-
Cisco IOS Security Command Reference: Commands A to C
-
aaa accounting through aaa local authentication attempts max-fail
-
aaa max-sessions through algorithm
-
all profile map configuration through browser-proxy
-
ca trust-point through clear eou
-
clear ip access-list counters through crl-cache none
-
crypto aaa attribute list through crypto ipsec transform-set
-
crypto isakmp aggressive-mode disable through crypto mib topn
-
crypto pki authenticate through cts sxp retry period
-
Index
-
Feedback
Contents
ca trust-point through clear eou
- cabundle url
- cache authentication profile (server group configuration)
- cache authorization profile (server group configuration)
- cache clear age
- cache disable
- cache expiry (server group configuration)
- cache max
- cache refresh
- call admission limit
- call guard-timer
- category (ips)
- cdp-url
- certificate
- chain-validation (ca-trustpool)
- chain-validation
- cifs-url-list
- cipherkey
- ciphervalue
- cisco (ips-auto-update)
- cisp enable
- citrix enabled
- class type inspect
- class type urlfilter
- class-map type inspect
- class-map type urlfilter
- clear aaa cache filterserver acl
- clear aaa cache filterserver group
- clear aaa cache group
- clear aaa counters servers
- clear aaa local user fail-attempts
- clear aaa local user lockout
- clear access-list counters
- clear access-template
- clear appfw dns cache
- clear ase signatures
- clear authentication sessions
- clear content-scan
- clear crypto call admission statistics
- clear crypto ctcp
- clear crypto datapath
- clear crypto engine accelerator counter
- clear crypto gdoi
- clear crypto gdoi ks cooperative role
- clear crypto ikev2 sa
- clear crypto ikev2 stats
- clear crypto ipsec client ezvpn
- clear crypto isakmp
- clear crypto sa
- clear crypto session
- clear crypto pki benchmarks
- clear crypto pki crls
- clear dmvpn session
- clear dmvpn statistics
- clear dot1x
- clear eap
- clear eou
cabundle url
To configure the URL from which the public key infrastructure (PKI) trustpool certificate authority (CA) bundle is downloaded, use the cabundle url command in ca-trustpool configuration mode. To remove the URL, use the no form of this command.Usage Guidelines
Before you can configure this command, you must enable the crypto pki trustpool policy command, which enters ca-trustpool configuration mode.
Multiple bundle commands can be issued so that the bundle update process is not connected to a single application.
Examples
Router(config)# crypto pki trustpool policy Router(ca-trustpool)# cabundle url http://www.cisco.com/security/pki/crl/crca2048.crlRelated Commands
Command
Description
chain-validation
Enables chain validation from the peer's certificate to the root CA certificate in the PKI trustpool.
crl
Specifes the CRL query and cache options for the PKI trustpool.
crypto pki trustpool import
Manually imports (downloads) the CA certificate bundle into the PKI trustpool to update or replace the existing CA certificate bundle.
crypto pki trustpool policy
Configures PKI trustpool policy parameters.
default
Resets the value of a ca-trustpool configuration command to its default.
match
Enables the use of certificate maps for the PKI trustpool.
ocsp
Specifies OCSP settings for the PKI trustpool.
revocation-check
Disables revocation checking when the PKI trustpool policy is being used.
show
Displays the PKI trustpool policy of the router in ca-trustpool configuration mode.
show crypto pki trustpool
Displays the PKI trustpool certificates of the router and optionally shows the PKI trustpool policy.
source interface
Specifies the source interface to be used for CRL retrieval, OCSP status, or the downloading of a CA certificate bundle for the PKI trustpool.
storage
Specifies a file system location where PKI trustpool certificates are stored on the router.
vrf
Specifies the VRF instance to be used for CRL retrieval.
cache authentication profile (server group configuration)
To specify a cache authentication profile to use in a named RADIUS or TACACS+ server group, use the cache authentication profilecommand in server group configuration mode. To disable an authentication cache profile, use the no form of this command.
Usage Guidelines
Use this command to specify a cache authentication profile for a RADIUS or TACACS+ server group.
Configure the authentication profile prior to applying it to a RADIUS or TACACS+ server group to avoid an error message.
Examples
The following example caches authentication responses from a RADIUS server according to the rules configured in the authentication profile authen-profile:
Router# configure terminal Router(config)# aaa new-model Router(config)# aaa group server radius networkauthentications Router(config-sg-radius)# cache authentication profile authen-profilecache authorization profile (server group configuration)
To specify a cache authorization profile to use in a named RADIUS or TACACS+ server group, use the cache authorization profilecommand in server group configuration mode. To disable an authorization cache profile, use the no form of this command.
Usage Guidelines
Use this command to specify an authorization profile for a RADIUS or TACACS+ server group.
Examples
The following example caches authorization responses from a RADIUS server according to the rules configured in the authorization profile author-profile:
Router# configure terminal Router(config)# aaa new-model Router(config)# aaa group server radius authorizations Router(config-sg-radius)# cache authorization profile author-profile The authorization profile author-profile must be configured prior to applying it to a RADIUS or TACACS+ server group or an error message is generated.cache clear age
To specify when, in minutes, cache entries expire and the cache is cleared, use the cache clear age command in AAA filter configuration mode. To return to the default value, use the no form of this command.
Usage Guidelines
After enabling the aaa cache filtercommand, which allows you to configure cache filter parameters, you can use the cache clear age command to specify when cache entries should expire. If this command is not specified, the default value (1440 minutes) will be enabled.
cache disable
To disable the cache, use the cache disable command in AAA filter configuration mode. To return to the default, use the no form of this command.
cache expiry (server group configuration)
To configure how long cached database profile entries in RADIUS or TACACS+ server groups are stored before they expire, use the cache expirycommand in server group configuration mode. To reset the expiration time to the default value, use the no form of this command.
Usage Guidelines
Use this command to set the amount of time before a cache entry expires (becomes stale). A stale entry is still usable, but the entry will, by default, revise its record with more updated information.
cache max
To limit the absolute number of entries that a cache can maintain for a particular server, use the cache max command in AAA filter configuration mode. To return to the default value, use the no form of this command.
Usage Guidelines
After enabling the aaa cache filtercommand, which allows you to configure cache filter parameters, you can use the cache max command to specify the maximum number of entries the cache can have at any given time. If this command is not specified, the default value (100 entries) will be enabled.
cache refresh
To refresh a cache entry after a new session begins, use the cache refresh command in AAA filter configuration mode. To disable this functionality, use the no form of this command.
Usage Guidelines
The cache refresh command is used in an attempt to keep cache entries from the filter server, that are being referred to by new sessions, within the cache. This command resets the idle timer for these entries when they are referenced by new calls.
call admission limit
To instruct Internet Key Exchange (IKE) to drop security association (SA) requests (that is, calls for Call Admission Control [CAC]) when a specified level of system resources is being consumed, use the call admission limit command in global configuration mode. To disable this feature, use the no form of this command.
Usage Guidelines
To prevent IKE processes from using excessive CPU resources, you can set a limit value depending on the network topology, the capabilities of the router, and the traffic patterns.
Examples
The following example causes IKE to drop calls when a given level of system resources are being used:
Router(config)# call admission limit 90000Related Commands
Command
Description
call admission load
Configures a CAC metric for scaling WAN protocol session load.
crypto call admission limit
Specifies the maximum number of IKE SAs that the router can establish before IKE begins rejecting new SA requests.
show call admission statistics
Monitors the global CAC configuration parameters and the behavior of CAC.
call guard-timer
To set a guard timer to accept or reject a call in the event that the RADIUS server fails to respond to a preauthentication request, use the call guard-timer command in controller configuration mode. To remove the call guard-timer command from your configuration file, use the no form of this command.
call guard-timer milliseconds [ on-expiry { accept | reject } ]
no call guard-timer milliseconds [ on-expiry { accept | reject } ]
Syntax Description
milliseconds
Specifies the number of milliseconds to wait for a response from the RADIUS server.
on-expiry accept
(Optional) Accepts the call if a response is not received from the RADIUS server within the specified time.
on-expiry reject
(Optional) Rejects the call if a response is not received from the RADIUS server within the specified time.
Command History
Release
Modification
12.1(3)T
This command was introduced.
12.2(33)SRA
This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2SX
This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
Examples
The following example shows a guard timer that is set at 20000 milliseconds. A call will be accepted if the RADIUS server has not responded to a preauthentication request when the timer expires.
controller T1 0 framing esf clock source line primary linecode b8zs ds0-group 0 timeslots 1-24 type e&m-fgb dtmf dnis cas-custom 0 call guard-timer 20000 on-expiry accept aaa preauth group radius dnis requiredcategory (ips)
To specify a signature category that is to be used for multiple signature actions or conditions, use the category command in IPS-category configuration mode.
Syntax Description
category
Category name. For a list of supported top-level categories, use the router CLI help (?).
sub-category
(Optional) Category submode. Submode categories are dependent on the category type; that is, submode categories vary from category to category.
For a list of supported submode categories, use the router CLI help (?).
Usage Guidelines
Cisco IOS Intrusion Prevention System (IPS) 5.x uses signatures and signature categories. All signatures are pregrouped into categories; the categories are hierarchical. An individual signature can belong to more than one category. Top-level categories help to define general types of signatures. Subcategories exist beneath each top-level signature category.
Examples
The following example shows how to tune event-action parameters for the signature category “adware/spyware.” All tuning information will be applied to all signatures that belong to the adware/spyware category.
