The following sections provide details about WSG commands.
Commands appear in the submodes under which you enter them.
To set up a local IPSec address pool from which to assign addresses to an endpoint during the SA establishment, use the start-ip command. To remove the address pool range configuration, use the no form of the command.
start-ip start-ip-address end-ip end-ip-address netmask netmask ipv6-prefix prefix
no start-ip start-ip-address end-ip end-ip-address netmask netmask ipv6-prefix prefix
Note To modify the pool range, you need to delete an address range and add a new one.
start-ip-address: First IP address in the address pool range. The format is either A.B.C.D or X:X:X::X.
end-ip-address: Last IP address in the address pool range. The format is either A.B.C.D or X:X:X::X.
Command history: This command was introduced as the ipsec address-pool command. IPv6 support was added, and the ipv6-prefix keyword was added.
Use the start-ip command to set up a local address pool from which to assign addresses to an endpoint.
The WSG keeps a pool of private addresses from the protected network. When the WSG receives an endpoint SA with an internal IP address request, it assigns an unused address from the address pool. The address does not expire as long as the SA is up. When the SA is removed, the address is released to the local pool.
This example shows how to set up an address pool name:
To specify the DNS server that is passed to the access point (the remote endpoint) when it requests a DNS server during IKE negotiation, use the dns-server command in crypto-profile submode. Use the no form of the command to disable this feature.
ip_address: The DNS server IP address that the WSG gives to the endpoint when requested. The format is either A.B.C.D or X:X:X::X.
If the DNS server name is not required to be sent to the remote access point, this command is not required.
In WSG Release 3.0, the dns-server command is modified to accept both IPv4 and IPv6 addresses for the server configuration.
This example shows how to enable the dns-server command:
Enter configuration commands, one per line. End with CNTL/Z.
WSG(config)# crypto address-pool foo
WSG(config-address-pool)# dns-server ?
WSG(config-address-pool)# dns-server 172.20.10.1
To activate a profile, use the activate command. To deactivate a profile, use the no form of the command.
Note The profile must be active to establish tunnels/SAs.
This example shows how to activate a profile using the activate command:
To enter the IPSec submode, use the ipsec command in crypto profile submode. Use the no form of the command, or exit, to leave the IPSec submode.
To enter the ISAKMP submode, use the isakmp command under the crypto profile submode.
Use the no form of the command or exit to exit the ISAKMP submode.
This example shows how to enter the ISAKMP submode:
To specify the type of each profile created by the user, use the profile-type command in crypto profile submode. Use the no form of the command to disable this feature.
profile-type {remote-access | site-to-site}
no profile-type {remote-access | site-to-site}
A crypto profile can be either remote-access type or site-to-site type. The profile-type command specifies the type of each profile that you create. If the type is not specified, the default is remote-access.
Only one remote-access profile can be active.
Multiple site-to-site profiles can be active.
You should take special care to configure the proper access-permit command that corresponds to the profile type used, as described in the access-permit command.
This example illustrates the default setting:
WSG(config)# crypto profile One
WSG(config-crypto-profile)# profile-type ?
To add an inside VRF, use the vrf-inside command in the IPSec submode of a profile. To remove a VRF, use the no form of the command, including the specific vrf_name.
By default, the inner IP addresses of a profile belong to a VRF, which is VRF_GLOBAL (VRF_NAME = global). In order to associate the inner IP addresses with a specific VRF, use the vrf-inside vrf_name command. To remove an inside VRF, use the no vrf-inside vrf_name command.
This example shows how to add an inside VRF using the vrf-inside command:
To add an outside VRF, use the vrf-outside command in the ISAKMP submode of a profile. To remove a VRF, use the no form of the command, including the specific vrf_name.
By default, the outer IP addresses of a profile belong to a VRF, which is VRF_GLOBAL (VRF_NAME = global). In order to associate the outer IP addresses with a specific VRF, use the vrf-outside vrf_name command.
This example shows how to add an outside VRF using the vrf-outside command:
To clear a pending CA request generated by this WSG, use the clear crypto cmp command in privileged EXEC mode.
The clear crypto cmp command clears a pending CA request generated by this WSG. This allows you to make another CA request before the previous CA request is honored. No cancellation is sent to the CA server; only the state of the pending request on the WSG is cleared.
Note The clear crypto cmp command will not clear auto-update requests.
To clear all tunnels and security associations, use the clear crypto ipsec sa command in privileged EXEC mode.
clear crypto ipsec sa [ A.B.C.D | X:X:X::X ] [ vrf vrf_name ]
clear crypto ipsec sa [ profile_name ]
Here is an example of the clear crypto ipsec sa command:
To delete all IKE and IPSec security associations with a remote ID, use the clear crypto isakmp sa remote-id command in privileged EXEC mode.
clear crypto isakmp sa remote-id {dn | email | fqdn | ip}
Here is an example of the clear crypto isakmp sa remote-id command:
To delete the crypto RRI IP address, use the clear crypto rri command in privileged EXEC mode.
A.B.C.D | X:X:X::X: The IPv4 or IPv6 address. The format is either A.B.C.D or X:X:X::X.
Here is an example of the clear crypto rri command:
To delete the crypto throughput counters, use the clear crypto throughput counters command in privileged EXEC mode.
clear crypto throughput counters
Here is an example of the clear crypto throughput counters command:
To copy files and running configurations to and from the SUP, use the copy-sup command in privileged EXEC mode.
You can run the copy-sup command in single-entity mode.
If the source file is the running-config or a file from one of the following PPC filesystems:
Then the destination file is a file at one of the following SUP filesystems:
bootdisk-sup:
bootflash-sup:
disk0-sup:
If the source file is a file from one of the following SUP filesystems:
bootdisk-sup:
bootflash-sup:
disk0-sup:
Then the destination file can be the running-config or a file at one of the following PPC filesystems:
This command attaches the slot#ppc# tag for either entity all or entity none modes (for example, SLOT3SAMIC3_) to the front of the file name saved at the SUPs. The command also attaches the “.cfg” tag to the end of the file name when you save the running configuration file to the SUPs.
You do not need to type in the tags when you specify the source or destination file names for copy-sup. The tags are automatically generated by the command.
The directory names used by this command that refer to the SUP filesystems are:
Here are examples of the copy-sup command:
A file at the PPC can be copied to the SUP's disk0, bootflash (or bootdisk) directory:
If the remote filename is not specified, this command will prompt you for the remote file name to be used on the SUP.
The following file on the SUP is created as the result of the above command:
The following example files are created on the SUP:
Here are examples of the copy-sup command used to copy running configurations to the SUP:
If the remote filename is not specified, this command prompts you for the remote file name to be used on the SUP. The configuration files at the SUP have the “.cfg.” attached.
The following file is created on the SUP as the result of the previous command (for example, the command is entered from slot#3/ppc#5):
The following files are created on the SUP as the result of the previous command:
Here are examples of the copy-sup command used to copy files from the SUP:
If the remote or local file names are not specified, this command prompts you for the local and remote file names to be copied.
The following file from the SUP is copied as the result of the previous command:
The following file from the SUP is copied as the result of the above command:
Here are examples of the copy-sup command used to copy running configuration files from the SUP:
If the remote file name is not specified, this command will prompt the user for the remote config file name to be copied.
As the result of issuing the previous command, the following file from the SUP is copied (for example, the command is entered from slot#3/ppc#5), and the current running configuration is replaced with it:
The following files from the SUP are copied as the result of the above command:
The running configuration of each of the PPCs is replaced by the corresponding file.
To allow an IPv6 address to be specified as the source or destination IP address in a copy configuration, use the copy tftp command in privileged EXEC mode.
Here is an example of the copy tftp command:
To recopy the blacklist file from the SUP disk and inform the WSG IKE stack about the update, use the crypto blacklist file resync command in privileged EXEC mode.
If you need to update the blacklist entries, follow this procedure:
Execute the crypto blacklist file resync command on the WSG. The WSG copies the updated file from the SUP disk to its ramdisk, and informs the IKE stack about the updated file. The IKE stack now uses the new blacklist file.
The following example shows how to resync the blacklist file:
To generate an enroll certificate request to the CA server using the public key, use the crypto cmp enroll command in privileged EXEC mode.
crypto cmp enroll current-wsg-cert wsg_certificate current-wsg-private-key wsg_privatekey modulus modulus id-type id-type id id subject-name subject_string ca-root root_certificate ca-url url [ pop ]
You provide the existing WSG certificate and private key as input parameters to the CLI. The filenames for the new private key and certificate files are automatically generated by the system. This request is similar to initialize, except that it is authenticated using public-key methods.
Note In WSG Release 4.0 and below, the subject_string cannot include spaces.
Here is an example of the crypto cmp enroll command:
WSG# crypto cmp enroll current-wsg-cert wsg.crt current-wsg-private-key wsg.prv
modulus 1024 id-type fqdn id wsg.cisco.com subject-name "C=US,O=Cisco,OU=Security,CN=Example" ca-root root-ca.crt ca-url http://212.246.144.35:8700/pkix/
To configure the WSG to generate a private key and make an initialize request to the CA server using CMPv2, use the crypto cmp initialize command in privileged EXEC mode.
crypto cmp initialize modulus modulus id-type id-type id id subject-name subject_string ca-psk reference-number:key ca-root root_certificate ca-url url
The request is authenticated using the reference number and corresponding PSK received from the CA. The data you input will be stored in a database that is synchronized between the active and standby SUPs. The initialize_config.txt file that has the init parameters is stored on the PPC /app/segw/initialize_config.txt.
Note In WSG Release 4.0 and below, the subject_string cannot include spaces.
Here is an example of the crypto cmp initialize command:
Router# crypto cmp initialize modulus 1024 id-type fqdn id wsg.cisco.com subject-name "C=US,O=Cisco,OU=Security,CN=Example" ca-psk 32438:this_is_very_secret ca-root root-ca.crt ca-url http://212.246.144.35:8700/pkix/
To configure the WSG to poll the CA server for the availability of the pending certificate request (update, enroll, or initialize), use the crypto cmp poll command in privileged EXEC mode.
Use the show crypto cmp request command to see the pending request that will be polled.
Here is an example of the crypto cmp poll command:
To send an update request to the CA server using CMPv2 to update the existing WSG certificate, use the crypto cmp update command in privileged EXEC mode.
crypto cmp update current-wsg-cert wsg_certificate current-wsg-private-key wsg_privatekey ca-root root_certificate ca-url url
You provide the existing WSG certificate and private key as input parameters to the CLI. The filenames for the new private key and the certificate files are automatically generated by the system.
Note If you issue this command to update a certificate that has been configured for auto-update or retrieval, a notice is displayed. This is not an error, just a notification. A manual update changes the certificate and private key filenames. If you perform auto-update or retrieval using the new certificate and private key files, the auto-update and renewal must be reconfigured on all the active PPCs.
Here is an example of the crypto cmp update command:
To generate an RSA key pair and Certificate Signing Request (CSR), use the crypto rsa-keygen command in privileged EXEC mode.
crypto rsa-keygen modulus modulus_value id-type id-type id id subject-name subject-name
Command history: This command was introduced as the ipsec rsa-keygen command.
RSA key pairs sign, encrypt, and decrypt. To obtain a certificate from a CA, you first need a CSR.
1. The crypto rsa-keygen command makes a private key (segwSLOTxSAMIx.prv) and a CSR (segw-pem.csr) based on the CSR parameters you enter.
2. The private key file is copied to the SUP engine bootflash or bootdisk, depending on which is available. The default filename for the private key is segwSLOTxSAMIx.prv, where x is a slot and processor number that may vary. An example would be segwSLOT3SAMI6.prv.
3. The public key, the second key of the key pair, is embedded in the CSR. The default filename for the certificate request is segw-pem.csr.
Note If all WSGs on a SAMI must share the same certificate, use the crypto rsa-keygen command one time on one WSG. If the WSGs must use separate certificates, use the crypto rsa-keygen command on each WSG on the SAMI.
This example shows how to generate an RSA key pair and CSR for a client:
To configure the SSH username, use the username configuration command. Use the no form of the command to unconfigure a user.
username name_of_user password 0 unencrypted_password
username name_of_user password 5 encrypted_password
The first variant of the command takes an unencrypted password and subsequently encrypts it. When it is next displayed using the show running-configuration command, it will display the encrypted version.
The second variant requires an encrypted password, and is used mainly to transfer a login/password to a different card. Unencrypted passwords will never be displayed.
The no variant does not require the password.
The maximum length for the username is 32 characters. The maximum length for the unencrypted password is also 32 characters. The maximum permissible length for the encrypted password is 64 characters. Permitted characters for all of the above fields are standard alphanumeric characters with the exception of “]”, “?”, “$”, TAB, and spaces.
Here is an example of the username command:
To configure the alias IP address for a VLAN on both the active and standby, use the alias command in interface configuration submode. Use the no form of the command to remove the alias.
ip_address netmask: Specifies the alias IP address and its subnet netmask for a VLAN.
Command mode: Interface configuration submode
The alias IP address is configured for a VLAN on both the active and standby. FAP/HNB uses the alias IP address instead of the active IP address. When a switchover or failover occurs, the newly-active node starts receiving traffic destined to this alias IP address.
The following examples show how to configure the alias IP address on 2 PPCs:
To set up a local IPSec address pool from which to assign addresses to an endpoint during the SA creation, or to add an address pool, use the crypto address-pool command. To remove the address pool, use the no form of the command.
crypto address-pool pool_name [ start-ip start-ip end-ip end-ip < netmask | ipv6-prefix > netmask | dns-server ip_address | do | end | exit | no ]
no crypto address-pool pool_name
Note Address pool configuration changes take effect only after a no activate -> activate command sequence.
dns-server ip_address: The IPv4 or IPv6 DNS server address. The format is either A.B.C.D or X:X:X::X.
Command history: This command was introduced as the ipsec address-pool command. The command was modified to include IPv4 and IPv6 IP addresses and subnets.
Use the crypto address-pool command to change an address pool.
In WSG Release 3.0, the command is modified to accept both IPv4 (A.B.C.D) and IPv6 (X:X:X::X) addresses with the subnet in netmask and prefix format.
Additionally, the dns-server ip_address was modified to accept IPv6 addresses.
This example shows how to add an IPv6 address pool named foo:
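As an added example that is not taken from the original reference, the following session builds on the syntax above to define an IPv4 pool and an IPv6 pool, replace a range (ranges are deleted and re-added, not edited), and bounce the profile so the pool change takes effect. Pool and profile names, addresses, the prefix length format, and the binding of the pool to profile One are assumptions; the page does not show the binding command.

```cisco
! Added example, not from the original reference. Names and addresses are
! constructed; "ipv6-prefix 64" and the pool-to-profile binding are assumed.
WSG# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
! IPv4 pool: one contiguous range plus the DNS server handed to endpoints
WSG(config)# crypto address-pool pool1
WSG(config-address-pool)# start-ip 10.1.1.1 end-ip 10.1.1.254 netmask 255.255.255.0
WSG(config-address-pool)# dns-server 172.20.10.1
WSG(config-address-pool)# exit
! IPv6 pool: same shape, with ipv6-prefix in place of netmask
WSG(config)# crypto address-pool pool6
WSG(config-address-pool)# start-ip 2001:db8:1::1 end-ip 2001:db8:1::ffff ipv6-prefix 64
WSG(config-address-pool)# dns-server 2001:db8:2::53
WSG(config-address-pool)# exit
! Shrink the IPv4 range: delete the old range, then add the new one
WSG(config)# crypto address-pool pool1
WSG(config-address-pool)# no start-ip 10.1.1.1 end-ip 10.1.1.254 netmask 255.255.255.0
WSG(config-address-pool)# start-ip 10.1.1.1 end-ip 10.1.1.100 netmask 255.255.255.0
WSG(config-address-pool)# exit
! Pool changes take effect only after no activate -> activate on the profile
WSG(config)# crypto profile One
WSG(config-crypto-profile)# no activate
WSG(config-crypto-profile)# activate
```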
To configure the blacklist filename on the WSG, use the crypto blacklist file global configuration command. Use the no form of the command to disable the blacklisting feature.
crypto blacklist file filename
no crypto blacklist file filename
filename: File of IKE IDs that are to be blacklisted. The blacklist file must be present on the SUP disk before this configuration is done. If the file is not present on the SUP, the configuration fails.
You must edit the blacklist file outside of the Cisco 7600 chassis, and copy it to the SUP bootflash or SUP bootdisk. Initially, you should configure the WSG with the filename of the blacklist file. During this configuration, the blacklist file is internally rcp-ed from the SUP disk to the WSG ram disk, and the IKE stack is informed of the location of the file. The IKE stack performs blacklisting based on the entries in the file. If you need to update the blacklist entries, follow this procedure:
Execute the crypto blacklist file resync command on the WSG. The WSG copies the updated file from the SUP disk to its ramdisk, and informs the IKE stack about the updated file. The IKE stack now uses the new blacklist file.
The following examples show how to configure the blacklisting feature on the WSG:
To specify the parameters for copying renewed certificate files from the SUP, use the crypto cert renewal global configuration command. To disable this feature, use the no form of the command to remove all certificate entries configured for renewal retrieve.
crypto cert renewal retrieve current-wsg-cert cert_file current-wsg-private-key pvk_file time time
no crypto cert renewal retrieve current-wsg-cert cert_file current-wsg-private-key pvk_file
cert_file: Name of the CMP certificate file to update, ending with .crt.
time: Time in days to start automatic renewal before the certificate expires. The range is 2 to 60 days. We suggest a minimum value of 8 days.
This feature is enabled as long as there is at least one certificate configured for renewal retrieve. To disable this feature, use the no form of the command to remove all certificate entries configured for renewal retrieve.
Note If a manual update of the certificate and private key file is performed using the crypto cmp update EXEC mode command, use the crypto cert renewal retrieve command to remove the old certificate filename and add the updated certificate filename.
Here is an example of the crypto cert renewal retrieve command:
To set the number of punt entries programmed into the traffic distribution hash table in IXP0, based on the current percentage of total traffic that is clear (unencrypted), use the crypto clear-traffic load command. Use the no form of the command to remove the clear-traffic load distribution; this sets the default load to 50%.
crypto clear-traffic load <50%-100%>
50%-100%: Percentage of clear traffic load on IXP0. At 50%, IXP0 is handling 50% of total incoming traffic and no punt entries are programmed.
Here is an example of the crypto clear-traffic load command:
If clear traffic is 60% and ESP traffic is 40%, the command to use is:
To set the traffic distribution hash table in IXP0 either with sequential punt entries or random punt entries, use the crypto clear-traffic switch-distribution-scheme command. Use the no form of the command to switch to the default distribution scheme.
crypto clear-traffic switch-distribution-scheme <1/2>
no crypto clear-traffic switch-distribution-scheme
Here is an example of the crypto clear-traffic switch-distribution-scheme command:
To provide the information necessary to automatically renew an enrolled CMP certificate, and to copy the updated certificate files to the SUP, use the crypto cmp auto-update global configuration command. Use the no form of the command to disable this feature.
crypto cmp auto-update current-wsg-cert cert_file current-wsg-private-key pvk_file ca-root ca_file ca-url url time time [ key-reuse ]
no crypto cmp auto-update current-wsg-cert cert_file current-wsg-private-key pvk_file ca-root ca_file ca-url url time time
This feature is enabled as long as there is at least one certificate configured for auto-update. To disable this feature, use the no form of the command to remove all certificate entries configured for auto-update.
Note If the CA is unreachable, the WSG will try 3 times with an hour wait between each attempt. The renewal notification trap is sent when the renewal is initiated and when it succeeds or fails. If it fails, the operator will need to correct the problem and manually update the certificate. If the CA acknowledges receiving the request but does not issue the renewed certificate, the WSG will poll for the certificate 10 times with an hour (or the CA provided time) between each poll. The renewal notification trap is sent with the status, and if the status is failed, the operator will need to manually renew the certificate.
Note If a manual update of the certificate and private key file is performed using the crypto cmp update EXEC mode command, use the crypto cmp auto-update command to remove the old certificate filename and add the updated certificate filename.
Here is an example of the crypto cmp auto-update command:
To configure the Transport Protocol for CMPv2 messages, use the crypto cmp transport global configuration command. Use the no form of the command to set the CMPv2 default protocol.
crypto cmp transport transport protocol
no crypto cmp transport transport protocol
HTTP: HTTP is used as the transport protocol for all CMPv2 messages.
TCP: TCP is used as the transport protocol for all CMPv2 messages.
Use the crypto cmp transport command to configure the transport protocol for CMPv2 messages.
Here is an example of the crypto cmp transport command:
To control the rate at which the Segw datapath generates ICMP error packets, use the crypto datapath icmp rate-limit global configuration command. Use the no form of the command to remove the rate-limit.
crypto datapath icmp rate-limit interval
no crypto datapath icmp rate-limit interval
interval: Specifies the time interval in milliseconds before another ICMP error packet can be sent by the datapath. The value range is 1 to 10,000 ms.
This example shows how to use the crypto datapath icmp rate-limit command to configure a 1000 ms time interval between sent ICMP error packets:
To specify the maximum number of active tunnels supported on the WSG when the redirect feature is enabled, use the crypto dfp agent max-tunnels global configuration command. Use the no form of the command to remove the maximum number of tunnels.
crypto dfp agent max-tunnels number
no crypto dfp agent max-tunnels number
This command is configured in conjunction with crypto redirect ip and SLB commands on the SUP.
This example shows how to configure WSG to support 1000 maximum active tunnels when the redirect feature is enabled:
To specify the maximum weight associated with the real server that will be reported to the Dynamic Feedback Protocol (DFP) manager on the SUP, use the crypto dfp agent max-weight global configuration command. Use the no form of the command to remove the maximum associated weight.
crypto dfp agent max-weight number
no crypto dfp agent max-weight number
This command is configured in conjunction with crypto redirect ip commands on the WSG and SLB commands on the SUP.
This example shows how to configure a maximum weight of 10:
To specify the relay agent IP address, and the server and client ports used on the WSG, use the crypto dhcp-client global configuration command. Use the no form of the command to remove the specified server and client ports.
crypto dhcp-client giaddr ip_address server-port port_number client port port_number
no crypto dhcp-client giaddr ip_address server-port port_number client port port_number
The server and client port number can be the same or different values.
The WSG sends DHCP messages with the client port number, and receives responses from the server on the server port number.
The giaddr must be unique for each PPC talking to the DHCP server.
This command is required if you require DHCP address allocation.
The following example shows how to configure the crypto dhcp-client command:
To specify the client ID that is sent by the WSG (in option 61 of a DHCP message), use the crypto dhcp-client client-id-type extract-cn global configuration command. Use the no form of the command to revert the client ID to the default setting.
crypto dhcp-client client-id-type extract-cn
no crypto dhcp-client client-id-type extract-cn
By default the HNB’s IKE ID is used as the client ID. If the HNB IKE ID is in the DN format, and the CN part of the DN is to be sent as the client ID, then this command must be configured.
The following example shows how to configure the crypto dhcp-client client-id-type extract-cn command:
To specify the global unicast IPv6 Link-Address in Relay Forward message used by the WSG, use the crypto dhcp-client link-address global configuration command.
crypto dhcp-client link-address X:X:X::X server-port port_number client port port_number
This command is mandatory if DHCPv6 address allocation is required.
The following example shows how to configure the crypto dhcp-client link-address command:
To configure the DHCP server IP address and port number, use the crypto dhcp-server global configuration command. Use the no form of the command to remove a specific DHCP server from the configuration.
crypto dhcp-server ip A.B.C.D | X:X:X::X port port_number
no crypto dhcp-server ip A.B.C.D | X:X:X::X port port_number
port_number: Specifies the DHCP port number. The range is from 1 to 65535.
You must specify at least one DHCP server if you require DHCP address allocation.
You can configure multiple DHCP servers by repeating the command.
The following example shows how to configure the DHCP server IP address and port number:
To configure the DNS server IP address locally, use the crypto dhcp-dns server global configuration command.
Use the no form of the command to remove a specific DNS server IP from the configuration.
crypto dhcp-dns server ip A.B.C.D | X:X:X::X
no crypto dhcp-dns server ip A.B.C.D | X:X:X::X
This command is optional and is required only if a locally configured DNS server IP is needed.
The following example shows how to configure the DNS server IPv4 address:
The following example shows how to configure the DNS server IPv6 address:
To configure the syslog facility value, use the crypto facility command in global configuration mode. Use the no form of the command to disable this feature.
By default, the facility value is independent of the process.
Example: By default, the facility value for the syslogs generated from the IPSEC process is four (4).
Use the crypto facility command to control the WSG syslog facility value.
The following example shows how to configure the facility value:
crypto ike-retry-timeout [ initial initial-value | max maximum-value ]
Here is an example of the crypto ike-retry-timeout command:
To set the number of IKE retry connection attempts, use the crypto ike-retry-count command. To remove the IKE retry connection attempts, use the no form of the command.
no crypto ike-retry-count value
value: Specifies the maximum number of connection retry attempts, 1 to 10.
Use the crypto ike-retry-count command to set IKE retry connection attempts.
This example shows how to set IKE retry connection attempts:
To set the time interval for the NAT keepalives sent from the WSG, use the crypto ike-nat-keepalive command. To remove the configuration, use the no form of the command.
crypto ike-nat-keepalive interval
no crypto ike-nat-keepalive interval
interval: Configures the NAT keepalive packet interval in seconds. The range is 20-3600.
Use the crypto ike-nat-keepalive command to set the NAT keepalive interval.
Note This command cannot be entered if the profile is in active state.
To control the fragmentation point in hardware crypto engine for outbound traffic, use the crypto ipsec-fragmentation global configuration command. Use the no form of this command to remove the feature and reset the PMTU to the default value of 1400.
crypto ipsec-fragmentation [none | before-encryption {ipv6} mtu MTU]
no crypto ipsec-fragmentation [none | before-encryption {ipv6} mtu MTU]
IPv4: crypto ipsec-fragmentation before-encryption mtu 1400
IPv6: crypto ipsec-fragmentation before-encryption ipv6 mtu 1400
Command history: Allows configuration of a global PMTU value for IPv4 and IPv6.
Use the crypto ipsec-fragmentation command to control the fragmentation point in the hardware crypto engine for outbound traffic.
When the MTU size is modified after a tunnel is already established, the new MTU size is reflected in the output of the show crypto ipsec sa remote-ip command for that tunnel, but it is not used by the data traffic flowing through the tunnel until that tunnel is re-keyed. Tunnels that are established after the MTU size is modified use the new MTU size right away.
Here are two examples of the crypto ipsec-fragmentation command including its verification:
To set the anti-replay window size, use the crypto ipsec security association replay global configuration command. Use the no form of the command to disable this feature.
crypto ipsec security-association replay [ window-size ] window-size
no crypto ipsec security-association replay [ window-size ] window-size
The default window size is 32 bits for short sequence numbers and 64 bits for extended sequence numbers. Supported window sizes are: 32, 64, 128, 256, 384 and 512.
Note If sequence number extended is configured, the window size default will be 64 instead of 32.
This example shows how to set the anti-replay window size:
To enable the reverse DNS lookup feature, use the crypto nameresolver global configuration command. Use the no form of the command to disable this feature.
This example shows how to enable the reverse DNS lookup feature:
This example shows how to disable the reverse DNS lookup feature:
To set up a CA certificate to use for certificate-based authentication, use the crypto pki trustpoint command. To remove a CA certificate, use the no form of the command.
crypto pki trustpoint { rootCA | subCA } filename.crt crl disable
no crypto pki trustpoint {rootCA | subCA} filename.crt crl disable
The CA certificate must exist on the SUP before issuing this command.
Use the crypto pki trustpoint command multiple times to set up a certificate chain.
Up to 20 root certificates can be configured on the WSG.
Note crypto pki trustpoint configuration changes will only take effect after a no activate -> activate command sequence.
This example shows how to set up the WSG to use a CA certificate on the SUP named cert-ca1.crt:
For rootCA, there is an option to disable the CRL (Certificate Revocation List).
To set up the WSG certificate and (optionally) the private key file for a WSG to use for certificate-based authentication, use the crypto pki wsg-cert global configuration command. Use the no form of this command to remove the WSG certificate.
crypto pki wsg-cert cert_filename.crt [ wsg-private-key private-key-filename.prv ]
no crypto pki wsg-cert cert_filename.crt [ wsg-private-key private-key-filename.prv ]
The WSG certificate must be in the SUP bootflash or SUP bootdisk file system before issuing this command. The WSG uses both file systems to locate the files.
If a private key filename is not specified, it is assumed the user is trying to use a locally generated private key (using the crypto rsa-keygen command).
Note In releases prior to WSG Release 4.0, wsg-cert configuration changes will only take effect after a no activate -> activate command sequence.
Note If a manual update of the certificate and private key file is performed using the crypto cmp update EXEC mode command, use the crypto pki wsg-cert command to remove the old certificate filename and add the updated certificate filename. This is not required after an automatic renewal.
To set up the WSG certificate with the name wsg.crt and a private key named wsg.prv, enter:
Copying cert1.crt from SUP...done
To specify how long before a certificate expires the expiry trap is sent, use the crypto pki wsg-cert-trap expiry notification global configuration command. The no form of this command resets the notification time to the default of 24 hours.
crypto pki wsg-cert-trap expiry notification time
no crypto pki wsg-cert-trap expiry notification time
Time in hours to send the expiry trap before the certificate is not valid. The range is 1 to 720 hours (30 days). The default value is 24 hours.
Here is an example of the crypto pki wsg-cert-trap expiry notification command set for 72 hours (3 days):
Enter configuration commands, one per line. End with CNTL/Z
WSG(config)# crypto pki wsg-cert-trap expiry notification 72
To create a profile and to enter the crypto profile submode, use the crypto profile global configuration command. Use the no form of this command to remove a profile.
no crypto profile profile-name
A crypto profile can be either remote-access type or site-to-site type. The type command is used to specify the type of each profile that you create. If the type is not specified, the default is remote-access.
This example illustrates the crypto profile command:
To enable the RADIUS accounting feature on the WSG, use the crypto radius accounting enable global configuration command. Use the no form of the command to disable the feature.
crypto radius accounting enable
no crypto radius accounting enable
Use the crypto radius accounting enable command to enable the RADIUS accounting feature.
Note All profiles must be deactivated before enabling RADIUS accounting.
Here is an example configuration of the crypto radius accounting enable command:
Identification of the WSG as NAS to the RADIUS server is required. To configure the NAS Identifier on the WSG, use the crypto radius nas-id global configuration command. Use the no form of the command to disable the feature.
crypto radius nas-id identifier-string
no crypto radius nas-id identifier-string
Note This CLI command is applicable to both RADIUS Authentication and Accounting features. It is mandatory to configure one or both of the crypto radius nas-id and crypto radius nas-ip commands before configuring the crypto radius-server host command.
This RADIUS attribute contains a string to identify the NAS originating the access request.
Use the crypto radius nas-id command to configure the NAS Identifier on the WSG.
Note When upgrading to WSG Release 3.0 from a previous 2.X release, if a RADIUS server configuration exists, the crypto profile(s) will be inactive after the upgrade. To reactivate, configure the crypto radius nas-id or crypto radius nas-ip commands and then activate the profile(s).
Here is an example configuration of the crypto radius nas-id command:
Identification of the WSG as NAS to the RADIUS server is required. To configure the NAS IP address on the WSG, use the crypto radius nas-ip global configuration command. Use the no form of the command to disable the feature.
IPv4 or IPv6 address of the NAS. The format is A.B.C.D or X:X:X::X.
Use the crypto radius nas-ip command to configure the NAS IP address on the WSG.
Note This CLI command is applicable to both RADIUS Authentication and Accounting features. It is mandatory to configure one or both of the crypto radius nas-id and crypto radius nas-ip commands before configuring the crypto radius-server host command.
Note When upgrading to WSG Release 3.0 from a previous 2.X release, if a RADIUS server configuration exists, the crypto profile(s) will be inactive after the upgrade. To reactivate, configure the crypto radius nas-id or crypto radius nas-ip commands and then activate the profile(s).
Here is an example configuration of the crypto radius nas-ip command:
To authenticate remote end points with a RADIUS server, use the crypto radius-server host global configuration command. Use the no form of the command to disable this feature.
crypto radius-server host ip key keyword [ auth-port auth_port_# ] [ acct-port acct_port_# ]
no crypto radius-server host ip key keyword [ auth-port auth_port_# ] [ acct-port acct_port_#]
The default port number for auth_port is 1812 and for acct_port is 1813.
This command was modified to accept IPv6 addresses, and the optional auth-port and acct-port parameters were added.
This command must be configured if you use the RADIUS authentication feature.
RADIUS authentication can be used with remote-access type profiles only.
Here is an example of the crypto radius-server host command:
WSG(config)# crypto radius-server host 5.5.5.5 key cisco123 auth-port 8120 acct-port 8112
To specify the source IP address of the RADIUS packets that are sent to the RADIUS server, use the crypto radius source-ip global configuration command. Use the no form of the command to disable this feature.
crypto radius source-ip src-ip-address
no crypto radius source-ip src-ip-address
The source IPv4 or IPv6 address of the RADIUS packets that are sent to the RADIUS server. The format is either A.B.C.D or X:X:X::X.
This is an optional command configured when the RADIUS authentication feature is used. If not specified, the IKE stack will get the source IP address to use for RADIUS packets from the kernel (which is based on the route to reach the RADIUS server). RADIUS authentication can be used with remote-access type profiles only.
Here is an example of the crypto radius source-ip command:
To specify the real and redirect IP addresses for the IKEv2 redirect feature, use the crypto redirect ip command in global configuration mode. Use the no form of the command to remove the IP addresses.
crypto redirect ip real_IP redirect to redirect_IP [vrf vrf_name]
no crypto redirect ip real_IP redirect to redirect_IP [vrf vrf_name]
Unlike IPv4 real addresses, IPv6 real addresses do not report the weight to the SUP. IPv6 real addresses report the weight through IPv4 real addresses. Therefore, verify that the correct IPv4 and IPv6 real addresses are associated with each other on the SUP. Also, verify that a DFP agent with an IPv4 real address is defined on the SUP.
Note The DFP agent source port should always be 4700.
This example shows how to configure real and redirect IP addresses for the IKEv2 redirect feature:
To set the remote shared secret, use the crypto remote-secret command. To remove the remote shared secret, use the no form of the command.
crypto remote-secret id_type id secret
no crypto remote-secret id_type id secret
Remote secrets set the pre-shared keys used for IKE authentication of remote clients. Use the crypto remote-secret command to set the remote shared secret. The identifier used for authentication can be configured as an IP address; in WSG Release 3.0, the command accepts either an IPv4 or an IPv6 address.
Note The maximum number of supported remote-secret entries is 1000.
This example shows how to set pre-shared keys information for IKE authentication for remote clients.
To enable the IKEv2 redirect feature, use the crypto responder-redirect enable command in global configuration mode. Use the no form of the command to disable the feature.
crypto responder-redirect enable
no crypto responder-redirect enable
This example shows how to enable the IKEv2 redirect feature:
To enable the RRI feature, use the crypto rri enable command. To disable the RRI feature, use the no form of the command.
For WSG Release 3.0, the RRI feature only supports IPv4.
Only site-to-site profiles are supported.
The VRF feature on the WSG cannot be enabled when the RRI feature is already configured.
This example shows how to enable
To configure the statistics refresh interval to either auto mode or manual mode, use the crypto snmp stats-refresh-interval global configuration command. In auto mode, the refresh interval is adjusted automatically based on the number of tunnels.
The no crypto snmp stats-refresh-interval auto form changes the setting back to the default (manual mode with a 300-second interval), and the no crypto snmp stats-refresh-interval manual form changes the setting to auto mode.
crypto snmp stats-refresh-interval {auto | manual interval }
no crypto snmp stats-refresh-interval {auto | manual}
Set the refresh interval automatically based on the number of tunnels, on average about 1.5 seconds for 1000 tunnels.
By default this command is set to manual mode with a 300-second interval.
This command was introduced as the crypto snmp stats-refresh-interval command.
Use the crypto snmp stats-refresh-interval command to configure the statistics refresh interval.
This example shows how to set the statistics refresh interval for IKE/IPSec tunnels to auto mode:
This example sets the default setting, manual mode with a 300-second interval:
To configure the list of source-mask and destination-mask combinations, use the crypto site-to-site-lookup global configuration command. Use the no form of the command to disable this feature.
crypto site-to-site-lookup [ priority priority | source-netmask src-netmask | destination-netmask dst-netmask]
no crypto site-to-site-lookup [ priority priority | source-netmask src-netmask | destination-netmask dst-netmask]
The N subnet mask format is increased from 0-32 to 0-128 for IPv6.
You must enter this command one or more times before activating any S2S profiles. An S2S profile cannot be activated if this command is not configured on the WSG.
This example shows how to configure the crypto site-to-site-lookup command:
To configure the syslog level, use the crypto syslog-level global configuration command.
This command was introduced as the crypto syslog-level command.
Use the crypto syslog-level command to control WSG message types.
Syslog level 1 logs the largest amount of information.
A limited amount of the logs are saved on the WSG. You can send the syslog to a remote syslog server using the ip logging command.
This example shows how to set up the WSG to generate messages at and above level 1:
To configure the system to generate an SNMP trap when WSG throughput utilization goes above the configured value for a sustained number of intervals, use the crypto throughput threshold global configuration command.
The no crypto throughput threshold form changes the values back to the default setting, that is, a threshold of 50% and an interval value of 2.
crypto throughput threshold threshold interval interval
no crypto throughput threshold threshold interval interval
Number of sustained intervals, where each interval is 5 minutes.
This command was introduced as the crypto throughput threshold command.
Use the crypto throughput threshold command to generate an SNMP trap when WSG throughput utilization goes above the configured value for a sustained number of intervals.
This example shows how to set up the WSG to generate an SNMP trap when WSG throughput utilization goes above the configured value for a sustained number of intervals:
To configure the HA VLAN that is used to communicate among the nodes in the same cluster (subnet), use the ha interface vlan global configuration command. Use the no form to disable this functionality.
These CLIs must be configured on each PPC. The two PPCs that are to be paired together must have the same VLAN ID, so six different VLAN IDs are used for the six pairs of PPCs.
The following examples show how to configure the HA VLAN/IP address for the PPC#3 on Slot#1 and the PPC#3 on Slot#3:
To configure the VLAN and IP address using a single point configuration, use the ha interface vlan start-id command in global configuration mode. Use the no form of the command to disable this functionality.
ha interface vlan start-id vlan_ID [processor-count count] increment increment_vlan_ID
no ha interface vlan start-id vlan_ID
Specifies how many PPCs the HA VLAN interface should be applied to. Without this optional keyword, the HA VLAN interface is applied to all 6 PPCs.
This command is available in the entity-all mode on the director PPC (PPC3). You can use the ip address start-ip submode command to configure the start IP address for the director PPC (PPC3) and the increment value for the IP addresses of the slave PPCs (PPC4 to PPC8).
If you execute the following CLI commands on the director PPC (PPC3):
The resulting configurations of the 6 PPCs appear as follows:
If you execute the following CLI commands on the director PPC (PPC3):
Then PPC3 and PPC4 are configured as follows:
To configure the redundancy mode of the HA feature, use the ha redundancy-mode command in global configuration mode. Use the no form of the command to remove a redundancy mode.
ha redundancy-mode {active-active | active-standby} preferred-role {primary | secondary} [revertive]
no ha redundancy-mode {active-active | active-standby} preferred-role {primary | secondary} [revertive]
Modified to support active-active and active-standby node redundancy.
The ha redundancy-mode active-active CLI command can only be executed on the director PPC (PPC3) under entity-all mode. The command would then be applied to PPC3 and PPC4 only. The roles on PPC3 and PPC4 would be either primary/secondary or secondary/primary, depending on the preferred-role setting. If preferred-role is configured to be primary, PPC3 is primary and PPC4 is secondary. If preferred-role is configured to be secondary, PPC3 is secondary and PPC4 is primary.
In active-active mode, a failure in a PPC triggers a failover to its redundant peer PPC. The rest of the PPCs on the SAMI are not affected. However, if the failure occurs on the card level (such as IXP), the entire SAMI reloads.
Note Since PPC3 and PPC4 have different roles in active-active mode, the entity-all mode should not be used to configure the HA setup.
Note In active-active mode, the revertive keyword is a mandatory option. You must enter the revertive keyword for this CLI to be executed.
The ha redundancy-mode active-standby CLI command can only be executed on the director PPC (PPC3). It can be applied to just the PPC3 or, if under entity-all mode, applied to all of the PPCs. If under entity-all mode, the same preferred-role (primary or secondary) would be applied to all of the PPCs.
In active-standby mode, a failover causes the SAMI to reload, regardless of whether the failure occurred on an individual PPC or on the card level.
When the command is configured, the redundancy mode remains the same. The redundancy mode is applied and takes effect only after the SAMI reloads. You must save the configuration and reload the SAMI in order to activate these commands.
If the command is executed in the all mode, the command is applied to all PPCs so that the same role is assigned to them all. If the command is executed in the single mode, the role is assigned to only that particular PPC. The SAMI that is configured with the preferred-role of secondary needs to be reset before the redundant pairs can take effect.
The following command configures PPC3 as primary and PPC4 as secondary:
The following command configures PPC3 as secondary and PPC4 as primary:
Note You are responsible for cleaning up the remaining (non-HA) configuration and bringing the system back to an operational state. Also, the system does not reboot automatically as a result of removing the HA configuration.
To create a VLAN interface, use the interface command. The CLI prompt changes to (config-if). Use the no form of this command to remove the interface.
Use the interface vlan command to configure a VLAN interface on a PPC.
WSG Release 3.0 and above allows you to configure an IPv6 address and alias on the interface.
Each interface is allowed to have one or both IPv4 address/alias and IPv6 address/alias.
While in interface configuration mode, you can use the following commands:
Note This CLI is a node-specific command, and cannot be executed under entity-all mode.
To create VLAN interface 100, enter the following command:
To create a service VLAN interface, use the service interface command. Use the no form of this command to remove the service interface.
no service interface vlan number
Use the service interface vlan command to configure a service VLAN interface.
This command is allowed to have IPv4 address with netmask /32 and IPv6 with netmask /128, which acts as a sort of loopback interface.
While in service interface configuration mode, you can use the following commands:
Note This CLI is a node-specific command, and cannot be executed under entity-all mode.
To create service VLAN interface 1000, enter the following command:
To configure the IP address used by the HA infrastructure to communicate among the nodes in the same cluster (subnet), use the ip address command in interface configuration submode. Use the no form of the command to remove the IP address.
no ip address ip_address netmask
Interface configuration submode
These CLIs must be configured on each PPC. The two PPCs that are to be paired together must have the same VLAN ID, so six different VLAN IDs are used for the six pairs of PPCs.
The following examples show how to configure the HA VLAN/IP addresses for the PPC#3 on Slot#1 and the PPC#3 on Slot#3:
To configure the start IP address of the HA VLANs that you are configuring for incremental sync, use the ip address start-ip command in interface configuration submode. Use the no form of the command to disable this functionality.
ip address start-ip ip_address increment increment mask ip_address_netmask
Interface configuration submode
This command is available in the entity-all mode at director PPC (PPC3).
If you execute the following CLI on the director PPC (PPC3):
The resulting configurations on the 6 PPCs appear as follows:
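As an added illustration (not WSG code, and not the resulting configuration the page refers to), the Python below expands the single-point ha interface vlan start-id and ip address start-ip commands into per-PPC values and checks that two slots can be paired PPC for PPC. The reading that the director PPC3 takes the start values and each later PPC adds the increment once more is taken from the page; treating the IP increment as a plain integer added to the address, and the exact per-node command form it renders, are assumptions.

```python
"""Single-point HA configuration expansion.

Added illustration, not WSG code. It expands
  ha interface vlan start-id <vlan> [processor-count <n>] increment <inc>
  ip address start-ip <ip> increment <inc> mask <netmask>
into per-PPC settings using the reading taken from the page: the director
PPC (PPC3) gets the start values and each following PPC (PPC4 to PPC8) adds
the increments once more. Applying the IP increment as a plain integer added
to the address is an assumption."""
from __future__ import annotations

import ipaddress

DIRECTOR_PPC = 3
PPC_COUNT = 6  # PPC3 to PPC8; the default when processor-count is omitted


def expand_ha_config(start_vlan: int, vlan_increment: int,
                     start_ip: str, ip_increment: int, netmask: str,
                     processor_count: int = PPC_COUNT) -> dict[int, tuple[int, str]]:
    """Return {ppc: (vlan_id, "address/prefixlen")} for PPC3 onwards."""
    if not 1 <= processor_count <= PPC_COUNT:
        raise ValueError(f"processor-count must be 1..{PPC_COUNT}, got {processor_count}")
    base = ipaddress.ip_address(start_ip)
    # netmask may be dotted (255.255.255.0) or a prefix length (24 / 64).
    prefixlen = ipaddress.ip_network(f"{base}/{netmask}", strict=False).prefixlen
    expanded: dict[int, tuple[int, str]] = {}
    for n in range(processor_count):
        ppc = DIRECTOR_PPC + n
        vlan = start_vlan + n * vlan_increment
        if not 1 <= vlan <= 4094:
            raise ValueError(f"VLAN {vlan} computed for PPC{ppc} is outside 1..4094")
        addr = base + n * ip_increment
        expanded[ppc] = (vlan, f"{addr}/{prefixlen}")
    return expanded


def render_per_ppc_cli(expanded: dict[int, tuple[int, str]]) -> dict[int, list[str]]:
    """Per-node commands the expansion stands for. The exact per-node form
    (ha interface vlan <id>, then ip address <addr> <mask> in the interface
    submode) is assumed from the command syntax quoted on the page."""
    rendered: dict[int, list[str]] = {}
    for ppc, (vlan, cidr) in expanded.items():
        iface = ipaddress.ip_interface(cidr)
        rendered[ppc] = [f"ha interface vlan {vlan}",
                         f" ip address {iface.ip} {iface.netmask}"]
    return rendered


def check_pairing(slot_a: dict[int, tuple[int, str]],
                  slot_b: dict[int, tuple[int, str]]) -> list[str]:
    """Check that two SAMIs can be paired PPC for PPC: the page requires the
    paired PPCs to share a VLAN ID, and they must have distinct addresses in
    the same HA subnet. Returns the list of problems (empty means OK)."""
    problems: list[str] = []
    for ppc in sorted(set(slot_a) | set(slot_b)):
        if ppc not in slot_a or ppc not in slot_b:
            problems.append(f"PPC{ppc}: configured on only one slot")
            continue
        (vlan_a, cidr_a), (vlan_b, cidr_b) = slot_a[ppc], slot_b[ppc]
        if vlan_a != vlan_b:
            problems.append(f"PPC{ppc}: VLAN {vlan_a} != {vlan_b}")
        ia, ib = ipaddress.ip_interface(cidr_a), ipaddress.ip_interface(cidr_b)
        if ia.network != ib.network:
            problems.append(f"PPC{ppc}: {ia} and {ib} are in different subnets")
        elif ia.ip == ib.ip:
            problems.append(f"PPC{ppc}: both slots use {ia.ip}")
    return problems


if __name__ == "__main__":
    # Constructed values: slot 1 and slot 3 use the same VLAN plan and
    # neighbouring addresses, so each PPC pair lands in its own VLAN and /24.
    slot1 = expand_ha_config(201, 1, "10.1.1.1", 256, "255.255.255.0")
    slot3 = expand_ha_config(201, 1, "10.1.1.2", 256, "255.255.255.0")
    for ppc, lines in render_per_ppc_cli(slot1).items():
        print(f"PPC{ppc}:", " / ".join(lines))
    print("pairing problems:", check_pairing(slot1, slot3))
```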
To specify the name-server address, use the ip name-server global configuration command. Use the no form of the command to disable this feature.
ip name-server A.B.C.D | X:X:X::X
If multiple DNS servers are configured, verify that all DNS servers are redundant with each other and identically configured.
This example shows how to enable the ip name-server command for IPv6:
To add a route to a VRF, use the ip route global configuration command. Use the no form of the command to disable a route.
ip route ip_address subnet_mask gateway [ vrf vrf_name ]
no ip route ip_address subnet_mask gateway [ vrf vrf_name ]
Up to 10 IPv4/IPv6 routes can be configured for each VRF on each PPC. A total of 60 routes can be configured for a SAMI.
This example shows how to add a route to a VRF with the ip route command:
To start the SSH server or RADIUS client, use the ip ssh auth-type global configuration command. Use the no form of the command to stop this feature.
ip ssh auth-type {radius | local}
no ip ssh auth-type {radius | local}
The following authentication types are possible:
If more than one auth-type is specified, they are tried in order. The authentication attempt fails only if both attempts fail.
Here is an example of the ip ssh auth-type command:
To start the SSH service, use the ip ssh enable global configuration command. Use the no form of the command to stop the SSH service.
Here is an example of the ip ssh enable command:
To create a dsa key for the ssh service, use the ip ssh key dsa global configuration command. Use the no form of the command to disable this feature.
Since generating a dsa key is not easy, we recommend that you allow the service to automatically generate a key. If one is not configured when the ssh service is enabled using ip ssh enable, then one will be automatically generated. This command is mainly used to transfer the key between blades.
The no variant does not require that the user enter the entire key. Instead it stops short with:
This avoids having to cut and paste the whole key. Issuing a no ip ssh key dsa command while the SSH service is running causes it to automatically generate a new key. If you wish to avoid this, first disable the SSH service.
Here is an example of the ip ssh key dsa command:
To change the port used by SSH, use the ip ssh port global configuration command. Use the no form of the command to remove this assignment.
This command has no variant to revert back to the default port value of 22.
Here is an example of the ip ssh port command:
To configure one or more RADIUS servers, use the ip ssh radius-server global configuration command. Use the no form of the command to remove specified RADIUS servers.
ip ssh radius-server host host_IP key key_str [port port_number timeout timeout_number]
no ip ssh radius-server host host_IP key key_str [port port_number timeout timeout_number]
Port number to be used with the RADIUS server. Default is port 1812.
Number of seconds to wait before deciding that the server has failed to respond. Default is 3 seconds.
The default value for port_number is port 1812. The default value for timeout_number is 3 seconds.
If multiple RADIUS servers are configured, they are tried in order. The first server to return a success or failure determines the RADIUS authentication status. A server that fails to respond is skipped, and the next server is used.
This example shows how to add a RADIUS server to the WSG:
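The following added example, not WSG code, models the order described for ip ssh auth-type and ip ssh radius-server so the failure modes are explicit: servers are tried in order, the first definite Accept or Reject decides, a server that does not answer within its timeout is skipped, and a second auth-type is consulted only when the first did not authenticate. The scripted transport, the server addresses and the local user store are constructed stand-ins.

```python
"""SSH authentication chain as described for ip ssh auth-type and
ip ssh radius-server.

Added illustration, not WSG code. It follows the page's statements:
RADIUS servers are tried in order, the first Access-Accept or Access-Reject
decides, a server that fails to respond within its timeout is skipped, and a
second auth-type is consulted only when the first did not authenticate."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable

ACCEPT, REJECT, TIMEOUT = "accept", "reject", "timeout"


@dataclass
class RadiusServer:
    host: str
    key: str
    port: int = 1812     # default port from the page
    timeout: int = 3     # default timeout in seconds from the page


@dataclass
class SshAuthConfig:
    auth_types: list[str]   # tried in this order, e.g. ["radius", "local"]
    radius_servers: list[RadiusServer] = field(default_factory=list)
    local_users: dict[str, str] = field(default_factory=dict)  # constructed user -> password store


# Transport callback: (server, user, password) -> ACCEPT | REJECT | TIMEOUT.
Sender = Callable[[RadiusServer, str, str], str]


def radius_decision(servers: list[RadiusServer], user: str, password: str,
                    send: Sender) -> str:
    """Walk the server list in order; return the first definite answer, or
    TIMEOUT when no server responded at all."""
    for server in servers:
        outcome = send(server, user, password)
        if outcome in (ACCEPT, REJECT):
            return outcome   # later servers are never contacted
    return TIMEOUT


def authenticate(cfg: SshAuthConfig, user: str, password: str, send: Sender) -> bool:
    """Apply the auth-types in order; succeed on the first that authenticates,
    fail only when every configured method has failed."""
    for auth_type in cfg.auth_types:
        if auth_type == "radius":
            if radius_decision(cfg.radius_servers, user, password, send) == ACCEPT:
                return True
        elif auth_type == "local":
            if cfg.local_users.get(user) == password:
                return True
        else:
            raise ValueError(f"unknown auth-type {auth_type!r}")
    return False


def scripted_sender(outcomes: dict[str, str]) -> tuple[Sender, list[str]]:
    """Offline stand-in for the RADIUS exchange: maps server host -> outcome
    (missing hosts never answer) and records which servers were contacted,
    so the skip and stop rules are visible."""
    contacted: list[str] = []

    def send(server: RadiusServer, user: str, password: str) -> str:
        contacted.append(server.host)
        return outcomes.get(server.host, TIMEOUT)

    return send, contacted


if __name__ == "__main__":
    servers = [RadiusServer("192.0.2.10", "key1"),
               RadiusServer("192.0.2.11", "key2", timeout=5)]
    cfg = SshAuthConfig(["radius", "local"], servers, {"admin": "local-pw"})
    send, contacted = scripted_sender({"192.0.2.10": TIMEOUT, "192.0.2.11": ACCEPT})
    print(authenticate(cfg, "admin", "x", send), contacted)  # first server skipped
```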
To add an IPv6 host or route, use the ipv6 global configuration command. Use the no form of the command to remove an IPv6 host or route.
ipv6 { host ipv6_address | route ipv6_prefix ipv6_gateway }
no ipv6 { host ipv6_address | route ipv6_prefix ipv6_gateway }
Up to 10 IPv4/IPv6 routes can be configured for each VRF on each PPC. A total of 60 routes can be configured for a SAMI.
This CLI is node-specific and cannot be executed under entity-all mode.
This example shows how to enter an IPv6 host and route:
To add a VRF, use the ip vrf global configuration command. To remove a VRF, use the no form of the command, including the specific vrf_name.
By default, a network interface belongs to exactly one VRF, which is VRF_GLOBAL (VRF_NAME = global). In order to associate a VLAN interface with a specific VRF, use the vrf vrf_name command after the interface is created (but before the IP address is assigned):
After associating a VLAN device to a VRF, IP addresses can be added to the VLAN interface. These addresses and any automatic routes created as a result of address addition belong to the same VRF as the VLAN interface. Use the show interface vlan command to display the VRF membership of an interface.
Note VRFs can be set on an interface that already has an IP address assigned. After adding the interface to the new VRF, the IPv4/IPv6 addresses on the interface are deleted. Any routes associated with the interface within the old VRF are also removed.
To remove a vrf-interface association, use the no vrf command. Upon removal, interfaces that are part of the deleted VRF are migrated back to the VRF global. The IPv4/IPv6 addresses and routes associated with the migrated interfaces are cleared.
This example shows how to enable the ip vrf command:
To configure the IP address of the external logging server, use the logging global configuration command. Use the no form of the command to disable this feature.
logging { ip A.B.C.D | ipv6 X:X:X::X | lineread}
no logging { ip A.B.C.D | ipv6 X:X:X::X | lineread}
Allow multiple external logging servers with IPv4 addresses.
In WSG Release 3.1 and above, the logging command allows you to configure multiple external logging servers with IPv4 addresses. However, only a single logging server with an IPv6 address can be configured at a time.
This example shows how to enable the logging command for IPv6:
To enable Border Gateway Protocol (BGP) routing and place you in the BGP configuration mode, use the router bgp global configuration command. Use the no form of the command to disable BGP routing.
The autonomous system (AS) number is a required parameter that specifies the local BGP. The range is from 1 to 65535.
In WSG Release 3.0, the BGP neighboring address only supports IPv4 addresses.
Here is an example of the router bgp command:
To configure a BGP peer, use the neighbor command in BGP configuration submode. To remove a BGP peer, use the no form of the command.
neighbor ip_address remote-as remote_asn next-hop-alias next_ip_address
no neighbor ip_address remote-as remote_asn
Router BGP configuration submode
Support for IPv6 addresses in ip_address and next_ip_address was added in WSG Release 4.0.
Here is an example of the neighbor command:
To configure the WSG to initiate a tunnel with a peer when a site-to-site type profile is activated, use the auto-initiate command in ISAKMP submode. Use the no form of the command to disable this feature.
When auto-initiate is configured, the peer’s IP address must be specified in the profile.
This example shows how to initiate a tunnel:
To define the interval in which the DPD packets are initiated from the WSG, use the dpd-timeout command in ISAKMP submode. Use the no form of the command to disable DPD initiation on the profile tunnels.
Value of the dpd-timeout in seconds. The default value is 0. The range is 0 to 5040. Enter the timeout value as 0, 90, 180, 270, and so on (in multiples of 90) up to 5040.
The timeout argument is enhanced to count in multiples of 90.
The no dpd-timeout timeout form of the command disables DPD initiation on the profile tunnels.
Note When upgrading the WSG, a previously configured DPD value will be rounded to a WSG Release 3.0 value.
Note For solutions requiring more than 5,000 tunnels per PPC, Cisco recommends configuring a dpd-timeout greater than 180 seconds.
This example shows how to enter a DPD value of 270 seconds:
To specify that a 32-bit (short) or 64-bit (extended) sequence number is used for a profile, use the sequence-number command in ISAKMP submode. Use the no form of the command to disable the sequence number.
sequence-number { extended | short }
no sequence-number { extended | short }
This example shows the extended sequence number:
To set the EAP method, use the eap-type command in ISAKMP submode. To remove an EAP method, use the no form of the command.
Extensible Authentication Protocol (EAP) is an authentication framework that defines message formats. WSG supports the following EAP authentication methods:
Use the eap-type command to set the EAP method. When all user-entered configurations for this parameter are removed, then the feature again becomes disabled by default.
Multiple eap-type authentication methods can be configured in a profile. This is not supported in S2S profiles.
This example shows how to set an EAP method using 128-bit SIM:
WSG supports the following IKE secret encryption schemes:
To set the IKE secret encryption scheme, use the encryption command in ISAKMP submode. To remove an IKE secret encryption scheme, use the no form of the command.
encryption {des | 3des | aes | aes192 | aes256}
no encryption {des | 3des | aes | aes192 | aes256}
This command was enhanced to configure multiple encryptions.
Use the encryption command to set the IKE secret encryption scheme. Multiple algorithms can be configured together. The default values are not displayed. When you enter a scheme, the default is overwritten. When all user-entered configurations for this parameter are removed, then the default again becomes the aes value.
This example shows how to set an IKE encryption scheme using the 128-bit AES encryption algorithm:
IKE uses Diffie-Hellman to establish session keys. Diffie-Hellman is a public-key cryptography protocol that allows two parties to share a secret over an unsecured channel. IKE Groups set the allowed Diffie-Hellman groups for IKE SAs.
To set a group ID, use the group command in ISAKMP submode. To remove the group ID, use the no form of the command.
group {1 | 2 | 5 | 14 | 15 | 16 | 17 | 18}
no group {1 | 2 | 5 | 14 | 15 | 16 | 17 | 18}
This example shows how to set the group ID to 5:
Hash algorithms are used to authenticate packet data. WSG Release 1.2 and above supports three types of ISAKMP hash protocols: Message Digest Algorithm 5 (MD5), Secure Hash Algorithm (SHA) and AES Cipher Block Chaining Algorithm (aes-xcbc).
To set a hash algorithm, use the hash command in ISAKMP submode. To remove the hash algorithm, use the no form of the command.
hash { aes-xcbc | md5 | sha1 | sha2 }
no hash {aes-xcbc | md5 | sha1 | sha2}
Use the hash command to set a hash algorithm. In WSG Release 2.2 and above, multiple hash algorithms can be combined. The default values are not displayed. When you enter an algorithm, the default is overwritten. When all user-entered configurations for this parameter are removed, the default again becomes the sha1 value.
This example shows how to set the hash algorithm to md5:
To set up an ID type for the local client to use during IKE negotiation, use the self-identity command in the ISAKMP submode. To remove the configuration, use the no form of the command.
self-identity id-type id-type id id
no self-identity id-type id-type id id
This command was introduced as the ipsec local-identity command.
Use the self-identity command to set up an identity for the local client.
Note The local identity must match the certificate's identity when using certificates for authentication.
This example shows how to define the local client IKE identity as an IP address:
The IKE SA is kept by each peer until its lifetime expires. Because new SAs are negotiated before current SAs expire, they can be reused to save time. Shorter lifetimes mean more secure negotiations; longer lifetimes mean SAs are set up more quickly.
To set the IKE lifetime of an SA, use the lifetime command. To reset the SA lifetime to the default value, use the no form of the command.
|
|
---|---|
Use the lifetime command to set how long an IKE SA lives before expiring.
Depending on the application, the IKE SA lifetime may also be configured on the peer. We recommend that you do not configure a peer IKE SA lifetime that is shorter than the minimum supported by the WSG.
This example shows how to set an SA lifetime to 7200 seconds (120 minutes):
To set the shared key used for pre-shared key authentication (authentication pre-shared), use the local-secret command. To remove the key, use the no form of the command.
local-secret key
no local-secret
This example shows how to set the shared key to foo:
To set the peer for the IKE and IPSec negotiations, use the peer-ip command. To remove the configuration, use the no form of the command.
peer-ip ip-address
no peer-ip ip-address
Note This command applies to site-to-site profiles only; do not configure it for remote-access type profiles.
Use the peer-ip command to set the peer IP address for the tunnel profile.
This example shows how to set peer-ip for the tunnel profile:
To set the IKE version, use the ike-version command. To remove the IKE version, use the no form of the command.
ike-version { 1 | 2 | both }
no ike-version { 1 | 2 | both }
both: accept both IKE version 1 and IKE version 2. Use this if you are not sure which IKE version the client is using; note that it also lets a client that supports IKEv2 fall back to IKEv1, so set 2 once every peer is known to support it.
Use the ike-version {1 | 2 | both} command to set the IKE version.
Note ike-version both is not supported with auto-initiate in site-to-site profiles.
This example shows how to set the IKE version to 1:
By default the WSG initiates IKE messages that it originates, such as an IKEv1 rekey, on the NAT-T port (UDP 4500). The WSG can be configured to disable this so that such IKE messages are sent on UDP port 500 instead. This command applies to IKEv1 only.
To disable IKE initiation on the NAT-T port, use the ike-start-with-natt disable command. To restore the default, use the no form of the command.
ike-start-with-natt disable
no ike-start-with-natt disable
Use the ike-start-with-natt disable command to disable IKE initiation with NAT-T for IKEv1.
To set the IKE authentication method, use the authentication command. To remove the IKE authentication method, use the no form of the command.
authentication { rsa-sig | pre-shared }
no authentication { rsa-sig | pre-shared }
rsa-sig authenticates the peer with a certificate (the identity set with self-identity must match the certificate); pre-shared uses the key configured with local-secret.
Use the authentication command to set the IKE authentication method.
This example shows how to set the IKE authentication method:
To enter the IPv6 address or alias, use the ipv6 command in interface configuration submode. Use the no form of the command to disable this feature.
Interface configuration submode
Each interface may have an IPv4 address and alias, an IPv6 address and alias, or both.
This example shows an interface configured with an IPv4 address, an IPv4 alias and an IPv6 address:
ip address 10.10.10.3 255.255.255.0
alias 10.10.10.1 255.255.255.0
ipv6 address 2001:88:88:94::4/96
Note This CLI is a node-specific command and cannot be executed under entity-all mode.
To require a profile to use DHCP-based address allocation, or to specify the name of the address pool to be used for a profile, use the ip address-pool command. Use the no form of the command to remove the address-pool configuration.
ip address-pool { dhcp | address-pool-name }
no ip address-pool { dhcp | address-pool-name }
dhcp: Use DHCP-based address allocation for the profile.
address-pool-name: Name of a locally configured address pool (see start-ip) from which the profile assigns addresses.
Use the ip address-pool command to set the address pool to be used for the profile.
Note This command is not applicable for a site-to-site profile.
Use the dhcp keyword when a profile is required to use DHCP-based address allocation. When the profile is activated, the mandatory global DHCP configuration is checked for completeness. While any profile with DHCP address allocation is active, the global DHCP configuration commands cannot be modified or removed.
This example shows how to set the address pool for a profile named foo:
This example activates the profile for DHCP-based address allocation:
To set up the local IP address to use during SA negotiation, use the local-ip command. To return to the default value, use the no form of the command.
local-ip ip-address
no local-ip
ip-address: IP address of the local client. This can be an IPv4 or IPv6 address.
Use the local-ip command to set up a local IP address that is used during SA negotiation.
This example shows how to define 10.95.10.110 as the IP address of the WSG to use during SA negotiation:
To set a Perfect Forward Secrecy (PFS) group ID to use for negotiations during a new SA exchange, use the pfs command. Use the no form of the command to remove the PFS group.
pfs { group1 | group2 | group5 | group14 | group15 | group16 | group17 | group18 }
no pfs { group1 | group2 | group5 | group14 | group15 | group16 | group17 | group18 }
Added group14, group15, group16, group17, and group18 keywords.
Use the pfs command to set a group type for use in negotiations during a child SA exchange. With PFS, each child SA's keys come from a fresh Diffie-Hellman exchange, so compromise of the IKE SA keys does not expose earlier child SA traffic. For the same reason as with the ISAKMP group command, group14 or higher is recommended.
This example shows how to set group2 as the group ID:
To set the SA lifetime, use the security-association lifetime command in IPSec submode. To remove the SA lifetime, use the no form of this command.
security-association lifetime { megabytes megabytes | seconds seconds }
no security-association lifetime { megabytes megabytes | seconds seconds }
megabytes: Lifetime in megabytes of traffic. The minimum value is 4500 MB.
seconds: Lifetime in seconds. The range is 3600 to 2147483647.
Use the security-association lifetime command to set the SA lifetime in megabytes or seconds.
Depending on the application, the IPSec SA lifetime may also be configured on the peer. We recommend that you do not configure peer IPSec SA lifetimes that are shorter than the minimum values supported by the WSG.
This example shows how to set the IPSec SA lifetime in seconds or megabytes:
To disable IPSec security association anti-replay checking, use the security-association replay command. To re-enable it, use the no form of the command.
security-association replay disable
no security-association replay disable
Security association replay protection is enabled by default with a window size of 32 (a 32-bit window bitmap, so up to 32 outstanding sequence numbers are tracked).
Use the security-association replay command to disable IPSec security association replay checking. With replay checking disabled the WSG accepts any ESP sequence number, so captured packets can be re-injected into the protected network; disable it only for a peer that genuinely cannot deliver packets in near order, and re-enable it as soon as that peer is fixed.
This example shows how to disable IPSec security association replay:
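The following is an added example, not code from the WSG or from this reference, showing what the anti-replay window described above actually does. It models the RFC 4303 sliding-window check with the page's default window of 32, and includes an `enabled` switch that stands in for security-association replay disable so you can see which packets get through in each mode. The packet stream is constructed.

```python
"""Sliding-window anti-replay check of the kind ESP performs per inbound SA.
Added illustration, not WSG code: it models the RFC 4303 algorithm with the
page's default window of 32 sequence numbers (a 32-bit bitmap)."""

WINDOW_SIZE = 32  # the page's default: 32-bit bitmap, i.e. 32 sequence numbers


class ReplayWindow:
    """Track the highest sequence number accepted and a bitmap of the WINDOW_SIZE
    most recent ones, so late-but-legitimate packets pass while duplicates and
    packets older than the window are dropped."""

    def __init__(self, size=WINDOW_SIZE, enabled=True):
        self.size = size
        self.enabled = enabled   # False models 'security-association replay disable'
        self.top = 0             # highest sequence number accepted so far
        self.bitmap = 0          # bit i set => sequence number (top - i) was received

    def check_and_update(self, seq):
        """Return True if seq is acceptable (and record it); False if it is a
        replay or older than the window. ESP sequence numbers start at 1."""
        if not self.enabled:
            return True          # no protection: every sequence number is accepted
        if seq == 0:
            return False
        if seq > self.top:       # newer than anything seen: slide the window right
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1  # whole window is stale; only seq is marked
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq  # inside or left of the window
        if offset >= self.size:
            return False         # too old: fell off the left edge
        if self.bitmap & (1 << offset):
            return False         # already received: this is a replay
        self.bitmap |= 1 << offset
        return True


def run_stream(seqs, enabled=True):
    """Feed a sequence-number stream through one SA's window and return the
    per-packet accept (True) / drop (False) decisions."""
    window = ReplayWindow(enabled=enabled)
    return [window.check_and_update(s) for s in seqs]


if __name__ == "__main__":
    # Constructed capture: in-order packets, one late arrival (4 after 5),
    # a replay of 3, a jump to 40, then a replay of 5 that is now too old.
    stream = [1, 2, 3, 5, 4, 3, 40, 5]
    print(run_stream(stream))                 # [True, True, True, True, True, False, True, False]
    print(run_stream(stream, enabled=False))  # every packet accepted, replays included
```

The late packet 4 is accepted because it still falls inside the 32-wide window, which is the reordering tolerance the window buys; the two replays are dropped only while the check is enabled.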
To configure the protected IP address to which traffic is allowed from a remote access tunnel, or the traffic selectors and multiple child SAs for site-to-site tunnels, use the access-permit command. Use the no form of the command to remove the access-permit configuration.
access-permit ip ip-address subnet subnet
no access-permit ip ip-address subnet subnet
access-permit rule-name protocol { any | sctp | udp | tcp } [ src-ip src_ip src_prefix | src-port start_src_port end_src_port | dst-ip dst_ip dst_prefix | dst-port start_dst_port end_dst_port ]
A specific access-permit must be specified based on the network configuration.
The following keywords and arguments were changed for site-to-site scalability improvements:
Allow up to 5 multiple access-permit statements in a remote-access crypto profile.
Use the access-permit command to set the IP address and subnet from which traffic is allowed from the remote-access tunnel.
In WSG Release 4.2 and above, when you configure a site-to-site access-permit, the WSG checks whether its traffic selectors overlap an existing rule. If they do, a warning is shown to the user and written to the syslog. Overlapping selectors leave it ambiguous which child SA a packet belongs to, so correct the rules rather than ignoring the warning.
In WSG Release 3.1 and above, you can configure multiple access-permit statements in a remote-access crypto profile. Up to 5 access-permit statements can be added.
For site-to-site tunnels, the extended access-permit configuration defines the parameters of the traffic permitted on the tunnel.
There is no default, and at least one access-permit needs to be specified for each profile. If multiple child SAs are required, multiple access-permit configurations need to be entered.
In WSG Release 1.2, the rule-name argument was added; it applies to site-to-site type profiles only. The WSG Release 1.1 syntax for access-permit applies only to the remote-access type profile. The profile name should be unique; you cannot use the same name for two different profiles.
This example shows how to allow traffic from all remote-access clients to the 100.1.3.0/24 and 88.88.0.0/16 subnets:
The following is an example of the extended access-permit command with the protocol options and IPv6:
The following is an example that includes the ras type access permit:
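The overlap check that WSG Release 4.2 performs on site-to-site access-permit rules, reimplemented as an added example. This is not WSG code and the WSG's own check is not published; the example parses rules written in the extended access-permit syntax above and reports pairs whose traffic selectors could both match one packet. It assumes that the optional src-ip, src-port, dst-ip and dst-port keywords can be combined in one rule, that an omitted prefix matches any address and that an omitted port range matches any port; the rules themselves are constructed.

```python
"""Overlap check for site-to-site access-permit traffic selectors: an added
illustration, not WSG code. Two rules overlap when one packet could match both:
the protocols agree or one of them is 'any', both address prefixes intersect,
and both port ranges intersect. Assumptions: the optional keywords may be
combined in one rule; an omitted prefix or port range matches anything."""
import ipaddress
from itertools import combinations

ANY_PORTS = (0, 65535)


def parse_access_permit(line):
    """Parse one extended access-permit line into its selector fields."""
    words = line.split()
    if len(words) < 4 or words[0] != "access-permit" or words[2] != "protocol":
        raise ValueError(f"not an extended access-permit: {line!r}")
    rule = {"name": words[1], "protocol": words[3],
            "src": None, "dst": None, "sport": ANY_PORTS, "dport": ANY_PORTS}
    i = 4
    while i < len(words):                      # keyword value value, three at a time
        key, a, b = words[i], words[i + 1], words[i + 2]
        if key in ("src-ip", "dst-ip"):        # address plus prefix length
            rule[key[:3]] = ipaddress.ip_network(f"{a}/{b}", strict=False)
        elif key in ("src-port", "dst-port"):  # inclusive start/end port
            rule[key[0] + "port"] = (int(a), int(b))
        else:
            raise ValueError(f"unknown keyword {key!r} in {line!r}")
        i += 3
    return rule


def _prefixes_overlap(a, b):
    if a is None or b is None:                 # unspecified prefix matches any address
        return True
    return a.version == b.version and a.overlaps(b)


def _ports_overlap(a, b):
    return a[0] <= b[1] and b[0] <= a[1]


def selectors_overlap(r1, r2):
    """True if some packet could match both traffic selectors."""
    protocols_meet = (r1["protocol"] == r2["protocol"]
                      or "any" in (r1["protocol"], r2["protocol"]))
    return (protocols_meet
            and _prefixes_overlap(r1["src"], r2["src"])
            and _prefixes_overlap(r1["dst"], r2["dst"])
            and _ports_overlap(r1["sport"], r2["sport"])
            and _ports_overlap(r1["dport"], r2["dport"]))


def find_overlaps(lines):
    """Return (rule_name, rule_name) pairs whose selectors overlap, in the
    order the rules appear; these are the pairs the WSG would warn about."""
    rules = [parse_access_permit(l) for l in lines if l.strip()]
    return [(a["name"], b["name"])
            for a, b in combinations(rules, 2) if selectors_overlap(a, b)]


# Constructed profile: branch1-voip is a subset of branch1, so a UDP packet to
# 172.16.10.5:5060 could be placed on either child SA.
SAMPLE_RULES = [
    "access-permit branch1 protocol any src-ip 10.1.0.0 16 dst-ip 172.16.0.0 12",
    "access-permit branch1-voip protocol udp src-ip 10.1.5.0 24 dst-ip 172.16.10.0 24 dst-port 5060 5061",
    "access-permit branch2 protocol any src-ip 10.2.0.0 16 dst-ip 172.16.0.0 12",
    "access-permit v6-web protocol tcp src-ip 2001:db8:1:: 48 dst-ip 2001:db8:2:: 48 dst-port 443 443",
]

if __name__ == "__main__":
    for first, second in find_overlaps(SAMPLE_RULES):
        print(f"warning: access-permit {first} and {second} have overlapping traffic selectors")
```

Run against the constructed rules it reports only the branch1 / branch1-voip pair: branch2 uses a disjoint source prefix and v6-web is a different address family, so neither can share a packet with the others.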
To set an Encapsulating Security Payload (ESP) encryption and hash type, use the transform-set command in IPSec submode.
transform-set esp {3des | aes | aes192 | aes256 | des | null} {aes-xcbc | md5 | sha1}
{3des | aes | aes192 | aes256 | des | null}: ESP encryption algorithm (see encryption). null provides integrity only, with no confidentiality.
{aes-xcbc | md5 | sha1}: ESP integrity (hash) algorithm (see hash).
ESP is the security protocol that provides data confidentiality, data-origin authentication, and anti-replay protection. ESP encapsulates the data to be protected. Use the transform-set command to set the ESP encryption and hash type. In WSG Release 2.2 and above, multiple transform sets can be configured together; the peer may select any of them, so every transform set you list must be one you are willing to run, not only the first. des, 3des and md5 are retained for legacy peers only.
This example shows how to set ESP encryption and hash type:
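Taken together, the ISAKMP and IPSec commands above (group, hash, lifetime, authentication, ike-version, pfs, transform-set, security-association lifetime and security-association replay) decide how strong a tunnel is. The following is an added example, not WSG code and not a feature the WSG offers: a small policy lint that reads those commands out of a configuration dump and reports the settings a security review would reject. It assumes the crypto profile NAME, isakmp, ipsec and activate lines that open and close the submodes (they come from the platform, not from this page), and the lifetime ceilings are an assumed site policy; the configuration excerpt is constructed, with a legacy profile beside a hardened one.

```python
"""Policy lint over WSG crypto-profile settings: an added illustration, not WSG
code. It parses the ISAKMP and IPSec commands documented on this page out of a
constructed configuration dump and reports what a security review would reject.
Assumptions: 'crypto profile NAME', 'isakmp', 'ipsec' and 'activate' are the
platform's submode lines (not documented here); lifetime ceilings are made up."""

WEAK_GROUPS = {"1", "2", "5", "group1", "group2", "group5"}  # MODP groups under 2048 bits
WEAK_HASHES = {"md5"}
WEAK_CIPHERS = {"des", "3des", "null"}                       # null = no confidentiality
MAX_IKE_LIFETIME = 86400      # seconds; assumed site policy
MAX_IPSEC_LIFETIME = 28800    # seconds; assumed site policy


def parse_profiles(config_text):
    """Return {profile_name: {"isakmp": [tokens...], "ipsec": [tokens...]}}.
    A bare 'isakmp' or 'ipsec' line opens that submode; 'activate' closes it."""
    profiles, current, section = {}, None, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        words = line.split()
        if words[:2] == ["crypto", "profile"]:
            current = profiles.setdefault(words[2], {"isakmp": [], "ipsec": []})
            section = None
        elif current is None:
            continue
        elif line in ("isakmp", "ipsec"):
            section = line
        elif line == "activate":
            section = None
        elif section is not None:
            current[section].append(words)
    return profiles


def audit(profiles):
    """Return 'profile: finding' strings; an empty list means the policy passed."""
    findings = []
    for name, prof in profiles.items():
        def flag(msg):
            findings.append(f"{name}: {msg}")
        isakmp_keys = {w[0] for w in prof["isakmp"]}
        ipsec_keys = {w[0] for w in prof["ipsec"]}
        for key, *args in prof["isakmp"]:
            if key == "group" and set(args) & WEAK_GROUPS:
                flag(f"ISAKMP group {' '.join(args)} is under 2048 bits; use group 14 or higher")
            elif key == "hash" and set(args) & WEAK_HASHES:
                flag("ISAKMP hash md5 is accepted; keep only sha1, sha2 or aes-xcbc")
            elif key == "lifetime" and int(args[0]) > MAX_IKE_LIFETIME:
                flag(f"IKE SA lifetime {args[0]}s exceeds the {MAX_IKE_LIFETIME}s ceiling")
            elif key == "ike-version" and args[0] == "1":
                flag("IKEv1 only; use ike-version 2 unless the peer cannot")
        if "authentication" not in isakmp_keys:
            flag("no IKE authentication method configured")
        for key, *args in prof["ipsec"]:
            if key == "pfs" and set(args) & WEAK_GROUPS:
                flag(f"PFS {' '.join(args)} is under 2048 bits; use group14 or higher")
            elif key == "transform-set" and len(args) >= 3:   # esp CIPHER HASH
                if args[1] in WEAK_CIPHERS:
                    flag(f"ESP cipher {args[1]} is weak or gives no confidentiality")
                if args[2] in WEAK_HASHES:
                    flag("ESP integrity md5 is weak; use sha1 or aes-xcbc")
            elif key == "security-association" and args[:2] == ["replay", "disable"]:
                flag("anti-replay disabled; captured ESP packets can be re-injected")
            elif (key == "security-association" and args[:2] == ["lifetime", "seconds"]
                  and int(args[2]) > MAX_IPSEC_LIFETIME):
                flag(f"IPSec SA lifetime {args[2]}s exceeds the {MAX_IPSEC_LIFETIME}s ceiling")
        if "pfs" not in ipsec_keys:
            flag("no pfs group; a compromised IKE SA key would expose every child SA")
    return findings


def audit_config(config_text):
    """Parse a configuration dump and audit every profile in it."""
    return audit(parse_profiles(config_text))


# Constructed running-config excerpt: a legacy profile beside a hardened one.
SAMPLE_CONFIG = """
crypto profile legacy-s2s
 isakmp
  group 2
  hash md5
  lifetime 604800
  authentication pre-shared
  ike-version 1
 ipsec
  transform-set esp 3des md5
  security-association replay disable
 activate
crypto profile hardened-s2s
 isakmp
  group 14
  hash sha2
  lifetime 28800
  authentication rsa-sig
  ike-version 2
 ipsec
  pfs group14
  transform-set esp aes256 sha1
  security-association lifetime seconds 3600
 activate
"""

if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```

On the constructed dump the legacy profile produces eight findings (weak group, md5 in both IKE and ESP, a week-long IKE lifetime, IKEv1 only, 3DES, anti-replay off and no PFS) and the hardened profile none; the same parser can be pointed at a saved show running-config dump to review a live box.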
To identify the interface used for single mode OAM traffic, use the oam mode single command. Use the no form of the command to disable this feature.
oam mode single vlan_number
no oam mode single vlan_number
This example shows a sample configuration with the oam mode single command. All management traffic from the director and subordinate PPCs destined to the VLAN 223 subnet is directed through this interface:
To configure the static routes on the director and subordinate PPCs for subnet management, use the oam-ip route command. Use the no form of the command to disable these routes.
oam-ip route ip_address subnet_mask gateway
no oam-ip route ip_address subnet_mask gateway
This command is similar to ip route in functionality, with the exception that it affects the routes on the subordinate PPCs as well. It does not support IPv6.
This example shows how to configure the oam-ip route command:
To enable the CPU Threshold Notification feature and set the rising and falling percentage threshold values, use the process cpu threshold global configuration command. Use the no form to disable this feature.
process cpu threshold rising percentage interval seconds [ falling percentage interval seconds ]
no process cpu threshold [ rising percentage interval seconds | falling percentage interval seconds ]
The CPU Threshold Notification feature notifies users by generating a SNMP trap message when a predefined threshold of CPU usage is crossed. Two types of CPU utilization threshold are supported: rising threshold and falling threshold. A rising CPU utilization threshold specifies the percentage of CPU resources that, when exceeded for a configured period of time, triggers the cpmCPURisingThreshold notification. Similarly, a falling CPU utilization threshold specifies the percentage of CPU resources that, when CPU usage falls below this level for a configured period of time, triggers cpmCPUFallingThreshold notification.
The following example shows how to set a rising CPU threshold notification for total CPU utilization. When total CPU utilization exceeds 95 percent for a period of 5 seconds or longer, a rising threshold notification is sent.
To configure the memory threshold that generates a syslog when free memory falls below the configured value, use the memory free low watermark processor command. Use the no form to disable this function.
memory free low watermark processor threshold
no memory free low watermark processor threshold
threshold: Free-memory threshold in KB. When free memory falls below this value a syslog is generated. The range is 1024 KB to 1996000 KB.
The following example specifies a threshold of 10000 KB of free processor memory before a low-memory syslog is generated:
Once available free memory rises to more than 5 percent above the threshold (1.05 x 10000 KB = 10500 KB in this example), another message is generated indicating that free memory has recovered.
To list all of the current blacklisted IKE IDs, use the show crypto blacklist file command in EXEC mode.
Use the show crypto blacklist file command to view the current blacklisted IDs.
Here is example show output for the show crypto blacklist file command:
To display the number of IDs in a blacklist, and the number of tunnel setup attempts blocked due to blacklisting, use the show crypto blacklist stats command in EXEC mode.
Use the show crypto blacklist stats command to display the number of IDs in a blacklist, and the number of tunnel setup attempts blocked due to blacklisting.
Here is example show output for the show crypto blacklist stats command:
To display the current status of pending CMPv2 request, use the show crypto cmp request command in EXEC mode. The output also indicates if no request is pending.
Use the show crypto cmp request command to display the current status of pending CMPv2 request. This is the pending request that will be polled by the crypto cmp poll command. If an update and an initialize or enroll request is pending, only the pending update request is displayed.
Here is example output for the show crypto cmp request command:
To display DHCP address allocation statistics, use the show crypto dhcp command in EXEC mode.
Use the show crypto dhcp command to view DHCP address allocation statistics.
Here is an example of crypto DHCP statistics after tunnel set-up and tear-down:
To display IPSec parameters for all configured profiles, use the show crypto ipsec info command in EXEC mode.
show crypto ipsec info [profile_name]
Use the show crypto ipsec info command to view IPSec parameters configured for all the profiles.
This example shows how to view configured IPSec parameters:
To display all global IPSec statistics, use the show crypto ipsec summary command in EXEC mode.
show crypto ipsec summary {fast-path | slow-path}
fast-path: Global fast-path statistics, applicable to the entire card.
slow-path: Global slow-path statistics.
Use the show crypto ipsec summary command to view all global IPSec statistics.
Table 3-1 lists the field descriptions for the IPSec fast-path statistics.
Table 3-1 Field Descriptions for IPSec fast-path Stats
This example shows how to view all global IPSec statistics:
To show a list of all SAs on the WSG, use the show crypto ipsec sa command in EXEC mode.
show crypto ipsec sa [remote-ip remote_ipv4_address mask remote_ipv4_mask] [remote-ip remote_ipv6_address ipv6-prefix ipv6_prefix_length] [remote-host remote_host] [vrf-local vrf_name]
Added hostname in reverse DNS lookup feature for IKE peer support.
Use the show crypto ipsec sa command to view all SAs on the WSG.
This example shows how to view all SAs on the WSG:
This example shows how to view information on a specific SA:
To show information on a specific SA on the WSG, use the show crypto ipsec sa spi-in command in EXEC mode.
show crypto ipsec sa spi-in inbound_spi
Use the show crypto ipsec sa spi-in command to view information on a specific SA.
This example shows how to view information on a specific SA:
To show IKE parameters, use the show crypto isakmp info command in EXEC mode.
Use the show crypto isakmp info command to view configured IKE parameters.
This example shows how to view configured IKE parameters:
To show IKE SA information and statistics, use the show crypto isakmp sa command in EXEC mode.
show crypto isakmp sa [remote-ip remote_ipv4_address mask remote_ipv4_mask] [remote-ip remote_ipv6_address ipv6-prefix ipv6_prefix_length] [remote-host remote_host] [vrf-local vrf_name]
Added hostname in reverse DNS lookup feature for IKE peer support.
Use the show crypto isakmp sa command to view IKE SA information and statistics.
This example shows how to view IKE SA information and statistics:
This example shows how to view information on a specific SA by IP or hostname:
To show all global IKE statistics, use the show crypto isakmp summary command in EXEC mode.
The output of this command was modified with new information.
Use the show crypto isakmp summary command to view all global IKE statistics.
This example shows how to view all global ISAKMP statistics:
To display certificate information, use the show crypto pki certificate command in EXEC mode.
show crypto pki certificate certificate
Note This is a show command and does not affect the running configuration.
This example shows how to use the show crypto pki certificate command:
To display the count of different RADIUS messages sent and received, as well as the RADIUS timeout and retry counters, use the show crypto radius statistics command in EXEC mode.
Use the show crypto radius statistics command to display the count of different RADIUS messages sent and received, as well as the RADIUS timeout and retry counters.
Here is sample output for the show crypto radius statistics command:
To display the throughput data for the last calculated 5 minute interval on the WSG, use the show crypto throughput command in EXEC mode.
Use the show crypto throughput command to display throughput data for the last calculated 5 minute interval on the WSG.
Here is a sample output for the show crypto throughput command:
To display the throughput data for packets to and from the Nitrox crypto accelerator and the average throughput utilization for the last calculated 5 minute interval on a given IXP, use the show crypto throughput ixp command in EXEC mode. The IXP0 output also shows the packet data punted to IXP1.
show crypto throughput ixp {1 | 2}
Use the show crypto throughput ixp command to display throughput data for the last calculated 5 minute interval for the selected IXP.
Here are sample outputs for the show crypto throughput ixp {1 | 2} command:
To display how many 5 minute intervals had throughput falling in each bucket range, use the show crypto throughput distribution history command in EXEC mode.
show crypto throughput distribution history
This command was introduced as the crypto throughput distribution history command.
Use the show crypto throughput distribution history command to display the history of throughput.
Here is a sample output for the show crypto throughput distribution history command:
To display, for each IXP, how many 5 minute intervals had throughput falling in each bucket range, use the show crypto throughput distribution history ixp {1 | 2} command in EXEC mode.
show crypto throughput distribution history ixp {1 | 2}
Use the show crypto throughput distribution history ixp command to display the history of throughput for the selected IXP.
Here are sample outputs for the show crypto throughput distribution history ixp commands:
To display the history of throughput in Mbps and packets/s over the last 3 hours, 1 day or 1 week, use the show crypto throughput history command in EXEC mode.
show crypto throughput history interval interval type
type: Type of unit in which to display the throughput. Valid values are:
This command was introduced as the crypto throughput history command.
Use the show crypto throughput history command to display the history of throughput.
Here are sample outputs for the show crypto throughput history commands:
To display the history of throughput in Mbps and packets/s separately for each IXP, use the show crypto throughput history interval interval type ixp command in EXEC mode.
show crypto throughput history interval interval type ixp {1 | 2}
Use the show crypto throughput history interval interval type ixp command to display the history of throughput for the selected IXP.
Here is a sample output for the show crypto throughput history interval interval type ixp command:
To view crypto debug information on the WSG, use the show debug crypto command in EXEC mode.
Use the show debug crypto command to view crypto debug information.
Note The show debug command does not show the debugs related to the crypto module.
This example shows how to use the show debug crypto command:
To display the configuration, states, and statistics of the local node and its peer, use the show ha info command in EXEC mode.
show ha info [ brief | detail ]
brief: Display only the configuration and state of the local node.
detail: Display includes extra information about the cluster and the node names.
The show ha info command shows the configuration, states, and statistics of the local node and its peer:
Redundancy mode (configured) : active-standby
Bulk Sync done : Thu Sep 15 01:24:36 2011
The show ha info brief command shows the configuration and the state of the local node:
The show ha info detail command includes extra information about the cluster and node names:
Redundancy mode (configured) : active-standby
To display the hosts on a PPC, use the show hosts command in EXEC mode.
The show hosts command lists the name servers and their corresponding IP addresses. It also lists the hostnames, their corresponding IP addresses, and their corresponding aliases (if applicable) in a host table summary.
To display a list of hosts on a PPC, enter:
To display the ICMP6 statistics, use the show icmp6 statistics command in EXEC mode.
This example shows how to use the show icmp6 statistics command:
To display interface information, use the show interface command in EXEC mode.
show interface [ vlan number ]
To display all of the interface statistical information, enter the show interface command without using the optional vlan keyword.
To display all of the interface statistical information, enter:
To display the details, statistics, or IP information for all or a specified VLAN interface (51 in this example), enter:
To display internal iftable statistics, use the show interface internal iftable command in EXEC mode.
show interface internal iftable
This example shows how to use the show interface internal iftable command:
To display general information about BGP routing processes, use the show ip bgp command in EXEC mode.
Here is an example that displays BGP-related information:
To display a brief configuration and status summary of all interfaces or a specified VLAN, use the show ip interface brief command in EXEC mode.
show ip interface brief [ vlan number ]
Use the show ip interface brief command to display a brief configuration and status summary of all the interfaces or a specified VLAN.
To display a brief configuration and status summary of all the interfaces, enter:
To display the IPv4 destination routes, use the show ip route command in EXEC mode.
This example shows how to display the IPv4 destination routes:
To display the IPv4 routes configured on the Network Processor, use the show ip route np command in EXEC mode.
This example shows how to display the IPv4 routes configured on the Network Processor:
To display the SSH information, use the show ip ssh command in EXEC mode.
This example shows how to display the SSH information:
To display information about IPv6 neighbors, use the show ipv6 neighbors command in EXEC mode.
This example displays the output of the show ipv6 neighbors command:
To display the IPv6 destination route, use the show ipv6 route command in EXEC mode.
This example displays the output of the show ipv6 route command:
To display the IPv6 routes configured on the Network Processor, use the show ipv6 route np command in EXEC mode.
This example shows how to display the IPv6 routes configured on the Network Processor:
To display all VRFs in the system, use the show ip vrf command in EXEC mode. To display a specific VRF, use the show ip vrf vrf_name command.
The following is an example of how to display all VRFs in the system:
member devices: eth0 lo dummy0 tunl0 sit0 ip6tnl0 eth0.70 eth0.32 eth0.72
vrf: id - 2, name - insideBlue
vrf: id - 3, name - outsideRed
vrf: id - 4, name - outsideBlue
The following is an example of how to display the specific VRF named insideRed:
To display the current syslog configuration and syslog messages, use the show logging command.
show logging { config [ | ] [ > ] | message { all cpuid cpu-id | module mod-id }}
To enable system logging, use the logging configuration command. The show logging command lists the current syslog messages and identifies which logging command options are enabled.
Prior to WSG Release 3.1, syslog messages displayed the CPU ID as the name of the source host the messages originated from. WSG Release 3.1 adds the configured hostname alongside the CPU ID in the syslog, which makes it easier to tell which node a message came from when several are managed together.
To display the syslog configuration, enter:
To enable SNMP IPSec traps, use the snmp-server enable traps ipsec global configuration command. To disable traps, use the no form of this command.
snmp-server enable traps ipsec [address-pool-exhaust | too-many-sas | tunnel {start | stop} | cert-expiry | cert-renewal | throughput-threshold | tunnel-rate {create <1-1000> | delete <1-1000>}]
no snmp-server enable traps ipsec [address-pool-exhaust | too-many-sas | tunnel {start | stop} | cert-expiry | cert-renewal | throughput-threshold | tunnel-rate {create <1-1000> | delete <1-1000>}]
Use the snmp-server enable traps ipsec command to enable SNMP IPSec traps. With no keyword, all IPSec traps are enabled.
Here is an example showing how to enable all SNMP IPSec traps:
To specify the hosts to receive SNMP notifications, use the snmp-server host global configuration command. Use the no form of the command to disable this functionality.
snmp-server host { A.B.C.D | X:X:X::X }
This example shows how to use the snmp-server host command; the two configured lines send SNMP version 2c traps to an IPv4 host and an IPv6 host. The community string public is the well-known default and is shown here only for illustration; use a site-specific community string in production:
wsg(config)# snmp-server host ?
<A.B.C.D>|<X:X:X::X> Enter an IP address
wsg(config)# snmp-server host 44.44.44.16 traps version 2c public
wsg(config)# snmp-server host 2001:88:88:94::1 traps version 2c public
This section lists the debug commands for the WSG. Please be aware of the following cautions and restrictions:
Note Debugs are activated on a per-terminal basis. You must turn off debugs from the same terminal you turned them on for them to be deactivated.
Note Turning debugs off from a different terminal will deactivate the application debugs, but it will not deactivate the internal debugging flags.
To enable debugging for various crypto parameters, use the debug crypto command in EXEC mode. Use the no form of the command to disable debugging.
debug crypto { config | snmp | stats | dhcp | eap | engine | fastapi | ha | ike | pki | policy } { errors | events } [ trace ]
no debug crypto { config | snmp | stats | dhcp | eap | engine | fastapi | ha | ike | pki | policy } { errors | events } [ trace ]
snmp: Debug crypto SNMP configuration.
stats: Debug crypto statistics configuration.
Added eap, engine, fastapi, ha, ike, pki, and policy options.
This example shows how to use the debug crypto ike events command:
To enable debugging of tunnel setup and IKE protocol exchanges by peer IP address, use the debug crypto ike remote-ip command in EXEC mode. Use the no form of the command to disable crypto IKE debugging.
debug crypto ike remote-ip ip_address {netmask netmask | ipv6_prefix prefix} [vrf vrf_name] {errors | events | info | verbose } [ trace ]
no debug crypto ike remote-ip ip_address {netmask netmask | ipv6_prefix prefix} [vrf vrf_name] {errors | events | info | verbose } [ trace ]
errors: Debug tunnel exchange failures.
events: Debug tunnel establishment and removal.
info: Debug tunnel initiation and short decodes.
The debug crypto ike remote-ip command requires at least one active profile.
You can configure up to 4 tunnel sets.
IKE exchange initiation, successful completions,
This example shows the use of the debug crypto ike remote-ip command: