl apply-self command in global configuration mode. To disable VACL lookups for software packets, use the no form of this command.
mls acl vacl apply-self
no mls acl vacl apply-self
Syntax Description
This command has no keywords or arguments.
Defaults
VACL lookup on the egress VLAN for software packets are not enabled on switches with Supervisor Engine 2.
Command Modes
Global configuration
Command History
Usage Guidelines
On the Supervisor Engine 2 based switches running Cisco IOS Release 12.2(18)SXF15 or a later release, you can enable VACL lookups on software-switched and router generated packets for the VLAN filter configured on the egress VLAN by entering the mls acl vacl apply-self command.
On both the Supervisor Engine 720 and Supervisor Engine 32, software-switched packets and router-generated packets are always subjected to VACL lookups on the egress VLAN.
Examples
This example shows how to enable VACL lookups on software-switched and router-generated packets:
Router(config)# mls acl vacl apply-selfRouter(config)#mls aclmerge algorithm
To select the type of ACL merge method to use, use the mls aclmerge algorithm command in global configuration mode.
mls aclmerge algorithm {bdd | odm}
Syntax Description
bdd
Specifies the binary decision diagram (BDD)-based algorithm.
odm
Specifies the order dependent merge (ODM)-based algorithm.
Defaults
bdd
Command Modes
Global configuration
Command History
Usage Guidelines
This command is not supported on Cisco 7600 series routers that are configured with a Supervisor Engine 720.
The BDD-based ACL merge uses Boolean functions to condense entries into a single merged list of Ternary Content Addressable Memory (TCAM) entries that can be programmed into the TCAM.
You cannot disable the ODM-based ACL merge on Cisco 7600 series routers that are configured with a Supervisor Engine 720.
The ODM-based ACL merge uses an order-dependent merge algorithm to process entries that can be programmed into the TCAM.
Note
The ODM-based ACL merge supports both security ACLs and ACLs that are used for QoS filtering.
If you change the algorithm method, the change is not retroactive. For example, ACLs that have had the merge applied are not affected. The merge change applies to future merges only.
Use the show fm summary command to see the status of the current merge method.
Examples
This example shows how to select the BDD-based ACL to process ACLs:
Router(config)# mls aclmerge algorithm bddThe algorithm chosen will take effect for new ACLs which are being applied, notfor already applied ACLs.Router(config)This example shows how to select the ODM-based ACL merge to process ACLs:
Router(config)# mls aclmerge algorithm odmThe algorithm chosen will take effect for new ACLs which are being applied, notfor already applied ACLs.Related Commands
mls ip acl port expand
To enable ACL-specific features for Layer 4, use the mls ip acl port expand command in global configuration mode. To disable the ACL-specific Layer 4 features, use the no form of this command.
mls ip acl port expand
no mls ip acl port expand
Syntax Description
This command has no arguments or keywords.
Defaults
This command has no default settings.
Command Modes
Global configuration
Command History
Usage Guidelines
This command is not supported on Cisco 7600 series routers that are configured with a Supervisor Engine 2.
Examples
This example shows how to enable the expansion of ACL logical operations on Layer 4 ports:
Router(config)# mls ip acl port expandmls ip inspect
To permit traffic through any ACLs that would deny the traffic through other interfaces from the global configuration command mode, use the mls ip inspect command. Use the no form of this command to return to the default settings.
mls ip inspect acl-name
no mls ip inspect acl-name
Syntax Description
Defaults
Disabled
Command Modes
Global configuration
Command History
Usage Guidelines
On a Cisco 7600 series router, when interfaces are configured to deny traffic, the CBAC permits traffic to flow bidirectionally only through the interface that is configured with the ip inspect command.
Examples
This example shows how to permit the traffic through a specific ACL (named den-ftp-c):
Router(config)# mls ip inspect deny-ftp-cRouter(config)#Related Commands
mls rate-limit all
To enable and set the rate limiters common to unicast and multicast packets in the global configuration command mode, use the mls rate-limit all command. Use the no form of this command to disable the rate limiters.
mls rate-limit all {mtu-failure | ttl-failure} pps [packets-in-burst]
no mls rate-limit all {mtu-failure | ttl-failure}
Syntax Description
Defaults
The Layer 2 rate limiters are off by default. If you enable and set the rate limiters, the default packets-in-burst is 10.
Command Modes
Global configuration
Command History
12.2(14)SX
Support for this command was introduced on the Supervisor Engine 720.
12.2(33)SRA
This command was integrated into Cisco IOS release 12.(33)SRA.
Usage Guidelines
This command is not supported on Cisco 7600 series routers that are configured with a Supervisor Engine 2.
Rate limiters can rate-limit packets that are punted from the data path in the hardware up to the data path in the software. Rate limiters protect the control path in the software from congestion by dropping the traffic that exceeds the configured rate.
Note
Examples
This example shows how to set the TTL-failure limiter for unicast and multicast packets:
Router(config)# mls rate-limit all ttl-failure 15Router(config)#Related Commands
mls rate-limit layer2
To enable and rate limit the control packets in Layer 2, use the mls rate-limit layer2 command in global configuration mode. To disable the rate limiter in the hardware, use the no form of this command.
mls rate-limit layer2 {ip-admission | l2pt | pdu | port-security| unknown} pps [packets-in-burst]
no mls rate-limit layer2 [l2pt | pdu | port-security | unknown]
Syntax Description
Defaults
The Layer 2 rate limiters are off by default. If you enable and set the rate limiters, the default packets-in-burst value is 10 and pps value has no default setting.
Command Modes
Global configuration (config)
Command History
Usage Guidelines
MLS provides high-performance hardware-based Layer 3 switching at Layer 2.
This command is not supported on Catalyst 6500 series switches and Cisco 7600 series routers that are configured with a Supervisor Engine 2.
The unknown keyword is only available on PFC3C line cards. When PFC3C and PFC3B linecards are powered on in the same chassis the chassis will downgrade to the PFC3B linecard and the unknown keyword will be unavailable.
You cannot configure the Layer 2 rate limiters if the global switching mode is set to truncated mode.
The following restrictions are pertinent to the use of the port-security pps keywords and argument:
•
•
•
Rate limiters control packets as follows:
•
–
–
–
•
•
The Layer 2 control packets are as follows:
•
•
•
•
If the rate of the traffic exceeds the configured rate limit, the excess packets are dropped at the hardware.
The pdu and l2pt rate limiters use specific hardware rate-limiter numbers only, such as 9 through 12. Enter the show mls rate-limit usage command to display the available rate-limiter numbers. The available numbers are displayed as "Free" in the output field. If all four of those rate limiters are in use by other features, a system message is displayed telling you to turn off a feature to rate limit the control packets in Layer 2.
When a MAC move occurs and a packet is seen on two ports, the packet is redirected to the software. If one of those ports has the violation mode set to restrict or protect, the packet is dropped in software. You can use the port-security rate limiter to throttle the number of such packets redirected to software. This helps in protecting the software from high traffic rates.
Examples
This example shows how to enable and set the rate limiters for the protocol-tunneling packets in Layer 2:
Router(config)# mls rate-limit layer2 l2pt 3000This example shows how to configure the port-security rate limiter:
Router(config)# mls rate-limit layer2 port-security 500This example shows how to configure the ip-admission rate limiter:
Router(config)# mls rate-limit layer2 ip-admission 560Related Commands
mls rate-limit unicast l3-features
To enable and set the Layer 3 security rate limiters for the unicast packets in the global configuration command mode, use the mls rate-limit unicast l3-features command. Use the no form of this command to disable the rate limiters.
mls rate-limit unicast l3-features pps [packets-in-burst]
no mls rate-limit unicast l3-features pps [packets-in-burst]
Syntax Description
pps
Packets per second; see the "Usage Guidelines" section for valid values.
packets-in-burst
(Optional) Packets in burst; valid values are from 1 to 255.