Router(config)# ip ips signature-categor y Router(config-ips-category)# category attack adware/spyware Router(config-ips-category-action)# event-action produce-alert Router(config-ips-category-action)# event-action deny-packet-inline Router(config-ips-category-action)# event-action reset-tcp-connection Router(config-ips-category-action)# retired false Router(config-ips-category-action)# ^Z Do you want to accept these changes? [confirm]ycdp-url
To specify a certificate revocation list (CRL) distribution point (CDP) to be used in certificates that are issued by the certificate server, use the cdp-url command in certificate server configuration mode. To remove a CDP from your configuration, use the no form of this command.
Command Default
When verifying a certificate that does not have a specified CDP, Cisco IOS public key infrastructure (PKI) clients use the Simple Certificate Enrollment Protocol (SCEP) to retrieve the CRL directly from their configured certificate server.
Usage Guidelines
You must configure the crypto pki server command with the name of the certificate server in order to enter certificate server configuration mode and configure this command.
CRLs can be distributed through SCEP, which is the default method, or a CDP, if configured and available. If you set up a CDP, use the cdp-urlcommand to specify the CDP location. The CDP URL may be changed after the certificate server is running, but existing certificates are not reissued with the new CDP that is specified through the cdp-url command.
You may specify the CDP location by a simple HTTP URL string for example,
cdp-url http://server.company.com/ca1.crl
The certificate server supports only one CDP; thus, all certificates that are issued include the same CDP.
If you have PKI clients that are not running Cisco IOS software and that do not support a SCEP GetCRL request, you can specify a non-SCEP request for the retrieval of the CRL from the certificate server by specifying cdp-url command with the URL in the following format where cs-addr is the location of the certificate server:
cdp-url http://cs-addr/cgi-bin/pkiclient.exe?operation=GetCRL
NoteIf your Cisco IOS certificate authority (CA) is also configured as your HTTP CDP server, specify your CDP with the cdp-url http://cs-addr/cgi-bin/pkiclient.exe?operation=GetCRL command syntax.
It is the responsibility of the network administrator to ensure that the CRL is available from the location that is specified through the cdp-url command.
In order to force the parser to retain the embedded question mark within the specified location, enter Ctrl-v prior to the question mark. If this action is not taken, CRL retrieval through HTTP returns an error message.
Examples
The following example shows how to configure a CDP location where the PKI clients do not support SCEP GetCRL requests:
Router(config)# crypto pki server aaa Router(cs-server)# database level minimum Router(cs-server)# database url tftp://10.1.1.1/username1/ Router(cs-server)# issuer-name CN=aaa Router(cs-server)# cdp-url http://server.company.com/certEnroll/aaa.crlThe following example shows how to configure a CDP location where the PKI clients support SCEP GetCRL requests:
Router(config)# crypto pki server aaa Router(cs-server)# database level minimum Router(cs-server)# database url tftp://10.1.1.1/username1 / Router(cs-server)# issuer-name CN=aaa Router(cs-server)# cdp-url http://aaa/cgi-bin/pkiclient.exe?operation=GetCRLExamples
The following example is sample output from the show crypto ca certificates command, which allows you to verify the specified CDP. In this example, the CDP is “http://msca-root.cisco.com/certEnroll/aaa.crl.”
Router# show crypto ca certificates Certificate Status: Available Certificate Serial Number: 03 Certificate Usage: General Purpose Issuer: CN = aaa Subject: Name: Router.cisco.com OID.1.2.840.113549.1.9.2 = Router.cisco.com CRL Distribution Point: http://msca-root.cisco.com/certEnroll/aaa.crl Validity Date: start date: 18:44:49 GMT Jun 6 2003 end date: 18:44:49 GMT Jun 5 2004 renew date: 00:00:00 GMT Jan 1 1970 Associated Trustpoints: bbbRelated Commands
Command
Description
auto-rollover
Enables the automated CA certificate rollover functionality.
crl (cs-server)
Specifies the CRL PKI CS.
crypto pki server
Enables a CS and enters certificate server configuration mode, or immediately generates shadow CA credentials
database archive
Specifies the CA certificate and CA key archive format--and the password--to encrypt this CA certificate and CA key archive file.
database level
Controls what type of data is stored in the certificate enrollment database.
database url
Specifies the location where database entries for the CS is stored or published.
database username
Specifies the requirement of a username or password to be issued when accessing the primary database location.
default (cs-server)
Resets the value of the CS configuration command to its default.
grant auto rollover
Enables automatic granting of certificate reenrollment requests for a Cisco IOS subordinate CA server or RA mode CA.
grant auto trustpoint
Specifies the CA trustpoint of another vendor from which the Cisco IOS certificate server automatically grants certificate enrollment requests.
grant none
Specifies all certificate requests to be rejected.
grant ra-auto
Specifies that all enrollment requests from an RA be granted automatically.
hash (cs-server)
Specifies the cryptographic hash function the Cisco IOS certificate server uses to sign certificates issued by the CA.
issuer-name
Specifies the DN as the CA issuer name for the CS.
lifetime (cs-server)
Specifies the lifetime of the CA or a certificate.
mode ra
Enters the PKI server into RA certificate server mode.
mode sub-cs
Enters the PKI server into sub-certificate server mode
redundancy (cs-server)
Specifies that the active CS is synchronized to the standby CS.
serial-number (cs-server)
Specifies whether the router serial number should be included in the certificate request.
show (cs-server)
Displays the PKI CS configuration.
shutdown (cs-server)
Allows a CS to be disabled without removing the configuration.
certificate
To manually add certificates, use the certificate command in certificate chain configuration mode. To delete your router’s certificate or any registration authority certificates stored on your router, use the no form of this command.
Command History
Release
Modification
11.3 T
This command was introduced.
12.2(33)SRA
This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2SX
This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
Usage Guidelines
You could use this command to manually specify a certificate. However, this command is rarely used in this manner. Instead, this command is usually used only to add or delete certificates.
Examples
The following example deletes the router’s certificate. In this example, the router had a general purpose RSA key pair with one corresponding certificate. The show command is used in this example to determine the serial number of the certificate to be deleted.
myrouter# show crypto ca certificates Certificate Subject Name Name: myrouter.example.com IP Address: 10.0.0.1 Status: Available Certificate Serial Number: 0123456789ABCDEF0123456789ABCDEF Key Usage: General Purpose CA Certificate Status: Available Certificate Serial Number: 3051DF7123BEE31B8341DFE4B3A338E5F Key Usage: Not Set myrouter# configure terminal myrouter(config)# crypto ca certificate chain myca myrouter(config-cert-chain)# no certificate 0123456789ABCDEF0123456789ABCDEF % Are you sure you want to remove the certificate [yes/no]? yes % Be sure to ask the CA administrator to revoke this certificate. myrouter(config-cert-chain)# exitchain-validation (ca-trustpool)
To enable chain validation from the peer's certificate to the root certificate authority (CA) certificate in the public key infrastructure (PKI) trustpool, use the chain-validation command in ca-trustpool configuration mode. To revert to the command default, use the no form of this command.
Usage Guidelines
Before you can configure this command, you must enable the crypto pki trustpool policy command, which enters ca-trustpool configuration mode.
If the chain-validation command is not configured, then the validation stops at the peer certificate's issuer.
Related Commands
Command
Description
cabundle url
Configures the URL from which the PKI trustpool CA bundle is downloaded.
crl
Specifes the CRL query and cache options for the PKI trustpool.
crypto pki trustpool import
Manually imports (downloads) the CA certificate bundle into the PKI trustpool to update or replace the existing CA bundle.
crypto pki trustpool policy
Configures PKI trustpool policy parameters.
default
Resets the value of a ca-trustpool configuration command to its default.
match
Enables the use of certificate maps for the PKI trustpool.
ocsp
Specifies OCSP settings for the PKI trustpool.
revocation-check
Disables revocation checking when the PKI trustpool policy is being used.
show
Displays the PKI trustpool policy of the router in ca-trustpool configuration mode.
show crypto pki trustpool
Displays the PKI trustpool certificates of the router and optionally shows the PKI trustpool policy.
source interface
Specifies the source interface to be used for CRL retrieval, OCSP status, or the downloading of a CA certificate bundle for the PKI trustpool.
storage
Specifies a file system location where PKI trustpool certificates are stored on the router.
vrf
Specifies the VRF instance to be used for CRL retrieval.
chain-validation
To configure the level to which a certificate chain is processed on all certificates, including subordinate certificate authority (CA) certificates, use the chain-validation command in ca-trustpoint configuration mode. To revert to the command default, use the no form of this command.
chain-validation [ { stop | continue } [parent-trustpoint] ]
no chain-validation [ { stop | continue } [parent-trustpoint] ]
Command Default
Certificate chain path processing continues until the first trusted certificate, or trustpoint, is reached.
Usage Guidelines
Configuring the level to which a certificate chain is processed allows for the reauthentication of trusted certificates, the extension of a trusted certificate chain, or the completion of a certificate chain that contains a gap. Devices must be enrolled in your PKI hierarchy and the appropriate key pair associated with the certificate.
If there is more than one parent trustpoint configured, Cisco IOS will select a parent trustpoint based upon configured settings to validate the certificate chain. If you want a specific parent trustpoint to validate certificates, then that trustpoint must be configured with the parent-trustpoint argument specified. All certificates, peer and subordinate CA certificates, are validated in the same manner. All trustpoint settings--ACLs, AAA authorization lists, CDP or OCSP overrides--will apply, as will trustpoint policies for trusted and untrusted certificates.
