- Crypto Ad dress-Pool Submode Commands
- Crypto Pr ofile Submode Commands
- EXEC Commands
- Global Configuration Commands
- ISAKMP/IKE Commands
- Interface Submode Commands
- IPSec Commands
- Single OAM Commands
- Resource Monitoring Commands
- Show Commands
- SNMP Traps Commands
- Debug Commands
Command Reference for the WSG
The following sections provide details about WSG commands.
Commands appear in the submodes under which you enter them.
Crypto Address-Pool Submode Commands
Crypto Profile Submode Commands
EXEC Commands
Global Configuration Commands
- crypto address-pool
- crypto blacklist file
- crypto cert renewal retrieve
- crypto clear-traffic load
- crypto clear-traffic switch-distribution-scheme
- crypto cmp auto-update
- crypto cmp transport
- crypto datapath icmp rate-limit
- crypto dfp agent max-tunnels
- crypto dfp agent max-weight
- crypto dhcp-client
- crypto dhcp-client client-id-type extract-cn
- crypto dhcp-client link-address
- crypto dhcp-server
- crypto dhcp-dns server
- crypto facility
- crypto ike-retry-timeout
- crypto ike-retry-count
- crypto ike-nat-keepalive
- crypto ipsec-fragmentation
- crypto ipsec security-association replay
- crypto nameresolver
- crypto pki trustpoint
- crypto pki wsg-cert
- crypto pki wsg-cert-trap expiry notification
- crypto profile
- crypto radius accounting enable
- crypto radius nas-id
- crypto radius nas-ip
- crypto radius-server host
- crypto radius source-ip
- crypto redirect ip
- crypto remote-secret
- crypto responder-redirect enable
- crypto rri enable
- crypto snmp stats-refresh-interval
- crypto site-to-site-lookup
- crypto syslog-level
- crypto throughput threshold
- ha interface vlan
- ha interface vlan start-id
- ha redundancy-mode
- interface
- ip name-server
- ip route
- ip ssh auth-type
- ip ssh enable
- ip ssh key dsa
- ip ssh port
- ip ssh radius-server
- ipv6
- ip vrf
- logging
- router bgp
- neighbor
ISAKMP/IKE Commands
Interface Submode Commands
IPSec Commands
Single OAM Commands
Resource Monitoring Commands
Show Commands
- show crypto blacklist file
- show crypto blacklist stats
- show crypto cmp request
- show crypto dhcp
- show crypto ipsec info
- show crypto ipsec summary
- show crypto ipsec sa
- show crypto ipsec sa
- show crypto ipsec sa spi-in
- show crypto isakmp info
- show crypto isakmp sa
- show crypto isakmp summary
- show crypto pki certificate
- show crypto radius statistics
- show crypto throughput
- show crypto throughput ixp
- show crypto throughput distribution history
- show crypto throughput distribution history ixp
- show crypto throughput history
- show crypto throughput history ixp
- show debug crypto
- show ha info
- show hosts
- show icmp6 statistics
- show interface
- show interface internal iftable
- show ip bgp
- show ip interface brief
- show ip route
- show ip route np
- show ip ssh
- show ipv6 neighbors
- show ipv6 route
- show ipv6 route np
- show ip vrf
- show logging
SNMP Traps Commands
Debug Commands
start-ip
To set up a local IPSec address pool from which to assign addresses to an endpoint during the SA establishment, use the start-ip command. To remove the address pool range configuration, use the no form of the command.
start-ip start- ip-address end-ip end- ip-address netmask netmask ipv6-prefix prefix
no start-ip start- ip-address end-ip end- ip-address netmask netmask ipv6-prefix prefix
Note
To modify the pool range, you need to delete an address range and add a new one.
Syntax Description
First IP address in the address pool range. The format is either A.B.C.D or X:X:X::X. |
|
Last IP address in the address pool range. The format is either A.B.C.D or X:X:X::X. |
|
Defaults
Command Modes
Command History
|
|
|
|---|---|
This command was introduced as the ipsec address-pool command. |
|
IPv6 support was added, and the ipv6-prefix keyword was added. |
Usage Guidelines
Use the start-ip command to set up a local address pool from which to assign addresses to an endpoint.
The WSG keeps a pool of private addresses from the protected network. When the WSG receives an endpoint SA with an internal IP address request, it assigns an unused address from the address pool. The address does not expire as long as the SA is up. When the SA is removed, the address is released to the local pool.
Examples
This example shows how to set up an address pool name:
dns-server
To specify the DNS server that is passed to the access point (the remote end point) when there is a request for a DNS server during IKE negotiation, use the dns-server command in crypto-profile submode. Use the no form of the command to disable this feature.
Syntax Description
The ip_address is the DNS server IP address that is given to the endpoint by the WSG when requested. The ip_address format is either A.B.C.D or X:X:X::X. |
Defaults
Command Modes
Command History
|
|
|
|---|---|
Usage Guidelines
If the DNS server name is not required to be sent to the remote access point, this command is not required.
In WSG Release 3.0, the dns-server command is modified to accept both IPv4 and IPv6 addresses for the server configuration.
Examples
This example shows how to enable the dns-server command:
Enter configuration commands, one per line. End with CNTL/Z.
WSG(config)# crypto address-pool foo
WSG(config-address-pool)# dns-server ?
WSG(config-address-pool)# dns-server 172.20.10.1
activate
To activate a profile, use the activate command. To deactivate a profile, use the no form of the command.
Note • The profile must be active to establish tunnels/SA.
Defaults
Command Modes
Command History
|
|
|
|---|---|
Usage Guidelines
Examples
This example shows how to activate a profile using the activate command:
ipsec
To enter the IPSec submode use the ipsec command in crypto profile submode. Use the no form of the command, or exit to exit the IPSec submode.
Defaults
Command Modes
Command History
|
|
|
|---|---|
Examples
isakmp
To enter the ISAKMP submode, use the isakmp command under the crypto profile submode.
Use the no form of the command or exit to exit the ISAKMP submode.
Defaults
Command Modes
Command History
|
|
|
|---|---|
Examples
This example shows how to enter the ISAKMP submode:
profile-type
To specify the type of each profile created by the user, use the profile- type command in crypto profile submode. Use the no form of the command to disable this feature.
profile-type {remote-access | site-to-site}
no profile-type {remote-access | site-to-site}
Syntax Description
Defaults
Command Modes
Command History
|
|
|
|---|---|
Usage Guidelines
A crypto profile can be either remote access type, or site-to-site type. The profile-type command is used to specify the type of each profile that you create. If the type is not specified the default is remote-access.
Only one remote access profile can be active.
Multiple Site-to-site profiles can be active.
You should take special care to configure the proper access-permit command that corresponds to the profile type used, as described in the access-permit command.
Examples
This example illustrates the default setting:
WSG(config)# crypto profile One
WSG(config-crypto-profile)# profile-type ?
vrf-inside
To add an inside VRF, use the vrf-inside command to the IPSec submode of a profile. To remove a VRF, use the no form of the command, including the specific vrf_name.
Syntax Description
Defaults
Command Modes
Command History
|
|
|
|---|---|
Usage Guidelines
By default, the inner IP addresses of a profile belong to a VRF, which is
VRF_GLOBAL (VRF_NAME = global). In order to associate the inner IP addresses
with a specific VRF, use the vrf-inside vrf_name command. To remove an inside VRF,
use the no vrf-inside vrf_name command.
Examples
This example shows how to add an inside VRF using the vrf-inside command:
vrf-outside
To add an outside VRF, use the vrf-outside command in the ISAKMP submode of a profile. To remove a VRF, use the no form of the command, including the specific vrf_name.
Syntax Description
Defaults
Command Modes
Command History
|
|
|
|---|---|
Usage Guidelines
By default, the outer IP addresses of a profile belong to a VRF, which is VRF_GLOBAL
(VRF_NAME = global). In order to associate the outer IP addresses with a specific VRF, use the vrf-outside vrf_name command.
Examples
This example shows how to add an outside VRF using the vrf-outside command:
clear crypto cmp
To clear a pending CA request generated by this WSG, use the clear crypto cmp command in privileged EXEC mode.
Syntax Description
Command Default
Command Modes
Command History
|
|
|
|---|---|
Usage Guidelines
The clear crypto cmp command clears a pending CA request generated by this WSG. This allows you to make another CA request before the previous CA request is honored. No cancellation is sent to the CA server; only the state of the pending request on the WSG is cleared.
Note The clear crypto cmp command will not clear auto-update requests.
Examples
clear crypto ipsec sa
To clear all tunnels and security associations, use the clear crypto ipsec sa command in privileged EXEC mode.
clear crypto ipsec sa [ A.B.C.D | X:X:X::X ] [ vrf vrf_name ]
clear crypto ipsec sa [ profile_name ]
Syntax Description
Command Default
Command Modes
Command History
|
|
|
|---|---|
Examples
Here is an example of the clear crypto ipsec sa command:
clear crypto isakmp sa remote-id
To delete all IKE and IPSec security associations with a remote ID, use the clear crypto isakmp sa remote-id command in privileged EXEC mode.
clear crypto isakmp sa remote-id {dn | email | fqdn | ip}
Syntax Description
Command Default
Command Modes
Command History
|
|
|
|---|---|
Examples
Here is an example of the clear crypto isakmp sa remote-id command:
clear crypto rri
To delete the crypto RRI IP address, use the clear crypto rri command in privileged EXEC mode.
Syntax Description
The IPv4 or IPv6 address. The format is either A.B.C.D or X:X:X::X. |
Command Default
Command Modes
Command History
|
|
|
|---|---|
Examples
Here is an example of the clear crypto rri command:
clear crypto throughput counters
To delete the crypto throuhgput counters, use the clear crypto throughput counters command in privileged EXEC mode.
clear crypto throughput counters
Syntax Description
Command Default
Command Modes
Command History
|
|
|
|---|---|
Examples
Here is an example of the clear crypto throughput counter command:
copy-sup
To copy files and running configurations to and from the SUP, use the copy-sup command in privileged EXEC mode.
Syntax Description
Command Default
Command Modes
Command History
|
|
|
|---|---|
Usage Guidelines
You can run the copy-sup command in single-entity mode.
If the source file is the running-config or a file from one of the following PPC filesystems:
Then the destination file is a file at one of the following SUP filesystems:
bootdisk-sup:
bootflash-sup:
disk0-sup:
If the source file is a file from one of the following SUP filesystems:
bootdisk-sup:
bootflash-sup:
disk0-sup:
Then the destination file can be the running-config or a file at one of the following PPC filesystems:
This command will attach the slot#ppc# tag for either entity all or entity none modes (i.e. SLOT3SAMIC3_) to the front of the file name saved at the SUPs. The commmand will also attach the “.cfg” tag to the end of the file name when you save the running configuration file to the SUPs.
You do not need to type in the tags when you specifiy the source or destination file names for copy-sup. The tags are automatically generated by the command.
The directory names used by this command that refer to the SUP filesystems are:
Examples
Here are examples of the copy-sup command:
Copy File to the Sup
A file at the PPC can be copied to the SUP's disk0, bootflash (or bootdisk) directory:
If the remote filename is not specified, this command will prompt you for the remote file name to be used on the SUP.
The following file on the SUP will be created as the result of above command:
The following example files are created on the SUP:
Copy Running Config File to the Sup
Here are examples of the copy-sup command used to copy running configurations to the SUP:
If the remote filename is not specified, this command prompts you for the remote file name to be used on the SUP. The configuration files at the SUP have the “.cfg.” attached.
The following file is created on the SUP as the result of the previous command (for example, the command is entered from slot#3/ppc#5):
The following files are created on the SUP as the result of the previous command:
Copy File from the Sup
Here are examples of the copy-sup command used to copy files from the SUP:
If the remote or local file names are not specified, this command prompt you for the local and remote file names to be copied.
The following file from the SUP is copied as the result of the previous command:
The following file from the SUP will be copied as the result of above command:
Copy Running Config file from the Sup
Here are examples of the copy-sup command used to copy running configuration files from the SUP:
If the remote file name is not specified, this command will prompt the user for the remote config file name to be copied.
As the result of issuing the previous command, the following file from the SUP is copied (for example, the command is entered from slot#3/ppc#5), and the current running configuration is replaced with it:
The following files from the SUP will be copied as the result of above command:
The running configuration of each of the PPCs is replaced by the corresponding file.
copy tftp
To allow an IPv6 address to be specified as the source or destination IP address in a copy configuration, use the copy tftp command in privileged EXEC mode.
