Table Of Contents

cache through clear compression Commands

cache

cache-compressed

cache-time

call-agent

call-duration-limit

call-party-numbers

capture

cd

certificate

chain

changeto

character-encoding

checkheaps

check-retransmission

checksum-verification

class (global)

class (policy-map)

class-map

class-map type inspect

class-map type management

class-map type regex

clear aaa local user fail-attempts

clear aaa local user lockout

clear aaa-server statistics

clear access-group

clear access-list

clear arp

clear asp drop

clear asp table

clear blocks

clear-button

clear capture

clear compression

cache through clear compression Commands

---

cache

To enter cache mode and set values for caching attributes, enter the cache command in webvpn mode. To remove all cache related commands from the configuration and reset them to default values, enter the no version of the command, also in webvpn mode.

cache

no cache

Defaults

Enabled with default settings for each cache attribute.

Command Modes

The following table shows the modes in which you enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Webvpn mode	•	—	•	—	—

Command History

Release	Modification
7.1(1)	This command was introduced.

Usage Guidelines

Caching stores frequently reused objects in the system cache, which reduces the need to perform repeated rewriting and compressing of content. It reduces traffic between WebVPN and both the remote servers and end-user browsers, with the result that many applications run much more efficiently.

Examples

The following example shows how to enter cache mode:

hostname(config)# webvpn

hostname(config-webvpn)# cache 

hostname(config-webvpn-cache)#

Related Commands

Command	Description
cache-compressed	Configures WebVPN cache compression.
disable	Disables caching.
expiry-time	Configures the expiration time for caching objects without revalidating them.
lmfactor	Sets a revalidation policy for caching objects that have only the last-modified timestamp.
max-object-size	Defines the maximum size of an object to cache.
min-object-size	Defines the minimum sizze of an object to cache.

cache-compressed

To cache compressed objects for WebVPN sessions, use the cache-compressed command in webvpn mode. To disallow caching of compressed content, enter the no version of the command.

cache-compressed enable

no cache-compressed

Syntax Description

enable

Enables caching of compressed content over WebVPN sessions.

Defaults

Caching of compressed content is enabled by default.

Command Modes

The following table shows the modes in which you enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Cache mode	•	—	•	—	—

Command History

Release	Modification
7.1(1)	This command was introduced.

Usage Guidelines

Caching stores frequently reused objects in the system cache. When caching of compressed content is enabled, the security appliance stores compressed ojects. When you disable caching of compressed content, the security appliance stores objects prior to invoking the compression routine.

Examples

The following example shows how to disable caching of compressed content, and how to reenable it.

hostname(config)# webvpn

hostname(config-webvpn)# cache 

hostname(config-webvpn-cache)# no cache-compressed

hostname(config-webvpn-cache)# cache-compressed enable

Related Commands

Command	Description
cache	Enters WebVPN Cache mode.
disable	Disables caching.
expiry-time	Configures the expiration time for caching objects without revalidating them.
lmfactor	Sets a revalidation policy for caching objects that have only the last-modified timestamp.
max-object-size	Defines the maximum size of an object to cache.
min-object-size	Defines the minimum sizze of an object to cache.

cache-time

To specify in minutes how long to allow a CRL to remain in the cache before considering it stale, use the cache-time command in ca-crl configuration mode. To return to the default value, use the no form of this command.

cache-time refresh-time

no cache-time

Syntax Description

refresh-time

Specifies the number of minutes to allow a CRL to remain in the cache. The range is 1 - 1440 minutes. If the NextUpdate field is not present in the CRL, the CRL is not cached.

Defaults

The default setting is 60 minutes.

Command Modes

The following table shows the modes in which you can enter the

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
CRL configuration	•	•	•	•	•

command:

Command History

Release	Modification
7.0	This command was introduced.

