Cisco Security Appliance Command Reference, Version 8.0
client-access-rule -- crl-configure

client through crl configure Commands


client-access-rule

To configure rules that limit the remote access client types and versions that can connect via IPSec through the security appliance, use the client-access-rule command in group-policy configuration mode. To delete a rule, use the no form of this command.

To delete all rules, use the no client-access-rule command with only the priority argument. This deletes all configured rules, including a null rule created by issuing the client-access-rule none command.

When there are no client access rules, users inherit any rules that exist in the default group policy. To prevent users from inheriting client access rules, use the client-access-rule none command. The result of doing so is that all client types and versions can connect.

client-access-rule priority {permit | deny} type type version version | none

no client-access-rule priority [{permit | deny} type type version version]

Syntax Description

deny

Denies connections for devices of a particular type and/or version.

none

Allows no client access rules. Sets client-access-rule to a null value, thereby allowing no restriction. Prevents inheriting a value from a default or specified group policy.

permit

Permits connections for devices of a particular type and/or version.

priority

Determines the priority of the rule. The rule with the lowest integer has the highest priority. Therefore, the rule with the lowest integer that matches a client type and/or version is the rule that applies. If a lower-priority rule contradicts it, the security appliance ignores the lower-priority rule.

type type

Identifies device types via free-form strings, for example VPN 3002. A string must match exactly its appearance in the show vpn-sessiondb remote display, except that you can use the * character as a wildcard.

version version

Identifies the device version via free-form strings, for example 7.0. A string must match exactly its appearance in the show vpn-sessiondb remote display, except that you can use the * character as a wildcard.


Defaults

By default, there are no access rules.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Group-policy configuration


Command History

Release
Modification

7.0(1)

This command was introduced.


Usage Guidelines

Construct rules according to these caveats:

If you do not define any rules, the security appliance permits all connection types.

When a client matches none of the rules, the security appliance denies the connection. This means that if you define a deny rule, you must also define at least one permit rule, or the security appliance denies all connections.

For both software and hardware clients, type and version must match exactly their appearance in the show vpn-sessiondb remote display.

The * character is a wildcard, which you can use multiple times in each rule. For example, client-access-rule 3 deny type * version 3.* creates a priority 3 client access rule that denies all client types running release versions 3.x software.

You can construct a maximum of 25 rules per group policy.

There is a limit of 255 characters for an entire set of rules.

You can use n/a for clients that do not send client type and/or version.

Examples

The following example shows how to create client access rules for the group policy named FirstGroup. These rules permit VPN Clients running software version 4.1, while denying all VPN 3002 hardware clients:

hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# client-access-rule 1 deny type VPN3002 version *
hostname(config-group-policy)# client-access-rule 2 permit type * version 4.1
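
The evaluation order in the usage guidelines (lowest priority number first, * as the only wildcard, implicit deny once any rule exists) can be checked offline before a policy is applied. The following Python sketch is an added example, not Cisco code; it accepts only the full-keyword form of the command, matches strings case-sensitively, and treats a missing type or version as n/a, all of which are assumptions of the sketch. The client strings in the demo are constructed.

```python
import re
from dataclasses import dataclass

MAX_RULES = 25  # limit per group policy, from the usage guidelines

# Full-keyword form only. The type may contain spaces; the version may not
# (an assumption of this sketch, not something the reference specifies).
RULE_RE = re.compile(
    r"^client-access-rule\s+(\d+)\s+(permit|deny)\s+type\s+(.+?)\s+version\s+(\S+)$"
)


@dataclass(frozen=True)
class Rule:
    priority: int
    action: str
    type_pat: str
    version_pat: str


def wildcard(pattern):
    """Compile a pattern in which only '*' is special; the rest is literal."""
    return re.compile(".*".join(re.escape(part) for part in pattern.split("*")))


def parse_rules(lines):
    """Return (rules sorted by priority, null_rule flag)."""
    rules, null_rule = [], False
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line == "client-access-rule none":
            null_rule = True  # null rule: no restriction, no inheritance
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError(f"not a client-access-rule line: {line!r}")
        rules.append(Rule(int(m[1]), m[2], m[3], m[4]))
    if len(rules) > MAX_RULES:
        raise ValueError(f"{len(rules)} rules exceed the limit of {MAX_RULES}")
    return sorted(rules, key=lambda r: r.priority), null_rule


def evaluate(rules, null_rule, client_type=None, client_version=None):
    """Return (decision, priority of the deciding rule or None)."""
    ctype = client_type or "n/a"      # client sent no type
    cver = client_version or "n/a"    # client sent no version
    if null_rule or not rules:
        return "permit", None         # no rules: everything connects
    for rule in rules:                # lowest integer wins
        if (wildcard(rule.type_pat).fullmatch(ctype)
                and wildcard(rule.version_pat).fullmatch(cver)):
            return rule.action, rule.priority
    return "deny", None               # rules exist but none matched


# The two FirstGroup rules from the example above, with full keywords.
FIRSTGROUP = [
    "client-access-rule 1 deny type VPN3002 version *",
    "client-access-rule 2 permit type * version 4.1",
]
# A deny rule with no permit rule: every client ends up denied.
DENY_ONLY = ["client-access-rule 3 deny type * version 3.*"]

if __name__ == "__main__":
    rules, null_rule = parse_rules(FIRSTGROUP)
    for ctype, cver in [("WinNT", "4.1"), ("VPN3002", "4.1"),
                        ("WinNT", "4.6.1"), (None, None)]:
        print(ctype, cver, evaluate(rules, null_rule, ctype, cver))
    rules, null_rule = parse_rules(DENY_ONLY)
    print("deny-only:", evaluate(rules, null_rule, "WinNT", "4.1"))
```

Note that a client reporting 4.6.1 is denied by the FirstGroup rules because 4.1 is an exact string, not a prefix; a rule written with version 4.* would be needed to admit it.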

client (ctl-provider)

To specify clients allowed to connect to the Certificate Trust List provider, or to specify a username and password for client authentication, use the client command in CTL provider configuration mode. To remove the configuration, use the no form of this command.

client [[interface if_name] ipv4_addr] | [username user_name password password [encrypted]]

no client [[interface if_name] ipv4_addr] | [username user_name password password [encrypted]]

Syntax Description

encrypted

Specifies encryption for the password.

interface if_name

Specifies the interface allowed to connect.

ipv4_addr

Specifies the IP address of the client.

username user_name

Specifies the username for client authentication.

password password

Specifies the password for client authentication.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

CTL provider configuration


Command History

Release
Modification

8.0(2)

This command was introduced.


Usage Guidelines

Use the client command in CTL provider configuration mode to specify the clients allowed to connect to the CTL provider, and to set the username and password for client authentication. More than one command may be issued to define multiple clients. The username and password must match the CCM Administrator's username and password for the CallManager cluster.

Examples

The following example shows how to create a CTL provider instance:

hostname(config)# ctl-provider my_ctl
hostname(config-ctl-provider)# client interface inside 172.23.45.1
hostname(config-ctl-provider)# client username CCMAdministrator password XXXXXX encrypted
hostname(config-ctl-provider)# export certificate ccm_proxy
hostname(config-ctl-provider)# ctl install

Related Commands

Commands
Description

ctl

Parses the CTL file from the CTL client and installs trustpoints.

ctl-provider

Configures a CTL provider instance in CTL provider mode.

export

Specifies the certificate to be exported to the client.

service

Specifies the port to which the CTL provider listens.

tls-proxy

Defines a TLS proxy instance and sets the maximum sessions.


client (tls-proxy)

To configure trustpoints, keypairs, and cipher suites, use the client command in TLS proxy configuration mode. To remove the configuration, use the no form of this command.

client [cipher-suite cipher_suite] | [ldc [issuer ca_tp_name | key-pair key_label]]

no client [cipher-suite cipher_suite] | [ldc [issuer ca_tp_name | key-pair key_label]]

Syntax Description

cipher-suite cipher_suite

Specifies the cipher suite. Options include des-sha1, 3des-sha1, aes128-sha1, aes256-sha1, or null-sha1.

issuer ca_tp_name

Specifies the local CA trustpoint to issue client dynamic certificates.

key-pair key_label

Specifies the RSA keypair to be used by client dynamic certificates.

ldc

Specifies the local dynamic certificate issuer or keypair.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

TLS proxy configuration


Command History

Release
Modification

8.0(2)

This command was introduced.


Usage Guidelines

Use the client command in TLS proxy configuration mode to control the TLS handshake parameters that the security appliance uses when it acts as the TLS client in a TLS proxy. These parameters include the cipher suite and the local dynamic certificate issuer or keypair. The local CA that issues client dynamic certificates is either a trustpoint defined by the crypto ca trustpoint command, which must have proxy-ldc-issuer configured, or the default local CA server (LOCAL-CA-SERVER).

The keypair value must have been generated with the crypto key generate command.

For client proxy (the proxy acts as a TLS client to the server), the user-defined cipher suite replaces the default cipher suite, or the one defined by the ssl encryption command. You can use this command to use different ciphers for the two TLS sessions. You should use AES ciphers with the CallManager server.

Examples

The following example shows how to create a TLS proxy instance:

hostname(config)# tls-proxy my_proxy
hostname(config-tlsp)# server trust-point ccm_proxy
hostname(config-tlsp)# client ldc issuer ldc_server
hostname(config-tlsp)# client ldc key-pair phone_common

Related Commands

Commands
Description

ctl-provider

Defines a CTL provider instance and enters provider configuration mode.

server trust-point

Specifies the proxy trustpoint certificate to be presented during the TLS handshake.

show tls-proxy

Shows the TLS proxies.

tls-proxy

Defines a TLS proxy instance and sets the maximum sessions.


client-firewall

To set personal firewall policies that the security appliance pushes to the VPN client during IKE tunnel negotiation, use the client-firewall command in group-policy configuration mode. To delete a firewall policy, use the no form of this command.

To delete all firewall policies, use the no client-firewall command without arguments. This deletes all configured firewall policies, including a null policy created by issuing the client-firewall none command.

When there are no firewall policies, users inherit any that exist in the default or other group policy. To prevent users from inheriting such firewall policies, use the client-firewall none command.

client-firewall none

client-firewall {opt | req} custom vendor-id num product-id num policy {AYT | CPP acl-in acl acl-out acl} [description string]

client-firewall {opt | req} zonelabs-integrity


Note: When the firewall type is zonelabs-integrity, do not include arguments. The Zone Labs Integrity Server determines the policies.


client-firewall {opt | req} zonelabs-zonealarm policy {AYT | CPP acl-in acl acl-out acl}

client-firewall {opt | req} zonelabs-zonealarmorpro policy {AYT | CPP acl-in acl acl-out acl}

client-firewall {opt | req} zonelabs-zonealarmpro policy {AYT | CPP acl-in acl acl-out acl}

client-firewall {opt | req} cisco-integrated acl-in acl acl-out acl

client-firewall {opt | req} sygate-personal

client-firewall {opt | req} sygate-personal-pro

client-firewall {opt | req} sygate-security-agent

client-firewall {opt | req} networkice-blackice

client-firewall {opt | req} cisco-security-agent

Syntax Description

acl-in <acl>

Provides the policy the client uses for inbound traffic.

acl-out <acl>

Provides the policy the client uses for outbound traffic.

AYT

Specifies that the client PC firewall application controls the firewall policy. The security appliance checks to make sure the firewall is running. It asks, "Are You There?" If there is no response, the security appliance tears down the tunnel.

cisco-integrated

Specifies Cisco Integrated firewall type.

cisco-security-agent

Specifies Cisco Intrusion Prevention Security Agent firewall type.

CPP

Specifies Policy Pushed as source of the VPN Client firewall policy.

custom

Specifies Custom firewall type.

description <string>

Describes the firewall.

networkice-blackice

Specifies Network ICE Black ICE firewall type.

none

Indicates that there is no client firewall policy. Sets a firewall policy with a null value, thereby disallowing one. Prevents inheriting a firewall policy from a default or specified group policy.

opt

Indicates an optional firewall type.

product-id

Identifies the firewall product.

req

Indicates a required firewall type.

sygate-personal

Specifies Sygate Personal firewall type.

sygate-personal-pro

Specifies Sygate Personal Pro firewall type.

sygate-security-agent

Specifies Sygate Security Agent firewall type.

vendor-id

Identifies the firewall vendor.

zonelabs-integrity

Specifies Zone Labs Integrity Server firewall type.

zonelabs-zonealarm

Specifies Zone Labs Zone Alarm firewall type.

zonelabs-zonealarmorpro policy

Specifies Zone Labs Zone Alarm or Pro firewall type.

zonelabs-zonealarmpro policy

Specifies Zone Labs Zone Alarm Pro firewall type.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Group-policy configuration


Command History

Release
Modification

7.0(1)

This command was introduced.

7.2(1)

The zonelabs-integrity firewall type was added.


Usage Guidelines

Only one instance of this command can be configured.

Examples

The following example shows how to set a client firewall policy that requires Cisco Intrusion Prevention Security Agent for the group policy named FirstGroup:

hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# client-firewall req cisco-security-agent

client trust-point

To specify the proxy trustpoint certificate to be presented during TLS handshake when configuring the TLS Proxy for Cisco Unified Presence Server (CUPS), use the client trust-point command in tls-proxy configuration mode. To remove the proxy trustpoint certificate, use the no form of this command.

client trust-point proxy_trustpoint

no client trust-point [proxy_trustpoint]

Syntax Description 

proxy_trustpoint

Specifies the trustpoint defined by the crypto ca trustpoint command.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

TLS proxy configuration


Command History 

Release
Modification

8.0(4)

The command was introduced.


Usage Guidelines

The client trust-point command specifies the trustpoint and associated certificate that the security appliance uses in the TLS handshake when the security appliance assumes the role of the TLS client. The certificate must be owned by the security appliance (identity certificate).

The certificate can be self-signed, enrolled with a certificate authority, or from an imported credential. The client trust-point command has precedence over the global ssl trust-point command.

Examples

The following example shows the use of the client trust-point command to specify the use of trustpoint "ent_y_proxy" in the TLS handshake with the TLS server. The handshake is likely to be originated from entity Y to entity X where the TLS server resides. The ASA functions as the TLS proxy for entity Y.

hostname(config-tlsp)# client trust-point ent_y_proxy

Related Commands 

Command
Description

client (tls-proxy)

Configures trustpoints, keypairs, and cipher suites for a TLS proxy instance.

server trust-point

Specifies the proxy trustpoint certificate to present during the TLS handshake when the security appliance assumes the role of the TLS server.

ssl trust-point

Specifies the certificate trustpoint that represents the SSL certificate for an interface.

tls-proxy

Configures a TLS proxy instance.


client-types (crypto ca trustpoint)

To specify the client connection types for which this trustpoint can be used to validate the certificates associated with a user connection, use the client-types command in crypto ca trustpoint configuration mode. To specify that the trustpoint cannot be used for the named connection, use the no form of the command.

[no] client-types {ssl | ipsec}

Syntax Description

ipsec

Specifies that the Certificate Authority (CA) certificate and policy associated with the trustpoint can be used to validate IPSec connections.

ssl

Specifies that the Certificate Authority (CA) certificate and policy associated with the trustpoint can be used to validate SSL connections.


Defaults

No default value or behavior.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Crypto ca trustpoint configuration


Command History

Release
Modification

8.0(2)

This command was introduced.


Usage Guidelines

When there are multiple trustpoints associated with the same CA certificate, only one of the trustpoints can be configured for a specific client type. However, one of the trustpoints can be configured for one client type and the other trustpoint with another client-type.

If there is a trustpoint associated with the same CA certificate that is already configured with a client type, the new trustpoint is not allowed to be configured with the same client-type setting. The no form of the command clears the setting so that trustpoint cannot be used for any client validation.

Remote-access VPNs can use Secure Sockets Layer (SSL) VPN, IP Security (IPSec), or both, depending on deployment requirements, to permit access to virtually any network application or resource.

Examples

The following example enters crypto ca trustpoint configuration mode for the trustpoint central and designates it as an SSL trustpoint:

hostname(config)# crypto ca trustpoint central
hostname(config-ca-trustpoint)# client-types ssl
hostname(config-ca-trustpoint)# 

The following example enters crypto ca trustpoint configuration mode for the trustpoint checkin1 and designates it as an IPsec trustpoint:

hostname(config)# crypto ca trustpoint checkin1
hostname(config-ca-trustpoint)# client-types ipsec
hostname(config-ca-trustpoint)# 

Related Commands

Command
Description

crypto ca trustpoint

Enters trustpoint configuration mode.

id-usage

Specifies how the enrolled identity of a trustpoint can be used.

ssl trust-point

Specifies the certificate trustpoint that represents the SSL certificate for an interface.


client-update

To issue a client-update for all active remote VPN software and hardware clients and security appliances configured as Auto Update clients, on all tunnel-groups or for a particular tunnel group, use the client-update command in privileged EXEC mode.

To configure and change client-update parameters at the global level, including VPN software and hardware clients and security appliances configured as Auto Update clients, use the client-update command in global configuration mode.

To configure and change client-update tunnel-group IPSec-attributes parameters for VPN software and hardware clients, use the client-update command in tunnel-group ipsec-attributes configuration mode.

If the client is already running a software version on the list of revision numbers, it does not need to update its software. If the client is not running a software version on the list, it should update.

To disable a client update, use the no form of this command.

Global configuration mode command:

client-update {enable | {component {asdm | image} | device-id dev_string | family family_name | type type} url url-string rev-nums rev-nums}

no client-update {enable | {component {asdm | image} | device-id dev_string | family family_name | type type} url url-string rev-nums rev-nums}

Tunnel-group ipsec-attributes mode command:

client-update type type url url-string rev-nums rev-nums

no client-update type type url url-string rev-nums rev-nums

Privileged EXEC mode command:

client-update {all | tunnel-group}

no client-update tunnel-group

Syntax Description

all

(Available only in privileged EXEC mode.) Applies the action to all active remote clients in all tunnel groups. You cannot use the keyword all with the no form of the command.

component {asdm | image}

The software component for security appliances configured as Auto Update clients.

device-id dev_string

If the Auto Update client is configured to identify itself with a unique string, specify the same string that the client uses. The maximum length is 63 characters.

enable

(Available only in global configuration mode.) Enables remote client software updates.

family family_name

If the Auto Update client is configured to identify itself by device family, specify the same device family that the client uses. It can be asa, pix, or a text string with a maximum length of 7 characters.

rev-nums rev-nums

(Not available in privileged EXEC mode.) Specifies the software or firmware images for this client. For Windows, WIN9X, WinNT, and vpn3002 clients, enter up to 4, in any order, separated by commas. For security appliances, only one is allowed. The maximum length of the string is 127 characters.

tunnel-group

(Available only in privileged EXEC mode.) Specifies the name of a valid tunnel-group for remote client update.

type type

(Not available in privileged EXEC mode.) Specifies the operating systems of remote PCs or the type of security appliances (configured as Auto Update clients) to notify of a client update. The list comprises the following:

asa5505: Cisco 5505 Adaptive Security Appliance

asa5510: Cisco 5510 Adaptive Security Appliance

asa5520: Cisco 5520 Adaptive Security Appliance

asa5540: Cisco 5540 Adaptive Security Appliance

linux: A Linux client

mac: Mac OS X client

pix-515: Cisco PIX 515 Firewall

pix-515e: Cisco PIX 515E Firewall

pix-525: Cisco PIX 525 Firewall

pix-535: Cisco PIX 535 Firewall

Windows: all windows-based platforms

WIN9X: Windows 95, Windows 98, and Windows ME platforms

WinNT: Windows NT 4.0, Windows 2000, and Windows XP platforms

vpn3002: VPN 3002 hardware client

A text string of up to 15 characters

url url-string

(Not available in privileged EXEC mode.) Specifies the URL for the software/firmware image. This URL must point to a file appropriate for this client. The maximum string length is 255 characters.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

Global configuration

Tunnel-group ipsec-attributes configuration


Command History

Release
Modification

7.0(1)

This command was introduced.

7.1(1)

Added tunnel-group ipsec-attributes configuration mode.

7.2(1)

Added the component, device-id, and family keywords and their arguments to support the security appliance configured as an Auto Update server.


Usage Guidelines

In tunnel-group ipsec-attributes configuration mode, you can apply this attribute only to the IPSec remote-access tunnel-group type.

The client-update command lets you enable the update; specify the types and revision numbers of clients to which the update applies; provide a URL or IP address from which to get the update; and, in the case of Windows clients, optionally notify users that they should update their VPN client version. For Windows clients, you can provide a mechanism for users to accomplish that update. For VPN 3002 Hardware Client users, the update occurs automatically, with no notification. When the client type is another security appliance, this security appliance acts as an Auto Update server.

To configure the client-update mechanism, do the following steps:


Step 1 In global configuration mode, enable client update by entering the command:

hostname(config)# client-update enable
hostname(config)#

Step 2 In global configuration mode, configure the parameters for the client update that you want to apply to all clients of a particular type. That is, specify the type of client and the URL or IP address from which to get the updated image. For Auto Update clients, specify the software component—ASDM or boot image. In addition, you must specify a revision number. If the user's client revision number matches one of the specified revision numbers, there is no need to update the client. This command configures the client-update parameters for all clients of the specified type across the entire security appliance. For example:

hostname(config)# client-update type windows url https://support/updates/ rev-nums 4.6.1
hostname(config)#

See the Examples section for an illustration of configuring a tunnel group for a VPN 3002 hardware client.


Note: For all Windows clients and Auto Update clients, you must use the protocol "http://" or "https://" as the prefix for the URL. For the VPN3002 Hardware Client, you must specify protocol "tftp://" instead.


Alternatively, for Windows clients and VPN3002 Hardware Clients, you can configure client update just for individual tunnel-groups, rather than for all clients of a particular type. (See Step 3.)


Note: You can have the browser automatically start an application by including the application name at the end of the URL; for example: https://support/updates/vpnclient.exe.


Step 3 After you have enabled client update, you can define a set of client-update parameters for a particular ipsec-ra tunnel group. To do this, in tunnel-group ipsec-attributes mode, specify the tunnel-group name and its type, and the URL or IP address from which to get the updated image. In addition, you must specify a revision number. If the user's client revision number matches one of the specified revision numbers, there is no need to update the client; for example, to issue a client update for all Windows clients:

hostname(config)# tunnel-group remotegrp type ipsec-ra
hostname(config)# tunnel-group remotegrp ipsec-attributes
hostname(config-tunnel-ipsec)# client-update type windows url https://support/updates/ rev-nums 4.6.1
hostname(config-tunnel-ipsec)# 

See the Examples section for an illustration of configuring a tunnel group for a VPN 3002 hardware client. VPN 3002 clients update without user intervention, and users receive no notification message.

Step 4 Optionally, you can send a notice to active users with outdated Windows clients that their VPN client needs updating. For these users, a pop-up window appears, offering the opportunity to launch a browser and download the updated software from the site specified in the URL. The only part of this message that you can configure is the URL. (See Step 2 or 3.) Users who are not active get a notification message the next time they log on. You can send this notice to all active clients on all tunnel groups, or you can send it to clients on a particular tunnel group. For example, to notify all active clients on all tunnel groups, you would enter the following command in privileged EXEC mode:

hostname# client-update all
hostname# 

If the user's client revision number matches one of the specified revision numbers, there is no need to update the client, and users receive no notification message. VPN 3002 clients update without user intervention and users receive no notification message.



Note: If you specify the client-update type as windows (specifying all Windows-based platforms) and later want to enter a client-update type of win9x or winnt for the same entity, you must first remove the windows client type with the no form of the command, then use new client-update commands to specify the new client types.


Examples

The following example, entered in global configuration mode, enables client update for all active remote clients on all tunnel groups:

hostname(config)# client-update enable
hostname(config)# 

The following example applies only to Windows (win9x, winnt, or windows). Entered in global configuration mode, it configures client update parameters for all Windows-based clients. It designates the revision number, 4.7, and the URL for retrieving the update, which is https://support/updates.

hostname(config)# client-update type windows url https://support/updates/ rev-nums 4.7
hostname(config)# 

The following example applies only to VPN 3002 Hardware Clients. Entered in tunnel-group ipsec-attributes configuration mode, it configures client update parameters for the IPSec remote-access tunnel-group "salesgrp". It designates the revision number, 4.7, and uses the TFTP protocol for retrieving the updated software from the site with the IP address 192.168.1.1:

hostname(config)# tunnel-group salesgrp type ipsec-ra
hostname(config)# tunnel-group salesgrp ipsec-attributes
hostname(config-tunnel-ipsec)# client-update type vpn3002 url tftp://192.168.1.1 rev-nums 4.7
hostname(config-tunnel-ipsec)# 

The following example shows how to issue a client update for clients that are Cisco 5520 Adaptive Security Appliances configured as Auto Update clients:

hostname(config)# client-update type asa5520 component asdm url http://192.168.1.114/aus/asdm501.bin rev-nums 7.2(1)

The following example, entered in privileged EXEC mode, sends a client-update notification to all connected remote clients in the tunnel group named "remotegrp" that need to update their client software. Clients in other groups do not get an update notification:

hostname# client-update remotegrp
hostname# 
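
The constraints this section places on client-update configuration lines (URL prefix per client type, number of revision numbers, string lengths) lend themselves to an offline check of a saved configuration. The following Python linter is an added example, not Cisco code; it handles the configuration-mode forms only, compares client types case-insensitively, and expects rev-nums as one comma-separated token, all of which are assumptions. The cleartext-http finding is an added hardening check rather than a rule from this reference, and the 192.0.2.x lines in the demo are constructed.

```python
APPLIANCE_TYPES = {"asa5505", "asa5510", "asa5520", "asa5540",
                   "pix-515", "pix-515e", "pix-525", "pix-535"}
WINDOWS_TYPES = {"windows", "win9x", "winnt"}
KEYWORDS = {"type", "component", "device-id", "family", "url", "rev-nums"}
# Maximum string lengths given in the syntax description.
MAX_LEN = {"type": 15, "device-id": 63, "family": 7, "url": 255, "rev-nums": 127}


def parse(line):
    """Split a configuration-mode client-update line into keyword/value pairs."""
    tokens = line.split()
    if not tokens or tokens[0] != "client-update":
        raise ValueError(f"not a client-update line: {line!r}")
    if tokens[1:] == ["enable"]:
        return {"enable": "true"}
    if len(tokens) < 3 or len(tokens) % 2 == 0:
        raise ValueError(f"expected keyword/value pairs: {line!r}")
    fields = {}
    for key, value in zip(tokens[1::2], tokens[2::2]):
        if key not in KEYWORDS:
            raise ValueError(f"unknown keyword {key!r}")
        fields[key] = value
    return fields


def lint(line):
    """Return a list of finding codes; an empty list means nothing was flagged."""
    f = parse(line)
    if "enable" in f:
        return []
    findings = [f"too-long:{k}" for k, n in MAX_LEN.items() if len(f.get(k, "")) > n]
    if "url" not in f or "rev-nums" not in f:
        return findings + ["missing-url-or-rev-nums"]

    ctype = f.get("type", "").lower()
    auto_update = (ctype in APPLIANCE_TYPES
                   or any(k in f for k in ("component", "device-id", "family")))
    url = f["url"]
    scheme = url.split("://", 1)[0].lower() if "://" in url else ""

    # URL prefix rules from the Note in the usage guidelines.
    if ctype == "vpn3002":
        if scheme != "tftp":
            findings.append("scheme:vpn3002-needs-tftp")
    elif auto_update or ctype in WINDOWS_TYPES:
        if scheme not in ("http", "https"):
            findings.append("scheme:needs-http-or-https")
    # Added hardening check: the image is fetched without transport protection.
    if scheme == "http":
        findings.append("hardening:cleartext-http")

    # Revision-number counts from the rev-nums description.
    revs = f["rev-nums"].split(",")
    if auto_update and len(revs) > 1:
        findings.append("rev-nums:appliance-allows-one")
    elif ctype in WINDOWS_TYPES | {"vpn3002"} and len(revs) > 4:
        findings.append("rev-nums:max-4")
    return findings


def needs_update(client_rev, rev_nums):
    """A client already running a listed revision does not need to update."""
    return client_rev not in rev_nums.split(",")


SAMPLE_CONFIG = [
    "client-update enable",
    "client-update type windows url https://support/updates/ rev-nums 4.6.1",
    "client-update type asa5520 component asdm url "
    "http://192.168.1.114/aus/asdm501.bin rev-nums 7.2(1)",
    "client-update type vpn3002 url tftp:192.0.2.10 rev-nums 4.7",             # constructed
    "client-update type asa5510 component image url "
    "https://192.0.2.20/asa.bin rev-nums 7.2(1),8.0(2)",                        # constructed
]

if __name__ == "__main__":
    for cfg in SAMPLE_CONFIG:
        print(lint(cfg) or ["ok"], "<-", cfg)
```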

Related Commands

Command
Description

clear configure client-update

Clears the entire client-update configuration.

show running-config client-update

Shows the current client-update configuration.

tunnel-group ipsec-attributes

Configures the tunnel-group ipsec-attributes for this group.


clock set

To manually set the clock on the security appliance, use the clock set command in privileged EXEC mode.

clock set hh:mm:ss {month day | day month} year

Syntax Description

day

Sets the day of the month, from 1 to 31. You can enter the day and month as april 1 or as 1 april, for example, depending on your standard date format.

hh:mm:ss

Sets the hour, minutes, and seconds in 24-hour time. For example, set 20:54:00 for 8:54 pm.

month

Sets the month. Depending on your standard date format, you can enter the day and month as april 1 or as 1 april.

year

Sets the year using four digits, for example, 2004. The year range is 1993 to 2035.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

If you have not entered any clock configuration commands, the default time zone for the clock set command is UTC. If you change the time zone after you enter the clock set command using the clock timezone command, the time automatically adjusts to the new time zone. However, if you enter the clock set command after you establish the time zone with the clock timezone command, then enter the time appropriate for the new time zone and not for UTC. Similarly, if you enter the clock summer-time command after the clock set command, the time adjusts for daylight saving. If you enter the clock set command after the clock summer-time command, enter the correct time for daylight saving.

This command sets the time in the hardware chip, and does not save the time in the configuration file. This time endures reboots. Unlike the other clock commands, this command is a privileged EXEC command. To reset the clock, you need to set a new time with the clock set command.

Examples

The following example sets the time zone to MST, the daylight saving time to the default period in the U.S., and the current time for MDT to 1:15 p.m. on July 27, 2004:

hostname(config)# clock timezone MST -7
hostname(config)# clock summer-time MDT recurring
hostname(config)# exit
hostname# clock set 13:15:0 jul 27 2004
hostname# show clock
13:15:00.652 MDT Tue Jul 27 2004

The following example sets the clock to 8:15 on July 27, 2004 in the UTC time zone, and then sets the time zone to MST and the daylight saving time to the default period in the U.S. The end time (1:15 in MDT) is the same as the previous example.

hostname# clock set 20:15:0 jul 27 2004
hostname# configure terminal
hostname(config)# clock timezone MST -7
hostname(config)# clock summer-time MDT recurring
hostname# show clock
13:15:00.652 MDT Tue Jul 27 2004

Related Commands

Command
Description

clock summer-time

Sets the date range to show daylight saving time.