-
Cisco IOS Security Command Reference
-
Introduction
-
aaa accounting through aaa local authentication attempts max-fail
-
aaa max-sessions through algorithm
-
all (profile map configuration) through browser-proxy
-
ca trust-point through clear eou
-
clear ip access-list counters through crl-cache none
-
crypto aaa attribute list through crypto ipsec transform-set
-
crypto isakmp aggressive-mode disable through crypto mib ipsec flowmib history tunnel size
-
crypto pki authenticate through ctype
-
database archive through dns
-
dnsix-dmdp retries through dynamic
-
E
-
F through H
-
icmp idle-timeout through ip http ezvpn
-
ip inspect through ip security strip
-
ip source-track through ivrf
-
K through L
-
mac access-group through max-users (WebVPN)
-
message retry count through outgoing
-
parameter through port-misuse
-
ppp accounting through quit
-
radius attribute nas-port-type through rate-limit (firewall)
-
reauthentication time through rsa-pubkey
-
sa ipsec through sessions maximum
-
set aggressive-mode client-endpoint through show class-map type urlfilter
-
show crypto ace redundancy through show crypto vlan
-
show diameter peer through show object-group
-
show parameter-map type consent through show users
-
show vlan group through switchport port-security violation
-
tacacs-server administration through title-color
-
traffic-export through zone security
-
Feedback
Table Of Contents
parameter-map type protocol-info
parameter-map type inspect-vrf
parameter-map type inspect-zone
parameter-map type trend-global
permit (Catalyst 6500 series switches)
policy-map type inspect urlfilter
parameter
To specify parameters for an enrollment profile, use the parameter command in ca-profile-enroll configuration mode. To disable specified parameters, use the no form of this command.
parameter number {value value | prompt string}
no parameter number {value value | prompt string}
Syntax Description
Defaults
No enrollment profile parameters are specified.
Command Modes
Ca-profile-enroll configuration
Command History
12.2(13)ZH
This command was introduced.
12.3(4)T
This command was integrated into Cisco IOS Release 12.3(4)T.
Usage Guidelines
The parameter command can be used within an enrollment profile after the authentication command command or the enrollment command has been enabled.
Examples
The following example shows how to specify parameters for the enrollment profile named "E":
crypto ca trustpoint Entrustenrollment profile Eserialcrypto ca profile enrollment Eauthentication url http://entrust:81authentication command GET /certs/cacert.derenrollment url http://entrust:81/cda-cgi/clientcgi.exeenrollment command POST reference_number=$P2&authcode=$P1&retrievedAs=rawDER&action=getServerCert&pkcs10Request=$REQparameter 1 value aaaa-bbbb-ccccparameter 2 value 5001Related Commands
parameter-map type
To create or modify a parameter map, use the parameter-map type command in global configuration mode. To delete a parameter map from the configuration, use the no form of this command.
parameter-map type {inspect | urlfilter | protocol-info | consent} parameter-map-name
no parameter-map type {inspect | urlfilter | protocol-info | consent} parameter-map-name
Syntax Description
Command Default
None
Command Modes
Global configuration (config)
Command History
Usage Guidelines
A parameter map allows you to specify parameters that control the behavior of actions and match criteria specified under a policy map and a class map, respectively.
There are currently four types of parameter maps:
•
Inspect parameter map
An inspect parameter map is optional. If you do not configure a parameter map, the software uses default parameters. Parameters associated with the inspect action apply to all nested actions (if any). If parameters are specified in both the top and lower levels, those in the lower levels override those in the top levels.
•
A parameter map is required for URL filtering (via the URL filter action in a Layer 3 or Layer 4 policy map and the URL filter parameter map).
•
A parameter map is required for an IM application (Layer 7) policy map.
•
Examples
The following example shows how to configure an IM-based firewall policy. In this example, all Yahoo Messenger and ICQ traffic is allowed to pass through, while all MSN Messenger, AOL and Windows Messenger traffic is blocked. Also, parameter maps are defined to control all Yahoo Messenger and ICQ traffic on a more granular level.
!!parameter-map type protocol-info ymsgr-serversserver name messenger.yahoo.akadns.netserver name .*.yahoo.com snoopserver ip 192.0.2.100server ip range 192.0.2.115 192.0.2.180parameter-map type protocol-info icq-serversserver name login.oscar.aol.comserver name .*.aol.com snoopserver ip 192.0.2.200server ip range 192.0.2.215 192.0.2.230!!class-map type inspect match-all l4-cmap-ymsgrmatch protocol ymsgr ymsgr-serversclass-map type inspect ymsgr match-any l7-cmap-ymsgrmatch service text-chatclass-map type inspect match-all l4-cmap-icqmatch protocol icq icq-serversclass-map type inspect icq match-any l7-cmap-icqmatch service text-chatmatch service any!!policy-map type inspect im l7-pmap-ymsgrclass type inspect ymsgr l7-cmap-ymsgrallowlogpolicy-map type inspect im l7-pmap-icqclass type inspect icq l7-cmap-icqallowlogpolicy-map type inspect to_internetclass type inspect l4-cmap-ymsgrinspectservice-policy im l7-pmap-ymsgrclass type inspect l4-cmap-icqinspectservice-policy im l7-pmap-icqclass class-defaultdrop!!The following example shows a typical URL filter parameter map configuration:
parameter-map type urlfilter eng-filter-profileserver vendor n2h2 172.16.1.2 port 3128 outside log timeout 10 retrans 6max-request 80max-resp-pak 200cache 200exclusive-domain permit cisco.comexclusive-domain deny gaming.comThe following example shows a sample inspect type parameter map configuration:
parameter-map type inspect eng_network_profileaudit-trail onalert offmax-incomplete low 2000max-incomplete high 3000one-minute low 5000one-minute high 8000udp idle-time 75dns-timeout 25tcp idle-time 90tcp finwait-time 20tcp synwait-time 10tcp block-non-sessiontcp max-incomplete host 2000 block-time 120The following example shows how to define the consent-specific parameter map "consent_parameter_map" and a default consent parameter map:
parameter-map type consent consent_parameter_mapcopy tftp://192.168.104.136/consent_page.html flash:consent_page.htmlauthorize accept identity consent_identity_policytimeout file download 35791file flash:consent_page.htmllogging enabledexit!parameter-map type consent defaultcopy tftp://192.168.104.136/consent_page.html flash:consent_page.htmlauthorize accept identity test_identity_policytimeout file download 35791file flash:consent_page.htmllogging enabledexit!
parameter-map type inspect
To configure an inspect type parameter map for connecting thresholds, timeouts, and other parameters pertaining to the inspect action, use the parameter-map type inspect command in global configuration mode. To delete an inspect type parameter map, use the no form of this command.
parameter-map type inspect {parameter-map-name | global | default}
no parameter-map type inspect {parameter-map-name | global | default}
Syntax Description
parameter-map-name
Name of the inspect parameter map.
global
Defines a global inspect parameter map.
default
Defines a default inspect parameter map.
Command Default
No inspect type parameter maps are set.
Command Modes
Global configuration (config)
Command History
12.4(6)T
This command was introduced.
15.1(1)T
The keywords global and default were added.
Usage Guidelines
After you enter the parameter-map type inspect command, you can enter the following commands in parameter-map type inspect configuration mode:
•
Turns on Cisco IOS stateful packet inspection alert messages.
•
Turns audit trail messages on or off.
•
Specifies the Domain Name System (DNS) idle timeout.
•
Configures the timeout for Internet Control Message Protocol (ICMP) sessions.
•
Defines the number of existing half-open sessions that will cause the software to start and stop deleting half-open sessions.
•
Defines the rate of new half-open session initiation in one minute that will cause the system to start deleting half-open sessions and stop deleting half-open sessions.
•
Specifies how long a TCP session will be managed after the Cisco IOS firewall detects a FIN-exchange.
•
Configures the timeout for TCP sessions.
•
Specifies threshold and blocking time values for TCP host-specific denial-of-service (DOS) detection and prevention.
•
Specifies how long the software will wait for a TCP session to reach the established state before dropping the session.
•
Configures the timeout of User Datagram Protocol (UDP) sessions going through the firewall.
For more detailed information about these commands, see their individual command descriptions.
Examples
The following example shows a sample inspect parameter map with the Cisco IOS stateful packet inspection alert messages enabled:
parameter-map type inspect eng-network-profilealert onThe following example shows a sample inspect type parameter map configuration:
parameter-map type inspect eng_network_profileaudit-trail onalert onmax-incomplete low unlimitedmax-incomplete high unlimitedone-minute low unlimitedone-minute high unlimitedudp idle-time 30icmp idle-time 10dns-timeout 5tcp idle-time 3600tcp finwait-time 5tcp synwait-time 30tcp block-non-sessiontcp max-incomplete host 1-2147483647 block-time unlimitedsessions maximum:2147483647Related Commands
parameter-map type protocol-info
To create or modify a protocol-specific parameter map and enter parameter-map type configuration mode, use the parameter-map type protocol-info command in global configuration mode. To delete a protocol-specific parameter map from the configuration, use the no form of this command.
parameter-map type protocol-info [msrpc | sip | stun-ice] parameter-map-name
no parameter-map type protocol-info [msrpc | sip | stun-ice] parameter-map-name
Syntax Description
Command Default
No protocol-specific parameter maps are created.
Command Modes
Global configuration (config)
Command History
12.4(11)T
This command was introduced.
15.0(1)M
This command was modified. The sip keyword was added.
15.1(4)M
This command was modified. The msrpc keyword was added.
Usage Guidelines
A protocol-specific parameter map allows you to specify the parameters that control the behavior of actions specified under a policy map and match criteria specified under a class map.
Protocol-specific parameter maps can be created for real-time voice, video, and text messaging applications (such as AOL, MSN Messenger, or Windows Messenger).
Examples
The following example shows a sample SIP protocol type parameter map configuration. In this example, the parameter map is configured to not open a media channel when attached to a SIP class map:
Router(config)# parameter-map type protocol-info sip pmap-sipRouter(config-profile)# disable open-media channelThe following example shows a sample STUN-ICE protocol type parameter map configuration. In this example, the parameter map is configured to not open a media channel when attached to a SIP class map:
Router(config)# parameter-map type protocol-info stun-ice
Router(config-profile)# disable open-media channelRouter(config-profile)# authorization agent-id 20 shared-secret 12345flower12345 cat-window 15
The following example shows how to configure an Instant Messaging-based firewall policy. In this example, all Yahoo Messenger and I Seek You (ICQ) traffic is allowed to pass through, while all MSN Messenger, AOL, and Windows Messenger traffic is blocked. Also, parameter maps are defined to control all Yahoo Messenger and ICQ traffic on a more granular level.
Router(config)# parameter-map type protocol-info ymsgr-serversRouter(config-profile)# server name messenger.yahoo.akadns.netRouter(config-profile)# server name .*.yahoo.com snoopRouter(config-profile)# server ip 192.0.2.100Router(config-profile)# server ip range 192.0.2.115 192.0.2.180Router(config-profile)# exitRouter(config)# parameter-map type protocol-info icq-serversRouter(config-profile)# server name login.oscar.aol.comRouter(config-profile)# server name .*.aol.com snoopRouter(config-profile)# server ip 192.0.2.200Router(config-profile)# server ip range 192.0.2.215 192.0.2.230Router(config-profile)# exitRouter(config)# class-map type inspect match-all l4-cmap-ymsgrRouter(config-cmap)# match protocol ymsgr ymsgr-serversRouter(config-cmap)# exitRouter(config)# class-map type inspect ymsgr match-any l7-cmap-ymsgrRouter(config-cmap)# match service text-chatRouter(config-cmap)# exitRouter(config)# class-map type inspect match-all l4-cmap-icqRouter(config-cmap)# match protocol icq icq-serversRouter(config-cmap)# exitRouter(config)# class-map type inspect icq match-any l7-cmap-icqRouter(config-cmap)# match service text-chatRouter(config-cmap)# match service anyRouter(config-cmap)# exitRouter(config)# policy-map type inspect im l7-pmap-ymsgrRouter(config-pmap)# class type inspect ymsgr l7-cmap-ymsgrRouter(config-pmap-c)# allowRouter(config-pmap-c)# logRouter(config-pmap-c)# exitRouter(config)# policy-map type inspect im l7-pmap-icqRouter(config-pmap)#class type inspect icq l7-cmap-icqRouter(config-pmap-c)# allowRouter(config-pmap-c)# logRouter(config-pmap-c)# exitRouter(config)# policy-map type inspect to_internetRouter(config-pmap)# class type inspect l4-cmap-ymsgrRouter(config-pmap-c)# inspectRouter(config-pmap-c)# service-policy im l7-pmap-ymsgrRouter(config-pmap-c)# exitRouter(config-pmap)# class type inspect l4-cmap-icqRouter(config-pmap-c)# inspectRouter(config-pmap-c)# service-policy im l7-pmap-icqRouter(config-pmap-c)# exitRouter(config-pmap)# class class-defaultRouter(config-pmap-c)# dropRelated Commands
parameter-map type inspect-vrf
To configure an inspect VPN Routing and Forwarding (VRF)-type parameter map, use the parameter-map type inspect-vrf command in global configuration mode. To delete an inspect VRF type parameter map, use the no form of this command.
parameter-map type inspect-vrf vrf-pmap-name
no parameter-map type inspect-vrf vrf-pmap-name
Syntax Description
Command Default
An inspect VRF-type parameter map is not configured.