A trustpoint associated with the root CA cannot be configured to be validated to the next level. If chain-validation continue is configured for the trustpoint associated with the root CA, an error message will be displayed and the chain validation will revert to the default chain-validation stop.
Examples
In the following configuration example, all of the certificates will be validated--the peer, SubCA11, SubCA1, and RootCA certificates.
crypto pki trustpoint RootCA enrollment terminal chain-validation stop revocation-check none rsakeypair RootCA crypto pki trustpoint SubCA1 enrollment terminal chain-validation continue RootCA revocation-check none rsakeypair SubCA1 crypto pki trustpoint SubCA11 enrollment terminal chain-validation continue SubCA1 revocation-check none rsakeypair SubCA11In the following configuration example, the following certificates will be validated--the peer and SubCA1 certificates.
crypto pki trustpoint RootCA enrollment terminal chain-validation stop revocation-check none rsakeypair RootCA crypto pki trustpoint SubCA1 enrollment terminal chain-validation continue RootCA revocation-check none rsakeypair SubCA1 crypto pki trustpoint SubCA11 enrollment terminal chain-validation continue SubCA1 revocation-check none rsakeypair SubCA11In the following configuration example, SubCA1 is not in the configured Cisco IOS hierarchy but is expected to have been supplied in the certificate chain presented by the peer.
If the peer sends SubCA1, SubCA11, and the peer certificates in the certificate chain, the following certificates will be validated--the peer, SubCA11, and SubCA1 certificates.
If the peer does not supply the SubCA1 certificate in the presented certificate chain, the chain validation will fail.
crypto pki trustpoint RootCA enrollment terminal chain-validation stop revocation-check none rsakeypair RootCA crypto pki trustpoint SubCA11 enrollment terminal chain-validation continue RootCA revocation-check none rsakeypair SubCA11cifs-url-list
To enter webvpn URL list configuration mode to configure a list of Common Internet File System (CIFS) server URLs to which a user has access on the portal page of a Secure Sockets Layer Virtual Private Network (SSL VPN) and to attach the URL list to a policy group, use the cifs-url-list command in webvpn context configuration and webvpn group policy configuration mode, respectively. To remove the CIFS server URL list from the SSL VPN context configuration and from the policy group, use the no form of this command.
Command Default
Webvpn URL list configuration mode is not entered, and a list of URLs to which a user has access on the portal page of an SSL VPN website is not configured. If the command is not used to attach a CIFS server URL list to a policy group, then a URL list is not attached to a group policy.
Command Modes
Webvpn context configuration (config-webvpn-context)
Webvpn group policy configuration (config-webvpn-group)Usage Guidelines
Entering this command places the router in webvpn URL list configuration mode. In this mode, the list of CIFS server URLs is configured. A URL list can be configured under the SSL VPN context configuration and then separately for each individual policy group configuration. Individual CIFS server URL list configurations must have unique names.
Examples
The following example shows that CIFS URL lists have been added under the webvpn context and for a policy group:
webvpn context context1 ssl authenticate verify all ! acl "acl1" error-msg "warning!!!..." permit url "http://www.exampleurl1.com" deny url "http://www.exampleurl2.com" permit http any any ! nbns-list l1 nbns-server 10.1.1.20 ! cifs-url-list "c1" heading "cifs-url" url-text "SSLVPN-SERVER2" url-value "\\SSLVPN-SERVER2" url-text "SSL-SERVER2" url-value "\\SSL-SERVER2" ! policy group default acl "acl1" cifs-url-list "c1" nbns-list "l1" functions file-access functions file-browse functions file-entry default-group-policy default gateway public inserviceRelated Commands
Command
Description
heading
Configures the heading that is displayed above URLs listed on the portal page of a SSL VPN website.
policy group
Attaches a URL list to policy group configuration.
url-text
Adds an entry to a URL list.
webvpn context
Enters webvpn context configuration mode to configure the SSL VPN context.
cipherkey
NoteEffective with Cisco IOS Release 15.2(4)M, the cipherkey command is not available in Cisco IOS software.
To specify the symmetric keyname that is used to decrypt the filter, use the cipherkey command in FPM match encryption filter configuration mode.
Usage Guidelines
If you have access to an encrypted traffic classification definition file (eTCDF) or if you know valid values to configure encrypted Flexible Packet Matching (FPM) filters, you can configure the same eTCDF through the command-line interface instead of using the preferred method of loading the eTCDF on the router. You must create a class map of type access-control using the class-map type command, and use the match encrypted command to configure the match criteria for the class map on the basis of encrypted FPM filters and enter FPM match encryption filter configuration mode. You can then use the appropriate commands to specify the algorithm, cipher key, cipher value, filter hash, filter ID, and filter version. You can copy the values from the eTCDF by opening the eTCDF in any text editor.
Use the cipherkey command to specify the the symmetric keyname that is used to decrypt the filter.
ciphervalue
Note
Effective with Cisco IOS Release 15.2(4)M, the ciphervalue command is not available in Cisco IOS software.
To specify the encrypted filter contents, use the ciphervalue command in FPM match encryption filter configuration mode.
Usage Guidelines
If you have access to an encrypted traffic classification definition file (eTCDF) or if you know valid values to configure encrypted Flexible Packet Matching (FPM) filters, you can configure the same eTCDF through the command-line interface instead of using the preferred method of loading the eTCDF on the router. You must create a class map of type access-control using the class-map type command, and use the match encrypted command to configure the match criteria for the class map on the basis of encrypted FPM filters and enter FPM match encryption filter configuration mode. You can then use the appropriate commands to specify the algorithm, cipher key, cipher value, filter hash, filter ID, and filter version. You can copy the values from the eTCDF by opening the eTCDF in any text editor.
Use the ciphervalue command to specify the encrypted filter contents. You can enter up to 200 characters at a time in a multiline input mode for the encrypted filter contents. The new line character (\n) and line feed character (\r) entered in the multiline input mode are ignored in the final cipher value contents.
Examples
The following example shows how to specify the encrypted filter contents:
Router(config)# class-map type access-control match-all c1 Router(config-cmap)# match encrypted Router(c-map-match-enc-config)# ciphervalue #2bcXhFL8Ld1v+DqU+dnxgmONCxl4JrYfcLl95xg ET0b2B1z0sjoCkozE8YxiH/SXL+eG2wf3ogaA7/Fh awIH7OF3tUcS5Jwim/u95Xlzh2RLNw819tuIBCdorV Cu0ZzWCF3vqwpGQzaxtSE4sFgPAvSE2LxZc/VT22 F7EQKBhRo=# Router(c-map-match-enc-config)#cisco (ips-auto-update)
To enable automatic Cisco IOS Intrusion Prevention System (IPS) signature updates from Cisco.com, use the cisco command in IPS-auto-update configuration mode. To disable automatic IPS signature updates from Cisco.com, use the no form of this command.
Examples
The following example shows how to configure automatic signature updates from Cisco.com that occur at the third hour of the 5 day of the month, at the 56th minute of this hour.
NoteAdjustments are made for months without 31 days and daylight savings time.
Router(config)# ip ips auto-update Router(config-ips-auto-update)# cisco Router(config-ips-auto-update)# occur-at monthly 5 56 3cisp enable
To enable Client Information Signalling Protocol (CISP) on a switch so that it acts as an authenticator to a supplicant switch, use the cisp enable command in global configuration mode. To disable CISP, use the no form of this command.
Usage Guidelines
Use CISP on a switch so that it acts as an authenticator to a supplicant switch. The link between the authenticator and supplicant switch is a trunk. When you enable VLAN Trunk Protocol (VTP) on both switches, the VTP domain name must be the same, and the VTP mode must be server.
citrix enabled
To enable Citrix application support for end users in a policy group, use the citrix enabled command in webvpn group policy configuration mode. To remove Citrix support from the policy group configuration, use the no form of this command.
Usage Guidelines
Citrix support allows a citrix client to use applications running on a remote server as if they were running locally. Entering the citrix-enabled command configures Citrix support for the policy group.
class type inspect
To specify the traffic (class) on which an action is to be performed, use the class type inspect command in policy-map configuration mode. To delete a class, use the no form of this command.
class type inspect class-map-name
no class type inspect class-map-name
Layer 7 (Application-Specific) Traffic Class Syntax
class type inspect protocol-name class-map-name
no class type inspect protocol-name class-map-name
Syntax Description
Command History
Release
Modification
12.4(6)T
This command was introduced.
12.4(9)T
This command was modified. Support for the IM protocol and the following keywords was added: aol, msnmsgr, ymsgr.
Support for the P2P protocol and the following keywords was added: edonkey, fasttrack, gnutella, kazaa2.
12.4(20)T
This command was modified. Support for the ICQ and Windows Messenger IM protocols and the following keywords was added: icq, winmsgr.
Support for the H.323 protocol and the following keyword was added: h323.
Support for SIP and the following keyword was added: sip.
Cisco IOS XE Release 3.4S
This command was modified. The following GTP keywords were added: gtpv0, gtpv1.
Usage Guidelines
Use the class type inspect command to specify the class and protocol (if applicable) on which an action is to be performed.
Thereafter, you can specify any of the following actions: drop, inspect, pass, reset, urlfilter, or attach a Layer 7 (application-specific) policy map to a “top-level” (Layer 3 or Layer 4) policy map (with the service-policy (policy-map) command).
NoteA Layer 7 policy is considered to be a nested policy of the top-level policy, and it is called a child policy.
NoteTo attach a Layer 7 policy-map, it is mandatory to configure the inspect action under class type inspect .
