Feedback
Contents
F through H
- filter-hash
- filter-id
- filter-version
- filter tunnel
- fingerprint
- firewall
- fpm package-group
- fpm package-info
- fqdn (IKEv2 profile)
- grant auto rollover
- grant auto trustpoint
- grant none
- grant ra-auto
- group (firewall)
- group (authentication)
- group (IKE policy)
- group (IKEv2 proposal)
- group (local RADIUS server)
- group (RADIUS)
- group-lock
- group-object
- group size
- gtp
- hardware statistics
- hash (ca-trustpoint)
- hash (cs-server)
- hash (IKE policy)
- heading
- hide-url-bar
- holdtime
- hop-limit
- host (webvpn url rewrite)
- hostname (IKEv2 keyring)
- hostname (WebVPN)
- http proxy-server
- http-redirect
- hw-module slot subslot only
filter-hash
NoteEffective with Cisco IOS Release 15.2(4)M, the filter-hash command is not available in Cisco IOS software.
To specify the hash for verification and validation of decrypted contents, use the filter-hash command in Flexible Packet Matching (FPM) encryption filter configuration mode.
Usage Guidelines
If you have access to an eTCDF or if you know valid values to configure encrypted FPM filters, you can configure the same eTCDF through the command-line interface instead of using the preferred method of loading the eTCDF on the router. You must create a class map of type access-control using the class-map type command, and use the match encrypted command to configure the match criteria for the class map on the basis of encrypted FPM filters and enter FPM match encryption filter configuration mode. You can then use the appropriate commands to specify the algorithm, cipher key, cipher value, filter hash, filter ID, and filter version. You can copy the values from the eTCDF by opening the eTCDF in any text editor.
Use the filter-hash command to specify the hash for verification and validation of decrypted contents.
Examples
The following example shows how to specify the hash value from the eTCDF file for verification and validation of decrypted contents:
Router(config)# class-map type access-control match-all c1 Router(config-cmap)# match encrypted Router(c-map-match-enc-config)# filter-hash AABBCCDD11223344 Router(c-map-match-enc-config)#filter-id
NoteEffective with Cisco IOS Release 15.2(4)M, the filter-id command is not available in Cisco IOS software.
To specify a filter-level ID for encrypted filters, use the filter-id command in FPM match encryption filter configuration mode.
Usage Guidelines
If you have access to an encrypted traffic classification definition file (eTCDF) or if you know valid values to configure encrypted Flexible Packet Matching (FPM) filters, you can configure the same eTCDF through the command-line interface instead of using the preferred method of loading the eTCDF on the router. You must create a class map of type access-control using the class-map type command, and use the match encrypted command to configure the match criteria for the class map on the basis of encrypted FPM filters and enter FPM match encryption filter configuration mode. You can then use the appropriate commands to specify the algorithm, cipher key, cipher value, filter hash, filter ID, and filter version. You can copy the values from the eTCDF by opening the eTCDF in any text editor.
Use the filter-id command to specify a filter-level ID for encrypted filters.
filter-version
NoteEffective with Cisco IOS Release 15.2(4)M, the filter-version command is not available in Cisco IOS software.
To specify the filter-level version value for the encrypted filter, use the filter-version command in FPM match encryption filter configuration mode.
Usage Guidelines
If you have access to an encrypted traffic classification definition file (eTCDF) or if you know valid values to configure encrypted Flexible Packet Matching (FPM) filters, you can configure the same eTCDF through the command-line interface instead of using the preferred method of loading the eTCDF on the router. You must create a class map of type access-control using the class-map type command, and use the match encrypted command to configure the match criteria for the class map on the basis of encrypted FPM filters and enter FPM match encryption filter configuration mode. You can then use the appropriate commands to specify the algorithm, cipher key, cipher value, filter hash, filter ID, and filter version. You can copy the values from the eTCDF by opening the eTCDF in any text editor.
Use the filter-version command to specify the filter-level version value for the encrypted filter.
filter tunnel
To configure a SSL VPN tunnel access filter, use filter tunnel command in webvpn group policy configuration mode. To remove the tunnel access filter, use the no form of this command.
Syntax Description
extended-acl Defines the filter on the basis of an extended access list (ACL). A named, numbered, or expanded access list is entered.
acl -name Specifies the name for the access list.
Command History
Examples
The following example shows how to configure a deny access filter for any host from the 192.0.2.0/24 network:
Device(config)# access-list 101 deny ip 192.0.2.0 0.0.0.255 any Device(config)# webvpn context context1 Device(config-webvpn-context)# policy group ONE Device(config-webvpn-group)# filter tunnel 101fingerprint
To preenter a fingerprint that can be matched against the fingerprint of a certification authority (CA) certificate during authentication, use the fingerprint command in ca-trustpoint configuration mode. To remove the preentered fingerprint, use the no form of this command.