Syntax Description
Command Modes
Command History
|
|
|
|---|---|
Examples
Here is an example of the copy tftp command:
crypto blacklist file resync
To recopy the blacklist file from the SUP disk and inform the WSG IKE stack about the update, use the crypto blacklist file resync command in privileged EXEC mode.
Syntax Description
Defaults
Command Modes
Command History
|
|
|
|---|---|
Usage Guidelines
If you need to update the blacklist entries, follow this procedure:
- Edit the blacklist file outside the Cisco 7600 chassis.
- Copy the blacklist to the SUP disk with the same file name that you initially used.
Execute the crypto blacklist file resync command on the WSG. The WSG copies the updated file from the SUP disk to its ramdisk, and informs the IKE stack about the updated file. The IKE stack now uses the new blacklist file.
Examples
The following example shows how to resync the blacklist file:
crypto cmp enroll
To generate an enroll certificate request to the CA server using the public key, use the crypto cmp enroll command in privileged EXEC mode.
crypto cmp enroll current-wsg-cert wsg_certificate current-wsg-private-key wsg_privatekey modulus modulus id-type id-type id id subject-name subject_string ca-root root_certificate ca-url url [ pop ]
Syntax Description
Command Default
Command Modes
Command History
|
|
|
|---|---|
Usage Guidelines
You provide the exisiting WSG certificate and private key as input parameters to the CLI. The filenames for the new private key and the certificate files are automatically generated by the system. This request is similar to initialize except that it is authenticated using public-key methods.
Note In WSG Release 4.0 and below, the subject_string cannot include spaces.
Examples
Here is an example of the crypto cmp enroll command:
WSG# crypto cmp enroll current-wsg-cert wsg.crt current-wsg-private-key wsg.prv
modulus 1024 id-type fqdn id wsg.cisco.com subject-name "C=US,O=Cisco,OU=Security,CN=Example" ca-root root-ca.crt ca-url http://212.246.144.35:8700/pkix/
crypto cmp initialize
To configure the WSG to generate a private key and make an initialize request to the CA server using CMPv2, use the crypto cmp initialize command in privileged EXEC mode.
crypto cmp initialize modulus modulus id-type id-type id id subject-name subject_string ca-psk reference-number:key ca-root root_certificate ca-url url
Syntax Description
Command Default
Command Modes
Command History
|
|
|
|---|---|
Usage Guidelines
The request is authenticated using the reference number and corresponding PSK received from the CA. The data you input will be stored in a database that is synchronized between the active and standby SUPs. The initialize_config.txt file that has the init parameters is stored on the PPC /app/segw/initialize_config.txt.
Note In WSG Release 4.0 and below, the subject_string cannot include spaces.
Examples
Here is an example of the crypto cmp initialize command:
Router# crypto cmp initialize modulus 1024 id-type fqdn id wsg.cisco.com subject-name "C=US,O=Cisco,OU=Security,CN=Example" ca-psk 32438:this_is_very_secret ca-root root-ca.crt ca-url http://212.246.144.35:8700/pkix/
crypto cmp poll
To configure the WSG to poll the CA server for the availability of the pending certificate request (update, enroll, or initialize), use the crypto cmp poll command in privileged EXEC mode.
Syntax Description
Command Default
Command Modes
Command History
|
|
|
|---|---|
Usage Guidelines
Use the show crypto cmp request command to see the pending request that will be polled.
Examples
Here is an example of the crypto cmp poll command:
crypto cmp update
To send an update request to the CA server using CMPv2 to update the existing WSG certificate, use the crypto cmp update command in privileged EXEC mode.
crypto cmp update current-wsg-cert wsg_certificate current-wsg-private-key wsg_privatekey ca-root root_certificate ca-url url
Syntax Description
Command Default
Command Modes
Command History
|
|
|
|---|---|
Usage Guidelines
You provide the existing WSG certificate and private key as input parameters to the CLI. The filenames for the new private key and the certificate files are automatically generated by the system.
Note If you issue this command to update a certificate that has been configured for auto-update or retrieval, a notice is displayed. This is not an error, just a notification. A manual update will change the certificate’s certificate and private key filenames. If you perform auto-update or retrieval using the new certificate and private key files, the auto-update and renewal must be reconfigured on all the active PPCs.
Examples
Here is an example of the crypto cmp update command:
crypto rsa-keygen
To generate an RSA key pair and Certificate Signing Request (CSR), use the crypto rsa-keygen command in privileged EXEC mode.
crypto rsa-keygen modulus modulus_value id-type id-type id id subject-name subject-name
Syntax Description
Defaults
Command Modes
Command History
|
|
|
|---|---|
This command was introduced as the ipsec rsa-keygen command. |
|
Usage Guidelines
RSA key pairs sign, encrypt, and decrypt. To get a CA, you first need a CSR.
1. The crypto rsa-keygen command makes a private key (segwSLOTxSAMIx.prv) and a CSR (segw-pem.csr) based on the CSR parameters you enter.
2. The private key file is copied to the SUP engine bootflash or bootdisk, depending on which is available. The default filename for the the private key is segwSLOTxSAMIx.prv where x is a slot and processor number that may vary. An example would be asegwSLOT3SAMI6.prv.
3. The public key, the second key of the key pair, is embedded in the CSR. The default filename for the the certificate request is segw-pem.csr.
Note If all WSGs on a SAMI must share the same certificate, use the crypto rsa-keygen command one time on one WSG. If the WSGs must use separate certificates, use the crypto rsa-keygen command on each WSG on the SAMI.
Examples
This example shows how to generate an RSA key pair and CSR for a client:
username
To configure the SSH username, use the username configuration command. Use the no form of the command to unconfigure a user.
username name of user password 0 unencrypted password
username name of user password 5 encrypted password
Syntax Description
Command Modes
Command History
|
|
|
|---|---|
Usage Guidelines
The first variant of the command takes an unencrypted password and subsequently encrypts it. When it is next displayed using the show running-configuration command, it will display the encrypted version.
The second variant requires an encrypted password, and is used mainly to transfer a login/password to a different card. Unencrypted passwords will never be displayed.
The no variant does not require the password.
The maximum length for the username is 32 characters. The maximum length for the unencrypted password is also 32 characters. The maximum permissible length for the encrypted password is 64 characters. Permitted characters for all of the above fields are standard alphanumeric characters with the exception of “]”, “?”, “$”, TAB, and spaces.
Examples
Here is an example of the username command:
alias
To configure the alias IP address for a VLAN on both the active and standby, use the alias command in interface configuration submode. Use the no form of the command to remove the alias.
Syntax Description
Specifies the alias IP address and its subnet netmask for a VLAN. |
Defaults
Command Modes
Interface configuration submode
Command History
|
|
|
|---|---|
Usage Guidelines
The alias IP address is configured for a VLAN on both the active and standby. FAP/HNB uses the alias IP address instead of the active IP address. When a switchover or failover occurs, the newly-active node starts receiving traffic destined to this alias IP address.
Examples
The following examples show how to configure the alias IP address on 2 PPCs:
crypto address-pool
To set up a local IPSec address pool from which to assign addresses to an endpoint during the SA creation, or to add an address pool, use the crypto address-pool command. To remove the address pool, use the no form of the command.
crypto address-pool pool_name [ start-ip start-ip end-ip end-ip < netmask | ipv6-prefix > netmask | dns-server ip_address | do | end | exit | no ]
no crypto address-pool pool_name
Note address pool configuration changes will only take effect after a no activate -> activate command sequence.
Syntax Description
The IPv4 or IPv6 DNS server address. The format is either A.B.C.D or X:X:X::X. |
|
Defaults
Command Modes
Command History
|
|
|
|---|---|
This command was introduced as the ipsec address-pool command. |
|
The command was modified to include IPv4 and IPv6 IP addresses and subnets. |
Usage Guidelines
Use the crypto address-pool command to change an address pool.
In WSG Release 3.0, the command is modified to accept both IPv4 (A.B.C.D) and IPv6 (X:X:X::X) addresses with the subnet in netmask and prefix format.
Additionally, the dns-server ip_address was modified to accept IPv6 addresses.
Examples
This example shows how to add an IPv6 address pool named foo:
crypto blacklist file
To configure the blacklist filename on the WSG, use the crypto blacklist file global configuration command. Use the no form of the command to disable the blacklisting feature.
crypto blacklist file filename
no crypto blacklist file filename
Syntax Description
The IKE ID that is to be blacklisted. The blacklist file must be present on the SUP disk before this configuration is done. If the file is not present on the SUP, the configuration fails. |
Defaults
Command Modes
Command History
|
|
|
|---|---|
Usage Guidelines
You must edit the blacklist file outside of the Cisco 7600 chassis, and copy it to the SUP bootflash or SUP bootdisk. Initially, you should configure the WSG with the filename of the blacklist file. During this configuration, the blacklist file is internally rcp-ed from the SUP disk to the WSG ram disk, and the IKE stack is informed of the location of the file. The IKE stack performs blacklisting based on the entries in the file. If you need to update the blacklist entries, follow this procedure:
- Edit the blacklist file outside the Cisco 7600 chassis.
- Copy the blacklist to the SUP disk with the same file name that you initially used.
Execute the crypto blacklist file resync command on the WSG. The WSG copies the updated file from the SUP disk to its ramdisk, and informs the IKE stack about the updated file. The IKE stack now uses the new blacklist file.
Examples
The following examples show how to configure the blacklisting feature on the WSG:
crypto cert renewal retrieve
To specify the parameters for copying renewed certificate files from the SUP, use the crypto cert renewal global configuration command. To disable this feature, use the no form of the command to remove all certificate entries configured for renewal retrieve.
crypto cert renewal retrieve current-wsg-cert cert_file current-wsg-private-key pvk_file
time time
no crypto cert renewal retrieve current-wsg-cert cert_file current-wsg-private-key pvk_file
Syntax Description
Name of the CMP certificate file to update, ending with.crt. |
|
Time in days to start automatic renewal before certificate expires. The range is 2 to 60 days. We suggest a minimum value of 8 days. |
Command Default
Command Modes
Command History
|
|
|
|---|---|
Usage Guidelines
This feature is enabled as long as there is at least one certificate configured for renewal retrieve. To disable this feature, use the no form of the command to remove all certificate entries configured for renewal retrieve.
Note If a manual update of the certificate and private key file is performed using the crypto cmp update EXEC mode command, use the crypto cert renewal retrieve command to remove the old certificate filename and add the updated certificate filename.
Examples
Here is an example of the crypto cert renewal retrieve command:
current-wsg-private-key wsg.prv time 30
crypto clear-traffic load
This command is used to set the number of punt entries to be programmed into traffic distribution hash table in IXP0 based on the current % of total traffic that is Clear. Use the no form of the command to remove the clear-traffic load distribution. This will set the default load % as 50%.
crypto clear-traffic load <50%-100%>
Syntax Description
Percentage of clear traffic load on IXP0. 50% — IXP0 is handling 50% of total incoming traffic. No punt entries will be programmed. |
|
Command Default
Command Modes
Command History
|
|
|
|---|---|
Examples
Here is an example of the crypto clear-traffic load command:
(If Clear traffic is 60% and ESP traffic is 40%, then command to be used is):
crypto clear-traffic switch-distribution-scheme
To set the traffic distribution hash table in IXP0 either with sequential punt entries or random punt entries, use the crypto clear-traffic switch-distribution-scheme command. Use the no form of the command to switch to the default distribution scheme.
crypto clear-traffic switch-distribution-scheme <1/2>
no crypto clear-traffic switch-distribution-scheme
Syntax Description
Command Default
Command Modes
Command History
|
|
|
|---|---|
Examples
Here is an example of the crypto clear-traffic switch-distribution-scheme command:
crypto cmp auto-update
To provide the information necessary to automatically renew an enrolled CMP certificate, and to copy the updated certificate files to the SUP, use the crypto cmp auto-update global configuration command. Use the no form of the command to disable this feature.
crypto cmp auto-update current-wsg-cert cert_file current-wsg-private-key pvk_file ca-root ca_file ca-url url time time [ key-reuse ]
no crypto cmp auto-update current-wsg-cert cert_file current-wsg-private-key pvk_file ca-root ca_file ca-url url time time
Syntax Description
Command Default
Command Modes
Command History
|
|
|
|---|---|
Usage Guidelines
This feature is enabled as long as there is at least one certificate configured for auto-update. To disable this feature, use the no form of the command to remove all certificate entries configured for auto-update.