Examples

The following example enters ca-crl configuration mode, and specifies a cache time refresh value of 10 minutes for trustpoint central:

hostname(configure)# crypto ca trustpoint central

hostname(ca-trustpoint)# crl configure

hostname(ca-crl)# cache-time 10

hostname(ca-crl)# 

Related Commands

Command	Description
crl configure	Enters crl configuration mode.
crypto ca trustpoint	Enters trustpoint configuration mode.
enforcenextupdate	Specifies how to handle the NextUpdate CRL field in a certificate.

call-agent

To specify a group of call agents, use the call-agent command in MGCP map configuration mode, which is accessible by using the mgcp-map command. To remove the configuration, use the no form of this command.

call-agent ip_address group_id

no call-agent ip_address group_id

Syntax Description

ip_address	The IP address of the gateway.
group_id	The ID of the call agent group, from 0 to 2147483647.

Defaults

This command is disabled by default.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Global configuration	•	•	•	•	—

Command History

Release	Modification
7.0(1)	This command was introduced.

Usage Guidelines

Use the call-agent command to specify a group of call agents that can manage one or more gateways. The call agent group information is used to open connections for the call agents in the group (other than the one a gateway sends a command to) so that any of the call agents can send the response. Call agents with the same group_id belong to the same group. A call agent may belong to more than one group. The group_id option is a number from 0 to 4294967295. The ip_address option specifies the IP address of the call agent.

Examples

The following example allows call agents 10.10.11.5 and 10.10.11.6 to control gateway 10.10.10.115, and allows call agents 10.10.11.7 and 10.10.11.8 to control both gateways 10.10.10.116 and 10.10.10.117:

hostname(config)# mgcp-map mgcp_inbound

hostname(config-mgcp-map)# call-agent 10.10.11.5 101

hostname(config-mgcp-map)# call-agent 10.10.11.6 101

hostname(config-mgcp-map)# call-agent 10.10.11.7 102

hostname(config-mgcp-map)# call-agent 10.10.11.8 102

hostname(config-mgcp-map)# gateway 10.10.10.115 101

hostname(config-mgcp-map)# gateway 10.10.10.116 102

hostname(config-mgcp-map)# gateway 10.10.10.117 102

Related Commands

Commands	Description
debug mgcp	Enables the display of debug information for MGCP.
mgcp-map	Defines an MGCP map and enables MGCP map configuration mode.
show mgcp	Displays MGCP configuration and session information.

call-duration-limit

To configure the call duration for an H.323 call, use the call-duration-limit command in parameters configuration mode. To disable this feature, use the no form of this command.

call-duration-limit hh:mm:ss

no call-duration-limit hh:mm:ss

Syntax Description

hh:mm:ss

Specifies the duration in hours, minutes, and seconds.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Parameters configuration	•	•	•	•	—

Command History

Release	Modification
7.2(1)	This command was introduced.

Examples

The following example shows how to configure the call duration for an H.323 call:

hostname(config)# policy-map type inspect h323 h323_map

hostname(config-pmap)# parameters

hostname(config-pmap-p)# call-duration-limit 0:1:0

Related Commands

Command	Description
class	Identifies a class map name in the policy map.
class-map type inspect	Creates an inspection class map to match traffic specific to an application.
policy-map	Creates a Layer 3/4 policy map.
show running-config policy-map	Display all current policy map configurations.

call-party-numbers

To enforce sending call party numbers during an H.323 call setup, use the call-party-numbers command in parameters configuration mode. To disable this feature, use the no form of this command.

call-party-numbers

no call-party-numbers

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Parameters configuration	•	•	•	•	—

Command History

Release	Modification
7.2(1)	This command was introduced.

Examples

The following example shows how to enforce call party numbers during call setup for an H.323 call:

hostname(config)# policy-map type inspect h323 h323_map

hostname(config-pmap)# parameters

hostname(config-pmap-p)# call-party-numbers

Related Commands

Command	Description
class	Identifies a class map name in the policy map.
class-map type inspect	Creates an inspection class map to match traffic specific to an application.
policy-map	Creates a Layer 3/4 policy map.
show running-config policy-map	Display all current policy map configurations.

capture

To enable packet capture capabilities for packet sniffing and network fault isolation, use the capture command. To disable packet capture capabilities, use the no form of this command.