Command Modes
Global configuration (config)
Command History
Examples
The following example shows how to configure an inspect VRF-type parameter map named inspect-pmap:
Router(config)# parameter-map type inspect-vrf inspect-pmapRelated Commands
parameter-map type
Creates or modifies a parameter map.
show parameter-map type inspect-vrf
Displays information about the configured inspect VRF-type parameter maps.
parameter-map type inspect-zone
To configure an inspect zone-type parameter map, use the parameter-map type inspect-zone command in global configuration mode. To remove an inspect zone type parameter map, use the no form of this command.
parameter-map type inspect-zone zone-pmap-name
no parameter-map type inspect-zone zone-pmap-name
Syntax Description
Command Default
Inspect zone-type parameter maps are not configured.
Command Modes
Global configuration (config)
Command History
Examples
The following example shows how to create an inspect zone-type parameter map named zone-pmap:
Router(config)# parameter-map type inspect-zone zone-pmapRelated Commands
parameter-map type
Creates or modifies a parameter map.
show parameter-map type inspect-zone
Displays information about the configured inspect zone-type parameter maps.
parameter-map type regex
To configure a parameter-map type to match a specific traffic pattern, use the parameter-map type regex command in global configuration mode. To delete a parameter-map type with a regular expression (regex), use the no form of this command.
parameter-map type regex parameter-map-name
no parameter-map type regex
Syntax Description
Command Default
A regex parameter map is not configured.
Command Modes
Global configuration
Command History
Usage Guidelines
You can enter a regex to match text strings either literally as an exact string or by using metacharacters so that you can match multiple variants of a text string. You can use a regex to match the content of certain application traffic; for example, you can match a uniform resource identifier (URI) string inside an HTTP packet using the match request regex command under an HTTP inspection class map.
Use Ctrl-V to ignore all of the special characters in the command line interface (CLI), such as a question mark (?) or a tab. For example, type d[Ctrl-V]g to enter d?g in the configuration.
Table 44 lists the metacharacters that have special meanings.
Examples
The following example configures and applies a regex parameter map to an HTTP application firewall parameter-map type whose URI matches any of the following regular expressions:
•
•
•
Router# configure terminalRouter(config)# parameter-map type regex uri-regex-cmRouter(config-profile)# pattern ".*cmd.exe"Router(config-profile)# pattern ".*money"Router(config-profile)# pattern ".*shopping"Router(config-profile)# exitRouter(config)# class-map type inspect http uri-check-cmRouter(config-cmap)# match request uri regex uri-regex-cmRouter(config-cmap)# exitRouter(config)# policy-map type inspect http uri-check-pmRouter(config-pmap)# class type inspect http uri-check-cmRouter(config-pmap-c)# resetThe following example configures a regex parameter map whose case-insensitive pattern matches multiple variants of the string "hello":
Router# configure terminalRouter(config)# parameter-map type regex body_regexRouter(config-profile)# pattern ".*[Hh][Ee][Ll][Ll][Oo]"Router(config-profile)# endRelated Commands
parameter-map type trend-global
To create or modify the parameter map for global parameters associated with a Trend Router Provisioning Server (TRPS) and to place the system in parameter map configuration mode, use the parameter-map type trend-global command in global configuration mode. To delete the global parameters associated with a TRPS from the configuration, use the no form of this command.
parameter-map type trend-global parameter-map-name
no parameter-map type trend-global parameter-map-name
Syntax Description
Command Default
No parameter map for the global TRPS parameters is created.
Command Modes
Global configuration (config)
Command History
Usage Guidelines
Use the parameter-map type trend-global command to specify global parameters for the TRPS. You can specify only one trend-global parameter map on the system. To specify per-policy parameters, use the parameter-map type urlfpolicy command.
When you create or modify a global TRPS parameter map, use the following commands in parameter map configuration mode to set the values for the global TRPS parameters:
•
•
•
•
•
•
–
–
–
–
–
–
Examples
The following shows an example of how to specify global TRPS parameters in a parameter map named global-parameter-map:
parameter-map type trend-global global-parameter-mapserver server.example.com retrans 5 timeout 200cache-size maximum-memory 128000cache-entry-lifetime 1Related Commands
parameter-map type urlfilter
Note
To create or modify a parameter map for URL filtering parameters, use the parameter-map type urlfilter command in global configuration mode. To delete a URL filter parameter map, use the no form of this command.
parameter-map type urlfilter parameter-map-name
no parameter-map type urlfilter parameter-map-name
Syntax Description
Command Default
None
Command Modes
Global configuration (config)
Command History
Usage Guidelines
When you are creating or modifying a URL parameter map, you can enter the following subcommands after you enter the parameter-map type urlfilter command. For more detailed information about the subcommands, see their individual command descriptions by going to the "Command Reference" section on page 45.
•
Turns on or off URL-filtering system alert messages that are displayed on the console.
•
Turns on or off the default mode (allow mode) of the filtering algorithm.
•
Turns on or off the logging of URL information into the syslog server or router.
•
Configures cache parameters.
•
Adds or removes a domain name to or from the exclusive domain list so that the Cisco IOS firewall does not have to send lookup requests to the vendor server.
•
Specifies the maximum number of outstanding requests that can exist at any given time.
•
Specifies the maximum number of HTTP responses that the Cisco IOS firewall can keep in its packet buffer.
•
Specifies a vendor server for URL filtering.
•
Specifies the interface whose IP address will be used as the source IP address while making a TCP connection to the URL filter server (websense or N2h2).
Examples
The following example shows a sample URL parameter map:
parameter-map type urlfilter eng-network-profileserver vendor n2h2 10.64.64.22 port 4128 outside retrans 4 timeout 8The following example shows a typical URL filter configuration:
parameter-map type urlfilter eng-network-profileserver vendor n2h2 10.64.65.22 port 3128 outside log retrans 6 timeout 10max-request 80max-resp-pak 200cache 200exclusive-domain permit cisco.comexclusive-domain deny gaming.comRelated Commands
parameter-map type urlfpolicy
To create or modify a parameter map for a URL filtering policy and to place the system in parameter map configuration mode, use the parameter-map type urlfpolicy command in global configuration mode. To delete the parameter map for a URL filtering policy from the configuration, use the no form of this command.
parameter-map type urlfpolicy {local | trend | n2h2 | websense} parameter-map-name
no parameter-map type urlfpolicy {local | trend | n2h2 | websense} parameter-map-name
Syntax Description
local
Specifies that the parameters are for a local URL filtering policy. See Table 45 for more information.
trend
Specifies that the parameters are for a Trend Micro URL filtering policy. See Table 46 for more information.
n2h2
Specifies that the parameters are for a SmartFilter (previously N2H2) URL filtering policy. See Table 47 for more information.
websense
Specifies that the parameters are for a Websense URL filtering policy. See Table 47 for more information.
parameter-map-name
The name of the parameter map for a URL filtering policy.
Command Default
No parameter maps for a URL filtering policy are created.
Command Modes
Global configuration (config)
Command History
12.4(15)XZ
This command was introduced.
12.4(20)T
This command was integrated into Cisco IOS Release 12.4(20)T.
Usage Guidelines
Use the parameter-map type urlfpolicy command to create a parameter map for a URL filtering policy. The commands that you use to specify the parameters for a filtering policy depend on the URL filtering server you are using.
Table 45 defines the parameters for a local URL filtering policy.
Table 46 defines the per-policy parameters for a Trend Micro URL filtering policy. These parameters are in addition to the global Trend Micro policy parameters specified with the parameter-map type trend-global command.
Table 47 defines the per-policy parameters for SmartFilter (N2H2) and Websense URL filtering policies.
Examples
The following example shows a parameter map for a local URL filtering policy that does not send alert messages and displays the message "URL is blocked by local filters" when a URL is blocked:
parameter-map type urlfpolicy local local-parameter-mapalert offblock-page message "URL is blocked by local-filters"The following example shows a configuration for global parameters and per-policy parameters for a Trend Micro URL filtering policy:
parameter-map type trend-global global-parameter-mapserver mytrps.trendmicro.com retrans 5 timeout 200cache-size maximum-memory 128000cache-entry-lifetime 1parameter-map type urlfpolicy trend trend-parameter-mapmax-request 2147483647max-resp-pak 20000truncate hostnameblock-page message "group2 is blocked by trend"The following example shows the configuration for per-policy parameters for a SmartFilter URL filtering policy:
parameter-map type urlfpolicy n2h2 n2h2-parameter-mapserver n2h2Server timeout 30max-request 2000max-resp-pak 2000source-interface Loopback0truncate script-parameterscache-size maximum-entries 100cache-entry-lifetime 1block-page redirect-url http://www.example.comRelated Commands
parameter-map type trend-global
Specifies the global parameters associated with Trend Micro URL filtering policies.
parameter-map type urlf-glob
To create or modify a parameter map used to specify a list of domains, URL keywords, or URL metacharacters that should be allowed or blocked by local URL filtering, use the parameter-map type urlf-glob command in global configuration mode. To delete the parameter map, use the no form of this command.
parameter-map type urlf-glob parameter-map-name
no parameter-map type urlf-glob parameter-map-name
Syntax Description
Command Default
No URL filtering parameter maps are created.
Command Modes
Global configuration (config)
Command History
12.4(15)XZ
This command was introduced.
12.4(20)T
This command was integrated into Cisco IOS Release 12.4(20)T.
Usage Guidelines
The parameter-map type urlf-glob command can be used to create a parameter map for trusted domains, a parameter map for untrusted domains, and a parameter map for URL keywords. The following sub-commands are available in parameter map configuration mode to specify matching parameters when the parameter-map type urlf-glob command is issued:
•
•
•
URL pattern matching is improved because the period (.) is interpreted as a dot, and not as a wildcard entry representing a single character, as is the case with regex regular expression pattern matching.
A URL keyword is a complete word that occurs after the domain name and that is between the forward slash (/) path delimiters. For example in the URL http://www.example.com/hack/123.html, only "hack" and "123.html" are treated as keywords. Anything in the host or domain name can be allowed or blocked using a domain name, and thus a URL keyword should be a word that comes after the domain name. The entire keyword in the URL must match the pattern. For example if you have pattern hack, the URL www.example.com/hacksite/123.html doesn't match the pattern. In order to match this URL, you must have hacksite.
URL metacharacters allow pattern matching of single characters or ranges of characters to URLs, similar to the way a UNIX style glob expression works. The URL metacharacters are presented in Table 48.
URL metacharacters are combined with domain names and URL keywords for pattern matching. For example, pattern *.example.com will match the domain name www.example.com and pattern www.[ey]xample.com can be used to block both www.example.com and www.yxample.com. Also, pattern www.example[0-9][0-9].com can be used to block www.example01.com, www.example33.com, and www.example99.com. An example of combining a keyword and metacharacter for pattern matching is using pattern hack* to block www.example.com/hacksite/123.html.
Examples
The following shows an example of specifying the parameter map for trusted domains:
Router(config)# parameter-map type urlf-glob trusted-domain-paramRouter(config-profile)# pattern www.example.comRouter(config-profile)# pattern *.example2.comThe following shows an example of a parameter map specifying keywords to be blocked:
Router(config)# parameter-map type urlf-glob keyword-paramRouter(config-profile)# pattern example1Router(config-profile)# pattern example3The following shows an example of a parameter map specifying URL metacharacters to be blocked:
Router(config)# parameter-map type urlf-glob metacharacter-paramRelated CommandsRouter(config-profile)# pattern www.example[4-9].com
parser view
To create or change a command-line interface (CLI) view and enter view configuration mode, use the parser view command in global configuration mode. To delete a view, use the no form of this command.
parser view view-name
no parser view view-name
Syntax Description
Defaults
A CLI view does not exist.