Note If the CA is unreachable, the WSG will try 3 times with an hour wait between each attempt. The renewal notification trap is sent when the renewal is initiated and when it succeeds or fails. If it fails, the operator will need to correct the problem and manually update the certificate. If the CA acknowledges receiving the request but does not issue the renewed certificate, the WSG will poll for the certificate 10 times with an hour (or the CA provided time) between each poll. The renewal notification trap is sent with the status, and if the status is failed, the operator will need to manually renew the certificate.
Note If a manual update of the certificate and private key file is performed using the crypto cmp update EXEC mode command, use the crypto cmp auto-update command to remove the old certificate filename and add the updated certificate filename
Examples
Here is an example of the crypto cmp auto-update command:
crypto cmp transport
To configure the Transport Protocol for CMPv2 messages, use the crypto cmp transport global configuration command. Use the no form of the command to set the CMPv2 default protocol.
crypto cmp transport transport protocol
no crypto cmp transport transport protocol
Syntax Description
HTTP will be used as transport Protocol for all CMPv2 messages. |
|
TCP will be used as transport Protocol for all CMPv2 messages. |
|
Command Default
Command Modes
Command History
|
|
|
|---|---|
Usage Guidelines
Use the crypto cmp transport to configure the transport protocol for CMPv2 messages.
Examples
Here is an example of the crypto cmp transport command:
crypto datapath icmp rate-limit
To control the rate at which the Segw datapath generates ICMP error packets, use the crypto datapath icmp rate-limit global configuration command. Use the no form of the command to remove the rate-limit.
crypto datapath icmp rate-limit interval
no crypto datapath icmp rate-limit interval
Syntax Description
Specifies the time interval in milliseconds before another ICMP error packet can be sent by the datapath. The value range is 1 to 10,000 ms. |
Defaults
Command Modes
Command History
|
|
|
|---|---|
Usage Guidelines
Examples
This example shows how to use the crypto datapath icmp rate-limit command to configure a 1000 ms time interval between sent ICMP error packets:
crypto dfp agent max-tunnels
To specify the maximum number of active tunnels supported on the WSG when the redirect feature is enabled, use the crypto dfp agent max-tunnels global configuration command. Use the no form of the command to remove the maximum number of tunnels.
crypto dfp agent max-tunnels number
no crypto dfp agent max-tunnels number
Syntax Description
Defaults
Command Modes
Command History
|
|
|
|---|---|
Usage Guidelines
This command is configured in conjuction with crypto redirect ip and SLB commands on the SUP.
Examples
This example shows how to configure WSG to support 1000 maximum active tunnels when the redirect feature is enabled:
crypto dfp agent max-weight
To specify the maximum weight associated with the real server that will be reported to the Dynamic Feedback Protocol (DFP) manager on the SUP, use the crypto dfp agent max-weight global configuration command. Use the no form of the command to remove the maximum associated weight.
crypto dfp agent max-weight number
no crypto dfp agent max-weight number
Syntax Description
Defaults
Command Modes
Command History
|
|
|
|---|---|
Usage Guidelines
This command is configured in conjuction with crypto redirect ip commands on the WSG and SLB commands on the SUP.
Examples
This example shows how to configure a maximum weight of 10:
crypto dhcp-client
To specify the relay agent IP address, and the server and client ports used on the WSG, use the crypto dhcp-client global configuration command. Use the no form of the command to remove the specified server and client ports.
crypto dhcp-client giaddr ip_address server-port port number client port port number
no crypto dhcp-client giaddr ip_address server-port port number client port port number
Syntax Description
Defaults
Command Modes
Command History
|
|
|
|---|---|
Usage Guidelines
The server and client port number can be the same or different values.
The WSG sends DHCP messages with the client port number, and receives responses from the server on the server port number.
The giaddr must be unique for each PPC talking to the DHCP server.
This command is required if you require DHCP address allocation.
Examples
The following example shows how to configure the crypto dhcp-client command:
crypto dhcp-client client-id-type extract-cn
To specify the client ID that is sent by the WSG (in option 61 of a DHCP message), use the crypto dhcp-client client-id-type extract-cn global configuration command. Use the no form of the command to revert the client ID to the default setting.
crypto dhcp-client client-id-type extract-cn
no crypto dhcp-client client-id-type extract-cn
Syntax Description
Defaults
Command Modes
Command History
|
|
|
|---|---|
Usage Guidelines
By default the HNB’s IKE ID is used as the client ID. If the HNB IKE ID is in the DN format, and the CN part of the DN is to be sent as the client ID, then this command must be configured.
Examples
The following example shows how to configure the crypto dhcp-client client-id-type extract-cn command:
crypto dhcp-client link-address
To specify the global unicast IPv6 Link-Address in Relay Forward message used by the WSG, use the crypto dhcp-client link-address global configuration command.
crypto dhcp-client link-address X:X:X::X server-port port number client port port number
Syntax Description
Defaults
Command Modes
Command History
|
|
|
|---|---|
Usage Guidelines
This command is mandatory if DHCPv6 address allocation is required.
Examples
The following example shows how to configure the crypto dhcp-client link-address command:
crypto dhcp-server
To configure the DHCP server IP address and port number, use the crypto dhcp-server global configuration command. Use the no form of the command to remove a specific DHCP server from the configuration.
crypto dhcp-server ip A.B.C.D | X:X:X::X port port_number
no crypto dhcp-server ip A.B.C.D | X:X:X::X port port_number
Syntax Description
Specifies the DHCP port number. The range is from 1 to 65535. |
Defaults
Command Modes
Command History
|
|
|
|---|---|
Usage Guidelines
You must specify at least one DHCP server if you require DHCP address allocation.
You can configure multiple DHCP servers by repeating the command.
Examples
The following example shows how to configure the DHCP server IP address and port number:
crypto dhcp-dns server
To configure the DNS server IP address locally, use the crypto dhcp-dns server global configuration command.
Use the no form of the command to remove a specific DNS server IP from the configuration.
crypto dhcp-dns server ip < <A.B.C.D>|<X:X:X::X> Enter a valid IPv4 or IPv6 Address>
no crypto dhcp-dns server ip < <A.B.C.D>|<X:X:X::X> Enter a valid IPv4 or IPv6 Address>
Syntax Description
Defaults
Command Modes
Command History
|
|
|
|---|---|
Usage Guidelines
This command is optional and is required only if locally configured DNS server IP is needed.
Examples
The following example shows how to configure the DNS server IPv4 address:
The following example shows how to configure the DNS server IPv6 address:
crypto facility
To configure the syslog facility value, use the crypto facility global configuration mode. Use the no form of the command to disable this feature.
Syntax Description
Defaults
By default, the facility value will be independent of the process.
Example: By default, the facility value for the syslog’s generated from IPSEC process will be four (4).
Command Modes
Command History
|
|
|
|---|---|
Usage Guidelines
Use the crypto facility command to control the WSG syslog facility value.
Examples
The following example shows how to configure the facility value:
crypto ike-retry-timeout
crypto ike-retry-timeout [ initial initial-value | max maximum-value ]
Syntax Description
Command Default
Command Modes
Command History
|
|
|
|---|---|
Examples
Here is an example of the crypto ike-retry-timeout command:
crypto ike-retry-count
To set the number of IKE retry connection attempts, use the crypto ike-retry-count command. To remove the IKE retry connection attempts, use the no form of the command.
no crypto ike-retry-count value
Syntax Description
Specifies the maximum number of connection retry attempts, 1 to 10. |
Defaults
Command Modes
Command History
|
|
|
|---|---|
Usage Guidelines
Use the crypto ike-retry-count command to set IKE retry connection attempts.
Examples
This example shows how to set IKE retry connection attempts:
crypto ike-nat-keepalive
To set the time interval for the nat keepalives from the WSG use the ike-nat-keepalive command. To remove the configuration, use the no version of the command.
crypto ike-nat-keepalive interval
no crypto ike-nat-keepalive interval
Syntax Description
Configures the NAT keepalive packets interval in seconds. The range is 20-3600. |
Command Default
Command Modes
Command History
|
|
|
|---|---|
Usage Guidelines
Use ike-nat-keepalive command to set the NAT keepalive interval.
Note This command cannot be entered if the profile is in active state.
Examples
crypto ipsec-fragmentation
To control the fragmentation point in hardware crypto engine for outbound traffic, use the crypto ipsec-fragmentation global configuration command. Use the no form of this command to remove the feature and reset the PMTU to the default value of 1400.
crypto ipsec-fragmentation [none | before-encryption {ipv6} mtu MTU]
no crypto ipsec-fragmentation [none | before-encryption {ipv6} mtu MTU]
Syntax Description
Defaults
IPv4: crypto ipsec-fragmentation before-encryption mtu 1400
IPv6: crypto ipsec-fragmentation before-encryption ipv6 mtu 1400
Command Modes
Command History
|
|
|
|---|---|
Allow configuration of a global PMTU value for IPv4 and IPv6. |
Usage Guidelines
Use crypto ipsec-fragmentation command control the fragmentation point in hardware crypto engine for outbound traffic.
When the MTU size is modified after a tunnel is already established, the new MTU size will be reflected in the output of the show crypto ipsec sa remote-ip command for that tunnel, the new MTU size will not be used by the data traffic flowing through the tunnel until that tunnel is re-keyed. Tunnels that are established after the MTU size is modified will use the new MTU size right away.
Examples
Here are two examples of the crypto ipsec-fragmentation command including its verification:
crypto ipsec security-association replay
To set the anti-replay window size, use the crypto ipsec security association replay global configuration command. Use the no form of the command to disable this feature.
crypto ipsec security-association replay [ window-size ] window-size
no crypto ipsec security-association replay [ window-size ] window-size
Syntax Description
Command Default
Default window size is 32 bits for short sequence number and 64 bit for extended sequence number. Supported window sizes are: 32, 64, 128, 256, 384 and 512.
Note If sequence number extended is configured, the window size default will be 64 instead of 32.
Command Modes
Command History
|
|
|
|---|---|
Usage Guidelines
This example shows how to set the anti-replay window size:
crypto nameresolver
To enable the reverse DNS lookup feature, use the crypto nameresolver global configuration command. Use the no form of the command to disable this feature.
Defaults
Command Modes
Command History
|
|
|
|---|---|
Examples
This example shows how to enable the reverse DNS lookup feature:
This example shows how to disable the reverse DNS lookup feature:
crypto pki trustpoint
To set up a CA certificate to use for certificate-based authentication, use the crypto pki trustpoint command. To remove a CA certificate, use the no form of the command.
crypto pki trustpoint { rootCA | subCA } filename.crt crl disable
no crypto pki trustpoint {rootCA | subCA} filename.crt crl disable
Syntax Description
Defaults
Command Modes
Command History
|
|
|
|---|---|
Usage Guidelines
The CA certificate must exist on the SUP before issuing this command.
Use the crypto pki trustpoint command multiple times to set up a certificate chain.
Up to 20 root certificates can be configured on the WSG.
Note crypto pki trustpoint configuration changes will only take effect after a no activate -> activate command sequence.
Examples
This example shows how to set up the WSG to use a CA certificate on the SUP named cert-ca1.crt:
For rootCA, there is an option to disable the CRL (Certificate Revocation List).
crypto pki wsg-cert
To set up the WSG certificate and (optionally) the private key file for a WSG to use for certificate-based authentication, use the crypto pki wsg-cert global configuration command. Use the no form of this command to remove the WSG certificate.
crypto pki wsg-cert cert_filename.crt [ wsg-private-key private-key-filename.prv ]
no crypto pki wsg-cert cert_filename.crt [ wsg-private-key private-key-filename.prv ]
Syntax Description
Defaults
Command Modes
Command History
|
|
|
|---|---|
Usage Guidelines
The WSG certificate must be in the SUP bootflash or SUP bootdisk file system before issuing this command. The WSG uses both file systems to locate the files.
If a private key filename is not specified, it is assumed the user is trying to use a locally generated private key (using the crypto rsa-keygen command).
