traffic-export through zone security

track (firewall)

To configure the redundancy group tracking, use the track command in redundancy application group configuration mode. To remove the redundancy group tracking, use the no form of this command.

track object-number {decrement value | shutdown}

no track object-number {decrement value | shutdown}

Syntax Description

object-number

ID of the event type.

decrement value

Specifies the value by which the priority is decremented when the tracked object goes down. The range is from 1 to 255.

shutdown

Shuts down a redundancy group if the tracked object goes down instead of changing the priority.

Command Default

No objects are tracked, and no per-object priority decrement is applied.

Command Modes


Redundancy application group configuration (config-red-app-grp)

Command History

Release

Modification

Cisco IOS XE Release 3.1S

This command was introduced.

Usage Guidelines

The redundancy group can track an object and decrease the priority value per object. Multiple objects can be tracked by the redundancy group to influence the priority appropriately. You can shut down a redundancy group if the tracked object goes down instead of changing the priority.

Examples

The following example shows how to configure redundancy group 1 to track object 200 and decrement the group priority by 50 when that object goes down:


Router# configure terminal
Router(config)# redundancy
Router(config-red)# application redundancy
Router(config-red-app)# group 1
Router(config-red-app-grp)# track 200 decrement 50

tracking

To override the default tracking policy on a port, use the tracking command in Neighbor Discovery (ND) inspection policy configuration mode.

tracking {enable [reachable-lifetime {value | infinite}] | disable [stale-lifetime {value | infinite}]}

Syntax Description

enable

Tracking is enabled.

reachable-lifetime

(Optional) The maximum amount of time a reachable entry is considered to be directly or indirectly reachable without proof of reachability.

  • The reachable-lifetime keyword can be used only with the enable keyword.

  • Use of the reachable-lifetime keyword overrides the global reachable lifetime configured by the ipv6 neighbor binding reachable-lifetime command.

value

Lifetime value, in seconds. The range is from 1 to 86400, and the default is 300.

infinite

Keeps an entry in a reachable or stale state for an infinite amount of time.

disable

Disables tracking.

stale-lifetime

(Optional) Specifies how long an entry is kept in the stale state, overriding the global stale-lifetime configuration.

  • The stale lifetime is 86,400 seconds.

  • The stale-lifetime keyword can be used only with the disable keyword.

  • Use of the stale-lifetime keyword overrides the global stale lifetime configured by the ipv6 neighbor binding stale-lifetime command.

Command Default

By default, an entry is kept in the reachable state.

Command Modes


ND inspection policy configuration (config-nd-inspection)

Command History

Release

Modification

12.2(50)SY

This command was introduced.

15.0(2)SE

This command was integrated into Cisco IOS Release 15.0(2)SE.

15.3(1)S

This command was integrated into Cisco IOS Release 15.3(1)S.

Usage Guidelines

The tracking command overrides the default tracking policy set by the ipv6 neighbor tracking command on the port on which this policy applies. This function is useful on trusted ports where, for example, you may not want to track entries but want an entry to stay in the binding table to prevent it from being stolen.

The reachable-lifetime keyword is the maximum time an entry will be considered reachable without proof of reachability, either directly through tracking or indirectly through ND inspection. After the reachable-lifetime value is reached, the entry is moved to stale. Use of the reachable-lifetime keyword with the tracking command overrides the global reachable lifetime configured by the ipv6 neighbor binding reachable-lifetime command.

The stale-lifetime keyword is the maximum time an entry is kept in the table before it is deleted or the entry is proven to be reachable, either directly or indirectly. Use of the stale-lifetime keyword with the tracking command overrides the global stale lifetime configured by the ipv6 neighbor binding stale-lifetime command.
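The lifetime rules above (reachable-lifetime expiring into stale, stale-lifetime expiring into deletion, policy values overriding the global ones, and `infinite` pinning an entry) are easier to reason about as a small state machine. The following is an added example, not Cisco code: the global defaults, the class layout and the sample address are assumptions that follow the command text, and the choice to hold an untracked entry in the stale state is a modeling assumption.

```python
"""Model of how the ND inspection `tracking` policy keywords act on an IPv6
neighbor-binding entry.  Added example, not Cisco code: the global defaults,
the class layout and the sample address are assumptions that follow the
command reference text."""

INFINITE = float("inf")   # stands for the `infinite` keyword

# Assumed global defaults, i.e. what `ipv6 neighbor binding reachable-lifetime`
# and `ipv6 neighbor binding stale-lifetime` would set (300 s / 86400 s).
GLOBAL_REACHABLE_LIFETIME = 300
GLOBAL_STALE_LIFETIME = 86400


class TrackingPolicy:
    """Per-port override of the global tracking policy."""

    def __init__(self, enable=True, reachable_lifetime=None, stale_lifetime=None):
        # Keyword pairing mirrors the CLI syntax: reachable-lifetime goes with
        # enable, stale-lifetime goes with disable.
        if enable and stale_lifetime is not None:
            raise ValueError("stale-lifetime can only be used with disable")
        if not enable and reachable_lifetime is not None:
            raise ValueError("reachable-lifetime can only be used with enable")
        self.enable = enable
        # A value given on the policy overrides the global one.
        self.reachable_lifetime = (GLOBAL_REACHABLE_LIFETIME
                                   if reachable_lifetime is None else reachable_lifetime)
        self.stale_lifetime = (GLOBAL_STALE_LIFETIME
                               if stale_lifetime is None else stale_lifetime)


class BindingEntry:
    """One binding-table entry; time is advanced explicitly in seconds."""

    def __init__(self, address, policy):
        self.address = address
        self.policy = policy
        self.age = 0            # seconds since the last proof / state change
        self.present = True
        # Modeling assumption: with tracking disabled the entry is not verified,
        # so it sits in STALE and only the stale-lifetime timer applies.
        self.state = "REACHABLE" if policy.enable else "STALE"

    def prove_reachable(self):
        """Proof of reachability, direct (tracking) or indirect (ND inspection)."""
        if self.present:
            self.state = "REACHABLE" if self.policy.enable else "STALE"
            self.age = 0

    def advance(self, seconds):
        """Advance time and return the state: REACHABLE, STALE or DELETED."""
        if not self.present:
            return "DELETED"
        self.age += seconds
        if self.state == "REACHABLE" and self.age >= self.policy.reachable_lifetime:
            # reachable-lifetime expired without proof: entry moves to stale
            self.age -= self.policy.reachable_lifetime
            self.state = "STALE"
        if self.state == "STALE" and self.age >= self.policy.stale_lifetime:
            # stale-lifetime expired without proof: entry is deleted
            self.present = False
            return "DELETED"
        return self.state


def timeline(policy, steps, proofs=()):
    """Run a fresh entry through `steps` (seconds each); after step index i in
    `proofs` a proof of reachability arrives.  Returns the state after each step."""
    entry = BindingEntry("2001:db8::10", policy)   # constructed sample address
    states = []
    for i, seconds in enumerate(steps):
        states.append(entry.advance(seconds))
        if i in proofs:
            entry.prove_reachable()
    return states


if __name__ == "__main__":
    print("default policy:", timeline(TrackingPolicy(), [299, 1, 86399, 1]))
    trusted = TrackingPolicy(enable=False, stale_lifetime=INFINITE)
    print("trusted port  :", timeline(trusted, [10**9]))
```

With the default policy the entry goes reachable, stale after 300 s, and is deleted 86400 s later; the trusted-port policy from the example below (`tracking disable stale-lifetime infinite`) keeps the entry in the table indefinitely, which is the "prevent it from being stolen" behaviour the guidelines describe.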

Examples

The following example defines an ND policy name as policy1, places the router in ND inspection policy configuration mode, and configures an entry to stay in the binding table for an infinite length of time on a trusted port:


Router(config)# ipv6 nd inspection policy policy1
Router(config-nd-inspection)# tracking disable stale-lifetime infinite

traffic-export

To control the operation of IP traffic capture mode in IP traffic export, use the traffic-export command in privileged EXEC mode.

traffic-export interface type number {start | stop | clear | copy memory-device}

Syntax Description

type number

Type and number of the interface over which the packets being captured travel.

start

Initiates a packet capture sequence.

stop

Halts a packet capture sequence.

clear

Clears the packet capture buffer.

copy

Copies the contents of the packet capture buffer to an external device.

memory-device

External memory device to which captured packets are transmitted. Options are flash:, tftp:, or usbflash0:.

Command Default

This command has no defaults.

Command Modes


Privileged EXEC.

Command History

Release

Modification

12.4(11)T

This command was introduced.

Usage Guidelines

Use the traffic-export command to control the operation of IP traffic capture mode in IP traffic export. The operator uses CLI commands to start or stop the capture of packets flowing across a monitored interface, to copy the captured packets to an external memory device, or to clear the internal buffer that holds the captured packets.

Examples

The following example illustrates the use of the traffic-export command to initiate the capture of packets on interface FastEthernet 0/0.


Router# traffic-export interface fastethernet 0/0 start
%RITE-5-CAPTURE_START: Started IP traffic capture for interface FastEthernet0/0
router# 

The following example illustrates the use of the traffic-export command to halt the packet capture sequence on interface FastEthernet 0/0.


Router# traffic-export interface fastethernet 0/0 stop
%RITE-5-CAPTURE_STOP: Stopped IP traffic capture for interface FastEthernet0/0
router# 

The following example illustrates the use of the traffic-export command to copy the contents of the packet capture buffer to an external memory device. The interactive dialog in the example identifies the external memory device and the remote host on which it resides.


Router# traffic-export interface fastethernet0/0 copy tftp:
 
Address or name of remote host []? 172.18.207.15
 
Capture buffer filename []? atmcapture
 
Copying capture buffer to tftp://172.18.207.15/atmcapture !!
router#

The following example illustrates the use of the traffic-export command to clear the packet capture buffer that is in local memory.


Router# traffic-export interface fastethernet 0/0 clear
%RITE-5-CAPTURE_CLEAR: Cleared IP traffic capture buffer for interface FastEthernet0/0
router#

transfer-encoding type

To permit or deny HTTP traffic according to the specified transfer-encoding of the message, use the transfer-encoding type command in appfw-policy-http configuration mode. To disable this inspection parameter, use the no form of this command.

transfer-encoding type {chunked | compress | deflate | gzip | identity | default} action {reset | allow} [alarm]

no transfer-encoding type {chunked | compress | deflate | gzip | identity | default} action {reset | allow} [alarm]

Syntax Description

chunked

Encoding format (specified in RFC 2616, Hypertext Transfer Protocol -- HTTP/1.1) in which the body of the message is transferred in a series of chunks; each chunk carries its own size indicator.

compress

Encoding format produced by the UNIX "compress" utility.

deflate

"ZLIB" format defined in RFC 1950, ZLIB Compressed Data Format Specification version 3.3, combined with the "deflate" compression mechanism described in RFC 1951, DEFLATE Compressed Data Format Specification version 1.3.

gzip

Encoding format produced by the "gzip" (GNU zip) program.

identity

Default encoding, which indicates that no encoding has been performed.

default

All of the transfer encoding types.

action

Encoding types outside of the specified type are subject to the specified action (reset or allow).

reset

Sends a TCP reset notification to the client or server if the HTTP message fails this inspection.

allow

Forwards the packet through the firewall.

alarm

(Optional) Generates system logging (syslog) messages for the given action.

Command Default

If a given type is not specified, all transfer-encoding types are supported with the reset alarm action.

Command Modes


appfw-policy-http configuration

Command History

Release

Modification

12.3(14)T

This command was introduced.

Usage Guidelines

Only encoding types specified by the transfer-encoding type command are allowed through the firewall.
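To make the chunked format from the syntax description concrete, and to show how a rule of the form `transfer-encoding type <type> action <action> [alarm]` classifies the codings named in a Transfer-Encoding header, here is an added example in Python. It is not Cisco's inspection engine: the policy representation (a list of permitted types, with `default` meaning all of them), the sample HTTP response, the `malformed` verdict for framing the decoder cannot parse, and the alarm text are all constructed for the example.

```python
"""Chunked transfer-coding decoder and a model of the `transfer-encoding type`
policy decision.  Added example, not Cisco's inspection engine: the policy
representation, the sample HTTP message and the alarm text are constructed."""
import re

# chunk-size line: hex size, optional ";ext" chunk extensions, CRLF (RFC 2616 3.6.1)
CHUNK_SIZE_LINE = re.compile(rb"([0-9A-Fa-f]+)(?:;[^\r\n]*)?\r\n")
KNOWN_CODINGS = {"chunked", "compress", "deflate", "gzip", "identity"}


def decode_chunked(body: bytes) -> bytes:
    """Reassemble a chunked body.  Each chunk carries its own hexadecimal size
    line; a zero-size chunk ends the body (optionally followed by trailer
    headers).  Raises ValueError on malformed framing."""
    out, pos = bytearray(), 0
    while True:
        m = CHUNK_SIZE_LINE.match(body, pos)     # match() anchors at pos
        if not m:
            raise ValueError(f"bad chunk-size line at offset {pos}")
        size, pos = int(m.group(1), 16), m.end()
        if size == 0:
            # last-chunk: skip trailer lines up to the terminating empty line
            while body[pos:pos + 2] != b"\r\n":
                nl = body.find(b"\r\n", pos)
                if nl < 0:
                    raise ValueError("unterminated trailer")
                pos = nl + 2
            return bytes(out)
        chunk = body[pos:pos + size]
        if len(chunk) != size or body[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError(f"truncated chunk at offset {pos}")
        out += chunk
        pos += size + 2


def policy_decision(permitted_types, header_value, action, alarm=False):
    """Model one `transfer-encoding type <type> action <action> [alarm]` rule:
    codings in the Transfer-Encoding header that fall outside the permitted
    type(s) get the configured action; `default` stands for all codings.
    Returns (verdict, alarm messages)."""
    codings = [c.strip().lower() for c in header_value.split(",") if c.strip()]
    permitted = KNOWN_CODINGS if "default" in permitted_types else set(permitted_types)
    offending = [c for c in codings if c not in permitted]
    if not offending:
        return "allow", []
    msgs = [f"transfer-encoding {c} not permitted" for c in offending] if alarm else []
    return action, msgs


def inspect(raw: bytes, permitted_types, action="reset", alarm=True):
    """Split an HTTP message into head and body, apply the policy and, when the
    message passes and is chunked, decode the body.
    Returns (verdict, body or None, alarm messages)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    te = ""
    for line in head.split(b"\r\n")[1:]:          # skip the start line
        name, _, value = line.decode("latin-1").partition(":")
        if name.strip().lower() == "transfer-encoding":
            te = value.strip()
    verdict, msgs = policy_decision(permitted_types, te, action, alarm)
    if verdict == "reset":
        return verdict, None, msgs
    if "chunked" not in te.lower():
        return verdict, body, msgs
    try:
        return verdict, decode_chunked(body), msgs
    except ValueError:
        # framing the decoder cannot parse: treat as a failed inspection
        return "malformed", None, msgs


# Constructed sample response: two chunks (one with a chunk extension) and a trailer.
SAMPLE_CHUNKED = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/plain\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"5\r\nhello\r\n"
    b"6;ext=1\r\n world\r\n"
    b"0\r\n"
    b"X-Trailer: done\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    print(inspect(SAMPLE_CHUNKED, ["chunked"]))
    print(inspect(SAMPLE_CHUNKED, ["identity"]))
```

The decoder is the part that matters for an inspecting firewall: the chunk sizes are supplied by the peer, so every size is bounds-checked against the bytes actually present before anything is copied, and a bad size line or a cut-off chunk is reported rather than silently truncated.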

Examples

The following example shows how to define the HTTP application firewall policy "mypolicy." This policy includes all supported HTTP policy rules. After the policy is defined, it is applied to the inspection rule "firewall," which will inspect all HTTP traffic entering the FastEthernet0/0 interface.


! Define the HTTP policy.
appfw policy-name mypolicy
 application http
  strict-http action allow alarm
  content-length maximum 1 action allow alarm
  content-type-verification match-req-rsp action allow alarm
  max-header-length request 1 response 1 action allow alarm
  max-uri-length 1 action allow alarm
  port-misuse default action allow alarm
  request-method rfc default action allow alarm
  request-method extension default action allow alarm
  transfer-encoding type default action allow alarm
!
!
! Apply the policy to an inspection rule. 
ip inspect name firewall appfw mypolicy
ip inspect name firewall http
!
!
! Apply the inspection rule to all HTTP traffic entering the FastEthernet0/0 interface.
interface FastEthernet0/0
 ip inspect firewall in
!
!

transport port

To configure the transport protocol for establishing a connection with the Diameter peer, use the transport port command in Diameter peer configuration mode. To block all sessions that are bound to the peer from using the connection, use the no form of this command.

transport tcp port port-number

no transport tcp port port-number

Syntax Description

tcp

Currently, TCP is the only supported transport protocol for establishing the connection with the Diameter peer.

port-number

Character string identifying the peer connection port.

Command Default

TCP is the default transport protocol.

Command Modes


Diameter peer configuration

Command History

Release

Modification

12.4(9)T

This command was introduced.

Examples

The following example configures TCP as the transport protocol and port 4100 as the peer connection port:


Router(config-dia-peer)# transport tcp port 4100

transport port (ldap)

To configure the transport protocol for establishing a connection with the Lightweight Directory Access Protocol (LDAP) server, use the transport port command in LDAP server configuration mode. To delete all sessions that are bound to the server from using the connection, use the no form of this command.

transport port port-number

no transport port port-number

Syntax Description

port-number

Server connection port number. Valid port numbers range from 1 to 65535. The default is 389.

Command Default

The default port number is 389.

Command Modes


LDAP server configuration (config-ldap-server)

Command History

Release

Modification

15.1(1)T

This command was introduced.

Examples

The following example shows how to configure port 200 as the LDAP server connection port:


Router(config)# ldap server server1
Router(config-ldap-server)# transport port 200

trm register

To allow the user to manually register the platform with the Trend Router Provisioning Server (TRPS), use the trm register command in privileged EXEC mode.

trm register [force]

Syntax Description

force

Sends a new registration request to TRPS.

Command Default

This command is not enabled.

Command Modes


Privileged EXEC (#)

Command History

Release

Modification

12.4(15)XZ

This command was introduced.

12.4(20)T

This command was integrated into Cisco IOS Release 12.4(20)T.

15.1(2)T

This command was modified. The force keyword was added.

Usage Guidelines

Use the trm register command to enable manual registration of the platform with the TRPS. If you do not use this command, the system sends a registration request to the TRPS every minute after boot-up until the registration is successful.

Examples

The following is sample output from the trm register command:


Router# trm register
Processing registration request.
Please run 'show ip trm subscription status' to get more info

trustpoint (tti-petitioner)

To specify the trustpoint that is to be associated with the Trusted Transitive Introduction (TTI) exchange between the Secure Device Provisioning (SDP) petitioner and the SDP registrar, use the trustpoint command in tti-petitioner configuration mode. To change the specified trustpoint or use the default trustpoint, use the no form of this command.

trustpoint trustpoint-label

no trustpoint trustpoint-label

Syntax Description

trustpoint-label

Name of trustpoint.

Command Default

If a trustpoint is not specified, a default trustpoint called "tti" is generated.

Command Modes


tti-petitioner configuration

Command History

Release

Modification

12.3(8)T

This command was introduced.

Usage Guidelines

Use the trustpoint command in tti-petitioner configuration mode to associate a trustpoint with the SDP petitioner.

Examples

The following example shows how to specify the trustpoint "mytrust":


crypto wui tti petitioner
 trustpoint mytrust

After the SDP exchange is complete, the petitioner automatically enrolls with the registrar and obtains a certificate. The following sample output from the show running-config command shows an automatically generated configuration that creates the default trustpoint "tti":


crypto pki trustpoint tti
 enrollment url http://pki1-36a.cisco.com:80 
 revocation-check crl
 rsakeypair tti 1024
 auto-enroll 70 

trustpoint signing

To specify the trustpoint and associated certificate to be used when signing all introduction data during the Secure Device Provisioning (SDP) exchange, use the trustpoint signing command in tti-petitioner configuration mode. To change the specified trustpoint or use the default trustpoint, use the no form of this command.

trustpoint signing trustpoint-label

no trustpoint signing trustpoint-label

Syntax Description

trustpoint-label

Name of trustpoint.

Command Default

If a trustpoint is not specified, any existing device certificate is used. If none is available, a self-signed certificate is generated.

Command Modes


tti-petitioner configuration

Command History

Release

Modification

12.3(14)T

This command was introduced.

Usage Guidelines

Use the trustpoint signing command in tti-petitioner configuration mode to associate a specific trustpoint, and its certificate, with the petitioner for signing the introduction data it sends during the SDP exchange.

Examples

The following example shows how to specify the trustpoint mytrust:


crypto provisioning petitioner
 trustpoint signing mytrust

After the SDP exchange is complete, the petitioner automatically enrolls with the registrar and obtains a certificate. The following sample output from the show running-config command shows an automatically generated configuration with the default trustpoint tti:


crypto pki trustpoint tti
 enrollment url http://pki1-36a.cisco.com:80 
 revocation-check crl
 rsakeypair tti 1024
 auto-enroll 70 

trusted-port (IPv6 NDP Inspection Policy)

To configure a port to become a trusted port, use the trusted-port command in Neighbor Discovery Protocol (NDP) inspection policy configuration mode. To disable this function, use the no form of this command.

trusted-port

no trusted-port

Syntax Description

This command has no arguments or keywords.

Command Default

No ports are trusted.

Command Modes


NDP inspection policy configuration (config-nd-inspection)

Command History

Release

Modification

12.2(50)SY

This command was introduced.

15.0(2)SE

This command was integrated into Cisco IOS Release 15.0(2)SE.

15.3(1)S

This command was integrated into Cisco IOS Release 15.3(1)S.

Usage Guidelines

When the trusted-port command is enabled, limited or no verification is performed when messages are received on ports that have this policy. However, to protect against address spoofing, messages are analyzed so that the binding information that they carry can be used to maintain the binding table. Bindings discovered from these ports will be considered more trustworthy than bindings received from ports that are not configured to be trusted.

Use the trusted-port command after enabling NDP inspection policy configuration mode using the ipv6 nd inspection policy command.

Examples

The following example defines an NDP policy name as policy1, places the router in NDP inspection policy configuration mode, and configures the port to be trusted:


Router(config)# ipv6 nd inspection policy policy1
Router(config-nd-inspection)# trusted-port

trusted-port (IPv6 RA Guard Policy)

To configure a port to become a trusted port, use the trusted-port command in router advertisement (RA) guard policy configuration mode. To disable this function, use the no form of this command.

trusted-port

no trusted-port

Syntax Description

This command has no arguments or keywords.

Command Default

No ports are trusted.

Command Modes


RA guard policy configuration (config-ra-guard)

Command History

Release

Modification

12.2(50)SY

This command was introduced.

15.0(2)SE

This command was integrated into Cisco IOS Release 15.0(2)SE.

15.3(1)S

This command was integrated into Cisco IOS Release 15.3(1)S.

Usage Guidelines

When the trusted-port command is enabled, limited or no verification is performed when messages are received on ports that have this policy. However, the device-role command takes precedence over the trusted-port command; if the device role is configured as host, messages will be dropped regardless of trusted-port command configuration.

Examples

The following example defines an RA guard policy name as raguard1, places the router in RA guard policy configuration mode, and configures the port to be trusted:


Router(config)# ipv6 nd raguard policy raguard1
Router(config-ra-guard)# trusted-port

tunnel-limit (GTP)

To specify the maximum number of General Packet Radio Service (GPRS) Tunneling Protocol (GTP) tunnels that can be configured, use the tunnel-limit command in parameter-map type inspect configuration mode. To return to the default tunnel limit, use the no form of this command.

tunnel-limit max-tunnels

no tunnel-limit

Syntax Description

max-tunnels

Number of GTP tunnels that can be configured. Valid values are from 1 to 4294967295. The default is 500.

Command Default

A tunnel limit of 500 is configured.

Command Modes

Parameter-map type inspect configuration (config-profile)

Command History

Release

Modification

Cisco IOS XE Release 3.7S

This command was introduced.

Examples

The following example shows how to limit the number of configured GTP tunnels to 23456:

Device(config)# parameter-map type inspect-global gtp
Device(config-profile)# tunnel-limit 23456
Device(config-profile)#  

tunnel mode

To set the encapsulation mode for the tunnel interface, use the tunnel mode command in interface configuration mode. To restore the default mode, use the no form of this command.

tunnel mode {aurp | auto | cayman | dvmrp | eon | gre | gre multipoint | gre ip | gre ipv6 | ipip [decapsulate-any] | ipsec ipv4 | iptalk | ipv6 | ipsec ipv6 | mpls | nos | rbscp}

no tunnel mode

Syntax Description

aurp

Specifies AppleTalk Update-Based Routing Protocol.

auto

Enables auto tunneling mode.

cayman

Specifies Cayman TunnelTalk AppleTalk encapsulation.

dvmrp

Specifies Distance Vector Multicast Routing Protocol.

eon

Specifies an EON-compatible Connectionless Network Protocol (CLNS) tunnel.

gre

Specifies generic routing encapsulation (GRE) protocol. This is the default.

gre multipoint

Specifies Multipoint GRE (mGRE).

gre ip

Specifies GRE tunneling using IPv4 as the delivery protocol.

gre ipv6

Specifies GRE tunneling using IPv6 as the delivery protocol.

ipip

Specifies IP-over-IP encapsulation.

decapsulate-any

(Optional) Terminates any number of IP-in-IP tunnels at one tunnel interface. This tunnel will not carry any outbound traffic; however, any number of remote tunnel endpoints can use a tunnel configured this way as their destination.

ipsec ipv4

Specifies IPsec tunnel mode with IPv4 as the transport.

iptalk

Specifies Apple IPTalk encapsulation.

ipv6

Specifies a static tunnel interface that encapsulates IPv6 or IPv4 packets in IPv6.

ipsec ipv6

Specifies IPsec tunnel mode with IPv6 as the transport.

mpls

Specifies Multiprotocol Label Switching (MPLS) encapsulation.

nos

Specifies KA9Q/NOS compatible IP over IP.

rbscp

Specifies Rate Based Satellite Control Protocol (RBSCP).

Command Default

The default is GRE tunneling.

Command Modes

Interface configuration (config-if)

Command History

Release

Modification

10.0

This command was introduced.

10.3

This command was modified. The aurp, dvmrp, and ipip keywords were added.

11.2

This command was modified. The optional decapsulate-any keywords were added.

12.2(13)T

This command was modified. The gre multipoint keywords were added.

12.3(7)T

This command was modified. The following keywords were added:

  • gre ipv6 to support GRE tunneling using IPv6 as the delivery protocol.

  • ipv6 to allow a static tunnel interface to be configured to encapsulate IPv6 or IPv4 packets in IPv6.

  • rbscp to support RBSCP.

12.3(14)T

This command was modified. The ipsec ipv4 keywords were added.

12.2(18)SXE

This command was modified. The gre multipoint keywords were added.

12.2(30)S

This command was integrated into Cisco IOS Release 12.2(30)S.

12.2(25)SG

This command was integrated into Cisco IOS Release 12.2(25)SG.

12.4(4)T

This command was modified. The ipsec ipv6 keywords were added.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

Cisco IOS XE Release 2.1

This command was implemented on the Cisco ASR 1000 Series Aggregation Services Routers.

15.4(2)T

This command was modified. The auto keyword was added.

15.4(2)S

This command was implemented on the Cisco ASR 901 Series Aggregation Services Router.

Cisco IOS XE Release 3.12S

This command was integrated into Cisco IOS XE Release 3.12S.

Usage Guidelines

Auto Tunneling

Auto tunneling mode simplifies configuration and removes the need to know the responder's details in advance. It automatically applies the tunneling protocol (GRE or IPsec) and transport protocol (IPv4 or IPv6) on the virtual template as soon as the IKE profile creates the virtual access interface.

Cayman Tunneling

Designed by Cayman Systems, Cayman tunneling implements tunneling to enable Cisco devices to interoperate with Cayman GatorBoxes. With Cayman tunneling, you can establish tunnels between two devices or between a Cisco device and a GatorBox. When using Cayman tunneling, you must not configure the tunnel with an AppleTalk network address.

DVMRP

Use DVMRP when a device connects to an mrouted (multicast) device to run DVMRP over a tunnel. You must configure Protocol Independent Multicast (PIM) and an IP address on a DVMRP tunnel.

GRE with AppleTalk

GRE tunneling can be done between Cisco devices only. When using GRE tunneling for AppleTalk, you configure the tunnel with an AppleTalk network address. Using the AppleTalk network address, you can ping the other end of the tunnel to check the connection.

IPsec in IPv6 Transport

IPv6 IPsec encapsulation provides site-to-site IPsec protection of IPv6 unicast and multicast traffic. This feature allows an IPv6 device to work as a security gateway, establish IPsec tunnels with another security gateway device, and provide IPsec protection for traffic from an internal network while it is transmitted across the public IPv6 Internet. IPv6 IPsec is very similar to the security gateway model that uses IPv4 IPsec protection.

Multipoint GRE

After enabling mGRE tunneling, you can enable the tunnel protection command, which allows you to associate the mGRE tunnel with an IPsec profile. Combining mGRE tunnels and IPsec encryption allows a single mGRE interface to support multiple IPsec tunnels, thereby simplifying the size and complexity of the configuration.


Note

GRE tunnel keepalives configured using the keepalive command under a GRE interface are supported only on point-to-point GRE tunnels.

RBSCP

RBSCP tunneling is designed for wireless or long-distance delay links with high error rates, such as satellite links. Using tunnels, RBSCP can improve the performance of certain IP protocols, such as TCP and IPsec, over satellite links without breaking the end-to-end model.

Source and Destination Address

You cannot have two tunnels that use the same encapsulation mode with exactly the same source and destination address. The workaround is to create a loopback interface and source one of the tunnels from that loopback interface.

Examples

The following example shows how to enable auto tunneling mode:


Device(config)# interface tunnel 0
Device(config-if)# tunnel source ethernet 0
Device(config-if)# tunnel destination 10.108.164.19
Device(config-if)# tunnel mode auto

The following example shows how to enable Cayman tunneling:


Device(config)# interface tunnel 0
Device(config-if)# tunnel source ethernet 0
Device(config-if)# tunnel destination 10.108.164.19
Device(config-if)# tunnel mode cayman

The following example shows how to enable GRE tunneling:


Device(config)# interface tunnel 0
Device(config-if)# appletalk cable-range 4160-4160 4160.19
Device(config-if)# appletalk zone Engineering
Device(config-if)# tunnel source ethernet0
Device(config-if)# tunnel destination 10.108.164.19
Device(config-if)# tunnel mode gre

The following example shows how to configure a tunnel using IPsec encapsulation with IPv4 as the transport mechanism:


Device(config)# crypto ipsec profile PROF
Device(ipsec-profile)# set transform-set tset
Device(ipsec-profile)# exit
Device(config)# interface Tunnel0
Device(config-if)# ip address 10.1.1.1 255.255.255.0
Device(config-if)# tunnel mode ipsec ipv4
Device(config-if)# tunnel source Loopback0
Device(config-if)# tunnel destination 172.16.1.1
Device(config-if)# tunnel protection ipsec profile PROF

The following example shows how to configure an IPv6 IPsec tunnel interface:


Device(config)# interface tunnel 0 
Device(config-if)# ipv6 address 2001:0DB8:1111:2222::2/64 
Device(config-if)# tunnel destination 10.0.0.1
Device(config-if)# tunnel source Ethernet 0/0
Device(config-if)# tunnel mode ipsec ipv6
Device(config-if)# tunnel protection ipsec profile profile1

The following example shows how to enable mGRE tunneling:


interface Tunnel0
 bandwidth 1000
 ip address 10.0.0.1 255.255.255.0
! Ensures longer packets are fragmented before they are encrypted; otherwise, the
! receiving router would have to do the reassembly.
 ip mtu 1416
! Turns off split horizon on the mGRE tunnel interface; otherwise, EIGRP will not
! advertise routes that are learned via the mGRE interface back out that interface.
 no ip split-horizon eigrp 1
 no ip next-hop-self eigrp 1
 delay 1000
! Sets IPSec peer address to Ethernet interface’s public address.
 tunnel source Ethernet0
 tunnel mode gre multipoint
! The following line must match on all nodes that want to use this mGRE tunnel.
 tunnel key 100000
 tunnel protection ipsec profile vpnprof

The following example shows how to enable RBSCP tunneling:

Device(config)# interface tunnel 0
Device(config-if)# tunnel source ethernet 0
Device(config-if)# tunnel destination 10.108.164.19
Device(config-if)# tunnel mode rbscp

tunnel mode ipsec dual-overlay

To configure the tunnel mode as dual-overlay, use the tunnel mode ipsec dual-overlay command in interface configuration mode. To restore the default mode, use the no form of this command.

tunnel mode ipsec dual-overlay

no tunnel mode ipsec dual-overlay

Syntax Description

ipsec

Tunnel mode is IPsec.

dual-overlay

Specifies a dual-overlay tunnel.

Command Default

None.

Command Modes

Interface configuration (config-if)

Command History

Release

Modification

Cisco IOS XE Cupertino 17.9.1a

This command was introduced.

Usage Guidelines

Use the tunnel mode ipsec dual-overlay command to specify the encapsulation protocol for the tunnel. IPsec dual-overlay tunnel mode carries both IPv4 and IPv6 traffic over a single IPsec Security Association (SA) that is tunneled over IPv4.

Examples

The following example shows how to configure the tunnel mode as dual-overlay:


Device(config)# interface tunnel 1
Device(config-if)# ipv6 enable
Device(config-if)# tunnel source ethernet 0/0
Device(config-if)# tunnel mode ipsec dual-overlay
Device(config-if)# tunnel destination 10.108.164.19
Device(config-if)# tunnel protection ipsec profile ipsecprof

tunnel protection

To associate a tunnel interface with an IP Security (IPsec) profile, use the tunnel protection command in interface configuration mode. To disassociate a tunnel with an IPsec profile, use the no form of this command.

tunnel protection {ipsec profile name [shared | {isakmp-profile | ikev2-profile} name] | timeout pending-connection seconds}

no tunnel protection {ipsec profile name [shared | {isakmp-profile | ikev2-profile} name] | timeout pending-connection seconds}

Syntax Description

ipsec profile

Enables generic routing encapsulation (GRE) tunnel encryption via IPsec.

name

Name of the IPsec profile. This value must match the name specified in the crypto ipsec profile command.

shared

(Optional) Allows the tunnel protection IPsec Security Association Database (SADB) to share the same dynamic crypto map instead of creating a unique crypto map per tunnel interface.

isakmp-profile

Specifies the ISAKMP profile for the crypto connection.

ikev2-profile

Specifies the IKEv2 profile for the crypto connection.

shared name

Name of the shared socket for the crypto connection.

timeout pending-connection seconds

Specifies the timeout after which pending connections are terminated. The default value is 300 seconds. The range is from 60 to 3600 seconds.

Command Default

Tunnel interfaces are not associated with IPsec profiles.

Command Modes

Interface configuration (config-if)

Command History

Release

Modification

XE 17.3.4

The timeout pending-connection keyword was introduced.

12.2(13)T

This command was introduced.

12.3(5)T

The shared keyword was added.

12.2(18)SXE

This command was integrated into Cisco IOS Release 12.2(18)SXE.

12.4(5)

The shared keyword was changed so that if it is used with the tunnel protection command, the tunnel source command must specify an interface instead of an IP address.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

Cisco IOS XE Release 2.5

This command was integrated into Cisco IOS XE Release 2.5.

15.4(2)S

This command was implemented on the Cisco ASR 901 Series Aggregation Services Router.

Usage Guidelines

Use the tunnel protection command to specify that IPsec encryption will be performed after the GRE has been added to the tunnel packet. The tunnel protection command can be used with multipoint GRE (mGRE) and point-to-point GRE (p-pGRE) tunnels. With p-pGRE tunnels, the tunnel destination address will be used as the IPsec peer address. With mGRE tunnels, multiple IPsec peers are possible; the corresponding Next Hop Resolution Protocol (NHRP) mapping nonbroadcast multiaccess (NBMA) destination addresses will be used as the IPsec peer addresses.

The shared Keyword

If you want to configure two Dynamic Multipoint VPN (DMVPN) mGRE and IPsec tunnels on the same router with the same local endpoint (tunnel source) configuration, you must use the shared keyword.

The dynamic crypto map that is created by the tunnel protection command is always different from a crypto map that is configured directly on the interface.

Unlike with the tunnel protection command, which specifies that IPsec encryption will be performed after GRE encapsulation, configuring a crypto map on a tunnel interface specifies that encryption will be performed before GRE encapsulation.

If the shared keyword is used, the tunnel source command must specify an interface instead of an IP address. Crypto sockets are not shared if the tunnel source is not specified as an interface.


Note


GRE keepalives are supported only with a crypto map. GRE tunnel keepalives (configured with the keepalive command under the GRE interface) are not supported in combination with the tunnel protection command.

The tunnel mode command must be configured before running the tunnel protection command. Changing the sequence by configuring this command followed by the tunnel mode command results in the tunnel not having connectivity.

Examples

The following example shows how to associate the IPsec profile “vpnprof” with an mGRE tunnel interface. In this example, the IPsec source peer address will be the IP address from Ethernet interface 0. There is a static NHRP mapping from IP address 10.0.0.3 to IP address 172.16.2.1, so for this NHRP mapping the IPsec destination peer address will be 172.16.2.1. The IPsec proxy will be as follows: permit gre host ethernet0-ip-address host ip-address. Other NHRP mappings (static or dynamic) will automatically create additional IPsec security associations (SAs) with the same source peer address and the destination peer address from the NHRP mapping. The IPsec proxy for these NHRP mappings will be as follows: permit gre host ethernet0-ip-address host NHRP-mapping-NBMA-address.


crypto ipsec profile vpnprof
 set transform-set trans2
!
interface Tunnel0
 bandwidth 1000
 ip address 10.0.0.1 255.255.255.0
! Ensures that longer packets are fragmented before they are encrypted; otherwise, the
! receiving router would have to do the reassembly.
 ip mtu 1416
 ip nhrp authentication donttell
 ip nhrp map multicast dynamic
 ip nhrp network-id 99
 ip nhrp holdtime 300
! Turns off split horizon on the mGRE tunnel interface; otherwise, EIGRP will not
! advertise routes that are learned via the mGRE interface back out that interface.
 no ip split-horizon eigrp 1
 no ip next-hop-self eigrp 1
 delay 1000
! Sets the IPsec peer address to the Ethernet interface’s public address.
 tunnel source Ethernet0
 tunnel mode gre multipoint
! The following line must match on all nodes that want to use this mGRE tunnel.
 tunnel key 100000
 tunnel protection ipsec profile vpnprof

The following example shows how to associate the IPsec profile “vpnprof” with a p-pGRE tunnel interface. In this example, the IPsec source peer address will be the IP address from Ethernet interface 0. The IPsec destination peer address will be 172.16.1.10 (per the tunnel destination command). The IPsec proxy will be as follows: permit gre host ethernet0-ip-address host ip-address.


interface Tunnel1
 ip address 10.0.1.1 255.255.255.252
! Ensures that longer packets are fragmented before they are encrypted; otherwise, the 
! receiving router would have to do the reassembly.
 ip mtu 1420
 tunnel source Ethernet0
 tunnel destination 172.16.1.10
 tunnel protection ipsec profile vpnprof

In the following example, the crypto sockets are shared between the Tunnel0 and Tunnel1 interfaces because the tunnel protection command on both interfaces uses the same profile and is configured with the shared keyword. Both tunnels specify the Ethernet0/0 interface as the tunnel source, as the shared keyword requires.


interface Tunnel0
ip address 10.255.253.3 255.255.255.0
no ip redirects
ip mtu 1436
ip nhrp authentication h1there
ip nhrp map 10.255.253.1 192.168.1.1
ip nhrp map multicast 192.168.1.1
ip nhrp network-id 253
ip nhrp holdtime 600
ip nhrp nhs 10.255.253.1
ip ospf message-digest-key 1 md5 wellikey        
ip ospf network broadcast
ip ospf cost 35
ip ospf priority 0
no ip mroute-cache
tunnel source Ethernet0/0
tunnel mode gre multipoint
tunnel key 253
tunnel protection ipsec profile dmvpn-profile shared
interface Tunnel1
ip address 10.255.254.3 255.255.255.0
no ip redirects
ip mtu 1436
ip nhrp authentication h1there
ip nhrp map multicast 192.168.1.3
ip nhrp map 10.255.254.1 192.168.1.3
ip nhrp network-id 254
ip nhrp holdtime 600
ip nhrp nhs 10.255.254.1
ip ospf message-digest-key 1 md5 wellikey        
ip ospf network broadcast
ip ospf priority 0
no ip mroute-cache
tunnel source Ethernet0/0
tunnel mode gre multipoint
tunnel key 254
tunnel protection ipsec profile dmvpn-profile shared

tunnel protection ipsec policy

To associate an ACL with a Static Virtual Tunnel Interface (SVTI), use the tunnel protection ipsec policy command in the interface configuration mode. To disassociate an ACL from an SVTI, use the no form of this command.

tunnel protection ipsec policy {ipv4 | ipv6} acl

no tunnel protection ipsec policy {ipv4 | ipv6} acl

Syntax Description

ipv4

Specifies that the traffic selector is of type IPv4.

ipv6

Specifies that the traffic selector is of type IPv6.

acl

Name or number identifying the ACL to be associated.

Command Default

By default, an ACL is not associated with an SVTI and a traffic selector of ‘any any’ is used.

Command Modes

Interface configuration (config-if)

Command History

Release

Modification

16.12.1

This command was introduced.

Usage Guidelines

By default, an SVTI supports a single IPSec SA with ‘any any’ as the traffic selector. To create IPSec SAs for non-any-any proxies, define the non-any-any proxies in ACLs and associate the ACL with an SVTI using this command.

To disassociate an ACL from an SVTI use the no form of the command. When an ACL is disassociated from an SVTI, the SVTI resumes the default behavior of supporting a single IPSec SA with ‘any any’ as the traffic selector.

Examples

The following example shows how to configure multi-SA support for an SVTI with an IPv4 traffic selector:

Device(config)# interface Tunnel0
Device(config-if)# ip address 11.1.1.2 255.255.255.0 
Device(config-if)# tunnel source Ethernet0/0 
Device(config-if)# tunnel mode ipsec ipv4 
Device(config-if)# tunnel destination 172.168.17.1
Device(config-if)# tunnel protection ipsec policy ipv4 ipsec_acl1 
Device(config-if)# tunnel protection ipsec profile ipsec_prof                                           

ip access-list extended ipsec_acl1
permit ip 30.0.0.0 0.0.0.255 40.0.0.0 0.0.0.255
permit ip 50.0.0.0 0.0.0.255 60.0.0.0 0.0.0.255

The following example shows how to configure multi-SA support for an SVTI with an IPv6 traffic selector:

Device(config)# interface Tunnel0 
Device(config-if)# ipv6 address 400::10:1/112  
Device(config-if)# tunnel destination 2003::8:2
Device(config-if)# tunnel source Ethernet 0/0
Device(config-if)# tunnel mode ipsec ipv6 
Device(config-if)# tunnel protection ipsec policy ipv6 ipsec_acl2
Device(config-if)# tunnel protection ipsec profile ipsec_prof

ipv6 access-list ipsec_acl2
sequence 10 permit ipv6 host 2005::10:1 host 2005::11:1
sequence 20 permit ipv6 host 2005::15:1 host 2005::16:1
sequence 30 permit ipv6 host 2005::20:1 host 2005::21:1

type echo protocol ipIcmpEcho


Note


Effective with Cisco IOS Release 12.4(4)T, 12.2(33)SRB, 12.2(33)SB, and 12.2(33)SXI, the type echo protocol ipIcmpEcho command is replaced by the icmp-echo command. See the icmp-echo command for more information.


To configure an IP Service Level Agreements (SLAs) Internet Control Message Protocol (ICMP) echo operation, use the type echo protocol ipIcmpEcho command in IP SLA monitor configuration mode.

type echo protocol ipIcmpEcho {destination-ip-address | destination-hostname} [source-ipaddr {ip-address | hostname} | source-interface interface-name]

Syntax Description

destination-ip-address | destination-hostname

Destination IP address or hostname for the operation.

source-ipaddr {ip-address | hostname }

(Optional) Specifies the source IP address or hostname. When a source IP address or hostname is not specified, IP SLAs chooses the IP address nearest to the destination.

source-interface interface-name

(Optional) Specifies the source interface for the operation.

Command Default

No IP SLAs operation type is configured for the operation being configured.

Command Modes

IP SLA monitor configuration (config-sla-monitor)

Command History

Release

Modification

11.2

This command was introduced.

12.0(5)T

The source-ipaddr keyword and the ip-address and hostname arguments were added.

12.3(7)XR

The source-interface keyword and interface-name argument were added.

12.3(11)T

The source-interface keyword and interface-name argument were added.

12.4(4)T

This command was replaced by the icmp-echo command.

12.2(33)SRB

This command was replaced by the icmp-echo command.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.

12.2(33)SB

This command was replaced by the icmp-echo command.

12.2(33)SXI

This command was replaced by the icmp-echo command.

Usage Guidelines

The default request packet data size for an ICMP echo operation is 28 bytes. Use the request-data-size command to modify this value. This data size is the payload portion of the ICMP packet, which makes a 64-byte IP packet.

You must configure the type of IP SLAs operation (such as User Datagram Protocol [UDP] jitter or Internet Control Message Protocol [ICMP] echo) before you can configure any of the other parameters of the operation. To change the operation type of an existing IP SLAs operation, you must first delete the IP SLAs operation (using the no ip sla monitor global configuration command) and then reconfigure the operation with the new operation type.

Examples

In the following example, IP SLAs operation 10 is created and configured as an echo operation using the IP/ICMP protocol and the destination IP address 172.16.1.175.


ip sla monitor 10
 type echo protocol ipIcmpEcho 172.16.1.175
!
ip sla monitor schedule 10 start-time now

udp half-open

To configure timeout values for UDP half-opened sessions, use the udp half-open command in parameter-map type inspect configuration mode. To disable the timeout values for UDP half-opened sessions, use the no form of this command.

udp half-open idle-time milliseconds [ageout-time milliseconds]

no udp half-open idle-time milliseconds [ageout-time milliseconds]

Syntax Description

idle-time

Specifies the idle timeout for UDP half-opened sessions going through the firewall.

milliseconds

Amount of time, in milliseconds, during which a UDP session will continue to be managed while there is no activity. Valid values are from 1 to 2147483.

ageout-time milliseconds

(Optional) Specifies the aggressive aging time for UDP half-opened sessions. Valid values are from 1 to 2147483.

Command Default

The timeout default is 30 seconds.

Command Modes

Parameter-map type inspect configuration (config-profile)

Command History

Release

Modification

Cisco IOS XE Release 3.4S

This command was introduced.

Usage Guidelines

You must configure the parameter-map type inspect command before you can configure the udp half-open command.

A UDP half-open session is a session in which only one UDP packet has been seen in the flow.

Examples

The following example shows how to configure the idle timeout and the aggressive aging time for UDP half-open sessions:

Router(config)# parameter-map type inspect pmap
Router(config-profile)# udp half-open idle-time 67800 ageout-time 67800
Router(config-profile)# end

udp idle-time

To configure the idle timeout for UDP sessions, use the udp idle-time command in parameter-map type inspect configuration mode. To disable the timeout, use the no form of this command.

udp idle-time seconds [ageout-time seconds]

no udp idle-time

Syntax Description

seconds

Amount of time, in seconds, during which a UDP session will continue to be managed while there is no activity. Valid values are from 1 to 2147483.

ageout-time seconds

(Optional) Specifies the aggressive aging time for UDP sessions. Valid values are from 1 to 2147483.

Command Default

The timeout default is 30 seconds.

Command Modes

Parameter-map type inspect configuration

Command History

Release

Modification

12.4(6)T

This command was introduced.

Cisco IOS XE Release 2.1

This command was integrated into Cisco IOS XE Release 2.1.

Cisco IOS XE Release 3.4S

This command was modified. The ageout-time seconds keyword and argument pair was added.

Usage Guidelines

When you configure an inspect parameter map, you can enter the udp idle-time command after you enter the parameter-map type inspect command.

When the software detects a valid UDP packet, it creates state information for a new UDP session. Because UDP is connectionless there is no actual session; the software examines the packet and decides whether it belongs with other UDP packets it has seen (for example, similar source or destination addresses, and arrival soon after another similar UDP packet).

If the software detects no UDP packets for the UDP session for the period of time defined by the UDP idle timeout, the software will not continue to manage state information for the session.

For detailed information about creating a parameter map, see the parameter-map type inspect command.

Examples

The following example configures a UDP session to remain managed for 75 seconds of inactivity before its state is dropped:


Router(config)# parameter-map type inspect eng-network-profile 
Router(config-profile)# udp idle-time 75 
Router(config-profile)# end

The following example shows how to configure the aging out time for UDP sessions:


Router(config)# parameter-map type inspect eng-network-profile 
Router(config-profile)# udp idle-time 75 ageout-time 50 
Router(config-profile)# end

unmatched-action

To define the action taken when a user request matches none of the IP addresses or host sites configured for URL rewriting, use the unmatched-action command in URL rewrite configuration mode. To disable the action, use the no form of this command.

unmatched-action [direct-access | redirect]

no unmatched-action [direct-access | redirect]

Syntax Description

direct-access

(Optional) Provides direct access to the URL and an information page stating that the user can access the URL directly.

redirect

(Optional) Provides the user with direct access to the URL, but the user does not receive the information page as with the direct-access keyword.

Command Default

Direct access to the URL

Command Modes


URL rewrite configuration (config-webvpn-url-rewrite)

Command History

Release

Modification

12.4(20)T

This command was introduced.

Examples

The following example shows that the user has direct access to the URL:


Router(config)# webvpn context
Router(config-webvpn-context)# url rewrite
Router(config-webvpn-url-rewrite)# unmatched-action direct-access

url (ips-auto-update)

To define a location in which to retrieve the Cisco IOS Intrusion Prevention System (IPS) signature configuration files, use the url command in IPS-auto-update configuration mode.

url url

Syntax Description

url

Location in which the router retrieves the latest signature files.

Command Default

The default value is defined in the signature definition XML.

Command Modes


IPS-auto-update configuration

Command History

Release

Modification

12.4(11)T

This command was introduced.

Usage Guidelines

Automatic signature updates allow users to override the existing IPS configuration and automatically keep signatures up to date on the basis of a preset time, which can be configured to a preferred setting.

Examples

In this example, the signature package file is pulled from the TFTP server at the start of every hour (minute 0 of hours 0 through 23), Sunday through Thursday. (Adjustments are made for months without 31 days and for daylight saving time.)


Router# show ip ips auto-update
 
IPS Auto Update Configuration
URL : tftp://192.168.0.2/jdoe/ips-auto-update/IOS_reqSeq-dw.xml
Username : not configured
Password : not configured
Auto Update Intervals
  minutes (0-59) : 0
  hours (0-23) : 0-23
  days of month (1-31) : 1-31
  days of week: (0-6) : 1-5

url rewrite

To mangle selective URL requests on a Secure Socket Layer virtual private network (SSL VPN) gateway and enter URL rewrite mode, use the url rewrite command in webvpn context configuration mode. To disable selected URL requests, use the no form of this command.

url rewrite

no url rewrite

Syntax Description

This command has no arguments or keywords.

Command Default

All requests are mangled.

Command Modes


Webvpn context configuration (config-webvpn-context)

Command History

Release

Modification

12.4(20)T

This command was introduced.

Usage Guidelines

Configuring the url rewrite command enters the url rewrite submode, in which selected IP addresses or hosts are defined for mangling.

Examples

The following example shows that selective URL mangling has been configured for the network 10.1.0.0 255.255.0.0:


Router(config)# webvpn context
Router(config-webvpn-context)# url rewrite
Router(config-webvpn-url-rewrite)# ip 10.1.0.0 255.255.0.0

urlfilter

To enable Cisco IOS URL filtering, use the urlfilter command in policy-map-class configuration mode. To disable URL filtering, use the no form of this command.

urlfilter parameter-map-name

no urlfilter parameter-map-name

Syntax Description

parameter-map-name

Name of the parameter map for the URL filter.

Command Default

None

Command Modes


Policy-map-class configuration

Command History

Release

Modification

12.4(6)T

This command was introduced.

Usage Guidelines

You can use this command only after entering the policy-map type inspect, class type inspect, and parameter-map type inspect commands.

Examples

The following example enables Cisco IOS firewall URL filtering:


policy-map type inspect p1 
 class type inspect c1
  urlfilter param1 

url-list

To enter webvpn URL list configuration mode to configure a list of URLs to which a user has access on the portal page of a Secure Sockets Layer Virtual Private Network (SSL VPN) and to attach the URL list to a policy group, use the url-list command in webvpn context configuration and webvpn group policy configuration mode, respectively. To remove the URL list from the SSL VPN context configuration and from the policy group, use the no form of this command.

url-list name

no url-list name

Syntax Description

name

Name of the URL list. The list name can be up to 64 characters in length.

Command Default

Webvpn URL list configuration mode is not entered, and a list of URLs to which a user has access on the portal page of a SSL VPN website is not configured. If the command is not used to attach a URL list to a policy group, then a URL list is not attached to a group policy.

Command Modes


Webvpn context configuration
Webvpn group policy configuration

Command History

Release

Modification

12.3(14)T

This command was introduced.

Usage Guidelines

Entering this command places the router in SSL VPN URL list configuration mode. In this mode, the list of URLs is configured. A URL list can be configured under the SSL VPN context configuration and then separately for each individual policy group configuration. Individual URL list configurations must have unique names.

Examples

The following example creates a URL list:


Router(config)# webvpn context context1
Router(config-webvpn-context)# url-list ACCESS
Router(config-webvpn-url)# heading "Quick Links"
Router(config-webvpn-url)# url-text "Human Resources" url-value hr.mycompany.com
Router(config-webvpn-url)# url-text Engineering url-value eng.mycompany.com
Router(config-webvpn-url)# url-text "Sales and Marketing" url-value products.mycompany.com

The following example attaches a URL list to a policy group configuration:


Router(config)# webvpn context context1
Router(config-webvpn-context)# url-list ACCESS
Router(config-webvpn-url)# heading "Quick Links"
Router(config-webvpn-url)# url-text "Human Resources" url-value hr.mycompany.com
Router(config-webvpn-url)# url-text Engineering url-value eng.mycompany.com
Router(config-webvpn-url)# url-text "Sales and Marketing" url-value products.mycompany.com
Router(config-webvpn-url)# exit
Router(config-webvpn-context)# policy group ONE
Router(config-webvpn-group)# url-list ACCESS

url-profile

To specify a URL profile that configures the SDP registrar to run HTTPS, use the url-profile command in tti-registrar configuration mode. To remove this configuration, use the no form of this command.

url-profile {start profile-name | intro profile-name}

no url-profile {start profile-name | intro profile-name}

Syntax Description

start

Indicates that a URL profile is to be associated with the Start SDP deployment phase of iPhone deployment.

intro

Indicates that a URL profile is to be associated with the Introduction SDP deployment phase of iPhone deployment.

profile-name

Specifies the name of a unique URL profile.

Command Default

No URL profile is defined for the iPhone deployment.

Command Modes


Tti-registrar configuration mode (tti-registrar)

Command History

Release

Modification

15.1(2)T

This command was introduced.

Usage Guidelines

The SDP registrar is enabled to run HTTPS. Issue the ip http secure-server command to enable the HTTPS web server and, once the secure server is enabled, the ip http secure-trustpoint command to select its certificate. Disable the standard HTTP server with the no ip http server command if it is enabled, so that enrollment traffic cannot fall back to cleartext. The specified trustpoint is a registrar local trustpoint appropriate for HTTPS communication between the registrar and the iPhone’s browser.

The url-profile command can use the same or a different URL profile for the Introduction and Start SDP deployment phases.

Examples

The following example configures the SDP registrar to run HTTPS in order to deploy Apple iPhones on a corporate network from global configuration mode:


Router(config)# crypto provisioning registrar
Router(tti-registrar)# url-profile start START
Router(tti-registrar)# url-profile intro INTRO
Router(tti-registrar)# match url /sdp/intro
Router(tti-registrar)# match authentication trustpoint apple-tp
Router(tti-registrar)# match certificate cat 10
Router(tti-registrar)# mime-type application/x-apple-aspen-config
Router(tti-registrar)# template location flash:intro.mobileconfig
Router(tti-registrar)# template variable p iphone-vpn

validate source-mac

To check the source media access control (MAC) address against the link-layer address, use the validate source-mac command in Neighbor Discovery (ND) inspection policy configuration mode. To disable the check, use the no form of this command.

validate source-mac

no validate source-mac

Syntax Description

This command has no arguments or keywords.

Command Default

This command is disabled by default.

Command Modes


ND inspection policy configuration (config-nd-inspection)
RA guard policy configuration
(config-ra-guard)

Command History

Release

Modification

12.2(50)SY

This command was introduced.

Usage Guidelines

When the router receives an ND message that contains a link-layer address, the source MAC address is checked against the link-layer address. Use the validate source-mac command to drop the packet if the link-layer address and the MAC addresses are different from each other.
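The comparison this command performs, as an added example that is not IOS code: parse an Ethernet frame carrying an IPv6 Neighbor Discovery message, pull the link-layer address option out of the ICMPv6 body, and drop the frame when that address disagrees with the Ethernet source MAC. Message layouts and option codes follow RFC 4861; which option IOS compares for each message type is not stated on this page, so using the source link-layer option of RS/RA/NS and the target link-layer option of NA is this example's assumption. The sample Neighbor Solicitation frames, the MAC addresses, and the helper names are constructed here, and ICMPv6 checksums are neither computed nor verified.

```python
"""The check behind validate source-mac (added example, not IOS code).
Layouts follow RFC 4861; the choice of option compared per message type and
the sample frames below are this example's own."""
import struct
from typing import Optional, Tuple

ETHERTYPE_IPV6 = 0x86DD
NEXT_HEADER_ICMPV6 = 58
# Length of the fixed ND body after the 4-byte ICMPv6 header, before options.
ND_FIXED = {133: 4, 134: 12, 135: 20, 136: 20}      # RS, RA, NS, NA
# Link-layer option to compare: 1 = source LLA, 2 = target LLA (assumption for NA).
LLA_OPTION = {133: 1, 134: 1, 135: 1, 136: 2}


def link_layer_option(frame: bytes) -> Optional[Tuple[bytes, int, Optional[bytes]]]:
    """Return (Ethernet source MAC, ND type, MAC carried in the LLA option or None),
    or None when the frame is not an IPv6 ND message."""
    if len(frame) < 14 + 40 + 4:
        return None
    eth_src = frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV6:
        return None
    payload_len, next_header = struct.unpack("!HB", frame[18:21])  # IPv6 hdr offsets 4..6
    if next_header != NEXT_HEADER_ICMPV6:
        return None
    icmp = frame[54:54 + payload_len]
    nd_type = icmp[0]
    if nd_type not in ND_FIXED or len(icmp) < 4 + ND_FIXED[nd_type]:
        return None
    pos = 4 + ND_FIXED[nd_type]
    option_mac = None
    while pos + 2 <= len(icmp):
        opt_type, opt_len = icmp[pos], icmp[pos + 1]   # length is in units of 8 bytes
        if opt_len == 0:                                # RFC 4861 4.6: invalid, stop parsing
            break
        if opt_type == LLA_OPTION[nd_type] and opt_len == 1:
            option_mac = icmp[pos + 2:pos + 8]
        pos += opt_len * 8
    return eth_src, nd_type, option_mac


def validate_source_mac(frame: bytes) -> str:
    """'drop' when the ND link-layer option disagrees with the Ethernet source MAC."""
    parsed = link_layer_option(frame)
    if parsed is None:
        return "not-nd"
    eth_src, _, option_mac = parsed
    if option_mac is None:          # no option present, nothing to compare
        return "permit"
    return "permit" if option_mac == eth_src else "drop"


# Constructed sample: a Neighbor Solicitation for fe80::2 sent from fe80::1.
SRC_IP6 = bytes.fromhex("fe80" + "0000" * 6 + "0001")
TARGET_IP6 = bytes.fromhex("fe80" + "0000" * 6 + "0002")
SOLICITED_NODE_IP6 = bytes.fromhex("ff02" + "0000" * 4 + "0001ff000002")
SOLICITED_NODE_MAC = bytes.fromhex("3333ff000002")
HOST_MAC = bytes.fromhex("001122334455")
SPOOFED_MAC = bytes.fromhex("00deadbeef01")


def build_ns(eth_src: bytes, slla: Optional[bytes]) -> bytes:
    """Ethernet/IPv6/ICMPv6 NS with an optional source link-layer address option."""
    options = b"" if slla is None else bytes([1, 1]) + slla   # type 1, length 1 (8 bytes)
    icmp = struct.pack("!BBH", 135, 0, 0) + b"\x00" * 4 + TARGET_IP6 + options
    ip6 = (struct.pack("!IHBB", 0x60000000, len(icmp), NEXT_HEADER_ICMPV6, 255)
           + SRC_IP6 + SOLICITED_NODE_IP6)
    return SOLICITED_NODE_MAC + eth_src + struct.pack("!H", ETHERTYPE_IPV6) + ip6 + icmp


def demo() -> dict:
    return {
        "matching": validate_source_mac(build_ns(HOST_MAC, HOST_MAC)),
        "spoofed": validate_source_mac(build_ns(HOST_MAC, SPOOFED_MAC)),
        "no_option": validate_source_mac(build_ns(HOST_MAC, None)),
        "not_nd": validate_source_mac(b"\x00" * 64),
    }
```

The "spoofed" case is the one this command exists for: a host that advertises one MAC in the ND option while transmitting from another is trying to poison a neighbor's cache with an address it does not own. Note that a message with no link-layer option is permitted by this check, because there is nothing to compare; other ND inspection validations cover that case.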

Examples

The following example enables the router to drop an ND message whose link-layer address does not match the MAC address:


Router(config)# ipv6 nd inspection policy policy1
Router(config-nd-inspection)# validate source-mac

url-text

To add an entry to a URL list, use the url-text command in webvpn URL list configuration mode. To remove the entry from a URL list, use the no form of this command.

url-text name url-value url

no url-text name url-value url

Syntax Description

name

Text label for the URL. The label must be inside quotation marks if it contains spaces.

url-value url

An HTTP URL.

Command Default

An entry is not added to a URL list.

Command Modes


Webvpn URL list configuration

Command History

Release

Modification

12.3(14)T

This command was introduced.

Examples

The following example adds three entries, under the heading "Quick Links", to the URL list named ACCESS:


Router(config)# webvpn context context1
Router(config-webvpn-context)# url-list ACCESS
Router(config-webvpn-url)# heading "Quick Links"
Router(config-webvpn-url)# url-text "Human Resources" url-value hr.mycompany.com
Router(config-webvpn-url)# url-text Engineering url-value eng.mycompany.com
Router(config-webvpn-url)# url-text "Sales and Marketing" url-value products.mycompany.com

usage

To specify the intended use for the certificate, use the usage command in ca-trustpoint configuration mode. To restore the default behavior, use the no form of this command.

usage method1 [method2 [method3] ]

no usage method1 [method2 [method3] ]

Syntax Description

method1 [method2 [method3]]

Intended use for the certificate; the available options are ike , ssl-client , and ssl-server .

You must choose at least one method, and you may choose all three methods.

Command Default

ike

Command Modes


Ca-trustpoint configuration

Command History

Release

Modification

12.2(8)T

This command was introduced.

Usage Guidelines

Before you can issue the usage command, you must enable the crypto ca trustpoint command, which declares the certification authority (CA) that your router should use and enters ca-trustpoint configuration mode.

This command may be used as a hint to set or clear key usage or other attributes in the certificate request.

Examples

The following example shows how to specify the certificate named "frog" for Internet Key Exchange (IKE):


crypto ca trustpoint frog
 enrollment url http://frog.phoobin.com/  
 subject-name OU=Spiral Dept., O=tiedye.com
 ip-address ethernet-0
 usage ike
 auto-enroll regenerate
 password revokeme
 rsa-key frog 2048

user

To enter the names of users that are allowed to authenticate using the local authentication server, use the user command in local RADIUS server configuration mode. To remove the username and password from the local RADIUS server, use the no form of this command.

user username {password | nthash} password [group group-name | mac-auth-only]

no user username {password | nthash} password [group group-name | mac-auth-only]

Syntax Description

username

Name of the user that is allowed to authenticate using the local authentication server.

password

Indicates that the user password will be entered.

nthash

Indicates that the NT value of the password will be entered.

password

User password.

group group-name

(Optional) Name of group to which the user will be added.

mac-auth-only

(Optional) Specifies that the user is allowed to authenticate using only MAC authentication.

Command Default

If no group name is entered, the user is not assigned to a VLAN and is never required to reauthenticate.

Command Modes


Local RADIUS server configuration

Command History

Release

Modification

12.2(11)JA

This command was introduced on the Cisco Aironet Access Point 1100 and the Cisco Aironet Access Point 1200.

12.2(15)JA

This command was modified to support MAC address authentication on the local authenticator.

12.3(2)JA

This command was modified to support EAP-FAST authentication on the local authenticator.

12.3(11)T

This command was integrated into Cisco IOS Release 12.3(11)T and implemented on the following platforms: Cisco 2600XM, Cisco 2691, Cisco 2811, Cisco 2821, Cisco 2851, Cisco 3700, and Cisco 3800 series routers.

Usage Guidelines

This command is not supported on bridges.

If you do not know the user password, look up the NT value of the password in the authentication server database, and enter the NT hash as a hexadecimal string.
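The NT hash is MD4 over the UTF-16LE encoding of the password. The following is an added example, not IOS code, that computes it and renders the corresponding user line; MD4 is implemented inline from RFC 1320 because hashlib's md4 is missing on OpenSSL 3 builds that lack the legacy provider. The usernames, passwords, and helper names are constructed for the example. Keep in mind that an NT hash is password-equivalent wherever NTLM or MS-CHAPv2 is accepted, so a configuration line that carries one must be protected exactly as a cleartext credential would be.

```python
"""NT hash for the `user <name> nthash <hex>` form (added example, not IOS code).
MD4 per RFC 1320; NT hash = MD4(UTF-16LE(password))."""
import struct
from typing import Callable, List

_MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & _MASK


def _f(x: int, y: int, z: int) -> int:
    return (x & y) | (~x & z)


def _g(x: int, y: int, z: int) -> int:
    return (x & y) | (x & z) | (y & z)


def _h(x: int, y: int, z: int) -> int:
    return x ^ y ^ z


def _round(v: List[int], x: List[int], order: List[int], shifts: List[int],
           fn: Callable[[int, int, int], int], const: int) -> List[int]:
    # Each step updates the first register and cycles the four, which yields the
    # ABCD, DABC, CDAB, BCDA sequence of RFC 1320 without spelling it out.
    for i, k in enumerate(order):
        t = (v[0] + fn(v[1], v[2], v[3]) + x[k] + const) & _MASK
        v = [v[3], _rotl(t, shifts[i % 4]), v[1], v[2]]
    return v


def md4(data: bytes) -> bytes:
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    bit_len = len(data) * 8
    data += b"\x80"                                   # padding: 1 bit, zeros, 64-bit length
    data += b"\x00" * ((56 - len(data) % 64) % 64)
    data += struct.pack("<Q", bit_len)
    for off in range(0, len(data), 64):
        x = list(struct.unpack("<16I", data[off:off + 64]))
        v = list(state)
        v = _round(v, x, list(range(16)), [3, 7, 11, 19], _f, 0)
        v = _round(v, x, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15],
                   [3, 5, 9, 13], _g, 0x5A827999)
        v = _round(v, x, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15],
                   [3, 9, 11, 15], _h, 0x6ED9EBA1)
        state = [(s + w) & _MASK for s, w in zip(state, v)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """Hex NT hash: the value entered after the nthash keyword."""
    return md4(password.encode("utf-16-le")).hex()


def local_radius_user_line(username: str, password: str, group: str = "") -> str:
    """Render the local RADIUS server line that enrols the user by NT hash."""
    line = f"user {username} nthash {nt_hash(password)}"
    return f"{line} group {group}" if group else line
```

Usage: local_radius_user_line("user1", "userisok", "team1") yields the nthash form of the page's first example. The MD4 test vectors from RFC 1320 (empty string and "abc") are a quick way to confirm the inline implementation before trusting any hash it produces.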

Examples

The following example shows that the user named "user1" has been allowed to authenticate using the local authentication server (using the password "userisok"). This user will be added to the group named "team1".


Router(config-radsrv)# user user1 password userisok group team1

The following example shows how to add a user to the list of clients allowed to authenticate using MAC-based authentication on the local authenticator.


AP(config-radsrv)# user 00074218d01b password 00074218d01b group cashiers

user-group

To define a user group for dynamically authenticating and enforcing security policies on a per user basis, use the user-group command in identity policy configuration mode. To delete the user-group, use the no form of this command.

user-group group-name

no user-group group-name

Syntax Description

group-name

Name of the user-group.

Command Default

None

Command Modes


Identity policy configuration (config-identity-policy)

Command History

Release

Modification

12.4(20)T

This command was introduced.

Usage Guidelines

The user-group command is used if the Tag and Template method of user-group support is used. The Tag and Template method associates IP addresses with user-groups using locally defined policies. A tag is received from the access control server (ACS), and this tag matches a template (identity policy with defined user-group) on the network access device (NAD).

To use the user-group command, you must first enter identity policy configuration mode by using the identity policy command. The identity policy defines one or more user-groups, to which source IP addresses are associated.


Note


Another method of user-group association is available. User-group support can be achieved by configuring the supplicant-group attribute on the ACS.


Examples

The following example creates the identity policy "auth_proxy_ip" and configures the user-group "auth_proxy_ug":


Router(config)# identity policy auth_proxy_ip
Router(config-identity-policy)# user-group auth_proxy_ug

user-group (parameter-map)

To configure the user group associations for Cloud Web Security content scanning, use the user-group command in parameter-map type inspect configuration mode. To disable the user group association, use the no form of this command.

user-group {group-name [username] | exclude | include} username

no user-group {group-name [username] | exclude | include} username

Syntax Description

group-name

Name of the default user group.

username

(Optional) Specifies the default username.

exclude

Excludes the specified user group.

include

Includes the specified user group.

username

Username.

Command Default

A user group is not configured.

Command Modes

Parameter-map type inspect configuration (config-profile)      

Command History

Release

Modification

15.2(1)T1

This command was introduced.

Usage Guidelines

Use the group-name argument to apply the same content scanning policy to all users in a branch office. A prefix of LDAP:// is attached to the group-name argument when this information is sent to Cloud Web Security, so that it matches the configured directory groups.

The username keyword is the global username that is sent to Cloud Web Security when there is no content scanning session specific to the configured username.

By default, all the configured user groups of a user are sent to Cloud Web Security. Use the user-group command to allow the administrator to filter the user groups sent to Cloud Web Security by configuring the include or the exclude keywords. When you configure the include keyword, only user groups that are in the include list are sent to Cloud Web Security. User groups in the exclude list are filtered from the list of user groups that is sent to Cloud Web Security. The default value for the include list is everything and the exclude list is empty. You can configure multiple instances of include and exclude user groups.

You can configure only one group on an interface. The static user group that is configured on the interface takes precedence over the group name configured in the Cloud Web Security parameter map.

Examples

The following example shows how to exclude a user group from being sent to Cloud Web Security:

Device(config)# parameter-map type cws global
Device(config-profile)# user-group exclude group1

user-group logging

To enable user-group syslogs, use the user-group logging command in global configuration mode. To disable user-group syslogs, use the no form of this command.

user-group logging [group group-name]

no user-group logging [group group-name]

Syntax Description

group

(Optional) Configures logging for a specific user group.

group-name

(Optional) Name of the user-group.

Command Default

None

Command Modes


Global configuration (config)

Command History

Release

Modification

12.4(20)T

This command was introduced.

Examples

The following example enables syslogs for the user-group "auth_proxy_ug":


Router(config)# user-group logging group auth_proxy_ug

username

To establish a username-based authentication system, use the username command in global configuration mode. To remove an established username-based authentication, use the no form of this command.

username name [aaa attribute list aaa-list-name]

username name [access-class access-list-number]

username name [autocommand command]

username name [callback-dialstring telephone-number]

username name [callback-line [tty] line-number [ending-line-number] ]

username name [callback-rotary rotary-group-number]

username name [dnis]

username name [mac]

username name [nocallback-verify]

username name [noescape]

username name [nohangup]

username name [nopassword | password password | password encryption-type encrypted-password]

username name [one-time {password {0 | 7 | password} | secret {0 | 5 | password}}]

username name [password secret]

username name [privilege level]

username name [secret {0 | 5 | password}]

username name [user-maxlinks number]

username [lawful-intercept] name [privilege privilege-level | view view-name] password password

no username name

Syntax Description

name

Hostname, server name, user ID, or command name. The name argument can be only one word. Blank spaces and quotation marks are not allowed.

aaa attribute list aaa-list-name

Uses the specified authentication, authorization, and accounting (AAA) method list.

access-class access-list-number

(Optional) Specifies an outgoing access list that overrides the access list specified in the access-class command available in line configuration mode. It is used for the duration of the user’s session.

autocommand command

(Optional) Causes the specified command to be issued automatically after the user logs in. When the command is complete, the session is terminated. Because the command can be any length and can contain embedded spaces, commands using the autocommand keyword must be the last option on the line.

callback-dialstring telephone-number

(Optional) For asynchronous callback only: permits you to specify a telephone number to pass to the DCE device.

callback-line line-number

(Optional) For asynchronous callback only: relative number of the terminal line (or the first line in a contiguous group) on which you enable a specific username for callback. Numbering begins with zero.

ending-line-number

(Optional) Relative number of the last line in a contiguous group on which you want to enable a specific username for callback. If you omit the keyword (such as tty ), then line-number and ending-line-number are absolute rather than relative line numbers.

tty

(Optional) For asynchronous callback only: standard asynchronous line.

callback-rotary rotary-group-number

(Optional) For asynchronous callback only: permits you to specify a rotary group number on which you want to enable a specific username for callback. The next available line in the rotary group is selected. Range: 1 to 100.

dnis

Does not require a password when obtained via Dialed Number Identification Service (DNIS).

mac

Allows a MAC address to be used as the username for MAC filtering done locally.

nocallback-verify

(Optional) Specifies that the authentication is not required for EXEC callback on the specified line.

noescape

(Optional) Prevents a user from using an escape character on the host to which that user is connected.

nohangup

(Optional) Prevents Cisco IOS software from disconnecting the user after an automatic command (set up with the autocommand keyword) has completed. Instead, the user gets another EXEC prompt.

nopassword

No password is required for this user to log in. This is usually the most useful keyword to use in combination with the autocommand keyword.

password

Specifies the password to access the name argument. A password must be from 1 to 25 characters, can contain embedded spaces, and must be the last option specified in the username command.

password

Password that a user enters.

encryption-type

Single-digit number that defines whether the text immediately following is encrypted and if so, what type of encryption is used. Defined encryption types are 0, which means that the text immediately following is not encrypted, and 7, which means that the text is obfuscated with a Cisco-defined, reversible algorithm. Type 7 only hides the password from casual viewing; the clear text can be recovered from the stored string, so treat a configuration containing type 7 passwords as if it contained clear-text passwords and prefer username secret wherever the clear text is not needed (for example, by CHAP).

encrypted-password

Encrypted password that a user enters.

one-time

Specifies that the username and password are valid for a single login only. This configuration is used to prevent default credentials from remaining in user configurations.

0

Specifies that an unencrypted password or secret (depending on the configuration) follows.

7

Specifies that a hidden password follows.

5

Specifies that a hidden secret follows.

secret

Specifies a secret for the user.

secret

For Challenge Handshake Authentication Protocol (CHAP) authentication: specifies the secret for the local router or the remote device. The secret is encrypted when it is stored on the local router. The secret can consist of any string of up to 11 ASCII characters. There is no limit to the number of username and password combinations that can be specified, allowing any number of remote devices to be authenticated.

privilege privilege-level

(Optional) Sets the privilege level for the user. Range: 1 to 15.

user-maxlinks number

Maximum number of inbound links allowed for a user.

lawful-intercept

(Optional) Configures lawful intercept users on a Cisco device.

name

Hostname, server name, user ID, or command name. The name argument can be only one word. Blank spaces and quotation marks are not allowed.

view view-name

(Optional) For CLI view only: associates a CLI view name, which is specified with the parser view command, with the local AAA database.

password password

Password to access the CLI view.

Command Default

No username-based authentication system is established.

Command Modes


Global configuration (config)

Command History

Release

Modification

10.0

This command was introduced.

11.1

This command was modified. The following keywords and arguments were added:

  • callback-dialstring telephone-number

  • callback-rotary rotary-group-number

  • callback-line [tty] line-number [ending-line-number]

  • nocallback-verify

12.3(7)T

This command was modified. The following keywords and arguments were added:

  • lawful-intercept

  • view

  • view-name

12.2(33)SRB

This command was modified. The following keywords and arguments were integrated into Cisco IOS Release 12.2(33)SRB:

  • lawful-intercept

  • view

  • view-name

12.2(33)SB

This command was modified. The following keywords and arguments were integrated into Cisco IOS Release 12.2(33)SB:

  • lawful-intercept

  • view

  • view-name

Cisco IOS XE Release 2.1

This command was integrated into Cisco IOS XE Release 2.1.

12.2(33)SXI

This command was integrated into Cisco IOS Release 12.2(33)SXI.

12.4

This command was modified. The following keywords were integrated into Cisco IOS Release 12.4:

  • one-time

  • secret

  • 0, 5, 7

15.1(1)S

This command was modified. Support for the nohangup keyword was removed from Secure Shell (SSH).

Cisco IOS XE Release 3.2SE

This command was modified. The mac keyword was added.

Usage Guidelines

The username command provides username or password authentication, or both, for login purposes only.

Multiple username commands can be used to specify options for a single user.

Add a username entry for each remote system with which the local router communicates and from which it requires authentication. The remote device must have a username entry for the local router. This entry must have the same password as the local router’s entry for that remote device.

This command can be useful for defining usernames that get special treatment. For example, you can use this command to define an "info" username that does not require a password but connects the user to a general purpose information service.

The username command is required as part of the configuration for CHAP. Add a username entry for each remote system from which the local router requires authentication.


Note


To enable the local router to respond to remote CHAP challenges, one username name entry must be the same as the hostname entry that has already been assigned to the other router.


  • To avoid the situation of a privilege level 1 user entering into a higher privilege level, configure a per-user privilege level other than 1 (for example, 0 or 2 through 15).

  • Per-user privilege levels override virtual terminal privilege levels.

In Cisco IOS Release 15.1(1)S and later releases, the nohangup keyword is not supported with SSH. If the username user autocommand command-name command is configured and SSH is used, the session disconnects after executing the configured command once. This behavior with SSH is opposite to the Telnet behavior, where Telnet continuously asks for authentication and keeps executing the command until the user exits Telnet manually.

CLI and Lawful Intercept Views

Both CLI views and lawful intercept views restrict access to specified commands and configuration information. A lawful intercept view allows a user to secure access to lawful intercept commands that are held within the TAP-MIB, which is a special set of Simple Network Management Protocol (SNMP) commands that stores information about calls and users.

Users who are specified via the lawful-intercept keyword are placed in the lawful-intercept view, by default, if no other privilege level or view name has been explicitly specified.

If no value is specified for the secret argument and the debug serial-interface command is enabled, an error is displayed when a link is established and the CHAP challenge is not implemented. The CHAP debugging information is available using the debug ppp negotiation , debug serial-interface , and debug serial-packet commands. For more information about debug commands, refer to the Cisco IOS Debug Command Reference .

Examples

The following example shows how to implement a service similar to the UNIX who command, which can be entered at the login prompt and lists the current users of the router:


username who nopassword nohangup autocommand show users

The following example shows how to implement an information service that does not require a password to be used. The command takes the following form:


username info nopassword noescape autocommand telnet nic.ddn.mil

The following example shows how to implement an ID that works even if all the TACACS+ servers break. The command takes the following form:


username superuser password superpassword

The following example shows how to enable CHAP on interface serial 0 of "server_l." It also defines a password for a remote server named "server_r."


hostname server_l
username server_r password theirsystem
interface serial 0
 encapsulation ppp
 ppp authentication chap

The following is output from the show running-config command displaying the passwords that are encrypted:


hostname server_l
username server_r password 7 121F0A18
interface serial 0
 encapsulation ppp
 ppp authentication chap

In the following example, a privilege level 1 user is denied access to privilege levels higher than 1:


username user privilege 0 password 0 cisco
username user2 privilege 2 password 0 cisco

The following example shows how to remove the username-based authentication for user2:


no username user2

username (dot1x credentials)

To specify the username for an 802.1X credentials profile, use the username command in dot1x credentials configuration mode. To remove the username, use the no form of this command.

username name

no username

Syntax Description

name

Username that the supplicant sends when this credentials profile is used for 802.1X authentication. (The profile itself is named by the dot1x credentials command.)

Command Default

A username is not specified.

Command Modes


Dot1x credentials configuration

Command History

Release

Modification

12.4(6)T

This command was introduced.

Usage Guidelines

Before using this command, the dot1x credentials command must have been configured.

Examples

The following example shows which credentials profile should be used when configuring a supplicant:


dot1x credentials basic-user
 username router
 password secret
 description This credentials profile should be used for most configured ports

The credentials structure can be applied to an interface, along with the dot1x pae supplicant command and keyword, to enable supplicant functionality on that interface.


interface fastethernet 0/1
 dot1x credentials basic-user
 dot1x pae supplicant

username (ips-autoupdate)

To define the username and password with which to access signature files on the update server, use the username command in IPS-auto-update configuration mode.

username name password password

Syntax Description

name

Username required to access the latest updated signature file package.

password password

Password required to access the latest updated signature file package.

Command Default

The default value is defined in the signature definition XML.

Command Modes


IPS-auto-update configuration

Command History

Release

Modification

12.4(11)T

This command was introduced.

Usage Guidelines

Automatic signature updates allow users to override the existing Intrusion Prevention System (IPS) configuration and automatically keep signatures up to date on the basis of a preset time, which can be configured to a preferred setting.

Use the ip ips auto-update command to enable Cisco IOS IPS to automatically update the signature file on the system. Thereafter, you can optionally issue the username command to specify a username and password to access signature files.

Examples

The following example shows how to configure automatic signature updates and issue the show ip ips auto-update command to verify the configuration:


Router# clock set ?
hh:mm:ss Current Time
Router# clock set 10:38:00 20 apr 2006
Router#
*Apr 20 17:38:00.000: %SYS-6-CLOCKUPDATE: System clock has been updated from 10:37:55 MST Thu Apr 20 2006 to 10:38:00 MST Thu Apr 20 2006, configured from console by cisco on console.
Router(config)# ip ips auto-update
Router(config-ips-auto-update)# occur-at 0 0-23 1-31 1-5
Router(config-ips-auto-update)# $s-auto-update/IOS_reqSeq-dw.xml
 
Router(config-ips-auto-update)#^Z
Router#
*May 4 2006 15:50:28 MST: IPS Auto Update: setting update timer for next update: 0 hrs 10 min
*May 4 2006 15:50:28 MST: %SYS-5-CONFIG_I: Configured from console by cisco on console
Router#
Router# show ip ips auto-update
 
IPS Auto Update Configuration
URL : tftp://192.168.0.2/jdoe/ips-auto-update/IOS_reqSeq-dw.xml
Username : not configured
Password : not configured
Auto Update Intervals
  minutes (0-59) : 0
  hours (0-23) : 0-23
  days of month (1-31) : 1-31
  days of week: (0-6) : 1-5

username algorithm-type

To set the algorithm type to hash a user password configured using the username secret command, use the username algorithm-type command in global configuration mode.

username name algorithm-type {md5 | scrypt | sha256} secret password

Syntax Description

md5

Selects the message digest algorithm 5 (MD5) as the hashing algorithm.

scrypt

Selects scrypt as the hashing algorithm.

sha256

Selects Password-Based Key Derivation Function 2 (PBKDF2) with the 256-bit Secure Hash Algorithm (SHA-256) as the hashing algorithm.

secret password

Clear-text secret that is hashed with the selected algorithm and stored in its hashed form.

Command Default

No algorithm type is established for the username-based authentication system.

Command Modes


Global configuration (config)

Command History

Release Modification

15.3(3)M

This command was introduced.

15.3(3)S

This command was integrated into the Cisco IOS Release 15.3(3)S.

Usage Guidelines

The algorithm-type keyword is entered on the same line as the secret keyword of the username command; it selects the hash that is applied to the clear-text secret that follows before the result is written to the configuration. Without it, the secret is stored with the release's default type.

Use the username algorithm-type command to generate the following types of passwords:

Command keyword

Type of password

md5

Type 5

sha256

Type 8

scrypt

Type 9


Note


Type 5, 8, and 9 passwords are not reversible.


If you configure type 8 or type 9 passwords and then downgrade to a release that does not support type 8 and type 9 passwords, you must configure the type 5 passwords before downgrading. If not, you are locked out of the device and a password recovery is required.


Note


If you are using an external AAA server to manage privilege levels, you are not locked out of the device.


Examples

The following example shows how to generate a type 8 (PBKDF2 with SHA-256) and a type 9 (scrypt) secret for two local users, and how the hashed secrets appear in the running configuration:


Device# configure terminal
Device(config)# username demo8 algorithm-type sha256 secret cisco
Device(config)# username demo9 algorithm-type scrypt secret cisco
Device(config)# end
Device# show running-config | inc username

username demo8 secret 8 $8$dsYGNam3K1SIJO$7nv/35M/qr6t.dVc7UY9zrJDWRVqncHub1PE9UlMQFs
username demo9 secret 9 $9$nhEmQVczB7dqsO$X.HsgL6x1il0RxkOSSvyQYwucySCt7qFm4v7pqCxkKM

username secret

To encrypt a user password with irreversible encryption, use the username secret command in global configuration mode.

username name secret {0 password | 5 secret-string | 4 secret-string | 8 secret-string | 9 secret-string}

Syntax Description

name

Username.

0

Specifies an unencrypted secret.

password

Clear-text password.

5 secret-string

Message Digest Algorithm 5 (MD5) hashed secret text string, which is stored as the hashed user password.

4 secret-string

256-bit Secure Hash Algorithm (SHA-256) hashed secret text string, which is stored as the hashed user password.

Note


Effective with CSCue95644, the 4 keyword is deprecated.

8 secret-string

Password-Based Key Derivation Function 2 (PBKDF2) with SHA-256 hashed secret text string, which is stored as the hashed user password.

9 secret-string

Scrypt hashed secret text string, which is stored as the hashed user password.

Command Default

No username-based authentication system is established.

Command Modes


Global configuration (config)

Command History

Release

Modification

12.0(18)S

This command was introduced.

12.1(8a)E

This command was integrated into Cisco IOS Release 12.1(8a)E.

12.2(8)T

This command was integrated into Cisco IOS Release 12.2(8)T.

12.2(14)SX

Support for this command was introduced on the Supervisor Engine 720.

12.2(17d)SXB

Support for this command on the Supervisor Engine 2 was extended to Cisco IOS Release 12.2(17d)SXB.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

15.0(1)S

This command was integrated into Cisco IOS Release 15.0(1)S. Algorithm types 0, 4, and 5 were added.

15.1(1)SY

This command was integrated into Cisco IOS Release 15.1(1)SY.

15.3(3)M

This command was modified.

  • The 4 keyword was deprecated, and support for the type 8 and type 9 algorithms was added.

  • The warning message for the type 5 algorithm was removed.

  • The warning message for removal of support for the type 4 algorithm was added.

15.3(3)S

The command modifications were integrated into Cisco IOS Release 15.3(3)S.

Usage Guidelines

Use the username secret command to configure a username and a password that is stored only as a one-way hash (type 5 MD5, or type 8 or 9 on releases that support them). The clear text cannot be recovered from the configuration, which also means the secret cannot be used with protocols that need the clear-text password, such as Challenge Handshake Authentication Protocol (CHAP); for those, use username password.

The username secret command is preferable to username password because the configuration then holds no clear-text (type 0) or trivially decodable (type 7) credential. This matters wherever the configuration leaves the device, for example when it crosses the network or is backed up to a TFTP server.

Use the 5 keyword (or 8 or 9, matching the original type) when you paste a hash string copied from another router configuration file, so that the device stores it unchanged instead of hashing it a second time.

Type 5 (MD5) hashes can be brute-forced quickly on modern hardware. On releases that support them, prefer type 8 (PBKDF2 with SHA-256) or type 9 (scrypt) by selecting them with the algorithm-type keyword.

With CSCue95644, you can use the username secret command to configure a username and hash the user password with MD5, PBKDF2 with SHA-256, or scrypt hashing algorithms.


Note


If you use type 8 or type 9 passwords and then downgrade to an older version of Cisco IOS software that does not support type 8 and type 9 passwords, you must reconfigure the passwords to use type 5 hashing before downgrading. If not, you are locked out of the device and password recovery is required. If you are using an external AAA server to manage privilege levels, you are not locked out of the device.


The username command provides username or secret authentication for login purposes only. The name argument can be one word only. Spaces and quotation marks are not allowed. You can use multiple username commands to specify options for a single user.
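The following script is an added example and not Cisco code; it ties together the password storage types discussed under the password keyword (type 0 and type 7) and under username secret (types 4, 5, 8 and 9). It audits `username` lines from a configuration dump, decodes type 7 strings to show why they count as clear text, and builds and verifies type 8/9 secrets. The type 7 keystream is the publicly known constant; the type 8 parameters (PBKDF2-HMAC-SHA256, 20000 iterations, 32-byte output), the type 9 parameters (scrypt N=16384, r=1, p=1, 32-byte output) and the ./0-9A-Za-z base64 alphabet are assumptions taken from public descriptions of the format, not from this page. The sample configuration is constructed (its type 5 hash is the page's own example string), and every function name is this example's own.

```python
"""Audit `username` lines for weak password storage and verify type 8/9 secrets.

Added example, not Cisco code. Assumptions not stated on the page: type 7 is the
publicly known fixed-keystream XOR; type 8 is PBKDF2-HMAC-SHA256 with 20000
iterations and a 32-byte output; type 9 is scrypt with N=16384, r=1, p=1 and a
32-byte output; both use the crypt-style alphabet ./0-9A-Za-z with standard
base64 bit layout and no padding. All names below are this example's own.
"""
import base64
import hashlib
import hmac
import re
import secrets
from typing import Optional

TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"  # fixed, publicly known keystream
_STD_B64 = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
_CISCO_B64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
_TO_CISCO = bytes.maketrans(_STD_B64, _CISCO_B64)


def type7_decode(blob: str) -> str:
    """Recover the clear text of a type 7 password: two-digit keystream offset, then hex bytes."""
    offset, data = int(blob[:2]), bytes.fromhex(blob[2:])
    return bytes(b ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)] for i, b in enumerate(data)).decode()


def type7_encode(password: str, offset: int) -> str:
    """Inverse of type7_decode; shows that 'encryption type 7' is just XOR with a constant."""
    data = bytes(c ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)] for i, c in enumerate(password.encode()))
    return f"{offset:02d}{data.hex().upper()}"


def _cisco_b64(raw: bytes) -> str:
    return base64.b64encode(raw).translate(_TO_CISCO).rstrip(b"=").decode()


def _derive(kind: int, password: str, salt: str) -> bytes:
    """Key derivation behind secret type 8 (PBKDF2) and type 9 (scrypt); parameters are assumed."""
    if kind == 8:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 20000, dklen=32)
    if kind == 9:
        return hashlib.scrypt(password.encode(), salt=salt.encode(), n=16384, r=1, p=1, dklen=32)
    raise ValueError(f"type {kind} is not a PBKDF2/scrypt secret")


def make_secret(kind: int, password: str, salt: Optional[str] = None) -> str:
    """Build a '$8$salt$hash' or '$9$salt$hash' string in the layout show running-config displays."""
    if salt is None:
        salt = "".join(secrets.choice(_CISCO_B64.decode()) for _ in range(14))
    return f"${kind}${salt}${_cisco_b64(_derive(kind, password, salt))}"


def verify_secret(stored: str, password: str) -> bool:
    """Check a candidate password against a stored type 8/9 secret, comparing in constant time."""
    _, kind, salt, digest = stored.split("$")
    return hmac.compare_digest(_cisco_b64(_derive(int(kind), password, salt)), digest)


_USERNAME_LINE = re.compile(r"^username\s+(\S+)(.*)$")
_SECRET_VERDICT = {
    "0": "fail: clear text",
    "4": "fail: deprecated type 4",
    "5": "warn: type 5 (MD5), migrate to type 8 or 9",
    "8": "ok: type 8 (PBKDF2-SHA256)",
    "9": "ok: type 9 (scrypt)",
}


def classify(line: str) -> Optional[dict]:
    """Classify one username line by how its credential is stored; None for other lines."""
    m = _USERNAME_LINE.match(line.strip())
    if not m:
        return None
    user, opts = m.group(1), m.group(2).split()
    row = {"user": user, "storage": "unknown", "verdict": "review"}
    if "nopassword" in opts:
        row.update(storage="nopassword", verdict="fail: no authentication")
    elif "password" in opts:
        i = opts.index("password")
        if i + 2 < len(opts) and opts[i + 1] == "7":
            clear = type7_decode(opts[i + 2])
            row.update(storage="type 7", verdict=f"fail: reversible (decodes to {clear!r})")
        else:
            row.update(storage="type 0", verdict="fail: clear text")
    elif "secret" in opts:
        i = opts.index("secret")
        kind = opts[i + 1] if i + 1 < len(opts) else "?"
        row.update(storage=f"type {kind}", verdict=_SECRET_VERDICT.get(kind, "review"))
    return row


def audit(config: str) -> list:
    """Run classify() over every line of a configuration dump."""
    return [r for r in map(classify, config.splitlines()) if r]


# Constructed sample running-config (not captured from a device). The type 5 hash
# is the page's own example string; the type 9 line is generated by this script.
SAMPLE_CONFIG = "\n".join([
    "username admin privilege 15 password 7 0822455D0A16",
    "username ops privilege 15 secret 5 $1$feb0$a104Qd9UZ./Ak00KTggPD0",
    "username who nopassword nohangup autocommand show users",
    "username netops privilege 15 secret 9 " + make_secret(9, "cisco", "dsYGNam3K1SIJO"),
])

if __name__ == "__main__":
    for row in audit(SAMPLE_CONFIG):
        print(f"{row['user']:<8} {row['storage']:<12} {row['verdict']}")
```

Run it against a `show running-config` capture to find accounts that still rely on type 0, type 7 or the deprecated type 4, and to flag type 5 for migration; verify_secret is the piece to reuse when checking a candidate password against a backed-up type 8 or 9 line offline, for example to confirm that a shared default has been rotated.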

Examples

The following example shows how to configure username “abc” and have the device hash the clear-text secret “xyz” before storing it:


username abc secret 0 xyz

The following example shows how to configure username “cde” and enter an existing MD5 (type 5) hash string, which is stored as the user secret without being hashed again:


username cde secret 5 $1$feb0$a104Qd9UZ./Ak00KTggPD0

The following example does the same for username “xyz”:


username xyz secret 5 $1$feb0$a104Qd9UZ./Ak00KTggPD0

The following example shows the sample warning message that is displayed when a user enters the username secret 4 encrypted-password command:


Device# configure terminal
Device(config)# username demo secret 4 tnhtc92DXBhelxjYk8LWJrPV36S2i4ntXrpb4RFmfqY

WARNING: Command has been added to the configuration but Type 4 passwords have been deprecated.
Migrate to a supported password type

Device(config)# end
Device# show running-config | inc username

username demo secret 4 tnhtc92DXBhelxjYk8LWJrPV36S2i4ntXrpb4RFmfqY

user-profile location

To store user bookmarks in a directory on a device, use the user-profile location command in webvpn context configuration mode. To remove a directory that has been configured, use the no form of this command.

user-profile location device:directory

no user-profile location device:directory

Syntax Description

device:

Storage location on a device. See the table below for a list of acceptable storage locations.

directory

Name of the directory.

Command Default

The default location is flash:/webvpn/<context-name>/.

Command Modes


Webvpn context configuration (config-webvpn-context)

Command History

Release

Modification

12.4(15)T

This command was introduced.

Usage Guidelines

The table below lists the acceptable storage locations.

Table 1. Type of Storage Location

Type of Storage Location

Description

archive

Archived file system.

Bootflash

Bootflash memory.

disk0

On Disk 0.

disk1

On Disk 1.

Flash

Flash memory.

FTP

FTP network server.

HTTP

HTTP file server.

HTTPS

HTTP secure server.

null

Null destination for copies. You can copy a remote file to null to determine its size.

NVRAM

Storage location is in NVRAM.

PRAM

Phase-change memory (PRAM), a type of nonvolatile computer memory.

RCP

Remote copy protocol network server.

SCP

Secure Copy: transfers files between a local and a remote host, or between two remote hosts, over the Secure Shell (SSH) protocol.

slot0

On Slot 0.

slot1

On Slot 1.

system

System memory, including the running configuration.

tmpsys

Temporary system in a file system.

Examples

The following example shows how to store bookmarks in flash, in the directory webvpn/sslvpn_context/:


Router(config)# webvpn context context1
Router(config-webvpn-context)# user-profile location flash:/webvpn/sslvpn_context/

variable

To define the next-hop variable in a mitigation parameter map for Transitory Messaging Services (TMS), use the variable command in parameter-map configuration mode. To remove the next-hop variable from the mitigation parameter map, use the no form of this command.


Note


Effective with Cisco IOS Release 12.4(20)T, the variable command is not available in Cisco IOS software.


variable name {number | ipv4 ip-address | null0}

no variable name

Syntax Description

name

Specifies the variable name.

number

Specifies the number associated with this variable from 0 to 4294967295.

ipv4 ip-address

Sets the next hop action-variable type to a specific IP address.

null0

Sets the next hop to interface null 0 (null route).

Command Default

The next-hop variable in a mitigation parameter map for TMS is not defined.

Command Modes


Parameter-map configuration (config-profile)

Command History

Release

Modification

12.4(6)T

This command was introduced.

12.4(15)XZ

This command was integrated into Cisco IOS Release 12.4(15)XZ.

Usage Guidelines

The variable command is configured to set the next-hop variable in a mitigation type parameter map. The next hop can be configured to route to a null 0 interface (null route) or route to a specific interface for collection and analysis.


Note


If the next hop is defined in a threat file and as a variable by configuring this command, the next-hop value defined in the threat file will have precedence over the parameter map variable.


Examples

The following example configures a variable that routes all priority 5 traffic to the null0 interface:


Router(config)# class-map type control mitigation match-all MIT_CLASS_2
Router(config-cmap)# match primitive any
Router(config-cmap)# match priority 5
Router(config-cmap)# exit
Router(config)# parameter-map type mitigation MIT_PAR_2
Router(config-profile)# variable RTBH null0
Router(config-profile)# exit
Router(config)# policy-map type control mitigation MIT_POL_2
Router(config-pmap)# class MIT_CLASS_2
Router(config-pmap-c)# redirect route $RTBH
Router(config-pmap-c)# source parameter MIT_PAR_2
Router(config-pmap-c)# exit
Router(config-pmap)# exit

view

To add a normal command-line interface (CLI) view to a superview, use the view command in view configuration mode. To remove a CLI view from a superview, use the no form of this command.

view view-name

no view view-name

Syntax Description

view-name

CLI view that is to be added to the given superview.

Command Default

A superview will not contain any CLI views until this command is enabled.

Command Modes


View configuration (config-view)

Command History

Release

Modification

12.3(11)T

This command was introduced.

12.2(33)SRB

This command was integrated into Cisco IOS Release 12.2(33)SRB.

Cisco IOS XE Release 2.1

This command was integrated into Cisco IOS XE Release 2.1.

12.2(33)SXI

This command was integrated into Cisco IOS Release 12.2(33)SXI.

Usage Guidelines

Before you can use this command to add normal views to a superview, ensure that the following steps have been taken:

  • A password has been configured for the superview (via the secret 5 command).

  • The normal views that are to be added to the superview are valid views in the system; that is, the views have been successfully created via the parser view command.

Examples

The following sample output from the show running-config command shows that "view_one" and "view_two" have been added to superview "su_view1," and "view_three" and "view_four" have been added to superview "su_view2":


!
parser view su_view1 superview
 secret 5 <encoded password>
 view view_one
 view view_two
!
parser view su_view2 superview
 secret 5 <encoded password>
 view view_three
 view view_four
!

virtual-template (IKEv2 profile)

To configure an Internet Key Exchange (IKEv2) profile with a virtual template to be used for cloning the virtual access interfaces, use the virtual-template command in IKEv2 profile configuration mode. To remove the virtual template from IKEv2 profile, use the no form of this command.

virtual-template template-number mode auto

no virtual-template template-number

Syntax Description

template-number

Identifying number of the virtual template that will be used to clone virtual access interfaces.

mode auto

Enables auto tunneling mode.

Command Default

A virtual template is not specified.

Command Modes

IKEv2 profile configuration (config-ikev2-profile)

Command History

Release

Modification

15.1(1)T

This command was introduced.

Cisco IOS XE Release 3.3S

This command was integrated into Cisco IOS XE Release 3.3S.

15.2(4)S

This command was integrated into Cisco IOS Release 15.2(4)S.

15.4(2)T

This command was modified. The mode auto keywords were added.

Cisco IOS XE Release 3.12S

This command was integrated into Cisco IOS XE Release 3.12S.

Usage Guidelines

Use this command to specify the virtual template for cloning a virtual access interface.

Auto tunneling mode simplifies the configuration: you do not need to know the responder's details, because the tunneling protocol (GRE or IPsec) and the transport protocol (IPv4 or IPv6) are applied to the virtual template automatically as soon as the IKEv2 profile creates the virtual access interface.

Examples

The following example shows how virtual-template 1 is configured for profile1:

Device(config)# crypto ikev2 profile profile1
Device(config-ikev2-profile)# virtual-template 1

The following example shows how auto tunneling mode is configured for profile1:

Device(config)# crypto ikev2 profile profile1
Device(config-ikev2-profile)# virtual-template 1 mode auto

virtual-template (webvpn context)

To associate a virtual template with a Secure Socket Layer Virtual Private Network (SSL VPN) context, use the virtual-template command in webvpn context configuration mode. To disable the configuration, use the no form of this command.

virtual-template template-number [tunnel]

no virtual-template

Syntax Description

template-number

Number of the virtual template that will be used to clone virtual access interfaces. The range is from 1 to 1000.

tunnel

(Optional) Applies the virtual template for every full tunnel session.

Command Default

No virtual template is enabled.

Command Modes


Webvpn context configuration (config-webvpn-context)

Command History

Release

Modification

15.0(1)M

This command was introduced.

15.1(1)T

This command was modified. The tunnel keyword was added.

Usage Guidelines

You can configure the desired IP features in the virtual template and then use the virtual-template command to apply the configuration on a per-context or per-tunnel basis. The per-context configuration applies the IP features to all the users connecting to that WebVPN context and the per-tunnel configuration applies the IP features for each SSL VPN full tunnel established in the WebVPN context.

Examples

The following example shows how to associate a virtual template with an SSL VPN context:


Router# configure terminal
Router(config)# webvpn context context1
Router(config-webvpn-context)# virtual-template 1

vlan (local RADIUS server group)

To specify a VLAN to be used by members of the user group, use the vlan command in local RADIUS server group configuration mode. To reset the parameter to the default value, use the no form of this command.

vlan vlan

no vlan vlan

Syntax Description

vlan

VLAN ID.

Command Default

No default behavior or values.

Command Modes


Local RADIUS server group configuration

Command History

Release

Modification

12.2(11)JA

This command was introduced on Cisco Aironet Access Point 1100 and Cisco Aironet Access Point 1200.

12.3(11)T

This command was implemented on the following platforms: Cisco 2600XM, Cisco 2691, Cisco 2811, Cisco 2821, Cisco 2851, Cisco 3700, and Cisco 3800 series routers.

Usage Guidelines

The access point or router moves group members into the VLAN that you specify, overriding any other VLAN assignments. You can assign only one VLAN to a user group.

Examples

The following example shows that VLAN "225" is to be used by members of the user group:


vlan 225

vlan group

To create or modify a VLAN group, use the vlan group command in global configuration mode. To remove a VLAN list from the VLAN group, use the no form of this command.

vlan group group-name vlan-list vlan-list

no vlan group group-name vlan-list vlan-list

Syntax Description

group-name

VLAN group name.

vlan-list

VLAN list name. See the "Usage Guidelines" section for additional information about the vlan-list argument.

Command Default

This command has no default settings.

Command Modes


Global configuration (config)

Command History

Release

Modification

12.2(33)SXI1

This command was introduced.

Usage Guidelines

The VLAN group name may contain up to 32 characters and must begin with a letter.

The vlan-list argument can be a single VLAN ID, a list of VLAN IDs, or one or more VLAN ID ranges (vlan-id-vlan-id). A range is written with a hyphen (-), and multiple entries are separated by a comma (,).

If the named VLAN group does not exist, the vlan group command creates the group and maps the specified VLAN list to the group. If the named VLAN group exists, the specified VLAN list is mapped to the group.

The no form of the vlan group command removes the specified VLAN list from the VLAN group. When you remove the last VLAN from the VLAN group, the VLAN group is deleted.

A maximum of 100 VLAN groups can be configured, and a maximum of 4094 VLANs can be mapped to a VLAN group.
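As an added example that is not part of the Cisco reference, the following Python models the vlan-list syntax and the create, modify and remove rules described above, so a configuration generator can validate input offline before it reaches a device; the function and class names are my own.

```python
from typing import Dict, Optional, Set

# Limits from the vlan group command reference: group names have at most 32
# characters and begin with a letter, VLAN IDs are 1..4094, and at most 100
# groups may exist. A vlan-list mixes IDs and hyphenated ranges, e.g. "7-9,11".
MAX_GROUP_NAME_LEN, MAX_VLAN_ID, MAX_GROUPS = 32, 4094, 100


def validate_group_name(name: str) -> None:
    """Reject names the documented rules would not accept."""
    if not 1 <= len(name) <= MAX_GROUP_NAME_LEN or not name[0].isalpha():
        raise ValueError(f"invalid VLAN group name: {name!r}")


def parse_vlan_list(vlan_list: str) -> Set[int]:
    """Expand a vlan-list argument such as '7-9,11' into {7, 8, 9, 11}."""
    vlans: Set[int] = set()
    for entry in vlan_list.split(","):
        entry = entry.strip()
        if "-" in entry:
            lo, hi = map(int, entry.split("-", 1))
            if lo > hi:
                raise ValueError(f"descending range in vlan-list: {entry}")
        else:
            lo = hi = int(entry)  # int() rejects non-numeric entries
        if lo < 1 or hi > MAX_VLAN_ID:
            raise ValueError(f"VLAN ID outside 1-{MAX_VLAN_ID}: {entry}")
        vlans.update(range(lo, hi + 1))
    return vlans


class VlanGroups:
    """Offline model of the create / modify / remove semantics of the command."""
    def __init__(self) -> None:
        self.groups: Dict[str, Set[int]] = {}

    def vlan_group(self, name: str, vlan_list: str) -> Set[int]:
        """vlan group NAME vlan-list LIST: create the group or merge into it."""
        validate_group_name(name)
        if name not in self.groups and len(self.groups) >= MAX_GROUPS:
            raise ValueError(f"maximum of {MAX_GROUPS} VLAN groups reached")
        self.groups[name] = self.groups.get(name, set()) | parse_vlan_list(vlan_list)
        return self.groups[name]

    def no_vlan_group(self, name: str, vlan_list: str) -> Optional[Set[int]]:
        """no vlan group NAME vlan-list LIST: unmap VLANs, delete group if empty."""
        remaining = self.groups.get(name, set()) - parse_vlan_list(vlan_list)
        if remaining:
            self.groups[name] = remaining
            return remaining
        self.groups.pop(name, None)  # last VLAN removed: the group is deleted
        return None
```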

Examples

This example shows how to map VLANs 7 through 9 and 11 to a VLAN group:


Router(config)# vlan group ganymede vlan-list 7-9,11 

This example shows how to remove VLAN 7 from the VLAN group:


Router(config)# no vlan group ganymede vlan-list 7 

vpdn aaa attribute

To enable reporting of network access server (NAS) authentication, authorization, and accounting (AAA) attributes related to a virtual private dialup network (VPDN) to the AAA server, use the vpdn aaa attribute command in global configuration mode. To disable reporting of AAA attributes related to VPDN, use the no form of this command.

vpdn aaa attribute {nas-ip-address {vpdn-nas | vpdn-tunnel-client} | nas-port {physical-channel-id | vpdn-nas}}

no vpdn aaa attribute {nas-ip-address {vpdn-nas | vpdn-tunnel-client} | nas-port}

Syntax Description

nas-ip-address vpdn-nas

Enables reporting of the VPDN NAS IP address to the AAA server.

nas-ip-address vpdn-tunnel-client

Enables reporting of the VPDN tunnel client IP address to the AAA server.

nas-port vpdn-nas

Enables reporting of the VPDN NAS port to the AAA server.

nas-port physical-channel-id

Enables reporting of the VPDN NAS port physical channel identifier to the AAA server.

Command Default

AAA attributes are not reported to the AAA server.

Command Modes


Global configuration

Command History

Release

Modification

11.3NA

This command was introduced.

11.3(8.1)T

This command was integrated into Cisco IOS Release 11.3(8.1)T.

12.1(5)T

This command was modified to support the PPP extended NAS-Port format.

12.2(13)T

The physical-channel-id keyword was added.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.

12.4(24)T

The vpdn-tunnel-client keyword was added.

12.2(33)XND

The vpdn-tunnel-client keyword was added.

12.2(33)SRE

The vpdn-tunnel-client keyword was added.

Cisco IOS XE Release 2.5

The vpdn-tunnel-client keyword was added.

Usage Guidelines

This command can be used with RADIUS or TACACS+, and is applicable only on the VPDN tunnel server.

The PPP extended NAS-Port format enables the NAS-Port and NAS-Port-Type attributes to provide port details to a RADIUS server when one of the following protocols is configured:

  • PPP over ATM

  • PPP over Ethernet (PPPoE) over ATM

  • PPPoE over 802.1Q VLANs

Before PPP extended NAS-Port format attributes can be reported to the RADIUS server, the radius-server attribute nas-port format command with the d keyword must be configured on both the tunnel server and the NAS, and the tunnel server and the NAS must both be Cisco routers.

When you configure the vpdn aaa attribute nas-ip-address vpdn-nas command, the L2TP network server (LNS) reports the IP address of the last multihop node for multihop over Layer 2 Forwarding (L2F). For multihop over Layer 2 Tunneling Protocol (L2TP), the IP address of the originating NAS is reported.

When you configure the vpdn aaa attribute nas-ip-address vpdn-tunnel-client command, the LNS reports the IP address of the last multihop node in the RADIUS NAS-IP-Address attribute for the L2TP multihop. This eases the migration for customers moving from L2F to L2TP.


Note

Reporting of NAS AAA attributes related to a VPDN on an AAA server is not supported for Point-to-Point Tunneling Protocol (PPTP) sessions with multihop deployment.


Examples

The following example configures VPDN on a tunnel server and enables reporting of VPDN AAA attributes to the AAA server:


vpdn enable
vpdn-group 1
 accept-dialin
  protocol any
  virtual-template 1
!
 terminate-from hostname nas1
 local name ts1
!
vpdn aaa attribute nas-ip-address vpdn-nas
vpdn aaa attribute nas-port vpdn-nas
vpdn aaa attribute nas-port physical-channel-id

The following example configures the tunnel server for VPDN, enables AAA, configures a RADIUS AAA server, and enables reporting of PPP extended NAS-Port format values to the RADIUS server. PPP extended NAS-Port format must also be configured on the NAS for this configuration to be effective.


vpdn enable
vpdn-group L2TP-tunnel
 accept-dialin
  protocol l2tp
  virtual-template 1
!
 terminate-from hostname nas1
 local name ts1
!
aaa new-model
aaa authentication ppp default local group radius
aaa authorization network default local group radius
aaa accounting network default start-stop group radius
!
radius-server host 172.16.79.76 auth-port 1645 acct-port 1646
radius-server retransmit 3
radius-server attribute nas-port format d
radius-server key ts123
!
vpdn aaa attribute nas-port vpdn-nas

vrf (ca-trustpoint)

To specify the VRF instance in the public key infrastructure (PKI) trustpoint to be used for enrollment, certificate revocation list (CRL) retrieval, and online certificate status protocol (OCSP) status, use the vrf command in ca-trustpoint configuration mode. To remove the VRF instance that was specified, use the no form of this command.

vrf vrf-name

no vrf vrf-name

Syntax Description

vrf vrf-name

Specifies the name of the VRF.

Command Default

No VRF is specified.

Command Modes

Ca-trustpoint configuration (ca-trustpoint)

Command History

Release

Modification

15.1T

This command was introduced.

Usage Guidelines

Before you can configure this command, you must enter the crypto pki trustpoint command with the trustpoint-name argument, which enters ca-trustpoint configuration mode.

Examples

Router(config)# crypto pki trustpoint mytp
Router(ca-trustpoint)# vrf myvrf

vrf (ca-trustpool)

To specify the VRF instance in the public key infrastructure (PKI) trustpool to be used for enrollment, certificate revocation list (CRL) retrieval, and online certificate status protocol (OCSP) status, use the vrf command in ca-trustpool configuration mode. To remove the VRF instance that was specified, use the no form of this command.

vrf vrf-name

no vrf vrf-name

Syntax Description

vrf vrf-name

Specifies the name of the VRF.

Command Default

No VRF is specified.

Command Modes

Ca-trustpool configuration (ca-trustpool)

Command History

Release

Modification

15.2(2)T

This command was introduced.

15.1(1)SY

This command was integrated into Cisco IOS 15.1(1)SY.

Usage Guidelines

Before you can configure this command, you must enable the crypto pki trustpool policy command, which enters ca-trustpool configuration mode.

Examples


Router(config)# crypto pki trustpool policy
Router(ca-trustpool)# vrf myvrf

vrf (isakmp profile)

To define the virtual routing and forwarding (VRF) value to which the IP Security (IPsec) tunnel will be mapped, use the vrf command in Internet Security Association and Key Management Protocol (ISAKMP) profile configuration mode. To disable the VRF that was defined, use the no form of this command.

vrf ivrf

no vrf ivrf

Syntax Description

ivrf