capture capture_name [type {asp-drop all [drop-code] | raw-data | isakmp | webvpn user webvpn-user [url url]}] [access-list access_list_name] [buffer buf_size] [ethernet-type type] [interface interface_name] [packet-length bytes] [circular-buffer] [trace trace_count] [real-time] [dump] [detail] [match prot] {host ip | ip mask | any} [operator port]

no capture capture-name [access-list access_list_name] [circular-buffer] [interface interface_name] [real-time] [dump] [detail] [match prot] {host ip | ip mask | any} [operator port]

Syntax Description

access-list access_list_name	(Optional) Captures traffic that matches an access list. In multiple context mode, this is only available within a context.
any	Specifies any IP address instead of a single IP address and mask.
all	Captures all the packets that the security appliance drops
asp-drop [drop-code]	(Optional) Captures packets dropped by the accelerated security path. The drop-code specifies the type of traffic that is dropped by the accelerated security path. See the show asp drop frame command for a list of drop codes. If you do not enter the drop-code argument, then all dropped packets are captured. You can enter this keyword with packet-length, circular-buffer, and buffer, but not with interface or ethernet-type.
buffer buf_size	(Optional) Defines the buffer size used to store the packet in bytes. Once the byte buffer is full, packet capture stops.
capture_name	Specifies the name of the packet capture. Use the same name on multiple capture statements to capture multiple types of traffic. When you view the capture configuration using the show capture command, all options are combined on one line.
circular-buffer	(Optional) Overwrites the buffer, starting from the beginning, when the buffer is full.
detail	(Optional) Displays additional protocol information for each packet.
dump	(Optional) Displays a hexadecimal dump of the packets that are transported over the data link transport.
ethernet-type type	(Optional) Selects an Ethernet type to capture. The default is IP packets. An exception occurs with the 802.1Q or VLAN type. The 802.1Q tag is automatically skipped and the inner Ethernet type is used for matching.
host ip	Specifies the single IP address of the host to which the packet is being sent.
interface interface_name	Sets the name of the interface on which to use packet capture. You must configure an interface for any packets to be captured. You can configure multiple interfaces using multiple capture commands with the same name. To capture packets on the dataplane of an ASA 5500 series adaptive security appliance, you can use the interface keyword with asa_dataplane as the name of the interface.
isakmp	(Optional) Captures ISAKMP traffic. This is not available in multiple context mode. The ISAKMP subsystem does not have access to the upper layer protocols. The capture is a pseudo capture, with the Physical, IP, and UDP layers combined together to satisfy a PCAP parser. The peer addresses are obtained from the SA exchange and are stored in the IP layer.
mask	The subnet mask for the IP address. When you specify a network mask, the method is different from the Cisco IOS software access-list command. The security appliance uses a network mask (for example, 255.255.255.0 for a Class C mask). The Cisco IOS mask uses wildcard bits (for example, 0.0.0.255).
match prot	Specifies the packets that match the five-tuple to allow filtering of those packets to be captured. You can use this keyword up to three times on one line.
operator	(Optional) Matches the port numbers used by the source or destination. The permitted operators are as follows: •lt—less than •gt—greater than •eq—equal to
packet-length bytes	(Optional) Sets the maximum number of bytes of each packet to store in the capture buffer.
port	(Optional) If you set the protocol to tcp or udp, specifies the integer or name of a TCP or UDP port.
raw-data	(Optional) Captures inbound and outbound packets on one or more interfaces. This setting is the default.
real-time	Displays the captured packets continuously in real-time. To terminate real-time packet capture, enter Ctrl + c. This option applies only to raw-data and asp-drop captures.
trace trace_count	(Optional) Captures packet trace information, and the number of packets to capture. This is used with an access list to insert trace packets into the data path to determine whether the packet is processed as expected.
type	(Optional) Specifies the type of data captured.
url url	(Optional) Specifies a URL prefix to match for data capture. Use the URL format http://server/path to capture HTTP traffic to the server. Use https://server/path to capture HTTPS traffic to the server.
user webvpn-user	(Optional) Specifies a username for a WebVPN capture.
webvpn	(Optional) Captures WebVPN data for a specific WebVPN connection.

Defaults

The defaults are as follows:

•The default type is raw-data.

•The default buffer size is 512 KB.

•The default Ethernet type is IP.