Note In releases prior to WSG Release 4.0, wsg-cert configuration changes will only take effect after a no activate -> activate command sequence.
Note If a manual update of the certificate and private key file is performed using the crypto cmp update EXEC mode command, use the crypto pki wsg-cert command to remove the old certificate filename and add the updated certificate filename. This is not required after an automatic renewal.
Examples
To set up the WSG certificate with the name wsg.crt and a private key named wsg.prv, enter:
Copying cert1.crt from SUP...done
crypto pki wsg-cert-trap expiry notification
To specify the trap notification time before the trap expires, use the crypto pki wsg-cert-trap expiry notification global configuration command. The no form of this command sets the time before the trap is not valid back to the default 24 hours.
crypto pki wsg-cert-trap expiry notification time
no crypto pki wsg-cert-trap expiry notification time
Syntax Description
Time in hours to send the expiry trap before the certificate is not valid. The range is 1 to 720 hours (30 days). The default value is 24 hours. |
Defaults
Command Modes
Command History
|
|
|
|---|---|
Examples
Here is an example of the crypto pki wsg-cert-trap expiry notification command set for 72 hours (3 days):
Enter configuration commands, one per line. End with CNTL/Z
WSG(config)# crypto pki wsg-cert-trap expiry notification 72
crypto profile
To create a profile and to enter the crypto profile submode, use the crypto profile global configuration command. Use the no form of this command to remove a profile.
no crypto profile profile-name
Syntax Description
Defaults
Command Modes
Command History
|
|
|
|---|---|
Usage Guidelines
A crypto profile can be either remote-access type or site-to-site type. The type command is used to specify the type of each profile that you create. If the type is not specified, the default is remote-access.
Examples
This example illustrates the crypto profile command:
crypto radius accounting enable
To enable the RADIUS accounting feature on the WSG, use the crypto radius accounting enable global configuration command. Use the no form of the command to disable the feature.
crypto radius accounting enable
no crypto radius accounting enable
Syntax Description
Defaults
Command Modes
Command History
|
|
|
|---|---|
Usage Guidelines
Use the crypto radius accounting enable command to enable the RADIUS accounting feature.
Note All profiles must be deactivated before enabling RADIUS accounting.
Examples
Here is an example configuration of the crypto radius accounting enable command:
crypto radius nas-id
Identification of the WSG as NAS to the RADIUS server is required. To configure the NAS Identifier on the WSG, use the crypto radius nas-id global configuration command. Use the no form of the command to disable the feature.
crypto radius nas-id identifier-string
no crypto radius nas-id identifier-string
Note This CLI command is applicable to both RADIUS Authentication and Accounting features. It is mandatory to configure one or both of the crypto radius nas-id and crypto radius nas-ip commands before configuring the crypto radius-server host command.
Syntax Description
This RADIUS attribute contains a string to identify the NAS originating the access request. |
Defaults
Command Modes
Command History
|
|
|
|---|---|
Usage Guidelines
Use the crypto radius nas-id command to configure the NAS Identifier on the WSG.
Note When upgrading to WSG Release 3.0 from a previous 2.X release, if a RADIUS server configuration exists, the crypto profile(s) will be inactive after the upgrade. To reactivate, configure the crypto radius nas-id or crypto radius nas-ip commands and then activate the profile(s).
Examples
Here is an example configuration of the crypto radius nas-id command:
crypto radius nas-ip
Identification of the WSG as NAS to the RADIUS server is required. To configure the NAS IP address on the WSG, use the crypto radius nas-ip global configuration command. Use the no form of the command to disable the feature.
Syntax Description
IPv4 or IPv6 address of the NAS. Format is A.B.C.D or X:X:X::X. |
Defaults
Command Modes
Command History
|
|
|
|---|---|
Usage Guidelines
Use the crypto radius nas-ip command to configure the NAS IP address on the WSG.
Note This CLI command is applicable to both RADIUS Authentication and Accounting features. It is mandatory to configure one or both of the crypto radius nas-id and crypto radius nas-ip commands before configuring the crypto radius-server host command.
Note When upgrading to WSG Release 3.0 from a previous 2.X release, if a RADIUS server configuration exists, the crypto profile(s) will be inactive after the upgrade. To reactivate, configure the crypto radius nas-id or crypto radius nas-ip commands and then activate the profile(s).
Examples
Here is an example configuration of the crypto radius nas-ip command:
crypto radius-server host
To authenticate remote end points with a RADIUS server, use the crypto radius-server host global configuration command. Use the no form of the command to disable this feature.
crypto radius-server host ip key keyword [ auth-port auth_port_# ] [ acct-port acct_port_# ]
no crypto radius-server host ip key keyword [ auth-port auth_port_# ] [ acct-port acct_port_#]
Syntax Description
Defaults
The default port number for auth_port is 1812 and for acct_port is 1813.
Command Modes
Command History
|
|
|
|---|---|
This command was modified to accept IPv6 addresses and added optional auth-port and acct-port parameters. |
Usage Guidelines
This command must be configured if you use the RADIUS authentication feature.
RADIUS authentication can be used with remote-access type profiles only.
Examples
Here is an example of the crypto radius-server host command:
WSG(config)# crypto radius-server host 5.5.5.5 key cisco123 auth-port 8120 acct-port 8112
crypto radius source-ip
To specify the source IP address of the RADIUS packets that are sent to the RADIUS server, use the crypto radius source-ip global configuration command. Use the no form of the command to disable this feature.
crypto radius source-ip src-ip-address
no crypto radius source-ip src-ip-address
Syntax Description
The source IPv4 or IPv6 address of the RADIUS packets that are sent to the RADIUS server. The format is either A.B.C.D or X:X:X::X. |
Defaults
Command Modes
Command History
|
|
|
|---|---|
Usage Guidelines
This is an optional command configured when the RADIUS authentication feature is used. If not specified, the IKE stack will get the source IP address to use for RADIUS packets from the kernel (which is based on the route to reach the RADIUS server). RADIUS authentication can be used with remote-access type profiles only.
Examples
Here is an example of the crypto radius source-ip command:
crypto redirect ip
To specify the real and redirect IP addresses for the IKEv2 redirect feature, use the crypto redirect ip command in global configuration mode. Use the no form of the command to remove the IP addresses.
crypto redirect ip real_IP redirect to redirect_IP [vrf vrf_name]
no crypto redirect ip real_IP redirect to redirect_IP [vrf vrf_name]
Syntax Description
Defaults
Command Modes
Command History
|
|
|
|---|---|
Usage Guidelines
Unlike IPv4 real addresses, IPv6 real addresses do not report the weight to the SUP. IPv6 real addresses report the weight through IPv4 real addresses. Therefore, verify that the correct IPv4 and IPv6 real addresses are associated with each other on the SUP. Also, verify that a DFP agent with a IPv4 real address is defined on the SUP.
Note The DFP agent source port should always be 4700.
Examples
This example shows how to configure real and redirect IP addresses for the IKEv2 redirect feature:
crypto remote-secret
To set the remote shared secret, use the crypto remote-secret command. To remove the remote shared secret, use the no form of the command.
crypto remote-secret id_type id secret
no crypto remote-secret id_type id secret
Syntax Description
Defaults
Command Modes
Command History
|
|
|
|---|---|
Usage Guidelines
Remote secrets help set pre-shared keys for IKE authentication for remote clients. Use the
crypto remote-secret command to set the remote secret shared. The crypto remote-secret command is used for authentication and can be configured as an IP address. In WSG Release 3.0, the command accepts either an IPv4 or an IPv6 address.
Note The maximum number of supported remote-secret entries is 1000.
Examples
This example shows how to set pre-shared keys information for IKE authentication for remote clients.
crypto responder-redirect enable
To enable the IKEv2 redirect feature, use the crypto responder-redirect enable command in global configuration mode. Use the no form of the command to disable the feature.
crypto responder-redirect enable
no crypto responder-redirect enable
Syntax Description
Defaults
Command Modes
Command History
|
|
|
|---|---|
Usage Guidelines
Examples
This example shows how to enable the IKEv2 redirect feature:
crypto rri enable
To enable the RRI feature, use the crypto rri enable command. To disable the RRI feature,
use the no form of the command.
Defaults
Command Modes
Command History
|
|
|
|---|---|
Usage Guidelines
For WSG Release 3.0, the RRI feature only supports IPv4.
Only site-to-site profiles are supported.
The VRF feature on the WSG cannot not be enabled when the RRI feature is already configured.
Examples
This example shows how to enable
crypto snmp stats-refresh-interval
To configure statistics refresh interval to either auto mode or manual mode. In auto mode, the refresh interval is adjusted automatically based on number of tunnels.
no crypto snmp stats-refresh-interval auto will change to the default setting (manual mode with 300 seconds interval) and no crypto snmp stats-refresh-interval manual interval will change to auto mode.
crypto snmp stats-refresh-interval {auto | manual interval }
no crypto snmp stats-refresh-interval {auto | manual}
Syntax Description
Set referesh interval automatically based on number of tunnels, on average about 1.5 sec for 1000 tunnels. |
|
Defaults
By defualt this command is set to manual mode 300 seconds interval.
Command Modes
Command History
|
|
|
|---|---|
This command was introduced as the crypto snmp stats-refresh-interval command. |
Usage Guidelines
Use the crypto snmp stats-refresh-interval command to configure the statistics refresh interval.
Examples
This example shows how to set up the WSG to configure the auto length for IKE/IPSec tunnel:
This example sets the defualt setting manual mode with 300 seconds interval:
crypto site-to-site-lookup
To configure the list of source-mask and destination-mask combinations, use the crypto site-to-site-lookup global configuration command. Use the no form of the command to disable this feature.
crypto site-to-site-lookup [ priority priority | source-netmask src-netmask | destination-netmask dst-netmask]
no crypto site-to-site-lookup [ priority priority | source-netmask src-netmask | destination-netmask dst-netmask]
Syntax Description
Defaults
Command Modes
Command History
|
|
|
|---|---|
The N subnet mask format is increased from 0-32 to 0-128 for IPv6. |
Usage Guidelines
You must enter this command one or more times before activating any S2S profiles. S2S profile cannot be activated if this command is not configured on the WSG.
Examples
This example shows how to configure the crypto site-to-site-lookup command:
destination-netmask 24
destination-netmask 64
destination-netmask 112
crypto syslog-level
To configure the syslog level, use the crypto syslog-level global configuration mode.
Syntax Description
Defaults
Command Modes
Command History
|
|
|
|---|---|
This command was introduced as the crypto syslog-level command. |
|
Usage Guidelines
Use the crypto syslog-level command to control WSG message types.
Syslog level 1 logs the largest amount of information.
A limited amount of the logs are saved on the WSG. You can send the syslog to a remote syslog server using the ip logging command.
Examples
This example shows how to set up the WSG to generate messages at and above level 1:
crypto throughput threshold
To configure the system to generate an SNMP trap when WSG throughput utilization goes above the configured value for a sustained number of intervals, use the crypto throughput threshold global configuration mode.
no crypto throughput threshold will change values back to the default setting; i.e. threshold with 50% and interval value 2.
crypto throughput threshold threshold interval interval
no crypto throughput threshold threshold interval interval
Syntax Description
Number of sustained intervals where each interval is of 5 mins. |
Defaults
Command Modes
Command History
|
|
|
|---|---|
This command was introduced as the crypto throughput threshold command. |
Usage Guidelines
Use the crypto throughput threshold command to generate an SNMP trap when WSG throughput utilization goes above the configured value for a sustained number of intervals.
Examples
This example shows how to set up the WSG to generate an SNMP trap when WSG throughput utilization goes above the configured value for a sustained number of intervals:
ha interface vlan
To configure the HA VLAN that is used to communicate among the nodes in the same cluster (subnet), use the ha interface vlan global configuration command. Use the no form to disable this functionality.
Syntax Description
Defaults
Command Modes
Command History
|
|
|
|---|---|
Usage Guidelines
These CLIs must to be configured on each PPC. The 2 PPCs that are to be paired together should have the same VLAN ID. 6 different VLAN IDs will be used for 6 pairs of PPCs.