Defaults
The defaults are as follows:
•
•
Command Modes
Global configuration
Command History
12.2(17d)SXB
Support for this command was introduced on the Supervisor Engine 2.
12.2(33)SRA
This command was integrated into Cisco IOS release 12.(33)SRA.
Usage Guidelines
This command is not supported on Cisco 7600 series routers that are configured with a Supervisor Engine 720.
Examples
This example shows how to set the Layer 3 security rate limiters for the unicast packets:
Router(config)# mls rate-limit unicast l3-features 5000Router(config)#Related Commands
mls rate-limit multicast ipv4
To enable and set the rate limiters for the IPv4 multicast packets in the global configuration command mode, use the mls rate-limit multicast ipv4 command. Use the no form of this command to disable the rate limiters.
mls rate-limit multicast ipv4 {connected | fib-miss | igmp | ip-option | partial | non-rpf} pps [packets-in-burst]
no mls rate-limit multicast ipv4 {connected | fib-miss | igmp | ip-option | partial | non-rpf}
Syntax Description
Defaults
The defaults are as follows:
•
•
•
•
Command Modes
Global configuration
Command History
Usage Guidelines
This command is not supported on Cisco 7600 series routers that are configured with a Supervisor Engine 2.
You cannot configure the IPv4 rate limiters if the global switching mode is set to truncated mode.
The rate limiters can rate limit the packets that are punted from the data path in the hardware up to the data path in the software. The rate limiters protect the control path in the software from congestion and drop the traffic that exceeds the configured rate.
The ip-option keyword is supported in PFC3BXL or PFC3B mode only.
Examples
This example shows how to set the rate limiters for the multicast packets failing the RPF check:
Router(config)# mls rate-limit multicast ipv4 non-rpf 100Router(config)#This example shows how to set the rate limiters for the multicast packets during a partial SC state:
Router(config)# mls rate-limit multicast ipv4 partial 250Router(config)#This example shows how to set the rate limiters for the FIB-missed multicast packets:
Router(config)# mls rate-limit multicast ipv4 fib-miss 15Router(config)#Related Commands
mls rate-limit multicast ipv6
To configure the IPv6 multicast rate limiters, use the mls rate-limit multicast ipv6 command in global configuration mode. To disable the rate limiters, use the no form of this command.
mls rate-limit multicast ipv6 {connected pps [packets-in-burst] | rate-limiter-name {share {auto | target-rate-limiter}}
no mls rate-limit multicast ipv6 {connected | rate-limiter-name}
Syntax Description
Command Default
If the burst is not set, a default of 100 is programmed for multicast cases.
Command Modes
Global configuration
Command History
12.2(18)SXD
This command was introduced on the Supervisor Engine 720.
12.2(33)SRA
This command was integrated into Cisco IOS Release 12.2(33)SRA.
Usage Guidelines
This command is not supported on Cisco 7600 series routers that are configured with a Supervisor Engine 2.
The rate-limiter-name argument must be a rate limiter that is not currently programmed.
The target-rate-limiter argument must be a rate limiter that is programmed in the hardware and must be the first rate limiter programmed for its group.
Table 43 lists the IPv6 rate limiters and the class of traffic that each rate limiter serves.
You can configure rate limiters for IPv6 multicast traffic using one of the following methods:
•
Router(config)# mls rate-limit multicast ipv6 default-drop 1000 20•
Router(config)# mls rate-limit multicast ipv6 route-cntl share default-dropIf the target rate limiter is not configured, a message displays that the target rate limiter must be configured for it to be shared with other rate limiters.
•
Router(config)# mls rate-limit multicast ipv6 route-cntl share autoExamples
This example shows how to set the rate limiters for the IPv6 multicast packets from a directly connected source:
Router(config)# mls rate-limit multicast ipv6 connected 1500 20Router(config)#This example shows how to configure a direct association of the rate limiters for a traffic class:
Router(config)# mls rate-limit multicast ipv6 default-drop 1000 20Router(config)#This example shows how to configure the static sharing of a rate limiter with another preconfigured rate limiter:
Router(config)# mls rate-limit multicast ipv6 route-cntl share default-dropRouter(config)#This example shows how to enable dynamic sharing for the route-cntrl rate limiter:
Router(config)# mls rate-limit multicast ipv6 route-cntl share autoRouter(config)#Related Commands
mls rate-limit unicast acl
To enable and set the ACL-bridged rate limiters in global configuration command mode, use the mls rate-limit unicast acl command. Use the no form of this command to disable the rate limiters.
mls rate-limit unicast acl {input | output | vacl-log} pps [packets-in-burst]
Syntax Description
Defaults
The defaults are as follows:
•
•
•
•
Command Modes
Global configuration
Command History
Usage Guidelines
The input and output keywords are not supported on Cisco 7600 series routers that are configured with a Supervisor Engine 2.
The rate limiters can rate limit the packets that are punted from the data path in the hardware up to the data path in the software. The rate limiters protect the control path in the software from congestion and drop the traffic that exceeds the configured rate.
When setting the pps, valid values are as follows:
•
•
You cannot change the vacl-log packets-in-burst keyword and argument; it is set to 1 by default.
Some cases (or scenarios) share the same hardware register. These cases are divided into the following two groups:
•
–
–
•
–
–
–
–
All the components of each group use or share the same hardware register. For example, ACL-bridged ingress and egress packets use register A. ICMP-unreachable, no-route, and RPF failure use register B.
In most cases, when you change a component of a group, all the components in the group are overwritten to use the same hardware register as the first component changed. A warning message is printed out each time that an overwriting operation occurs, but only if you enable the service internal mode. The overwriting operation does not occur in these situations:
•
•
Examples
This example shows how to set the input ACL-bridged packet limiter for unicast packets:
Router(config)# mls rate-limit unicast acl input 100Router(config)#Related Commands
mls rate-limit unicast cef
To enable and set the Cisco Express Forwarding rate limiters in global configuration command mode, use the mls rate-limit unicast cef command. Use the no form of this command to disable the rate limiters.
mls rate-limit unicast cef {receive | glean} pps [packets-in-burst]
Syntax Description
Defaults
The defaults are as follows:
•
•
Command Modes
Global configuration
Command History
Usage Guidelines
If you enable the CEF rate limiters, the following behaviors occur (if the behavior that is listed is unacceptable, disable the CEF rate limiters):
•
•
•
Examples
This example shows how to set the CEF-glean limiter for the unicast packets:
Router(config)# mls rate-limit unicast cef glean 5000Router(config)#Related Commands
mls rate-limit unicast ip
To enable and set the rate limiters for the unicast packets in global configuration command mode, use the mls rate-limit unicast ip command. Use the no form of this command to disable the rate limiters.
mls rate-limit unicast ip {errors | features | options | rpf-failure} pps [packets-in-burst]
mls rate-limit unicast ip icmp {redirect | unreachable acl-drop pps | no-route pps} [packets-in-burst]
no mls rate-limit unicast ip {errors | features | icmp {redirect | unreachable {acl-drop | no-route}} | options | rpf-failure} pps [packets-in-burst]
Syntax Description
Defaults
The defaults are as follows:
•
•
•
•
•
•
Command Modes
Global configuration
Command History
Usage Guidelines
This command is not supported on Cisco 7600 series routers that are configured with a Supervisor Engine 2.
To provide OAL support for denied packets, enter the mls rate-limit unicast ip icmp unreachable acl-drop 0 command.
OAL and VACL capture are incompatible. Do not configure both features on the switch. With OAL configured, use SPAN to capture traffic.
The rate limiters can rate limit the packets that are punted from the data path in the hardware up to the data path in the software. The rate limiters protect the control path in the software from congestion and drop the traffic that exceeds the configured rate.