•The default packet-length is 68 bytes.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Priveleged mode	•	•	•	•	•

Command History

Release	Modification
6.2(1)	This command was introduced.
7.0(1)	This command was modified to include the following new keywords: type asp-drop, type isakmp, type raw-data, and type webvpn.
7.2(1)	This command was modified to include the following options: trace trace_count, match prot, real-time, host ip, any, mask, and operator.
7.2(4)	Added the all option to capture all packets that the security appliance drops.

Usage Guidelines

Capturing packets is useful when troubleshooting connectivity problems or monitoring suspicious activity. You can create multiple captures. To view the packet capture, use the show capture name command. To save the capture to a file, use the copy capture command. Use the https://security appliance-ip-address/capture/capture_name[/pcap] command to see the packet capture information with a web browser. If you specify the pcap optional keyword, then a libpcap-format file is downloaded to the web browser and can be saved using the web browser. (A libcap file can be viewed with TCPDUMP or Ethereal.)

If you copy the buffer contents to a TFTP server in ASCII format, you will see only the headers, not the details and hexadecimal dump of the packets. To see the details and hexadecimal dump, you need to transfer the buffer in PCAP format and read it with TCPDUMP or Ethereal.

When you enable WebVPN capture, the security appliance creates a pair of matching files: capture_name_ORIGINAL.000 and capture_name_MANGLED.000. For each subsequent capture, the security appliance generates additional matching pairs of files and increments the file extensions.

---

Note Enabling WebVPN capture affects the performance of the security appliance. Be sure to disable the capture after you generate the capture files that you need for troubleshooting.

---

Enter the no capture command with either the access-list or interface optional keyword unless you want to clear the capture itself. Entering no capture without optional keywords deletes the capture. If the access-list optional keyword is specified, the access list is removed from the capture and the capture is preserved. If the interface keyword is specified, the capture is detached from the specified interface and the capture is preserved.

You cannot perform any operations on a capture while the real-time display is in progress. Using the real-time keyword with a slow console connection may result in an excessive number of non-displayed packets because of performance considerations. The fixed limit of the buffer is 1000 packets. If the buffer fills up, a counter is maintained of the captured packets. If you open another session, you can disable the real-time display be entering the no capture real-time command.

---

Note The capture command is not saved to the configuration, and is not copied to the standby unit during failover.

---

Examples

To enable packet capture, enter the following:

hostname# capture captest interface inside

hostname# capture captest interface outside

On a web browser, the capture contents for a capture named "captest" can be viewed at the following location:

https://171.69.38.95/capture/captest/pcap

To download a libpcap file (used in web browsers such as Internet Explorer or Netscape Navigator) to a local machine, enter the following:

https://171.69.38.95/capture/http/pcap

This example shows that the traffic is captured from an outside host at 171.71.69.234 to an inside HTTP server:

hostname# access-list http permit tcp host 10.120.56.15 eq http host 171.71.69.234

hostname# access-list http permit tcp host 171.71.69.234 host 10.120.56.15 eq http

hostname# capture http access-list http packet-length 74 interface inside

This example shows how to capture ARP packets:

hostname# capture arp ethernet-type arp interface outside

This example creates a WebVPN capture designated hr, which is configured to capture HTTP traffic for user2 visiting website wwwin.abcd.com/hr/people:

hostname# capture hr type webvpn user user2 url http://wwwin.abcd.com/hr/people

WebVPN capture started.

   capture name   hr

   user name      user2

   url            /http/0/wwwin.abcd.com/hr/people

This example inserts five tracer packets into the data stream, where access-list 101 defines traffic that matches TCP protocol FTP :

hostname# capture ftptrace interface outside access-list 101 trace 5

In the preceding case, use the show capture ftptrace command to view the traced packets and view information about packet processing in an easily readable manner.

This example shows how to display captured packets in real-time:

hostname# capture test interface outside real-time

Warning: Using this option with a slow console connection may result in an excess amount 
of non-displayed packets due to performance limitations.

Use ctrl-c to terminate real-time capture.