Command Default
A fingerprint is not preentered for a trustpoint, and if the authentication request is interactive, you must verify the fingerprint that is displayed during authentication of the CA certificate. If the authentication request is noninteractive, the certificate will be rejected without a preentered fingerprint.
Command History
Release
Modification
12.3(12)
This command was introduced. This release supports only message digest algorithm 5 (MD5) fingerprints.
12.3(13)T
Support was added for Secure Hash Algorithm 1 (SHA1), but only for Cisco IOS T releases.
12.4(24)T
Support for IPv6 Secure Neighbor Discovery (SeND) was added.
Usage Guidelines
NoteSecurity threats, as well as the cryptographic technologies to help protect against them, are constantly changing. For more information about the latest Cisco cryptographic recommendations, see the Next Generation Encryption (NGE) white paper.
NoteAn authentication request made using the CLI is considered an interactive request. An authentication request made using HTTP or another management tool is considered a noninteractive request.
Preenter the fingerprint if you want to avoid responding to the verify question during CA certificate authentication or if you will be requesting authentication noninteractively. The preentered fingerprint may be either the MD5 fingerprint or the SHA1 fingerprint of the CA certificate.
If you are authenticating a CA certificate and the fingerprint was preentered, if the fingerprint matches that of the certificate, the certificate is accepted. If the preentered fingerprint does not match, the certificate is rejected.
If you are requesting authentication noninteractively, the fingerprint must be preentered or the certificate will be rejected. The verify question will not be asked when authentication is requested noninteractively.
If you are requesting authentication interactively without preentering the fingerprint, the fingerprint of the certificate will be displayed, and you will be asked to verify it.
Examples
The following example shows how to preenter an MD5 fingerprint before authenticating a CA certificate:
Router(config)# crypto pki trustpoint myTrustpoint Router(ca-trustpoint)# fingerprint 6513D537 7AEA61B7 29B7E8CD BBAA510B Router(ca-trustpoint) exit Router(config)# crypto pki authenticate myTrustpoint Certificate has the following attributes: Fingerprint MD5: 6513D537 7AEA61B7 29B7E8CD BBAA510B Fingerprint SHA1: 998CCFAA 5816ECDE 38FC217F 04C11F1D DA06667E Trustpoint Fingerprint: 6513D537 7AEA61B7 29B7E8CD BBAA510B Certificate validated - fingerprints matched. Trustpoint CA certificate accepted. Router (config)#The following is an example for Cisco Release 12.3(12). Note that the SHA1 fingerprint is not displayed because it is not supported by this release.
Router(config)# crypto ca trustpoint myTrustpoint Router(ca-trustpoint)# fingerprint 6513D537 7AEA61B7 29B7E8CD BBAA510B Router(ca-trustpoint)# exit Router(config)# crypto ca authenticate myTrustpoint Certificate has the following attributes: Fingerprint: 6513D537 7AEA61B7 29B7E8CD BBAA510B Trustpoint Fingerprint: 6513D537 7AEA61B7 29B7E8CD BBAA510B Certificate validated - fingerprints matched. Trustpoint CA certificate accepted. Router(config)#firewall
To specify secure virtual LAN (VLAN) groups and to attach them to firewall modules, use the firewall command in global configuration mode. To disable the configuration, use the no form of this command.
firewall { autostate | module number vlan-group number | multiple-vlan-interfaces | vlan-group number vlan-range }
no firewall { autostate | module number vlan-group number | multiple-vlan-interfaces | vlan-group number vlan-range }
Syntax Description
autostate
Enables auto state.
module
Specifies the module number to which a VLAN group is attached.
number
Module number. Valid values are from 1 to 6.
vlan-group
Specifies the secure group to which the VLANs are attached.
number
Group number. The range is from 1 to 65535.
multiple-vlan-interfaces
Enables multiple VLAN interfaces mode for firewall modules.
vlan-range
VLAN range. Valid values are from 2 to 1001 and 1006 to 4094.
fpm package-group
NoteEffective with Cisco IOS Release 15.2(4)M, the fpm package-group command is not available in Cisco IOS software.
To configure flexible packet matching (fpm) package support, use the fpm package-group command in global configuration mode. To disable fpm package support, use the no form of this command.
fpm package-info
NoteEffective with Cisco IOS Release 15.2(4)M, the fpm package-info command is not available in Cisco IOS software.