Examples
The following example shows how to configure the “my-im-pmap” policy map with two IM classes (AOL and Yahoo Messenger) and only allow text-chat messages to pass through. When any packet with a service other than “text-chat” is seen, the connection will be reset.
class-map type inspect aol match-any my-aol-cmap match service text-chat ! class-map type inspect ymsgr match-any my-ysmgr-cmap match service any ! policy-map type inspect im my-im-pmap class type inspect aol my-aol-cmap allow log ! class type inspect ymsgr my-ysmgr-cmap rest log ! class-map type inspect gtpv1 match-any gtp_policy_gtpv1 match message-id 18 policy-map type inspect gtpv1 gtp_policy_gtpv1 class type inspect gtpv1 gtp_policy_gtpv1 logRelated Commands
Command
Description
class-map type inspect
Creates a Layer 3 and Layer 4 or a Layer 7 (application-specific) inspect-type class map.
policy-map type inspect
Creates a Layer 3 and Layer 4 or a Layer 7 (application-specific) inspect-type policy map.
service-policy (policy-map)
Attaches a Layer 7 policy map to a top-level Layer 3 or Layer 4 policy map.
class type urlfilter
To associate a URL filter class with a URL filtering policy map, use the class type urlfilter command in policy-map configuration mode. To disassociate the class, use the no form of this command.
class type urlfilter [ trend | n2h2 | websense ] class-map-name
no class type urlfilter [ trend | n2h2 | websense ] class-map-name
Syntax Description
trend
(Optional) Specifies that the class map applies to a Trend Micro filtering URL filtering policy. If a keyword is not specified, the class map applies to a local filtering policy.
n2h2
(Optional) Specifies that the class map applies to a SmartFilter URL filtering policy. If a keyword is not specified, the class map applies to a local filtering policy.
websense
(Optional) Specifies that the class map applies to a Websense URL filtering policy. If a keyword is not specified, the class map applies to a local filtering policy.
class-map-name
Name of the URL filter class map.
Usage Guidelines
Use the class type urlfilter command to associate a class with a URL filtering policy map. You can associate one or more classes with the URL filtering policy map. You must create the class map for the class before you can associate the class with the policy map. In addition, you must use the parameter type urlfpolicy command to associate URL filtering parameters with the policy before you canassociate a class with the URL filtering policy map.
Examples
The following example shows how the class type urlfiltercommand is used to create the URL filtering policy map trend-policy and associate three classes with the policy map--trusted-domain-class, untrusted-domain-class, and drop-category.
policy-map type inspect urlfilter trend-policy parameter type urlfpolicy trend trend-param-map class type urlfilter trusted-domain-class log allow class type urlfilter untrusted-domain-class log reset class type urlfilter trend drop-category log resetclass-map type inspect
To create a Layer 3 and Layer 4 or a Layer 7 (application-specific) inspect type class map, use the class-map type inspect command in global configuration mode. To remove a class map from the router configuration file, use the no form of this command.
Layer 3 and Layer 4 (Top Level) Class Map Syntax
class-map type inspect { match-any | match-all } class-map-name
no class-map type inspect { match-any | match-all } class-map-name
Layer 7 (Application-Specific) Class Map Syntax
class-map type inspect protocol-name { match-any | match-all } class-map-name
no class-map type inspect protocol-name { match-any | match-all } class-map-name
Syntax Description
Command History
Release
Modification
12.4(6)T
This command was introduced.
12.4(9)T
This command was modified. The following P2P protocol keywords were added: edonkey, fasttrack, gnutella, kazaa2.
The following IM protocol keywords were added: aol, msnmsgr, ymsgr.
12.4(15)XZ
This command was modified. Support for the Session Initiation Protocol (SIP) was added.
12.4(20)T
This command was modified. The following IM protocol keywords were added: icq, winmsgr.
The following VoIP protocol keyword was added: h323 (Version 4).
15.1(2)T
This command was modified. Support for IPv6 was added.
Cisco IOS XE Release 3.2S
This command was modified. The following keywords were added: smtp, imap, pop3, and sunrpc.
Cisco IOS XE Release 3.4S
This command was modified. The following GTP keywords were added: gtpv0, gtpv1.
Cisco IOS XE Release 3.9S
This command was modified. The gtpv2 keyword was added.
Usage Guidelines
Use the class-map type inspect command to specify the name and protocol (if applicable) of a Layer 3, Layer 4, or Layer 7 class map.
Layer 3 and Layer 4 (Top-Level) Class Maps
You can configure a top-level (Layer 3 or Layer 4) class map, which allows you to identify the traffic stream at a high level, by issuing the match access-group and match protocol commands. These class maps cannot be used to classify traffic at the application level (the Layer 7 level).
Layer 7 (Application-Specific) Class Maps
Application-specific class maps allow you to identify traffic based on the attributes of a given protocol. Match conditions in these class maps are specific to an application (for example, HTTP or SMTP). In addition to the type inspect, you must specify a protocol name (protocol-name argument) to create an application-specific class map.
NoteConfiguring the match access-group 101 filter enables Layer-4 inspection. As a result, Layer-7 inspection is skipped unless the class-map is of type match-all.
Examples
The following example shows how to configure class map c1 with the match criterion of ACL 101 based on the HTTP protocol:
class-map type inspect match-all c1 match access-group 101 match protocol httpThe following example shows how to configure the class map winmsgr-textchat with the match criterion of text-chat based on the Windows IM protocol:
class-map type inspect match-any winmsgr winmsgr-textchat match service text-chatThe following example shows how to configure the class map gtpv2_l4c with the match criterion of Layer7 based on the GTPv1 protocol:
class-map type inspect match-all gtpv2_l4c match protocol gtpv1Related Commands
Command
Description
match access-group
Configures the match criteria for a class map based on the specified ACL number or name.
match class-map
Uses a traffic class as a classification policy.
match protocol
Configures the match criteria for a class map based on the specified protocol.
match service
Configures the match criteria for a class map based on the specified IM protocol.
class-map type urlfilter
To create or modify a URL filter class map, use the class-map type urlfilter command in global configuration mode. To remove the class map, use the no form of this command.
class-map type urlfilter [ trend | n2h2 | websense ] [match-any] class-map-name
no class-map type urlfilter [ trend | n2h2 | websense ] [match-any] class-map-name
Syntax Description
trend
(Optional) Specifies that the class map applies to a Trend Micro URL filtering policy. If a keyword is not specified, the class map applies to a local URL filtering policy.
n2h2
(Optional) Specifies that the class map applies to a SmartFilter URL filtering policy. If a keyword is not specified, the class map applies to a local URL filtering policy.
websense
(Optional) Specifies that the class map applies to a Websense URL filtering policy. If a keyword is not specified, the class map applies to a local URL filtering policy.
match-any
(Optional) Specifies how URL requests are evaluated when multiple match criteria exist in a class map.
class-map-name
Name of the URL filter class map.
Usage Guidelines
Use the class-map type urlfilter command to enter class-map configuration mode and create or modify a URL filter class map. The class map is used as a traffic filter to segregate HTTP traffic for which a URL filtering policy applies. If you specify multiple match criteria and want to segregate the traffic when there is at least one match, use the match-any keyword. If you do not specify a type of filtering policy with the trend, n2h2, or websense keyword, then the class map applies to a local URL filtering policy.
Local Class Maps
Use the class-map type urlfilter match-any class-m ap-name to create or modify a local class map. filtering mode. Typically, you create three local class maps: one to specify trusted domains, one to specify untrusted domains, and one to specify keywords to block.
To specify the match criteria for the trusted and untrusted domain classes, use the following command:
- match server-domain urlf-glob parameter-map-name
Before you use this command, you must configure the urlf-glob parameter with the parameter-map type urlf-glob command.
To specify the match criteria for the keyword class map use the following command:
- match url-keyword urlf-glob parameter-map-name
Before you use this command, you must configure the urlf-glob keyword with the parameter-map type urlf-glob command.
Trend Micro Class Maps
Use the class-map type urlfilter trend match-any class-m ap-name command to create or modify a URL class map for the Trend Router Provisioning Server (TRPS). Typically, you create two Trend Micro class maps: one to specify URL categories and one to specify URL reputations.
To specify the Trend Micro URL categories for which filtering takes place, use the following command:
- match url category category-name
To specify the Trend Micro URL reputations for which filtering takes place, use the following command:
- match url reputation reputation-name
SmartFilter Class Maps
Use the class-map type urlfilter n2h2 class-map-name command to create or modify a URL filter class map for a SmartFilter filtering service. Use the following command to specify the match condition for the class map:
- match server-response any
Websense Class Maps
Use the class-map type urlfilter websense class-map-name command to create or modify a URL filter class map for a Websense filtering server. Use the following command to specify the match condition for the class map:
- match server-response any
Examples
The following example configures the parameters for local filtering, and then specifies three class maps for local URL filtering: trusted-domain-class, untrusted-domain-class, and keyword-class:
parameter-map type urlf-glob trusted-domains-param pattern www.example.com pattern *.example1.com parameter-map type urlf-glob untrusted-domain-param pattern www.example2.com pattern www.example3.org parameter-map type urlf-glob keyword-param pattern games pattern adult class-map type urlfilter match-any trusted-domain-class match server-domain urlf-glob trusted-domain-param class-map type urlfilter match-any untrusted-domain-class match server-domain urlf-glob untrusted-domain-param class-map type urlfilter match-any keyword-class match url-keyword urlf-glob keyword-paramThe following example configures two class maps for Trend Micro filtering: drop-category and drop-reputation:
class-map type urlfilter trend match-any drop-category match url category Gambling match url category Personals-Dating class-map type urlfilter trend match-any drop-reputation match url reputation PHISHING match url reputation ADWAREThe following example specifies a class map for SmartFilter filtering called n2h2-class and configures the match criteria as any response from the SmartFilter server:
class-map type urlfilter n2h2 match-any n2h2-class match server-response anyRelated Commands
Command
Description
match server-domain urlf-glob
Specifies the server domain match criteria for a URL filtering class map.
match server-response any
Specifies the match criterion for SmartFilter and Websense class maps.
match url category
Specifies the URL category match criteria for a URL filtering class map.
match url-keyword urlf-glob
Specifies the URL keyword match criteria for a URL filtering class map.
match url reputation
Specifies the URL reputation match criteria for a URL filtering class map.
parameter-map type urlf-glob
Specifies the filtering parameters for trusted domains, untrusted domains, and blocked keywords.
clear aaa cache filterserver acl
To clear the cache status for a particular filter or all filters, use the clear aaa cache filterserver aclcommand in EXEC mode.