Examples
The following examples show how to configure the HA VLAN/IP address for the PPC#3 on Slot#1 and the PPC#3 on Slot#3:
ha interface vlan start-id
To configure the VLAN and IP address using a single point configuration, use the ha interface vlan start-id command in global configuration mode. Use the no form of the command to disable this functionality.
ha interface vlan start-id vlan_ID [processor-count count] increment increment_vlan_ID
no ha interface vlan start-id vlan_ID
Syntax Description
Specifies how many PPCs the HA VLAN interface should be applied to. Without this optional keyword, the HA VLAN interface is applied to all 6 PPCs. |
|
Defaults
Command Modes
Command History
|
|
|
|---|---|
Usage Guidelines
This command is available in the entity-all mode on the director PPC (PPC3). You can use the ip address start-ip submode command to configure the start IP address for the director PPC (PPC3) and the increment value for the IP addresses of the slave PPCs (PPC4 to PPC8).
Examples
If you execute the following CLI commands on the director PPC (PPC3):
The resulting configurations of the 6 PPCs appear as follows:
If you execute the following CLI commands on the director PPC (PPC3):
Then PPC3 and PPC4 are configured as follows:
ha redundancy-mode
To configure the redundancy mode of the HA feature, use the ha redundancy-mode command in global configuration mode. Use the no form of the command to remove a redundancy mode.
ha redundancy-mode {active-active | active-standby} preferred-role {primary | secondary} [revertive]
no ha redundancy-mode {active-active | active-standby} preferred-role {primary | secondary} [revertive]
Syntax Description
Defaults
Command Modes
Command History
|
|
|
|---|---|
Modified to support active-active and active-standby node redundancy. |
Usage Guidelines
The ha redundancy-mode active-active CLI command can only be executed on the director PPC (PPC3) under entity-all mode. The command would then be applied to PPC3 and PPC4 only. The roles on PPC3 and PPC4 would be either primary/secondary or secondary/primary, depending on the preferred-role setting. If preferred-role is configured to be primary, PPC3 is primary and PPC4 is secondary. If preferred-role is configured to be secondary, PPC3 is secondary and PPC4 is primary.
In active-active mode, a failure in a PPC triggers a failover to its redundant peer PPC. The rest of the PPCs on the SAMI are not affected. However, if the failure occurs on the card level (such as IXP), the entire SAMI reloads.
Note Since PPC3 and PPC4 have different roles in active-active mode, the entity-all mode should not be used to configure the HA setup.
Note In active-active mode, the revertive keyword is a mandatory option. You must enter the revertive keyword for this CLI to be executed.
The ha redundancy-mode active-standby CLI command can only be executed on the director PPC (PPC3). It can be applied to just the PPC3 or, if under entity-all mode, applied to all of the PPCs. If under entity-all mode, the same preferred-role (primary or secondary) would be applied to all of the PPCs.
In active-standby mode, a failover causes the SAMI to reload, regardless of whether the failure occurred on an individual PPC or on the card level.
When the command is configured, the redundancy mode remains the same. The redundancy mode is applied and takes effect only after the SAMI reloads. You must save the configuration and reload the SAMI in order to activate these commands.
If the command is executed in the all mode, the command is applied to all PPCs so that the same role is assigned to them all. If the command is executed in the single mode, the role is assigned to only that particular PPC. The SAMI that is configured with the preferred-role of secondary needs to be reset before the redundant pairs can take effect.
Examples
The following command configures PPC3 as primary and PPC4 as secondary:
The following command configures PPC3 as secondary and PPC4 as primary:
Note You are responsible to clean up the remaining (non-HA) configuration and bring the system back to operational state. Also, the system will not reboot automatically as a result of removing the HA configuration.
interface
To create a VLAN interface, use the interface command. The CLI prompt changes to (config-if). Use the no form of this command to remove the interface.
Syntax Description
Command Modes
Command History
|
|
|
|---|---|
Usage Guidelines
Use the interface vlan command to configure a VLAN interface on a PPC.
WSG Release 3.0 and above allows you to configure an IPv6 address and alias on the interface.
Each interface is allowed to have one or both IPv4 address/alias and IPv6 address/alias.
While in interface configuration mode, you can use the following commands:
- alias —Alias IPv4 address for the interface
- do —Issue EXEC mode command from within configuration mode
- end —Exit configuration mode
- description —Description for the interface
- ip address —IPv4 address for the interface
- ipv6 address —IPv6 address for the interface
- ipv6 alias —Alias IPv6 address for the interface
- mtu —Maximum Transmission Unit (MTU) for the interface
- no —Negate an interface configuration command or return it to its default value
- shutdown —Shut down the interface
- vrf —Specify the VRF for the interface
Note This CLI is a node-specific command, and cannot be executed under entity-all mode.
Examples
To create VLAN interface 100, enter the following command:
ip address
To configure the IP address used by the HA infrastructure to communicate among the nodes in the same cluster (subnet), use the ip address command in interface configuration submode. Use the no form of the command to remove the IP address.
no ip address ip_address netmask
Syntax Description
Defaults
Command Modes
Interface configuration submode
Command History
|
|
|
|---|---|
Usage Guidelines
These CLIs must to be configured on each PPC. The 2 PPCs that are to be paired together should have the same VLAN ID. 6 different VLAN IDs will be used for 6 pairs of PPCs.
Examples
The following examples show how to configure the HA VLAN/IP addresses for the PPC#3 on Slot#1 and the PPC#3 on Slot#3:
ip address start-ip
To configure the start IP address of the HA VLANs that you are configuring for incremental sync, use the ip address start-ip command in interface configuration submode. Use the no form of the command to disable this functionality.
ip address start-ip ip_address increment increment mask ip_address_netmask
Syntax Description
Defaults
Command Modes
Interface configuration submode
Command History
|
|
|
|---|---|
Usage Guidelines
This command is available in the entity-all mode at director PPC (PPC3).
Examples
If you execute the following CLI on the director PPC (PPC3):
The resulting configurations on the 6 PPCs appear as follows:
ip name-server
To specify the name-server address, use the ip name-server global configuration command. Use the no form of the command to disable this feature.
ip name-server A.B.C.D | X:X:X::X
Syntax Description
Defaults
Command Modes
Command History
|
|
|
|---|---|
Usage Guidelines
If multiple DNS servers are configured, verify that all DNS servers are redundant with each other and identically configured.
Examples
This example shows how to enable the ip name-server command for IPv6:
ip route
To add a route to a VRF, use the ip route global configuration command. Use the no form of the command to disable a route.
ip route ip_address subnet_mask gateway [ vrf vrf_name ]
no ip route ip_address subnet_mask gateway [ vrf vrf_name ]
Syntax Description
Defaults
Command Modes
Command History
|
|
|
|---|---|
Usage Guidelines
Up to 10 IPv4/IPv6 routes can be configured for each VRF on each PPC. A total of 60 routes can be configured for a SAMI.
Examples
This example shows how to add a route to a VRF with the ip route command:
ip ssh auth-type
To start the SSH server or RADIUS client, use the ip ssh auth-type global configuration command. Use the no form of the command to stop this feature.
ip ssh auth-type {radius | local}
no ip ssh auth-type {radius | local}
Syntax Description
Command Default
Command Modes
Command History
|
|
|
|---|---|
Usage Guidelines
The following authentication types are possible:
If more than one auth-type is specified, they are tried in order. The authentication attempt fails only if both attempts fail.
Examples
Here is an example of the ip ssh auth-type command:
ip ssh enable
To start the SSH service, use the ip ssh enable global configuration command. Use the no form of the command to stop the SSH service.
Syntax Description
Command Default
Command Modes
Command History
|
|
|
|---|---|
Examples
Here is an example of the ip ssh enable command:
ip ssh key dsa
To create a dsa key for the ssh service, use the ip ssh key dsa global configuration command. Use the no form of the command to disable this feature.
Syntax Description
Command Default
Command Modes
Command History
|
|
|
|---|---|
Usage Guidelines
Since generating a dsa key is not easy, we recommend that you allow the service to automatically generate a key. If one is not configured when the ssh service is enabled using ip ssh enable, then one will be automatically generated. This command is mainly used to transfer the key between blades.
The no variant does not require that the user enter the entire key. Instead it stops short with:
This is avoid having to cut and paste the whole key. Issuing a no ip ssh key dsa command while the ssh service is running will cause it to automatically generate a new key. If you wish to avoid this, first disable the ssh service.
Examples
Here is an example of the ip ssh key dsa command:
ip ssh port
To change the port used by SSH, use the ip ssh port global configuraion command. Use the no form of the command to remove this assignment.
Syntax Description
Command Default
Command Modes
Command History
|
|
|
|---|---|
Usage Guidelines
This command has no variant to revert back to the default port value of 22.
Examples
Here is an example of the ip ssh port command:
ip ssh radius-server
To configure one or more RADIUS servers, use the ip ssh radius-server global configuration command. Use the no form of the command to remove specified RADIUS servers.
ip ssh radius-server host host_IP key key_str [port port_number timeout timeout_number]
no ip ssh radius-server host host_IP key key_str [port port_number timeout timeout_number]
Syntax Description
Port number to be used with the RADIUS server. Default is port 1812. |
|
Number of seconds to wait before deciding that the server has failed to respond. Default is 3 seconds. |
Command Default
The default value for port_number is port 1812. The default value for timeout_number is 3 seconds.
Command Modes
Command History
|
|
|
|---|---|
Usage Guidelines
If multiple RADIUS servers are configured, they are tried in order. The first server to return a success or failure determines the RADIUS authentication status. A server that fails to respond is skipped, and the next server is used.
Examples
This example shows how to add a RADIUS server to the WSG:
ipv6
To add an IPv6 host or route, use the ipv6 global configuration command. Use the no form of the command to remove an IPv6 host or route.
ipv6 { host ipv6_address | route ipv6_prefix ipv6_gateway }
no ipv6 { host ipv6_address | route ipv6_prefix ipv6_gateway }
Syntax Description
Defaults
Command Modes
Command History
|
|
|
|---|---|
Usage Guidelines
Up to 10 IPv4/IPv6 routes can be configured for each VRF on each PPC. A total of 60 routes can be configured for a SAMI.
This CLI is node-specific and cannot be executed under entity-all mode.
Examples
This example shows how to enter an IPv6 host and route:
ip vrf
To add a VRF, use the ip vrf global configuration command. To remove a VRF, use the no form of the command, including the specific vrf_name.
Syntax Description
Defaults
Command Modes
Command History
|
|
|
|---|---|
Usage Guidelines
By default, a network interface belongs to exactly one VRF, which is VRF_GLOBAL
(VRF_NAME = global). In order to associate a VLAN interface with a specific VRF,
use the vrf vrf_name command after the interface is created (but before the IP address is assigned):
After associating a VLAN device to a VRF, IP addresses can be added to the VLAN interface. These addresses and any automatic routes created as a result of address addition belong to the same VRF as the VLAN interface. Use the show interface vlan command to display the VRF membership of an interface.
Note VRFs can be set on an interface that already has an IP address assigned. After adding the interface to the new VRF, the IPv4/IPv6 addresses on the interface are deleted. Any routes associated with the interface within the old VRF are also removed.
To remove a vrf-interface association, use the no vrf command. Upon removal, interfaces that are part of the deleted VRF are migrated back to the VRF global. The IPv4/IPv6 addresses and routes associated with the migrated interfaces are cleared.
Examples
This example shows how to enable the ip vrf command:
logging
To configure the IP address of the external logging server, use the logging global configuration command. Use the no form of the command to disable this feature.
logging { ip A.B.C.D | ipv6 X:X:X::X | lineread}
no logging { ip A.B.C.D | ipv6 X:X:X::X | lineread}
Syntax Description
Defaults
Command Modes
Command History
|
|
|
|---|---|
Allow multiple external logging servers with IPv4 addresses. |
Usage Guidelines
In WSG Release 3.1 and above, the logging command allows you to configure multiple external logging servers with IPv4 addresses. However, only a single logging server with an IPv6 address can be configured at a time.
Examples
This example shows how to enable the logging command for IPv6:
router bgp
To enable Border Gateway Protocol (BGP) routing and place you in the BGP configuration mode, use the router bgp global configuration command. Use the no form of the command to disable BGP routing.
Syntax Description
The autonomous system (AS) number is a required parameter that specifies the local BGP. The range is from 1 to 65535. |
Defaults
Command Modes
Command History
|
|
|
|---|---|
Usage Guidelines
In WSG Release 3.0, the BGP neighboring address only supports IPv4 addresses.