Note
When setting the pps, the valid values are 0 and from 10 to 1000000. Setting the pps to 0 globally disables the redirection of the packets to the route processor. The 0 value is supported for these rate limiters:
•
•
•
•
Some cases (or scenarios) share the same hardware register. These cases are divided into the following two groups:
•
–
–
•
–
–
–
–
All the components of each group use or share the same hardware register. For example, ACL-bridged ingress and egress packets use register A. ICMP-unreachable, no-route, and RPF failure use register B.
In most cases, when you change a component of a group, all the components in the group are overwritten to use the same hardware register as the first component changed. A warning message is printed out each time that an overwriting operation occurs, but only if you enable the service internal mode. The overwriting operation does not occur in these situations:
•
•
Examples
This example shows how to set the ICMP-redirect limiter for unicast packets:
Router(config)# mls rate-limit unicast ip icmp redirect 250Router(config)#Related Commands
mls rate-limit unicast vacl-log
To enable and set the VACL-log case rate limiters in the global configuration command mode, use the mls rate-limit unicast vacl-log command. Use the no form of this command to disable the rate limiters.
mls rate-limit unicast vacl-log pps [packets-in-burst]
Syntax Description
pps
Packets per second; see the "Usage Guidelines" section for valid values.
packets-in-burst
(Optional) Packets in burst; valid values are from 1 to 255.
Defaults
The defaults are as follows:
•
•
Command Modes
Global configuration
Command History
12.2(17d)SXB
Support for this command was introduced on the Supervisor Engine 2.
12.2(33)SRA
This command was integrated into Cisco IOS release 12.(33)SRA.
Usage Guidelines
This command is not supported on Cisco 7600 series routers that are configured with a Supervisor Engine 720.
The rate limiters can rate limit the packets that are punted from the data path in the hardware up to the data path in the software. The rate limiters protect the control path in the software from congestion and drop the traffic that exceeds the configured rate.
When setting the pps, valid values are as follows:
•
•
Setting the pps to 0 globally disables the redirection of the packets to the route processor.
You cannot change the vacl-log packets-in-burst keyword and argument; it is set to 1 by default.
Some cases (or scenarios) share the same hardware register. These cases are divided into the following two groups:
•
–
–
•
–
–
–
–
All the components of each group use or share the same hardware register. For example, ACL-bridged ingress and egress packets use register A. ICMP-unreachable, no-route, and RPF failure use register B.
In most cases, when you change a component of a group, all the components in the group are overwritten to use the same hardware register as the first component changed. A warning message is printed out each time that an overwriting operation occurs, but only if you enable the service internal mode. The overwriting operation does not occur in these situations:
•
•
Examples
This example shows how to set the VACL-log case packet limiter for unicast packets:
Router(config)# mls rate-limit unicast vacl-log 100Router(config)#Related Commands
mode (IPSec)
To change the mode for a transform set, use the mode command in crypto transform configuration mode. To reset the mode to the default value of tunnel mode, use the no form of this command.
mode [tunnel | transport]
no mode
Syntax Description
tunnel | transport
(Optional) Specifies the mode for a transform set: either tunnel or transport mode. If neither tunnel nor transport is specified, the default (tunnel mode) is assigned.
Defaults
Tunnel mode
Command Modes
Crypto transform configuration
Command History
Usage Guidelines
Use this command to change the mode specified for the transform. This setting is only used when the traffic to be protected has the same IP addresses as the IPSec peers (this traffic can be encapsulated either in tunnel or transport mode). This setting is ignored for all other traffic (all other traffic is encapsulated in tunnel mode).
If the traffic to be protected has the same IP address as the IP Security peers and transport mode is specified, during negotiation the router will request transport mode but will accept either transport or tunnel mode. If tunnel mode is specified, the router will request tunnel mode and will accept only tunnel mode.
After you define a transform set, you are put into the crypto transform configuration mode. While in this mode you can change the mode to either tunnel or transport. This change applies only to the transform set just defined.
If you do not change the mode when you first define the transform set, but later decide you want to change the mode for the transform set, you must re-enter the transform set (specifying the transform name and all its transforms) and then change the mode.
If you use this command to change the mode, the change will only affect the negotiation of subsequent IPSec security associations via crypto map entries which specify this transform set. (If you want the new settings to take effect sooner, you can clear all or part of the security association database. See the clear crypto sa command for more details.
Tunnel Mode
With tunnel mode, the entire original IP packet is protected (encrypted, authenticated, or both) and is encapsulated by the IPSec headers and trailers (an Encapsulation Security Protocol header and trailer, an Authentication Header, or both). Then a new IP header is prefixed to the packet, specifying the IPSec endpoints as the source and destination.
Tunnel mode can be used with any IP traffic. Tunnel mode must be used if IPSec is protecting traffic from hosts behind the IPSec peers. For example, tunnel mode is used with Virtual Private Networks (VPNs) where hosts on one protected network send packets to hosts on a different protected network via a pair of IPSec peers. With VPNs, the IPSec peers "tunnel" the protected traffic between the peers while the hosts on their protected networks are the session endpoints.
Transport Mode
With transport mode, only the payload (data) of the original IP packet is protected (encrypted, authenticated, or both). The payload is encapsulated by the IPSec headers and trailers (an ESP header and trailer, an AH header, or both). The original IP headers remain intact and are not protected by IPSec.
Use transport mode only when the IP traffic to be protected has IPSec peers as both the source and destination. For example, you could use transport mode to protect router management traffic. Specifying transport mode allows the router to negotiate with the remote peer whether to use transport or tunnel mode.
Examples
The following example defines a transform set and changes the mode to transport mode. The mode value only applies to IP traffic with the source and destination addresses at the local and remote IPSec peers.
crypto ipsec transform-set newer esp-des esp-sha-hmacmode transportexitRelated Commands
crypto ipsec transform-set
Defines a transform set—an acceptable combination of security protocols and algorithms.
mode ra
To place the public key infrastructure (PKI) server into Registration Authority (RA) certificate server mode, use the mode ra command in certificate server configuration mode. To remove the PKI server from RA certificate mode, use the no form of this command.
mode ra [transparent]
no mode ra [transparent]
Syntax Description
transparent
The transparent keyword allows the CA server in RA mode to interoperate with more than one type of CA server.
Defaults
The PKI server is not placed into RA certificate server mode.
Command Modes
Certificate server configuration
Command History
Usage Guidelines
When this command is configured, ensure that the crypto pki trustpoint command has also been configured and that the enrollment URL is pointed to a Cisco IOS issuing certification authority (CA). If the mode ra command is not configured and the certificate server is enabled for the first time, a self-signed CA certificate will be generated and the certificate server will operate as a root CA.
The Cisco IOS certificate server can act as an RA for a Cisco IOS CA or another third party CA. The transparent keyword is used if a third-party CA is used.
When the transparent keyword is used, the original PKCS#10 enrollment message is not re-signed and is forwarded unchanged. This enrollment message makes the IOS RA certificate server work with CA servers like the Microsoft CA server.
Examples
The following configuration example shows that a RA mode certificate server named "myra" has been configured:
Router (config)# crypto pki trustpoint myraRouter (ca-trustpoint)# enrollment url http://10.3.0.6Router (ca-trustpoint)# subject-name cn=myra, ou=ioscs RA, o=cisco, c=usRouter (ca-trustpoint)# exitRouter (config)# crypto pki server myraRouter (cs-server)# mode raRouter (cs-server)# no shutdownRelated Commands:
mode secure
To enable the secure mode in the Lightweight Directory Access Protocol (LDAP) server, use the mode secure command in LDAP server configuration mode. To disable the secure mode in LDAP server, use the no form of this command.
mode secure [no-negotiation]
no mode secure [no-negotiation]
Syntax Description
Command Default
The secure mode is disabled.