Command Modes
Global configuration (config)
Command History
Usage Guidelines
A CLI view is a set of operational commands and configuration capabilities that restrict user access to the CLI and configuration information; that is, a view allows users to define what commands are accepted and what configuration information is visible.
After you have issued the parser view command, you can configure the view via the secret 5 command and the commands command.
To invoke the parser view command, the system of the user must be set to root view. The root view can be enabled via the enable view command.
Examples
The following example shows how to configure two CLI views, "first" and "second":
Router(config)# parser view first00:11:40:%PARSER-6-VIEW_CREATED:view 'first' successfully created.Router(config-view)# secret 5 firstpassRouter(config-view)# command exec include show versionRouter(config-view)# command exec include configure terminalRouter(config-view)# command exec include all show ipRouter(config-view)# exitRouter(config)# parser view second00:13:42:%PARSER-6-VIEW_CREATED:view 'second' successfully created.Router(config-view)# secret 5 secondpassRouter(config-view)# command exec include-exclusive show ip interfaceRouter(config-view)# command exec include logoutRouter(config-view)# exitAfter you have successfully created a view, a system message such as the following will be displayed:
%PARSER-6-VIEW_CREATED: view `first' successfully created.After you have successfully deleted a view, a system message such as the following will be displayed:
%PARSER-6-VIEW_DELETED: view `first' successfully deleted.Related Commands
commands (view)
Adds commands to a CLI view.
secret 5
Associates a CLI view or a superview with a password.
parser view superview
To create a superview and enter view configuration mode, use the parser view superview command in global configuration mode. To delete a superview, use the no form of this command.
parser view superview-name superview
no parser view superview-name superview
Syntax Description
superview-name
Superview name, which can include 1 to 30 alphanumeric characters.
The superview-name argument must not have a number as the first character.
Defaults
A superview does not exist.
Command Modes
Global configuration (config)
Command History
Usage Guidelines
A superview consists of one or more command-line interface (CLI) views, which allow users to define what commands are accepted and what configuration information is visible. Superviews allow a network administrator to easily assign all users within configured CLI views to a superview instead of having to assign multiple CLI views to a group of users.
Superviews contain the following characteristics:
•
•
•
•
Adding CLI Views to a Superview
You can add a view to a superview only after a password has been configured for the superview (via the secret 5 command). Thereafter, issue the view command in view configuration mode to add at least one CLI view to the superview.
Note
Examples
The following example shows how to create a superview (su_view1) and enter view configuration mode; two CLI views (view_one, view_two) are added to the superview also:
Router> enable viewRouter# configure terminalRouter(config)# parser view su_view1 superviewRouter(config-view)# secret 5 secretRouter(config-view)# view view_oneRouter(config-view)# view view_twoRelated Commands
pass
To allow packets to be sent to the router without being inspected, use the pass command in policy-map-class configuration mode.
pass
Syntax Description
This command has no arguments or keywords.
Command Default
Traffic is not passed; that is, it is dropped.
Command Modes
Policy-map-class configuration
Command History
Usage Guidelines
You can use this command only after entering the policy-map type inspect, class type inspect, and parameter-map type inspect commands.
Examples
The following example specifies that policy map p1 will pass the traffic:
policy-map type inspect p1class type inspect c1passRelated Commands
passive
To move a group member directly into passive mode, use the passive command in crypto gdoi group configuration mode. To disable the passive mode setting, use the no form of this command.
passive
no passive
Syntax Description
This command has no arguments or keywords.
Command Default
The group member is in full crypto send and receive mode.
Command Modes
Crypto gdoi group configuration (crypto-gdoi-group)
Command History
12.4(22)T
This command was introduced.
Cisco IOS XE Release 2.3
This command was implemented on the Cisco ASR 1000 series routers.
Usage Guidelines
By using the passive command, you avoid having to use the crypto gdoi gm ipsec direction inbound optional privileged EXEC command, which is not persistent after a router reload and can be overriden by key server configuration from a rekey.
Examples
The following example shows that the group member group1 is being moved to passive mode:
crypto gdoi group group1identity 2345passiveserver address ipv4 10.34.255.57Related Commands
password (ca-trustpoint)
To specify the revocation password for the certificate, use the password command in ca-trustpoint configuration mode. To erase any stored passwords, use the no form of this command.
password string
no password
Syntax Description
Defaults
You are prompted for the password during certificate enrollment.
Command Modes
Ca-trustpoint configuration
Command History
12.2(8)T
This command was introduced.
12.4(24)T
Support for IPv6 Secure Neighbor Discovery (SeND) was added.
Usage Guidelines
Before you can issue the password command, you must enable the crypto ca trustpoint command, which declares the certification authority (CA) that your router should use and enters ca-trustpoint configuration mode.
This command allows you to specify the revocation password for the certificate before actual certificate enrollment begins. The specified password is encrypted when the updated configuration is written to NVRAM by the router.
If this command is enabled, you will not be prompted for a password during certificate enrollment.
Examples
The following example shows how to specify the password "revokeme" for the certificate request:
crypto ca trustpoint trustpoint1enrollment url http://trustpoint1.example.com/subject-name OU=Spiral Dept., O=example1.comip-address ethernet-0auto-enroll regeneratepassword revokemeRelated Commands
password (dot1x credentials)
To specify the password for an 802.1X credentials profile, use the password command in dot1x credentials configuration mode. To remove the password, use the no form of this command.
password [0 | 7] password
no password
Syntax Description
0
(Optional) A plain text password will follow. The default is 0.
7
(Optional) An encrypted password will follow. The default is 0.
password
The password.
Command Default
A password is not specified.
Command Modes
Dot1x credentials configuration
Command History
Usage Guidelines
Before using this command, the dot1x credentials command must have been configured.
Examples
The following example shows which credentials profile should be used when configuring a supplicant. The password is "secret."
dot1x credentials basic-userusername routerpassword secretdescription This credentials profile should be used for most configured portsThe credentials structure can be applied to an interface along with the dot1x pae supplicant command and keyword to enable supplicant functionality on that interface.
interface fastethernet 0/1dot1x credentials basic-userdot1x pae supplicantRelated Commands
password (line configuration)
To specify a password on a line, use the password command in line configuration mode. To remove the password, use the no form of this command.
password password
no password
Syntax Description
Defaults
No password is specified.
Command Modes
Line configuration
Command History
Usage Guidelines
When an EXEC process is started on a line with password protection, the EXEC prompts for the password. If the user enters the correct password, the EXEC prints its normal privileged prompt. The user can try three times to enter a password before the EXEC exits and returns the terminal to the idle state.
Examples
The following example removes the password from virtual terminal lines 1 to 4:
line vty 1 4 no passwordRelated Commands
enable password
Sets a local password to control access to various privilege levels.
password 5
Note
To associate a command-line interface (CLI) view or a superview with a password, use the password 5 command in view configuration mode.
password 5 password
Syntax Description
password
Password for users to enter the CLI view or superview. A password can contain any combination of alphanumeric characters.
Note
Defaults
A user cannot access a CLI view or superview.
Command Modes
View configuration
Command History
12.3(7)T
This command was introduced.
12.3(11)T
This command was enhanced to support superviews.
12.3(14)T
This command was replaced by the secret command.
Usage Guidelines
A user cannot access any commands within the CLI view or superview until the password 5 command has been issued.
Examples
The following example show how to configure two CLI views, "first" and "second" and associate each view with a password:
Router(config)# parser view first00:11:40:%PARSER-6-VIEW_CREATED:view 'first' successfully created.Router(config-view)# password 5 firstpassRouter(config-view)# command exec include show versionRouter(config-view)# command exec include configure terminalRouter(config-view)# command exec include all show ipRouter(config-view)# exitRouter(config)# parser view second00:13:42:%PARSER-6-VIEW_CREATED:view 'second' successfully created.Router(config-view)# password 5 secondpassRouter(config-view)# command exec include-exclusive show ip interfaceRouter(config-view)# command exec include logoutRouter(config-view)# exitRelated Commands
password encryption aes
To enable a type 6 encrypted preshared key, use the password encryption aes command in global configuration mode. To disable password encryption, use the no form of this command.
password encryption aes
no password encryption aes
Syntax Description
This command has no arguments or keywords.
Defaults
Preshared keys are not encrypted.
Command Modes
Global configuration
Command History
Usage Guidelines
You can securely store plain text passwords in type 6 format in NVRAM using a command-line interface (CLI). Type 6 passwords are encrypted. Although the encrypted passwords can be seen or retrieved, it is difficult to decrypt them to find out the actual password. Use the key config-key password-encryption command with the password encryption aes command to configure and enable the password (symmetric cipher Advanced Encryption Standard [AES] is used to encrypt the keys). The password (key) configured using the key config-key password-encryption command is the master encryption key that is used to encrypt all other keys in the router.
If you configure the password encryption aes command without configuring the key config-key password-encryption command, the following message is printed at startup or during any nonvolatile generation (NVGEN) process, such as when the show running-config or copy running-config startup-config commands have been configured:
"Can not encrypt password. Please configure a configuration-key with `key config-key'"
Note
Changing a Password
If the password (master key) is changed, or reencrypted, using the key config-key password-encryption command), the list registry passes the old key and the new key to the application modules that are using type 6 encryption.
Deleting a Password
If the master key that was configured using the key config-key password-encryption command is deleted from the system, a warning is printed (and a confirm prompt is issued) that states that all type 6 passwords will become useless. As a security measure, after the passwords have been encrypted, they will never be decrypted in the Cisco IOS software. However, passwords can be reencrypted as explained in the previous paragraph.
Caution
Unconfiguring Password Encryption
If you later unconfigure password encryption using the no password encryption aes command, all existing type 6 passwords are left unchanged, and as long as the password (master key) that was configured using the key config-key password-encryption command exists, the type 6 passwords will be decrypted as and when required by the application.
Storing Passwords
Because no one can "read" the password (configured using the key config-key password-encryption command), there is no way that the password can be retrieved from the router. Existing management stations cannot "know" what it is unless the stations are enhanced to include this key somewhere, in which case the password needs to be stored securely within the management system. If configurations are stored using TFTP, the configurations are not standalone, meaning that they cannot be loaded onto a router. Before or after the configurations are loaded onto a router, the password must be manually added (using the key config-key password-encryption command). The password can be manually added to the stored configuration but is not recommended because adding the password manually allows anyone to decrypt all passwords in that configuration.
Configuring New or Unknown Passwords
If you enter or cut and paste cipher text that does not match the master key, or if there is no master key, the cipher text is accepted or saved, but an alert message is printed. The alert message is as follows:
"ciphertext>[for username bar>] is incompatible with the configured master key."If a new master key is configured, all the plain keys are encrypted and made type 6 keys. The existing type 6 keys are not encrypted. The existing type 6 keys are left as is.
If the old master key is lost or unknown, you have the option of deleting the master key using the no key config-key password-encryption command. Deleting the master key using the no key config-key password-encryption command causes the existing encrypted passwords to remain encrypted in the router configuration. The passwords will not be decrypted.
Examples
The following example shows that a type 6 encrypted preshared key has been enabled:
Router (config)# password encryption aesRelated Commands
key config-key password-encryption
Stores a type 6 encryption key in private NVRAM.
password logging
Provides a log of debugging output for a type 6 password operation.
password logging
To get a log of debugging output for a type 6 password operation, use the password logging command in global configuration mode. To disable the debugging, use the no form of this command.
password logging
no password logging
Syntax Description
This command has no arguments or keywords.
Defaults
Debug logging is not enabled.
Command Modes
Global Configuration #
Command History
Examples
The following example shows that debug logging is configured:
Router# password loggingRelated Commands
key config-key password-encryption
Stores an encryption key in private NVRAM.
password encryption aes
Enables a type 6 encrypted preshared key.
pattern (parameter-map)
To configure a matching pattern that specifies a list of domains, URL keywords, or URL metacharacters that should be allowed or blocked by local URL filtering, use the pattern command in parameter map configuration mode. To delete the parameter map, use the no form of this command.
pattern expression
no pattern expression
Syntax Description
expression
Matching pattern argument that can refer to a domain name, URL keyword, URL metacharacter entry, or URL keyword and URL metacharacter combination.
