Security Commands: eap through hw-module slot subslot only

Table Of Contents

eap

enable

enable password

enable secret

encryption (IKE policy)

enrollment

enrollment credential

enrollment mode ra

enrollment retry count

enrollment retry period

enrollment selfsigned

enrollment terminal (ca-trustpoint)

enrollment url (ca-identity)

enrollment url (ca-trustpoint)

eou clientless

evaluate

firewall are-u-there

fqdn (crypto identity)

grant auto trustpoint

group (authentication)

group (IKE policy)

group-lock

hash (IKE policy)

hw-module slot subslot only


eap


Note This command is removed effective with Cisco IOS Release 12.4(6)T.


To specify Extensible Authentication Protocol- (EAP-) specific parameters, use the eap command in identity profile configuration mode. To disable the parameters that were set, use the no form of this command.

eap {username name | password password}

no eap {username name | password password}

Syntax Description

username name

Username that will be sent in response to Request-Id packets.

password password

Password that should be used when replying to a Message Digest 5 (MD5) challenge.


Defaults

EAP parameters are not set.

Command Modes

Identity profile configuration

Command History

Release
Modification

12.3(11)T

This command was introduced.

12.4(6)T

This command was removed.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.


Usage Guidelines

Use this command if your router is configured as a supplicant. This command provides the means for configuring the identity and the EAP MD5 password that will be used by 802.1X to authenticate.

Examples

The following example shows that the EAP username "user1" has been configured:

Router(config)# identity profile dot1x
Router(config-identity-prof)# eap username user1

Related Commands

Command
Description

identity profile

Creates an identity profile.


enable

To enter privileged EXEC mode, or any other security level set by a system administrator, use the enable command in user EXEC or privileged EXEC mode.

enable [privilege-level] [view [view-name]]

Syntax Description

privilege-level

(Optional) Privilege level at which to log in.

view

(Optional) Enters into root view, which enables users to configure CLI views.

Note This keyword is required if you want to configure a CLI view.

view-name

(Optional) Enters or exits a specified command-line interface (CLI) view. This keyword can be used to switch from one CLI view to another CLI view.


Defaults

Privilege-level 15 (privileged EXEC)

Command Modes

User EXEC

Privileged EXEC

Command History

Release
Modification

10.0

This command was introduced.

12.3(7)T

The view keyword and view-name argument were added.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2(33)SRB

The view keyword and view-name argument were integrated into Cisco IOS Release 12.2(33)SRB.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.


Usage Guidelines

Entering privileged EXEC mode enables the use of privileged commands. Because many of the privileged commands set operating parameters, privileged access should be password-protected to prevent unauthorized use. If the system administrator has set a password with the enable password global configuration command, you are prompted to enter the password before being allowed access to privileged EXEC mode. The password is case sensitive.

If an enable password has not been set, only enable mode can be accessed through the console connection.

Security levels can be set by an administrator using the enable password and privilege level commands. Up to 16 privilege levels can be specified, using the numbers 0 through 15. Using these privilege levels, the administrator can allow or deny access to specific commands. Privilege level 0 is associated with user EXEC mode, and privilege level 15 is associated with privileged EXEC mode.

For more information on defined privilege levels, see the Cisco IOS Security Configuration Guide and the Cisco IOS Security Command Reference publications.

If a level is not specified when entering the enable command, the user will enter the default mode of privileged EXEC (level 15).

Accessing a CLI View

CLI views restrict user access to specified CLI and configuration information. To configure and access CLI views, users must first enter into root view, which is accomplished via the enable view command (without the view-name argument). Thereafter, users are prompted for a password, which is the same password as the privilege level 15 password.

The view-name argument is used to switch from one view to another view.

To prevent dictionary attacks, a user is prompted for a password even if an incorrect view name is given. The user is denied access only after an incorrect view name and password are given.

Examples

In the following example, the user enters privileged EXEC mode using the enable command. The system prompts the user for a password before allowing access to the privileged EXEC mode. The password is not printed to the screen. The user then exits back to user EXEC mode using the disable command. Note that the prompt for user EXEC mode is the greater than symbol (>), and the prompt for privileged EXEC mode is the number sign (#).

Router> enable
Password: <password1>
Router# disable
Router>

The following example shows which commands are available inside the CLI view "first" after the user has logged into this view:

Router# enable view first

Password:

00:28:23:%PARSER-6-VIEW_SWITCH:successfully set to view 'first'.
Router# ?
Exec commands:
  configure  Enter configuration mode
  enable     Turn on privileged commands
  exit       Exit from the EXEC
  show       Show running system information

Router# show ?

  ip       IP information
  parser   Display parser information
  version  System hardware and software status

Router# show ip ? 

  access-lists            List IP access lists
  accounting              The active IP accounting database
  aliases                 IP alias table
  arp                     IP ARP table
  as-path-access-list     List AS path access lists
  bgp                     BGP information
  cache                   IP fast-switching route cache
  casa                    display casa information
  cef                     Cisco Express Forwarding
  community-list          List community-list
  dfp                     DFP information
  dhcp                    Show items in the DHCP database
  drp                     Director response protocol
  dvmrp                   DVMRP information
  eigrp                   IP-EIGRP show commands
  extcommunity-list       List extended-community list
  flow                    NetFlow switching
  helper-address          helper-address table
  http                    HTTP information
  igmp                    IGMP information
  irdp                    ICMP Router Discovery Protocol
.
.
.

The following example shows how to issue the enable view command to enter the root view, list the views present, and then switch from the root view to the CLI view "first":

Router# enable view
Router# 
01:08:16:%PARSER-6-VIEW_SWITCH:successfully set to view 'root'.
Router# 
! Enable the show parser view command from the root view
Router# show parser view

Current view is 'root'
! Enable the show parser view command from the root view to display all views
Router# show parser view all

Views Present in System:
View Name:   first 
View Name:   second 
! Switch to the CLI view "first."
Router# enable view first 
Router#
01:08:09:%PARSER-6-VIEW_SWITCH:successfully set to view 'first'.
! Enable the show parser view command from the CLI view "first."
Router# show parser view

Current view is 'first'

Related Commands

Command
Description

disable

Exits from privileged EXEC mode to user EXEC mode, or, if privilege levels are set, to the specified privilege level.

enable password

Sets a local password to control access to various privilege levels.

privilege level (global)

Sets a privilege level for a command.

privilege level (line)

Sets a privilege level for a command for a specific line.


enable password

To set a local password to control access to various privilege levels, use the enable password command in global configuration mode. To remove the password requirement, use the no form of this command.

enable password [level level] {password | [encryption-type] encrypted-password}

no enable password [level level]

Syntax Description

level level

(Optional) Level for which the password applies. You can specify up to 16 privilege levels, using numbers 0 through 15. Level 1 is normal EXEC-mode user privileges. If this argument is not specified in the command or the no form of the command, the privilege level defaults to 15 (traditional enable privileges).

password

Password users type to enter enable mode.

encryption-type

(Optional) Cisco-proprietary algorithm used to encrypt the password. Currently the only encryption type available is 5. If you specify encryption-type, the next argument you supply must be an encrypted password (a password already encrypted by a Cisco router).

encrypted-password

Encrypted password you enter, copied from another router configuration.


Defaults

No password is defined. The default is level 15.

Command Modes

Global configuration

Command History

Release
Modification

10.0

This command was introduced.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.


Usage Guidelines


Caution If neither the enable password command nor the enable secret command is configured, and if there is a line password configured for the console, the console line password will serve as the enable password for all VTY (Telnet and Secure Shell [SSH]) sessions.

Use this command with the level option to define a password for a specific privilege level. After you specify the level and the password, give the password to the users who need to access this level. Use the privilege level configuration command to specify commands accessible at various levels.

You will not ordinarily enter an encryption type. Typically you enter an encryption type only if you copy and paste into this command a password that has already been encrypted by a Cisco router.


Caution If you specify an encryption type and then enter a clear text password, you will not be able to reenter enable mode. You cannot recover a lost password that has been encrypted by any method.

If the service password-encryption command is set, the encrypted form of the password you create with the enable password command is displayed when a more nvram:startup-config command is entered.

You can enable or disable password encryption with the service password-encryption command.

An enable password is defined as follows:

Must contain from 1 to 25 uppercase and lowercase alphanumeric characters.

Must not have a number as the first character.

Can have leading spaces, but they are ignored. However, intermediate and trailing spaces are recognized.

Can contain the question mark (?) character if you precede the question mark with the key combination Ctrl-v when you create the password; for example, to create the password abc?123, do the following:

Enter abc.

Type Ctrl-v.

Enter ?123.

When the system prompts you to enter the enable password, you need not precede the question mark with the Ctrl-v; you can simply enter abc?123 at the password prompt.

Examples

The following example enables the password "password1" for privilege level 2:

enable password level 2 password1

The following example sets the encrypted password "$1$i5Rkls3LoyxzS8t9", which has been copied from a router configuration file, for privilege level 2 using encryption type 5:

enable password level 2 5 $1$i5Rkls3LoyxzS8t9

Related Commands

Command
Description

disable

Exits privileged EXEC mode and returns to user EXEC mode.

enable

Enters privileged EXEC mode.

enable secret

Specifies an additional layer of security over the enable password command.

privilege

Configures a new privilege level for users and associates commands with that privilege level.

service password-encryption

Encrypts passwords.

show privilege

Displays your current level of privilege.


enable secret

To specify an additional layer of security over the enable password command, use the enable secret command in global configuration mode. To turn off the enable secret function, use the no form of this command.

enable secret [level level] {password | [encryption-type] encrypted-password}

no enable secret [level level]

Syntax Description

level level

(Optional) Level for which the password applies. You can specify up to 16 privilege levels, using numbers 0 through 15. Level 1 is normal EXEC-mode user privileges. If this argument is not specified in the command or in the no form of the command, the privilege level defaults to 15 (traditional enable privileges).

password

Password for users to enter enable mode. This password should be different from the password created with the enable password command.

encryption-type

(Optional) Cisco-proprietary algorithm used to encrypt the password. Currently the only encryption type available for this command is 5. If you specify encryption-type, the next argument you supply must be an encrypted password (a password encrypted by a Cisco router).

encrypted-password

Encrypted password you enter, copied from another router configuration.


Defaults

No password is defined. The default level is 15.

Command Modes

Global configuration

Command History

Release
Modification

11.0

This command was introduced.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.


Usage Guidelines


Caution If neither the enable password command nor the enable secret command is configured, and if there is a line password configured for the console, the console line password will serve as the enable password for all VTY (Telnet and Secure Shell [SSH]) sessions.

Use this command to provide an additional layer of security over the enable password. The enable secret command provides better security by storing the enable secret password using a non-reversible cryptographic function. The added layer of security that this provides is useful in environments where the password crosses the network or is stored on a TFTP server.

You will not ordinarily enter an encryption type. Typically you enter an encryption type only if you paste into this command an encrypted password that you copied from a router configuration file.


Caution If you specify an encryption type and then enter a clear text password, you will not be able to reenter enable mode. You cannot recover a lost password that has been encrypted by any method.

If you use the same password for the enable password and enable secret commands, you receive an error message warning that this practice is not recommended, but the password will be accepted. By using the same password, however, you undermine the additional security the enable secret command provides.


Note After you set a password using the enable secret command, a password set using the enable password command works only if the enable secret is disabled or an older version of Cisco IOS software is being used, such as when running an older rxboot image. Additionally, you cannot recover a lost password that has been encrypted by any method.


If service password-encryption is set, the encrypted form of the password you create here is displayed when a more nvram:startup-config command is entered.

You can enable or disable password encryption with the service password-encryption command.

An enable password is defined as follows:

Must contain from 1 to 25 uppercase and lowercase alphanumeric characters.

Must not have a number as the first character.

Can have leading spaces, but they are ignored. However, intermediate and trailing spaces are recognized.

Can contain the question mark (?) character if you precede the question mark with the key combination Ctrl-v when you create the password; for example, to create the password abc?123, do the following:

Enter abc.

Type Ctrl-v.

Enter ?123.

When the system prompts you to enter the enable password, you need not precede the question mark with the Ctrl-v; you can simply enter abc?123 at the password prompt.
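As an added example that is not part of the Cisco documentation, the following Python script audits the enable password and enable secret lines of a constructed running-config excerpt against the guidelines and cautions above: clear-text or type 7 enable passwords, an enable password that is ignored because an enable secret is set for the same level, a missing enable secret, the console line password fallback for VTY sessions, and the password rules just listed. The config text, the password values, and the function names (`audit_enable`, `password_rule_violations`) are assumptions made for illustration.

```python
import re

# Constructed running-config excerpt (not from the original page); the type 7
# hex string and the type 5 hash are illustrative values, not real secrets.
SAMPLE_CONFIG = """\
!
enable password level 2 2secret
enable password 7 01ABCDEF2345
enable secret 5 $1$FaD0$Xyti5Rkls3LoyxzS8
!
line con 0
 password console1
 login
line vty 0 4
 login
"""

# Constructed excerpt with neither enable password nor enable secret configured.
CONSOLE_ONLY_CONFIG = """\
line con 0
 password console1
 login
"""

# enable {password|secret} [level N] [0|5|7] <value>
# Type 5 is the non-reversible hash used by enable secret, type 7 is the
# reversible service password-encryption form, absent or 0 is clear text.
ENABLE_RE = re.compile(
    r"^enable (password|secret)(?: level (\d+))?(?: ([057]))? (\S.*)$"
)


def parse_enable_lines(config):
    """Return one dict per enable password / enable secret line."""
    entries = []
    for raw in config.splitlines():
        m = ENABLE_RE.match(raw.strip())
        if m:
            kind, level, enc, value = m.groups()
            entries.append({
                "kind": kind,
                "level": int(level) if level else 15,  # page: level defaults to 15
                "type": int(enc) if enc else 0,
                "value": value,
            })
    return entries


def console_line_password(config):
    """Return the password configured under 'line con 0', or None."""
    in_console = False
    for raw in config.splitlines():
        if raw.startswith("line con"):
            in_console = True
        elif not raw.startswith(" "):
            in_console = False  # any other top-level line ends the block
        elif in_console:
            m = re.match(r"\s+password(?: [07])? (\S+)", raw)
            if m:
                return m.group(1)
    return None


def password_rule_violations(password):
    """Check a clear-text enable password against the rules listed above."""
    password = password.lstrip(" ")  # leading spaces are ignored by IOS
    problems = []
    if not 1 <= len(password) <= 25:
        problems.append("must be 1 to 25 characters long")
    if password[:1].isdigit():
        problems.append("must not start with a digit")
    return problems


def audit_enable(config):
    """Return a list of findings about enable password / enable secret usage."""
    findings = []
    entries = parse_enable_lines(config)
    secret_levels = {e["level"] for e in entries if e["kind"] == "secret"}
    for e in entries:
        if e["kind"] != "password":
            continue
        lvl = e["level"]
        if e["type"] == 0:
            findings.append(f"level {lvl}: enable password stored in clear text")
            for problem in password_rule_violations(e["value"]):
                findings.append(f"level {lvl}: enable password {problem}")
        elif e["type"] == 7:
            findings.append(f"level {lvl}: enable password uses reversible type 7")
        if lvl in secret_levels:
            # Note above: once enable secret is set, enable password for that level is ignored.
            findings.append(f"level {lvl}: enable password is ignored while enable secret is set")
    if 15 not in secret_levels:
        findings.append("level 15: no enable secret configured")
    if not entries and console_line_password(config):
        # Caution above: the console line password becomes the enable password for VTY sessions.
        findings.append("console line password will act as the enable password for VTY sessions")
    return findings


if __name__ == "__main__":
    for finding in audit_enable(SAMPLE_CONFIG) + audit_enable(CONSOLE_ONLY_CONFIG):
        print(finding)
```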

Examples

The following example specifies the enable secret password of "password1":

enable secret password1

After specifying an enable secret password, users must enter this password to gain access. Any passwords set through enable password will no longer work.

Password: password1

The following example enables the encrypted password "$1$FaD0$Xyti5Rkls3LoyxzS8", which has been copied from a router configuration file, for privilege level 2 using encryption type 5:

enable secret level 2 5 $1$FaD0$Xyti5Rkls3LoyxzS8

Related Commands

Command
Description

enable

Enters privileged EXEC mode.

enable password

Sets a local password to control access to various privilege levels.


encryption (IKE policy)

To specify the encryption algorithm within an Internet Key Exchange (IKE) policy, use the encryption command in Internet Security Association Key Management Protocol (ISAKMP) policy configuration mode. IKE policies define a set of parameters to be used during IKE negotiation. To reset the encryption algorithm to the default value, use the no form of this command.

encryption {des | 3des | aes | aes 192 | aes 256}

no encryption

Syntax Description

des

56-bit Data Encryption Standard (DES)-CBC as the encryption algorithm.

3des

168-bit DES (3DES) as the encryption algorithm.

aes

128-bit Advanced Encryption Standard (AES) as the encryption algorithm.

aes 192

192-bit AES as the encryption algorithm.

aes 256

256-bit AES as the encryption algorithm.


Defaults

The 56-bit DES-CBC encryption algorithm

Command Modes

ISAKMP policy configuration

Command History

Release
Modification

11.3T

This command was introduced.

12.0(2)T

The 3des option was added.

12.2(13)T

The following keywords were added: aes, aes 192, and aes 256.

12.4(4)T

IPv6 support was added.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.


Usage Guidelines

Use this command to specify the encryption algorithm to be used in an IKE policy.

If a user enters an IKE encryption method that the hardware does not support, a warning message will be displayed immediately after the encryption command is entered.
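As an added example that is not part of the Cisco documentation, the Python script below parses a constructed set of crypto isakmp policy blocks, resolves the effective encryption algorithm of each one by applying the default stated above (56-bit DES-CBC when no encryption subcommand is present), and reports policies that rely on DES or 3DES. Which algorithms count as legacy, the policy numbers, and the function names are assumptions made for this example.

```python
import re

# Constructed ISAKMP policy configuration (not from the original page). Policy 10
# omits the encryption subcommand, so it silently gets the page's default.
SAMPLE_ISAKMP = """\
crypto isakmp policy 10
 authentication pre-share
 group 2
!
crypto isakmp policy 20
 encryption aes 256
 authentication pre-share
!
crypto isakmp policy 30
 encryption 3des
"""

# Keywords accepted by encryption (IKE policy) and the key size the page gives for each.
ENCRYPTION_KEYWORDS = {"des": 56, "3des": 168, "aes": 128, "aes 192": 192, "aes 256": 256}
DEFAULT_ENCRYPTION = "des"            # page: the default is 56-bit DES-CBC
LEGACY_ALGORITHMS = {"des", "3des"}   # assumption: what this audit treats as legacy


def parse_isakmp_policies(config):
    """Return {policy_number: {subcommand: argument}} for each policy block."""
    policies, current = {}, None
    for raw in config.splitlines():
        m = re.match(r"crypto isakmp policy (\d+)$", raw)
        if m:
            current = int(m.group(1))
            policies[current] = {}
        elif current is not None and raw.startswith(" "):
            parts = raw.strip().split(None, 1)
            policies[current][parts[0]] = parts[1] if len(parts) > 1 else ""
        else:
            current = None  # '!' or any other top-level line ends the block
    return policies


def effective_encryption(policy):
    """Resolve (keyword, key bits), applying the default when encryption is omitted."""
    keyword = policy.get("encryption", DEFAULT_ENCRYPTION)
    if keyword not in ENCRYPTION_KEYWORDS:
        raise ValueError(f"unknown encryption keyword: {keyword!r}")
    return keyword, ENCRYPTION_KEYWORDS[keyword]


def audit_isakmp(config):
    """List policies whose effective encryption algorithm is legacy."""
    findings = []
    for number, policy in sorted(parse_isakmp_policies(config).items()):
        keyword, bits = effective_encryption(policy)
        if keyword in LEGACY_ALGORITHMS:
            source = "explicitly configured" if "encryption" in policy else "implicit default"
            findings.append(f"policy {number}: {bits}-bit {keyword} ({source}) is a legacy algorithm")
    return findings


if __name__ == "__main__":
    for finding in audit_isakmp(SAMPLE_ISAKMP):
        print(finding)
```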

Examples

The following example configures an IKE policy with the 3DES encryption algorithm (all other parameters are set to the defaults):

crypto isakmp policy
 encryption 3des
 exit

The following example is a sample warning message that is displayed when a user enters an IKE encryption method that the hardware does not support:

encryption aes 256
WARNING:encryption hardware does not support the configured
encryption method for ISAKMP policy 1

Related Commands

Command
Description

authentication (IKE policy)

Specifies the authentication method within an IKE policy.

crypto isakmp policy

Defines an IKE policy.

group (IKE policy)

Specifies the DH group identifier within an IKE policy.

hash (IKE policy)

Specifies the hash algorithm within an IKE policy.

lifetime (IKE policy)

Specifies the lifetime of an IKE SA.

show crypto isakmp policy

Displays the parameters for each IKE policy.


enrollment

To specify the enrollment parameters of your certification authority (CA), use the enrollment command in ca-trustpoint configuration mode. To remove any of the configured parameters, use the no form of this command.

enrollment [mode] [retry minutes] [retry number] url url

no enrollment [mode] [retry minutes] [retry number] url url

Syntax Description

mode

(Optional) Specifies registration authority (RA) mode if your CA system provides an RA.

retry minutes

(Optional) Specifies the wait period between certificate request retries. The default is 1 minute between retries.

retry number

(Optional) Specifies the number of times a router will resend a certificate request when it does not receive a response from the previous request. (Specify from 1 to 100 retries.)

url url

Specifies the URL of the CA where your router should send certificate requests.

If you are using Simple Certificate Enrollment Protocol (SCEP) for enrollment, url must be in the form http://CA_name, where CA_name is the CA's host Domain Name System (DNS) name or IP address.

If you are using TFTP for enrollment, url must be in the form tftp://certserver/file_specification. (The file_specification is optional. See the "Usage Guidelines" for additional information.)


Defaults

RA mode is turned off until you enable the mode keyword.
The router will send the CA another certificate request every 1 minute unless otherwise specified.
There is no limit to the number of retries unless you specify a number via retry number.
Your router does not know the CA URL until you specify it via url url.

Command Modes

Ca-trustpoint configuration

Command History

Release
Modification

12.2(8)T

This command was introduced.

12.2(13)T

The url url option was enhanced to support TFTP enrollment.

12.2(18)SXD

This command was integrated into Cisco IOS Release 12.2(18)SXD.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.


Usage Guidelines

Use the mode keyword to specify the mode supported by the CA. This keyword is required if your CA system provides an RA.

Use the retry minutes option to change the retry period from the default of 1 minute between retries. After requesting a certificate, the router waits to receive a certificate from the CA. If the router does not receive a certificate within a period of time (the retry period), the router will send another certificate request. The router will continue to send requests until it receives a valid certificate, until the CA returns an enrollment error, or until the configured number of retries is exceeded. By default, the router will keep sending requests forever, unless you change this parameter to a finite number using the retry number option.

Use the url url option to specify or change the URL of the CA. You can specify enrollment via SCEP (an HTTP URL) or TFTP (a TFTP URL).

TFTP enrollment is used to send the enrollment request and retrieve the certificate of the CA and the certificate of the router. If the file_specification is included in the URL, the router will append an extension onto the file specification. When the crypto ca authenticate command is entered, the router will retrieve the certificate of the CA from the specified TFTP server. As appropriate, the router will append the extension ".ca" to the filename or the fully qualified domain name (FQDN). (If the url url option does not include a file specification, the router's FQDN will be used.)
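As an added example that is not part of the Cisco documentation, the Python functions below encode the URL rules described above: an enrollment URL is classified as SCEP (http://CA_name) or TFTP (tftp://certserver/file_specification), any other scheme is rejected, and for TFTP the name of the CA certificate file the router would request is derived by appending ".ca" to the file specification, or to the router's FQDN when the URL carries none. The hostnames, the FQDN router1.example.com, and the function names are assumptions.

```python
from urllib.parse import urlparse


def resolve_enrollment_url(url, router_fqdn):
    """Classify an enrollment URL as the guidelines above describe.

    http://CA_name          -> SCEP; certificate requests go to the CA host
    tftp://certserver/file  -> TFTP; the CA certificate is read from 'file.ca'
    tftp://certserver       -> TFTP; the CA certificate is read from '<router FQDN>.ca'
    """
    parsed = urlparse(url)
    if parsed.scheme == "http":
        if not parsed.hostname:
            raise ValueError("SCEP enrollment URL must be of the form http://CA_name")
        return {"method": "SCEP", "server": parsed.netloc, "ca_cert_file": None}
    if parsed.scheme == "tftp":
        if not parsed.hostname:
            raise ValueError("TFTP enrollment URL must be of the form tftp://certserver/file_specification")
        file_spec = parsed.path.lstrip("/")
        # Page: ".ca" is appended to the file specification, or to the router's
        # FQDN when the URL carries no file specification.
        base = file_spec if file_spec else router_fqdn
        return {"method": "TFTP", "server": parsed.hostname, "ca_cert_file": base + ".ca"}
    raise ValueError(f"unsupported enrollment URL scheme: {parsed.scheme!r}")


def parse_enrollment_line(line, router_fqdn):
    """Interpret one 'enrollment [mode] ... url <url>' trustpoint subcommand."""
    tokens = line.split()
    # 'url' must be present and must not be the last token.
    if tokens[:1] != ["enrollment"] or "url" not in tokens[1:-1]:
        raise ValueError("expected: enrollment [mode] [retry ...] url <url>")
    info = resolve_enrollment_url(tokens[tokens.index("url") + 1], router_fqdn)
    info["ra_mode"] = "mode" in tokens[1:]
    return info


if __name__ == "__main__":
    # Constructed trustpoint lines; hostnames and the FQDN are illustrative.
    for line in (" enrollment url http://example:80",
                 " enrollment mode url tftp://certserver/router1",
                 " enrollment url tftp://certserver"):
        print(line.strip(), "->", parse_enrollment_line(line, "router1.example.com"))
```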


Note The crypto ca trustpoint command deprecates the crypto ca identity and crypto ca trusted-root commands and all related subcommands (all ca-identity and trusted-root configuration mode commands). If you enter a ca-identity or trusted-root subcommand, the configuration mode and command will be written back as ca-trustpoint.


Examples

The following example shows how to declare a CA named "ka" and specify the URL of the CA as "http://example:80":

crypto ca trustpoint ka
 enrollment url http://example:80

Related Commands

Command
Description

crypto ca authenticate

Authenticates the CA (by getting the CA's certificate).

crypto ca trustpoint

Declares the CA that your router should use.


enrollment credential

To specify an existing trustpoint from another vendor that is to be enrolled with the Cisco IOS certificate server, use the enrollment credential command in ca-profile-enroll configuration mode.

enrollment credential label

Syntax Description

label

Name of the certification authority (CA) trustpoint of another vendor.


Defaults

No default behavior or values.

Command Modes

Ca-profile-enroll configuration

Command History

Release
Modification

12.3(11)T

This command was introduced.

12.2(18)SXE

This command was integrated into Cisco IOS Release 12.2(18)SXE.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.


Usage Guidelines

To configure a router that is already enrolled with a CA of another vendor that is to be enrolled with a Cisco IOS certificate server, you must configure a certificate enrollment profile (via the crypto pki profile enrollment command). Thereafter, you should issue the enrollment credential command, which specifies the trustpoint of another vendor that has to be enrolled with a Cisco IOS certificate server.

Examples

The following example shows how to configure a client router and a Cisco IOS certificate server to exchange enrollment requests via a certificate enrollment profile:

! Define the trustpoint "msca-root" that points to the non-Cisco IOS CA and enroll and
! authenticate the client with the non-Cisco IOS CA.
crypto pki trustpoint msca-root
 enrollment mode ra
 enrollment url http://msca-root:80/certsrv/mscep/mscep.dll
 ip-address FastEthernet2/0
 revocation-check crl
!
! Configure trustpoint "cs" for Cisco IOS CA.
crypto pki trustpoint cs
 enrollment profile cs1
 revocation-check crl
!
! Define enrollment profile "cs1," which points to Cisco IOS CA and mention (via the
! enrollment credential command) that "msca-root" is being initially enrolled with the
! Cisco IOS CA.
crypto pki profile enrollment cs1
 enrollment url http://cs:80
 enrollment credential msca-root
!
! Configure the certificate server, and issue the grant auto trustpoint command to
! instruct the certificate server to accept enrollment requests only from clients who are
! already enrolled with trustpoint "msca-root."
crypto pki server cs
 database level minimum
 database url nvram:
 issuer-name CN=cs
 grant auto trustpoint msca-root
!
crypto pki trustpoint cs
 revocation-check crl
 rsakeypair cs
!
crypto pki trustpoint msca-root
 enrollment mode ra
 enrollment url http://msca-root:80/certsrv/mscep/mscep.dll
 revocation-check crl

Related Commands

Command
Description

crypto pki profile enrollment

Defines an enrollment profile.


enrollment mode ra

The enrollment mode ra command is replaced by the enrollment command. See the enrollment command for more information.

enrollment retry count

The enrollment retry count command is replaced by the enrollment command. See the enrollment command for more information.

enrollment retry period

The enrollment retry period command is replaced by the enrollment command. See the enrollment command for more information.

enrollment selfsigned

To specify self-signed enrollment for a trustpoint, use the enrollment selfsigned command in ca-trustpoint configuration mode. To delete self-signed enrollment from a trustpoint, use the no form of this command.

enrollment selfsigned

no enrollment selfsigned

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default behavior or values.

Command Modes

ca-trustpoint configuration (ca-trustpoint)

Command History

Release
Modification

12.3(14)T

This command was introduced.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2(33)SXH

This command was integrated into Cisco IOS Release 12.2(33)SXH.


Usage Guidelines

Before you can use the enrollment selfsigned command, you must enable the crypto pki trustpoint command, which defines the trustpoint and enters ca-trustpoint configuration mode.

If you do not use this command, you should specify another enrollment method for the router by using an enrollment command such as enrollment url or enrollment terminal.

Examples

The following example shows a self-signed certificate being designated for a trustpoint named local:

crypto pki trustpoint local
 enrollment selfsigned

Related Commands

Command
Description

crypto pki trustpoint

Declares the CA that your router should use.


enrollment terminal (ca-trustpoint)

To specify manual cut-and-paste certificate enrollment, use the enrollment terminal command in ca-trustpoint configuration mode. To delete a current enrollment request, use the no form of this command.

enrollment terminal [pem]

no enrollment terminal [pem]

Syntax Description

pem

(Optional) Adds privacy-enhanced mail (PEM) boundaries to the certificate request.


Defaults

No default behavior or values

Command Modes

Ca-trustpoint configuration

Command History

Release
Modification

12.2(13)T

This command was introduced.

12.3(4)T

The pem keyword was added.

12.2(18)SXD

This command was integrated into Cisco IOS Release 12.2(18)SXD.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.


Usage Guidelines

A user may want to manually cut-and-paste certificate requests and certificates when there is no network connection between the router and the certification authority (CA). When this command is enabled, the router displays the certificate request on the console terminal, allowing the user to enter the issued certificate on the terminal.

The pem Keyword

Use the pem keyword to issue certificate requests (via the crypto ca enroll command) or receive issued certificates (via the crypto ca import certificate command) in PEM-formatted files through the console terminal. If the CA server does not support simple certificate enrollment protocol (SCEP), the certificate request can be presented to the CA server manually.


Note When generating certificate requests in PEM format, your router does not have to have the CA certificate, which is obtained via the crypto ca authenticate command.


Examples

The following example shows how to manually specify certificate enrollment via cut-and-paste. In this example, the CA trustpoint is "MS."

crypto ca trustpoint MS
 enrollment terminal
!
crypto ca authenticate MS
crypto ca enroll MS
crypto ca import MS certificate

Related Commands

Command
Description

crypto ca authenticate

Authenticates the CA (by getting the certificate of the CA).

crypto ca enroll

Obtains the certificate(s) of your router from the certification authority.

crypto ca import

Imports a certificate manually via TFTP or cut-and-paste at the terminal.

crypto ca trustpoint

Declares the CA that your router should use.


enrollment url (ca-identity)

The enrollment url (ca-identity) command is replaced by the enrollment url (ca-trustpoint) command. See the enrollment url (ca-trustpoint) command for more information.

enrollment url (ca-trustpoint)

To specify the enrollment parameters of a certification authority (CA), use the enrollment command in ca-trustpoint configuration mode. To remove any of the configured parameters, use the no form of this command.

enrollment [mode] [retry period minutes] [retry count number] url url [pem]

no enrollment [mode] [retry period minutes] [retry count number] url url [pem]

Syntax Description

mode

(Optional) Registration authority (RA) mode, if your CA system provides an RA. By default, RA mode is disabled.

retry period minutes

(Optional) Specifies the period in which the router will wait before sending the CA another certificate request. The default is 1 minute between retries. (Specify from 1 to 60 minutes.)

retry count number

(Optional) Specifies the number of times a router will resend a certificate request when it does not receive a response from the previous request. The default is 10 retries. (Specify from 1 to 100 retries.)

url url

URL of the file system where your router should send certificate requests. For enrollment method options, see Table 19.

pem

(Optional) Adds privacy-enhanced mail (PEM) boundaries to the certificate request.


Defaults

Your router does not know the CA URL until you specify it using url url.

Command Modes

Ca-trustpoint configuration

Command History

Release
Modification

11.3T

This command was introduced as the enrollment url (ca-identity) command.

12.2(8)T

This command replaced the enrollment url (ca-identity) command. The mode, retry period minutes, and retry count number keywords and arguments were added.

12.2(13)T

The url url option was enhanced to support TFTP enrollment.

12.3(4)T

The pem keyword was added, and the url url option was enhanced to support an additional enrollment method—the Cisco IOS File System (IFS).

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.


Usage Guidelines

Use the mode keyword to specify the mode supported by the CA. This keyword is required if your CA system provides an RA.

Use the retry period minutes option to change the retry period from the default of 1 minute between retries. After requesting a certificate, the router waits to receive a certificate from the CA. If the router does not receive a certificate within the retry period, it sends another certificate request. The router keeps resending (by default up to 10 times) until it receives a valid certificate, the CA returns an enrollment error, or the configured number of retries (specified via the retry count number option) is exceeded.

Use the pem keyword to issue certificate requests (using the crypto pki enroll command) or receive issued certificates (using the crypto pki import certificate command) in PEM-formatted files.


Note When generating certificate requests in PEM format, your router does not have to have the CA certificate, which is obtained using the crypto ca authenticate command.


Use the url url option to specify or change the URL of the CA. Table 19 lists the available enrollment methods.

Table 19 Certificate Enrollment Methods 

Enrollment Method
Description

bootflash

Enroll via bootflash: file system

cns

Enroll via Cisco Networking Services (CNS): file system

flash

Enroll via flash: file system

ftp

Enroll via FTP: file system

SCEP (see footnote 1)

Enroll via Simple Certificate Enrollment Protocol (SCEP) (an HTTP URL)

null

Enroll via null: file system

nvram

Enroll via NVRAM: file system

rcp

Enroll via remote copy protocol (rcp): file system

scp

Enroll via secure copy protocol (scp): file system

system

Enroll via system: file system

TFTP (see footnote 2)

Enroll via TFTP: file system

1. If you are using SCEP for enrollment, the URL must be in the form http://CA_name, where CA_name is the host Domain Name System (DNS) name or IP address of the CA.

2. If you are using TFTP for enrollment, the URL must be in the form tftp://certserver/file_specification. (The file_specification is optional. See the section "TFTP Certificate Enrollment" for additional information.)


TFTP Certificate Enrollment

TFTP enrollment is used to send the enrollment request and retrieve the certificate of the CA and the certificate of the router. If the file_specification is included in the URL, the router will append an extension onto the file specification. When the crypto pki authenticate command is entered, the router will retrieve the certificate of the CA from the specified TFTP server. As appropriate, the router will append the extension ".ca" to the filename or the fully qualified domain name (FQDN). (If the url url option does not include a file specification, the FQDN of the router will be used.)


Note The crypto pki trustpoint command replaces the crypto ca identity and crypto ca trusted-root commands and all related subcommands (all ca-identity and trusted-root configuration mode commands). If you enter a ca-identity or trusted-root subcommand, the configuration mode and command will be written back as pki-trustpoint.


Examples

The following example shows how to declare a CA named "ka" and specify the URL of the CA as "http://address:80":

crypto pki trustpoint ka
 enrollment url http://address:80

Related Commands

Command
Description

crypto pki authenticate

Authenticates the CA (by getting the certificate of the CA).

crypto pki enroll

Obtains the certificate or certificates of your router from the CA.

crypto pki trustpoint

Declares the CA that your router should use.


eou clientless

To set user group credentials for clientless hosts, use the eou clientless command in global configuration mode. To remove the user group credentials, use the no form of this command.

eou clientless {password password | username username}

no eou clientless {password | username}

Syntax Description

password password

Sets a password.

username username

Sets a username.


Defaults

Both the username and the password default to the value clientless.

Command Modes

Global configuration

Command History

Release
Modification

12.3(8)T

This command was introduced.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.


Usage Guidelines

For this command to be effective, the eou allow command must also be enabled.

Examples

The following example shows that a clientless host with the username "user1" has been configured:

Router(config)# eou clientless username user1

The following example shows that a clientless host with the password "password1" has been configured:

Router(config)# eou clientless password password1

Related Commands

Command
Description

eou allow

Allows additional EAPoUDP options.


evaluate

To nest a reflexive access list within an access list, use the evaluate command in access-list configuration mode. To remove a nested reflexive access list from the access list, use the no form of this command.

evaluate name

no evaluate name

Syntax Description

name

The name of the reflexive access list that you want evaluated for IP traffic entering your internal network. This is the name defined in the permit (reflexive) command.


Defaults

Reflexive access lists are not evaluated.

Command Modes

Access-list configuration

Command History

Release
Modification

11.3

This command was introduced.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.


Usage Guidelines

This command is used to achieve reflexive filtering, a form of session filtering.

Before this command will work, you must define the reflexive access list using the permit (reflexive) command.

This command nests a reflexive access list within an extended named IP access list.

If you are configuring reflexive access lists for an external interface, the extended named IP access list should be one which is applied to inbound traffic. If you are configuring reflexive access lists for an internal interface, the extended named IP access list should be one which is applied to outbound traffic. (In other words, use the access list opposite of the one used to define the reflexive access list.)

This command allows IP traffic entering your internal network to be evaluated against the reflexive access list. Use this command as an entry (condition statement) in the IP access list; the entry "points" to the reflexive access list to be evaluated.

As with all access list entries, the order of entries is important. Normally, when a packet is evaluated against entries in an access list, the entries are evaluated in sequential order, and when a match occurs, no more entries are evaluated. With a reflexive access list nested in an extended access list, the extended access list entries are evaluated sequentially up to the nested entry, then the reflexive access list entries are evaluated sequentially, and then the remaining entries in the extended access list are evaluated sequentially. As usual, after a packet matches any of these entries, no more entries will be evaluated.

Examples

The following example shows reflexive filtering at an external interface. This example defines an extended named IP access list inboundfilters, and applies it to inbound traffic at the interface. The access list definition permits all Border Gateway Protocol and Enhanced Interior Gateway Routing Protocol traffic, denies all Internet Control Message Protocol traffic, and causes all Transmission Control Protocol traffic to be evaluated against the reflexive access list tcptraffic.

If the reflexive access list tcptraffic has an entry that matches an inbound packet, the packet will be permitted into the network. tcptraffic only has entries that permit inbound traffic for existing TCP sessions.

interface Serial 1
 description Access to the Internet via this interface
 ip access-group inboundfilters in
!
ip access-list extended inboundfilters
 remark BGP runs over TCP port 179; permit it in either direction of session setup
 permit tcp any any eq bgp
 permit tcp any eq bgp any
 permit eigrp any any
 deny icmp any any
 evaluate tcptraffic
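
The evaluation order described above (extended entries up to the nested entry, then the reflexive list's temporary entries, then the remaining entries, first match wins, implicit deny at the end) can be simulated in a few lines. This is an added example, not Cisco code; the packets, the temporary entries and the 300-second timeout are constructed here, and the static entries mirror the inboundfilters list of the example.

```python
"""Simulator for the evaluation order of an extended IP access list with a nested
reflexive access list (added example, not Cisco code). Packets and entries are
constructed here; nothing talks to a real router."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp", "udp", "icmp", "eigrp", ...
    src: str
    sport: int
    dst: str
    dport: int


class ReflexiveList:
    """Temporary entries that 'permit <proto> ... reflect <name>' creates on the
    outbound access list; each entry is the mirror image of the outbound flow."""

    def __init__(self, name, timeout=300):
        self.name = name
        self.timeout = timeout      # ip reflexive-list timeout in seconds (assumed value)
        self.entries = {}           # 5-tuple of the expected inbound packet -> expiry time

    def record_outbound(self, pkt, now):
        # The reply must travel from the outbound destination back to the outbound source.
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        self.entries[key] = now + self.timeout

    def matches(self, pkt, now):
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        expiry = self.entries.get(key)
        if expiry is None:
            return False
        if now >= expiry:                       # aged out: remove and treat as no match
            del self.entries[key]
            return False
        self.entries[key] = now + self.timeout  # session traffic refreshes the timer
        return True


def static_entry_matches(entry, pkt):
    """Match a permit/deny entry on protocol and optional destination port."""
    if entry["proto"] not in ("ip", pkt.proto):
        return False
    return entry.get("dport") in (None, pkt.dport)


def evaluate_acl(acl, reflexive_lists, pkt, now):
    """Walk the extended ACL top to bottom. An 'evaluate' entry runs the nested
    reflexive list's entries at that point; the first match anywhere wins.
    Falling off the end is the implicit deny."""
    for entry in acl:
        if entry["action"] == "evaluate":
            if reflexive_lists[entry["name"]].matches(pkt, now):
                return "permit"             # reflexive entries are always permits
            continue                        # no temporary entry matched: keep walking
        if static_entry_matches(entry, pkt):
            return entry["action"]
    return "deny"                           # implicit deny at the end of every ACL


# Static entries mirroring the page's inboundfilters list (constructed).
INBOUNDFILTERS = [
    {"action": "permit", "proto": "tcp", "dport": 179},   # BGP (TCP port 179)
    {"action": "permit", "proto": "eigrp"},
    {"action": "deny", "proto": "icmp"},
    {"action": "evaluate", "name": "tcptraffic"},
]


def run_scenario():
    """Return the verdict for each constructed inbound packet."""
    tcptraffic = ReflexiveList("tcptraffic", timeout=300)
    lists = {"tcptraffic": tcptraffic}
    # An internal host opens a TCP session outbound; the outbound list reflects it.
    tcptraffic.record_outbound(Packet("tcp", "10.1.1.5", 40000, "203.0.113.7", 443), now=0)
    return {
        "reply_to_session": evaluate_acl(INBOUNDFILTERS, lists,
            Packet("tcp", "203.0.113.7", 443, "10.1.1.5", 40000), now=10),
        "unsolicited_ssh": evaluate_acl(INBOUNDFILTERS, lists,
            Packet("tcp", "203.0.113.9", 12345, "10.1.1.5", 22), now=10),
        "bgp_peer": evaluate_acl(INBOUNDFILTERS, lists,
            Packet("tcp", "203.0.113.1", 50000, "10.1.1.1", 179), now=10),
        "ping": evaluate_acl(INBOUNDFILTERS, lists,
            Packet("icmp", "203.0.113.9", 0, "10.1.1.5", 0), now=10),
        # 900 s later the refreshed entry (expiry 310) has aged out.
        "reply_after_timeout": evaluate_acl(INBOUNDFILTERS, lists,
            Packet("tcp", "203.0.113.7", 443, "10.1.1.5", 40000), now=900),
    }


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:22s} {verdict}")
```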

Related Commands

Command
Description

ip access-list

Defines an IP access list by name.

ip reflexive-list timeout

Specifies the length of time that reflexive access list entries will continue to exist when no packets in the session are detected.

permit (reflexive)

Creates a reflexive access list and enables its temporary entries to be automatically generated.


firewall are-u-there

To add the Firewall-Are-U-There attribute to the server group if your PC is running the Black Ice or Zone Alarm personal firewalls, use the firewall are-u-there command in Internet Security Association Key Management Protocol (ISAKMP) group configuration mode. To disable the Firewall-Are-U-There attribute, use the no form of this command.

firewall are-u-there

no firewall are-u-there

Syntax Description

This command has no arguments or keywords.

Defaults

The server will not send the Firewall-Are-U-There attribute to the client.

Command Modes

ISAKMP group configuration (config-isakmp-group)

Command History

Release
Modification

12.3(2)T

This command was introduced.

12.4(6)T

The policy command and check-presence keyword were added to Cisco IOS documentation in Cisco IOS 12.4(6)T to instruct the server to check for the presence of the specified firewall. It is recommended that the policy command be used instead of the firewall are-u-there command because the policy command is supported in local AAA and remote AAA configurations. The firewall are-u-there command can be configured only locally, but it is still supported for backward compatibility.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2SX

This command is supported in the Cisco IOS 12.2SX family of releases. Support in a specific 12.2SX release is dependent on your feature set, platform, and platform hardware.


Usage Guidelines

The Firewall-Are-U-There attribute is sent by the Black Ice and Zone Alarm personal firewalls if they are prompted by the server. If connections to the Virtual Private Network (VPN) are for protected devices only, that is, if a PC is running one of these personal firewalls, you should add the attribute to the server group. Devices that do not have a personal firewall will not respond with their capabilities, and their connections will be dropped.

The Firewall-Are-U-There attribute is configured on a Cisco IOS router or in the RADIUS profile.

To configure the Firewall-Are-U-There attribute, use the firewall are-u-there command.

An example of an attribute-value (AV) pair for the Firewall-Are-U-There attribute is as follows:

ipsec:firewall=1

You must enable the crypto isakmp client configuration group command, which specifies group policy information that has to be defined or changed, before enabling the firewall are-u-there command.


Note The Firewall-Are-U-There attribute can be applied only by a RADIUS user.

The attribute can be applied on a per-user basis after the user has been authenticated.

The attribute can override any similar group attributes.

User-based attributes are available only if RADIUS is used as the database.

The policy command and check-presence keyword were added to Cisco IOS documentation in Cisco IOS 12.4(6)T. It is recommended that the policy command be used instead of the firewall are-u-there command because the policy command is supported in local AAA and remote AAA configurations. The firewall are-u-there command can be configured only locally, but it is still supported for backward compatibility.


Examples

The following example shows that the Firewall-Are-U-There attribute has been configured:

crypto isakmp client configuration group group1
 firewall are-u-there

Related Commands

Command
Description

acl

Configures split tunneling.

crypto isakmp client configuration group

Specifies the DNS domain to which a group belongs.


fqdn (crypto identity)

To associate the identity of the router with the host name that the peer used to authenticate itself, use the fqdn command in crypto identity configuration mode. To remove this command from your configuration, use the no form of this command.

fqdn name

no fqdn name

Syntax Description

name

Identity used to restrict access to peers with specific certificates.


Defaults

If this command is not enabled, the router can communicate with any encrypted interface that is not restricted on its IP address.

Command Modes

Crypto identity configuration

Command History

Release
Modification

12.2(4)T

This command was introduced.

12.2(18)SXD

This command was integrated into Cisco IOS Release 12.2(18)SXD.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.


Usage Guidelines

Use the fqdn command to associate the identity of the router, which is defined in the crypto identity command, with the distinguished name (DN) in the certificate of the router. This command allows you to set restrictions in the router configuration that prevent peers with specific certificates, especially certificates with particular DNs, from having access to selected encrypted interfaces.


Note The name argument defined in the crypto identity command must match the name argument defined in the fqdn command. That is, the identity of the peer must be the same as the identity in the exchanged certificate.


Examples

The following example shows how to configure a crypto map that can be used only by peers that have been authenticated by hostname and if the certificate belongs to "example.com":

crypto map map-to-example-com 10 ipsec-isakmp
 set peer 172.21.115.119
 set transform-set my-transformset 
 match address 125
 identity to-example-com
!
crypto identity to-example-com
 fqdn example.com

Related Commands

Command
Description

crypto identity

Configures the identity of the router with a given list of DNs in the certificate of the router.

crypto mib ipsec flowmib history failure size

Associates the identity of the router with the DN in the certificate of the router.


grant auto trustpoint

To specify the certification authority (CA) trustpoint of another vendor from which the Cisco IOS certificate server will automatically grant certificate enrollment requests, use the grant auto trustpoint command in certificate server configuration mode.

grant auto trustpoint label

Syntax Description

label

Name of the non-Cisco IOS CA trustpoint.


Defaults

No default behavior or values.

Command Modes

Certificate server configuration

Command History

Release
Modification

12.3(11)T

This command was introduced.

12.2(18)SXE

This command was integrated into Cisco IOS Release 12.2(18)SXE.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.


Usage Guidelines

After the network administrator for the server configures and authenticates a trustpoint for the CA of another vendor, the grant auto trustpoint command is issued to reference the newly created trustpoint and enroll the router with a Cisco IOS CA.


Note The newly created trustpoint can only be used one time (which occurs when the router is enrolled with the Cisco IOS CA). After the initial enrollment is successfully completed, the credential information will be deleted from the enrollment profile.


The Cisco IOS certificate server will automatically grant only the requests from clients who were already enrolled with the CA of another vendor. All other requests must be manually granted—unless the server is set to be in auto grant mode (via the grant automatic command).


Caution The grant automatic command can be used for testing and building simple networks and should be disabled before the network is accessible by the Internet. However, it is recommended that you do not issue this command if your network is generally accessible.

Examples

The following example shows how to configure a client router and a Cisco IOS certificate server to exchange enrollment requests via a certificate enrollment profile:

! Define the trustpoint "msca-root" that points to the non-Cisco IOS CA and enroll and 
! authenticate the client with the non-Cisco IOS CA.
crypto pki trustpoint msca-root 
 enrollment mode ra
 enrollment url http://msca-root:80/certsrv/mscep/mscep.dll
 ip-address FastEthernet2/0
 revocation-check crl
!
! Configure trustpoint "cs" for Cisco IOS CA.
crypto pki trustpoint cs 
 enrollment profile cs1
 revocation-check crl
!
! Define enrollment profile "cs1," which points to Cisco IOS CA and mention (via the 
! enrollment credential command) that "msca-root" is being initially enrolled with the 
! Cisco IOS CA.
crypto pki profile enrollment cs1
 enrollment url http://cs:80
 enrollment credential msca-root
!
! Configure the certificate server, and issue the grant auto trustpoint command to 
! instruct the certificate server to accept enrollment request only from clients who are 
! already enrolled with trustpoint "msca-root." 
crypto pki server cs
 database level minimum
 database url nvram:
 issuer-name CN=cs
 grant auto trustpoint msca-root
!
crypto pki trustpoint cs
 revocation-check crl
 rsakeypair cs
!
crypto pki trustpoint msca-root
 enrollment mode ra
 enrollment url http://msca-root:80/certsrv/mscep/mscep.dll
 revocation-check crl

Related Commands

Command
Description

crypto pki server

Enables a Cisco IOS certificate server and enters certificate server configuration mode.


group (authentication)

To specify the authentication, authorization, and accounting (AAA) TACACS+ server group to use for preauthentication, use the group command in AAA preauthentication configuration mode. To remove the group command from your configuration, use the no form of this command.

group {tacacs+ server-group}

no group {tacacs+ server-group}

Syntax Description

tacacs+

Uses a TACACS+ server for authentication.

server-group

Name of the server group to use for authentication.


Defaults

No method list is configured.

Command Modes

AAA preauthentication configuration

Command History

Release
Modification

12.1(2)T

This command was introduced.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.


Usage Guidelines

You must configure the group command before you configure any other AAA preauthentication command (clid, ctype, dnis, or dnis bypass).

Examples

The following example enables Dialed Number Identification Service (DNIS) preauthentication using the abc123 server group and the password aaa-DNIS:

aaa preauth
 group abc123
 dnis password aaa-DNIS

Related Commands

Command
Description

aaa preauth

Enters AAA preauthentication mode.

dnis (authentication)

Enables AAA preauthentication using DNIS.


group (IKE policy)

To specify the Diffie-Hellman group identifier within an Internet Key Exchange (IKE) policy, use the group command in Internet Security Association Key Management Protocol (ISAKMP) policy configuration mode. IKE policies define a set of parameters to be used during IKE negotiation. To reset the Diffie-Hellman group identifier to the default value, use the no form of this command.

group {1 | 2 | 5}

no group

Syntax Description

1

Specifies the 768-bit Diffie-Hellman group.

2

Specifies the 1024-bit Diffie-Hellman group.

5

Specifies the 1536-bit Diffie-Hellman group.


Command Default

768-bit Diffie-Hellman (group 1)

Command Modes

ISAKMP policy configuration

Command History

Release
Modification

11.3T

This command was introduced.

12.4(4)T

Support for IPv6 was added.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.


Usage Guidelines

Use this command to specify the Diffie-Hellman group to be used in an IKE policy.

Examples

The following example configures an IKE policy with the 1024-bit Diffie-Hellman group (all other parameters are set to the defaults):

crypto isakmp policy 15
 group 2
 exit

Related Commands

Command
Description

authentication (IKE policy)

Specifies the authentication method within an IKE policy.

crypto isakmp policy

Defines an IKE policy.

encryption (IKE policy)

Specifies the encryption algorithm within an IKE policy.

hash (IKE policy)

Specifies the hash algorithm within an IKE policy.

lifetime (IKE policy)

Specifies the lifetime of an IKE SA.

show crypto isakmp policy

Displays the parameters for each IKE policy.


group-lock

The group-lock command attribute is used to check if a user attempting to connect to a group belongs to this group. This attribute is used in conjunction with the extended authentication (Xauth) username. The user name must include the group to which it belongs. The group is then matched against the VPN group name (ID_KEY_ID) that is passed during the Internet Key Exchange (IKE). If the groups do not match, then the client connection is terminated.

To allow the extended authentication (Xauth) username to be entered when preshared key authentication is used with IKE, use the group-lock command in Internet Security Association Key Management Protocol (ISAKMP) group configuration mode. To remove the group lock, use the no form of this command.


Note Preshared keys are supported only. Certificates are not supported.


group-lock

no group-lock

Syntax Description

This command has no arguments or keywords.

Defaults

Group lock is not configured.

Command Modes

ISAKMP group configuration (config-isakmp-group)

Command History

Release
Modification

12.2(13)T

This command was introduced.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2SX

This command is supported in the Cisco IOS 12.2SX family of releases. Support in a specific 12.2SX release is dependent on your feature set, platform, and platform hardware.


Usage Guidelines

The Group-Lock attribute can be used if preshared key authentication is used with IKE. When the user enables the group-lock command attribute, one of the following extended Xauth usernames can be entered:

name/group

name\group

name@group

name%group

where the \ / @ % are the delimiters. The group that is specified after the delimiter is then compared against the group identifier that is sent during IKE aggressive mode. The groups must match or the connection is rejected.


Caution Do not use the Group-Lock attribute if you are using RSA signature authentication mechanisms such as certificates. Use the User-VPN-Group attribute instead.

The Group-Lock attribute is configured on a Cisco IOS router or in the RADIUS profile. This attribute has local (gateway) significance only and is not passed to the client.


Note If local authentication is used, then the Group-Lock attribute is the only option.


The username in the local or RADIUS database must be of the following format:

username[/,\,%,@]group.
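
The Group-Lock rule in the guidelines above (split the Xauth username at one of the four delimiters, compare the trailing group with the IKE group identifier, reject on mismatch, and apply it only with preshared-key authentication) as an added example in Python, not Cisco code. Treating the last delimiter as the separator, treating a leading or trailing delimiter as malformed, and comparing groups case-sensitively are assumptions made here, not documented behaviour.

```python
"""Check of the Group-Lock rule: the Xauth username carries its group after a
delimiter, and that group must equal the IKE group identifier (ID_KEY_ID)
received in aggressive mode (added example, not Cisco code)."""

GROUP_DELIMITERS = "/\\@%"   # the four delimiters the page lists: / \ @ %


def split_group_lock_username(username):
    """Return (name, group) from 'name<delim>group', or (username, None) when no
    group is present. Assumption: the last delimiter separates the group, so a
    name that itself contains '@' (e-mail style login) still yields the trailing
    group; a leading or trailing delimiter is treated as malformed (no group)."""
    idx = max(username.rfind(d) for d in GROUP_DELIMITERS)
    if idx <= 0 or idx == len(username) - 1:
        return username, None
    return username[:idx], username[idx + 1:]


def admit_client(auth_method, xauth_username, ike_group_id):
    """Decide whether a client may join the group, returning (allowed, reason).
    Group-Lock is meaningful only for preshared-key authentication; for rsa-sig
    (certificate) peers the page says to use User-VPN-Group instead, so this
    check declines to evaluate them (an assumed policy choice). The comparison
    is exact and case-sensitive (assumption)."""
    if auth_method != "pre-share":
        return False, "group-lock not applicable to %s; use User-VPN-Group" % auth_method
    name, group = split_group_lock_username(xauth_username)
    if group is None:
        return False, "username %r carries no group" % xauth_username
    if group != ike_group_id:
        return False, "group %r does not match IKE group ID %r" % (group, ike_group_id)
    return True, "user %r admitted to group %r" % (name, group)


if __name__ == "__main__":
    # Constructed sample logins; "cisco" plays the role of the configured group.
    for user in ("alice/cisco", "bob@cisco", "carol%sales", "dave", "erin@example.com\\cisco"):
        print(user, admit_client("pre-share", user, "cisco"))
```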

Examples

The following example shows how Group-Lock attribute is configured in the CLI using the group-lock command:


Note You must enable the crypto isakmp client configuration group command, which specifies group policy information that has to be defined or changed, before enabling the group-lock command.


crypto isakmp client configuration group cisco
  group-lock

The following example shows how an attribute-value (AV) pair for the User-VPN-Group attribute is added in the RADIUS configuration:


Note If RADIUS is used for user authentication, then use the User-VPN-Group attribute instead of the Group-Lock attribute.


ipsec:group-lock=1

Related Commands

Command
Description

acl

Configures split tunneling.

crypto isakmp client configuration group

Specifies the DNS domain to which a group belongs.


hash (IKE policy)

To specify the hash algorithm within an Internet Key Exchange policy, use the hash command in Internet Security Association Key Management Protocol (ISAKMP) policy configuration mode. IKE policies define a set of parameters to be used during IKE negotiation. To reset the hash algorithm to the default SHA-1 hash algorithm, use the no form of this command.

hash {sha | md5}

no hash

Syntax Description

sha

Specifies SHA-1 (HMAC variant) as the hash algorithm.

md5

Specifies MD5 (HMAC variant) as the hash algorithm.


Defaults

The SHA-1 hash algorithm

Command Modes

ISAKMP policy configuration

Command History

Release
Modification

11.3T

This command was introduced.

12.4(4)T

IPv6 support was added.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.


Usage Guidelines

Use this command to specify the hash algorithm to be used in an IKE policy.

Examples

The following example configures an IKE policy with the MD5 hash algorithm (all other parameters are set to the defaults):

crypto isakmp policy 15
 hash md5
 exit

Related Commands

Command
Description

authentication (IKE policy)

Specifies the authentication method within an IKE policy.

crypto isakmp policy

Defines an IKE policy.

encryption (IKE policy)

Specifies the encryption algorithm within an IKE policy.

group (IKE policy)

Specifies the Diffie-Hellman group identifier within an IKE policy.

lifetime (IKE policy)

Specifies the lifetime of an IKE SA.

show crypto isakmp policy

Displays the parameters for each IKE policy.

hw-module slot subslot only

To change the mode of the Cisco 7600 SSC-400 card to allocate full buffers to the specified subslot, use the hw-module slot subslot only command in global configuration mode.


Note This command automatically generates a reset on the Cisco 7600 SSC-400. See Usage Guidelines below for details.


hw-module slot slot subslot subslot only

Syntax Description

slot

Chassis slot number where the Cisco 7600 SSC-400 is located. Refer to the appropriate hardware manual for slot information. For SPA Interface Processors (SIPs) and SSCs, refer to the platform-specific Shared Port Adapter (SPA) hardware installation guide or the corresponding "Identifying Slots and Subslots for SIPs and SPAs" topic in the platform-specific SPA software configuration guide.

subslot

Secondary slot number on the SSC where the IPSec VPN SPA is installed.


Defaults

No default behavior or values.

Command Modes

Global configuration

Command History

Release
Modification

12.2(18)SXF2

This command was introduced.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.


Usage Guidelines

Follow these guidelines and restrictions when configuring a Cisco 7600 SSC-400 and IPSec VPN SPAs using the hw-module slot subslot only command:

If this command is not used, the total number of buffers available is divided between the two subslots on the Cisco 7600 SSC-400.

This command is useful when supporting IP multicast over generic routing encapsulation (GRE) on the IPSec VPN SPA.

When this command is executed, it automatically takes a reset action on the Cisco 7600 SSC-400 and issues the following prompt to the console:

Module n will be reset? Confirm [n]:

The prompt will default to "N" (no). You must type "Y" (yes) to activate the reset action.

When in this mode, if you manually plug in a second SPA, or if you attempt to reset the SPA (by entering a no hw-module subslot shutdown command, for example), a message is displayed on the router console that refers you to the customer documentation.

Examples

The following example allocates full buffers to the SPA that is installed in subslot 1 of the Cisco 7600 SSC-400 located in slot 4 of the router and takes a reset action on the Cisco 7600 SSC-400:

Router(config)# hw-module slot 4 subslot 1 only

Module 4 will be reset? Confirm [no]: y

Note that the prompt will default to "N" (no). You must type "Y" (yes) to activate the reset action.

Related Commands

Command
Description

ip multicast-routing

Enables IP multicast routing.

ip pim

Enables PIM on an interface.