Command Modes
LDAP server configuration (config-ldap-server)
Command History
Usage Guidelines
Use the mode secure command to establish a TLS connection with the LDAP server. This command will help to secure all the transactions.
Examples
The following example shows how to configure the secure mode on the LDAP server:
Router(config)# ldap server server1Router(config-ldap-server)# mode secure no-negotiationRelated Commands
mode sub-cs
To place the public key infrastructure (PKI) server into sub-certificate server mode, use the mode sub-cs command in certificate server mode. To remove the PKI server from sub-certificate mode, use the no form of this command.
mode sub-cs
no mode sub-cs
Syntax Description
This command has no arguments or keywords.
Defaults
The PKI server is not placed into sub-certificate server mode.
Command Modes
Certificate server
Command History
Usage Guidelines
When this command is configured, ensure that the crypto pki trustpoint command has also been configured and that the enrollment URL is pointed to a Cisco IOS root certification authority (CA). If the mode sub-cs command is not configured and the certificate server is enabled for the first time, a self-signed CA certification will be generated and the certificate server will operate as a root CA.
Note
Examples
The following configuration example shows that a subordinate certificate server named "sub" has been configured:
Router (config)# crypto pki trustpoint subRouter (ca-trustpoint)# enrollment url http://10.3.0.6Router (ca-trustpoint)# exitRouter (config)# crypto pki server subRouter (cs-server)# issuer-name CN=sub CA, O=Cisco, C=usRouter (cs-server)# mode sub-csRouter (cs-server)# no shutdownRelated Commands
monitor event-trace dmvpn
To monitor and control Dynamic Multipoint VPN (DMVPN) traces, use the monitor event-trace dmvpn command in privileged EXEC or global configuration mode.
Privileged EXEC
monitor event-trace dmvpn {dump [merged] pretty | {nhrp {error | event | exception} | tunnel} {clear | continuous [cancel] | disable | enable | one-shot} | tunnel}}
Global Configuration
monitor event-trace dmvpn {dump-file url | {nhrp {error | event | exception} | tunnel} {disable | dump-file url | enable | size | stacktrace value}}
no monitor event-trace dmvpn {dump-file url | {nhrp {error | event | exception} | tunnel} {disable | dump-file url | enable | size | stacktrace value}}
Syntax Description
Command Default
DMVPN event tracing is disabled.
Command Modes
Privileged EXEC (#)
Global configuration (config)Command History
Usage Guidelines
You can use the monitor event-trace dmvpn command to configure the DMVPN Event Tracing feature. The DMVPN Event Tracing feature provides a trace facility for troubleshooting Cisco IOS DMVPN. This feature enables you to monitor DMVPN events, errors, and exceptions. During runtime, the event trace mechanism logs trace information in a buffer space. A display mechanism extracts and decodes the debug data.
Note
Examples
The following example shows how to configure a router to monitor and control NHRP event traces in privileged EXEC mode:
Router# monitor event-trace dmvpn nhrp event enableThe following example shows how to configure a router to monitor and control NHRP exception traces in privileged EXEC mode:
Router# monitor event-trace dmvpn nhrp exception enableThe following example shows how to configure a router to monitor and control NHRP error traces in privileged EXEC mode:
Router# monitor event-trace dmvpn nhrp error enableThe following example shows how to configure a router to monitor and control NHRP event traces in global configuration mode:
Router# enableRouter(config)# monitor event-trace dmvpn nhrp event enableThe following example shows how to configure a router to monitor and control NHRP exception traces in global configuration mode:
Router# enableRouter(config)# monitor event-trace dmvpn nhrp exception enableThe following example shows how to configure a router to monitor and control NHRP error traces in global configuration mode:
Router# enableRouter(config)# monitor event-trace dmvpn nhrp error enableRelated Commands
name
To configure the redundancy group with a name, use the name command in redundancy application group configuration mode. To remove the name of a redundancy group, use the no form of this command.
name group-name
no name group-name
Syntax Description
Command Default
The redundancy group is not configured with a name.
Command Modes
Redundancy application group configuration (config-red-app-grp)
Command History
Examples
The following example shows how to configure the redundancy group name as group1:
Router# configure terminalRouter(config)# redundancyRouter(config-red)# application redundancyRouter(config-red-app)# group 1Router(config-red-app-grp)# name group1Related Commands
application redundancy
Enters redundancy application configuration mode.
group
Enters redundancy application group configuration mode.
shutdown
Shuts down a group manually.
name (view)
To change the name of a lawful intercept view, use the name command in view configuration mode. To return to the default lawful intercept view name, which is "li-view," use the no form of this command.
name new-name
no name new-name
Syntax Description
Defaults
A lawful intercept view is called "li-view."
Command Modes
View configuration (config-view)
Command History
Usage Guidelines
Only a system administrator or a level 15 privilege user can change the name of a lawful intercept view.
Examples
The following example shows how to configure a lawful intercept view and change the view name to "myliview":
!Initialize the LI-View.Router(config-view)# li-view lipass user li_admin password li_adminpass00:19:25:%PARSER-6-LI_VIEW_INIT:LI-View initialized.Router(config-view)# name myliviewRouter(config-view)# endRelated Commands
li-view
Initializes a lawful intercept view.
parser view
Creates or changes a CLI view and enters view configuration mode.
named-key
To specify which peer's RSA public key you will manually configure and enter public key configuration mode, use the named-key command in public key chain configuration mode. This command should be used only when the router has a single interface that processes IP Security (IPSec).
named-key key-name [encryption | signature]
Syntax Description
Defaults
If neither the encryption nor the signature keyword is used, general-purpose keys will be specified.
Command Modes
Public key chain configuration.
Command History
Usage Guidelines
Use this command or the addressed-key command to specify which IPSec peer's RSA public key you will manually configure next.
Follow this command with the key-string command to specify the key.
If you use the named-key command, you also need to use the address public key configuration command to specify the IP address of the peer.
If the IPSec remote peer generated general purpose RSA keys, do not use the encryption or signature keyword.
If the IPSec remote peer generated special usage keys, you must manually specify both keys: perform this command and the key-string command twice and use the encryption and signature keywords in turn.
Examples
The following example manually specifies the RSA public keys of two IPSec peers. The peer at 10.5.5.1 uses general-purpose keys, and the other peer uses special-purpose keys.
crypto key pubkey-chain rsanamed-key otherpeer.example.comaddress 10.5.5.1key-string005C300D 06092A86 4886F70D 0101010500034B00 30480241 00C5E23B 55D6AB2204AEF1BA A54028A6 9ACC01C5 129D99E464CAB820 847EDAD9 DF0B4E4C 73A05DD2BD62A8A9 FA603DD2 E2A8A6F8 98F76E28D58AD221 B583D7A4 71020301 0001quitexitaddressed-key 10.1.1.2 encryptionkey-string00302017 4A7D385B 1234EF29 335FC9732DD50A37 C4F4B0FD 9DADE748 429618D518242BA3 2EDFBDD3 4296142A DDF7D3D808407685 2F2190A0 0B43F1BD 9A8A26DB07953829 791FCDE9 A98420F0 6A82045B90288A26 DBC64468 7789F76E EE21quitexitaddressed-key 10.1.1.2 signaturekey-string0738BC7A 2BC3E9F0 679B00FE 098533AB01030201 42DD06AF E228D24C 458AD22858BB5DDD F4836401 2A2D7163 219F882E64CE69D4 B583748A 241BED0F 6E7F2F160DE0986E DF02031F 4B0B0912 F68200C4C625C389 0BFF3321 A2598935 C1B1quitexitexitRelated Commands
nas
To add an access point or router to the list of devices that use the local authentication server, use the nas command in local RADIUS server configuration mode. To remove the identity of the network access server (NAS) that is configured on the local RADIUS server, use the no form of this command.
nas ip-address key shared-key
no nas ip-address key shared-key
Syntax Description
Defaults
No default behavior or values
Command Modes
Local RADIUS server configuration
Command History
Examples
The following command adds the access point having the IP address 192.168.12.17 to the list of devices that use the local authentication server, using the shared key named shared256.