Examples
Here is an example of the router bgp command:
neighbor
To configure a BGP peer, use the neighbor command in BGP configuration submode. To remove a BGP peer, use the no form of the command.
neighbor ip_address remote-as remote _ asn next-hop-alias next_ip_address
no neighbor ip_address remote-as remote _ asn
Syntax Description
Defaults
Command Modes
Router BGP configuration submode
Command History
|
|
|
|---|---|
Usage Guidelines
Support for IPv6 addresses in ip_address and next_ip_address was added in WSG Release 4.0.
Examples
Here is an example of the neighbor command:
auto-initiate
To configure the WSG to initiate a tunnel with a peer when a site-to-site type profile is activated, use the auto-initiate command in ISAKMP submode. Use the no form of the command to disable this feature.
Syntax Description
Defaults
Command Modes
Command History
|
|
|
|---|---|
Usage Guidelines
When auto-initiate is configured, the peer’s IP address must be specified in the profile.
Examples
This example shows how to initiate a tunnel:
dpd-timeout
To define the interval in which the DPD packets are initiated from the WSG, use the dpd-timeout command in ISAKMP submode. Use the no form of the command to disable DPD initiation on the profile tunnels.
Syntax Description
Value of the dpd-timeout in seconds. Default value is 0. Range is 0 to 5040. Enter timeout value as 0, 90, 180, 270, etc. (by multiples of 90) up to 5040. |
Defaults
Command Modes
Command History
|
|
|
|---|---|
The timeout argument is enhanced to count in multiples of 90. |
Usage Guidelines
The no dpd-timeout timeout form of the command disables DPD initiation on the profile tunnels.
Note When upgrading the WSG, a previously configured DPD value will be rounded to a WSG Release 3.0 value.
Note For solutions requiring more than 5,000 tunnels per PPC, Cisco recommends configuring a dpd-timeout greater than 180 seconds.
Examples
This example shows how to enter a DPD value of 270 seconds:
sequence-number
To specify that a 32-bit (short) or 64-bit (extended) sequence number is used for a profile, use the sequence-number command in ISAKMP submode. Use the no form of the command to disable the sequence number.
sequence-number { extended | short }
no sequence-number { extended | short }
Syntax Description
Defaults
Command Modes
Command History.
|
|
|
|---|---|
Examples
This example shows the extended sequence number:
eap-type
To set the EAP method, use the eap-type command in ISAKMP submode.
To remove an EAP method, use the no form of the command.
Syntax Description
Defaults
Command Modes
Command History
|
|
|
|---|---|
Usage Guidelines
Extensible Authentication Protocol (EAP) is an authentication framework that defines message formats. WSG supports the following EAP authentication methods:
- UMTS Authentication and Key Agreement (EAP-AKA)
- Message Digest algorithm 5 (EAP-MD5)
- GSM Subscriber Identity Module (EAP-SIM)
Use the eap-type command to set the EAP method. When all user-entered configurations for this parameter are removed, then the feature again becomes disabled by default.
Multiple eap-type authentication methods can be configured in a profile. This is not supported in S2S profiles.
Examples
This example shows how to set an EAP method using 128-bit SIM:
encryption
WSG supports the following IKE secret encryption schemes:
- Data Encryption Standard (DES)
- Triple DES (3DES), also known as Triple Data Encryption Algorithm (3TDEA)
- Advanced Encryption Standard (AES)
To set the IKE secret encryption scheme, use the encryption command in ISAKMP submode. To remove an IKE secret encryption scheme, use the no form of the command.
encryption {des | 3des | aes | aes192 | aes256}
no encryption {des | 3des | aes | aes192 | aes256}
Syntax Description
Defaults
Command Modes
Command History
|
|
|
|---|---|
This command was enhanced to configure multiple encryptions. |
Usage Guidelines
Use the encryption command to set the IKE secret encryption scheme. Multiple algorithms can be configured together. The default values are not displayed. When you enter a scheme, the default is overwritten. When all user-entered configurations for this parameter are removed, then the default again becomes the aes value.
Examples
This example shows how to set an IKE encryption scheme using the 128-bit AES encryption algorithm:
group
IKE uses Diffie-Hellman to establish session keys. Diffie-Hellman is a public-key cryptography protocol that allows two parties to share a secret over an unsecured channel. IKE Groups set the allowed Diffie-Hellman groups for IKE SAs.
To set a group ID, use the group command in ISAKMP submode. To remove the group ID, use the no form of the command.
group {1 | 2 | 5 | 14 | 15 | 16 | 17 | 18}
no group {1 | 2 | 5 | 14 | 15 | 16 | 17 | 18}
Syntax Description
Defaults
Command Modes
Command History
|
|
|
|---|---|
Usage Guidelines
Examples
This example shows how to set the group ID to 5:
hash
Hash algorithms are used to authenticate packet data. WSG Release 1.2 and above supports three types of ISAKMP hash protocols: Message Digest Algorithm 5 (MD5), Secure Hash Algorithm (SHA) and AES Cipher Block Chaining Algorithm (aes-xcbc).
To set a hash algorithm, use the hash command in ISAKMP submode. To remove the hash algorithm, use the no form of the command.
hash { aes-xcbc | md5 | sha1 | sha2 }
no hash {aes-xcbc | md5 | sha1 | sha2}
Syntax Description
Defaults
Command Modes
Command History
|
|
|
|---|---|
Usage Guidelines
Use the hash command to set a hash algorithm. In WSG Release 2.2 and above, multiple hash algorithms can be combined. The default values are not displayed. When you enter an algorithm, the default is overwritten. When all user entered configurations for this parameter are removed, then the default again becomes the sha1 value.
Examples
This example shows how to set the hash algorithm to md5:
self-identity
To set up an ID type for the local client to use during IKE negotiation, use the self-identity command in the ISAKMP submode. To remove the configuration, use the no form of the command.
self-identity id-type id-type id id
no self-identity id-type id-type id id
Syntax Description
Defaults
Command Modes
Command History
|
|
|
|---|---|
This command was introduced as the ipsec local-identity command. |
|
Usage Guidelines
Use the self-identity command to set up an identity for the local client.
Note • local-identity must match the certificate’s identity when using certificates for authentication.
Examples
This example shows how to define the local client IKE identity as an IP address:
lifetime
The IKE SA is kept by each peer until it’s lifetime expires. Because new SAs are negotiated before current SAs expire, they can be reused to save time. Shorter lifetimes mean more secure negotiations. Longer lifetimes mean SAs are more quickly set up.
To set the IKE lifetime of an SA, use the lifetime command. To reset the SA lifetime to the default value, use the no form of the command.
Syntax Description\
Defaults
Command Modes
Command History
|
|
|
|---|---|
Usage Guidelines
Use the lifetime command to set how long an IKE SA lives before expiring.
Depending on the application, the IKE SA lifetime may also be configured on the peer. We recommend that you do not configure a peer IKE SA lifetime that is shorter than the minimum supported by the WSG.
Examples
This example shows how to set an SA lifetime to 7200 seconds (120 minutes):
local-secret
To set a shared key, use the local-secret command. To remove the key, use the no form of the command.
Syntax Description
Defaults
Command Modes
Command History
|
|
|
|---|---|
Usage Guidelines
Examples
This example shows how to set the shared key name to foo:
peer-ip
To set the peer for the IKE and IPSec negotiations, use the peer-ip command. To remove the configuration use the no form of the command.
Note Only for site-to-site configuration. Not applicable to Remote access profile.
Command Default
Command Modes
Command History
|
|
|
|---|---|
Usage Guidelines
Use the peer-ip command to set peer-ip for the tunnel profile.
Note You should not configure this command for remote access type profiles.
Examples
This example shows how to set peer-ip for the tunnel profile.
ike-version
To set the IKE version, use the ike-version command. To remove the IKE version, use the no form of the command.
Syntax Description
| both—IKE version 1 and IKE version 2, use this if you are not sure which IKE version the client is using. |
Defaults
Command Modes
Command History
|
|
|
|---|---|
Usage Guidelines
Use the ike-version {1 | 2 | both} command to set the IKE version.
Note ike-version both is not supported with auto-initiate in site-to-site profiles.
Examples
This example shows how to set the IKE version to 1:
ike-start-with-natt
WSG can be configured to disable the usage of NAT ports when an IKE message is initiated from WSG like in case of a rekey.
This would make sure that the IKE messages on a rekey are sent out on port 500 instead of 4500. This command is only required for IKEV1. The NAT ports will be enabled by default; to disable it and make the WSG use the port 500 on IKE negotiations, use this command.
To disable the IKE initiations on the NAT ports, use ike-start-with-natt command. To undo the configuration use the no command.
no ike-start-with-natt disable
Syntax Description
Defaults
Command Modes
Command History
|
|
|
|---|---|
Usage Guidelines
Use ike-start-with-natt command to disable IKE initiation with NATT for IKEV1.
Examples
authentication
To set the IKE authentication method, use the authentication command. To remove the IKE authentication method, use the no form of the command.
authentication { rsa-sig | pre-shared }
no authentication { rsa-sig | pre-shared }
Syntax Description
Defaults
Command Modes
Command History
|
|
|
|---|---|
Usage Guidelines
Use the authentication command to set IKE authentication method.
Examples
This example shows how to set IKE authentication method:
ipv6
To enter the IPv6 address or alias, use the ipv6 command in interface configuration submode. Use the no form of the command to disable this feature.
Syntax Description
Defaults
Command Modes
Interface configuration submode
Command History
|
|
|
|---|---|
Usage Guidelines
Each interface is allowed to have one or both IPv4 address/alias and IPv6 address/alias.
Examples
This example shows how to enable various instances of the ipv6 command:
Each interface is allowed to have one or both IPv4 address/alias and IPv6 address/alias. For example,
ip address 10.10.10.3 255.255.255.0
alias 10.10.10.1 255.255.255.0
ipv6 address 2001:88:88:94::4/96
Note This CLI is a node-specific command and cannot be executed under entity-all mode.
ip address-pool
To specify when a profile is required to use DHCP-based address allocation, or to specify the name of the address pool to be used for a profile, set the ip address-pool command. Use the no form of the command to remove the address-pool name configuration.
ip address-pool { dhcp | address-pool-name}
no ip address-pool { dhcp | address-pool-name}
Syntax Description
Specifies when a profile is required to use DHCP-based address allocation. |
|
Command Default
Command Modes
Command History
|
|
|
|---|---|
Usage Guidelines
Use the ip address-pool command to set the address pool to be used for the profile.
Note This command is not applicable for a site-to-site profile.
Use the dhcp keyword in the command when a profile is required to use DHCP-based address allocation. When the profile is activated, the mandatory global DHCP configuration is checked for completeness. If any profile is activated with DHCP address allocation, the global DHCP configuration commands cannot be modified or removed.
Examples
This example shows how to set the address pool for a profile named foo.
This example activates the profile for DHCP-based address allocation:
local-ip
To set up the local IP address to use during SA negotiation, use the local-ip command. To return to the default value, use the no form of the command.
Syntax Description
IP address of the local client. This can be an IPv4 or IPv6 address. |
Defaults
Command Modes
Command History
|
|
|
|---|---|
Usage Guidelines
Use the local-ip command to set up a local IP address that is used during SA negotiation.
Examples
This example shows how to define 10.95.10.110 as the IP address of the WSG to use during SA negotiation:
pfs
To set a Perfect Forward Secrecy (PFS) group ID to use for negotiations during a new SA exchange, use the pfs command. Use the no form of the command to remove the key.
pfs { group1 | group2 | group5 | group14 | group15 | group16 | group17 | group18 }
no pfs { group1 | group2 | group5 | group14 | group15 | group16 | group17 | group18 }
Syntax Description
Defaults
Command Modes
Command History
|
|
|
|---|---|
Added group14, group15, group16, group17, and group18 keywords. |
Usage Guidelines
Use the pfs command to set a group type for use in negotiations during a child SA exchange.
Examples
This example shows how to set group2 as the group ID:
security-association lifetime
To set the SA timed lifetime, use the security-association lifetime command in IPSec submode. To remove the SA timed lifetime, use the no form of this command.
security-association lifetime { megabytes megabytes | seconds seconds}
no security-association lifetime { megabytes megabytes | seconds seconds}
Syntax Description
Specifies the lifetime in megabytes. The minimum value is 4500MB. |
|
Specifies the lifetime in seconds. The range is 3600 to 2147483647. |
Defaults
Command Modes
Command History
|
|
|
|---|---|
Usage Guidelines
Use the security-association lifetime command to set the SA timed lifetime in megabytes or seconds.