To configure flexible packet matching (FPM) package transfer from an FPM server to a local server, use the fpm package-info command in global configuration mode. To disable fpm packet transfer, use the no form of this command.
fqdn (IKEv2 profile)
To derive the name mangler from the remote identity of type Fully Qualified Domain Name (FQDN), use the fqdn command in IKEv2 name mangler configuration mode. To remove the name derived from FQDN, use the no form of this command.
grant auto rollover
To enable automatic granting of certificate reenrollment requests for a Cisco IOS subordinate certificate authority (CA) server or registration authority (RA) mode CA, use the grant auto rollover command in certificate server configuration mode. To disable automatic granting of certificate reenrollment requests for a Cisco IOS subordinate or RA-mode CA server, use the no form of this command.
Command Default
Automatic granting of certificate reenrollment requests for a Cisco IOS subordinate CA server or RA-mode CA reenrollment requests is not enabled. Reenrollment requests will have to be granted manually.
Usage Guidelines
You must configure the crypto pki server command with the name of the certificate server in order to enter certificate server configuration mode and configure this command.
The first time a CA is enabled, a certificate request is sent to its superior CA. This initial request must be granted manually. The grant auto rollovercommand allows subsequent renewal certificate grant requests to be automatically processed by the CA for either a subordinate CA certificate (by designating the ca-cert keyword) or an RA-mode CA (by designating the ra-cert keyword), thereby eliminating the need for operator intervention.
Examples
The following example shows how the user can enable automatic granting of certificate reenrollment requests for a Cisco IOS subordinate CA server:Router(config)#crypto pki server CA Router(cs-server)#grant auto rollover ca-certRelated Commands
Command
Description
auto-rollover
Enables the automated CA certificate rollover functionality.
cdp-url
Specifies a CDP to be used in certificates that are issued by the certificate server.
crl (cs-server)
Specifies the CRL PKI CS.
crypto pki server
Enables a CS and enters certificate server configuration mode, or immediately generates shadow CA credentials
database archive
Specifies the CA certificate and CA key archive format--and the password--to encrypt this CA certificate and CA key archive file.
database level
Controls what type of data is stored in the certificate enrollment database.
database url
Specifies the location where database entries for the CS is stored or published.
database username
Specifies the requirement of a username or password to be issued when accessing the primary database location.
default (cs-server)
Resets the value of the CS configuration command to its default.
grant auto trustpoint
Specifies the CA trustpoint of another vendor from which the Cisco IOS certificate server automatically grants certificate enrollment requests.
grant none
Specifies all certificate requests to be rejected.
grant ra-auto
Specifies that all enrollment requests from an RA be granted automatically.
hash (cs-server)
Specifies the cryptographic hash function the Cisco IOS certificate server uses to sign certificates issued by the CA.
issuer-name
Specifies the DN as the CA issuer name for the CS.
lifetime (cs-server)
Specifies the lifetime of the CA or a certificate.
mode ra
Enters the PKI server into RA certificate server mode.
mode sub-cs
Enters the PKI server into sub-certificate server mode
redundancy (cs-server)
Specifies that the active CS is synchronized to the standby CS.
serial-number (cs-server)
Specifies whether the router serial number should be included in the certificate request.
show (cs-server)
Displays the PKI CS configuration.
shutdown (cs-server)
Allows a CS to be disabled without removing the configuration.
grant auto trustpoint
To specify the certification authority (CA) trustpoint of another vendor from which the Cisco IOS certificate server automatically grants certificate enrollment requests, use the grant auto trustpointcommand in certificate server configuration mode. To remove the name of the trustpoint holding the trusted CA certificate, use the no form of this command.
Usage Guidelines
You must configure the crypto pki server command with the name of the certificate server in order to enter certificate server configuration mode and configure this command.
After the network administrator for the server configures and authenticates a trustpoint for the CA of another vendor, the grant auto trustpoint command is issued to reference the newly created trustpoint and enroll the router with a Cisco IOS CA.
NoteThe newly created trustpoint can only be used one time (which occurs when the router is enrolled with the Cisco IOS CA). After the initial enrollment is successfully completed, the credential information will be deleted from the enrollment profile.
The Cisco IOS certificate server will automatically grant only the requests from clients who were already enrolled with the CA of another vendor. All other requests must be manually granted--unless the server is set to be in auto grant mode (through the grant automaticcommand).
Caution
The grant automaticcommand can be used for testing and building simple networks and should be disabled before the network is accessible by the Internet. However, it is recommended that you do not issue this command if your network is generally accessible .