Command Default
No pattern is created for the parameter map.
Command Modes
Parameter map configuration (config-profile)
Command History
12.4(15)XZ
This command was introduced.
12.4(20)T
This command was integrated into Cisco IOS Release 12.4(20)T.
Usage Guidelines
The matching pattern expression is configured for a parameter map created by the parameter-map type urlf-glob command. In the pattern expression, the characters /, {, and } are not allowed in the expression. The question mark (?) is not allowed because it is reserved for the help function in the command-line interface (CLI).
URL pattern matching is improved because the period (.) is interpreted as a dot, and not as a wildcard entry representing a single character, as is the case with regex regular expression pattern matching.
A URL keyword is a complete word that occurs after the domain name and that is between the forward slash (/) path delimiters. For example in the URL http://www.example.com/hack/123.html, only "hack" and "123.html" are treated as keywords. Anything in the host or domain name can be allowed or blocked using a domain name, and thus a URL keyword should be a word that comes after the domain name. The entire keyword in the URL must match the pattern. For example if you have pattern hack, the URL www.example.com/hacksite/123.html doesn't match the pattern. In order to match this URL, you must have hacksite.
URL metacharacters allow pattern matching of single characters or ranges of characters to URLs, similar to the way a UNIX style glob expression works. The URL metacharacters are presented in Table 48.
URL metacharacters are combined with domain names and URL keywords for pattern matching. For example, pattern *.example.com will match the domain name www.example.com and pattern www.[ey]xample.com can be used to block both www.example.com and www.yxample.com. Also, pattern www.example[0-9][0-9].com can be used to block www.example01.com, www.example33.com, and www.example99.com. An example of combining a keyword and metacharacter for pattern matching is using pattern hack* to block www.example.com/hacksite/123.html.
Examples
The following shows an example of specifying the parameter map for trusted domains:
Router(config)# parameter-map type urlf-glob trusted-domain-paramRouter(config-profile)# pattern www.example.comRouter(config-profile)# pattern *.example2.comThe following shows an example of a parameter map specifying keywords to be blocked:
Router(config)# parameter-map type urlf-glob keyword-paramRouter(config-profile)# pattern example1Router(config-profile)# pattern example3The following shows an example of a parameter map specifying URL metacharacters to be blocked:
Router(config)# parameter-map type urlf-glob metacharacter-paramRouter(config-profile)# pattern www.example[4-9].comRelated Commands
peer address ipv4
To configure a Group Domain of Interpretation (GDOI) redundant peer key server, use the peer address ipv4 command in GDOI redundancy configuration mode. To remove the peer key server that was configured, use the no form of this command.
peer address ipv4 ip-address
no peer address ipv4 ip-address
Syntax Description
Command Default
(Redundancy does not function correctly if at least one peer is not configured under the local key server configuration on a key server.)
Command Modes
GDOI redundancy configuration (gdoi-coop-ks-config)
Command History
12.4(11)T
This command was introduced.
Cisco IOS XE Release 2.3
This command was implemented on the Cisco ASR 1000 series routers.
Usage Guidelines
For redundancy between key servers to operate correctly, there have to be at least two key servers in a redundant group. Therefore, at least one other peer must be defined on a key server using the peer address ipv4 command. The local key server sets up an Internet Key Exchange (IKE) session with the peer that is defined using this command and proceeds to communicate using IKE informational messages to complete the election process using the specified IP address of the peer.
Examples
The following example shows that two peer key servers have been configured: 10.41.2.5 and 10.33.5.6.
address ipv4 10.1.1.1redundancylocal priority 10peer address ipv4 10.41.2.5peer address ipv4 10.33.5.6Related Commands
peer (IKEv2 keyring)
To define a peer or a peer group for the Internet Key Exchange Version 2 (IKEv2) keyring, use the peer command in IKEv2 keyring configuration mode. To remove the peer, use the no form of this command.
peer name
no peer name
Syntax Description
Command Default
A peer is not defined or configured.
Command Modes
IKEv2 keyring configuration (config-ikev2-keyring)
Command History
15.1(1)T
This command was introduced.
Cisco IOS XE Release 3.3S
This command was integrated into Cisco IOS XE Release 3.3S.
Usage Guidelines
Use this command to define the name of a peer or peer group. This command enters IKEv2 keyring peer configuration mode. A peer subblock identifies a peer or peer-group using identity, hostname or address statements. A peer subblock must have atleast one statement identifying a peer or peer group. A peer subblock can have a single statement of each type identifying a peer or peer group. A peer subblock can have a single key or key-pair.
Examples
The following example shows how to configure an IKEv2 keyring with multiple peer subblocks:
Router(config)# crypto ikev2 keyring keyring-1Router(configikev2-keyring)# peer peer1Router(config-ikev2-keyring-peer)# description peer1Router(config-ikev2-keyring-peer)# address 10.0.0.1Router(config-ikev2-keyring-peer)# pre-shared-key key-1Router(configikev2-keyring)# peer peer2Router(config-ikev2-keyring-peer)# description peer2Router(config-ikev2-keyring-peer)# host peer1.example.comRouter(config-ikev2-keyring-peer)# pre-shared-key key-2Router(configikev2-keyring)# peer peer3Router(config-ikev2-keyring-peer)# description peer3Router(config-ikev2-keyring-peer)# host peer3.example.comRouter(config-ikev2-keyring-peer)# identity key-id abcRouter(config-ikev2-keyring-peer)# address 10.0.0.3Router(config-ikev2-keyring-peer)# pre-shared-key key-3Related Commands
permit
To set conditions in named IP access list or object group access control list (OGACL) that will permit packets, use the permit command in the appropriate configuration mode. To remove a condition from an IP access list or an OGACL, use the no form of this command.
permit protocol [source-addr source-wildcard] {any | host {address | name} | object-group object-group-name} {destination-addr destination-wildcard | any | host {address | name} | object-group object-group-name}[dscp dscp-value | precendence precedence-value] [fragments fragment-value] [option option-value] [reflect access-list-name] [time-range time-range-value] [ttl match-value ttl-value [ttl-value]] [tos tos-value] [timeout max-time]] [log [log-value] | log-input [log-input-value]]
no permit protocol [source-addr source-wildcard ] {any | host {address | name} | object-group object-group-name} {destination-addr destination-wildcard | any | host {address | name} | object-group object-group-name}
permit {tcp | udp} {source-addr source-wildcard | any | host source-addr | object-group source-obj-group} {destination-addr destination-wildcard | any | host dest-addr | object-group dest-obj-group | port-match-criteria {destination-addr destination-wildcard | any | host dest-addr | object-group dest-obj-group}} [port-match-criteria port-number] [fragments] [ack | established] [fin] [psh] [rst] [syn] [urg] [match-all match-value | match-any match-value] [dscp dscp-value | precendence precedence-value] [option option-value] [time-range time-range-value] [ttl match-value ttl-value [ttl-value]] [tos tos-value]] [log [log-value] | log-input [log-input-value]]
no permit {tcp | udp}{source-addr source-wildcard | any | host source-addr | object-group source-obj-group} {destination-addr destination-wild-card | any | host dest-addr | object-group dest-obj-group | port-match-criteria {destination-addr destination-wild-card | any | host dest-addr | object-group dest-obj-group}}
Syntax Description
protocol
Name or number of a protocol; valid values are; valid values are ahp, eigrp, esp, gre, icmp, igmp, igrp, ip, ipinip, nos, ospf, object-group, tcp, pcp, pim, udp, or an integer in the range 0 to 255 representing an IP protocol number. To match any Internet protocol (including Internet Control Message Protocol (ICMP), TCP, and User Datagram Protocol (UDP), use the keyword ip. See the "Usage Guidelines" section for additional qualifiers.
source-addr
(Optional) Number of the network or host from which the packet is being sent in a 32-bit quantity in four-part, dotted-decimal format.
source-wildcard
(Optional) Wildcard bits to be applied to the source in four-part, dotted-decimal format. Place ones in the bit positions you want to ignore.
any
Specifies any source or any destination host as an abbreviation for the source-addr or destination-addr value and the source-wildcard or destination-wildcard value of 0.0.0.0 255.255.255.255.
host address name
Specifies the source or destination address and name of a single host.
object-group object-group-name
Specifies the source or destination name of the object group.
destination-addr
Number of the network or host to which the packet is being sent in a 32-bit quantity in four-part, dotted-decimal format.
destination-wildcard
Wildcard bits to be applied to the destination in a 32-bit quantity in four-part, dotted-decimal format. Place ones in the bit positions you want to ignore.
object-group dest-addr-group-name
Specifies the destination address group name.
dscp dscp-value
(Optional) Matches the packets with the given Differentiated Services Code Point (DSCP) value; see the "Usage Guidelines" section for valid values.
precedence precedence-value
(Optional) Specifies the precedence filtering level for packets; valid values are a number from 0 to 7 or by a name. See the "Usage Guidelines" section for a list of valid names.
fragments fragment-value
(Optional) Applies the access list entry to noninitial fragments of packets; the fragment is either permitted or denied accordingly. For more details about the fragments keyword, see the "Access List or OGACL Processing of Fragments" and "Fragments and Policy Routing" sections in the "Usage Guidelines" section.
option option-value
(Optional) Matches the packets with the given IP options value number; see the "Usage Guidelines" section for valid values.
reflect access-list-name
(Optional) Create reflexive access list entry.
time-range time-range-value
(Optional) Specifies a time-range entry name.
ttl match-value ttl-value
(Optional) Specifies the match packets with given TTL value; see the "Usage Guidelines" section for valid values.
tos tos-value
(Optional) Specifies the service filtering level for packets; valid values are a number from 0 to 15 or by a name as listed in the "Usage Guidelines" section of the access-list (IP extended) command.
timeout max-time
Specifies the maximum time for a reflexive ACL to live; the valid values are from 1 to 2147483 seconds.
log
(Optional) Causes an informational logging message about the packet that matches the entry to be sent to the console. (The level of messages logged to the console is controlled by the logging console command.)
The message for a standard list includes the access list number, whether the packet was permitted or denied, the source address, and the number of packets.
The message for an extended list includes the access list number; whether the packet was permitted or denied; the protocol; whether the protocol was TCP, UDP, ICMP, or a number; and, if appropriate, the source and destination addresses and port numbers and the user-defined cookie or router-generated hash value.
For both standard and extended lists, the message is generated for the first packet that matches, and then at 5-minute intervals, including the number of packets permitted or denied in the prior 5-minute interval.
The logging facility might drop some logging message packets if there are too many to be handled or if there is more than one logging message to be handled in 1 second. This behavior prevents the router from reloading because of too many logging packets. Therefore, the logging facility should not be used as a billing tool or an accurate source of the number of matches to an access list.
After you specify the log keyword (and the associated word argument), you cannot specify any other keywords or settings for this command.
log-value
(Optional) User-defined cookie appended to the log message. The cookie:
•
•
•
•
The user-defined cookie is appended to the access control entry (ACE) syslog entry and uniquely identifies the ACE, within the access control list, that generated the syslog entry.
log-input log-input-value
(Optional) Matches the log against this entry, including the input interface.
After you specify the log-input keyword (and the associated log-input-value argument), you cannot specify any other keywords or settings for this command.
tcp
Specifies the TCP protocol.
udp
Specifies the UDP protocol.
object-group source-obj-group
Specifies the source address group name.
port-match-criteria port-number
Matches only packets on a given port number; see the "Usage Guidelines" section for valid values.
Command Default
There are no specific conditions under which a packet passes the access list.
Command Modes
Standard access-list configuration (config-std-nacl)
Extended access-list configuration (config-ext-nacl)Command History
12.4(20)T
This command was introduced.
12.4(22)T
The word argument was added to the log and log-input keywords.
Usage Guidelines
Use this command following the ip access-list command to define the conditions under which a packet passes the access list.
In Cisco IOS 15.0(1)M and later Releases, to remove the log entry from the permit ip any any log command, use the permit ip any any command.
In releases earlier than Cisco IOS Release15.0(1)M, to remove the log option from the permit ip any any log command, use the no permit ip any any log and the permit ip any any commands.
In Cisco IOS 15.0(1)M and later releases, to remove the log entry and the user-defined cookie, use the permit ip any any [log-value] command.