Router(config-radsrv)# nas 192.168.12.17 key shared256Related Commands
nasi authentication
To enable authentication, authorization, and accounting (AAA) authentication for NetWare Asynchronous Services Interface (NASI) clients connecting to a router, use the nasi authentication command in line configuration mode. To return to the default, as specified by the aaa authentication nasi command, use the no form of the command.
nasi authentication {default | list-name}
no nasi authentication {default | list-name}
Syntax Description
default
Uses the default list created with the aaa authentication nasi command.
list-name
Uses the list created with the aaa authentication nasi command.
Defaults
Uses the default set with the aaa authentication nasi command.
Command Modes
Line configuration
Command History
Usage Guidelines
This command is a per-line command used with AAA authentication that specifies the name of a list of authentication methods to try at login. If no list is specified, the default list is used, even if it is not specified in the command line. (You create defaults and lists with the aaa authentication nasi command.) Entering the no form of this command has the same effect as entering the command with the default argument.
Caution
Before issuing this command, create a list of authentication processes by using the aaa authentication nasi global configuration command.
Examples
The following example specifies that the default AAA authentication be used on line 4:
line 4nasi authentication defaultThe following example specifies that the AAA authentication list called list1 be used on line 7:
line 7nasi authentication list1Related Commands
nat (IKEv2 profile)
To configure Network Address Translation (NAT) keepalive for Internet Key Exchange Version 2 (IKEv2), use the nat command in IKEv2 profile configuration mode. To delete NAT keepalive configuration, use the no form of this command.
nat keepalive interval
no nat keepalive
Syntax Description
Command Default
NAT keepalive is disabled.
Command Modes
IKEv2 profile configuration (config-ikev2-profile)
Command History
15.1(1)T
This command was introduced.
Cisco IOS XE Release 3.3S.
This command was integrated into Cisco IOS XE Release 3.3S.
Usage Guidelines
Use this command to configure NAT keepalive. NAT keepalive configuration specified in an IKEv2 profile overrides the global configuration. NAT keepalive prevents the NAT translation entries from deletion in the absence of any traffic when there is NAT between IKE peers.
Examples
The following example shows how to specify the NAT keepalive interval:
Router(config)# crypto ikev2 profile prf1Router(config-ikev2-profile)# nat keepalive 500Related Commands
crypto ikev2 nat
Defines NAT keepalive globally for all peers.
crypto ikev2 profile
Defines an IKEv2 profile.
nbns-list
To enter the webvpn NBNS list configuration mode to configure a NetBIOS Name Service (NBNS) server list for Common Internet File System (CIFS) name resolution, use the nbns-list command in webvpn context configuration mode. To remove the NBNS server list from the SSL VPN context configuration, use the no form of this command.
nbns-list name
no nbns-list name
Syntax Description
name
Name of the NBNS list. The name can be up to 64 characters in length. This argument is case sensitive.
Command Default
Webvpn NBNS list configuration mode is not entered, and a NBNS server list cannot be configured.
Command Modes
Webvpn context configuration
Command History
Usage Guidelines
The NBNS server list is used to configure a list of Windows Internet Name Service (WINS) to resolve Microsoft file-directory shares. Entering the nbns-list command places the router in webvpn NBNS list configuration mode. You can specify up to three NetBIOS name servers. A single server is configured as the master browser if multiple servers are specified in the server list.
Note
Examples
The following example configures an NBNS server list:
Router(config)# webvpn context context1Router(config-webvpn-context)# nbns-list SERVER_LISTRouter(config-webvpn-nbnslist)# nbns-server 172.16.1.1 masterRouter(config-webvpn-nbnslist)# nbns-server 172.16.2.2 timeout 10 retries 5Router(config-webvpn-nbnslist)# nbns-server 172.16.3.3 timeout 10 retries 5Router(config-webvpn-nbnslist)#Related Commands
nbns-server
Adds a server to an NBNS server list.
webvpn context
Enters webvpn context configuration mode to configure the SSL VPN context.
nbns-list (policy group)
To attach a NetBIOS name service (NBNS) server list to a policy group configuration, use the nbns-list command in webvpn group policy configuration mode. To remove the NBNS server list from the policy group configuration, use the no form of this command.
nbns-list name
no nbns-list
Syntax Description
Command Default
An NBNS server list is not attached to a policy group configuration.
Command Modes
Webvpn group policy configuration
Command History
Usage Guidelines
The configuration of this command applies to only clientless mode configuration.
Examples
The following example applies the NBNS server list to the policy group configuration:
Router(config)# webvpn context context1Router(config-webvpn-context)# nbns-list SERVER_LISTRouter(config-webvpn-nbnslist)# nbns-server 172.16.1.1 masterRouter(config-webvpn-nbnslist)# nbns-server 172.16.2.2 timeout 10 retries 5Router(config-webvpn-nbnslist)# nbns-server 172.16.3.3 timeout 10 retries 5Router(config-webvpn-nbnslist)# exitRouter(config-webvpn-context)# policy group ONERouter(config-webvpn-group)# nbns-list SERVER_LISTRouter(config-webvpn-group)#Related Commands
nbns-server
To add a server to a NetBIOS name service (NBNS) server list, use the nbns-server command in webvpn NBNS list configuration mode. To remove the server entry from the NBNS server list, use the no form of this command.
nbns-server ip-address [master] [timeout seconds] [retries number]
no nbns-server ip-address [master] [timeout seconds] [retries number]
Syntax Description
Command Default
The following default values are used if this command is not configured or if the no form is entered:
timeout 2
retries 2Command Modes
Webvpn NBNS list configuration
Command History
Usage Guidelines
The server specified with the ip-address argument can be a primary domain controller (PDC) in a Microsoft network. A Windows Internet Naming Service (WINS) server cannot and should not be specified. When multiple NBNS servers are specified, a single server is configured as master browser.
Examples
The following example adds three servers to an NBNS server list:
Router(config)# webvpn context context1Router(config-webvpn-context)# nbns-list SERVER_LISTRouter(config-webvpn-nbnslist)# nbns-server 172.16.1.1 masterRouter(config-webvpn-nbnslist)# nbns-server 172.16.2.2 timeout 10 retries 5Router(config-webvpn-nbnslist)# nbns-server 172.16.3.3 timeout 10 retries 5Related Commands
netmask
To specify the subnet mask to be used by the client for local connectivity, use the netmask command in ISAKMP group configuration mode or IKEv2 authorization policy configuration mode. To disable the mask, use the no form of this command.
netmask mask
no netmask mask
Syntax Description
Command Default
Default mask is used.
Command Modes
ISAKMP group configuration (config-isakmp-group)
IKEv2 authorization policy configuration (config-ikev2-author-policy)Command History
12.2(8)T
This command was introduced on the Easy VPN remote.
Cisco IOS XE Release 3.3S
This command was integrated into Cisco IOS XE Release 3.3S.
Usage Guidelines
Use this command to specify the subnet mask for the IP address assigned to the client.
Examples
The following example shows that the subnet mask 255.255.255.255 is to be downloaded to the client:
crypto isakmp client configuration group group1netmask 255.255.255.255Related Commands
crypto ikev2 authorization policy
Specifies an IKEv2 authorization policy group.
crypto isakmp client configuration group
Specifies the DNS domain to which a group belongs.
no crypto engine software ipsec
To disable hardware crypto engine failover to the software crypto engine, use the no crypto engine software ipsec command in global configuration mode. To reenable failover, use the crypto engine software ipsec form of this command.
no crypto engine software ipsec
crypto engine software ipsec
Syntax Description
This command has no arguments or keywords.