Examples
The following example shows how to configure a client router and a Cisco IOS certificate server to exchange enrollment requests through a certificate enrollment profile:
! Define the trustpoint “msca-root” that points to the non-Cisco IOS CA and enroll and ! authenticate the client with the non-Cisco IOS CA. crypto pki trustpoint msca-root enrollment mode ra enrollment url http://msca-root:80/certsrv/mscep/mscep.dll ip-address FastEthernet2/0 revocation-check crl ! ! Configure trustpoint “cs” for Cisco IOS CA. crypto pki trustpoint cs enrollment profile cs1 revocation-check crl ! ! Define enrollment profile “cs1,” which points to Cisco IOS CA and mention (via the ! enrollment credential command) that “msca-root” is being initially enrolled with the ! Cisco IOS CA. crypto pki profile enrollment cs1 enrollment url http://cs:80 enrollment credential msca-root! ! Configure the certificate server, and issue the grant auto trustpoint command to ! instruct the certificate server to accept enrollment request only from clients who are ! already enrolled with trustpoint “msca-root.” crypto pki server cs database level minimum database url nvram: issuer-name CN=cs grant auto trustpoint msca-root ! crypto pki trustpoint cs revocation-check crl rsakeypair cs ! crypto pki trustpoint msca-root enrollment mode ra enrollment url http://msca-root:80/certsrv/mscep/mscep.dll revocation-check crlRelated Commands
Command
Description
auto-rollover
Enables the automated CA certificate rollover functionality.
cdp-url
Specifies a CDP to be used in certificates that are issued by the certificate server.
crl (cs-server)
Specifies the CRL PKI CS.
crypto pki server
Enables a CS and enters certificate server configuration mode, or immediately generates shadow CA credentials
database archive
Specifies the CA certificate and CA key archive format--and the password--to encrypt this CA certificate and CA key archive file.
database level
Controls what type of data is stored in the certificate enrollment database.
database url
Specifies the location where database entries for the CS is stored or published.
database username
Specifies the requirement of a username or password to be issued when accessing the primary database location.
default (cs-server)
Resets the value of the CS configuration command to its default.
grant auto rollover
Enables automatic granting of certificate reenrollment requests for a Cisco IOS subordinate CA server or RA mode CA.
grant none
Specifies all certificate requests to be rejected.
grant ra-auto
Specifies that all enrollment requests from an RA be granted automatically.
hash (cs-server)
Specifies the cryptographic hash function the Cisco IOS certificate server uses to sign certificates issued by the CA.
issuer-name
Specifies the DN as the CA issuer name for the CS.
lifetime (cs-server)
Specifies the lifetime of the CA or a certificate.
mode ra
Enters the PKI server into RA certificate server mode.
mode sub-cs
Enters the PKI server into sub-certificate server mode
redundancy (cs-server)
Specifies that the active CS is synchronized to the standby CS.
serial-number (cs-server)
Specifies whether the router serial number should be included in the certificate request.
show (cs-server)
Displays the PKI CS configuration.
shutdown (cs-server)
Allows a CS to be disabled without removing the configuration.
grant none
To specify all certificate requests to be rejected, use the grant none command in certificate server configuration mode. To disable automatic rejection of certificate enrollment, use the no form of this command.
Usage Guidelines
You must configure the crypto pki server command with the name of the certificate server in order to enter certificate server configuration mode and configure this command.
Examples
The following example shows how to automatically reject all certificate enrollment requests for the certificate server “myserver”:
Router#(config) ip http server Router#(config) crypto pki server myserver Router#(cs-server) database level minimum Router#(cs-server)# grant noneRelated Commands
Command
Description
auto-rollover
Enables the automated CA certificate rollover functionality.
cdp-url
Specifies a CDP to be used in certificates that are issued by the certificate server.
crl (cs-server)
Specifies the CRL PKI CS.
crypto pki server
Enables a CS and enters certificate server configuration mode, or immediately generates shadow CA credentials
database archive
Specifies the CA certificate and CA key archive format--and the password--to encrypt this CA certificate and CA key archive file.
database level
Controls what type of data is stored in the certificate enrollment database.
database url
Specifies the location where database entries for the CS is stored or published.
database username
Specifies the requirement of a username or password to be issued when accessing the primary database location.
default (cs-server)
Resets the value of the CS configuration command to its default.
grant auto rollover
Enables automatic granting of certificate reenrollment requests for a Cisco IOS subordinate CA server or RA mode CA.
grant auto trustpoint
Specifies the CA trustpoint of another vendor from which the Cisco IOS certificate server automatically grants certificate enrollment requests.
grant ra-auto
Specifies that all enrollment requests from an RA be granted automatically.
hash (cs-server)
Specifies the cryptographic hash function the Cisco IOS certificate server uses to sign certificates issued by the CA.
issuer-name
Specifies the DN as the CA issuer name for the CS.
lifetime (cs-server)
Specifies the lifetime of the CA or a certificate.
mode ra
Enters the PKI server into RA certificate server mode.
mode sub-cs
Enters the PKI server into sub-certificate server mode
redundancy (cs-server)
Specifies that the active CS is synchronized to the standby CS.
serial-number (cs-server)
Specifies whether the router serial number should be included in the certificate request.
show (cs-server)
Displays the PKI CS configuration.
shutdown (cs-server)
Allows a CS to be disabled without removing the configuration.
grant ra-auto
To specify that all enrollment requests from a Registration Authority (RA) be granted automatically, use the grant ra-auto command in certificate server configuration mode. To disable automatic certificate enrollment, use the no form of this command.
Usage Guidelines
You must configure the crypto pki server command with the name of the certificate server in order to enter certificate server configuration mode and configure this command.
When grant ra-auto mode is configured on the issuing certificate server, ensure that the RA mode certificate server is running in manual grant mode so that enrollment requests are authorized individually by the RA.
NoteFor the grant ra-auto command to work, you have to include “cn=ioscs RA” or “ou=ioscs RA” in the subject name of the RA certificate.
Examples
The following output shows that the issuing certificate server is configured to issue a certificate automatically if the request comes from an RA:
Router (config)# crypto pki server myserver Router-ca (cs-server)# grant ra-auto % This will cause all certificate requests that are already authorized by known RAs to be automatically granted. Are you sure you want to do this? [yes/no]:yesRelated Commands
Command
Description
auto-rollover
Enables the automated CA certificate rollover functionality.
cdp-url
Specifies a CDP to be used in certificates that are issued by the certificate server.
crl (cs-server)
Specifies the CRL PKI CS.
crypto pki server
Enables a CS and enters certificate server configuration mode, or immediately generates shadow CA credentials
database archive
Specifies the CA certificate and CA key archive format--and the password--to encrypt this CA certificate and CA key archive file.
database level
Controls what type of data is stored in the certificate enrollment database.
database url
Specifies the location where database entries for the CS is stored or published.
database username
Specifies the requirement of a username or password to be issued when accessing the primary database location.
default (cs-server)
Resets the value of the CS configuration command to its default.
grant auto rollover
Enables automatic granting of certificate reenrollment requests for a Cisco IOS subordinate CA server or RA mode CA.
grant auto trustpoint
Specifies the CA trustpoint of another vendor from which the Cisco IOS certificate server automatically grants certificate enrollment requests.
grant none
Specifies all certificate requests to be rejected.
hash (cs-server)
Specifies the cryptographic hash function the Cisco IOS certificate server uses to sign certificates issued by the CA.
issuer-name
Specifies the DN as the CA issuer name for the CS.
lifetime (cs-server)
Specifies the lifetime of the CA or a certificate.
mode ra
Enters the PKI server into RA certificate server mode.
mode sub-cs
Enters the PKI server into sub-certificate server mode
redundancy (cs-server)
Specifies that the active CS is synchronized to the standby CS.
serial-number (cs-server)
Specifies whether the router serial number should be included in the certificate request.
show (cs-server)
Displays the PKI CS configuration.
shutdown (cs-server)
Allows a CS to be disabled without removing the configuration.
group (firewall)
To enter redundancy application group configuration mode, use the group command in redundancy application configuration mode. To remove the group configuration, use the no form of this command.
group (authentication)
To specify the authentication, authorization, and accounting (AAA) TACACS+ server group to use for preauthentication, use the group command in AAA preauthentication configuration mode. To remove the group command from your configuration, use the no form of this command.
Command History
Release
Modification
12.1(2)T
This command was introduced.
12.2(33)SRA
This command was integrated into Cisco IOS release 12.(33)SRA.
12.2SX
This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
Usage Guidelines
You must configure the group command before you configure any other AAA preauthentication command (clid, ctype, dnis, or dnis bypass).
group (IKE policy)
To specify one or more Diffie-Hellman (DH) group identifier(s) for use in an Internet Key Exchange (IKE) policy, which defines a set of parameters to be used during IKE negotiation , use the groupcommand in Internet Security Association Key Management Protocol (ISAKMP) policy configuration mode. To reset the DH group identifier to the default value, use the no form of this command.
Syntax Description
1
Specifies the 768-bit DH group.
2
Specifies the 1024-bit DH group.