In releases earlier than Cisco IOS Release 15.0(1)M, to remove the log entry and user-defined cookies, use the no permit ip any any log [log-value] and permit ip any any commands.
Access List or OGACL Processing of Fragments
The behavior of access-list entries regarding the use or lack of the fragments keyword are summarized in Table 50:
Ensure that you do not add the fragments keyword to every access list entry because the first fragment of the IP packet is considered a nonfragment and is treated independently of the subsequent fragments. An initial fragment will not match an access list permit or deny entry that contains the fragments keyword, the packet is compared to the next access list entry, and so on, until it is either permitted or denied by an access list entry that does not contain the fragments keyword. Therefore, you may need two access list entries for every deny entry. The first deny entry of the pair will not include the fragments keyword, and applies to the initial fragment. The second deny entry of the pair will include the fragments keyword and applies to the subsequent fragments. In the cases where there are multiple deny access list entries for the same host but with different Layer 4 ports, a single deny access-list entry with the fragments keyword for that host is all that needs to be added. Thus all the fragments of a packet are handled in the same manner by the access list.
Packet fragments of IP datagrams are considered individual packets and each counts individually as a packet in access list accounting and access list violation counts.
Note
Fragments and Policy Routing
Fragmentation and the fragment control feature affect policy routing if the policy routing is based on the match ip address command and the access list had entries that match on Layer 4 through 7 information. It is possible that noninitial fragments pass the access list and are policy routed, even if the first fragment was not policy routed or the reverse.
By using the fragments keyword in access list entries as described earlier, a better match between the action taken for initial and noninitial fragments can be made and it is more likely policy routing will occur as intended.
The source-addr and destination-addr arguments allow you to create an object group based on a source or destination group. The following keywords and arguments are available:
•
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
•
•
•
•
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
•
–
–
–
–
–
–
–
–
–
•
•
–
–
–
–
–
•
•
–
–
–
–
–
–
•
Examples
The following example shows how to create an access list that permits packets from the users in my_network_object_group if the protocol ports match the ports specified in my_network_object_group:
Router> enableRouter# configure terminalRouter(config)# ip access-list extended my_ogacl_policy
Router(config-ext-nacl)# permit tcp object-group my_network_object_group portgroup my_service_object_group any
The following example shows how to create an access list that permits packets from the users in my_network_object_group if the protocol ports match the ports specified in my_network_object_group. In addition, logging is enabled for the access list, and all syslog entries for this ACE include the word MyServiceCookieValue:
Router> enableRouter# configure terminalRouter(config)# ip access-list extended my_ogacl_policy
Router(config-ext-nacl)# permit tcp object-group my_network_object_group portgroup my_service_object_group any log MyServiceCookieValue
Related Commands
permit (Catalyst 6500 series switches)
To set conditions for a named IP access list, use the permit command in access-list configuration mode. To remove a condition from an access list, use the no form of this command.
permit protocol {{source-addr source-wildcard} | addrgroup object-group-name | any | host {address | name}} {destination-addr destination-wildcard} | addrgroup object-group-name | any | host {address | name}}
permit {tcp | udp} {{source-addr source-wildcard} | addrgroup source-addr-group-name | any | host {address | name} {destination-addr destination-wildcard | any | eq port | gt port | host {address | name} | lt port | neq port | portgroup srcport-groupname} {addrgroup dest-addr-groupname | destination | destination-addr destination-wildcard | any | eq port | gt port | host {address | name} | lt port | neq port | portgroup destport-groupname} [dscp type] [fragments] [option option] [precedence precedence] [time-range time-range-name] [tos tos]] [log [word] | log-input [word]]}
no permit protocol {{source-addr source-wildcard} | addrgroup object-group-name | any | host {address | name}} {destination-addr destination-wildcard} | addrgroup object-group-name | any | host {address | name}}
no permit {tcp | udp} {{source-addr source-wildcard} | addrgroup source-addr-group-name | any | host {address | name} {destination-addr destination-wildcard | any | eq port | gt port | host {address | name} | lt port | neq port | portgroup srcport-groupname} {addrgroup dest-addr-groupname | destination | destination-addr destination-wildcard | any | eq port | gt port | host {address | name} | lt port | neq port | portgroup destport-groupname} [dscp type] [fragments] [option option] [precedence precedence] [time-range time-range-name] [tos tos]] [log [word] | log-input [word]]}
Syntax Description
Command Default
There are no specific conditions under which a packet passes the named access list.
Command Modes
Access-list configuration (config-ext-nacl)
Command History
12.2(33)SXH
This command was introduced.
12.4(22)T
The word argument was added to the log and log-input keywords.
Usage Guidelines
Use this command following the ip access-list command to define the conditions under which a packet passes the access list.
The portgroup keyword appears only when you configure an extended access list.
Access List Processing of Fragments
The behavior of access-list entries regarding the use or lack of the fragments keyword are summarized in Table 51:
Be aware that you should not simply add the fragments keyword to every access list entry because the first fragment of the IP packet is considered a nonfragment and is treated independently of the subsequent fragments. An initial fragment will not match an access list permit or deny entry that contains the fragments keyword, the packet is compared to the next access list entry, and so on, until it is either permitted or denied by an access list entry that does not contain the fragments keyword. Therefore, you may need two access list entries for every deny entry. The first deny entry of the pair will not include the fragments keyword, and applies to the initial fragment. The second deny entry of the pair will include the fragments keyword and applies to the subsequent fragments. In the cases where there are multiple deny access list entries for the same host but with different Layer 4 ports, a single deny access-list entry with the fragments keyword for that host is all that needs to be added. Thus all the fragments of a packet are handled in the same manner by the access list.
Packet fragments of IP datagrams are considered individual packets and each counts individually as a packet in access list accounting and access list violation counts.
Note
Fragments and Policy Routing
Fragmentation and the fragment control feature affect policy routing if the policy routing is based on the match ip address command and the access list had entries that match on Layer 4 through 7 information. It is possible that noninitial fragments pass the access list and are policy routed, even if the first fragment was not policy routed or the reverse.
By using the fragments keyword in access list entries as described earlier, a better match between the action taken for initial and noninitial fragments can be made and it is more likely policy routing will occur as intended.
The portgroup srcport-groupname or portgroup destport-groupname keywords and arguments allow you to create an object group based on a source or destination group. The following keywords and arguments are available:
•
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
•
•
•
•
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
•
–
–
–
–
–
–
–
–
–
•
•
•
–
–
–
–
–
–
Examples
The following example shows how to create an access list that permits packets from the users in myAG if the protocol ports match the ports specified in myPG:
Router(config)# ip access-list extended my-pbacl-policy
Router(config-ext-nacl)# permit tcp addrgroup myAG portgroup myPG any
The following example shows how to create an access list that permits packets from the users in myAG if the protocol ports match the ports specified in myPG. The access list is log enabled, and the cookie value is set to myCookie:
Router(config)# ip access-list extended my-pbacl-policy
Router(config-ext-nacl)# permit tcp addrgroup myAG portgroup myPG any log myCookie
Related Commands
permit (IP)
To set conditions to allow a packet to pass a named IP access list, use the permit command in access list configuration mode. To remove a permit condition from an access list, use the no form of this command.
[sequence-number] permit source [source-wildcard]
[sequence-number] permit protocol source source-wildcard destination destination-wildcard [option option-name] [precedence precedence] [tos tos] [ttl operator value] [time-range time-range-name] [fragments] [log [user-defined-cookie]]
no sequence-number
no permit source [source-wildcard]
no permit protocol source source-wildcard destination destination-wildcard [option option-name] [precedence precedence] [tos tos] [ttl operator value] [time-range time-range-name] [fragments] [log [user-defined-cookie]]
Internet Control Message Protocol (ICMP)
[sequence-number] permit icmp source source-wildcard destination destination-wildcard [icmp-type [icmp-code] | icmp-message] [precedence precedence] [tos tos] [ttl operator value] [time-range time-range-name] [fragments] [log [user-defined-cookie]]
Internet Group Management Protocol (IGMP)
[sequence-number] permit igmp source source-wildcard destination destination-wildcard [igmp-type] [precedence precedence] [tos tos] [ttl operator value] [time-range time-range-name] [fragments] [log [user-defined-cookie]]
Transmission Control Protocol (TCP)
[sequence-number] permit tcp source source-wildcard [operator [port]] destination destination-wildcard [operator [port]] [established | {match-any | match-all} {+ | -} flag-name] [precedence precedence] [tos tos] [ttl operator value] [time-range time-range-name] [fragments] [log [user-defined-cookie]]
User Datagram Protocol (UDP)
[sequence-number] permit udp source source-wildcard [operator [port]] destination destination-wildcard [operator [port]] [precedence precedence] [tos tos] [ttl operator value] [time-range time-range-name] [fragments] [log [user-defined-cookie]]
Syntax Description
sequence-number
(Optional) Sequence number assigned to the permit statement. The sequence number causes the system to insert the statement in that numbered position in the access list.
source
Number of the network or host from which the packet is being sent. There are three alternative ways to specify the source:
•
•
•
source-wildcard
(Optional) Wildcard bits to be applied to the source. There are three alternative ways to specify the source wildcard:
•
•
•
protocol
Name or number of an Internet protocol. The protocol argument can be one of the keywords eigrp, gre, icmp, igmp, ip, ipinip, nos, ospf, tcp, or udp, or an integer in the range from 0 to 255 representing an Internet protocol number. To match any Internet protocol (including ICMP, TCP, and UDP), use the ip keyword.
Note
Note
destination
Number of the network or host to which the packet is being sent. There are three alternative ways to specify the destination:
•
•
•
destination-wildcard
Wildcard bits to be applied to the destination. There are three alternative ways to specify the destination wildcard:
•
•
•
option option-name
(Optional) Packets can be filtered by IP Options, as specified by a number from 0 to 255, or by the corresponding IP Option name, as listed in Table 52 in the "Usage Guidelines" section.
precedence precedence
(Optional) Packets can be filtered by precedence level, as specified by a number from 0 to 7 or by a name.
tos tos
(Optional) Packets can be filtered by type of service (ToS) level, as specified by a number from 0 to 15, or by a name as listed in the "Usage Guidelines" section of the access-list (IP extended) command.
ttl operator value
(Optional) Compares the TTL value in the packet to the TTL value specified in this permit statement.
•
•
•
•
•
time-range time-range-name
(Optional) Name of the time range that applies to this permit statement. The name of the time range and its restrictions are specified by the time-range and absolute or periodic commands, respectively.
fragments
(Optional) The access list entry applies to noninitial fragments of packets; the fragment is either permitted or denied accordingly. For more details about the fragments keyword, see the "Access List Processing of Fragments" and "Fragments and Policy Routing" sections in the "Usage Guidelines" section.
log
(Optional) Causes an informational logging message about the packet that matches the entry to be sent to the console. (The level of messages logged to the console is controlled by the logging console command.)
After you specify the log keyword (and the associated word argument), you cannot specify any other keywords or settings for this command.
user-defined-cookie
(Optional) User-defined cookie appended to the log message. The cookie:
•
•
•
•
The user-defined cookie is appended to the Allegro Crypto Engine (ACE) syslog entry and uniquely identifies the ACE, within the access control list, that generated the syslog entry.
icmp
Permits only ICMP packets. When you enter the icmp keyword, you must use the specific command syntax shown for the ICMP form of the permit command.
icmp-type
(Optional) ICMP packets can be filtered by ICMP message type. The type is a number from 0 to 255.
icmp-code
(Optional) ICMP packets that are filtered by ICMP message type can also be filtered by the ICMP message code. The code is a number from 0 to 255.
icmp-message
(Optional) ICMP packets can be filtered by an ICMP message type name or an ICMP message type and code name. The possible names are listed in the "Usage Guidelines" section of the access-list (IP extended) command.
igmp
Permits only IGMP packets. When you enter the igmp keyword, you must use the specific command syntax shown for the IGMP form of the permit command.
igmp-type
(Optional) IGMP packets can be filtered by IGMP message type or message name. A message type is a number from 0 to 15. IGMP message names are listed in the "Usage Guidelines" section of the access-list (IP extended) command.
tcp
Permits only TCP packets. When you enter the tcp keyword, you must use the specific command syntax shown for the TCP form of the permit command.
operator
(Optional) Compares source or destination ports. Operators are eq (equal) , gt (greater than),lt (less than), neq (not equal), and range (inclusive range).