Depending on the application, the IPSec SA lifetime may also be configured on the peer. We recommend that you do not configure peer IPSec SA lifetimes that are shorter than the minimum values supported by the WSG.
Examples
This example shows how to set the IPSec SA lifetime in seconds or megabytes:
security-association replay
To disable IPSec security association replay, use the security-association replay command. To enable IPSec security association replay, use the no form of the command.
security-association replay disable
no security-association replay disable
Defaults
Security association replay is enabled with window size 32 bits.
Command Modes
Command History
|
|
|
|---|---|
Usage Guidelines
Use the security-association replay command to disable IPSec security association replay.
Examples
This example shows how to disable IPSec security association replay:
access-permit
To configure the protected IP address to which traffic is allowed from a remote access tunnel, or traffic selectors and multiple child SA features for site-to-site tunnels, use the access-permit command. Use the no form of the command to remove the access-permit configuration.
access-permit ip ip-address subnet subnet
no access-permit ip ip-address subnet subnet
access-permit rule-name protocol { any | sctp | udp | tcp }
[ src-ip src_ip src_prefix | src-port start_src_port end_src_port |
dst-ip dst_ip dst_prefix | dst-port start_dst_port end_dst_port]
Syntax Description
Defaults
A specific access-permit must be specified based on the network configuration.
Command Modes
Command History
|
|
|
|---|---|
The following keywords and arguments were changed for site-to-site scalability improvements: |
|
Allow up to 5 multiple access-permit statements in a remote-access crypto profile. |
Usage Guidelines
Use the access-permit command to set the IP address and subnet from which traffic is allowed from the remote-access tunnel.
In WSG Release 4.2 and above when a customer is configuring a site to site access permit, a check has been added to determine, if the user has configured overlapping traffic selectors. If misconfigured a warning will be triggered to the user and will be logged into the syslog.
In WSG Release 3.1 and above, you can configure multiple access-permit statements in a remote-access crypto profile. Up to 5 access-permit statements can be added.
For site-to-site tunnels, the extended access-permit configuration defines the parameters of the traffic permitted on the tunnel.
There is no default, and at least one access-permit needs to be specified for each profile. If multiple child SAs are required, multiple access-permit configurations need to be entered.
In WSG Release 1.2, the rule-name argument is added, and applies to site-to-site type profiles only. The WSG Release 1.1 syntax for access-permit only applies to the remote-access type profile. The profile name should be unique; you cannot use the same name for two different profiles.
Examples
This example shows how to allow traffic from all remote-access clients to the 100.1.3.0/24 and 88.88.0.0/16 subnets:
The following is an example of the extended access-permit command with the protocol options and IPv6
The following is an example that includes the ras type access permit:
transform-set
To set an Encapsulating Security Payload (ESP) encryption and hash type, use the transform-set command in IPSec submode.
transform-set esp {3des | aes | aes192 | aes256 | des | null} {aes-xcbc | md5 | sha1}
Syntax Description
See encryption |
|
See hash |
Defaults
Command Modes
Command History
|
|
|
|---|---|
Usage Guidelines
ESP is a security protocol that gives data privacy services, data authentication, and anti-replay services. ESP encapsulates data to be protected. Use the transform-set command to set ESP encryption and hash type. In WSG Release 2.2 and above, multiple transform sets can be configured together.
Examples
This example shows how to set ESP encryption and hash type:
oam mode single
To identify the interface used for single mode OAM traffic, use the oam mode single command.
Use the no form of the command to disable this feature.
no oam mode single vlan_ number
Syntax Description
Defaults
Command Modes
Command History
|
|
|
|---|---|
Usage Guidelines
Examples
This example shows a sample configure with the oam mode single command. All management traffic from the director and subordinate PPCs destined to the VLAN 223 subnet will now be directed through this interface:
oam-ip route
To configure the static routes on the director and subordinate PPCs for subnet management, use the oam-ip route command. Use the no form of the command to disable these routes.
oam-ip route ip_address subnet_mask gateway
no oam-ip route ip_address subnet_mask gateway
Syntax Description
Defaults
Command Modes
Command History
|
|
|
|---|---|
Usage Guidelines
This command is similar to ip route in functionality, with the exception that it affects the routes on the subordinate PPCs as well. It does not support IPv6.
Examples
This example shows how to configure the oam-ip route command:
process cpu threshold
To enable the CPU Threshold Notification feature and establish the rising and falling percentage threshold values, use the process cpu threshold Global configuration command. Use the no form to disable this feature.
process cpu threshold rising percentage interval seconds [ falling percentage interval seconds ]
no process cpu threshold [ rising percentage interval seconds | falling percentage interval seconds
Syntax Description
Defaults
Command Modes
Command History
|
|
|
|---|---|
Usage Guidelines
The CPU Threshold Notification feature notifies users by generating a SNMP trap message when a predefined threshold of CPU usage is crossed. Two types of CPU utilization threshold are supported: rising threshold and falling threshold. A rising CPU utilization threshold specifies the percentage of CPU resources that, when exceeded for a configured period of time, triggers the cpmCPURisingThreshold notification. Similarly, a falling CPU utilization threshold specifies the percentage of CPU resources that, when CPU usage falls below this level for a configured period of time, triggers cpmCPUFallingThreshold notification.
Examples
The following example shows how to set a rising CPU threshold notification for total CPU utilization. When total CPU utilization exceeds 95 percent for a period of 5 seconds or longer, a rising threshold notification is sent.
memory free low watermark processor
To configure the memory threshold that generates a syslog when free memory falls below the configured value, use the memory free low watermark processor command. Use the no form to disable this function.
memory free low watermark processor threshold
no memory free low watermark processor threshold
Syntax Description
Specifies the memory threshold. When free memory falls below the configured value a syslog is generated. The free memory threshold value can range from 1024KB to1996000KB. |
Defaults
Command Modes
Command History
|
|
|
|---|---|
Examples
The following example specifies a threshold of 10000 KB of free processor memory before a low-memory syslog is generated:
Once the available free memory rises to above 5 percent of the threshold (1.05 x 10000 in the above example), another message is generated that indicates that the free memory has recovered.
show crypto blacklist file
To list all of the current blacklisted IKE IDs, use the show crypto blacklist file command in EXEC mode.
Syntax Description
Defaults
Command Modes
Command History
|
|
|
|---|---|
Usage Guidelines
Use the show crypto blacklist file command to view the current blacklisted IDs.
Examples
Here is example show output for the show crypto blacklist file command:
show crypto blacklist stats
To display the number of IDs in a blacklist, and the number of tunnel setup attempts blocked due to blacklisting, use the show crypto blacklist stats command in EXEC mode.
Syntax Description
Defaults
Command Modes
Command History
|
|
|
|---|---|
Usage Guidelines
Use the show crypto blacklist stats command to display the number of IDs in a blacklist, and the number of tunnel setup attempts blocked due to blacklisting.
Examples
Here is example show output for the show crypto blacklist stats command:
show crypto cmp request
To display the current status of pending CMPv2 request, use the show crypto cmp request command in EXEC mode. The output also indicates if no request is pending.
Syntax Description
Defaults
Command Modes
Command History
|
|
|
|---|---|
Usage Guidelines
Use the show crypto cmp request command to display the current status of pending CMPv2 request. This is the pending request that will be polled by the crypto cmp poll command. If an update and an initialize or enroll request is pending, only the pending update request is displayed.
Examples
Here is example output for the show crypto cmp request command:
show crypto dhcp
To display DHCP address allocation statistics, use the show crypto dhcp command in EXEC mode.
Syntax Description
Defaults
Command Modes
Command History
|
|
|
|---|---|
Usage Guidelines
Use the show crypto dhcp command to view DHCP address allocation statistics.
Examples
Here is an example of crypto DHCP statistics after tunnel set-up and tear-down:
show crypto ipsec info
To display IPSec parameters for all configured profiles, use the show crypto ipsec info command in EXEC mode.
show crypto ipsec info [profile_name]
Syntax Description
Defaults
Command Modes
Command History
|
|
|
|---|---|
Usage Guidelines
Use the show crypto ipsec info command to view IPSec parameters configured for all the profiles.
Examples
This example shows how to view configured IPSec parameters:
show crypto ipsec summary
To display all global IPSec statistics, use the show crypto ipsec summary command in EXEC mode.
show crypto ipsec summary {fast-path | slow-path}
Syntax Description
For global fast path statistics. Applicable to the entire card. |
|
Defaults
Command Modes
Command History
|
|
|
|---|---|
Usage Guidelines
Use the show crypto ipsec summary command to view all global IPSec statistics.
Table 3-1 lists the Field description for IPSec fast-path Stats:
Table 3-1 Field Descriptions for IPSec fast-path Stats
Examples
This example shows how to view all global IPSec statistics:
show crypto ipsec sa
To show a list of all SAs on the WSG, use the show crypto ipsec sa command in EXEC mode.
show crypto ipsec sa [remote-ip remote_ipv4_address mask remote_ipv4_mask]
[remote-ip remote_ipv6_address ipv6-prefix ipv6_prefix_length] [remote-host remote_host] [vrf-local vrf_name]
Syntax Description
Defaults
Command Modes
Command History
|
|
|
|---|---|
Added hostname in reverse DNS lookup feature for IKE peer support. |
Usage Guidelines
Use the show crypto ipsec sa command to view all SAs on the WSG.
Examples
This example shows how to view all SAs on the WSG:
This example shows how to view information on a specific SA:
show crypto ipsec sa spi-in
To show information on a specific SA on the WSG, use the show crypto ipsec sa spi-in command in EXEC mode.
show crypto ipsec sa spi-in inbound_spi
Syntax Description
Command Default
Command Modes
Command History
|
|
|
|---|---|
Usage Guidelines
Use the show crypto ipsec sa spi-in command to view information on a specific SA.
Examples
This example shows how to view information on a specific SA:
show crypto isakmp info
To show IKE parameters, use the show crypto isakmp info command in EXEC mode.
Syntax Description
Defaults
Command Modes
Command History
|
|
|
|---|---|
Usage Guidelines
Use the show crypto isakmp info command to view configured IKE parameters.
Examples
This example shows how to view configured IKE parameters:
show crypto isakmp sa
To show IKE SA information and statistics, use the show crypto isakmp sa command in EXEC mode.
show crypto isakmp sa [remote-ip remote_ipv4_address mask remote_ipv4_mask]
[remote-ip remote_ipv6_address ipv6-prefix ipv6_prefix_length] [remote-host remote_host] [vrf-local vrf_name]
Syntax Description
Defaults
Command Modes
Command History
|
|
|
|---|---|
Added hostname in reverse DNS lookup feature for IKE peer support. |
Usage Guidelines
Use the show crypto isakmp sa command to view IKE SA information and statistics.
Examples
This example shows how to view IKE SA information and statistics:
This example shows how to view information on a specific SA by IP or hostname:
show crypto isakmp summary
To show all global IKE statistics, use the show crypto isakmp summary command in EXEC mode.
Syntax Description
Command Default
Command Modes
Command History
|
|
|
|---|---|
The output of this command was modified with new information. |
Usage Guidelines
Use the show crypto isakmp summary command to view all global IKE statistics.
Examples
This example shows how to view all global ISAKMP statistics:
show crypto pki certificate
To display the certificate information, use the show crypto pki certificate command in EXEC mode.
show crypto pki certificate certificate
Syntax Description
| Note This is a show command and does not affect the running configuration. |
|
Defaults
Command Modes
Command History
|
|
|
|---|---|
Examples
This example shows how to configure the show crypto pki certificate command:
show crypto radius statistics
To display the count of different RADIUS messages sent and received, as well as the RADIUS timeout and retry counters, use the show crypto radius statistics command in EXEC mode.
Syntax Description
Command Default
Command Modes
Command History
|
|
|
|---|---|
Usage Guidelines
Use the crypto radius statistics command to display the count of different RADIUS messages sent and received, as well as the RADIUS timeout and retry counters.
Examples
Here is sample output for the show crypto radius statistics command:
show crypto throughput
To display the throughput data for the last calculated 5 minute interval on the WSG, use the show crypto throughput command in EXEC mode.