Usage Guidelines
After you clear the cache status for a particular filter or all filters, it is recommended that you enable the show aaa cache filterserver command to verify that the cache status.
clear aaa cache filterserver group
To clear contents of the server group cache, use the clear aaa cache filterserver group command in privileged EXEC mode.
Command History
Release
Modification
15.0(1)M
This command was introduced in a release earlier than Cisco IOS Release 15.0(1)M.
12.2(33)SRC
This command was integrated into a release earlier than Cisco IOS Release 12.2(33)SRC.
12.2(33)SXI
This command was integrated into a release earlier than Cisco IOS Release 12.2(33)SXI.
Cisco IOS XE Release 2.1
This command was integrated into Cisco IOS XE Release 2.1.
clear aaa cache group
To clear an individual entry or all entries in the cache, use the clear aaa cache groupcommand in privileged EXEC mode.
Usage Guidelines
Use this command to clear cache entries.
NoteTo update an old record with profile cache settings and to remove an old record from the cache, clear the cache for the profile.
clear aaa counters servers
To clear the authentication, authorization, and accounting (AAA) server information, use the clear aaa counters serverscommand in privileged EXEC mode.
Command History
Release
Modification
15.0(1)M
This command was introduced in a release earlier than Cisco IOS Release 15.0(1)M.
12.2(33)SRC
This command was integrated into a release earlier than Cisco IOS Release 12.2(33)SRC.
12.2(33)SXI
This command was integrated into a release earlier than Cisco IOS Release 12.2(33)SXI.
Cisco IOS XE Release 2 .1
This command was integrated into Cisco IOS XE Release 2.1.
15.2(4)S1
This command was modified. The all keyword was modified to clear all AAA counter server information except for the estimated outstanding and throttled (access and accounting) transactions.
clear aaa local user fail-attempts
To clear the unsuccessful login attempts of a user, use the clear aaa local user fail-attemptscommand in privileged EXEC mode.
Examples
The following example shows that the unsuccessful login attempts for all users will be cleared:
Router# clear aaa local user fail-attempts allclear aaa local user lockout
To unlock the locked-out users, use the clear aaa local user lockout command in privileged EXEC mode.
Examples
The following example shows that all locked-out users will be unlocked:
Router# clear aaa local user lockout allRelated Commands
Command
Description
aaa local authentication attempts max-fail
Specifies the maximum number of unsuccessful authentication attempts before a user is locked out.
clear aaa local user fail-attempts
Clears the unsuccessful login attempts of a user.
show aaa local user loced
Displays a list of all locked-out users.
clear access-list counters
To clear the counters of an access list, use the clear access-list counterscommandin privilegedEXEC mode.
Command History
Release
Modification
11.0
This command was introduced.
12.2(33)SRA
This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2SX
This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
Usage Guidelines
Some access lists keep counters that count the number of packets that pass each line of an access list. The show access-lists command displays the counters as a number of matches. Use the clear access-list counters command to restart the counters for a particular access list to 0.
clear access-template
To manually clear a temporary access list entry from a dynamic access list, use the clear access-template command in privileged EXEC mode.
clear access-template { access-list-number | name } template-name { source-address source-wildcard-bit | any | host { hostname | source-address } } { destination-address dest-wildcard-bit | any | host { hostname | destination-address } } [ timeout minutes ]
Syntax Description
access-list-number
Number of the dynamic access list. The ranges are from 100 to 199 and from 2000 to 2699.
name
Name of an IP access list.
- The name cannot contain a space or quotation mark, and must begin with an alphabetic character to avoid ambiguity with numbered access lists.
template-name
Name of a dynamic access list.
source-address
Source address in a dynamic access list.
- All other attributes are inherited from the original access-list entry.
source-wildcard-bit
Source wildcard bits.
any
Specifies any source hostname.
host
Specifies a specific source host.
hostname
Name of the host.
destination-address
Destination address in a dynamic access list.
- All other attributes are inherited from the original access-list entry.
dest-wildcard-bit
Destination wildcard bits.
timeout minutes
(Optional) Specifies a maximum time limit, in minutes, for each entry within this dynamic list. The range is from 1 to 9999.
- This is an absolute time, from creation, that an entry can reside in the list. The default is an infinite time limit and allows an entry to remain permanently.
Command History
Release
Modification
11.1
This command was introduced.
12.2(33)SRA
This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2SX
This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
15.0(1)M
This command was modified in a release earlier than Cisco IOS Release 15.0(1)M. The any, host hostname, and timeout minutes keywords and arguments were added.
Usage Guidelines
The clear access-template command is related to the lock-and-key access feature. It clears any temporary access list entries that match the parameters you define.
Examples
The following example shows how to clear any temporary access list entries with a source of 172.20.1.12 from the dynamic access list named vendor:
Router> enable Router# clear access-template vendor 172.20.1.12 any host 172.20.1.13clear appfw dns cache
To clear at least one IP address from the Domain Name System (DNS) cache, use the clear appfw dns cachecommand in privileged EXEC mode.
Syntax Description
name dns-name
DNS name of the IM server as entered in the server name command in application firewall policy.
address address
(Optional) Deletes a specific IP address from the DNS server cache.
If an IP address is not specified, all IP addresses for the dns-name are deleted from the DNS server cache.
Usage Guidelines
Resolved IP addresses are never “timed out” and not automatically removed from the DNS cache. Thus, if you find an obsolete IP address in the instant messenger database (DNS cache), you can issue the clear appfw dns cache command to remove the IP address and prevent the address from being interpreted by the router as an IM server.
Only one IP address can be deleted at a time. If the deleted IP address appears in the subsequent DNS resolution, the IP address is added to the DNS cache again.
clear ase signatures
NoteEffective with Cisco IOS Release 12.4(24), the clear ase signatures command is not available in Cisco IOS software.
To remove all Automatic Extraction Signatures (ASEs), use the clear ase signatures command in privileged EXEC configuration mode.
Usage Guidelines
This command is used to remove all the generated signatures that are displayed in the show ase signatures command output.
This command is used on the Cisco 1800, 2800, and 7200 series routers, Cisco 7301 router, and Integrated Services Routers (ISRs) as ASE sensors.
Examples
The following example output demonstrates the result of removing generated signatures:
Router# show ase signatures Automatic Signature Extraction Detected Signatures ================================================== Signature Hash: 0x1E4A2076AAEA19B1, Offset: 54, Dest Port: TCP 135, Signature: 05 00 00 03 10 00 00 00 F0 00 10 00 01 00 00 00 B8 00 00 00 00 00 03 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Signature Hash: 0x24EC60FB1CF9A800, Offset: 72, Dest Port: TCP 445, Signature: 00 00 00 00 00 00 00 00 00 00 00 00 FF FE 00 00 00 00 00 62 00 02 50 43 20 4E 45 54 57 4F 52 4B 20 50 52 4F 47 52 41 4D Signature Hash: 0x0B0275535FFF480C, Offset: 54, Dest Port: TCP 445, Signature: 00 00 00 85 FF 53 4D 42 72 00 00 00 00 18 53 C8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 FF FE 00 00 00 00 00 62 00 02 Router# clear ase signatures Router# show ase signatures Automatic Signature Extraction Detected Signatures ==================================================The table below describes the significant fields shown in the display.
Table 1 clear ase signatures Field Descriptions Field
Description
Signature Hash
Hash (total) value of the 40-byte pattern, used as a check number for error control
Offset
Offset within the packet where the pattern begins
Dest Port
Layer 4 destination port for packets that contain this pattern
Signature
40 bytes of packet data used to potentially identify a piece of malware
Related Commands
Command
Description
ase collector
Enters the ASE collector server IP address so that the ASE sensor has IP connectivity to the ASE collector.
ase group
Identifies the TIDP group number for the ASE feature.
ase enable
Enables the ASE feature on a specified interface.
ase signature extraction
Enables the ASE feature globally on the router.
debug ase
Provides error, log, messaging, reporting, status, and timer information.
show ase
Shows the ASE run-time status, which includes the TIDP group number.
clear authentication sessions
To clear information about current Auth Manager sessions and force 802.1X clients on all 802.1X-enabled interfaces to initialize or reauthenticate, use the clear authentication sessionscommand in privileged EXEC mode.