If the operator is positioned after the source and source-wildcard arguments, it must match the source port. If the operator is positioned after the destination and destination-wildcard arguments, it must match the destination port.
The range operator requires two port numbers. Up to ten port numbers can be entered for the eq (equal) and neq (not equal) operators. All other operators require one port number.
port
(Optional) The decimal number or name of a TCP or UDP port. A port number is a number from 0 to 65535. TCP and UDP port names are listed in the "Usage Guidelines" section of the access-list (IP extended) command.
TCP port names can be used only when filtering TCP. UDP port names can be used only when filtering UDP.
established
(Optional) For the TCP protocol only: Indicates an established connection. A match occurs if the TCP datagram has the ACK or RST bit set. The nonmatching case is that of the initial TCP datagram to form a connection.
{match-any | match-all}
(Optional) For the TCP protocol only: A match occurs if the TCP datagram has certain TCP flags set or not set. You use the match-any keyword to allow a match to occur if any of the specified TCP flags are present, or you can use the match-all keyword to allow a match to occur only if all of the specified TCP flags are present. You must follow the match-any and match-all keywords with the + or - keyword and the flag-name argument to match on one or more TCP flags.
{+ | -} flag-name
(Optional) For the TCP protocol only: The + keyword matches IP packets if their TCP headers contain the TCP flags that are specified by the flag-name argument. The - keyword matches IP packets that do not contain the TCP flags specified by the flag-name argument. You must follow the + and - keywords with the flag-name argument. TCP flag names can be used only when filtering TCP. Flag names for the TCP flags are as follows: ack, fin, psh, rst, syn, and urg.
udp
Permits only UDP packets. When you enter the udp keyword, you must use the specific command syntax shown for the UDP form of the permit command.
Command Default
There are no specific conditions under which a packet passes the named access list.
Command Modes
Access list configuration (config-ext-nacl)
Command History
Usage Guidelines
Use this command following the ip access-list command to define the conditions under which a packet passes the named access list.
The time-range keyword allows you to identify a time range by name. The time-range, absolute, and periodic commands specify when this permit statement is in effect.
log Keyword
A log message includes the access list number or access list name, and whether the packet was permitted or denied; the protocol, whether it was TCP, UDP, ICMP, or a number; and, if appropriate, the source and destination addresses and port numbers, and the user-defined cookie or router-generated hash value. The message is generated for the first packet that matches, and then at 5-minute intervals, including the number of packets permitted or denied in the prior 5-minute interval.
Use the ip access-list log-update command to generate logging messages when the number of matches reaches a configurable threshold (rather than waiting for a 5-minute-interval). See the ip access-list log-update command for more information.
The logging facility might drop some logging message packets if there are too many to be handled or if there is more than one logging message to be handled in 1 second. This behavior prevents the router from reloading because of too many logging packets. Therefore, the logging facility should not be used as a billing tool or an accurate source of the number of matches to an access list.
If you enable Cisco Express Forwarding and then create an access list that uses the log keyword, the packets that match the access list are not Cisco Express Forwarding switched. They are fast-switched. Logging disables Cisco Express Forwarding .
Access List Filtering of IP Options
Access control lists can be used to filter packets with IP Options to prevent routers from being saturated with spurious packets containing IP Options. To see a complete table of all IP Options, including ones currently not in use, refer to the latest Internet Assigned Numbers Authority (IANA) information that is available from its URL: www.iana.org.
Cisco IOS software allows you to filter packets according to whether they contain one or more of the legitimate IP Options by entering either the IP Option value or the corresponding name for the option-name argument as shown in Table 52.
Filtering IP Packets Based on TCP Flags
The access list entries that make up an access list can be configured to detect and drop unauthorized TCP packets by allowing only the packets that have very specific groups of TCP flags set or not set. Users can select any desired combination of TCP flags with which to filter TCP packets. Users can configure access list entries in order to allow matching on a flag that is set and on a flag that is not set. Use the + and - keywords with a flag name to specify that a match is made based on whether a TCP header flag has been set. Use the match-any and match-all keywords to allow the packet if any or all, respectively, of the flags specified by the + or - keyword and flag-name argument have been set or not set.
Permitting Optimized Edge Routing (OER) Communication
The drip keyword was introduced under the tcp keyword to support packet filtering in a network where OER is configured. The drip keyword specifies port 3949 that OER uses for internal communication. This option allows you to build a packet filter that permits communication between an OER master controller and border routers. The drip keyword is entered following the TCP source, destination addresses, and the eq operator. See the example in the "Examples" section.
Access List Processing of Fragments
The behavior of access list entries regarding the use or lack of use of the fragments keyword can be summarized as follows:
Be aware that you should not add the fragments keyword to every access list entry because the first fragment of the IP packet is considered a nonfragment and is treated independently of the subsequent fragments. An initial fragment will not match an access list permit or deny entry that contains the fragments keyword. The packet is compared to the next access list entry, and so on, until it is either permitted or denied by an access list entry that does not contain the fragments keyword. Therefore, you may need two access list entries for every deny entry. The first deny entry of the pair will not include the fragments keyword and applies to the initial fragment. The second deny entry of the pair will include the fragments keyword and applies to the subsequent fragments. In the cases in which there are multiple deny access list entries for the same host but with different Layer 4 ports, a single deny access list entry with the fragments keyword for that host is all that needs to be added. Thus all the fragments of a packet are handled in the same manner by the access list.
Packet fragments of IP datagrams are considered individual packets, and each counts individually as a packet in access list accounting and access list violation counts.
Note
Fragments and Policy Routing
Fragmentation and the fragment control feature affect policy routing if the policy routing is based on the match ip address command and the access list has entries that match on Layer 4 through 7 information. It is possible that noninitial fragments pass the access list and are policy-routed, even if the first fragment is not policy-routed.
If you specify the fragments keyword in access list entries, a better match between the action taken for initial and noninitial fragments can be made, and it is more likely that policy routing will occur as intended.
Creating an Access List Entry with Noncontiguous Ports
For Cisco IOS Release 12.3(7)T and later releases, you can specify noncontiguous ports on the same access control entry, which greatly reduces the number of access list entries required for the same source address, destination address, and protocol. If you maintain large numbers of access list entries, we recommend that you consolidate them when possible by using noncontiguous ports. You can specify up to ten port numbers following the eq and neq operators.
Examples
The following example shows how to set conditions for a standard access list named Internetfilter:
ip access-list standard Internetfilterdeny 192.168.34.0 0.0.0.255permit 172.16.0.0 0.0.255.255permit 10.0.0.0 0.255.255.255! (Note: all other access implicitly denied).The following example shows how to permit Telnet traffic on Mondays, Tuesdays, and Fridays from 9:00 a.m. to 5:00 p.m.:
time-range testingperiodic Monday Tuesday Friday 9:00 to 17:00!ip access-list extended legalpermit tcp any any eq telnet time-range testing!interface ethernet0ip access-group legal inThe following example shows how to set a permit condition for an extended access list named filter2. The access list entry specifies that a packet may pass the named access list only if it contains the NSAP Addresses IP Option, which is represented by the IP Option value nsapa.
ip access-list extended filter2permit ip any any option nsapaThe following example shows how to set a permit condition for an extended access list named kmdfilter1. The access list entry specifies that a packet can pass the named access list only if the RST IP flag has been set for that packet:
ip access-list extended kmdfilter1permit tcp any any match-any +rstThe following example shows how to set a permit condition for an extended access list named kmdfilter1. The access list entry specifies that a packet can pass the named access list if the RST TCP flag or the FIN TCP flag has been set for that packet:
ip access-list extended kmdfilter1permit tcp any any match-any +rst +finThe following example shows how to verify the access list by using the show access-lists command and then to add an entry to an existing access list:
Router# show access-listsStandard IP access list 12 permit 10.0.0.0, wildcard bits 0.0.255.2555 permit 10.0.0.0, wildcard bits 0.0.255.25510 permit 10.0.0.0, wildcard bits 0.0.255.25520 permit 10.0.0.0, wildcard bits 0.0.255.255ip access-list standard 115 permit 10.0.0.0 0.0.255.255The following examples shows how to remove the entry with the sequence number of 20 from the access list:
ip access-list standard 1no 20!Verify that the list has been removed.Router# show access-listsStandard IP access list 110 permit 0.0.0.0, wildcard bits 0.0.0.25530 permit 0.0.0.0, wildcard bits 0.0.0.25540 permit 0.4.0.0, wildcard bits 0.0.0.255The following example shows how, if a user tries to enter an entry that is a duplicate of an entry already on the list, no changes occur. The entry that the user is trying to add is a duplicate of the entry already in the access list with a sequence number of 20.
Router# show access-lists 101Extended IP access list 10110 permit ip host 10.0.0.0 host 10.5.5.3420 permit icmp any any30 permit ip host 10.0.0.0 host 10.2.54.240 permit ip host 10.0.0.0 host 10.3.32.3 logip access-list extended 101100 permit icmp any anyRouter# show access-lists 101Extended IP access list 10110 permit ip host 10.3.3.3 host 10.5.5.3420 permit icmp any any30 permit ip host 10.34.2.2 host 10.2.54.240 permit ip host 10.3.4.31 host 10.3.32.3 logThe following example shows what occurs if a user tries to enter a new entry with a sequence number of 20 when an entry with a sequence number of 20 is already in the list. An error message appears, and no change is made to the access list.
Router# show access-lists 101Extended IP access lists 10110 permit ip host 10.3.3.3 host 10.5.5.3420 permit icmp any any30 permit ip host 10.34.2.2 host 10.2.54.240 permit ip host 10.3.4.31 host 10.3.32.3 logip access-lists extended 10120 permit udp host 10.1.1.1 host 10.2.2.2%Duplicate sequence number.Router# show access-lists 101Extended IP access lists 10110 permit ip host 10.3.3.3 host 10.5.5.3420 permit icmp any any30 permit ip host 10.34.2.2 host 10.2.54.240 permit ip host 10.3.4.31 host 10.3.32.3 logThe following example shows several permit statements that can be consolidated into one access list entry with noncontiguous ports. The show access-lists command is entered to display a group of access list entries for the access list named aaa.
Router# show access-lists aaaExtended IP access lists aaa10 permit tcp any eq telnet any eq 45020 permit tcp any eq telnet any eq 67930 permit tcp any eq ftp any eq 45040 permit tcp any eq ftp any eq 679Because the entries are all for the same permit statement and simply show different ports, they can be consolidated into one new access list entry. The following example shows the removal of the redundant access list entries and the creation of a new access list entry that consolidates the previously displayed group of access list entries:
ip access-list extended aaano 10no 20no 30no 40permit tcp any eq telnet ftp any eq 450 679The following example shows the creation of the consolidated access list entry:
Router# show access-lists aaaExtended IP access list aaa10 permit tcp any eq telnet ftp any eq 450 679The following access list filters IP packets containing Type of Service (ToS) level 3 with TTL values 10 and 20. It also filters IP packets with a TTL greater than 154 and applies that rule to noninitial fragments. It permits IP packets with a precedence level of flash and a TTL not equal to 1, and sends log messages about such packets to the console. All other packets are denied.
ip access-list extended cantondeny ip any any tos 3 ttl eq 10 20deny ip any any ttl gt 154 fragmentspermit ip any any precedence flash ttl neq 1 logThe following example shows how to configure a packet filter, for any TCP source and destination, that permits communication between an OER master controller and border router:
ip access-list extended 100permit any any tcp eq dripexitThe following example shows how to set a permit condition for an extended access list named filter_logging. The access list entry specifies that a packet may pass the named access list only if it is of TCP protocol type and destined to host 10.5.5.5, all other packets are denied. In addition, the logging mechanism is enabled and one of the user defined cookies (Permit_tcp_to_10.5.5.5 or Deny_all) is appended to the appropriate syslog entry.
ip access-list extended filter_loggingpermit tcp any host 10.5.5.5 log Permit_tcp_to_10.5.5.5deny ip any any log Deny_allThe following example shows how to configure a packet filter for any TCP source and destination that permits inbound and outbound BGP traffic:
ip access-list extended 100permit tcp any eq bgp any eq bgpRelated Commands
permit (MAC ACL)
To set conditions for a MAC access list, use the permit command in MAC access-list extended configuration mode. To remove a condition from an access list, use the no form of this command.
permit {src_mac_mask | {host name src_mac_name} | any} {dest_mac_mask | {host name dst_mac_name} | any} [{protocol_keyword | {ethertype_number ethertype_mask}} [vlan vlan_ID] [cos cos_value]]
no permit {src_mac_mask | {host name src_mac_name} | any} {dest_mac_mask | {host name dst_mac_name} | any} [{protocol_keyword | {ethertype_number ethertype_mask}} [vlan vlan_ID] [cos cos_value]]
Syntax Description
Command Default
This command has no defaults.