10 packets displayed

12 packets not displayed due to performance limitations

Related Commands

Command	Description
clear capture	Clears the capture buffer.
copy capture	Copies a capture file to a server.
show capture	Displays the capture configuration when no options are specified.

cd

To change the current working directory to the one specified, use the cd command in privileged EXEC mode.

cd [disk0: | disk1: | flash:] [path]

Syntax Description

disk0:	Specifies the internal Flash memory, followed by a colon.
disk1:	Specifies the removable, external Flash memory card, followed by a colon.
flash:	Specifies the internal Flash memory, followed by a colon. In the ASA 5500 series, the flash keyword is aliased to disk0.
path	(Optional) The absolute path of the directory to change to.

Defaults

If you do not specify a directory, the directory is changed to the root directory.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	•	•	—	•

Command History

Release	Modification
7.0(1)	This command was introduced.

Examples

This example shows how to change to the "config" directory:

hostname# cd flash:/config/

Related Commands

Command	Description
pwd	Displays the current working directory.

certificate

To add the indicated certificate, use the certificate command in crypto ca certificate chain mode. When you use this command, the security appliance interprets the data included with it as the certificate in hexadecimal format. A quit string indicates the end of the certificate.

To delete the certificate, use the no form of the command.

certificate [ca | ra-encrypt | ra-sign | ra-general] certificate-serial-number

no certificate certificate-serial-number

Syntax Description

Syntax DescriptionSyntax Description

certificate-serial-number	Specifies the serial number of the certificate in hexadecimal format ending with the word quit.
ca	Indicates that the certificate is a certificate authority (CA) issuing certificate.
ra-encrypt	Indicates that the certificate is a registration authority (RA) key encipherment certificate used in SCEP.
ra-general	Indicates that the certificate is a registration authority (RA) certificate used for digital signing and key encipherment in SCEP messaging.
ra-sign	Indicates that the certificate is an registration authority (RA) digital signature certificate used in SCEP messaging.

Defaults

This command has no default values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Certificate chain configuration	•	•	•	•	•

Command History

Release	Modification
7.0(1)	This command was introduced.

Usage Guidelines

A certificate authority (CA) is an authority in a network that issues and manages security credentials and public key for message encryption. As part of a public key infrastructure, a CA checks with a registration authority (RA) to verify information provided by the requestor of a digital certificate. If the RA verifies the requestor's information, the CA can then issue a certificate.

Examples

This example enters ca trustpoint mode for a trustpoint named central, then enters crypto ca certificate chain mode for central, and adds a CA certificate with a serial number 29573D5FF010FE25B45:

hostname(config)# crypto ca trustpoint central

hostname(ca-trustpoint)# crypto ca certificate chain central 

hostname(ca-cert-chain)# certificate ca 29573D5FF010FE25B45

  30820345 308202EF A0030201 02021029 572A3FF2 96EF854F D0D6732F E25B4530

  0D06092A 864886F7 0D010105 05003081 8F311630 1406092A 864886F7 0D010901

  16076140 622E636F 6D310B30 09060355 04061302 55533116 30140603 55040813

  0D6D6173 73616368 75736574 74733111 300F0603 55040713 08667261 6E6B6C69

  6E310E30 0C060355 040A1305 63697363 6F310F30 0D060355 040B1306 726F6F74

  6F75311C 301A0603 55040313 136D732D 726F6F74 2D736861 2D30362D 32303031

  301E170D 30313036 32363134 31313430 5A170D32 32303630 34313430 3133305A

  30818F31 16301406 092A8648 86F70D01 09011607 6140622E 636F6D31 0B300906

  03550406 13025553 31163014 06035504 08130D6D 61737361 63687573 65747473

  3111300F 06035504 07130866 72616E6B 6C696E31 0E300C06 0355040A 13056369

  73636F31 0F300D06 0355040B 1306726F 6F746F75 311C301A 06035504 0313136D

  732D726F 6F742D73 68612D30 362D3230 3031305C 300D0609 2A864886 F70D0101

  01050003 4B003048 024100AA 3EB9859B 8670A6FB 5E7D2223 5C11BCFE 48E6D3A8

  181643ED CF7E75EE E77D83DF 26E51876 97D8281E 9F58E4B0 353FDA41 29FC791B

  1E14219C 847D19F4 A51B7B02 03010001 A3820123 3082011F 300B0603 551D0F04

  04030201 C6300F06 03551D13 0101FF04 05300301 01FF301D 0603551D 0E041604

  14E0D412 3ACC96C2 FBF651F3 3F66C0CE A62AB63B 323081CD 0603551D 1F0481C5

  3081C230 3EA03CA0 3A86386C 6461703A 2F2F7732 6B616476 616E6365 64737276

  2F436572 74456E72 6F6C6C2F 6D732D72 6F6F742D 7368612D 30362D32 3030312E

  63726C30 3EA03CA0 3A863868 7474703A 2F2F7732 6B616476 616E6365 64737276

  2F436572 74456E72 6F6C6C2F 6D732D72 6F6F742D 7368612D 30362D32 3030312E

  63726C30 40A03EA0 3C863A66 696C653A 2F2F5C5C 77326B61 6476616E 63656473

  72765C43 65727445 6E726F6C 6C5C6D73 2D726F6F 742D7368 612D3036 2D323030

  312E6372 6C301006 092B0601 04018237 15010403 02010130 0D06092A 864886F7

  0D010105 05000341 0056221E 03F377B9 E6900BF7 BCB3568E ADBA146F 3B8A71F3

  DF9EB96C BB1873B2 B6268B7C 0229D8D0 FFB40433 C8B3CB41 0E4D212B 2AEECD77

  BEA3C1FE 5EE2AB6D 91

  quit

Related Commands

Command	Description
clear configure crypto map	Clears all configuration for all crypto maps
show running-config crypto map	Displays the crypto map configuration.
crypto ca certificate chain	Enters certificate crypto ca certificate chain mode.
crypto ca trustpoint	Enters ca trustpoint mode.
show running-config crypto map	Displays all configuration for all the crypto maps

chain

To enable sending of a certificate chain, use the chain command in tunnel-group ipsec-attributes configuration mode. This action includes the root certificate and any subordinate CA certificates in the transmission. To return this command to the default, use the no form of this command.

chain

no chain

Syntax Description

This command has no arguments or keywords.

Defaults

The default setting for this command is disabled.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Tunnel-group ipsec attributes configuration	•	—	•	—	—

Command History

Release	Modification
7.0(1)	This command was introduced.

Usage Guidelines

You can apply this attribute to all IPSec tunnel-group types.

Examples

The following example entered in tunnel-group-ipsec attributes configuration mode, enables sending a chain for an IPSec LAN-to-LAN tunnel group with the IP address of 209.165.200.225, which includes the root certificate and any subordinate CA certificates:

hostname(config)# tunnel-group 209.165.200.225 type IPSec_L2L

hostname(config)# tunnel-group 209.165.200.225 ipsec-attributes

hostname(config-tunnel-ipsec)# chain

hostname(config-tunnel-ipsec)# 

Related Commands

Command	Description
clear-configure tunnel-group	Clears all configured tunnel groups.
show running-config tunnel-group	Shows the current tunnel-group configuration.
tunnel-group ipsec-attributes	Configures the tunnel-group ipsec-attributes for this group.

changeto

To change between security contexts and the system, use the changeto command in privileged EXEC mode.

changeto {system | context name}

Syntax Description

context name	Changes to the context with the specified name.
system	Changes to the system execution space.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Privileged EXEC	•	•	—	•	•

Command History

Release	Modification
7.0(1)	This command was introduced.

Usage Guidelines

If you log into the system execution space or the admin context, you can change between contexts and perform configuration and monitoring tasks within each context. The "running" configuration that you edit in configuration mode, or that is used in the copy or write commands, depends on which execution space you are in. When you are in the system execution space, the running configuration consists only of the system configuration; when you are in a context execution space, the running configuration consists only of that context. For example, you cannot view all running configurations (system plus all contexts) by entering the show running-config command. Only the current configuration appears.

Examples

The following example changes between contexts and the system in privileged EXEC mode:

hostname/admin# changeto system

hostname# changeto context customerA

hostname/customerA#

The following example changes between the system and the admin context in interface configuration mode. When you change between execution spaces, and you are in a configuration submode, the mode changes to the global configuration mode in the new execution space.

hostname(config-if)# changeto context admin

hostname/admin(config)#

Related Commands

Command	Description