NoteEffective with Cisco IOS Release 12.2(33)SXI, the clear authentication session command replaces the dot1x intitialize and dot1x re-authenticate commands.
clear authentication sessions [ handle handle-id ] [ interface type number ] [ mac mac-address ] [ method method-name ] [ session-id session-name ]
Syntax Description
handle handle-id
(Optional) Specifies the particular handle for which Auth Manager information is to be displayed.
interface type number
(Optional) Specifies a particular interface type and number for which Auth Manager information is to be displayed.
mac mac-address
(Optional) Specifies the particular MAC address for which you want to display information.
method method-name
(Optional) Specifies the particular authentication method for which Auth Manager information is to be displayed.
session-id session-name
(Optional) Clears a particular authentication session by reference to its session ID.
Examples
The following example shows how to use the clear authentication sessions command to clear information for all Auth Manager sessions:
Switch# clear authentication sessionsThe following example shows how to use the clear authentication sessions command to clear information for the Auth Manager session on a particular interface:
Switch# clear authentication sessions interface GigabitEthernet/0/23The following example shows how to use the clear authentication sessions command to clear information for the Auth Manager session on a particular MAC address:
Switch# clear authentication sessions mac 000e.84af.59bdclear content-scan
To clear the content scan configuration information, use the clear content-scan command in privileged EXEC mode.
Usage Guidelines
Cisco ScanSafe web security provides content scanning of HTTP and secure HTTP (HTTPS) traffic and malware protection service to web traffic. The content scanning process redirects client web traffic to the ScanSafe web servers. ScanSafe servers scan the web traffic content and either allow or block traffic based on compliance with the configured policies and thus protect clients from malware. Content scanning is enabled on an Internet-facing WAN interface to protect the web traffic that goes out. Use the clear content-scan command to clear content scan configuration information.
clear crypto call admission statistics
To clear the counters that track the number of accepted and rejected Internet Key Exchange (IKE) requests, use the call admission limit command in global configuration mode.
clear crypto ctcp
To clear all Cisco Tunnel Control Protocol (cTCP) sessions and all Internet Key Exchange (IKE) and IPsec security associations (SAs) that are created on those sessions, use the clear crypto ctcpcommand in privileged EXEC mode.
Examples
The following example shows that all cTCP sessions and all IKE and IPsec SAs that are created on those sessions are to be cleared:
Router# clear crypto ctcpThe following example shows that only cTCP sessions for peer 10.76.235.21 and all IKE and IPsec SAs that are created on those sessions are to be cleared.
Router# clear crypto ctcp peer 10.76.235.21clear crypto datapath
To clear the counters or error history buffers in an encrypted network, use the clear crypto datapathcommand in privileged EXEC mode.
Syntax Description
ipv4
Clears all counters in a network using IPv4.
ipv6
Clears all counters in a network using IPv6.
error
(Optional) Clears the error history buffer.
internal
(Optional) Clears the internal event counter.
punt
(Optional) Clears the punt event counter.
success
(Optional) Clears the success event counter.
Usage Guidelines
Use the clear crypto datapath command to clear the history buffers or counters associated with an encrypted data path. You must specify the IP version for the network. If you only use the IP version keyword, all counters will be cleared. To clear only a specific counter, enter the keyword for that counter.
clear crypto engine accelerator counter
To reset the statistical and error counters of the hardware accelerator of the router or the IPsec Virtual Private Network (VPN) Shared Port Adapter (SPA) to zero, use the clear crypto engine accelerator counter command in privileged EXEC mode.
clear crypto engine accelerator counter
IPsec VPN SPA
clear crypto engine accelerator statistic [ slot slot /subslot | all ] [detail]
Syntax Description
slot slot / subslot
(IPsec VPN SPA only--Optional) Chassis slot number and secondary slot number on the SPA Interface Processor (SIP) where the SPA is installed. Refer to the appropriate hardware manual for slot information. For SIPs, refer to the platform-specific SPA hardware installation guide or the corresponding “Identifying Slots and Subslots for SIPs and SPAs” topic in the platform-specific SPA software configuration guide.
Resets platform statistics for the corresponding IPsec VPN SPA to zero. This output will not include network interface controller statistics.
all
(IPsec VPN SPA only--Optional) Resets platform statistics for all IPsec VPN SPAs on the router to zero. This reset will not include network interface controller statistics.
detail
(IPsec VPN SPA only--Optional) Resets platform statistics for the IPsec VPN SPA and network interface controller statistics to zero.
Command History
Release
Modification
12.1(3)XL
This command was introduced for the Cisco uBR905 cable access router.
12.2(2)XA
Support was added for the Cisco uBR925 cable access router.
12.2(13)T
This command was integrated into Cisco IOS Release 12.2(13)T and implemented for the AIM-VPN/EPII and AIM-VPN/HPII on the following platforms: Cisco 2691, Cisco 3660, Cisco 3725, and Cisco 3745.
12.2(15)ZJ
This command was implemented for the AIM-VPN/BPII on the following platforms: Cisco 2610XM, Cisco 2611XM, Cisco 2620XM, Cisco 2621XM, Cisco 2650XM, and Cisco 2651XM.
12.3(4)T
The AIM-VPN/BPII was integrated into Cisco IOS Release 12.3(4)T on the following platforms: Cisco 2610XM, Cisco 2611XM, Cisco 2620XM, Cisco 2621XM, Cisco 2650XM, and Cisco 2651XM.
12.2(33)SRA
This command was integrated into Cisco IOS Release 12.2(33)SRA to support the IPsec VPN SPA on Cisco 7600 series routers and Catalyst 6500 series switches.
12.2(33)SXH
This command was integrated into Cisco IOS Release 12.2(33)SXH.
Usage Guidelines
No specific usage guidelines apply to the hardware accelerators.
IPsec VPN SPA
Enter the slot keyword to reset platform statistics for the corresponding IPsec VPN SPA to zero. This reset will not include network interface controller statistics.
Enter the all keyword to reset platform statistics for all IPsec VPN SPAs on the router to zero. This reset will not include network interface controller statistics.
Enter the detail keyword to reset both the platform statistics for the IPsec VPN SPA and network interface controller statistics to zero.
Examples
The following example shows the statistical and error counters of the hardware accelerator being cleared to zero:
Router# clear crypto engine accelerator counterIPsec VPN SPA
The following example shows the platform statistics for the IPsec VPN SPA in slot 2, subslot 1 being cleared to zero:
Router# clear crypto engine accelerator counter slot 2/1The following example shows the platform statistics for all IPsec VPN SPAs on the router being cleared to zero:
Router# clear crypto engine accelerator counter allRelated Commands
Command
Description
crypto ca
Defines the parameters for the certification authority used for a session.
crypto cisco
Defines the encryption algorithms and other parameters for a session.
crypto dynamic map
Creates a dynamic map crypto configuration for a session.
crypto engine accelerator
Enables the use of the onboard hardware accelerator for IPsec encryption.
crypto ipsec
Defines the IPSec security associations and transformation sets.
crypto isakmp
Enables and defines the IKE protocol and its parameters.
crypto key
Generates and exchanges keys for a cryptographic session.
crypto map
Creates and modifies a crypto map for a session.
debug crypto engine accelerator control
Displays each control command as it is given to the crypto engine.
debug crypto engine accelerator packet
Displays information about each packet sent for encryption and decryption.
show crypto engine accelerator ring
Displays the contents of command and transmits rings for the crypto engine.
show crypto engine accelerator sa database
Displays the active (in-use) entries in the crypto engine SA database.
show crypto engine accelerator statistic
Displays the current run-time statistics and error counters for the crypto engine.
show crypto engine brief
Displays a summary of the configuration information for the crypto engine.
show crypto engine configuration
Displays the version and configuration information for the crypto engine.
show crypto engine connections
Displays a list of the current connections maintained by the crypto engine.
clear crypto gdoi
To clear the state of the current session of a Group Domain of Interpretation (GDOI) group member (GM) with the key server, use the clear crypto gdoi command in privileged EXEC mode.
clear crypto gdoi [ group group-name ] [ ks coop { counter | role } | ks members [ counters | now ] | replay counter ]
Syntax Description
group group-name
(Optional) Name of the group.
ks coop
(Optional) Specifies that data will be cleared for the cooperative key server (KS).
counter
(Optional) Clears the counters for the cooperative KS.
role
(Optional) Clears the role of the cooperative KS.
ks members
(Optional) Specifies that the data will be cleared for GMs on the current KS.
counters
(Optional) Clears the counters for all GMs on the current KS.
now
(Optional) Forces GMs to delete old TEKs and KEKs immediately and re-register.
replay counter
(Optional) Clears the anti-replay counters.
Command History
Release
Modification
12.4(6)T
This command was introduced.
12.4(11)T
This command was modified. The group and replay keywords and the group-name argument were added.
Cisco IOS XE Release 2.3
This command was integrated into Cisco IOS XE Release 2.3.
15.1(3)T
This command was modified. The ks members counters keyword combination was added.
15.2(1)T
This command was modified. The now keyword was added.
Cisco IOS XE Release 3.8S
This command was modified. The now keyword was added.
Usage Guidelines
If this command is issued on the group member, the policy of the group member is deleted, and the group member re-registers with the key server.
If this command is issued on the key server, the state on the key server is deleted. If redundancy is configured and this command is issued on the key server, the key server goes back into election mode to elect a new primary key server.
Examples
If the following command is issued on the key server, the state on the key server is cleared. If the command is issued on a group member, the state is cleared for the entire group, and a re-registration to the key server is forced:
Device# clear crypto gdoiIf the following command is issued on the key server, the state of the group that is specified is cleared on the key server. If the command is issued on a group member, the state of the group that is specified is cleared on the group member, and re-registration to the key server is forced:
Device# clear crypto gdoi group group1The following command clears the anti-replay counters for the GDOI groups:
Device# clear crypto gdoi replay counterThe following command clears the counters for the cooperative key server:
Device# clear crypto gdoi ks coop counterThe following command clears all counters for all GMs on the current key server:
Device# clear crypto gdoi ks members countersThe following command forces GMs to delete old TEKs and KEKs immediately and re-register:
Device# clear crypto gdoi ks members nowclear crypto gdoi ks cooperative role
To reset the cooperative role of the key server and to initiate the election process on the key server, use the clear crypto gdoi ks cooperative role command in privileged EXEC mode.