Command Modes
MAC access-list extended configuration (config-ext-macl)
Command History
Usage Guidelines
Use this command following the ip access-list command to define the conditions under which a packet passes the access list.
•
•
•
•
•
•
•
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
Examples
This example shows how to create a MAC-Layer ACL named mac_layer that permits dec-phase-iv traffic with source address 0000.4700.0001 and destination address 0000.4700.0009, but denies all other traffic:
Router(config)# mac access-list extended mac_layerRouter(config-ext-macl)# permit 0000.4700.0001 0.0.0 0000.4700.0009 0.0.0 dec-phase-ivRouter(config-ext-macl)# deny any anyRelated Commands
permit (reflexive)
To create a reflexive access list and to enable its temporary entries to be automatically generated, use the permit command in access-list configuration mode. To delete the reflexive access list (if only one protocol was defined) or to delete protocol entries from the reflexive access list (if multiple protocols are defined), use the no form of this command.
permit protocol source source-wildcard destination destination-wildcard reflect name [timeout seconds]
no permit protocol source-wildcard destination destination-wildcard reflect name
Syntax Description
Defaults
If this command is not configured, no reflexive access lists will exist, and no session filtering will occur.
If this command is configured without specifying a timeout value, entries in this reflexive access list will expire after the global timeout period.
Command Modes
Access-list configuration
Command History
Usage Guidelines
This command is used to achieve reflexive filtering, a form of session filtering.
For this command to work, you must also nest the reflexive access list using the evaluate command.
This command creates a reflexive access list and triggers the creation of entries in the same reflexive access list. This command must be an entry (condition statement) in an extended named IP access list.
If you are configuring reflexive access lists for an external interface, the extended named IP access list should be one which is applied to outbound traffic.
If you are configuring reflexive access lists for an internal interface, the extended named IP access list should be one which is applied to inbound traffic.
IP sessions that originate from within your network are initiated with a packet exiting your network. When such a packet is evaluated against the statements in the extended named IP access list, the packet is also evaluated against this reflexive permit entry.
As with all access list entries, the order of entries is important, because they are evaluated in sequential order. When an IP packet reaches the interface, it will be evaluated sequentially by each entry in the access list until a match occurs.
If the packet matches an entry prior to the reflexive permit entry, the packet will not be evaluated by the reflexive permit entry, and no temporary entry will be created for the reflexive access list (session filtering will not be triggered).
The packet will be evaluated by the reflexive permit entry if no other match occurs first. Then, if the packet matches the protocol specified in the reflexive permit entry, the packet is forwarded and a corresponding temporary entry is created in the reflexive access list (unless the corresponding entry already exists, indicating the packet belongs to a session in progress). The temporary entry specifies criteria that permits traffic into your network only for the same session.
Characteristics of Reflexive Access List Entries
This command enables the creation of temporary entries in the same reflexive access list that was defined by this command. The temporary entries are created when a packet exiting your network matches the protocol specified in this command. (The packet "triggers" the creation of a temporary entry.) These entries have the following characteristics:
•
•
•
•
If the original triggering packet is a protocol other than TCP or UDP, port numbers do not apply, and other criteria are specified. For example, for ICMP, type numbers are used: the temporary entry specifies the same type number as the original packet (with only one exception: if the original ICMP packet is type 8, the returning ICMP packet must be type 0 to be matched).
•
•
•
•
Examples
The following example defines a reflexive access list tcptraffic, in an outbound access list that permits all Border Gateway Protocol and Enhanced Interior Gateway Routing Protocol traffic and denies all ICMP traffic. This example is for an external interface (an interface connecting to an external network).
First, the interface is defined and the access list is applied to the interface for outbound traffic.
interface Serial 1description Access to the Internet via this interfaceip access-group outboundfilters outNext, the outbound access list is defined and the reflexive access list tcptraffic is created with a reflexive permit entry.
ip access-list extended outboundfilterspermit tcp any any reflect tcptrafficRelated Commands
permit (webvpn acl)
To set conditions to allow packets to pass a named Secure Sockets Layer Virtual Private Network (SSL VPN) access list, use the permit command in webvpn acl configuration mode. To remove a permit condition from an access list, use the no form of this command.
permit [url [any | url-string]] [ip | tcp | udp | http | https | cifs] [any | source-ip source-mask] [any | destination-ip destination-mask] time-range time-range-name [syslog]
no permit url [any | url-string] [ip | tcp | udp | http | https | cifs] [any | source-ip source-mask] [any | destination-ip destination-mask] time-range time-range-name [syslog]
Syntax Description
Command Default
All packets are permitted.
Command Modes
Webvpn acl configuration
Command History
Usage Guidelines
Use this command following the acl command (in webvpn context configuration mode) to specify conditions under which a packet can pass the named access list.
The time-range keyword allows you to identify a time range by name. The time-range, absolute, and periodic commands specify when this permit statement is in effect.
Examples
The following example shows that all packets from the URL "https://10.168.2.228:34,80-90,100-/public" are permitted to pass ACL "acl1":
webvpn context context1acl acl1permit url "https://10.168.2.228:34,80-90,100-/public"Related Commands
pfs
To configure a server to notify the client of the central-site policy regarding whether PFS is required for any IP Security (IPSec) Security Association (SA), use the pfs command in global configuration mode. To restore the default behavior, use the no form of this command.
pfs
no pfs
Syntax Description
This command has no arguments or keywords.
Defaults
The server will not notify the client of the central-site policy regarding whether PFS is required for any IPSec SA.
Command Modes
Global configuration (config)
Command History
Usage Guidelines
Before you use the pfs command, you must first configure the crypto isakmp client configuration group command.
An example of an attribute-value (AV) pair for the PFS attribute is as follows:
ipsec:pfs=1Examples
The following example shows that the server has been configured to notify the client of the central-site policy regarding whether PFS is required for any IPSec SA:
crypto isakmp client configuration grouppfsRelated Commands
crypto isakmp client configuration group
Specifies to which group a policy profile will be defined.
pki-server
To specify the certificate server that is to be associated with the Trusted Transitive Introduction (TTI) exchange between the Secure Device Provisioning (SDP) petitioner and the SDP registrar, use the pki-server command in tti-registrar configuration mode. To change the specified certificate server, use the no form of this command.
pki-server label
no pki-server label
Syntax Description
Defaults
A certificate server is not associated with the TTI exchange; thus, the petitioner and registrar will not be able to communicate.
Command Modes
tti-registrar configuration
Command History
Usage Guidelines
Although any device that contains a crypto image can be the registrar, it is recommended that the registrar be either a Cisco IOS certificate server registration authority (RA) or a Cisco IOS certificate server root.
Examples
The following example shows how to associate the certificate server "cs1" with the TTI exchange:
crypto wui tti registrarpki-server cs1Related Commands
pki trustpoint
To use the PKI trustpoints in the Rivest, Shamir and Adleman (RSA) signature authentication method, use the pki trustpoint command in IKEv2 profile configuration mode. To remove the trustpoint, use the no form of this command.
pki trust-point trustpoint-name [sign | verify]
no pki trust-point trustpoint-name [sign | verify]
Syntax Description
Command Default
If there is no trustpoint defined in the IKEv2 profile configuration, the default is to validate the certificate using all the trustpoints that are defined in the global configuration.
Command Modes
IKEv2 profile configuration (config-ikev2-profile)
Command History
15.1(1)T
This command was introduced.
Cisco IOS XE Release 3.3S
This command was integrated into Cisco IOS XE Release 3.3S.
Usage Guidelines
The pki trustpoint command specifies the trustpoints that are used with the RSA-signature authentication method. You can configure upto six truspoints.
Note
Examples
The following example specifies two trustpoints, trustpoint-local for local authentication using sign and trustpoint-remote for remote verification using verify:
Router(config)# crypto ikev2 profile profile2Router(config-ikev2-profile)# pki trustpoint trustpoint-local signRouter(config-ikev2-profile)# pki trustpoint trustpoint-remote verifyRelated Commands
police (zone policy)
To limit traffic matching within a firewall (inspect) policy, use the police command in policy-map-class configuration mode. To remove traffic limiting from the firewall policy configuration, use the no form of this command.
police rate bps [burst size]
no police rate bps [burst size]
Syntax Description
Command Default
Traffic limiting is disabled.
Command Modes
Policy-map-class configuration
Command History
Usage Guidelines
Issue the police command within an inspect policy to limit the number of concurrent connections allowed for applications such as Instant Messenger (IM) and peer-to-peer (P2P).
To effectively use the police command, you must also enable Cisco IOS stateful packet inspection within the inspect policy map. If you configure the police command without configuring the inspect action (via the inspect command), you will receive an error message and the police command will be rejected.
Because an inspect policy map can be applied only to a zone pair, and not an interface, the police action will be enforced on traffic that traverses the zone pair. (The direction is inherent to the specification of the zone pair.)
The police action is not allowed in policies that are attached to zone pairs involving a "self" zone. If you want to perform this task, you should use control plane policing.
Examples
The following example shows how to limit traffic matching with the inspect policy "p1":
policy-map type inspect p1class type inspect c1inspectpolice rate 1000 burst 6100The following example is sample output from the show policy-map type inspect zone-pair command, which can now be used to verify the police action configuration:
Router# show policy-map type inspect zone-pairZone-pair: zpService-policy inspect : test-udpClass-map: check-udp (match-all)Match: protocol udpInspectPacket inspection statistics [process switch:fast switch]udp packets: [3:4454]Session creations since subsystem startup or last reset 92Current session counts (estab/half-open/terminating) [5:33:0]Maxever session counts (estab/half-open/terminating) [5:59:0]Last session created 00:00:06Last statistic reset neverLast session creation rate 61Last half-open session total 33Policerate 8000 bps,1000 limitconformed 2327 packets, 139620 bytes; actions: transmitexceeded 36601 packets, 2196060 bytes; actions: dropconformed 6000 bps, exceed 61000 bpsClass-map: class-default (match-any)Match: anyDrop (default action)0 packets, 0 bytesRelated Commands
show policy-map type inspect zone-pair
Displays the runtime inspect type policy map statistics and other information such as sessions existing on a specified zone pair.
policy
To define the Central Policy Push (CPP) firewall policy push, use the command in global configuration mode. To remove the CPP policy that was configured, use the no form of this command.
policy {check-presence | central-policy-push {access-list {in | out} {access-list-name | access-list-number}}
no policy {check-presence | central-policy-push {access-list {in | out} {access-list-name | access-list-number}}
Syntax Description
Command Default
The CPP policy is not defined.
Command Modes
Global configuration (config)
Command History
12.4(6)T
This command was introduced.
12.2(33)SRA
This command was integrated into Cisco IOS release 12.(33)SRA.
Examples
The following example defines the CPP policy name as "hw-client-g-cpp." The "Cisco-Security-Agent" policy type is mandatory. The CPP inbound list is "192" and the outbound list is "sample":
crypto isakmp client firewall hw-client-g-cpp required Cisco-Security-Agentpolicy central-policy-push access-list in 192policy central-policy-push access-list out samplepolicy check-presence:
The following example shows access lists that have been applied on a VPN remote client and later applied by the client firewall :
Defines the inbound access control list that is applied on the VPN remote client
...access-list 170 permit ip 172.18.124.0 0.0.0.255 anyaccess-list 170 permit ip 172.21.1.0 0.0.0.255 any...Defines the outbound ACL that is applied on the VPN remote client
...access-list 180 permit ip any 172.18.124.0 0.0.0.255...Inbound and outbound policies to be applied by the client firewall
...crypto isakmp client firewall test required cisco-integrated-client-firewallpolicy central-policy-push access-list in 170policy central-policy-push access-list out 180...crypto isakmp client configuration group vpngroup1firewall policy test...Related Commands
crypto isakmp client firewall
Defines the CPP) firewall push policy on a server.
policy group
To enter webvpn group policy configuration mode to configure a group policy, use the policy group command in webvpn context configuration mode. To remove the policy group from the router configuration file, use the no form of this command.
policy group name
no policy group name
Syntax Description
Command Default
Webvpn group policy configuration mode is not entered, and a policy group is not configured.