5
Specifies the 1536-bit DH group.
14
Specifies the 2048-bit DH group.
15
Specifies the 3072-bit DH group.
16
Specifies the 4096-bit DH group.
19
Specifies the 256-bit elliptic curve DH (ECDH) group.
20
Specifies the 384-bit ECDH group.
24
Specifies the 2048-bit DH/DSA group.
Command History
Release
Modification
11.3 T
This command was introduced.
12.1(1.3)T
Support was added for DH group 5.
12.4(4)T
Support for IPv6 was added.
12.2(33)SRA
This command was integrated into Cisco IOS Release 12.(33)SRA.
12.2SX
This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
Cisco IOS XE Release 2.2
Support was added for DH groups 14, 15, and 16 on the Cisco ASR 1000 series routers.
15.1(2)T
This command was modified. The 14, 15, 16, 19, and 20 keywords were added.
Usage Guidelines
NoteSecurity threats, as well as the cryptographic technologies to help protect against them, are constantly changing. For more information about the latest Cisco cryptographic recommendations, see the Next Generation Encryption (NGE) white paper.
The group chosen must be strong enough (have enough bits) to protect the IPsec keys during negotiation. A generally accepted guideline recommends the use of a 2048-bit group after 2013 (until 2030). Either group 14 or group 24 can be selected to meet this guideline. Even if a longer-lived security method is needed, the use of Elliptic Curve Cryptography is recommended, but group 15 and group 16 can also be considered.
The ISAKMP group and the IPsec perfect forward secrecy (PFS) group should be the same if PFS is used. If PFS is not used, a group is not configured in the IPsec crypto map.
Examples
The following example shows how to configure an IKE policy with the 1024-bit DH group (all other parameters are set to the defaults):
Router(config)# crypto isakmp policy 15 Router(config-isakmp) group 2 Router(config-isakmp) exitRelated Commands
Command
Description
authentication (IKE policy)
Specifies the authentication method within an IKE policy.
crypto isakmp policy
Defines an IKE policy.
encryption (IKE policy)
Specifies the encryption algorithm within an IKE policy.
hash (IKE policy)
Specifies the hash algorithm within an IKE policy.
lifetime (IKE policy)
Specifies the lifetime of an IKE SA.
show crypto isakmp policy
Displays the parameters for each IKE policy.
group (IKEv2 proposal)
To specify one or more Diffie-Hellman (DH) group identifier(s) for use in an Internet Key Exchange Version 2 (IKEv2) proposal, use the groupcommand in IKEv2 proposal configuration mode. To reset the DH group identifier to the default value, use the no form of this command.
Syntax Description
1
Specifies the 768-bit DH group.
2
Specifies the 1024-bit DH group.
5
Specifies the 1536-bit DH group.
14
Specifies the 2048-bit DH group
15
Specifies the 3072-bit DH group.
16
Specifies the 4096-bit DH group.
19
Specifies the 256-bit elliptic curve DH (ECDH) group.
20
Specifies the 384-bit ECDH group.
24
Specifies the 2048-bit DH/DSA group.
Usage Guidelines
NoteSecurity threats, as well as the cryptographic technologies to help protect against them, are constantly changing. For more information about the latest Cisco cryptographic recommendations, see the Next Generation Encryption (NGE) white paper.
The group chosen must be strong enough (have enough bits) to protect the IPsec keys during negotiation. A generally accepted guideline recommends the use of a 2048-bit group after 2013 (until 2030). Either group 14 or group 24 can be selected to meet this guideline. Even if a longer-lived security method is needed, the use of Elliptic Curve Cryptography is recommended, but group 15 and group 16 can also be considered.
Examples
The following example shows how to configure an IKEv2 proposal with the 1024-bit DH group:
Router(config)# crypto ikev2 proposal proposal1 Router(config-ikev2-proposal)# group 2 Router(config-ikev2-proposal)# exitRelated Commands
Command
Description
crypto ikev2 proposal
Defines an IKEv2 proposal.
encryption (ikev2 proposal)
Specifies the encryption algorithm in an IKEv2 proposal.
integrity (ikev2 proposal)
Specifies the integrity algorithm in an IKEv2 proposal.
show crypto ikev2 proposal
Displays the algorithms configured in each IKEv2 proposal.
group (local RADIUS server)
To enter user group configuration mode and to configure shared settings for a user group, use the groupcommand in local RADIUS server configuration mode. To remove the group configuration from the local RADIUS server, use the no form of this command.
Command History
Release
Modification
12.2(11)JA
This command was introduced on Cisco Aironet Access Point 1100 and Cisco Aironet Access Point 1200.