Syntax Description
Command Default
Command Modes
Command History
|
|
|
|---|---|
Usage Guidelines
Use the show crypto throughput command to display throughput data for the last calculated 5 minute interval on the WSG.
Examples
Here is a sample output for the show crypto throughput command:
show crypto throughput ixp
Displays the throughput data for packets to/from Nitrox and the average throughput utilization for the last calculated interval on WSG for each IXP. IXP0 display also shows the packet data punted to IXP1.
show crypto throughput ixp <1/2>
Syntax Description
Command Default
Command Modes
Command History
|
|
|
|---|---|
Usage Guidelines
Use the show crypto throughput ixp command to display throughput data for the last calculated 5 minute interval on the WSG.
Examples
Here are the sample outputs for the show crypto throughput ixp <1/2> command:
show crypto throughput distribution history
To display the number of intervals the throughput fell in a certain bucket range with each Interval being 5 minutes, use the show crypto throughput distribution history command in EXEC mode.
show crypto throughput distribution history
Syntax Description
Defaults
Command Modes
Command History
|
|
|
|---|---|
This command was introduced as the crypto throughput distribution history command. |
Usage Guidelines
Use the show crypto throughput distribution history command display the history of throughput.
Examples
Here is a sample output for the show crypto throughput distribution history command:
show crypto throughput distribution history ixp
To display the number of intervals the throughput fell in a certain bucket range for each IXP, with each Interval being 5 minutes, use the show crypto throughput distribution history ixp <1/2> command in EXEC mode.
show crypto throughput distribution history ixp <1/2>
Syntax Description
Defaults
Command Modes
Command History
|
|
|
|---|---|
Usage Guidelines
Use the show crypto throughput distribution history ixp command to display the history of throughput.
Examples
Here are the sample outputs for the show crypto throughput distribution history ixp commands:
show crypto throughput history
To display the history of throughput in Mbp/s and Packets/s from 3 hours, 1 day to 1 week history, use the show crypto throughput history command in EXEC mode.
show crypto throughput history interval interval type
Syntax Description
Type of unit value to display the throughput. Valid values are: |
Defaults
Command Modes
Command History
|
|
|
|---|---|
This command was introduced as the crypto throughput history command. |
Usage Guidelines
Use the show crypto throughput history command to display the history of throughput.
Examples
Here are the sample outputs for the show crypto throughput history commands:
show crypto throughput history ixp
To display the history of throughput in Mbp/s and Packets/s separately for each IXP, use the show crypto throughput history command in EXEC mode.
show crypto throughput history interval interval type ixp <1/2>
Syntax Description
Defaults
Command Modes
Command History
|
|
|
|---|---|
Usage Guidelines
Use the show crypto throughput history interval interval type ixp command to display the history of throughput.
Examples
Here is a sample output for the show crypto throughput history interval interval type ixp command:
show debug crypto
To view crypto debug information on the WSG, use the show debug crypto command in EXEC mode.
Syntax Description
Command Default
Command Modes
Command History
|
|
|
|---|---|
Usage Guidelines
Use the show debug crypto command to view crypto debug information.
Note The show debug command does not show the debugs related to the crypto module.
Examples
This example shows how to configure the show debug crypto command:
show ha info
To display the configuration, states, and statistics of the local node and its peer, use the show ha info command in EXEC mode.
show ha info [ brief | detail ]
Syntax Description
Display includes extra information about the cluster and the node names. |
Defaults
Command Modes
Command History
|
|
|
|---|---|
Examples
The show ha info command shows the configuration, states, and statistics of the local node and its peer:
Redundancy mode (configured) : active-standby
Bulk Sync done : Thu Sep 15 01:24:36 2011
The show ha info brief command shows the configuration and the state of the local node:
The show ha info detail command includes extra information about the cluster and node names:
Redundancy mode (configured) : active-standby
show hosts
To display the hosts on a PPC, use the show hosts command in EXEC mode.
Syntax Description
Defaults
Command Modes
Command History
|
|
|
|---|---|
Usage Guidelines
The show hosts command lists the name servers and their corresponding IP addresses. It also lists the hostnames, their corresponding IP addresses, and their corresponding aliases (if applicable) in a host table summary.
Examples
To display a list of hosts on a PPC, enter:
show icmp6 statistics
To display the ICMP6 statistics, use the show icmp6 statistics command in EXEC mode.
Syntax Description
Defaults
Command Modes
Command History
|
|
|
|---|---|
Usage Guidelines
Examples
This example shows how to enable the show icmp6 statistics command:
show interface
To display interface information, use the show interface command in EXEC mode.
show interface [ vlan number ]
Syntax Description
Defaults
Command Modes
Command History
|
|
|
|---|---|
Usage Guidelines
To display all of the interface statistical information, enter the show interface command without using the optional vlan keyword.
Examples
To display all of the interface statistical information, enter:
To display the details, statistics, or IP information for all or a specified VLAN interface (51 in this example), enter:
show interface internal iftable
To display internal iftable statistics, use the show interface internal iftable command in EXEC mode.
show interface internal iftable
Syntax Description
Defaults
Command Modes
Command History
|
|
|
|---|---|
Usage Guidelines
Examples
This example shows how to enable the show interface internal iftable command:
show ip bgp
To display general information about bgp routing processes, use the show ip bgp command in EXEC mode.
Syntax Description
Defaults
Command Modes
Command History
|
|
|
|---|---|
Examples
Here is an example to display BGP-related information:
show ip interface brief
To display a brief configuration and status summary of all interfaces or a specified VLAN, enter:
show ip interface brief [ vlan number ]
Syntax Description
Defaults
Command Modes
Command History
|
|
|
|---|---|
Usage Guidelines
Use the show ip interface brief command to display a brief configuration and status summary of all the interfaces or a specified VLAN.
Examples
To display a brief configuration and status summary of all the interfaces, enter:
show ip route
To display the IPv4 destination routes, use the show ip route command in EXEC mode.
Syntax Description
Defaults
Command Modes
Command History
|
|
|
|---|---|
Usage Guidelines
Examples
This example shows how to display the IPv4 destination routes:
show ip route np
To display the IPv4 routes configured on the Network Processor, use the show ip route np command in EXEC mode.
Syntax Description
Defaults
Command Modes
Command History
|
|
|
|---|---|
Usage Guidelines
Examples
This example shows how to display the IPv4 routes configured on the Network Processor:
show ip ssh
To display the SSH information, use the show ip ssh command in EXEC mode.
Syntax Description
Defaults
Command Modes
Command History
|
|
|
|---|---|
Usage Guidelines
Examples
This example shows how to display the SSH information:
show ipv6 neighbors
To display information about IPv6 neighbors, use the show ipv6 neighbors command in EXEC mode.
Syntax Description
Defaults
Command Modes
Command History
|
|
|
|---|---|
Usage Guidelines
Examples
This example displays the output of the show ipv6 neighbors command:
show ipv6 route
To display the IPv6 destination route, use the show ipv6 route command in EXEC mode.
Syntax Description
Defaults
Command Modes
Command History
|
|
|
|---|---|
Usage Guidelines
Examples
This example displays the output of the show ipv6 route command:
show ipv6 route np
To display the IPv6 routes configured on the Network Processor, use the show ipv6 route np command in EXEC mode.
Syntax Description
Defaults
Command Modes
Command History
|
|
|
|---|---|
Usage Guidelines
Examples
This example shows how to display the IPv6 routes configured on the Network Processor:
show ip vrf
To display all VRFs in the system, use the show ip vrf command. To display a specific VRF, use the show ip vrf vrf_name command.
Syntax Description
Defaults
Command Modes
Command History
|
|
|
|---|---|
Usage Guidelines
To display all VRFs in the system, use the show ip vrf command.
Examples
The following is an example of how to display all VRFs in the system:
member devices: eth0 lo dummy0 tunl0 sit0 ip6tnl0 eth0.70 eth0.32 eth0.72
vrf: id - 2, name - insideBlue
vrf: id - 3, name - outsideRed
vrf: id - 4, name - outsideBlue
The following is an example of how to display the specific VRF named insideRed:
show logging
To display the current syslog configuration and syslog messages, use the show logging command.
show logging { config [ | ] [ > ] | message { all cpuid cpu-id | module mod-id }}
Syntax Description
Defaults
Command Modes
Command History
|
|
|
|---|---|
Usage Guidelines
To enable system logging, use the logging configuration command. The show logging command lists the current syslog messages and identifies which logging command options are enabled.
Prior to WSG Release 3.1, syslog messages display the CPU ID as the name of the source host where messages originated from. The enhancement in WSG Release 3.1 adds the configured hostname along with the CPU ID to the syslog in order to make management easier.
Examples
To display the syslog configuration, enter:
snmp-server enable traps ipsec
To enable SNMP IPSec traps, use the snmp-server enable trap ipsec global configuration command. To disable traps, use the no form of this command.
snmp-server enable traps ipsec [address-pool-exhaust | too-many-sas | tunnel {start | stop} | cert-expiry | cert-renewal | throughput-threshold]
no snmp-server enable traps ipsec [address-pool-exhaust | too-many-sas | tunnel {start | stop} | cert-expiry | cert-renewal | throughput-threshold]
Syntax Description
Defaults
Command Modes
Command History
|
|
|
|---|---|
Usage Guidelines
Use the snmp-server enable traps ipsec command to enable SNMP IPSec traps.
Examples
Here is an example showing how to enable all SNMP IPSec traps:
snmp-server host
To specify the hosts to receive SNMP notifications, use the snmp-server host global configuration command. Use the no form of the command to disable this functionality.
snmp-server host A.B.C.D | X:X:X::X
Syntax Description
Defaults
Command Modes
Command History
|
|
|
|---|---|
Examples
This example shows how to enable the snmp-server host command:
wsg(config)# snmp-server host ?
<A.B.C.D>|<X:X:X::X> Enter an IP address
wsg(config)# snmp-server host 44.44.44.16 traps version 2c public
wsg(config)# snmp-server host 2001:88:88:94::1 traps version 2c public
Debug Commands
This section lists the debug commands for the WSG. Please be aware of the following cautions and restrictions:
Be sure to turn on debugs from within a telnet session and not a console session.
Be sure to deactivate session-timeout on the PPC debug terminal.
Ensure that you turn off debugs before you exit a terminal session. If you exit a terminal session that has debugs on, be sure to turn off the debugs from the console before opening a new PPC terminal session
Note Debugs are activated on a per-terminal basis. You must turn off debugs from the same terminal you turned them on for them to be deactivated.
Note Turning debugs off from a different terminal will deactivate the application debugs, but it will not deactivate the internal debugging flags.
debug crypto
To enable debugging for various crypto parameters, use the debug crypto command in EXEC mode.
Use the no form of the command to disable debugging.
debug crypto { config | snmp | stats | dhcp | eap | engine | fastapi | ha | ike | pki | policy }
{ errors | events } [ trace ]
no debug crypto { config | snmp | stats | dhcp | eap | engine | fastapi | ha | ike | pki | policy }
{ errors | events } [ trace ]
Syntax Description
| Debug crypto SNMP configuration. Debug crypto statistics configuration. |
|
Defaults
Command Modes
Command History
|
|
|
|---|---|
Added eap, engine, fastapi, ha, ike, pki, and policy options. |
Examples
This example displays how to use the debug crypto ike events command:
debug crypto ike remote-ip
To enable debugging of tunnel setup and IKE protocol exchanges by peer IP address, use the
debug crypto ike remote-ip command in EXEC mode. Use the no form of the command to disable crypto IKE debugging.
debug crypto ike remote-ip ip_address {netmask netmask | ipv6_prefix prefix} [vrf vrf_name] {errors | events | info | verbose } [ trace ]
no debug crypto ike remote-ip ip_address {netmask netmask | ipv6_prefix prefix} [vrf vrf_name] {errors | events | info | verbose } [ trace ]
Syntax Description
Debug tunnel exchange failures. Debug tunnel establishment and removal. Debug tunnel initiation and short decodes. |
Defaults
Command Modes
Command History
|
|
|
|---|---|
Usage Guidelines
The debug crypto ike remote-ip command requires at least one active profile.
You can configure up to 4 tunnel sets.
|
|
|
|
|---|---|---|
IKE exchange initiation, successful completions, |
||
Examples
This example shows the use of the debug crypto ike remote-ip command:
Feedback