Command Modes
Webvpn context configuration
Command History
Usage Guidelines
The policy group is a container that defines the presentation of the portal and the permissions for resources that are configured for a group of end users. Entering the policy group command places the router in webvpn group policy configuration mode. After the group policy is configured, the policy group is attached to the SSL VPN context configuration by configuring the default-group-policy command.
Examples
The following example configures a policy group named ONE:
Router(config)# webvpn context context1Router(config-webvpn-context)# policy group ONERouter(config-webvpn-group)# exitRouter(config-webvpn-context)# default-group-policy ONERelated Commands
policy-map type inspect
To create a Layer 3 and Layer 4 or a Layer 7 (protocol-specific) inspect type policy map, use the policy-map type inspect command in global configuration mode. To delete an inspect type policy map, use the no form of this command.
Layer 3 and Layer 4 (Top Level) Policy Map Syntax
policy-map type inspect policy-map-name
no policy-map type inspect policy-map-name
Layer 7 (Application-Specific) Policy Map Syntax
policy-map type inspect protocol-name policy-map-name
no policy-map type inspect protocol-name policy-map-name
Syntax Description
Command Default
No policy-map is configured.
Command Modes
Global configuration (config)
Command History
Usage Guidelines
Use the policy-map type inspect command to create a Layer 3, Layer 4 inspect type policy map or a Layer 7 application-specific inspect type policy map. After you create a policy map, you should enter the class type inspect command (as appropriate for your configuration) to specify the traffic (class) on which an action is to be performed. The class was previously defined in a class map. Thereafter, you should enter the inspect command to enable Cisco IOS stateful packet inspection and to specify inspect-specific parameters in a parameter map.
Layer 3, Layer 4 (Top Level) Policy Maps
Top-level policy maps allow you to define high-level actions such as inspect, drop, pass, and urlfilter. You can attach the maps to a target (zone pair). The maps can contain "child" policies that are also known as application-specific Layer 7 policies.
Layer 7 (Application-Specific) Policy Maps
Application-specific policy maps are used to specify a policy for an application protocol. For example, if you want to drop HTTP traffic with Uniform Resource Identifier (URI) lengths exceeding 256 bytes, you must configure an HTTP policy map to do that. Application-specific policy maps cannot be attached directly to a target (zone pair). They must be configured as "child" policies in a top-level Layer 3 or Layer 4 policy map.
Examples
The following example specifies the traffic class (host) on which the drop action is to be performed:
policy-map type inspect mypolicyclass type inspect hostdropThe following example shows how to configure the policy map "my-im-pmap" with two IM classes—AOL and Yahoo Messenger—and allow only text-chat messages to pass through. When any packet with a service other than "text-chat" is seen, the connection will be reset.
class-map type inspect aol match-any my-aol-cmapmatch service text-chat!class-map type inspect ymsgr match-any my-ysmgr-cmapmatch service any!policy-map type inspect im my-im-pmapclass type inspect aol my-aol-cmapallowlog!class type inspect ymsgr my-ysmgr-cmapresetlogRelated Commands
class type inspect
Specifies the traffic (class) on which an action is to be performed.
policy-map type inspect urlfilter
To create or modify a URL filter type inspect policy map, use the policy-map type inspect urlfilter command in global configuration mode. To delete a URL filter type inspect policy map, use the no form of this command.
policy-map type inspect urlfilter policy-map-name
no policy-map type inspect urlfilter policy-map-name
Syntax Description
Command Default
No policy map is created.
Command Modes
Global configuration (config)
Command History
12.4(15)XZ
This command was introduced.
12.4(20)T
This command was integrated into Cisco IOS Release 12.4(20)T.
Usage Guidelines
Use the policy-map type inspect urlfilter command to create a URL filter type inspect policy map. The policy map specifies the traffic (class type urlfilter) and the actions to be performed on that traffic for the specified URL filtering policy.
Before you create a URL filter type inspect policy map, use the following commands:
•
•
After you create a policy map, use the following commands to configure the URL filtering policy:
•
For each class, use one of the URL filtering action commands to specify how to handle a URL that matches the class map. Table 53 lists the URL filtering action commands.
•
•
•
•
•
Examples
The following example shows a how to create a URL filter type inspect policy for a Trend Micro URL filtering server. The policy logs URL requests that match the URL categories specified in the class drop-category, and then resets the connection, thus denying the request.
class-map type urlfilter trend match-any drop-categorymatch url category Gamblingmatch url category Personals-Datingparameter-map type trend-global global-parameter-mapserver trend.example.comparameter-map type urlfpolicy trend g1-trend-pmmax-request 2147483647max-resp-pak 20000allow-mode ontruncate hostnameblock-page message "group1: 10.10.10.0 is blocked by Trend."policy-map type inspect urlfilter g1-trend-policyparameter type urlfpolicy trend g1-trend-parameter-mapclass type urlfilter trend drop-categorylogresetThe following example shows a filtering policy for a Websense URL filtering server. The policy logs and allows URL requests that are in the trusted domain class, logs and denies URL requests that are in the untrusted domain class, and logs and denies URL requests that are in the keyword class.
policy-map type inspect urlfilter websense-policyparameter type urlfpolicy websense websense-parameter-mapclass type urlfilter trusted-domain-classlogallowclass type urlfilter untrusted-domain-classlogresetclass type urlfilter keyword-classlogresetRelated Commands
pool (isakmp-group)
To define a local pool address, use the pool command in ISAKMP group configuration mode or IKEv2 authorization policy configuration mode. To remove a local pool from your configuration, use the no form of this command.
pool name
no pool name
Syntax Description
Defaults
No local pool address is defined.
Command Modes
ISAKMP group configuration (config-isakmp-group)
IKEv2 authorization policy configuration (config-ikev2-author-policy)Command History
Usage Guidelines
Use the pool command to refer to an IP local pool address, which defines a range of addresses that will be used to allocate an internal IP address to a client. Although a user must define at least one pool name, a separate pool may be defined for each group policy.
Note
You must enable the following commands before enabling the dns command:
•
•
Examples
The following example shows how to refer to the local pool address "dog":
crypto isakmp client configuration group ciscokey ciscodns 10.2.2.2 10.3.2.3pool dogacl 199!ip local pool dog 10.1.1.1 10.1.1.254Related Commands
port
To specify the port on which a device listens for RADIUS requests from configured RADIUS clients, use the port command in dynamic authorization local server configuration mode. To restore the default, use the no form of this command.
port port-number
no port port-number
Syntax Description
Command Default
The device listens for RADIUS requests on the default port (port 1700).
Command Modes
Dynamic authorization local server configuration (config-locsvr-da-radius)
Command History
12.2(28)SB
This command was introduced.
Cisco IOS XE Release 2.6
This command was integrated into Cisco IOS XE Release 2.6.
Usage Guidelines
A device (such as a router) can be configured to allow an external policy server to dynamically send updates to the router. This functionality is facilitated by the CoA RADIUS extension. CoA introduced peer-to-peer capability to RADIUS, enabling a router and external policy server each to act as a RADIUS client and server. Use the port command to specify the ports on which the router will listen for requests from RADIUS clients.
Examples
The following example specifies port 1650 as the port on which the device listens for RADIUS requests:
aaa server radius dynamic-authorclient 10.0.0.1port 1650Related Commands
aaa server radius dynamic-author
Configures a device as a AAA server to facilitate interaction with an external policy server.
port-forward
To enter webvpn port-forward list configuration mode to configure a port-forwarding list, use the port-forward command in webvpn context configuration mode. To remove the port-forwarding list from the SSL VPN context configuration, use the no form of this command.
port-forward name
no port-forward name
Syntax Description
Command Default
Webvpn port-forward list configuration mode is not entered, and a port-forwarding list is not configured.
Command Modes
Webvpn context configuration
Command History
Usage Guidelines
The port-forward command is used to create the port-forwarding list. Application port number mapping (port forwarding) is configured with the local-port command in webvpn port-forward configuration mode.
A port-forwarding list is configured for thin client mode SSL VPN. Port forwarding extends the cryptographic functions of the SSL-protected browser to provide remote access to TCP-based applications that use well-known port numbers, such as POP3, SMTP, IMAP, Telnet, and SSH.
When port forwarding is enabled, the hosts file on the SSL VPN client is modified to map the application to the port number configured in the forwarding list. The application port mapping is restored to default when the user terminates the SSL VPN session.
Examples
The following example configures port forwarding for well-known e-mail application port numbers:
Router(config)# webvpn context context1Router(config-webvpn-context)# port-forward EMAILRouter(config-webvpn-port-fwd)# local-port 30016 remote-server mail.company.com remote-port 110 description POP3Router(config-webvpn-port-fwd)# local-port 30017 remote-server mail.company.com remote-port 25 description SMTPRouter(config-webvpn-port-fwd)# local-port 30018 remote-server mail.company.com remote-port 143 description IMAPRelated Commands
local-port (WebVPN)
Remaps an application port number in a port-forwarding list.
webvpn context
Enters webvpn context configuration mode to configure the SSL VPN context.
port-forward (policy group)
To attach a port-forwarding list to a policy group configuration, use the port-forward command in webvpn group policy configuration mode. To remove the port-forwarding list from the policy group configuration, use the no form of this command.
port-forward name [auto-download [http-proxy [proxy-url homepage-url]] | http-proxy [proxy-url homepage-url] [auto-download]]
no port-forward name [auto-download [http-proxy [proxy-url homepage-url]] | http-proxy [proxy-url homepage-url] [auto-download]]
Syntax Description
Command Default
A port-forwarding list is not attached to a policy group configuration.
Command Modes
Webvpn group policy configuration (config-webvpn-group)
Command History
12.4(6)T
This command was introduced.
12.4(9)T
This command was modified. The auto-download keyword was added.
Usage Guidelines
The configuration of this command applies to only clientless access mode. In clientless mode, the remote user accesses the internal or corporate network using the web browser on the client machine.
Examples
The following example shows how to apply the port-forwarding list to the policy group configuration:
webvpn context context1port-forward EMAILlocal-port 30016 remote-server mail.company.com remote-port 110 description POP3local-port 30017 remote-server mail.company.com remote-port 25 description SMTPlocal-port 30018 remote-server mail.company.com remote-port 143 description IMAPexitpolicy group ONEport-forward EMAIL auto-downloadThe following example shows that HTTP proxy has been configured. The page at URL "http://www.example.com" will automatically download as the home page of the user.
webvpn context myContextssl authenticate verify all!!port-forward "email"local-port 20016 remote-server "ssl-server1.sslvpn-ios.com" remote-port 110 description "POP-ssl-server1"!policy group myPolicyport-forward "email" auto-download http-proxy proxy-url "http://www.example.com"inserviceRelated Commands
port-misuse
To permit or deny HTTP traffic through the firewall on the basis of specified applications in the HTTP message, use the port-misuse command in appfw-policy-http configuration mode. To disable this inspection parameter, use the no form of this command.
port-misuse {p2p | tunneling | im | default} action {reset | allow} [alarm]
no port-misuse {p2p | tunneling | im | default} action {reset | allow} [alarm]
Syntax Description
Defaults
If this command is not enabled, HTTP messages are permitted through the firewall if any of the applications are detected within the message.
Command Modes
appfw-policy-http configuration
Command History
Examples
The following example shows how to define the HTTP application firewall policy "mypolicy." This policy includes all supported HTTP policy rules. After the policy is defined, it is applied to the inspection rule "firewall," which will inspect all HTTP traffic entering the FastEthernet0/0 interface.
! Define the HTTP policy.appfw policy-name mypolicyapplication httpstrict-http action allow alarmcontent-length maximum 1 action allow alarmcontent-type-verification match-req-rsp action allow alarmmax-header-length request 1 response 1 action allow alarmmax-uri-length 1 action allow alarmport-misuse default action allow alarmrequest-method rfc default action allow alarmrequest-method extension default action allow alarmtransfer-encoding type default action allow alarm!!! Apply the policy to an inspection rule.ip inspect name firewall appfw mypolicyip inspect name firewall http!!! Apply the inspection rule to all HTTP traffic entering the FastEthernet0/0 interface.interface FastEthernet0/0ip inspect firewall in!!
