ip source-track through ivrf

ip source-track

To enable IP source tracking for a specified host, use the ip source-track command in global configuration mode. To disable IP source tracking, use the no form of this command.

ip source-track ip-address

no ip source-track ip-address

Syntax Description

ip-address

Destination IP address of the host that is to be tracked.

Command Default

IP address tracking is not enabled.

Command Modes


Global configuration

Command History

Release

Modification

12.0(21)S

This command was introduced.

12.0(22)S

This command was implemented on the Cisco 7500 series routers.

12.0(26)S

This command was implemented on Cisco 12000 series ISE line cards.

12.3(7)T

This command was integrated into Cisco IOS Release 12.3(7)T.

12.2(25)S

This command was integrated into Cisco IOS Release 12.2(25)S.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.

Usage Guidelines

IP source tracking allows you to gather information about the traffic that is flowing to a host that is suspected of being under attack. It also allows you to easily trace a denial-of-service (DoS) attack to its entry point into the network.

After you have identified the destination that is being attacked, enable tracking for the destination address on the whole router by entering the ip source-track command.

Examples

The following example shows how to configure IP source tracking on all line cards and port adapters in the router. In this example, each line card or port adapter collects traffic flow data to host address 100.10.0.1 for 2 minutes before creating an internal system log entry; packet and flow information recorded in the system log is exported for viewing to the route processor or switch processor every 60 seconds.


Router# configure terminal
Router(config)# ip source-track 100.10.0.1
Router(config)# ip source-track syslog-interval 2
Router(config)# ip source-track export-interval 60

ip source-track address-limit

To configure the maximum number of destination hosts that can be simultaneously tracked at any given moment, use the ip source-track address-limit command in global configuration mode. To cancel this administrative limit and return to the default, use the no form of this command.

ip source-track address-limit number

no ip source-track address-limit number

Syntax Description

number

Maximum number of hosts that can be tracked.

Command Default

An unlimited number of hosts can be tracked.

Command Modes


Global configuration

Command History

Release

Modification

12.0(21)S

This command was introduced.

12.0(22)S

This command was implemented on the Cisco 7500 series routers.

12.0(26)S

This command was implemented on Cisco 12000 series ISE line cards.

12.3(7)T

This command was integrated into Cisco IOS Release 12.3(7)T.

12.2(25)S

This command was integrated into Cisco IOS Release 12.2(25)S.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.

Usage Guidelines

After you have configured at least one destination IP address for source tracking (via the ip source-track command), you can limit the number of destination IP addresses that can be tracked via the ip source-track address-limit command.

Examples

The following example shows how to configure IP source tracking for data that flows to host 100.10.1.1 and limit IP source tracking to 10 IP addresses:


Router(config)# ip source-track 100.10.1.1
Router(config)# ip source-track address-limit 10

ip source-track export-interval

To set the time interval (in seconds) in which IP source tracking statistics are exported from the line card to the route processor (RP), use the ip source-track export-interval command in global configuration mode. To return to default functionality, use the no form of this command.

ip source-track export-interval number

no ip source-track export-interval number

Syntax Description

number

Number of seconds that pass before IP source tracking statistics are exported.

Command Default

Traffic flow information is exported from the line card to the RP every 30 seconds.

Command Modes


Global configuration

Command History

Release

Modification

12.0(21)S

This command was introduced.

12.0(22)S

This command was implemented on the Cisco 7500 series routers.

12.0(26)S

This command was implemented on Cisco 12000 series ISE line cards.

12.3(7)T

This command was integrated into Cisco IOS Release 12.3(7)T.

12.2(25)S

This command was integrated into Cisco IOS Release 12.2(25)S.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.

Usage Guidelines

Use the ip source-track export-interval command to specify the frequency at which IP source tracking information is sent to the RP for viewing.


Note


This command can be issued only on distributed platforms such as the gigabit route processor (GRP) and the route switch processor (RSP).


Examples

The following example shows how to configure IP source tracking on all line cards and port adapters in the router. In this example, each line card or port adapter collects traffic flow data to host address 100.10.0.1 for 2 minutes before creating an internal system log entry; packet and flow information recorded in the system log is exported for viewing to the route processor or switch processor every 60 seconds.


Router# configure terminal
Router(config)# ip source-track 100.10.0.1
Router(config)# ip source-track syslog-interval 2
Router(config)# ip source-track export-interval 60

ip source-track syslog-interval

To set the time interval (in minutes) in which syslog messages are generated if IP source tracking is enabled on a device, use the ip source-track syslog-interval command in global configuration mode. To cancel this setting and disable syslog generation, use the no form of this command.

ip source-track syslog-interval number

no ip source-track syslog-interval number

Syntax Description

number

Number of minutes that pass between syslog messages for the tracked destination.

Command Default

Syslog messages are not generated.

Command Modes


Global configuration

Command History

Release

Modification

12.0(21)S

This command was introduced.

12.0(22)S

This command was implemented on the Cisco 7500 series routers.

12.0(26)S

This command was implemented on Cisco 12000 series ISE line cards.

12.3(7)T

This command was integrated into Cisco IOS Release 12.3(7)T.

12.2(25)S

This command was integrated into Cisco IOS Release 12.2(25)S.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.

Usage Guidelines

Use the ip source-track syslog-interval command to track the source interfaces of traffic that is destined to a particular address.

Examples

The following example shows how to configure IP source tracking on all line cards and port adapters in the router. In this example, each line card or port adapter collects traffic flow data to host address 100.10.0.1 for 2 minutes before creating an internal system log entry; packet and flow information recorded in the system log is exported for viewing to the route processor or switch processor every 60 seconds.


Router# configure terminal
Router(config)# ip source-track 100.10.0.1
Router(config)# ip source-track syslog-interval 2
Router(config)# ip source-track export-interval 60

ip ssh

To configure Secure Shell (SSH) control parameters on your router, use the ip ssh command in global configuration mode. To restore the default value, use the no form of this command.

ip ssh [timeout seconds | authentication-retries integer]

no ip ssh [timeout seconds | authentication-retries integer]

Syntax Description

timeout

(Optional) The time interval that the router waits for the SSH client to respond.

This setting applies to the SSH negotiation phase. Once the EXEC session starts, the standard timeouts configured for the vty apply. By default, there are 5 vtys defined (0-4), so 5 terminal sessions are possible. After SSH executes a shell, the vty timeout starts. The vty timeout defaults to 10 minutes.

seconds

(Optional) The number of seconds until timeout disconnects, with a maximum of 120 seconds. The default is 120 seconds.

authentication-retries

(Optional) The number of attempts after which the interface is reset.

integer

(Optional) The number of retries, with a maximum of 5 authentication retries. The default is 3.

Command Default

SSH control parameters are set to default router values.

Command Modes


Global configuration (config)

Command History

Release

Modification

12.0(5)S

This command was introduced.

12.1(1)T

This command was integrated into Cisco IOS Release 12.1(1)T.

12.2(17a)SX

This command was integrated into Cisco IOS Release 12.2(17a)SX.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

Cisco IOS XE Release 2.4

This command was implemented on the Cisco ASR 1000 series routers.

Usage Guidelines

Before you configure SSH on your router, you must enable the SSH server using the crypto key generate rsa command.

Examples

The following examples configure SSH control parameters on your router:


ip ssh timeout 120
ip ssh authentication-retries 3

ip ssh break-string

To configure a string that, when received from a Secure Shell (SSH) client, will cause the Cisco IOS SSH server to transmit a break signal out an asynchronous line, use the ip ssh break-string command in global configuration mode. To remove the string, use the no form of this command.

ip ssh break-string string

no ip ssh break-string string

Syntax Description

string

Any sequence of characters not including embedded whitespace. Include control characters by prefixing them with ^V (control/V) or denote them using the \000 notation (that is, a backslash followed by the ASCII value of the character in three octal digits).

Command Default

Break signal is not enabled.

Command Modes


Global configuration

Command History

Release

Modification

12.3(2)

This command was introduced.

12.3(2)T

This command was integrated into Cisco IOS Release 12.3(2)T.

Usage Guidelines


Note


This break string is used only for SSH sessions that are outbound on physical lines using the SSH Terminal-Line Access feature. This break string is not used by the Cisco IOS SSH client, nor is it used by the Cisco IOS SSH server when the server uses a virtual terminal (VTY) line. This break string does not provide any interoperability with the method that is described in the Internet Engineering Task Force (IETF) Internet-Draft “Session Channel Break Extension” (draft-ietf-secsh-break-02.txt).



Note


In some versions of Cisco IOS, if the SSH break string is set to a single character, the Cisco IOS server will not immediately process that character as a break signal on receipt of that character but will delay until it has received a subsequent character. A break string of two or more characters will be immediately processed as a break signal after the last character in the string has been received from the SSH client.


Examples

The following example shows that the control-B character (ASCII 2) has been set as the SSH break string:


Router(config)# ip ssh break-string \002

ip ssh client algorithm encryption

To define the order of encryption algorithms in a Cisco IOS secure shell (SSH) client, use the ip ssh client algorithm encryption command in global configuration mode. To disable an algorithm from the configured list, use the no form of this command. To return to the default behavior in which all encryption algorithms are enabled in the predefined order, use the default form of this command.

ip ssh client algorithm encryption {aes128-ctr | aes192-ctr | aes256-ctr | aes128-cbc | 3des-cbc | aes192-cbc | aes256-cbc}

no ip ssh client algorithm encryption {aes128-ctr | aes192-ctr | aes256-ctr | aes128-cbc | 3des-cbc | aes192-cbc | aes256-cbc}

Syntax Description

aes128-ctr

Configures Advanced Encryption Standard Counter Mode (AES-CTR) encryption for 128-bit key length.

aes192-ctr

Configures AES-CTR encryption for 192-bit key length.

aes256-ctr

Configures AES-CTR encryption for 256-bit key length.

aes128-cbc

Configures AES Cipher Block Chaining (AES-CBC) 128-bit key length.

3des-cbc

Configures Triple Data Encryption Standard (3DES) CBC algorithm.

aes192-cbc

Configures AES-CBC encryption for 192-bit key length.

aes256-cbc

Configures AES-CBC encryption for 256-bit key length.

Command Default

SSH encryption algorithms are set to the following default order:

Encryption Algorithms: aes128-ctr, aes192-ctr, aes256-ctr, aes128-cbc, 3des-cbc, aes192-cbc, aes256-cbc

Command Modes


Global configuration (config)

Command History

Release

Modification

Cisco IOS 15.5(2)S

This command was introduced.

Cisco IOS XE 3.15S

This command was integrated into Cisco IOS XE Release 3.15S.

Cisco IOS 15.5(2)T

This command was integrated into Cisco IOS Release 15.5(2)T.

Usage Guidelines

To start an encrypted session between an SSH client and server, the preferred mode of encryption needs to be decided. For increased security, the preferred crypto algorithm for an SSH session is AES-CTR.

SSH Version 2 (SSHv2) supports AES-CTR encryption for 128-bit, 192-bit, and 256-bit key lengths. From the supported AES-CTR algorithms, the preferred algorithm is chosen based on the processing capability. The greater the length of the key, the stronger the encryption.

The Cisco IOS SSH servers and clients support three types of crypto algorithm for data encryption and select the encryption mode in the following order of preference:
  1. AES-CTR

  2. AES-CBC

  3. 3DES

If the SSH session uses a remote device that does not support AES-CTR encryption mode, the encryption mode for the session falls back to AES-CBC mode.

The default order of the encryption algorithms is:

Encryption Algorithms: aes128-ctr, aes192-ctr, aes256-ctr, aes128-cbc, 3des-cbc, aes192-cbc, aes256-cbc

To disable more than one algorithm, use the no form of the command multiple times with different algorithm names. If you try to disable the last encryption algorithm in the configuration, the following message is displayed, and the command is rejected:

% SSH command rejected: All encryption algorithms cannot be disabled

Examples

The following example shows how to configure encryption algorithms on Cisco IOS SSH clients:


Device> enable
Device# configure terminal
Device(config)# ip ssh client algorithm encryption aes128-ctr aes192-ctr aes256-ctr aes128-cbc 3des-cbc aes192-cbc aes256-cbc
Device(config)# end

The following example shows how to return to the default behavior in which all encryption algorithms are enabled in the predefined order:

Device> enable
Device# configure terminal
Device(config)# default ip ssh client algorithm encryption
Device(config)# end

ip ssh client algorithm mac

To define the order of Message Authentication Code (MAC) algorithms in a Cisco IOS secure shell (SSH) client, use the ip ssh client algorithm mac command in global configuration mode. To disable an algorithm from the configured list, use the no form of this command. To return to the default behavior in which all MAC algorithms are enabled in the predefined order, use the default form of this command.

ip ssh client algorithm mac { hmac-sha2-256-etm@openssh.com | hmac-sha2-512-etm@openssh.com | hmac-sha2-256 | hmac-sha2-512 }

no ip ssh client algorithm mac { hmac-sha2-256-etm@openssh.com | hmac-sha2-512-etm@openssh.com | hmac-sha2-256 | hmac-sha2-512 }

Syntax Description

hmac-sha2-256

Configures the HMAC algorithm of HMAC-SHA2-256 as a cryptographic algorithm with a digest size of 256 bits and a key length of 256 bits.

hmac-sha2-512

Configures the HMAC algorithm of HMAC-SHA2-512 as a cryptographic algorithm with a digest size of 512 bits and a key length of 512 bits.

hmac-sha2-256-etm@openssh.com

Configures the HMAC algorithm of HMAC-SHA2-256-Encrypt-then-MAC@openssh.com as a cryptographic algorithm with a digest size of 256 bits and a key length of 256 bits.

hmac-sha2-512-etm@openssh.com

Configures the HMAC algorithm of HMAC-SHA2-512-Encrypt-then-MAC@openssh.com as a cryptographic algorithm with a digest size of 512 bits and a key length of 512 bits.

Command Default

SSH MAC algorithms are set to the following default order:

MAC Algorithms: hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, hmac-sha2-256, hmac-sha2-512 

Command Modes


Global configuration (config)

Command History

Release

Modification

Cisco IOS 15.5(2)S

This command was introduced.

Cisco IOS XE 3.15S

This command was integrated into Cisco IOS XE Release 3.15S.

Cisco IOS 15.5(2)T

This command was integrated into Cisco IOS Release 15.5(2)T.

Cisco IOS XE 17.3

The hmac-sha2-256-etm@openssh.com and hmac-sha2-512-etm@openssh.com algorithms were introduced.

Usage Guidelines

The Cisco IOS SSH servers and clients must have at least one configured Hashed Message Authentication Code (HMAC) algorithm. The Cisco IOS SSH servers and clients support the MAC algorithms in the following order:

  1. hmac-sha2-256-etm@openssh.com

  2. hmac-sha2-512-etm@openssh.com

  3. hmac-sha2-256

  4. hmac-sha2-512

The default order of the MAC algorithms is:

MAC Algorithms: hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, hmac-sha2-256, hmac-sha2-512

To disable more than one algorithm, use the no form of the command multiple times with different algorithm names. If you try to disable the last MAC algorithm in the configuration, the following message is displayed, and the command is rejected:

% SSH command rejected: All mac algorithms cannot be disabled
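The two algorithm-list commands above (ip ssh client algorithm encryption and ip ssh client algorithm mac) follow the same rules: a predefined default order, the no form removes one entry, the last entry cannot be removed, and the default form restores the list. The model below is an added illustration written for this page, not Cisco code; it reproduces those rules for both list types and then applies the standard SSH name-list choice (RFC 4253 section 7.1, the first algorithm in the client's list that the server also offers) to show the AES-CBC fallback the usage guidelines describe. The peer algorithm lists are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Default orders exactly as the command reference lists them.
DEFAULT_ENCRYPTION = ["aes128-ctr", "aes192-ctr", "aes256-ctr",
                      "aes128-cbc", "3des-cbc", "aes192-cbc", "aes256-cbc"]
DEFAULT_MAC = ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com",
               "hmac-sha2-256", "hmac-sha2-512"]


class CommandRejected(Exception):
    """Raised with the same wording the CLI prints when it rejects a command."""


@dataclass
class AlgorithmList:
    """One ordered algorithm list, e.g. the client's encryption or MAC list."""
    kind: str                        # "encryption" or "mac"; used in the rejection text
    default: List[str]
    active: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        if not self.active:
            self.active = list(self.default)

    def configure(self, names: List[str]) -> None:
        """`ip ssh client algorithm <kind> a b c ...`: set the order explicitly."""
        unknown = [n for n in names if n not in self.default]
        if unknown:
            raise CommandRejected(f"unknown {self.kind} algorithm(s): {unknown}")
        self.active = list(dict.fromkeys(names))   # keep order, drop repeats

    def disable(self, name: str) -> None:
        """`no ip ssh client algorithm <kind> <name>`: remove one entry."""
        if name not in self.active:
            return
        if len(self.active) == 1:
            raise CommandRejected(
                f"% SSH command rejected: All {self.kind} algorithms cannot be disabled")
        self.active.remove(name)

    def restore_default(self) -> None:
        """`default ip ssh client algorithm <kind>`: back to the predefined order."""
        self.active = list(self.default)


def negotiate(client: List[str], server: List[str]) -> Optional[str]:
    """Standard SSH name-list choice (RFC 4253, 7.1): the first algorithm in the
    client's list that the server also offers wins; None means no agreement."""
    offered = set(server)
    return next((a for a in client if a in offered), None)


def demo():
    """Walk through the fallback case the usage guidelines describe."""
    enc = AlgorithmList("encryption", DEFAULT_ENCRYPTION)
    # Constructed peer that offers no CTR mode at all: with the default list the
    # session falls back to AES-CBC.
    legacy_peer = ["aes128-cbc", "3des-cbc"]
    with_default = negotiate(enc.active, legacy_peer)        # "aes128-cbc"
    # An operator who removes every CBC/3DES entry is left with CTR only; the
    # same peer can then no longer agree on a cipher, so the session is refused.
    for name in ["aes128-cbc", "3des-cbc", "aes192-cbc", "aes256-cbc"]:
        enc.disable(name)
    ctr_only = negotiate(enc.active, legacy_peer)            # None
    return with_default, ctr_only, list(enc.active)


if __name__ == "__main__":
    print(demo())
```

The same AlgorithmList serves the MAC list with kind set to "mac" and DEFAULT_MAC as the default, which produces the "All mac algorithms cannot be disabled" rejection when the last entry is removed.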

Examples

The following example shows how to configure MAC algorithms on Cisco IOS SSH clients:


Device> enable
Device# configure terminal
Device(config)# ip ssh client algorithm mac hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com hmac-sha2-256 hmac-sha2-512
Device(config)# end

The following example shows how to return to the default behavior in which all MAC algorithms are enabled in the predefined order:

Device> enable
Device# configure terminal
Device(config)# default ip ssh client algorithm mac
Device(config)# end

ip ssh dh min size

To configure the minimum Diffie-Hellman modulus size on the IOS Secure Shell (SSH) server and client, use the ip ssh dh min size command in global configuration mode. To return to the default value of 2048 bits, use the no form or the default form of this command.

ip ssh dh min size number

no ip ssh dh min size

default ip ssh dh min size

Syntax Description

number

Minimum number of bits in the key size. The available options are 2048 and 4096. The default value is 2048.

Command Default

Minimum size of Diffie-Hellman (DH) key on IOS SSH server and client is 2048 bits.

Command Modes


Global configuration (config)

Command History

Release

Modification

12.4(20)T

This command was introduced.

15.1(2)S

This command was integrated into Cisco IOS Release 15.1(2)S.

15.1(1)SY

This command was integrated into Cisco IOS Release 15.1(1)SY.

Usage Guidelines

Use the ip ssh dh min size command to ensure that the CLI is successfully parsed from either the client side or the server side.

IOS SSH supports the following Diffie-Hellman (DH) key exchange methods:
  • Fixed Group Method (diffie-hellman-group14-sha1 [2048 bits])

  • Group Exchange Method (diffie-hellman-group-exchange-sha1 [2048 bits, 4096 bits])

In both DH key exchange methods, the IOS SSH server and client negotiate and establish connections only with groups (ranges) whose modulus sizes are equal to or higher than the value configured in the CLI.

Examples

The following example shows how to set the minimum modulus size to 2048 bits:


Device> enable
Device# configure terminal
Device(config)# ip ssh dh min size 2048

ip ssh dscp

To specify the IP differentiated services code point (DSCP) value that can be set for a Secure Shell (SSH) configuration, use the ip ssh dscp command in global configuration mode. To restore the default value, use the no form of this command.

ip ssh dscp number

no ip ssh dscp number

Syntax Description

number

Value that can be set, in the range 0 through 63. The default value is 0 (zero).

Command Default

The IP DSCP value is not specified.

Command Modes


Global configuration (config)

Command History

Release

Modification

12.4(20)S

This command was introduced.

12.2SR

This command is supported in the Cisco IOS Release 12.2SR train. Support in a specific 12.2SR train depends on your feature set, platform, and platform hardware.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX train depends on your feature set, platform, and platform hardware.

12.4(22)T

This command was integrated into Cisco IOS Release 12.4(22)T.

Usage Guidelines

IP DSCP values can be configured on both the SSH client and the SSH server for SSH traffic that is generated on either end.

Examples

The following example shows that the DSCP value is set to 35:


Router(config)# ip ssh dscp 35

ip ssh logging events

To create a log statement of an SSH attempt, use the ip ssh logging events command in global configuration mode.

ip ssh logging events

Syntax Description

This command has no arguments or keywords.

Command Default

This command is enabled by default.

Command Modes

Global configuration mode

Command History

Release

Modification

12.3 T

This command was introduced.

Cisco IOS XE Dublin 17.12.1a release

This command was modified. The command is enabled by default.

Usage Guidelines

To create a log statement of an SSH attempt, use the ip ssh logging events command in global configuration mode.

Examples

This example shows the logging events:


Router(config)# ip ssh logging events

*Jul 19 23:15:00.822: %SSH-5-SSH2_SESSION: SSH2 Session request from 10.232.24.222 (tty = 4) using crypto cipher 'chacha20-poly1305@openssh.com', hmac 'hmac-sha2-256-etm@openssh.com' Succeeded
*Jul 19 23:15:04.794: %SSH-5-SSH2_USERAUTH: User 'test' authentication for SSH2 Session from 10.232.24.222 (tty = 4) using crypto cipher 'chacha20-poly1305@openssh.com', hmac 'hmac-sha2-256-etm@openssh.com' Succeeded
*Jul 19 23:16:10.898: %SSH-5-SSH2_CLOSE: SSH2 Session from 10.232.24.222 (tty = 4) for user 'test' using crypto cipher 'chacha20-poly1305@openssh.com', hmac 'hmac-sha2-256-etm@openssh.com' closed
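The three %SSH-5 messages above carry the source address, tty, user, negotiated cipher and MAC of each session, which is exactly what a log-review or detection job needs. The script below is an added example written for this page, not part of the Cisco documentation: it parses lines in that format, correlates SSH2_SESSION, SSH2_USERAUTH and SSH2_CLOSE events per (source, tty), restarts the record when a tty number is reused by a new session, and flags sessions that negotiated one of the CBC/3DES ciphers from this reference's encryption list. The sample input is constructed: the three lines from the page plus one additional line in the same format from documentation address 192.0.2.7.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: the three lines from the reference plus one more in the same
# format (source 192.0.2.7 is a documentation address) that negotiated a CBC cipher.
SAMPLE_LOG = """\
*Jul 19 23:15:00.822: %SSH-5-SSH2_SESSION: SSH2 Session request from 10.232.24.222 (tty = 4) using crypto cipher 'chacha20-poly1305@openssh.com', hmac 'hmac-sha2-256-etm@openssh.com' Succeeded
*Jul 19 23:15:04.794: %SSH-5-SSH2_USERAUTH: User 'test' authentication for SSH2 Session from 10.232.24.222 (tty = 4) using crypto cipher 'chacha20-poly1305@openssh.com', hmac 'hmac-sha2-256-etm@openssh.com' Succeeded
*Jul 19 23:16:10.898: %SSH-5-SSH2_CLOSE: SSH2 Session from 10.232.24.222 (tty = 4) for user 'test' using crypto cipher 'chacha20-poly1305@openssh.com', hmac 'hmac-sha2-256-etm@openssh.com' closed
*Jul 19 23:20:31.104: %SSH-5-SSH2_SESSION: SSH2 Session request from 192.0.2.7 (tty = 5) using crypto cipher 'aes128-cbc', hmac 'hmac-sha2-256' Succeeded
"""

LINE_RE = re.compile(
    r"^\*?(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d\.\d+): %SSH-\d-(?P<mnemonic>\w+): (?P<body>.*)$")
BODY_RE = re.compile(
    r"(?:User '(?P<user1>[^']*)' authentication for )?"
    r"SSH2 Session(?: request)? from (?P<src>[\d.]+) \(tty = (?P<tty>\d+)\)"
    r"(?: for user '(?P<user2>[^']*)')?"
    r" using crypto cipher '(?P<cipher>[^']+)', hmac '(?P<mac>[^']+)' (?P<result>\w+)$")

# CBC/3DES entries from the reference's encryption list; CTR is the preferred mode.
LEGACY_CIPHERS = {"aes128-cbc", "aes192-cbc", "aes256-cbc", "3des-cbc"}


@dataclass
class Session:
    src: str
    tty: str
    cipher: str = ""
    mac: str = ""
    user: Optional[str] = None
    opened: Optional[str] = None
    auth_ok: Optional[bool] = None
    closed: Optional[str] = None


def parse_line(line: str) -> Optional[dict]:
    """Split one %SSH-5-SSH2_* line into fields; None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    b = BODY_RE.match(m["body"])
    if not b:
        return None
    return {"ts": m["ts"], "mnemonic": m["mnemonic"], "src": b["src"], "tty": b["tty"],
            "user": b["user1"] or b["user2"], "cipher": b["cipher"], "mac": b["mac"],
            "result": b["result"]}


def build_sessions(text: str) -> Dict[Tuple[str, str], Session]:
    """Correlate SESSION/USERAUTH/CLOSE events by (source, tty). A new SSH2_SESSION
    on the same key starts a fresh record, because tty numbers are reused."""
    sessions: Dict[Tuple[str, str], Session] = {}
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev["src"], ev["tty"])
        if ev["mnemonic"] == "SSH2_SESSION" or key not in sessions:
            sessions[key] = Session(ev["src"], ev["tty"])
        s = sessions[key]
        s.cipher, s.mac = ev["cipher"], ev["mac"]
        if ev["mnemonic"] == "SSH2_SESSION":
            s.opened = ev["ts"]
        elif ev["mnemonic"] == "SSH2_USERAUTH":
            s.user = ev["user"]
            s.auth_ok = ev["result"] == "Succeeded"
        elif ev["mnemonic"] == "SSH2_CLOSE":
            s.closed = ev["ts"]
            s.user = s.user or ev["user"]
    return sessions


def findings(sessions: Dict[Tuple[str, str], Session]) -> List[str]:
    """Conditions an operator reviewing these events would want flagged."""
    out = []
    for s in sessions.values():
        if s.cipher in LEGACY_CIPHERS:
            out.append(f"{s.src} tty{s.tty}: negotiated legacy cipher {s.cipher}")
        if s.opened and s.auth_ok is None and s.closed is None:
            out.append(f"{s.src} tty{s.tty}: session opened, no authentication event yet")
        if s.auth_ok is False:
            out.append(f"{s.src} tty{s.tty}: authentication did not succeed for user {s.user!r}")
    return out


if __name__ == "__main__":
    for line in findings(build_sessions(SAMPLE_LOG)):
        print(line)
```

Only the "Succeeded" wording is taken from the page; any other result text is treated generically as not successful, since the reference does not show a failed authentication line.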

ip ssh maxstartups

If the SSH server negotiates the establishment of too many SSH sessions at the same time, it could cause high CPU consumption. To control the maximum number of SSH sessions that can be started simultaneously, use the ip ssh maxstartups command in global configuration mode.

To disable the configuration, use the no form of this command.

ip ssh maxstartups [number]

no ip ssh maxstartups [number]

Syntax Description

number

(Optional) Number of connections to be accepted concurrently. The range is from 2 to 128. The default is 128.

Command Default

The number of maximum concurrent sessions is 128.

Command Modes


Global configuration (config)

Command History

Release

Modification

15.0(1)M

This command was introduced in a release earlier than Cisco IOS Release 15.0(1)M.

Cisco IOS XE Release 2.1

This command was integrated into Cisco IOS XE Release 2.1 and implemented on the Cisco ASR 1000 Series Aggregation Services Routers.

Usage Guidelines

You must create RSA keys to enable SSH. The RSA key must be at least 768 bits for SSHv2.

Examples

The following example shows how to set the maximum number of concurrent sessions allowed on the SSH server to 100:


Router# configure terminal
Router(config)# ip ssh maxstartups 100

ip ssh port

To enable secure access to tty (asynchronous) lines, use the ip ssh port command in global configuration mode. To disable this functionality, use the no form of this command.

ip ssh port port-num rotary group

no ip ssh port port-num rotary group

Syntax Description

port-num

Specifies the port, such as 2001, to which Secure Shell (SSH) needs to connect.

rotary group

Specifies the defined rotary that should search for a valid name.

Command Default

This command is disabled by default.

Command Modes


Global configuration

Command History

Release

Modification

12.2(2)T

This command was introduced.

Usage Guidelines

The ip ssh port command supports a functionality that replaces reverse Telnet with SSH. Use this command to securely access the devices attached to the serial ports of a router and to perform the following tasks:

  • Connect to a router with multiple terminal lines that are connected to consoles of other devices.

  • Allow network available modems to be securely accessed for dial-out.

Examples

The following example shows how to configure the SSH Terminal-Line Access feature on a modem that is used for dial-out on lines 1 through 200:


line 1 200
 no exec
 login authentication default
 rotary 1
 transport input ssh
ip ssh port 2000 rotary 1

The following example shows how to configure the SSH Terminal-Line Access feature to access the console ports of various devices that are attached to the serial ports of the router. For this type of access, each line is put into its own rotary, and each rotary is used for a single port. In this example, lines 1 through 3 are used, and the port (line) mappings of the configuration are as follows: Port 2001 = Line 1, Port 2002 = Line 2, and Port 2003 = Line 3.


line 1
 no exec
 login authentication default
 rotary 1
 transport input ssh
line 2
 no exec
 login authentication default
 rotary 2
 transport input ssh
line 3
 no exec
 login authentication default
 rotary 3
 transport input ssh
ip ssh port 2001 rotary 1 3

From any UNIX or UNIX-like device, the following command is typically used to form an SSH session:

ssh -c 3des -p 2002 router.example.com

This command will initiate an SSH session using the Triple DES cipher to the device known as “router.example.com,” which uses port 2002. This device will connect to the device on Line 2, which was associated with port 2002. Similarly, many Windows SSH packages have related methods of selecting the cipher and the port for this access.

ip ssh precedence

To specify the IP precedence value that can be set for a Secure Shell (SSH) configuration, use the ip ssh precedence command in global configuration mode. To restore the default value, use the no form of this command.

ip ssh precedence number

no ip ssh precedence number

Syntax Description

number

Value that can be set, in the range 0 through 7. The default value is 0 (zero).

Command Default

The IP precedence value is not specified.

Command Modes


Global configuration (config)

Command History

Release

Modification

12.2(20)S

This command was introduced.

12.2SR

This command is supported in the Cisco IOS Release 12.2SR train. Support in a specific 12.2SR train depends on your feature set, platform, and platform hardware.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX train depends on your feature set, platform, and platform hardware.

12.4(22)T

This command was integrated into Cisco IOS Release 12.4(22)T.

Usage Guidelines

IP precedence values can be configured on both the SSH client and the SSH server for SSH traffic that is generated on either end.

Examples

The following example shows that the IP precedence value is set to 6:


Router(config)# ip ssh precedence 6

ip ssh pubkey-chain

To configure Secure Shell RSA (SSH-RSA) keys for user and server authentication on the SSH server, use the ip ssh pubkey-chain command in global configuration mode. To remove SSH-RSA keys for user and server authentication on the SSH server, use the no form of this command.

ip ssh pubkey-chain

no ip ssh pubkey-chain

Syntax Description

This command has no arguments or keywords.

Command Default

SSH-RSA keys are not configured.

Command Modes


Global configuration (config)

Command History

Release

Modification

15.0(1)M

This command was introduced.

15.1(1)S

This command was integrated into Cisco IOS Release 15.1(1)S.

Usage Guidelines

Use the ip ssh pubkey-chain command to ensure SSH server and user public key authentication.

Examples

The following example shows how to begin configuring SSH-RSA public keys:


Router(config)# ip ssh pubkey-chain

ip ssh rekey

To configure a time-based rekey or a volume-based rekey for a secure shell (SSH) session, use the ip ssh rekey command in global configuration mode. To disable the rekey, use the no form of this command.

ip ssh rekey {time time | volume volume}

no ip ssh rekey

Syntax Description

time time

Rekey time, in minutes. The range is from 10 minutes to 1440 minutes.

volume volume

Amount of rekeyed data, in kilobytes. The range is from 100 KB to 4194303 KB.

Command Default

The rekey time or volume is not configured.

Command Modes


Global configuration (config)

Command History

Release

Modification

15.0(2)SE

This command was introduced.

15.1(1)SY

This command was integrated into Cisco IOS Release 15.1(1)SY.

Usage Guidelines

SSH rekey initiation occurs when the session key negotiated at connection startup is used for an unusually long time. A server or a client initiates a new key exchange based on the maximum number of packets transmitted or based on a specified time. The ip ssh rekey time command enables you to specify a time for the rekey initiation. The ip ssh rekey volume command enables you to specify a volume that is based on the maximum number of packets transmitted for the rekey initiation. When you use the no ip ssh rekey command, the configured time-based rekey or volume-based rekey is disabled.

Examples

The following example shows how to configure a time-based rekey for an SSH session:

Device(config)# ip ssh rekey time 108

The following example shows how to configure a volume-based rekey for an SSH session:

Device(config)# ip ssh rekey volume 500
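The usage guidelines above describe two independent rekey triggers, elapsed time and transmitted volume, each with its own permitted range. The model below is an added example for this page, not Cisco code: it validates the ranges the reference gives, tracks a session's key generation, and reports which trigger forced a new key exchange. How IOS counts volume internally is not stated on the page, so the model simply accumulates kilobytes handed to the session; the model also accepts both triggers at once, which is an assumption (the command syntax lists them as alternatives). The traffic profile in demo() is constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Ranges as given in the command reference.
TIME_RANGE_MIN = (10, 1440)
VOLUME_RANGE_KB = (100, 4194303)


@dataclass
class RekeyPolicy:
    """`ip ssh rekey time <min>` and/or `ip ssh rekey volume <kb>`; None = not set."""
    time_min: Optional[int] = None
    volume_kb: Optional[int] = None

    def __post_init__(self) -> None:
        if self.time_min is not None and not TIME_RANGE_MIN[0] <= self.time_min <= TIME_RANGE_MIN[1]:
            raise ValueError(f"rekey time {self.time_min} outside {TIME_RANGE_MIN} minutes")
        if self.volume_kb is not None and not VOLUME_RANGE_KB[0] <= self.volume_kb <= VOLUME_RANGE_KB[1]:
            raise ValueError(f"rekey volume {self.volume_kb} outside {VOLUME_RANGE_KB} KB")


class RekeySession:
    """Tracks one session's key generation and decides when a new exchange is due."""

    def __init__(self, policy: RekeyPolicy) -> None:
        self.policy = policy
        self.key_generation = 1          # the key negotiated at connection startup
        self.last_rekey_at = 0.0         # minutes since session start
        self.kb_since_rekey = 0
        self.rekeys: List[Tuple[float, str]] = []

    def transfer(self, at_min: float, kb: int) -> Optional[str]:
        """Account kb of traffic at time at_min. Returns "time" or "volume" when that
        trigger fired (time is checked first), None when the current key is kept.
        With no policy configured (the command default) a session never rekeys."""
        self.kb_since_rekey += kb
        reason = None
        if self.policy.time_min is not None and at_min - self.last_rekey_at >= self.policy.time_min:
            reason = "time"
        elif self.policy.volume_kb is not None and self.kb_since_rekey >= self.policy.volume_kb:
            reason = "volume"
        if reason is not None:
            self.key_generation += 1
            self.last_rekey_at = at_min
            self.kb_since_rekey = 0
            self.rekeys.append((at_min, reason))
        return reason


def demo() -> List[Tuple[float, str]]:
    """Constructed traffic profile against the reference's example values
    (time 108 minutes, volume 500 KB)."""
    s = RekeySession(RekeyPolicy(time_min=108, volume_kb=500))
    for at_min, kb in [(1.0, 200), (2.0, 300), (60.0, 50), (110.0, 1), (120.0, 1)]:
        s.transfer(at_min, kb)
    return s.rekeys


if __name__ == "__main__":
    print(demo())
```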

ip ssh rsa keypair-name

To specify which Rivest, Shamir, and Adleman (RSA) key pair to use for a Secure Shell (SSH) connection, use the ip ssh rsa keypair-name command in global configuration mode. To disable the key pair that was configured, use the no form of this command.

ip ssh rsa keypair-name keypair-name

no ip ssh rsa keypair-name keypair-name

Syntax Description

keypair-name

Name of the key pair.

Command Default

If this command is not configured, SSH will use the first RSA key pair that is enabled.

Command Modes


Global configuration (config)

Command History

Release

Modification

12.3(4)T

This command was introduced.

12.3(2)XE

This command was integrated into Cisco IOS Release 12.3(2)XE.

12.2(25)S

This command was integrated into Cisco IOS Release 12.2(25)S.

12.3(7)JA

This command was integrated into Cisco IOS Release 12.3(7)JA.

12.0(32)SY

This command was integrated into Cisco IOS Release 12.0(32)SY.

12.2(33)SXI4

This command was integrated into Cisco IOS Release 12.2(33)SXI4.

Usage Guidelines

Using the ip ssh rsa keypair-name command, you can enable an SSH connection using RSA keys that you have configured using the keypair-name argument. Previously, SSH was tied to the first RSA keys that were generated (that is, SSH was enabled when the first RSA key pair was generated). The previous behavior still exists, but by using the ip ssh rsa keypair-name command, you can overcome that behavior. If you configure the ip ssh rsa keypair-name command with a key pair name, SSH is enabled if the key pair exists, or SSH will be enabled if the key pair is generated later. If you use this command, you are not forced to configure a hostname and a domain name.


Note


A Cisco IOS router can have many RSA key pairs.


Examples

The following example shows how to specify the RSA key pair “sshkeys” for an SSH connection:


Router# configure terminal
Router(config)# ip ssh rsa keypair-name sshkeys

ip ssh server algorithm authentication

To define the order of user authentication algorithms in a Cisco IOS Secure Shell (SSH) server, use the ip ssh server algorithm authentication command in global configuration mode. To disable an algorithm from the configured list, use the no form of this command. To return to the default behavior in which all user authentication algorithms are enabled in the predefined order, use the default form of this command.

ip ssh server algorithm authentication {publickey | keyboard | password}

no ip ssh server algorithm authentication {publickey | keyboard | password}

Syntax Description

publickey

Enables the public-key-based authentication method.

keyboard

Enables the keyboard-interactive-based authentication method.

password

Enables the password-based authentication method.

Command Default

SSH user authentication algorithms are set to the following default order:


Authentication methods: publickey, keyboard-interactive, password

Command Modes


Global configuration (config)

Command History

Release

Modification

Cisco IOS 15.5(2)S

This command was introduced.

Cisco IOS XE 3.15S

This command was integrated into Cisco IOS XE Release 3.15S.

Cisco IOS 15.5(2)T

This command was integrated into Cisco IOS Release 15.5(2)T.

Usage Guidelines

To start a session between an SSH client and server, the preferred mode of user authentication needs to be decided. The IOS SSH server must have at least one configured user authentication algorithm.

The default order of the user authentication algorithms is:

Authentication methods: publickey, keyboard-interactive, password

To disable more than one algorithm, use the no form of the command multiple times with different algorithm names. If you try to disable the last user authentication algorithm in the configuration, the following message is displayed, and the command is rejected:

% SSH command rejected: All authentication algorithms can not be disabled.

Examples

The following example shows how to configure user authentication algorithms on Cisco IOS SSH servers:


Device> enable
Device# configure terminal
Device(config)# ip ssh server algorithm authentication publickey keyboard password
Device(config)# end

The following example shows how to return to the default behavior in which all user authentication algorithms are enabled in the predefined order:

Device> enable
Device# configure terminal
Device(config)# default ip ssh server algorithm authentication
Device(config)# end

ip ssh server algorithm encryption

To define the order of encryption algorithms in a Cisco IOS secure shell (SSH) server, use the ip ssh server algorithm encryption command in global configuration mode. To disable an algorithm from the configured list, use the no form of this command. To return to the default behavior in which all encryption algorithms are enabled in the predefined order, use the default form of this command.

ip ssh server algorithm encryption {aes128-ctr | aes192-ctr | aes256-ctr | aes128-cbc | 3des-cbc | aes192-cbc | aes256-cbc}

no ip ssh server algorithm encryption {aes128-ctr | aes192-ctr | aes256-ctr | aes128-cbc | 3des-cbc | aes192-cbc | aes256-cbc}

Syntax Description

aes128-ctr

Configures Advanced Encryption Standard Counter Mode (AES-CTR) encryption for 128-bit key length.

aes192-ctr

Configures AES-CTR encryption for 192-bit key length.

aes256-ctr

Configures AES-CTR encryption for 256-bit key length.

aes128-cbc

Configures AES Cipher Block Chaining (AES-CBC) 128-bit key length.

3des-cbc

Configures Triple Data Encryption Standard (3DES) CBC algorithm.

aes192-cbc

Configures AES-CBC encryption for 192-bit key length.

aes256-cbc

Configures AES-CBC encryption for 256-bit key length.

Command Default

SSH encryption algorithms are set to the following default order:

Encryption Algorithms: aes128-ctr, aes192-ctr, aes256-ctr, aes128-cbc, 3des-cbc, aes192-cbc, aes256-cbc

Command Modes


Global configuration (config)

Command History

Release

Modification

Cisco IOS 15.5(2)S

This command was introduced.

Cisco IOS XE 3.15S

This command was integrated into Cisco IOS XE Release 3.15S.

Cisco IOS 15.5(2)T

This command was integrated into Cisco IOS Release 15.5(2)T.

Usage Guidelines

To start an encrypted session between an SSH client and server, the preferred mode of encryption needs to be decided. For increased security, the preferred crypto algorithm for an SSH session is AES-CTR.

SSH Version 2 (SSHv2) supports AES-CTR encryption for 128-bit, 192-bit, and 256-bit key length. From the supported AES-CTR algorithms, the preferred algorithm is chosen based on the processing capability. The greater the length of the key, the stronger the encryption.

The Cisco IOS SSH servers and clients support three types of crypto algorithms to encrypt data and select an encryption mode in the following order of preferred encryption:
  1. AES-CTR

  2. AES-CBC

  3. 3DES

If the SSH session uses a remote device that does not support AES-CTR encryption mode, the encryption mode for the session falls back to AES-CBC mode.

The default order of the encryption algorithms is:

Encryption Algorithms: aes128-ctr, aes192-ctr, aes256-ctr, aes128-cbc, 3des-cbc, aes192-cbc, aes256-cbc

To disable more than one algorithm, use the no form of the command multiple times with different algorithm names. If you try to disable the last encryption algorithm in the configuration, the following message is displayed, and the command is rejected:

% SSH command rejected: All encryption algorithms cannot be disabled

Examples

The following example shows how to configure encryption algorithms on Cisco IOS SSH servers:


Device> enable
Device# configure terminal
Device(config)# ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr aes128-cbc 3des-cbc aes192-cbc aes256-cbc
Device(config)# end

The following example shows how to return to the default behavior in which all encryption algorithms are enabled in the predefined order:

Device> enable
Device# configure terminal
Device(config)# default ip ssh server algorithm encryption
Device(config)# end

ip ssh server algorithm kex

To define the order of key exchange (kex) algorithms in a Cisco IOS secure shell (SSH) server, use the ip ssh server algorithm kex command in global configuration mode. To disable an algorithm from the configured list, use the no form of this command. To return to the default behavior in which all kex algorithms are enabled in the predefined order, use the default form of this command.

ip ssh server algorithm kex {diffie-hellman-group14-sha1 | ecdh-sha2-nistp256 | ecdh-sha2-nistp384 | ecdh-sha2-nistp521}

no ip ssh server algorithm kex {diffie-hellman-group14-sha1 | ecdh-sha2-nistp256 | ecdh-sha2-nistp384 | ecdh-sha2-nistp521}

Syntax Description

diffie-hellman-group14-sha1

DH_GRP14_SHA1 diffie-hellman key exchange algorithm

ecdh-sha2-nistp256

ECDH_SHA2_P256 ecdh key exchange algorithm

ecdh-sha2-nistp384

ECDH_SHA2_P384 ecdh key exchange algorithm

ecdh-sha2-nistp521

ECDH_SHA2_P521 ecdh key exchange algorithm

Command Default

SSH kex algorithms are set to the following default order:

Kex Algorithms: ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521 diffie-hellman-group14-sha1

Command Modes


Global configuration (config)

Command History

Release

Modification

Cisco IOS XE 16.3

This command was introduced.

Usage Guidelines

The Cisco IOS SSH server and client must have at least one configured kex algorithm. The Cisco IOS SSH servers support the kex algorithms in the following order:
  1. ecdh-sha2-nistp256

  2. ecdh-sha2-nistp384

  3. ecdh-sha2-nistp521

  4. diffie-hellman-group14-sha1

The default order of the kex algorithms is:

Kex Algorithms: ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521 diffie-hellman-group14-sha1


To disable more than one algorithm, use the no form of the command multiple times with different algorithm names. If you try to disable the last kex algorithm in the configuration, the following message is displayed, and the command is rejected:

% SSH command rejected: All kex algorithms cannot be disabled

Examples

The following example shows how to configure kex algorithms on Cisco IOS SSH servers:


Device> enable
Device# configure terminal
Device(config)# ip ssh server algorithm kex ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521 diffie-hellman-group14-sha1
Device(config)# end

The following example shows how to return to the default behavior in which all kex algorithms are enabled in the predefined order:

Device> enable
Device# configure terminal
Device(config)# default ip ssh server algorithm kex
Device(config)# end

ip ssh server algorithm hostkey

To define the order of host key algorithms in a Cisco IOS secure shell (SSH) server, use the ip ssh server algorithm hostkey command in global configuration mode. To disable an algorithm from the configured list, use the no form of this command. To return to the default behavior in which all host key algorithms are enabled in the predefined order, use the default form of this command.

ip ssh server algorithm hostkey {x509v3-ssh-rsa | ssh-rsa}

no ip ssh server algorithm hostkey {x509v3-ssh-rsa | ssh-rsa}

Syntax Description

x509v3-ssh-rsa

Configures certificate-based authentication.

ssh-rsa

Configures public key based authentication.

Command Default

SSH host key algorithms are set to the following default order:

Hostkey Algorithms: x509v3-ssh-rsa, ssh-rsa

Command Modes


Global configuration (config)

Command History

Release

Modification

Cisco IOS 15.5(1)S

This command was introduced.

Cisco IOS XE 3.14S

This command was integrated into Cisco IOS XE Release 3.14S.

Cisco IOS 15.5(2)T

This command was integrated into Cisco IOS Release 15.5(2)T.

Usage Guidelines

The IOS SSH server and client must have at least one configured host key algorithm. The Cisco IOS SSH servers support the host key algorithms in the following order:
  1. x509v3-ssh-rsa

  2. ssh-rsa

The default order of the host key algorithms is:

Hostkey Algorithms: x509v3-ssh-rsa, ssh-rsa

To disable more than one algorithm, use the no form of the command multiple times with different algorithm names. If you try to disable the last host key algorithm in the configuration, the following message is displayed, and the command is rejected:

% SSH command rejected: All hostkey algorithms cannot be disabled

Examples

The following example shows how to configure host key algorithms on Cisco IOS SSH servers:


Device> enable
Device# configure terminal
Device(config)# ip ssh server algorithm hostkey x509v3-ssh-rsa ssh-rsa
Device(config)# end

The following example shows how to return to the default behavior in which all host key algorithms are enabled in the predefined order:

Device> enable
Device# configure terminal
Device(config)# default ip ssh server algorithm hostkey
Device(config)# end

ip ssh server algorithm mac

To define the order of Message Authentication Code (MAC) algorithms in a Cisco IOS secure shell (SSH) server and client, use the ip ssh server algorithm mac command in global configuration mode. To disable an algorithm from the configured list, use the no form of this command. To return to the default behavior in which all MAC algorithms are enabled in the predefined order, use the default form of this command.

ip ssh server algorithm mac { hmac-sha2-256-etm@openssh.com | hmac-sha2-512-etm@openssh.com | hmac-sha2-256 | hmac-sha2-512 }

no ip ssh server algorithm mac { hmac-sha2-256-etm@openssh.com | hmac-sha2-512-etm@openssh.com | hmac-sha2-256 | hmac-sha2-512 }

Syntax Description

hmac-sha2-256

Configures the HMAC algorithm of HMAC-SHA2-256 as a cryptographic algorithm with a digest size of 256 bits and a key length of 256 bits.

hmac-sha2-512

Configures the HMAC algorithm of HMAC-SHA2-512 as a cryptographic algorithm with a digest size of 512 bits and a key length of 512 bits.

hmac-sha2-256-etm@openssh.com

Configures the HMAC algorithm of HMAC-SHA2-256-Encrypt-then-MAC@openssh.com as a cryptographic algorithm with a digest size of 256 bits and a key length of 256 bits.

hmac-sha2-512-etm@openssh.com

Configures the HMAC algorithm of HMAC-SHA2-512-Encrypt-then-MAC@openssh.com as a cryptographic algorithm with a digest size of 512 bits and a key length of 512 bits.

Command Default

SSH MAC algorithms are set to the following default order:

MAC Algorithms: hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, hmac-sha2-256, hmac-sha2-512

Command Modes


Global configuration (config)

Command History

Release

Modification

Cisco IOS 15.5(2)S

This command was introduced.

Cisco IOS XE 3.15S

This command was integrated into Cisco IOS XE Release 3.15S.

Cisco IOS 15.5(2)T

This command was integrated into Cisco IOS Release 15.5(2)T.

Cisco IOS XE Everest 16.5.1b

The HMAC-SHA2 MAC algorithms for SSH were introduced.

Cisco IOS XE Amsterdam 17.3

The hmac-sha2-256-etm@openssh.com and hmac-sha2-512-etm@openssh.com MAC algorithms for SSH were introduced.

Usage Guidelines

The Cisco IOS SSH servers and clients must have at least one configured Hashed Message Authentication Code (HMAC) algorithm and can have more than one HMAC algorithm configured. The Cisco IOS SSH servers and clients support the MAC algorithms in the following order:

  1. hmac-sha2-256-etm@openssh.com

  2. hmac-sha2-512-etm@openssh.com

  3. hmac-sha2-256

  4. hmac-sha2-512

The default order of the MAC algorithms is:

MAC Algorithms: hmac-sha2-256, hmac-sha2-512, hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com

To disable more than one algorithm, use the no form of the command multiple times with different algorithm names. If you try to disable the last MAC algorithm in the configuration, the following message is displayed, and the command is rejected:

% SSH command rejected: All mac algorithms cannot be disabled

Examples

The following example shows how to configure MAC algorithms on Cisco IOS SSH servers:


Device> enable
Device# configure terminal
Device(config)# ip ssh server algorithm mac hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com hmac-sha2-256 hmac-sha2-512
Device(config)# end

The following example shows how to return to the default behavior in which all MAC algorithms are enabled in the predefined order:

Device> enable
Device# configure terminal
Device(config)# default ip ssh server algorithm mac
Device(config)# end

ip ssh server algorithm publickey

To define the order of public key algorithms in a Cisco IOS secure shell (SSH) server for user authentication, use the ip ssh server algorithm publickey command in global configuration mode. To disable an algorithm from the configured list, use the no form of this command. To return to the default behavior in which all public key algorithms are enabled in the predefined order, use the default form of this command.

ip ssh server algorithm publickey {x509v3-ssh-rsa | ssh-rsa}

no ip ssh server algorithm publickey {x509v3-ssh-rsa | ssh-rsa}

Syntax Description

x509v3-ssh-rsa

Configures certificate-based authentication.

ssh-rsa

Configures public key based authentication.

Command Default

SSH public key algorithms are set to the following default order:

Authentication Publickey Algorithms: x509v3-ssh-rsa, ssh-rsa

Command Modes


Global configuration (config)

Command History

Release

Modification

Cisco IOS 15.5(1)S

This command was introduced.

Cisco IOS XE 3.14S

This command was integrated into Cisco IOS XE Release 3.14S.

Cisco IOS 15.5(2)T

This command was integrated into Cisco IOS Release 15.5(2)T.

Usage Guidelines

The IOS SSH server and client must have at least one configured public key algorithm. The Cisco IOS SSH servers support the public key algorithms in the following order:
  1. x509v3-ssh-rsa

  2. ssh-rsa

The default order of the public key algorithms is:

Authentication Publickey Algorithms: x509v3-ssh-rsa, ssh-rsa

To disable more than one algorithm, use the no form of the command multiple times with different algorithm names. If you try to disable the last public key algorithm in the configuration, the following message is displayed, and the command is rejected:

% SSH command rejected: All publickey algorithms cannot be disabled.

Examples

The following example shows how to configure public key algorithms on Cisco IOS SSH servers:


Device> enable
Device# configure terminal
Device(config)# ip ssh server algorithm publickey x509v3-ssh-rsa ssh-rsa
Device(config)# end

The following example shows how to return to the default behavior in which all public key algorithms are enabled in the predefined order:

Device> enable
Device# configure terminal
Device(config)# default ip ssh server algorithm publickey
Device(config)# end

ip ssh server authenticate user

To enable the user authentication methods available in a Cisco IOS Secure Shell (SSH) server, use the ip ssh server authenticate user command in global configuration mode. To disable the user authentication methods available in a Cisco IOS SSH server, use the no form of this command. To return to the default behavior in which all user authentication methods are enabled in the predefined order, use the default form of this command.

ip ssh server authenticate user {publickey | keyboard | password}

no ip ssh server authenticate user {publickey | keyboard | password}

default ip ssh server authenticate user

Syntax Description

publickey

Enables the public-key-based authentication method.

keyboard

Enables the keyboard-interactive-based authentication method.

password

Enables the password-based authentication method.

Command Default

All three user authentication methods are enabled in the following predefined order:
  • Public-key authentication method

  • Keyboard-interactive authentication method

  • Password authentication method

Command Modes

Global configuration (config)

Command History

Release

Modification

15.3(3)M

This command was introduced.

Cisco IOS XE Release 3.10S

This command was integrated into Cisco IOS XE Release 3.10S.

Usage Guidelines

The no ip ssh server authenticate user {publickey | keyboard | password} command enables the SSH server to choose a preferred user authentication method by disabling any of the other supported user authentication methods. By default, all user authentication methods are enabled on the SSH server in the following predefined order:
  • Public-key authentication method

  • Keyboard-interactive authentication method

  • Password authentication method

The following messages are displayed during specific scenarios:
  • If the public-key-based authentication method is disabled using the no ip ssh server authenticate user publickey command, the RFC 4252 (The Secure Shell (SSH) Authentication Protocol) behavior in which public-key authentication is mandatory is overridden and the following warning message is displayed:

    %SSH: Publickey disabled. Overriding RFC
  • If all three authentication methods are disabled, the following warning message is displayed:

    %SSH: No auth method configured. Incoming connection will be dropped
  • In the event of an incoming SSH session request from the SSH client when all three user authentication methods are disabled on the SSH server, the connection request is dropped at the SSH server and a system log message is available in the following format:

    %SSH-3-NO_USERAUTH: No auth method configured for SSH Server. Incoming connection from <ip address> (tty = <ttynum>) dropped

Examples

The following example shows how to disable the public-key-based authentication and keyboard-interactive-based authentication methods, allowing the SSH client to connect to the SSH server using password-based authentication:

Device> enable
Device# configure terminal
Device(config)# no ip ssh server authenticate user publickey
%SSH: Publickey disabled. Overriding RFC
Device(config)# no ip ssh server authenticate user keyboard
Device(config)# exit

The following example shows how to enable the public-key-based authentication and keyboard-interactive-based authentication methods:

Device> enable
Device# configure terminal
Device(config)# ip ssh server authenticate user publickey
Device(config)# ip ssh server authenticate user keyboard
Device(config)# exit

The following example shows how to return to the default behavior in which all user authentication methods are enabled in the predefined order:

Device> enable
Device# configure terminal
Device(config)# default ip ssh server authenticate user
Device(config)# exit

ip ssh source-interface

To specify the IP address of an interface as the source address for a Secure Shell (SSH) client device, use the ip ssh source-interface command in global configuration mode. To remove the IP address as the source address, use the no form of this command.

ip ssh source-interface interface

no ip ssh source-interface interface

Syntax Description

interface

The interface whose address is used as the source address for the SSH client.

Command Default

The address of the closest interface to the destination is used as the source address (the closest interface is the output interface through which the SSH packet is sent).

Command Modes


Global configuration

Command History

Release

Modification

12.2(8)T

This command was introduced.

Usage Guidelines

By specifying this command, you can force the SSH client to use the IP address of the source interface as the source address.

Examples

In the following example, the IP address assigned to Ethernet interface 0 will be used as the source address for the SSH client:


ip ssh source-interface ethernet0

ip ssh stricthostkeycheck

To enable strict host key checking on the Secure Shell (SSH) server, use the ip ssh stricthostkeycheck command in global configuration mode. To disable strict host key checking, use the no form of this command.

ip ssh stricthostkeycheck

no ip ssh stricthostkeycheck

Syntax Description

This command has no arguments or keywords.

Command Default

Strict host key checking on the SSH server is not enabled.

Command Modes


Global configuration (config)

Command History

Release

Modification

15.0(1)M

This command was introduced.

15.1(1)S

This command was integrated into Cisco IOS Release 15.1(1)S.

Usage Guidelines

Use the ip ssh stricthostkeycheck command to enforce strict host key checking on the SSH server side. When this command is configured, every server is authenticated by its host key.


Note


This command is not available on SSH Version 1.


  • If the ip ssh pubkey-chain command is not configured, the ip ssh stricthostkeycheck command will lead to connection failure in SSH Version 2.

Examples

The following example shows how to enable strict host key checking:


Router(config)# ip ssh stricthostkeycheck

ip ssh version

To specify the version of Secure Shell (SSH) to be run on a router, use the ip ssh version command in global configuration mode. To disable the version of SSH that was configured and to return to compatibility mode, use the no form of this command.

ip ssh version [1 | 2]

no ip ssh version [1 | 2]

Syntax Description

1

(Optional) Router runs only SSH Version 1.

2

(Optional) Router runs only SSH Version 2.

Command Default

If this command is not configured, SSH operates in compatibility mode, that is, Version 1 and Version 2 are both supported.

Command Modes


Global configuration

Command History

Release

Modification

12.3(4)T

This command was introduced.

12.3(2)XE

This command was integrated into Cisco IOS Release 12.3(2)XE.

12.2(25)S

This command was integrated into Cisco IOS Release 12.2(25)S.

12.3(7)JA

This command was integrated into Cisco IOS Release 12.3(7)JA.

12.0(32)SY

This command was integrated into Cisco IOS Release 12.0(32)SY.

12.4(20)T

This command was integrated into Cisco IOS Release 12.4(20)T.

15.2(2)SA2

This command was implemented on the Cisco ME 2600X Series Ethernet Access Switches.

Usage Guidelines

You can use this command with the 2 keyword to ensure that your router will not inadvertently establish a weaker SSH Version 1 connection.

Examples

The following example shows that only SSH Version 1 support is configured:


Router(config)# ip ssh version 1

The following example shows that only SSH Version 2 is configured:


Router(config)# ip ssh version 2

The following example shows that SSH Versions 1 and 2 are configured:


Router(config)# no ip ssh version
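The ip ssh server algorithm, ip ssh server authenticate user, ip ssh stricthostkeycheck and ip ssh version entries above all describe settings that end up as single lines in the running configuration, which makes them easy to audit offline. The following script is an added example, not Cisco code: it parses those "ip ssh" lines from a running-config excerpt and reports the choices a reviewer would flag (SSH not pinned to version 2, CBC or 3DES ciphers, the SHA-1 based Diffie-Hellman group 14 exchange, a non encrypt-then-MAC algorithm listed first, password authentication left enabled, strict host key checking absent). The two sample configs, the "weak" keyword sets and the wording of the findings are constructed for the example; "no ip ssh ..." lines are deliberately not interpreted.

```python
"""Audit the ``ip ssh`` global-configuration lines of a Cisco IOS running-config.

Added example, not Cisco code: it parses the commands documented in this
reference and reports settings a reviewer would flag. The sample configs,
the "weak" keyword sets and the findings wording are constructed here.
"""

# Keywords (from the syntax descriptions above) that a reviewer would treat as weak:
# CBC-mode ciphers and 3DES, and the SHA-1 based Diffie-Hellman group 14 exchange.
WEAK_ENCRYPTION = {"3des-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc"}
WEAK_KEX = {"diffie-hellman-group14-sha1"}

# Command prefixes that follow "ip ssh "; the rest of the line is the value list.
PREFIXES = (
    "server algorithm authentication", "server algorithm encryption",
    "server algorithm hostkey", "server algorithm kex", "server algorithm mac",
    "server algorithm publickey", "server authenticate user", "rsa keypair-name",
    "rekey time", "rekey volume", "stricthostkeycheck", "source-interface", "version",
)

# Constructed sample: a config excerpt with several weak choices.
SAMPLE_CONFIG = """\
hostname edge-rtr
ip ssh rsa keypair-name sshkeys
ip ssh server algorithm encryption aes128-ctr aes128-cbc 3des-cbc
ip ssh server algorithm kex ecdh-sha2-nistp256 diffie-hellman-group14-sha1
ip ssh server algorithm mac hmac-sha2-256-etm@openssh.com hmac-sha2-256
ip ssh server algorithm authentication publickey password
ip ssh rekey time 108
"""

# Constructed sample: the same device after hardening.
HARDENED_CONFIG = """\
hostname edge-rtr
ip ssh version 2
ip ssh rsa keypair-name sshkeys
ip ssh server algorithm encryption aes256-ctr aes192-ctr aes128-ctr
ip ssh server algorithm kex ecdh-sha2-nistp521 ecdh-sha2-nistp384 ecdh-sha2-nistp256
ip ssh server algorithm mac hmac-sha2-512-etm@openssh.com hmac-sha2-256-etm@openssh.com
ip ssh server algorithm authentication publickey keyboard
ip ssh stricthostkeycheck
ip ssh rekey time 108
"""


def parse_ip_ssh(config):
    """Return {prefix: [values]} for each "ip ssh ..." line; "no ip ssh" lines are skipped."""
    settings = {}
    for raw in config.splitlines():
        line = raw.strip()
        if not line.startswith("ip ssh "):
            continue
        rest = line[len("ip ssh "):]
        for prefix in PREFIXES:
            if rest == prefix or rest.startswith(prefix + " "):
                settings.setdefault(prefix, []).extend(rest[len(prefix):].split())
                break
    return settings


def audit(config):
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    s = parse_ip_ssh(config)
    findings = []
    if s.get("version") != ["2"]:
        findings.append("SSH not pinned to version 2 (compatibility mode also accepts SSHv1)")
    weak_enc = [a for a in s.get("server algorithm encryption", []) if a in WEAK_ENCRYPTION]
    if weak_enc:
        findings.append("weak encryption algorithms enabled: " + ", ".join(weak_enc))
    weak_kex = [a for a in s.get("server algorithm kex", []) if a in WEAK_KEX]
    if weak_kex:
        findings.append("weak kex algorithms enabled: " + ", ".join(weak_kex))
    macs = s.get("server algorithm mac", [])
    if macs and not macs[0].endswith("-etm@openssh.com"):
        findings.append("encrypt-then-MAC variant is not the preferred MAC: " + macs[0])
    auth = s.get("server algorithm authentication", [])
    if auth and auth[0] != "publickey":
        findings.append("publickey is not the first user authentication method")
    if "password" in auth:
        findings.append("password-based user authentication is enabled")
    if "stricthostkeycheck" not in s:
        findings.append("ip ssh stricthostkeycheck is not configured")
    return findings


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or ["no findings"])
```

Because the device rejects an attempt to disable the last algorithm of any class, an audit like this is the practical way to confirm that the remaining list contains only the algorithms you intended, and that the first entry of each list is the one the server will prefer.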

ip tacacs source-interface

To use the IP address of a specified interface for all outgoing TACACS+ packets, use the ip tacacs source-interface command in global configuration or server-group configuration mode. To disable use of the specified interface IP address, use the no form of this command.

ip tacacs source-interface subinterface-name vrf vrf-name

no ip tacacs source-interface

Syntax Description

subinterface-name

Name of the interface that TACACS+ uses for all of its outgoing packets.

vrf vrf-name

VPN routing/forwarding parameter name.

Command Default

None

Command Modes


Global configuration (config)


Server-group configuration (server-group)

Command History

Release

Modification

10.0

This command was introduced.

12.3(7)T

This command was introduced in server-group configuration mode.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.

12.2(33)SXH

This command was integrated into Cisco IOS Release 12.2(33)SXH.

12.2(33)SXI

This command was integrated into Cisco IOS Release 12.2(33)SXI.

12.2(54)SG

This command was integrated into Cisco IOS Release 12.2(54)SG.

Cisco IOS XE Fuji 16.9.1

The vrf vrf-name keyword-argument pair was added.

Usage Guidelines

Use this command to set the IP address of a subinterface for all outgoing TACACS+ packets. This address is used as long as the interface is in the up state. In this way, the TACACS+ server can use one IP address entry associated with the network access client instead of maintaining a list of all IP addresses.

This command is especially useful in cases where the router has many interfaces and you want to ensure that all TACACS+ packets from a particular router have the same IP address.

The specified subinterface must have a valid IP address and be in the up state for a valid configuration. Even if the specified subinterface has no valid IP address or is in the down state, TACACS+ still enforces the source-interface configuration; if the interface has no IP address, a null IP address is sent. To avoid this, assign a valid IP address to the subinterface or bring it to the up state.


Note


This command can be configured globally or in server-group configuration mode. If this command is configured in the server-group configuration mode, the IP address of the specified interface is used for packets that are going only to servers that are defined in that server group. If this command is not configured in server-group configuration mode, the global configuration applies.


Examples

The following example makes TACACS+ use the IP address of subinterface “s2” for all outgoing TACACS+ packets:


ip tacacs source-interface s2

In the following example, TACACS+ is to use the IP address of Loopback0 for packets that are going only to server 10.1.1.1:


aaa group server tacacs+ tacacs1
 server-private 10.1.1.1 port 19 key cisco
 ip vrf forwarding cisco
 ip tacacs source-interface Loopback0
ip vrf cisco
 rd 100:1
interface Loopback0
 ip address 10.0.0.2 255.0.0.0
 ip vrf forwarding cisco

ip tcp intercept connection-timeout

To change how long a TCP connection will be managed by the TCP intercept after no activity, use the ip tcp intercept connection-timeout command in global configuration mode. To restore the default, use the no form of this command.

ip tcp intercept connection-timeout seconds

no ip tcp intercept connection-timeout [seconds]

Syntax Description

seconds

Time (in seconds) that the software will still manage the connection after no activity. The minimum value is 1 second. The default is 86,400 seconds (24 hours).

Command Default

86,400 seconds (24 hours)

Command Modes


Global configuration

Command History

Release

Modification

11.2 F

This command was introduced.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.

Usage Guidelines

Use the ip tcp intercept connection-timeout command to change how long a TCP connection will be managed by the TCP intercept after a period of inactivity.

Examples

The following example sets the software to manage the connection for 12 hours (43,200 seconds) after no activity:


ip tcp intercept connection-timeout 43200

ip tcp intercept drop-mode

To set the TCP intercept drop mode, use the ip tcp intercept drop-mode command in global configuration mode. To restore the default, use the no form of this command.

ip tcp intercept drop-mode [oldest | random]

no ip tcp intercept drop-mode [oldest | random]

Syntax Description

oldest

(Optional) Software drops the oldest partial connection. This is the default.

random

(Optional) Software drops a randomly selected partial connection.

Command Default

oldest

Command Modes


Global configuration

Command History

Release

Modification

11.2 F

This command was introduced.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.

Usage Guidelines

If the number of incomplete connections exceeds 1100 or the number of connections arriving in the last 1 minute exceeds 1100, the TCP intercept feature becomes more aggressive. When this happens, each new arriving connection causes the oldest partial connection to be deleted, and the initial retransmission timeout is reduced by half to 0.5 seconds (and so the total time trying to establish the connection will be cut in half).

Note that the 1100 thresholds can be configured with the ip tcp intercept max-incomplete high and ip tcp intercept one-minute high commands.

Use the ip tcp intercept drop-mode command to change the dropping strategy from oldest to a random drop.
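To make the threshold and eviction behaviour described above concrete, the following model is an added example, not Cisco code. It keeps a table of half-open connections and switches to aggressive mode once the number of incomplete connections, or the number of attempts in the last minute, exceeds the 1100 high threshold; each new attempt then evicts one partial connection (the oldest, or a random one under drop-mode random) and the initial retransmission timeout halves from 1 s to 0.5 s. The low thresholds of 900 used to leave aggressive mode, the one-minute sliding window and the flow identifiers and timestamps are assumptions constructed for the example.

```python
"""Model of the TCP intercept half-open table and its aggressive mode.

Added example, not Cisco code. High thresholds follow the 1100 stated above;
the low thresholds (900) used to leave aggressive mode, the one-minute window
and all flows and timestamps are assumptions constructed for this example.
"""
import random
from collections import OrderedDict, deque


class TcpIntercept:
    def __init__(self, max_incomplete_high=1100, max_incomplete_low=900,
                 one_minute_high=1100, one_minute_low=900,
                 drop_mode="oldest", seed=0):
        if drop_mode not in ("oldest", "random"):
            raise ValueError("drop_mode must be 'oldest' or 'random'")
        self.max_high, self.max_low = max_incomplete_high, max_incomplete_low
        self.min_high, self.min_low = one_minute_high, one_minute_low
        self.drop_mode = drop_mode
        self.rng = random.Random(seed)   # seeded so "random" runs are reproducible
        self.half_open = OrderedDict()   # flow -> arrival time; insertion order = age
        self.arrivals = deque()          # arrival times feeding the one-minute counter
        self.aggressive = False
        self.dropped = 0

    @property
    def initial_rto(self):
        """Initial retransmission timeout: 1 s normally, 0.5 s in aggressive mode."""
        return 0.5 if self.aggressive else 1.0

    def _arrivals_last_minute(self, now):
        # Drop arrivals older than 60 s, then count what is left.
        while self.arrivals and now - self.arrivals[0] >= 60:
            self.arrivals.popleft()
        return len(self.arrivals)

    def _update_mode(self, now):
        incomplete = len(self.half_open)
        rate = self._arrivals_last_minute(now)
        if incomplete > self.max_high or rate > self.min_high:
            self.aggressive = True
        elif incomplete < self.max_low and rate < self.min_low:
            self.aggressive = False

    def _evict(self):
        if self.drop_mode == "oldest":
            victim = next(iter(self.half_open))           # first inserted = oldest
        else:
            victim = self.rng.choice(list(self.half_open))
        del self.half_open[victim]
        self.dropped += 1

    def syn(self, flow, now):
        """A connection attempt matching the intercept access list arrives at time ``now``."""
        self._update_mode(now)
        if self.aggressive and self.half_open:
            self._evict()                                 # one eviction per new attempt
        self.half_open[flow] = now
        self.arrivals.append(now)

    def established(self, flow):
        """The client completed the handshake, so the entry leaves the half-open table."""
        self.half_open.pop(flow, None)


def simulate_syn_flood(n_attempts, drop_mode="oldest"):
    """Feed ``n_attempts`` constructed half-open attempts at t=0 and return the table."""
    ti = TcpIntercept(drop_mode=drop_mode)
    for i in range(1, n_attempts + 1):
        ti.syn("c%d" % i, now=0.0)
    return ti


if __name__ == "__main__":
    ti = simulate_syn_flood(1200)
    print("aggressive:", ti.aggressive, "half-open:", len(ti.half_open),
          "dropped:", ti.dropped, "initial rto:", ti.initial_rto)
```

Running the flood with 1200 attempts shows the table capped at 1101 entries with 99 evictions, and the difference between the two drop modes is only which entry goes: with oldest, a sustained flood steadily removes the earliest attempts (which under attack are the ones least likely to complete), whereas random spreads the evictions so that a legitimate client that arrived just before the flood is not guaranteed to be the first one dropped.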

Examples

The following example sets the drop mode to random:


ip tcp intercept drop-mode random

ip tcp intercept finrst-timeout

To change how long after receipt of a reset or FIN-exchange the software ceases to manage the connection, use the ip tcp intercept finrst-timeout command in global configuration mode. To restore the default, use the no form of this command.

ip tcp intercept finrst-timeout seconds

no ip tcp intercept finrst-timeout [seconds]

Syntax Description

seconds

Time (in seconds) after receiving a reset or FIN-exchange that the software ceases to manage the connection. The minimum value is 1 second. The default is 5 seconds.

Command Default

5 seconds

Command Modes


Global configuration

Command History

Release

Modification

11.2 F

This command was introduced.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.

Usage Guidelines

Even after the two ends of the connection are joined, the software intercepts packets being sent back and forth. Use this command if you need to adjust how soon after receiving a reset or FIN-exchange the software stops intercepting packets.

Examples

The following example sets the software to wait for 10 seconds before it leaves intercept mode:


ip tcp intercept finrst-timeout 10

ip tcp intercept list

To enable TCP intercept, use the ip tcp intercept list command in global configuration mode. To disable TCP intercept, use the no form of this command.

ip tcp intercept list access-list-number

no ip tcp intercept list access-list-number

Syntax Description

access-list-number

Extended access list number in the range from 100 to 199.

Command Default

Disabled

Command Modes


Global configuration

Command History

Release

Modification

11.2 F

This command was introduced.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.

Usage Guidelines

The TCP intercept feature intercepts TCP connection attempts and shields servers from TCP SYN-flood attacks, also known as denial-of-service attacks.

TCP packets matching the access list are presented to the TCP intercept code for processing, as determined by the ip tcp intercept mode command. The TCP intercept code either intercepts or watches the connections.

To have all TCP connection attempts submitted to the TCP intercept code, have the access list match everything.

Examples

The following example configuration defines access list 101, causing the software to intercept packets for all TCP servers on the 192.168.1.0/24 subnet:


ip tcp intercept list 101
!
access-list 101 permit tcp any 192.168.1.0 0.0.0.255

ip tcp intercept max-incomplete

To define either the number of incomplete connections below which the software leaves aggressive mode or the maximum number of incomplete connections allowed before the software enters aggressive mode, use the ip tcp intercept max-incomplete command in global configuration mode. To restore the default, use the no form of this command.

ip tcp intercept max-incomplete low number high number

no ip tcp intercept max-incomplete [low number high number]

Syntax Description

low number

Defines the number of incomplete connections below which the software leaves aggressive mode. The range is 1 to 2147483647. The default is 900.

high number

Defines the number of incomplete connections allowed, above which the software enters aggressive mode. The range is from 1 to 2147483647. The default is 1100.

Command Default

The number of incomplete connections below which the software leaves aggressive mode is 900.

The maximum number of incomplete connections allowed before the software enters aggressive mode is 1100.

Command Modes


Global configuration

Command History

Release

Modification

12.4(15)T

This command was introduced in Cisco IOS Release 12.4(15)T. This command replaces the ip tcp intercept max-incomplete low and the ip tcp intercept max-incomplete high commands.

12.2(33)SXH

This command was integrated into Cisco IOS Release 12.2(33)SXH.

Usage Guidelines

There are two factors that determine aggressive mode: connection requests and incomplete connections.

By default, if both the number of connection requests and the number of incomplete connections is 900 or lower, aggressive mode ends.

By default, if either the number of connection requests or the number of incomplete connections is 1100 or greater, aggressive mode begins.

The number of connection requests may be defined by the ip tcp intercept one-minute command and the number of incomplete connections may be defined by the ip tcp intercept max-incomplete command.

Characteristics of Aggressive Mode

The following are the characteristics of aggressive mode:

  • Each new arriving connection causes the oldest partial connection to be deleted.

  • The initial retransmission timeout, the total time the router attempts to establish the connection, is reduced from 1 second to 0.5 seconds.

  • The watch-timeout period is reduced from 30 seconds to 15 seconds.

Examples

The following example sets the software to leave aggressive mode when the number of incomplete connections falls below 1000 and allows 1500 incomplete connections before the software enters aggressive mode. The running configuration is also shown.


Router(config)# ip tcp intercept max-incomplete low 1000 high 1500
Router(config)# show running-config | i ip tcp
     ip tcp intercept max-incomplete low 1000 high 1500

ip tcp intercept max-incomplete high


Note


Effective with Cisco IOS Release 12.2(33)SXH and Cisco IOS Release 12.4(15)T, the ip tcp intercept max-incomplete high command is replaced by the ip tcp intercept max-incomplete command. See the ip tcp intercept max-incomplete command for more information.


To define the maximum number of incomplete connections allowed before the software enters aggressive mode, use the ip tcp intercept max-incomplete high command in global configuration mode. To restore the default, use the no form of this command.

ip tcp intercept max-incomplete high number

no ip tcp intercept max-incomplete high [number]

Syntax Description

number

Defines the number of incomplete connections allowed, above which the software enters aggressive mode. The range is from 1 to 2147483647. The default is 1100.

Command Default

1100 incomplete connections

Command Modes


Global configuration

Command History

Release

Modification

11.2 F

This command was introduced.

12.4(15)T

This command was replaced by the ip tcp intercept max-incomplete command.

12.2(33)SXH

This command was replaced by the ip tcp intercept max-incomplete command.

Usage Guidelines


Note


If you are running Cisco IOS Release 12.2(33)SXH or Cisco IOS Release 12.4(15)T and issue the ip tcp intercept max-incomplete high command, it will be accepted by the router, but a message will be displayed stating that the ip tcp intercept max-incomplete high command has been replaced by the ip tcp intercept max-incomplete command.


If the number of incomplete connections exceeds the number configured, the TCP intercept feature becomes aggressive. The following are the characteristics of aggressive mode:

  • Each new arriving connection causes the oldest partial connection to be deleted.

  • The initial retransmission timeout is reduced by half to 0.5 seconds (and so the total time trying to establish the connection is cut in half).

  • The watch-timeout is cut in half (from 30 seconds to 15 seconds).

You can change the drop strategy from the oldest connection to a random connection with the ip tcp intercept drop-mode command.


Note


The two factors that determine aggressive mode (connection requests and incomplete connections) are related and work together. When the value of either ip tcp intercept one-minute high or ip tcp intercept max-incomplete high is exceeded, aggressive mode begins. When both connection requests and incomplete connections fall below the values of ip tcp intercept one-minute low and ip tcp intercept max-incomplete low, aggressive mode ends.


The software will back off from its aggressive mode when the number of incomplete connections falls below the number specified by the ip tcp intercept max-incomplete low command.

Examples

The following example allows 1500 incomplete connections before the software enters aggressive mode:


ip tcp intercept max-incomplete high 1500

ip tcp intercept max-incomplete low


Note


Effective with Cisco IOS Release 12.2(33)SXH and Cisco IOS Release 12.4(15)T, the ip tcp intercept max-incomplete low command is replaced by the ip tcp intercept max-incomplete command. See the ip tcp intercept max-incomplete command for more information.


To define the number of incomplete connections below which the software leaves aggressive mode, use the ip tcp intercept max-incomplete low command in global configuration mode. To restore the default, use the no form of this command.

ip tcp intercept max-incomplete low number

no ip tcp intercept max-incomplete low [number]

Syntax Description

number

Defines the number of incomplete connections below which the software leaves aggressive mode. The range is 1 to 2147483647. The default is 900.

Command Default

900 incomplete connections

Command Modes


Global configuration

Command History

Release

Modification

11.2 F

This command was introduced.

12.4(15)T

This command was replaced by the ip tcp intercept max-incomplete command.

12.2(33)SXH

This command was replaced by the ip tcp intercept max-incomplete command.

Usage Guidelines


Note


If you are running Cisco IOS Release 12.2(33)SXH or Cisco IOS Release 12.4(15)T and issue the ip tcp intercept max-incomplete low command, it will be accepted by the router, but a message will be displayed stating that the ip tcp intercept max-incomplete high command has been replaced by the ip tcp intercept max-incomplete command.


When both connection requests and incomplete connections fall below the values of ip tcp intercept one-minute low and ip tcp intercept max-incomplete low, the TCP intercept feature leaves aggressive mode.


Note


The two factors that determine aggressive mode (connection requests and incomplete connections) are related and work together. When the value of either ip tcp intercept one-minute high or ip tcp intercept max-incomplete high is exceeded, aggressive mode begins. When both connection requests and incomplete connections fall below the values of ip tcp intercept one-minute low and ip tcp intercept max-incomplete low, aggressive mode ends.


See the ip tcp intercept max-incomplete high command for a description of aggressive mode.

Examples

The following example sets the software to leave aggressive mode when the number of incomplete connections falls below 1000:


ip tcp intercept max-incomplete low 1000

ip tcp intercept mode

To change the TCP intercept mode, use the ip tcp intercept mode command in global configuration mode. To restore the default, use the no form of this command.

ip tcp intercept mode {intercept | watch}

no ip tcp intercept mode [intercept | watch]

Syntax Description

intercept

Active mode in which the TCP intercept software intercepts TCP packets from clients to servers that match the configured access list and performs intercept duties. This is the default.

watch

Monitoring mode in which the software allows connection attempts to pass through the router and watches them until they are established.

Command Default

intercept

Command Modes


Global configuration

Command History

Release

Modification

11.2 F

This command was introduced.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.

Usage Guidelines

When TCP intercept is enabled, it operates in intercept mode by default. In intercept mode, the software actively intercepts TCP SYN packets from clients to servers that match the specified access list. For each SYN, the software responds on behalf of the server with an ACK and SYN, and waits for an ACK of the SYN from the client. When that ACK is received, the original SYN is sent to the server, and the code then performs a three-way handshake with the server. Then the two half-connections are joined.

In watch mode, the software allows connection attempts to pass through the router, but watches them until they become established. If they fail to become established in 30 seconds (or the value set by the ip tcp intercept watch-timeout command), a Reset is sent to the server to clear its state.
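The two modes described above, and the finrst-timeout behaviour described under ip tcp intercept finrst-timeout, as an added simulation that is not Cisco code: it replays one client SYN through a router in intercept mode (the router answers the SYN itself and only handshakes with the server after the client's ACK) and in watch mode (the SYN passes through and a reset goes to the server if the handshake is not completed within the watch-timeout). Host names, times and the 30-second and 5-second timer values are the documented defaults or constructed sample values.

```python
from dataclasses import dataclass, field


@dataclass
class Connection:
    client: str
    server: str
    state: str = "new"
    started: float = 0.0          # time of the client's SYN
    closed: float = 0.0           # time of the FIN exchange or reset
    segments: list = field(default_factory=list)   # (time, src, dst, flags)


class TcpIntercept:
    """Simplified TCP intercept state machine (intercept or watch mode)."""

    def __init__(self, mode="intercept", watch_timeout=30.0, finrst_timeout=5.0):
        if mode not in ("intercept", "watch"):
            raise ValueError("mode must be 'intercept' or 'watch'")
        self.mode = mode
        self.watch_timeout = watch_timeout     # ip tcp intercept watch-timeout
        self.finrst_timeout = finrst_timeout   # ip tcp intercept finrst-timeout
        self.conns = {}

    def client_syn(self, now, client, server):
        c = Connection(client, server, started=now)
        self.conns[(client, server)] = c
        if self.mode == "intercept":
            # Answer on behalf of the server; the server has not seen anything yet,
            # so a client that never completes the handshake never reaches it.
            c.segments.append((now, "router", client, "SYN-ACK"))
            c.state = "synrcvd"
        else:
            # Watch mode: let the SYN through and start the watch timer.
            c.segments.append((now, client, server, "SYN"))
            c.state = "watching"
        return c

    def client_ack(self, now, client, server):
        c = self.conns[(client, server)]
        if c.state == "synrcvd":
            # The client completed its side; now handshake with the real server
            # and join the two half-connections.
            c.segments.append((now, "router", server, "SYN"))
            c.segments.append((now, server, "router", "SYN-ACK"))
            c.segments.append((now, "router", server, "ACK"))
            c.state = "established"
        elif c.state == "watching":
            c.segments.append((now, client, server, "ACK"))
            c.state = "established"
        return c

    def fin_or_rst(self, now, client, server):
        """A reset or FIN exchange was seen; keep managing briefly, then stop."""
        c = self.conns[(client, server)]
        c.state, c.closed = "closing", now
        return c

    def tick(self, now):
        """Run the timers: expire watched connections and release closed ones."""
        for c in self.conns.values():
            if c.state == "watching" and now - c.started >= self.watch_timeout:
                # Never became established: clear the server's state.
                c.segments.append((now, "router", c.server, "RST"))
                c.state = "reset"
            elif c.state == "closing" and now - c.closed >= self.finrst_timeout:
                c.state = "unmanaged"
        return [c for c in self.conns.values() if c.state not in ("reset", "unmanaged")]


def segments_seen_by_server(conn):
    """Flags of the segments that reached the server, in order."""
    return [flags for (_t, _src, dst, flags) in conn.segments if dst == conn.server]
```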

Examples

The following example sets the mode to watch mode:


ip tcp intercept mode watch

ip tcp intercept one-minute

To define both the number of connection requests below which the software leaves aggressive mode and the number of connection requests that can be received before the software enters aggressive mode, use the ip tcp intercept one-minute command in global configuration mode. To restore the default connection request settings, use the no form of this command.

ip tcp intercept one-minute low number high number

no ip tcp intercept one-minute [low number high number]

Syntax Description

low number

Specifies the number of connection requests in the last one-minute sample period below which the software leaves aggressive mode. The range is from 1 to 2147483647. The default is 900.

high number

Specifies the number of connection requests that can be received in the last one-minute sample period before the software enters aggressive mode. The range is 1 to 2147483647. The default is 1100.

Command Default

The default number of connection requests below which the software leaves aggressive mode is 900.

The default number of connection requests received before the software enters aggressive mode is 1100.

Command Modes


Global configuration

Command History

Release

Modification

12.4(15)T

This command was introduced in Cisco IOS Release 12.4(15)T. This command replaces the ip tcp intercept one-minute low and the ip tcp intercept one-minute high commands.

12.2(33)SXH

This command was integrated into Cisco IOS Release 12.2(33)SXH.

Usage Guidelines

There are two factors that determine aggressive mode: connection requests and incomplete connections.

By default, if both the number of connection requests and the number of incomplete connections is 900 or lower, aggressive mode ends.

By default, if either the number of connection requests or the number of incomplete connections is 1100 or greater, aggressive mode begins.

The number of connection requests may be defined by the ip tcp intercept one-minute command and the number of incomplete connections may be defined by the ip tcp intercept max-incomplete command. The default number of connection requests

Characteristics of Aggressive Mode

The following are the characteristics of aggressive mode:

  • Each new arriving connection causes the oldest partial connection to be deleted.

  • The initial retransmission timeout, the total time the router attempts to establish the connection, is reduced from 1 second to 0.5 seconds.

  • The watch-timeout period is reduced from 30 seconds to 15 seconds.
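The aggressive-mode rules stated in the usage guidelines for ip tcp intercept max-incomplete and ip tcp intercept one-minute, together with the oldest/random drop strategy of ip tcp intercept drop-mode, as an added model that is not Cisco code: either factor reaching its high mark enters aggressive mode, both must be at or below their low marks to leave it, the timers halve, and every new SYN in aggressive mode evicts one partial connection. Thresholds are the documented defaults; the connection identifiers and the scenario are constructed. The page words the high mark both as "exceeds 1100" and "1100 or greater"; the model uses the "or greater" reading.

```python
import random
from collections import OrderedDict

# Documented defaults: (low, high) for each of the two factors.
DEFAULT_MAX_INCOMPLETE = (900, 1100)   # incomplete (half-open) connections
DEFAULT_ONE_MINUTE = (900, 1100)       # connection requests in the last minute


class InterceptState:
    """Aggressive-mode controller for one TCP intercept instance."""

    def __init__(self, max_incomplete=DEFAULT_MAX_INCOMPLETE,
                 one_minute=DEFAULT_ONE_MINUTE, drop_mode="oldest",
                 watch_timeout=30.0, seed=0):
        if drop_mode not in ("oldest", "random"):
            raise ValueError("drop_mode must be 'oldest' or 'random'")
        self.incomplete_low, self.incomplete_high = max_incomplete
        self.one_minute_low, self.one_minute_high = one_minute
        self.drop_mode = drop_mode
        self.base_watch_timeout = watch_timeout
        self.rng = random.Random(seed)      # seeded so runs are reproducible
        self.half_open = OrderedDict()      # insertion order == age, oldest first
        self.requests_last_minute = 0
        self.aggressive = False
        self.dropped = []

    def _update_mode(self):
        incomplete = len(self.half_open)
        if not self.aggressive:
            # Either factor reaching its high mark is enough to enter aggressive mode.
            if (incomplete >= self.incomplete_high
                    or self.requests_last_minute >= self.one_minute_high):
                self.aggressive = True
        elif (incomplete <= self.incomplete_low
              and self.requests_last_minute <= self.one_minute_low):
            # Both factors must be at or below their low marks to leave it.
            self.aggressive = False

    def retransmission_timeout(self):
        """Initial retransmission timeout: 1 s, halved in aggressive mode."""
        return 0.5 if self.aggressive else 1.0

    def watch_timeout(self):
        """Watch timeout (ip tcp intercept watch-timeout), halved in aggressive mode."""
        return self.base_watch_timeout / 2 if self.aggressive else self.base_watch_timeout

    def new_syn(self, conn_id):
        """A new connection request arrived."""
        self.requests_last_minute += 1
        if self.aggressive and self.half_open:
            # Aggressive mode: every new SYN evicts one partial connection,
            # the oldest by default or a random one under drop-mode random.
            if self.drop_mode == "oldest":
                victim = next(iter(self.half_open))
            else:
                victim = self.rng.choice(list(self.half_open))
            del self.half_open[victim]
            self.dropped.append(victim)
        self.half_open[conn_id] = True
        self._update_mode()

    def established(self, conn_id):
        """Handshake completed: the connection is no longer incomplete."""
        self.half_open.pop(conn_id, None)
        self._update_mode()

    def minute_tick(self):
        """Start a new one-minute sample period."""
        self.requests_last_minute = 0
        self._update_mode()


def run_scenario():
    """Constructed burst of half-open connections against the default thresholds."""
    st = InterceptState()
    timeline = {}
    # 1099 half-open connections in one minute: still below both high marks.
    for i in range(1, 1100):
        st.new_syn(f"c{i}")
    timeline["after_1099"] = (st.aggressive, len(st.half_open))
    # The 1100th request reaches the high mark for both factors.
    st.new_syn("c1100")
    timeline["after_1100"] = (st.aggressive, len(st.half_open), st.watch_timeout())
    # One more request: the oldest partial connection is evicted, so the
    # number of incomplete connections does not grow.
    st.new_syn("c1101")
    timeline["after_1101"] = (len(st.half_open), list(st.dropped))
    # New sample period, then 200 handshakes complete: both factors at/below low.
    st.minute_tick()
    for i in range(2, 202):
        st.established(f"c{i}")
    timeline["after_recovery"] = (st.aggressive, len(st.half_open), st.watch_timeout())
    return timeline
```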

Examples

The following example sets the software to leave aggressive mode when the number of connection requests falls below 1000 and allows 1400 connection requests before the software enters aggressive mode. The running configuration is then shown.


Router(config)# ip tcp intercept one-minute low 1000 high 1400
Router(config)# show running-config | i ip tcp
     ip tcp intercept one-minute low 1000 high 1400

ip tcp intercept one-minute high


Note


Effective with Cisco IOS Release 12.2(33)SXH and Cisco IOS Release 12.4(15)T the ip tcp intercept one-minute high command is replaced by the ip tcp intercept one-minute command. See the ip tcp intercept one-minute command for more information.


To define the number of connection requests received in the last one-minute sample period before the software enters aggressive mode, use the ip tcp intercept one-minute high command in global configuration mode. To restore the default, use the no form of this command.

ip tcp intercept one-minute high number

no ip tcp intercept one-minute high [number]

Syntax Description

number

Specifies the number of connection requests that can be received in the last one-minute sample period before the software enters aggressive mode. The range is 1 to 2147483647. The default is 1100.

Command Default

1100 connection requests

Command Modes


Global configuration

Command History

Release

Modification

11.2 F

This command was introduced.

12.4(15)T

This command was replaced by the ip tcp intercept one-minute command.

12.2(33)SXH

This command was replaced by the ip tcp intercept one-minute command.

Usage Guidelines


Note


If you are running Cisco IOS Release 12.2(33)SXH or Cisco IOS Release 12.4(15)T and issue the ip tcp intercept one-minute high command, it will be accepted by the router, but a message will be displayed stating that the ip tcp intercept one-minute high command has been replaced by the ip tcp intercept one-minute command.


If the number of connection requests exceeds the configured number, the TCP intercept feature becomes aggressive. The following are the characteristics of aggressive mode:

  • Each new arriving connection causes the oldest partial connection to be deleted.

  • The initial retransmission timeout is reduced by half to 0.5 seconds (and so the total time trying to establish the connection is cut in half).

  • The watch-timeout is cut in half (from 30 seconds to 15 seconds).

You can change the drop strategy from the oldest connection to a random connection with the ip tcp intercept drop-mode command.


Note


The two factors that determine aggressive mode (connection requests and incomplete connections) are related and work together. When the value of either ip tcp intercept one-minute high or ip tcp intercept max-incomplete high is exceeded, aggressive mode begins. When both connection requests and incomplete connections fall below the values of ip tcp intercept one-minute low and ip tcp intercept max-incomplete low, aggressive mode ends.


Examples

The following example allows 1400 connection requests before the software enters aggressive mode:


ip tcp intercept one-minute high 1400

ip tcp intercept one-minute low


Note


Effective with Cisco IOS Release 12.2(33)SXH and Cisco IOS Release 12.4(15)T, the ip tcp intercept one-minute low command is replaced by the ip tcp intercept one-minute command. See the ip tcp intercept one-minute command for more information.


To define the number of connection requests below which the software leaves aggressive mode, use the ip tcp intercept one-minute low command in global configuration mode. To restore the default, use the no form of this command.

ip tcp intercept one-minute low number

no ip tcp intercept one-minute low [number]

Syntax Description

number

Defines the number of connection requests in the last one-minute sample period below which the software leaves aggressive mode. The range is from 1 to 2147483647. The default is 900.

Command Default

900 connection requests

Command Modes


Global configuration

Command History

Release

Modification

11.2 F

This command was introduced.

12.4(15)T

This command was replaced by the ip tcp intercept one-minute command.

12.2(33)SXH

This command was replaced by the ip tcp intercept one-minute command.

Usage Guidelines


Note


If you are running Cisco IOS Release 12.2(33)SXH or Cisco IOS Release 12.4(15)T and issue the ip tcp intercept one-minute low command, it will be accepted by the router, but a message will be displayed stating that the ip tcp intercept one-minute low command has been replaced by the ip tcp intercept one-minute command.


When both connection requests and incomplete connections fall below the values of ip tcp intercept one-minute low and ip tcp intercept max-incomplete low, the TCP intercept feature leaves aggressive mode.


Note


The two factors that determine aggressive mode (connection requests and incomplete connections) are related and work together. When the value of either ip tcp intercept one-minute high or ip tcp intercept max-incomplete high is exceeded, aggressive mode begins. When both connection requests and incomplete connections fall below the values of ip tcp intercept one-minute low and ip tcp intercept max-incomplete low, aggressive mode ends.


See the ip tcp intercept one-minute high command for a description of aggressive mode.

Examples

The following example sets the software to leave aggressive mode when the number of connection requests falls below 1000:


ip tcp intercept one-minute low 1000

ip tcp intercept watch-timeout

To define how long the software will wait for a watched TCP intercept connection to reach established state before sending a reset to the server, use the ip tcp intercept watch-timeout command in global configuration mode. To restore the default, use the no form of this command.

ip tcp intercept watch-timeout seconds

no ip tcp intercept watch-timeout [seconds]

Syntax Description

seconds

Time (in seconds) that the software waits for a watched connection to reach established state before sending a Reset to the server. The minimum value is 1 second. The default is 30 seconds.

Command Default

30 seconds

Command Modes


Global configuration

Command History

Release

Modification

11.2 F

This command was introduced.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.

Usage Guidelines

Use this command if you have set the TCP intercept to passive watch mode and you want to change the default time the connection is watched. During aggressive mode, the watch timeout time is cut in half.

Examples

The following example sets the software to wait 60 seconds for a watched connection to reach established state before sending a Reset to the server:


ip tcp intercept watch-timeout 60

ip traffic-export apply

To apply an IP traffic export profile or an IP traffic capture profile to a specific interface, use the ip traffic-export apply command in interface configuration mode. To remove an IP traffic export profile or an IP traffic capture profile from an interface, use the no form of this command.

ip traffic-export apply profile-name

no ip traffic-export apply profile-name

Cisco 1841, Cisco 2800 Series, and Cisco 3800 Series

ip traffic-export apply profile-name size size

no ip traffic-export apply profile-name

Syntax Description

profile-name

Name of the profile that is to be applied to a specified interface.

The profile-name argument must match a name that was specified in the ip traffic-export profile command.

size

Optional. Used in IP traffic capture mode to set up a local capture buffer.

size

Optional. Specifies the size of the local capture buffer, in bytes.

Command Default

If you do not use this command, a successfully configured profile is not active.

Command Modes


Interface configuration

Command History

Release

Modification

12.3(4)T

This command was introduced.

12.2(25)S

This command was integrated into Cisco IOS Release 12.2(25)S.

12.4(11)T

This command was updated to incorporate the size keyword and size argument for IP traffic capture mode on the Cisco 1841, Cisco 2800 series, and Cisco 3800 series routers.

Usage Guidelines

After you configure at least one export profile, use the ip traffic-export apply command to activate IP traffic export on the specified ingress interface.

After you configure a capture profile, use the ip traffic-export apply command to activate IP traffic capture on the specified ingress interface, and to specify the size of the local capture buffer.

Examples

The following example shows how to apply the export profile “corp1” to interface Fast Ethernet 0/0.


Router(config)# ip traffic-export profile corp1
Router(config-rite)# interface FastEthernet 0/1
Router(config-rite)# bidirectional
Router(config-rite)# mac-address 00a.8aab.90a0
Router(config-rite)# outgoing sample one-in-every 50
Router(config-rite)# incoming access-list spam_acl
Router(config-rite)# exit
Router(config)# interface FastEthernet 0/0
Router(config-if)# ip traffic-export apply corp1

The following example shows how to apply the capture profile “corp2” to interface Fast Ethernet 0/0, and specify a capture buffer of 10,000,000 bytes.


Router(config)# ip traffic-export profile corp2 mode capture
Router(config-rite)# bidirectional
Router(config-rite)# outgoing sample one-in-every 50
Router(config-rite)# incoming access-list ham_acl
Router(config-rite)# length 512
Router(config-rite)# exit
Router(config)# interface FastEthernet 0/0
Router(config-if)# ip traffic-export apply corp2 size 10000000

After a profile is activated on the interface, a logging message such as the following will appear:


%RITE-5-ACTIVATE: Activated IP traffic export on interface FastEthernet 0/0.

After a profile is removed from the interface, a logging message such as the following will appear:


%RITE-5-DEACTIVATE: Deactivated IP traffic export on interface FastEthernet 0/0.

If you attempt to apply an incomplete profile to an interface, you will receive the following message:


Router(config-if)# ip traffic-export apply newone
RITE: profile newone has missing outgoing interface

ip traffic-export profile

To create or edit an IP traffic export profile or an IP traffic capture profile and enable the profile on an ingress interface, use the ip traffic-export profile command in global configuration mode. To remove an IP traffic export profile from your router configuration, use the no form of this command.

ip traffic-export profile profile-name

no ip traffic-export profile profile-name

Cisco 1841, Cisco 2800 Series, and Cisco 3800 Series Routers

ip traffic-export profile profile-name mode {capture | export}

no ip traffic-export profile profile-name

Syntax Description

profile-name

IP traffic export profile name.

mode {capture | export}

Specifies either capture or export mode.

  • capture --Captures data to memory.

  • export --Exports data to an interface.

Command Default

A profile does not exist.

Command Modes


Global configuration

Command History

Release

Modification

12.3(4)T

This command was introduced.

12.2(25)S

This command was integrated into Cisco IOS Release 12.2(25)S.

12.4(11)T

This command was updated to incorporate the mode, capture, and export keywords on the Cisco 1841, Cisco 2800 series, and Cisco 3800 series routers.

Usage Guidelines

The ip traffic-export profile command allows you to begin a profile that can be configured to capture or export IP packets as they arrive on or leave from a selected router ingress interface.

When exporting IP packets, a designated egress interface exports IP packets out of the router. So, the router can export unaltered IP packets to a directly connected device.

When capturing IP packets, the packets are stored in local router memory. They may then be dumped to an external device.

IP Traffic Export Profiles

All exported IP traffic configurations are specified by profiles, which consist of RITE-related command-line interface (CLI) commands that control various attributes of both incoming and outgoing IP traffic. You can configure a router with multiple profiles. (Each profile must have a different name.) You can apply different profiles on different interfaces.

The two profiles to configure are:

  • Global configuration profile, which you configure using the ip traffic-export profile command.

  • Submode configuration profile, which you configure using any of the following RITE commands--bidirectional, incoming, interface, mac-address, and outgoing.

Use the interface and mac-address commands to successfully create a profile. If you do not issue these commands, you will receive profile-incomplete messages such as the following:


ip traffic-export profile newone 
! No outgoing interface configured
! No destination mac-address configured

After you configure your profiles, you can apply the profiles to an interface with the ip traffic-export apply profile command, which will activate it.

IP Traffic Capture Profiles

On the Cisco 1841, Cisco 2800 series, and Cisco 3800 series routers, you can also configure IP traffic capture. A captured IP traffic configuration is specified by a profile, which consists of RITE-related command-line interface (CLI) commands that control various attributes of both incoming and outgoing IP traffic.

The two profiles that you should configure are:

  • Global configuration profile, which you configure using the ip traffic-export profile mode capture command.

  • Submode configuration profile, which you configure using any of the following RITE commands--bidirectional, incoming, length, and outgoing.

After you configure your profiles, you can apply the profiles to an interface with the ip traffic-export apply profile command, which will activate it.

When the IP traffic capture profile is applied to an interface, use the traffic-export command to control the capture of the traffic.


Note


Cisco IOS Release 12.4(9)T and 12.4(15)T cannot capture outgoing router-generated Internet Control Message Protocol (ICMP) or IPsec traffic.


Examples

The following example shows how to configure the profile "corp1," which sends captured IP traffic to host "00a.8aab.90a0" at the interface "FastEthernet 0/1." This profile is also configured to export 1 in every 50 packets and to allow incoming traffic only from the access control list (ACL) "ham_ACL."


Router(config)# ip traffic-export profile corp1
Router(config-rite)# interface FastEthernet 0/1
Router(config-rite)# bidirectional
Router(config-rite)# mac-address 00a.8aab.90a0
Router(config-rite)# outgoing sample one-in-every 50
Router(config-rite)# incoming access-list ham_acl
Router(config-rite)# exit
Router(config)# interface FastEthernet 0/0
Router(config-if)# ip traffic-export apply corp1

The following example shows how to configure the profile "corp2," which captures IP traffic and stores it in a local router memory buffer of 10,000,000 bytes. This profile also captures 1 in every 50 packets and allows incoming traffic only from the access control list (ACL) "ham_ACL."


Router(config)# ip traffic-export profile corp2 mode capture
Router(config-rite)# bidirectional
Router(config-rite)# outgoing sample one-in-every 50
Router(config-rite)# incoming access-list ham_acl
Router(config-rite)# length 512
Router(config-rite)# exit
Router(config)# interface FastEthernet 0/0
Router(config-if)# ip traffic-export apply corp2 size 10000000

ip trigger-authentication (global)

To enable the automated part of double authentication at a device, use the ip trigger-authentication command in global configuration mode. To disable the automated part of double authentication, use the no form of this command.

ip trigger-authentication [timeout seconds] [port number]

no ip trigger-authentication

Syntax Description

timeout seconds

(Optional) Specifies how frequently the local device sends a User Datagram Protocol (UDP) packet to the remote host to request the user’s username and password (or PIN). The default is 90 seconds. See “The Timeout Keyword” in the Usage Guidelines section for details.

port number

(Optional) Specifies the UDP port to which the local router should send the UDP packet requesting the user’s username and password (or PIN). The default is port 7500. See “The Port Keyword” in the Usage Guidelines section for details.

Command Default

The default timeout is 90 seconds, and the default port number is 7500.

Command Modes


Global configuration

Command History

Release

Modification

11.3 T

This command was introduced.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.

Usage Guidelines

Configure this command on the local device (router or network access server) that remote users dial in to. Use this command only if the local device has already been configured to provide double authentication; this command enables automation of the second authentication of double authentication.

The timeout Keyword

During the second authentication stage of double authentication--when the remote user is authenticated--the remote user must send a username and password (or PIN) to the local device. With automated double authentication, the local device sends a UDP packet to the remote user’s host during the second user-authentication stage. This UDP packet triggers the remote host to launch a dialog box requesting a username and password (or PIN).

If the local device does not receive a valid response to the UDP packet within a timeout period, the local device will send another UDP packet. The device will continue to send UDP packets at the timeout intervals until it receives a response and can authenticate the user.

By default, the UDP packet timeout interval is 90 seconds. Use the timeout keyword to specify a different interval.

(This timeout also applies to how long entries will remain in the remote host table; see the show ip trigger-authentication command for details.)

The port Keyword

As described in the previous section, the local device sends a UDP packet to the remote user’s host to request the user’s username and password (or PIN). This UDP packet is sent to UDP port 7500 by default. (The remote host client software listens to UDP port 7500 by default.) If you need to change the port number because port 7500 is used by another application, you should change the port number using the port keyword. If you change the port number you need to change it in both places--both on the local device and in the remote host client software.

Examples

The following example globally enables automated double authentication and sets the timeout to 120 seconds:


ip trigger-authentication timeout 120

ip trigger-authentication (interface)

To specify automated double authentication at an interface, use the ip trigger-authentication command in interface configuration mode. To turn off automated double authentication at an interface, use the no form of this command.

ip trigger-authentication

no ip trigger-authentication

Syntax Description

This command has no arguments or keywords.

Command Default

Automated double authentication is not enabled for specific interfaces.

Command Modes


Interface configuration

Command History

Release

Modification

11.3 T

This command was introduced.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.

Usage Guidelines

Configure this command on the local router or network access server that remote users dial into. Use this command only if the local device has already been configured to provide double authentication and if automated double authentication has been enabled with the ip trigger-authentication (global) command.

This command causes double authentication to occur automatically when users dial into the interface.

Examples

The following example turns on automated double authentication at the ISDN BRI interface BRI0:


interface BRI0
 ip trigger-authentication
 encapsulation ppp
 ppp authentication chap

ip urlfilter alert

To enable URL filtering system alert messages, use the ip urlfilter alert command in global configuration mode. To disable the system alert, use the no form of this command.

ip urlfilter alert [vrf vrf-name]

no ip urlfilter alert

Syntax Description

vrf vrf-name

(Optional) Enables URL filtering system alert messages only for the specified Virtual Routing and Forwarding (VRF) interface.

Command Default

URL filtering messages are enabled.

Command Modes

Global configuration

Command History

Release

Modification

12.2(11)YU

This command was introduced.

12.2(15)T

This command was integrated into Cisco IOS Release 12.2(15)T.

12.3(14)T

The vrf vrf-name keyword/argument pair was added.

Usage Guidelines

Use the ip urlfilter alert command to display system messages, such as a server entering allow mode, a server going down, or a URL that is too long for the lookup request.

Examples

The following example shows how to enable URL filtering alert messages:


ip inspect name test http urlfilter
ip urlfilter cache 5
ip urlfilter exclusive-domain permit .weapons.com
ip urlfilter exclusive-domain deny .nbc.com
ip urlfilter exclusive-domain permit www.cisco.com
ip urlfilter audit-trail
ip urlfilter alert
ip urlfilter server vendor websense 192.168.3.1

Afterward, system alert messages such as the following are displayed:


%URLF-3-SERVER_DOWN:Connection to the URL filter server 10.92.0.9 is down

This level three LOG_ERR-type message is displayed when a configured URL filter server (UFS) goes down. When this happens, the firewall will mark the configured server as secondary and try to bring up one of the other secondary servers and mark that server as the primary server. If there is no other server configured, the firewall will enter into allow mode and display the URLF-3-ALLOW_MODE message described next.


%URLF-3-ALLOW_MODE:Connection to all URL filter servers are down and ALLOW MODE is OFF

This LOG_ERR-type message is displayed when all UFSs are down and the system enters into allow mode.


Note


Whenever the system goes into allow mode (all filter servers are down), a periodic keepalive timer will be triggered that will try to bring up a server by opening a TCP connection.



%URLF-5-SERVER_UP:Connection to an URL filter server 10.92.0.9 is made, the system is returning from ALLOW MODE

This LOG_NOTICE-type message is displayed when the UFSs are detected as being up and the system is returning from allow mode.


%URLF-4-URL_TOO_LONG:URL too long (more than 3072 bytes), possibly a fake packet?

This LOG_WARNING-type message is displayed when the URL in a lookup request is too long; any URL longer than 3K will be dropped.


%URLF-4-MAX_REQ:The number of pending request exceeds the maximum limit <1000>

This LOG_WARNING-type message is displayed when the number of pending requests in the system exceeds the maximum limit and all further requests are dropped.

ip urlfilter allowmode

To turn on the default mode (allow mode) of the filtering algorithm, use the ip urlfilter allowmode command in global configuration mode. To disable the default mode, use the no form of this command.

ip urlfilter allowmode [on | off] [vrf vrf-name]

no ip urlfilter allowmode [on | off]

Syntax Description

on

(Optional) Allow mode is on.

off

(Optional) Allow mode is off.

vrf vrf-name

(Optional) Turns on the default mode of the filtering algorithm only for the specified Virtual Routing and Forwarding (VRF) interface.

Command Default

Allow mode is off.

Command Modes


Global configuration

Command History

Release

Modification

12.2(11)YU

This command was introduced.

12.2(15)T

This command was integrated into Cisco IOS Release 12.2(15)T.

12.3(14)T

The vrf vrf-name keyword and argument pair was added.

Usage Guidelines

The system will go into allow mode when connections to all vendor servers (Websense or N2H2) are down. The system will return to normal mode when a connection to at least one web vendor server is up. Allow mode directs your system to forward or drop all packets on the basis of the configurable allow mode setting: if allow mode is on and the vendor servers are down, the HTTP requests will be allowed to pass; if allow mode is off and the vendor servers are down, the HTTP requests will be forbidden.

Examples

The following example shows how to enable allow mode on your system:


ip urlfilter allowmode on

Afterward, the following alert message will be displayed when the system goes into allow mode:


%URLF-3-ALLOW_MODE: Connection to all URL filter servers are down and ALLOW MODE if OFF

The following alert message will be displayed when the system returns from allow mode:


%URLF-5-SERVER_UP: Connection to an URL filter server 12.0.0.3 is made, the system is returning from allow mode

ip urlfilter audit-trail

To log messages into the syslog server or router, use the ip urlfilter audit-trail command in global configuration mode. To disable this functionality, use the no form of this command.

ip urlfilter audit-trail [vrf vrf-name]

no ip urlfilter audit-trail

Syntax Description

vrf vrf-name

(Optional) Logs messages into the syslog server or router only for the specified Virtual Routing and Forwarding (VRF) interface.

Command Default

This command is disabled.

Command Modes

Global configuration

Command History

Release

Modification

12.2(11)YU

This command was introduced.

12.2(15)T

This command was integrated into Cisco IOS Release 12.2(15)T.

12.3(14)T

The vrf vrf-name keyword and argument pair was added.

Usage Guidelines

Use the ip urlfilter audit-trail command to log messages such as URL request status (allow or deny) into your syslog server.

Examples

The following example shows how to enable syslog message logging:


ip inspect name test http urlfilter
ip urlfilter cache 5
ip urlfilter exclusive-domain permit .weapons.com
ip urlfilter exclusive-domain deny .nbc.com
ip urlfilter exclusive-domain permit www.cisco.com
ip urlfilter audit-trail
ip urlfilter alert
ip urlfilter server vendor websense 209.165.202.130

Afterward, audit trail messages such as the following are displayed and logged into the log server:


%URLF-6-SITE_ALLOWED:Client 209.165.201.15:12543 accessed server 10.76.82.21:8080

This message is logged for each request whose destination IP address is found in the cache. It includes the source IP address, source port number, destination IP address, and destination port number. The URL is not logged in this case because the IP address of the request is found in the cache, so parsing the request and extracting the URL would be unnecessary work.


%URLF-4-SITE-BLOCKED: Access denied for the site ‘www.sports.com’; client 209.165.200.230:34557 server 209.165.201.2:80

This message is logged when a request finds a match against one of the blocked domains in the exclusive-domain list or the corresponding entry in the IP cache.


%URLF-6-URL_ALLOWED:Access allowed for URL http://www.N2H2.com/; client 209.165.200.230:54123  server 192.168.0.1:80

This message is logged for each URL request that is allowed by the vendor server (Websense or N2H2). It includes the allowed URL, source IP address, source port number, destination IP address, and destination port number. Longer URLs will be truncated to 300 bytes and then logged.


%URLF-6-URL_BLOCKED:Access denied URL http://www.google.com; client 209.165.200.230:54678 server 209.165.201.2:80

This message is logged for each URL request that is blocked by the vendor server. It includes the blocked URL, source IP address, source port number, destination IP address, and destination port number. Longer URLs will be truncated to 300 bytes and then logged.
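The four audit-trail messages above are what a syslog collector actually receives, so a defender usually wants them parsed into structured records. The following parser is an added example, not Cisco code; the router timestamp prefix and the unrelated %SYS line in the sample are constructed, and the message bodies are the ones shown in this section.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# %URLF-<severity>-<MNEMONIC>:<body>; the mnemonic may contain '_' or '-' (SITE-BLOCKED)
HEADER = re.compile(r"%URLF-(?P<sev>\d)-(?P<mnemonic>[A-Z_-]+):\s*(?P<body>.*)")
# "Client a:b accessed server c:d" (cache hit) or "client a:b server c:d" (vendor verdict)
ENDPOINTS = re.compile(
    r"[Cc]lient (?P<cip>[\d.]+):(?P<cport>\d+)\s+(?:accessed )?server (?P<sip>[\d.]+):(?P<sport>\d+)")
# site in curly or straight quotes, or a bare URL, always terminated by ';'
TARGET = re.compile(r"(?:for the site|for URL|denied URL) [‘']?(?P<target>.+?)[’']?;")


@dataclass
class UrlfEvent:
    severity: int
    mnemonic: str
    action: str              # "allow" or "deny"
    client: str              # ip:port
    server: str              # ip:port
    target: Optional[str]    # site or URL; None for SITE_ALLOWED (cache hit, no URL logged)


def parse_urlf(line):
    """Parse one %URLF audit-trail line; return None for any other syslog line."""
    h = HEADER.search(line)
    if not h:
        return None
    ep = ENDPOINTS.search(h["body"])
    if not ep:
        return None
    t = TARGET.search(h["body"])
    return UrlfEvent(
        severity=int(h["sev"]),
        mnemonic=h["mnemonic"],
        action="deny" if h["mnemonic"].endswith("BLOCKED") else "allow",
        client=f"{ep['cip']}:{ep['cport']}",
        server=f"{ep['sip']}:{ep['sport']}",
        target=t["target"] if t else None,
    )


def denied_per_client(lines):
    """Count blocked requests per client IP, a quick way to spot a host hammering denied sites."""
    counts = Counter()
    for line in lines:
        ev = parse_urlf(line)
        if ev and ev.action == "deny":
            counts[ev.client.rsplit(":", 1)[0]] += 1
    return counts


# Constructed sample: the four message types from this section plus one unrelated line.
SAMPLE = [
    "Mar  1 10:00:01.123: %URLF-6-SITE_ALLOWED:Client 209.165.201.15:12543 accessed server 10.76.82.21:8080",
    "Mar  1 10:00:02.456: %URLF-4-SITE-BLOCKED: Access denied for the site ‘www.sports.com’; client 209.165.200.230:34557 server 209.165.201.2:80",
    "Mar  1 10:00:03.789: %URLF-6-URL_ALLOWED:Access allowed for URL http://www.N2H2.com/; client 209.165.200.230:54123  server 192.168.0.1:80",
    "Mar  1 10:00:04.012: %URLF-6-URL_BLOCKED:Access denied URL http://www.google.com; client 209.165.200.230:54678 server 209.165.201.2:80",
    "Mar  1 10:00:05.345: %SYS-5-CONFIG_I: Configured from console by console",
]
```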

ip urlfilter cache

To configure cache parameters, use the ip urlfilter cache command in global configuration mode. To clear the configuration, use the no form of this command.

ip urlfilter cache number [vrf vrf-name]

no ip urlfilter cache number

Syntax Description

number

Maximum number of destination IP addresses that can be cached into the cache table. The default value is 5000.

vrf vrf-name

(Optional) Configures cache parameters only for the specified Virtual Routing and Forwarding (VRF) interface.

Command Default

Maximum number of destination IP addresses is 5000.

The cache table is cleared out every 12 hours.

Command Modes

Global configuration

Command History

Release

Modification

12.2(11)YU

This command was introduced.

12.2(15)T

This command was integrated into Cisco IOS Release 12.2(15)T.

12.3(14)T

The vrf vrf-name keyword and argument pair was added.

Usage Guidelines

The cache table consists of the most recently requested IP addresses and respective authorization status for each IP address.

The caching algorithm involves three parameters--the maximum number of IP addresses that can be cached, an idle time, and an absolute time. The algorithm also involves two timers--idle timer and absolute timer. The idle timer is a small periodic timer (1 minute) that checks to see whether the number of cached IP addresses in the cache table exceeds 80 percent of the maximum limit. If the cached IP addresses have exceeded 80 percent, it will start removing idle entries; if it has not exceeded 80 percent, it will quit and wait for the next cycle. The absolute timer is a large periodic timer (1 hour) that is used to remove all of the elapsed entries. (The age of an elapsed entry is greater than the absolute time.) An elapsed entry will also be removed during cache lookup.

The idle time value is fixed at 10 minutes. The absolute time value is taken from the vendor server look-up response, which is often greater than 15 hours. The absolute value for cache entries made out of exclusive-domains is 12 hours. The maximum number of cache entries is configurable by enabling the ip urlfilter cache command.


Note


The vendor server is not able to inform the Cisco IOS firewall of filtering policy changes in the database.

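The interaction of the idle timer, the 80 percent threshold and the absolute timer is easier to see in code. The following model is an added example, not Cisco's implementation; times are seconds, and the behaviour of a full table (refusing new entries) is an assumption the page does not state.

```python
from dataclasses import dataclass

IDLE_TIME = 10 * 60              # fixed idle time: 10 minutes
EXCLUSIVE_ABSOLUTE = 12 * 3600   # absolute time for exclusive-domain entries: 12 hours
HIGH_WATER = 0.8                 # idle timer only evicts above 80 percent of the maximum


@dataclass
class Entry:
    allowed: bool      # authorization status cached for this destination IP
    created: float     # time the entry was cached
    last_used: float   # last cache hit; drives idle eviction
    absolute: float    # lifetime in seconds: vendor response value, or 12h for exclusive domains


class UrlFilterCache:
    """Destination-IP cache with the idle/absolute eviction rules from the usage guidelines."""

    def __init__(self, max_entries=5000):   # 5000 is the documented default
        self.max_entries = max_entries
        self.entries = {}

    def lookup(self, ip, now):
        """Return the cached status, or None on a miss. An elapsed entry is removed on lookup."""
        e = self.entries.get(ip)
        if e is None:
            return None
        if now - e.created > e.absolute:
            del self.entries[ip]
            return None
        e.last_used = now
        return e.allowed

    def insert(self, ip, allowed, now, absolute=EXCLUSIVE_ABSOLUTE):
        # Assumption (not stated on the page): a full table refuses new entries,
        # so the firewall keeps sending lookup requests for that destination.
        if ip not in self.entries and len(self.entries) >= self.max_entries:
            return False
        self.entries[ip] = Entry(allowed, now, now, absolute)
        return True

    def idle_timer(self, now):
        """1-minute timer: evict idle entries only when above 80 percent of the limit."""
        if len(self.entries) <= HIGH_WATER * self.max_entries:
            return 0
        idle = [ip for ip, e in self.entries.items() if now - e.last_used > IDLE_TIME]
        for ip in idle:
            del self.entries[ip]
        return len(idle)

    def absolute_timer(self, now):
        """1-hour timer: evict every elapsed entry regardless of fill level."""
        elapsed = [ip for ip, e in self.entries.items() if now - e.created > e.absolute]
        for ip in elapsed:
            del self.entries[ip]
        return len(elapsed)
```

Because a vendor-supplied entry can live for 15 hours or more and the server never pushes policy changes, the absolute time is the only bound on how long a stale verdict is served.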

Examples

The following example shows how to configure the cache table to hold a maximum of five destination IP addresses:


ip inspect name test http urlfilter
ip urlfilter cache 5
ip urlfilter exclusive-domain permit .weapons.com
ip urlfilter exclusive-domain deny .nbc.com
ip urlfilter exclusive-domain permit www.cisco.com
ip urlfilter audit-trail
ip urlfilter alert
ip urlfilter server vendor websense 192.168.3.1

ip urlfilter exclusive-domain

To add a domain name to the exclusive domain list so that the firewall does not have to send lookup requests to the vendor server, use the ip urlfilter exclusive-domain command in global configuration mode. To remove a domain name from the exclusive domain name list, use the no form of this command.

ip urlfilter exclusive-domain {permit | deny} domain-name [vrf vrf-name]

no ip urlfilter exclusive-domain {permit | deny} domain-name

Syntax Description

permit

Permits all traffic destined for the specified domain name.

deny

Blocks all traffic destined for the specified domain name.

domain-name

Domain name that is added or removed from the exclusive domain name list; for example, www.cisco.com.

vrf vrf-name

(Optional) Adds or removes a domain name only for the specified Virtual Routing and Forwarding (VRF) interface.

Command Default

This command is not enabled.

Command Modes

Global configuration

Command History

Release

Modification

12.2(11)YU

This command was introduced.

12.2(15)T

This command was integrated into Cisco IOS Release 12.2(15)T.

12.3(14)T

The vrf vrf-name keyword and argument pair was added.

Usage Guidelines

The ip urlfilter exclusive-domain command allows you to specify a list of domain names (exclusive domains) so that the firewall will not create a lookup request for the HTTP traffic that is destined for one of the domains in the exclusive list. Thus, you can avoid sending look-up requests to the web server for HTTP traffic that is destined for a host that is completely allowed to all users.

You can enter either a complete domain name or a partial domain name.

Complete Domain Name

If the user adds a complete domain name, such as “www.cisco.com,” to the exclusive domain list, all HTTP traffic whose URLs are destined for this domain (such as www.cisco.com/news and www.cisco.com/index) will be excluded from the URL filtering policies of the vendor server (Websense or N2H2), and on the basis of the configuration, the URLs will be permitted or blocked (denied).

Partial Domain Name

If the user adds only a partial domain name to the exclusive domain list, such as “.cisco.com,” all URLs whose domain names end with this partial domain name (such as www.cisco.com/products and www.cisco.com/eng) will be excluded from the URL filtering policies of the vendor server (Websense or N2H2), and on the basis of the configuration, the URLs will be permitted or blocked (denied).
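The complete-versus-partial matching rule, modelled as an added example (not Cisco code): a name beginning with a dot matches every host whose name ends with it, any other name matches only that exact host, and the URL path never matters. When several entries match, the first configured one wins; that ordering is an assumption, since the page does not define precedence.

```python
from urllib.parse import urlsplit


class ExclusiveDomainList:
    """Models ip urlfilter exclusive-domain {permit | deny} domain-name."""

    def __init__(self):
        self.rules = []   # (domain_name, action) in configuration order

    def add(self, action, domain_name):
        if action not in ("permit", "deny"):
            raise ValueError(action)
        self.rules.append((domain_name.lower(), action))

    def remove(self, action, domain_name):
        """The no form: remove the matching permit/deny entry, if present."""
        try:
            self.rules.remove((domain_name.lower(), action))
        except ValueError:
            pass

    def match(self, host):
        """Return 'permit' or 'deny' for an exclusive host, else None."""
        host = host.lower()
        for name, action in self.rules:       # assumption: first configured match wins
            if name.startswith("."):
                if host.endswith(name):       # partial name: any host ending with it
                    return action
            elif host == name:                # complete name: that host only
                return action
        return None

    def decide(self, url):
        """'permit' or 'deny' from the exclusive list, or 'lookup' when the firewall
        must send a lookup request to the vendor server (Websense or N2H2)."""
        host = urlsplit(url).hostname       # path and port are ignored, only the host counts
        if host is None:
            return "lookup"
        return self.match(host) or "lookup"
```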

Examples

The following example shows how to add the complete domain name “www.cisco.com” to the exclusive domain name list. This configuration will block all traffic destined to the www.cisco.com domain.


ip urlfilter exclusive-domain deny www.cisco.com

The following example shows how to add the partial domain name “.cisco.com” to the exclusive domain name list. This configuration will permit all traffic destined to domains that end with .cisco.com.


ip urlfilter exclusive-domain permit .cisco.com

ip urlfilter max-request

To set the maximum number of outstanding requests that can exist at any given time, use the ip urlfilter max-request command in global configuration mode. To disable this function, use the no form of this command.

ip urlfilter max-request number [vrf vrf-name]

no ip urlfilter max-request number

Syntax Description

number

Maximum number of outstanding requests. The default value is 1000.

vrf vrf-name

(Optional) Sets the maximum number of outstanding requests only for the specified Virtual Routing and Forwarding (VRF) interface.

Command Default

Maximum number of requests is 1000.

Command Modes

Global configuration

Command History

Release

Modification

12.2(11)YU

This command was introduced.

12.2(15)T

This command was integrated into Cisco IOS Release 12.2(15)T.

12.3(14)T

The vrf vrf-name keyword and argument pair was added.

Usage Guidelines

If the specified maximum number of outstanding requests is exceeded, new requests will be dropped.


Note


Allow mode is not considered because it should be used only when servers are down.


Examples

The following example shows how to configure the maximum number of outstanding requests to 950:


ip inspect name url_filter http
ip urlfilter max-request 950

ip urlfilter max-resp-pak

To configure the maximum number of HTTP responses that the firewall can keep in its packet buffer, use the ip urlfilter max-resp-pak command in global configuration mode. To return to the default, use the no form of this command.

ip urlfilter max-resp-pak number [vrf vrf-name]

no ip urlfilter max-resp-pak number

Syntax Description