Defaults
Failover is enabled.
Command Modes
Global configuration
Command History
Usage Guidelines
Use this command for those situations in which the amount of IP Security (IPSec) traffic is more than can be handled (because of bandwidth) by the software routines on the CPU.
Examples
The following example shows that hardware crypto engine failover to the software crypto engine has been disabled:
no crypto engine software ipsecThe following example shows that hardware crypto engine failover has been reenabled:
crypto engine software ipsecRelated Commands
crypto engine accelerator
Enables the onboard hardware accelerator of the router for IPSec encryption.
no crypto xauth
To ignore extended authentication (Xauth) during an Internet Key Exchange (IKE) Phase 1 negotiation, use the no crypto xauth command in global configuration mode. To consider Xauth proposals, use the crypto xauth command.
no crypto xauth interface
crypto xauth interface
Syntax Description
interface
Interface whose IP address is the local endpoint to which the remote peer will send IKE requests.
Defaults
No default behaviors or values
Command Modes
Global configuration (config)
Command History
12.2(15)T
This command was introduced.
Cisco IOS XE Release 2.6
This command was integrated into Cisco IOS XE Release 2.6.
Usage Guidelines
The no version of this command was introduced to support Unity clients that do not require Xauth when using Internet Security Association and Key Management Protocol (ISAKMP) profiles.
Note
Examples
The following example shows that Xauth proposals on Ethernet 1/1 are to be ignored:
no crypto xauth Ethernet1/1no ip inspect
To turn off Context-based Access Control (CBAC) completely at a firewall, use the no ip inspect command in global configuration mode.
no ip inspect
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
Global configuration
Command History
Usage Guidelines
Turn off CBAC with the no ip inspect global configuration command.
Note
Examples
The following example turns off CBAC at a firewall:
no ip inspectno ip ips sdf builtin
To instruct the router not to load the built-in signatures if it cannot find the specified signature definition files (SDFs), use the no ip ips sdf builtin command in global configuration mode.
no ip ips sdf builtin
Syntax Description
This command has no arguments or keywords.
Defaults
If the router fails to load the SDF, the router will load the default, built-in signatures.
Command Modes
Global configuration
Command History
Usage Guidelines
Caution
Examples
The following example shows how to instruct the router not to refer to the default, built-in signature if the attack-drop.sdf file fails to load:
Router(config) no ip ips sdf builtinRelated Commands
copy ips-sdf
Loads or saves the SDF in the router.
ip ips sdf location
Specifies the location in which the router will load the SDF.
object-group (Catalyst 6500 series switches)
To define object groups that you can use to optimize your configuration, use the object-group global configuration mode command. To remove object groups from the configuration use the no form of this command .
object-group ip {{address obj-grp-id} | {port obj-grp-id}}
no object-group ip {{address obj-grp-id} | {port obj-grp-id}}
Syntax Description
Command Default
This command has no default settings.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
Yes
Yes
Yes
Yes
No
Command History
Usage Guidelines
This command supports IPv4 and IPv6 addresses.
Objects such as hosts, protocols, or services can be grouped, and then you can issue a single command using the group name to apply to every item in the group.
When you define a group with the object-group command and then use any security appliance command, the command applies to every item in that group. This feature can significantly reduce your configuration size.
Once you define an object group, you must use the object-group keyword before the group name in all applicable security appliance commands as follows:
Router# show running-config object-group group-namewhere group-name is the name of the group.
This example shows the use of an object group once it is defined:
Router(config)# access-list access_list_name permit tcp any object-group group-nameIn addition, you can group access list command arguments:
protocol
object-group protocol
host and subnet
object-group network
service
object-group service
icmp-type
object-group icmp-type
You can group commands hierarchically; an object group can be a member of another object group.
To use object groups, you must do the following:
•
Router(config)# access-list acl permit tcp object-group remotes object-group locals object-group eng-svcwhere remotes and locals are sample object group names.
•
•
Use the exit, quit, or any valid config-mode commands such as access-list to close an object-group mode and exit the object-group main command.
The show running-config object-group command displays all defined object groups by their grp-id when the show running-config object-group group-id command is entered, and by their group type when you enter the show running-config object-group group-type command. When you enter the show running-config object-group command without an argument, all defined object groups are shown.
Use the clear configure object-group command to remove a group of previously defined object-group commands. Without an argument, the clear configure object-group command lets you to remove all defined object groups that are not being used in a command. Use of the group-type argument removes all defined object groups that are not being used in a command for that group type only.
You can use all other security appliance commands in an object-group mode, including the show running-config and clear configure commands
Commands within the object-group mode appear indented when displayed or saved by the show running-config object-group, write, or config commands.
Commands within the object-group mode have the same command privilege level as the main command.
When you use more than one object group in an access-list command, the elements of all object groups that are used in the command are linked, starting with the elements of the first group with the elements of the second group, then the elements of the first and second groups together with the elements of the third group, and so on.
The starting position of the description text is the character right immediately following the white space (a blank or a tab) following the description keyword.
When you enter the object-group ip address command, the prompt changes to Router(config-ipaddr-ogroup)# and allows you to create or modify a PBACL protocol port object group.
The following IP address object-group configuration commands are available:
•
•
•
•
•
Use the no form of the command to delete the object group with the specified name.
When you enter the object-group ip port command, the prompt changes to Router(config-port-ogroup)# and allows you to define the object group name and enter port object-group configuration mode. The following port object-group configuration commands are available:
•
•
•
•
•
•
•
•
Use the no form of the command to delete the object group with the specified name.
Examples
This example shows how to create an object group with three hosts and a network address:
Router(config)# object-group ip address myAGRouter(config-ipaddr-pgroup)# host 10.20.20.1Router(config-ipaddr-pgroup)# host 10.20.20.5Router(config-ipaddr-pgroup)# 10.30.0.0 255.255.0.0This example shows how to create a port object group that matches protocol port 100 and any port greater than 200, except 300:
Router(config)# object-group ip port myPGRouter(config-port-pgroup)# eq 100Router(config-port-pgroup)# gt 200Router(config-port-pgroup)# neq 300Related Commands
object-group network
To define network object groups for use in object group-based ACLs (OGACLs) and enter network object-group configuration mode (config-network-group), use the object-group network command in global configuration mode. To remove network object groups from the configuration, use the no form of this command.
object-group network object-group-name
no object-group network object-group-name
Syntax Description
Command Default
No network object groups are created.
Command Modes
Global configuration (config)
Command History
12.4(20)T
This command was introduced.
15.0(1)M
This command was modified. The any command was added as a command in network object-group configuration mode.
Usage Guidelines
A network object group is a group of any of the following objects: hostnames, host IP addresses, subnets, ranges of IP addresses, or existing network object groups. A network object group is an ordered list and can be used in an ACL or in other commands. You can use a single command using the group name to apply to every object in the group.
This command supports only IPv4 addresses.
Commands within the network object-group mode appear indented when displayed or saved by the write memory or show running-config commands.
Commands within the network object-group mode have the same command privilege level as the main command.
When you enter the object-group network command, the command mode enters network object-group configuration mode (config-network-group) and allows you to populate or modify a network OGACL. The following commands are available in this mode:
•
This command supports only IPv4 addresses.
•
•
The type of child object group must match that of the parent (for example, if you are creating a network object group, you must specify another network object group as the child).
You can use duplicated objects in an object group if it is because of the inclusion of group objects. For example, if object 1 is in both group A and group B, you can define a group C that includes both A and B. However, you cannot include a group object that causes the group hierarchy to become circular (for example, you cannot include group A in group B and then also include group B in group A).
You can use an unlimited number of nested object groups (however, a maximum of two levels is recommended).