Usage Guidelines
If the clear crypto gdoi ks cooperative role command is executed on a secondary key server, the election is triggered on that secondary key server although that server would most likely remain a secondary key server because there has been an elected primary key server. However, if the clear crypto gdoi ks cooperative role command is executed on the primary key server, the primary key server is reassigned to a secondary role, and as a result, a new election that involves all the key servers is triggered. If the previous primary server has the highest priority (of all the key servers), it again becomes the primary server. If the previous primary server does not have the highest priority, the server having the highest priority is elected as the new primary server.
clear crypto ikev2 sa
To clear the Internet Key Exchange Version 2 (IKEv2) security associations (SA), use the clear crypto ikev2 sa command in privileged EXEC mode.
clear crypto ikev2 sa [ local { ipv4-address | ipv6-address } | remote { ipv4-address | ipv6-address } | fvrf vrf-name | psh number | reconnect ]
Syntax Description
local {ipv4-address | ipv6-address} (Optional) Clears the IKEv2 security associations matching the local address.
remote {ipv4-address | ipv6-address} (Optional) Clears the IKEv2 security associations matching the remote address.
fvrf vrf-name (Optional) Clears the IKEv2 security associations matching the specified front door virtual routing and forwarding (FVRF) instance.
psh number (Optional) Clears the IKEv2 platform service handler matching the specified connection ID.
reconnect (Optional) Clears the IKEv2 reconnect security associations.
Command History
Release
Modification
15.1(1)T
This command was introduced.
15.1(4)M
This command was modified. Support was added for IPv6 addresses.
Cisco IOS XE Release 3.3S
This command was integrated into Cisco IOS XE Release 3.3S.
15.4(1)T
This command was modified. The reconnect keyword was added.
Cisco IOS XE Release 3.11S
This command was integrated into Cisco IOS XE Release 3.11S.
clear crypto ikev2 stats
To clear Internet Key Exchange Version 2 (IKEv2) security associations (SAs) statistics, use the clear crypto ikev2 stats command in privileged EXEC mode.
Syntax Description
exchange (Optional) Clears information about IKEv2 exchange and notification statistics.
detailed (Optional) Provides detailed information about IKEv2 exchange and notification statistics.
ext-service (Optional) Clears information about pass and fail counters for IKEv2 external services.
priority-queue (Optional) Clears information about the priority queue.
timeout (Optional) Clears information about IKEv2 internal timers.
clear crypto ipsec client ezvpn
To reset the Cisco Easy VPN remote state machine and bring down the Cisco Easy VPN remote connection on all interfaces or on a given interface (tunnel), use the clear crypto ipsec client ezvpn command in privileged EXEC mode. If a tunnel name is specified, only the specified tunnel is cleared.
Command History
Release
Modification
12.2(4)YA
This command was introduced for Cisco 806, Cisco 826, Cisco 827, and Cisco 828 routers; Cisco 1700 series routers; and Cisco uBR905 and Cisco uBR925 cable access routers.
12.2(13)T
This command was integrated into Cisco IOS Release 12.2(13)T.
12.2(8)YJ
This command was enhanced to specify an IPSec VPN tunnel to be cleared or disconnected for Cisco 806, Cisco 826, Cisco 827, and Cisco 828 routers; Cisco 1700 series routers; and Cisco uBR905 and Cisco uBR925 cable access routers.
12.2(15)T
This command was integrated into Cisco IOS Release 12.2(15)T.
12.2(33)SRA
This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2SX
This command is supported in the Cisco IOS 12.2SX family of releases. Support in a specific 12.2SX release is dependent on your feature set, platform, and platform hardware.
Usage Guidelines
The clear crypto ipsec client ezvpn command resets the Cisco Easy VPN remote state machine, bringing down the current Cisco Easy VPN remote connection and bringing it back up on the interface. If you specify a tunnel name, only that tunnel is cleared. If no tunnel name is specified, all active tunnels on the machine are cleared.
If the Cisco Easy VPN remote connection for a particular interface is configured for autoconnect, this command also initiates a new Cisco Easy VPN remote connection.
clear crypto isakmp
To clear active Internet Key Exchange (IKE) connections, use the clear crypto isakmp command in privileged EXEC mode.
Syntax Description
connection-id
(Optional) ID of the connection that is to be cleared. If this argument is not used, all existing connections will be cleared.
active
(Optional) Clears only IKE security associations (SAs) in the active state. For each active SA that is cleared, the standby router will be notified to clear the corresponding standby SA.
standby
(Optional) Clears only IKE SAs in the standby (secondary) state.
Note If the router is in standby mode, the router will immediately resynchronize the standby SAs; thus, it may appear as though the standby SAs were not cleared.
Command History
Release
Modification
11.3 T
This command was introduced.
12.3(11)T
The active and standby keywords were added.
12.2(33)SRA
This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2SX
This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
Usage Guidelines
Caution
If the connection-idargument is not used, all existing IKE connections will be cleared when this command is issued.
Examples
The following example clears an IKE connection between two peers connected by interfaces 172.21.114.123 and 172.21.114.67:
Router# show crypto isakmp sa dst src state conn-id slot 172.21.114.123 172.21.114.67 QM_IDLE 1 0 209.165.201.1 209.165.201.2 QM_IDLE 8 0 Router # clear crypto isakmp 1 Router# show crypto isakmp sa dst src state conn-id slot 209.165.201.1 209.165.201.2 QM_IDLE 8 0 Router#clear crypto sa
To delete IP Security (IPSec) security associations (SAs), use the clear crypto sa command in privileged EXEC mode.
clear crypto sa [ active | standby ]
Virtual Routing and Forwarding (VRF) Syntax
clear crypto sa peer [ vrf fvrf-name ] address
clear crypto sa [ vrf ivrf-name ]
Crypto Map Syntax
clear crypto sa map map-name
IP Address, Security Protocol Standard, and SPI Syntax
clear crypto sa entry destination-address protocol spi
Traffic Counters Syntax
clear crypto sa counters
Syntax Description
active
(Optional) Clears only IPSec SAs that are in the active state.
standby
(Optional) Clears only IPSec SAs that are in the standby state.
Note If the router is in standby mode, the router will immediately resynchronize the standby SAs; thus, it may appear as though the standby SAs were not cleared.
peer vrf fvrf-name] address
Deletes any IPSec SAs for the specified peer. The fvrf-name argument specifies the front door VRF (FVRF) of the peer address.
vrf ivrf-name
(Optional) Clears all IPSec SAs whose inside virtual routing and forwarding (IVRF) is the same as the ivrf-name.
map
Deletes any IPSec SAs for the named crypto map set.
map-name
Specifies the name of a crypto map set.
entry
Deletes the IPSec SA with the specified address, protocol, and security parameter index (SPI).
destination-address
Specifies the IP address of the remote peer.
protocol
Specifies either the Encapsulation Security Protocol (ESP) or Authentication Header (AH).
spi
Specifies an SPI (found by displaying the SA database).
counters
Clears the traffic counters maintained for each SA; the counters keyword does not clear the SAs themselves.
Command History
Release
Modification
11.3 T
This command was introduced.
12.2(15)T
The vrfkeywordand fvrf-nameargument for clear crypto sa peer were added. The vrf keyword and ivrf-nameargument for clear crypto sa were added.
12.3(11)T
The active and standby keywords were added.
12.2(33)SRA
This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2SX
This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
Cisco IOS XE Release 2.6
This command was integrated into Cisco IOS XE Release 2.6.
Usage Guidelines
This command clears (deletes) IPSec SAs.
If the SAs were established via Internet Key Exchange (IKE), they are deleted and future IPSec traffic will require new SAs to be negotiated. (When IKE is used, the IPSec SAs are established only when needed.)
If the SAs are manually established, the SAs are deleted and reinstalled. (When IKE is not used, the IPSec SAs are created as soon as the configuration is completed.)
NoteIf the peer, map, entry, counters, active, or standbykeywords are not used, all IPSec SAs will be deleted.
- The peer keyword deletes any IPSec SAs for the specified peer.
- The map keyword deletes any IPSec SAs for the named crypto map set.
- The entry keyword deletes the IPSec SA with the specified address, protocol, and SPI.
- The active and standby keywords delete the IPSec SAs in the active or standby state, respectively.
If any of the above commands cause a particular SA to be deleted, all the “sibling” SAs--that were established during the same IKE negotiation--are deleted as well.
The counters keyword simply clears the traffic counters maintained for each SA; it does not clear the SAs themselves.
If you make configuration changes that affect SAs, these changes will not apply to existing SAs but to negotiations for subsequent SAs. You can use the clear crypto sa command to restart all SAs so that they will use the most current configuration settings. In the case of manually established SAs, if you make changes that affect SAs you must use the clear crypto sa command before the changes take effect.
If the router is processing active IPSec traffic, it is suggested that you clear only the portion of the SA database that is affected by the changes, to avoid causing active IPSec traffic to temporarily fail.
Note that this command clears only IPSec SAs; to clear IKE state, use the clear crypto isakmp command.