12.3(11)T
This command was implemented on the following platforms: Cisco 2600XM, Cisco 2691, Cisco 2811, Cisco 2821, Cisco 2851, Cisco 3700, and Cisco 3800 series routers.
Examples
The following example shows that shared settings are being configured for group “team1”:
group team1Related Commands
Command
Description
block count
Configures the parameters for locking out members of a group to help protect against unauthorized attacks.
clear radius local-server
Clears the statistics display or unblocks a user.
debug radius local-server
Displays the debug information for the local server.
nas
Adds an access point or router to the list of devices that use the local authentication server.
radius-server host
Specifies the remote RADIUS server host.
radius-server local
Enables the access point or router to be a local authentication server and enters into configuration mode for the authenticator.
reauthentication time
Specifies the time (in seconds) after which access points or wireless-aware routers must reauthenticate the members of a group.
show radius local-server statistics
Displays statistics for a local network access server.
ssid
Specifies up to 20 SSIDs to be used by a user group.
user
Authorizes a user to authenticate using the local authentication server.
vlan
Specifies a VLAN to be used by members of a user group.
group (RADIUS)
To specify the authentication, authorization, and accounting (AAA) RADIUS server group to use for preauthentication, use the group command in AAA preauthentication configuration mode. To remove the group command from your configuration, use the no form of this command.
Usage Guidelines
You must configure a RADIUS server group with the aaa group server radius command in global configuration mode before using the group command in AAA preauthentication configuration mode.
You must configure the group command before you configure any other AAA preauthentication command (clid, ctype, dnis, or dnis bypass).
Examples
The following example shows the creation of a RADIUS server group called “maestro” and then specifies that DNIS preauthentication be performed using this server group:
aaa group server radius maestro server 10.1.1.1 server 10.2.2.2 server 10.3.3.3 aaa preauth group maestro dnis requiredRelated Commands
Command
Description
aaa group server radius
Groups different RADIUS server hosts into distinct lists and distinct methods.
clid
Preauthenticates calls on the basis of the CLID number.
ctype
Preauthenticates calls on the basis of the call type.
dnis (RADIUS)
Preauthenticates calls on the basis of the DNIS number.
dnis bypass (AAA preauthentication configuration)
Specifies a group of DNIS numbers that will be bypassed for preauthentication.
group-lock
The group-lock command attribute is used to check if a user attempting to connect to a group belongs to this group. This attribute is used in conjunction with the extended authentication (Xauth) username. The user name must include the group to which it belongs. The group is then matched against the VPN group name (ID_KEY_ID) that is passed during the Internet Key Exchange (IKE). If the groups do not match, then the client connection is terminated.
To allow the extended authentication (Xauth) username to be entered when preshared key authentication is used with IKE, use the group-lock command in Internet Security Association Key Management Protocol (ISAKMP) group configuration mode. To remove the group lock, use the no form of this command.
NotePreshared keys are supported only. Certificates are not supported.
Command History
Release
Modification
12.2(13)T
This command was introduced.
12.2(33)SRA
This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2SX
This command is supported in the Cisco IOS 12.2SX family of releases. Support in a specific 12.2SX release is dependent on your feature set, platform, and platform hardware.
Usage Guidelines
The Group-Lock attribute can be used if preshared key authentication is used with IKE. When the user enables the group-lock command attribute, one of the following extended Xauth usernames can be entered:
name/group
name\group
name@group
name%group
where the \ / @ % are the delimiters. The group that is specified after the delimiter is then compared against the group identifier that is sent during IKE aggressive mode. The groups must match or the connection is rejected.
Caution
Do not use the Group-Lock attribute if you are using RSA signature authentication mechanisms such as certificates. Use the User-VPN-Group attribute instead.
The Group-Lock attribute is configured on a Cisco IOS router or in the RADIUS profile. This attribute has local (gateway) significance only and is not passed to the client.
NoteIf local authentication is used, then the Group-Lock attribute is the only option.
The username in the local or RADIUS database must be of the following format:
username[/,\,%,@]group.
Examples
The following example shows how Group-Lock attribute is configured in the CLI using the group-lock command:
NoteYou must enable the crypto isakmp client configuration group command, which specifies group policy information that has to be defined or changed, before enabling the group-lock command.
crypto isakmp client configuration group cisco group-lockThe following example shows how an attribute-value (AV) pair for the User-VPN-Group attribute is added in the RADIUS configuration:
NoteIf RADIUS is used for user authentication, then use the User-VPN-Group attribute instead of the Group-Lock attribute.
ipsec:group-lock=1group-object
To specify a nested reference to a type of user group within an object group, use the group-object command in object-group identity configuration mode. To remove the user group from the object group, use the no form of this command.