•
•
When the command is used in the network-address /nn format to create a subnet object, for example 209.165.201.0 /27, the 27 most significant bits are allocated for the network prefix number, and the remaining 5 bits are reserved for host addressing. If the same subnet object is created using the network-address network-mask format of the command, the command appears as 209.165.201.31 255.255.255.224. In this case, the subnet mask is 255.255.255.224. The default subnet mask is 255.255.255.255.
Using a subnet mask of 0.0.0.0 includes any address in the range 0.0.0.0 to 255.255.255.255 in the subnet object—this gives the subnet object the same range as the range specified by the any command.
The network-address command supports only IPv4 addresses.
•
If the range specified is 0.0.0.0 to 255.255.255.255 this specifies that any IP address can be used as a host IP address—this has the same effect as the any command, which specifies that any IP address can be used.
If the same IP address is used for host-address1 and host-address2, the effect is the same as using the host command—the identical IP address specified becomes the single host IP address for the object group.
This command supports only IPv4 addresses.
Use the no form of the command to delete the object group with the specified name. (You cannot delete an object group that is being used within an ACL or a CPL policy.)
Examples
The following example shows how to configure a network object group named my_network_object_group that contains two hosts and a subnet as objects.
Router> enableRouter# configure terminalRouter(config)# object-group network my_network_object_groupRouter(config-network-group)# host 10.20.20.1Router(config-network-group)# host 10.20.20.5Router(config-network-group)# 10.30.0.0 255.255.0.0The following example shows how to configure a network object group named sjc_ftp_servers that contains two hosts , a subnet, and an existing object group (child) named sjc_eng_ftp_servers as objects.
Router> enableRouter# configure terminalRouter(config)#object-group network sjc_ftp_serversRouter(config-network-group)# host sjc.eng.ftpRouter(config-network-group)# host 172.23.56.195Router(config-network-group)# 209.165.200.225 255.255.255.224Router(config-network-group)# group-object sjc_eng_ftp_serversThe following example creates an object group called printer_users and specifies any IP address for the object group:
Router> enableRouter# configure terminalRouter(config)# object-group network printer_usersRouter(config-network-group)# description sw_engineersRouter(config-network-group)# anyThe following example creates an object group called printer_users and specifies a range of host IP addresses from 209.165.202.129 to 255.255.255.255 for the object group:
Router> enableRouter# configure terminalRouter(config)# object-group network printer_usersRouter(config-network-group)# description sw_engineersRouter(config-network-group)# range 209.165.202.129 255.255.255.255Related Commands
object-group service
To define service object groups for use in object group-based ACLs (OGACLs), use the object-group service command in global configuration mode. To remove service object groups from the configuration, use the no form of this command.
object-group service object-group-name
no object-group service object-group-name
Syntax Description
Command Default
No service object groups are created.
Command Modes
Global configuration (config)
Command History
Usage Guidelines
A service object group is a group of any of the following objects:
•
•
•
•
A service object group is an ordered list and can be used in an ACL or other commands. You can use a single command using the group name to apply to every object in the group.
This command supports only IPv4 addresses.
Commands within the service object-group mode appear indented when displayed or saved by the write or config commands.
Commands within the service object-group mode have the same command privilege level as the main command.
When you use more than one object group in an access-list command, the elements of all object groups that are used in the command are linked, starting with the elements of the first group with the elements of the second group, then the elements of the first and second groups together with the elements of the third group, and so on.
When you enter the object-group service command, the prompt changes to Router(config-service-group)# and allows you to populate or modify a service OGACL. The following commands are available in this mode:
•
•
–
–
–
–
–
–
–
–
–
–
–
–
•
–
–
eq—Single port value port1. When no operator is specified, the default is eq. However, this keyword is always present in the configuration file.
The following keywords are required when specifying a range of ports.
range—Range of ports between port1 and port2, inclusive.
lt—All port values that are less than port1.
gt—All port values that are greater than port1.
–
Following are the supported services for TCP:
0-65535—Port number.
bgp—Border Gateway Protocol (179).
chargen—Character generator (19).
cmd—Remote commands (rcmd, 514).
daytime—Daytime (13).
discard—Discard (9).
domain—Domain Name Service (53).
drip—Dynamic Routing Information Protocol (3949).
echo—Echo (7).
exec—Exec (rsh, 512).
finger—Finger (79).
ftp—File Transfer Protocol (21).
ftp-data—FTP data connections (20).
gopher—Gopher (70).
hostname—NIC hostname server (101).
ident—Ident Protocol (113).
irc—Internet Relay Chat (194).
klogin—Kerberos login (543).
kshell—Kerberos shell (544).
login—Login (rlogin, 513).
lpd—Printer service (515).
nntp—Network News Transport Protocol (119).
pim-auto-rp PIM Auto-RP (496).
pop2—Post Office Protocol v2 (109).
pop3—Post Office Protocol v3 (110).
smtp—Simple Mail Transport Protocol (25).
sunrpc—Sun Remote Procedure Call (111).
tacacs—TAC Access Control System (49).
talk—Talk (517).
telnet—Telnet (23).
time—Time (37).
uucp—Unix-to-Unix Copy Program (540).
whois—Nicname (43).
www—World Wide Web (HTTP, 80).
Following are the supported services for UDP:
0-65535—Port number.
biff—Biff (mail notification, comsat, 512).
bootpc—Bootstrap Protocol (BOOTP) client (68).
bootps—Bootstrap Protocol (BOOTP) server (67).
discard—Discard (9).
dnsix—DNSIX security protocol auditing (195).
domain—Domain Name Service (DNS, 53).
echo—Echo (7).
isakmp—Internet Security Association and Key Management Protocol (500).
mobile-ip—Mobile IP registration (434).
nameserver—IEN116 name service (obsolete, 42).
netbios-dgm—NetBios datagram service (138).
netbios-ns—NetBios name service (137).
netbios-ss—NetBios session service (139).
non500-isakmp Internet Security Association and Key Management Protocol (4500).
ntp—Network Time Protocol (123).
pim-auto-rp—PIM Auto-RP (496).
rip—Routing Information Protocol (router, in.routed, 520).
snmp—Simple Network Management Protocol (161).
snmptrap—SNMP Traps (162).
sunrpc—Sun Remote Procedure Call (111).
syslog—System Logger (514).
tacacs—TAC Access Control System (49).
talk—Talk (517).
tftp—Trivial File Transfer Protocol (69).
time—Time (37).
who—Who service (rwho, 513).
xdmcp—X Display Manager Control Protocol (177).
Following are the supported services for TCP and UDP:
0-65535—Port number.
discard—Discard (9).
domain—Domain Name Service (53).
echo—Echo (7).
pim-auto-rp—PIM Auto-RP (496).
sunrpc—Sun Remote Procedure Call (111).
syslog—Syslog (514).
tacacs—TAC Access Control System (49).
talk—Talk (517).
•
Following are the supported ICMP types:
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
•
The type of child object group must match that of the parent (for example, if you are creating a network object group, you must specify another network object group as the child).
You can use duplicated objects in an object group if it is because of the inclusion of group objects. For example, if object 1 is in both group A and group B, you can define a group C that includes both A and B. However, you cannot include a group object that causes the group hierarchy to become circular (for example, you cannot include group A in group B and then also include group B in group A).
You can use an unlimited number of nested object groups (however, a maximum of two levels is recommended).
Use the no form of the command to delete the object group with the specified name. (You cannot delete an object group that is being used within an ACL or a CPL policy.)
Examples
This example shows how to create a service object group that matches protocol port 100 and any port greater than 200, except 300:
Router> enableRouter# configure terminalRouter(config)# object-group service my_service_object_groupRouter(config-service-group)# eq 100Router(config-service-group)# gt 200Router(config-service-group)# neq 300Related Commands
occur-at (ips-auto-update)
To define a preset time for which the Cisco IOS Intrusion Prevention System (IPS) automatically obtains updated signature information, use the occur-at command in IPS-auto-update configuration mode.
occur-at {[monthly | weekly] day minutes hours}
Syntax Description
Command Default
The default value is defined in the signature definition XML.