Examples
The following example clears (and reinitializes if appropriate) all IPSec SAs at the router:
clear crypto saThe following example clears (and reinitializes if appropriate) the inbound and outbound IPSec SAs established, along with the SA established for address 10.0.0.1 using the AH protocol with the SPI of 256:
clear crypto sa entry 10.0.0.1 AH 256The following example clears all the SAs for VRF VPN1:
clear crypto sa vrf vpn1clear crypto session
To delete crypto sessions (IP security [IPsec] and Internet Key Exchange [IKE] security associations [SAs]), use the clear crypto session command in privileged EXEC mode.
clear crypto session [ local { ipv4-address | ipv6-address } [ port local-port ] ] [ remote { ipv4-address | ipv6-address } [ port remote-port ] ] [ fvrf vrf-name ] [ ivrf vrf-name ] isakmp group group-nameusername user-name
IPsec and IKE Stateful Failover Syntax
clear crypto session [ active | standby ]
Syntax Description
local {ipv4-address| ipv6-address
(Optional) Clears crypto sessions for a local crypto endpoint.
port local-port
(Optional) IKE port of the local endpoint. The local-port value can be 1 through 65535. The default value is 500.
remote {ipv4-address| ipv6-address
(Optional) Clears crypto sessions for a remote IKE peer.
port remote-port
(Optional) IKE port of the remote endpoint to be deleted. The remote-port value can be from 1 through 65535. The default value is 500.
fvrf vrf-name
(Optional) Specifies the front door virtual routing and forwarding (FVRF) session that is to be cleared.
ivrf vrf-name
(Optional) Specifies the inside VRF (IVRF) session that is to be cleared.
isakmp group group- name
(Optional) Clears the specified crypto session using the isakmp group.
username user- name
(Optional) Clears the crypto session for the specified xauth or pki-aaa username.
active
(Optional) Clears only IPsec and IKE SAs in the active state.
standby
(Optional) Clears only IPsec and IKE SAs in the standby state.
Note If the router is in standby mode, the router will immediately resynchronize the standby SAs with the active router.
Command Default
All existing sessions will be deleted. The IPsec SAs will be deleted first. Then the IKE SAs are deleted.
Usage Guidelines
To clear a specific crypto session or a subset of all the sessions, you need to provide session-specific parameters, such as a local or remote IP address, a local or remote port, an FVRF name, or an IVRF name.
If a local IP address is provided as a parameter when you use the clear crypto session command, all the sessions (and their IKE SAs and IPsec SAs) that share the IP address as a local crypto endpoint (IKE local address) will be deleted.
Examples
The following example shows that all crypto sessions will be deleted:
Router# clear crypto sessionThe following example shows that the crypto session of the FVRF named “blue” will be deleted:
Router# clear crypto session fvrf blueThe following example shows that the crypto sessions of the FVRF “blue” and the IVRF session “green” will be deleted:
Router# clear crypto session fvrf blue ivrf greenThe following example shows that the crypto sessions of the local endpoint 10.1.1.1 and remote endpoint 10.2.2.2 will be deleted. The local endpoint port is 5, and the remote endpoint port is 10.
Router# clear crypto session local 10.1.1.1 port 5 remote 10.2.2.2 port 10clear crypto pki benchmarks
To clear Public Key Infrastructure (PKI) benchmarking data and release all memory associated with this data, use the clear crypto pki benchmarkscommand in privileged EXEC mode.
Usage Guidelines
Use the clear crypto pki benchmarkscommand to clear all PKI benchmarking data and release all memory associated with this data. PKI benchmarking data is used for IOS PKI performance monitoring and optimization. PKI performance monitoring and optimization is turned on or off by using the crypto pki benchmark command.
clear crypto pki crls
To remove the certificate revocation list (CRL) database that determines the validity status of digital certificates presented by encryption peers in a PKI, use the clear crypto pki crlscommand in privileged EXEC mode.
clear dmvpn session
To clear Dynamic Multipoint VPN (DMVPN) sessions, use the clear dmvpn session command in privileged EXEC mode.
clear dmvpn session [ interface tunnel number | peer { ipv4-address | FQDN-string | ipv6-address } | vrf vrf-name ] [static]
Syntax Description
interface
(Optional) Displays DMVPN information based on a specific interface.
tunnel number
(Optional) Specifies the tunnel address for the DMVPN peer. The range is from 0 to 2147483647.
peer
(Optional) Specifies a DMVPN peer.
ipv4-address
(Optional) The IPv4 address for the DMVPN peer.
FQDN-string
(Optional) Next hop server (NHS) fully qualified domain name (FQDN) string.
ipv6-address
(Optional) The IPv6 address for the DMVPN peer.
vrf vrf-name
(Optional) Clears all Next Hop Resolution Protocol (NHRP) sessions related to the specified virtual routing and forwarding (VRF) configuration.
static
(Optional) Clears all static and dynamic NHRP entries.
Note If the static keyword is not specified, only dynamic NHRP entries are cleared.
Command History
Release
Modification
12.4(9)T
This command was introduced.
12.4(20)T
This command was modified. The ipv6-address argument was added.
Cisco IOS XE Release 2.5
This command was integrated into Cisco IOS XE Release 2.5 and implemented on the Cisco ASR 1000 Series Aggregation Services Routers.
15.1(2)T
This command was modified. The FQDN-string argument was added.
15.2(1)T
This command was modified. The ipv6-address argument was added for the peer keyword.
Examples
The following example shows how to clear all DMVPN sessions, both static and dynamic, for the specified peer nonbroadcast multiple access (NBMA) address:
Router# clear dmvpn session peer nbma staticThe following example shows how to clear all DMVPN sessions, both static and dynamic, for the specified peer FQDN string:
Router# clear dmvpn session peer examplehub.example1.com staticclear dmvpn statistics
To clear Dynamic Multipoint VPN (DMVPN)-related counters, use the clear dmvpn statisticscommand in privileged EXEC mode.
clear dmvpn statistics [ peer { nbma | tunnel } ip-address ] [ interface tunnel number ] [ vrf vrf-name ]
Syntax Description
peer
(Optional) Specifies a DMVPN peer.
nbma
(Optional) Specifies nonbroadcast mapping access (NBMA).
tunnel
(Optional) Specifies a tunnel.
ip-address
(Optional) Specifies the IP address for the DMVPN peer.
interface
(Optional) Displays DMVPN information based on a specific interface.
tunnel number
(Optional) Specifies the tunnel address for the DMVPN peer.
vrf vrf-name
(Optional) Clears all DMVPN counters related to the specified virtual routing forwarding (VRF) configuration.
clear dot1x
Command History
Release
Modification
12.3(2)XA
This command was introduced.
12.3(4)T
This command was integrated into Cisco IOS Release 12.3(4)T.
12.2(25)SEE
This command was integrated into Cisco IOS Release 12.2(25)SEE.
12.2(33)SRA
This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2SX
This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
Examples
The following configuration shows that 802.1X information will be cleared for all interfaces:
Router# clear dot1x allThe following configuration shows that 802.1X information will be cleared for the Ethernet 0 interface:
Router# clear dot1x interface ethernet 0You can verify that the information was deleted by entering the show dot1x command.
clear eap
To clear Extensible Authentication Protocol (EAP) information on a switch or for a specified port, use the clear eap command in privileged EXEC mode.
clear eap [ sessions [ credentials credentials-name | interface interface-name | method method-name | transport transport-name ] ]
Syntax Description
sessions
(Optional) Clears EAP sessions on a switch or a specified port.
credentials credentials-name
(Optional) Clears EAP credential information for only the specified profile.
interface interface-name
(Optional) Clears EAP credential information for only the specified interface.
method method-name
(Optional) Clears EAP credential information for only the specified method.
transport transport-name
(Optional) Clears EAP credential information for only the specified lower layer.
Usage Guidelines
You can clear all counters by using the clear eap command with the sessions keyword, or you can clear only the specified information by using the credentials, interface, method, or transport keywords.
clear eou
To clear all client device entries that are associated with a particular interface or that are on the network access device (NAD), use the clear eou command in privileged EXEC mode.
clear eou { all | authentication { clientless | eap | static } | interface interface-type | ip ip-address | mac mac-address | posturetoken name }
Syntax Description
all
Clears all client device entries.
authentication
Authentication type.
clientless
Authentication type is clientless.
eap
Authentication type is Extensible Authentication Procotol (EAP).
static
Authentication type is static.
interface
Provides information about the interface.
interface-type
Type of interface (see the table below for a list of interface types).
ip
Specifies an IP address.
ip-address
IP address of the client device.
mac
Specifies a MAC address.
mac-address
The 48-bit address of the client device.
posturetoken
Posture token name.
name
Name of the posture token.
Usage Guidelines
The table below lists the interface types that may be used for the interface-type argument.
Table 2 Description of Interface Types Interface Type
Description
Async
Asynchronous interface
BVI
Bridge-Group Virtual Interface
CDMA-Ix
Code division multiple access Internet exchange (CDMA Ix) interface
CTunnel
Connectionless Network Protocol (CLNS) tunnel (Ctunnel) interface
Dialer
Dialer interface
Ethernet
IEEE 802.3 standard interface
Lex
Lex interface
Loopback
Loopback interface
MFR
Multilink Frame Relay bundle interface
Multilink
Multilink-group interface
Null
Null interface
Serial
Serial interface
Tunnel
Tunnel interface
Vif
Pragmatic General Multicast (PGM) Multicase Host interface
Virtual-PPP
Virtual PPP interface
Virtual-Template
Virtual template interface
Virtual-TokenRing
Virtual TokenRing interface