Command Modes
IPS-auto-update configuration (config-ips-auto-update)
Command History
12.4(11)T
This command was introduced.
12.4(22)T
The command was modified with the monthly and weekly keywords in Cisco IOS Release 12.4(22)T.
Usage Guidelines
Automatic signature updates allow users to override the existing IPS configuration and automatically keep signatures up to date on the basis of a preset time, which can be configured to a preferred setting.
Use the ip ips auto-update command to enable Cisco IOS IPS to automatically update the signature file on the system. Thereafter, issue the occur-at command to define how often the Cisco IOS IPS signature files should be automatically updated.
Examples
The following example shows how to configure automatic signature updates and set the frequency in which updates are made. In this example, the signature package file is pulled from the TFTP server at the third hour of the 5 day of the month, at the 56th minute of this hour.
Note
Router# clock set ?hh:mm:ss Current TimeRouter# clock set 10:38:00 20 apr 2006Router#*Apr 20 17:38:00.000: %SYS-6-CLOCKUPDATE: System clock has been updated from 10:37:55 MST Thu Apr 20 2006 to 10:38:00 MST Thu Apr 20 2006, configured from console by cisco on console.Router(config)# ip ips auto-updateRouter(config-ips-auto-update)# occur-at monthly 5 56 3Router(config-ips-auto-update)# $s-auto-update/IOS_reqSeq-dw.xmlRouter(config-ips-auto-update)#^ZRouter#*May 4 2006 15:50:28 MST: IPS Auto Update: setting update timer for next update: 0 hrs 10 min*May 4 2006 15:50:28 MST: %SYS-5-CONFIG_I: Configured from console by cisco on consoleRouter#Router# show ip ips auto-updateIPS Auto Update ConfigurationURL : tftp://192.168.0.2/jdoe/ips-auto-update/IOS_reqSeq-dw.xmlUsername : not configuredPassword : not configuredAuto Update Intervalsminutes (0-59) : 56hours (0-23) : 3days of month (1-31) : 5days of week: (0-6) :Related Commands
ip ips auto-update
Enables automatic signature updates for Cisco IOS IPS.
cisco
Enables automatic signature updates from Cisco.com.
ocsp url
To specify the URL of an online certificate status protocol (OCSP) server to override the OCSP server URL (if one exists) in Authority Info Access (AIA) extension of the certificate, use the ocsp url command in ca-trustpoint configuration mode. To disable the OCSP server, use the no form of this command.
ocsp url url
no ocsp url url
Syntax Description
url
All certificates associated with a configured trustpoint will be checked by the OCSP server at the specified HTTP URL.
Defaults
Uses the OCSP server URL in AIA extension of the certificate. If a URL does not exist, revocation check will fail.
Command Modes
Ca-trustpoint configuration
Command History
Usage Guidelines
A central OCSP server can be configured to collect and update certificate revocation lists (CRLs) from different certification authority (CA) servers. Thus, the devices within the network can rely on the OCSP server to check the certificate status without retrieving and caching each CRL for every device.
Examples
The following example shows how to configure your router to use the OCSP server at the HTTP URL "http://myocspserver:81." If the server is down, revocation check will be ignored.
Router(config)# crypto pki trustpoint mytpRouter(ca-trustpoint)# ocsp url http://myocspserver:81Router(ca-trustpoint)# revocation-check ocsp noneRelated Commands
crypto pki trustpoint
Declares the CA that your router should use.
revocation-check
Checks the revocation status of a certificate.
on
To specify the location where Rivest, Shamir, and Adelman (RSA) keys will be generated upon initial auto enrollment, use the on command in ca-trustpoint configuration mode.
on devicename:
Syntax Description
Command Default
Keys are generated and stored in NVRAM.
Command Modes
Ca-trustpoint
Command History
Usage Guidelines
Locations that may be specified include a USB token, local disk, or NVRAM.
A USB token may be used as a cryptographic device in addition to a storage device. Using a USB token as a cryptographic devices allows RSA operations such as key generation, signing, and authentication to be performed on the token. Private keys are not distributed and remain on the token by default, however you may configure the private key storage location.
Keys that reside on a USB token, or on-token keys, are saved to persistent token storage when they are generated. Key deletion will remove the on-token keys from persistent storage immediately. (Keys that do not reside on a token are saved to or deleted from non-token storage locations only when the write memory or similar command is issued.)
Examples
The following example shows the configuration for the "mytp-A" certificate server and its associated trustpoint, where RSA keys generated by the initial auto enrollment for the trustpoint will be stored on a USB token, "usbtoken0":
crypto pki server mytp-Adatabase level completeissuer-name CN=company, L=city, C=countrygrant auto! Specifies that certificate requests will be granted automatically.!crypto pki trustpoint mytp-Arevocation-check nonersakeypair myTP-Astorage usbtoken0:! Specifies that keys will be stored on usbtoken0:.on usbtoken0:! Specifies that keys generated on initial auto enroll will be generated on and stored on ! usbtoken0:Related Commands
crypto key generate rsa
Generates RSA key pairs.
crypto key import rsa
Imports RSA key pairs.
crypto pki trustpoint
Declares the trustpoint that the router will use.
one-minute
To define the number of new unestablished sessions that will cause the system to start deleting half-open sessions and stop deleting half-open sessions, use the one-minute command in parameter-map type inspect configuration mode. To disable the value, use the no form of this command.
one-minute {low number-of-connections | high number-of-connections}
no one-minute {low number-of-connections | high number-of-connections}
Syntax Description
Command Default
None
Command Modes
Parameter-map type inspect configuration
Command History
Usage Guidelines
When you are configuring an inspect type parameter map, you can enter the one-minute subcommand after you enter the parameter-map type inspect command.
Enter the one-minute command twice; once to specify a high number at which the system will start deleting half-open sessions, and once to specify a low number at which the system will stop deleting half-open sessions.
For more detailed information about creating a parameter map, see the parameter-map type inspect command.
Examples
The following example causes the system to start deleting half-open sessions when there are 300 unestablished sessions, and to stop deleting half-open sessions when there are 400 unestablished systems:
parameter-map type inspect internet-policyone minute high 400one minute low 300Related Commands
outgoing
To configure filtering for outgoing export traffic, use the outgoing command in router IP traffic export (RITE) configuration mode. To disable filtering for outgoing traffic, use the no form of this command.
outgoing {access-list {standard | extended | named} | sample one-in-every packet-number}
no outgoing {access-list {standard | extended | named} | sample one-in-every packet-number}
Syntax Description
Defaults
If this command is not enabled, outgoing IP traffic is not exported.
Command Modes
RITE configuration
Command History
12.3(4)T
This command was introduced.
12.2(25)S
This command was integrated into Cisco IOS Release 12.2(25)S.
Usage Guidelines
When configuring a network device for IP traffic export, you can issue the outgoing command to filter unwanted outgoing traffic via the following methods:
•
•
Note
Examples
The following example shows how to configure the profile "corp1," which will send captured IP traffic to host "00a.8aab.90a0" at the interface "FastEthernet 0/1." This profile is also configured to export one in every 50 packets and to allow incoming traffic only from the ACL "ham_ACL."
Router(config)# ip traffic-export profile corp1Router(config-rite)# interface FastEthernet 0/1Router(config-rite)# bidirectionalRouter(config-rite)# mac-address 00a.8aab.90a0Router(config-rite)# outgoing sample one-in-every 50Router(config-rite)# incoming access-list ham_aclRouter(config-rite)# exitRouter(config)# interface FastEthernet 0/0Router(config-if)# ip traffic-export apply corp1Related Commands