Usage Guidelines
In addition to a security group that is specified for the object group, a group object can be specified for a nested user group. The group-object command is used in the class map configuration of the Security Group Access (SGA) Zone-Based Policy firewall (ZBPF). Multiple nested user groups can be specified using this command.
NoteA policy map must also be configured for the SGA ZBPF.
Examples
The following example shows how the group-object command is used in the class map configuration of the SGA ZBPF.
Router(config)# object-group security myobject1a Router(config-object-group)# security-group tag-id 1 Router(config-object-group)# end Router(config)# object-group security myobject1b Router(config-object-group)# security-group tag-id 2 Router(config-object-group)# end Router(config)# object-group security myobject1 Router(config-object-group)# group-object myobject1a Router(config-object-group)# group-object myobject1b Router(config-object-group)# end Router(config)# class-map type inspect match-any myclass1 Router(config-cmap)# match group-object security source myobject1 Router(config-cmap)# endRelated Commands
Command
Description
debug object-group event
Enables debug messages for object-group events.
match group-object security
Matches traffic from a user in the security group.
object-group security
Creates an object group to identify traffic coming from a specific user or endpoint.
security-group
Specifies the membership of the security group for an object group.
show object-group
Displays the content of all user groups.
group size
To set the group size (sender ID length) for Suite B, use the group size command in GDOI local server configuration mode. To return a group size to the default size, use the no form of this command.
group size { small { 8 | 12 | 16} | medium | large }
no group size [ small [ 8 | 12 | 16] | medium | large]
Usage Guidelines
SID lengths of 8, 12, or 16 bits ensure interoperability with the GDOI standard that is described in RFC 6054, Using Counter Modes with Encapsulating Security Payload (ESP) and Authentication Header (AH) to Protect Group Traffic.
For most deployments, a group size of medium is recommended; therefore, using this command is optional. Any group size other than medium should be used only for interoperability (for which a small 8-bit, small 12-bit, or small 16-bit size should be used) or if you need to strictly adhere to FIPS 140-2 compliance (in which case, large is required). If you use this command, you should choose the group size based on the anticipated number of key servers (KSs) and group members (GMs).
When you change the group size in a group with cooperative KSs while Suite B (meaning ESP-GCM or ESP-GMAC) is configured and while the Suite B policy has been generated, you must change the group size on all secondary KSs before changing it on the primary KS.
Changing the group size causes the group to reinitialize (so that the new SID length can be used). The following prompt appears:
Device(gdoi-local-server)# group size large % Changing Group Size from MEDIUM to LARGE will cause % the group to re-initialize... Are you sure you want to proceed? [yes/no]:If the group size is decreasing and KS SIDs (KSSIDs) were configured that are not supported in the new group size (for example, 256 was configured with large and you changed it to medium, which has a maximum KSSID value of 127), the following prompt appears:
Device(gdoi-local-server)# group size medium % Changing the Group Size from LARGE to MEDIUM will cause the group to % re-initialize & the following configured Key Server SIDs will be lost: % 256, 510-511 Are you sure you want to proceed? [yes/no]:If cooperative KSs are configured, changing the group size on a secondary cooperative KS will not change the group size used and will not cause reinitialization until the primary cooperative KS changes the group size and reinitializes the group:
Device(gdoi-local-server)# group size large % Secondary COOP-KS will change configured Group Size from MEDIUM to LARGE % but will not use this Group Size until Primary COOP-KS changes as well.If the group is currently reinitializing, changing the group size is denied:
Device(gdoi-local-server)# group size large % Group Size Configuration Denied: % Please wait for group getvpn to finish re-initialization % and try changing the Group Size again.If cooperative KSs are configured and the local KS is primary, changing the group size is denied if all of the secondary cooperative KS peers have not already changed their group size to the new group size:
Device(gdoi-local-server)# group size large % Primary COOP-KS cannot change Group Size from MEDIUM to LARGE while the % following Secondary COOP-KS peers have not changed to LARGE: % 10.0.9.1 (Group Size: MEDIUM)If cooperative KSs are configured and the local KS is primary, changing the group size is denied if all of the secondary cooperative KS peers are not alive (meaning that there is a network split):
Device(gdoi-local-server)# group size large % Primary COOP-KS cannot change Group Size from MEDIUM to LARGE while % there is a network split with the following COOP-KS peers: % 10.0.8.1 (Role: Primary, Status: Dead)gtp
To configure the inspection parameters for General Packet Radio Service (GPRS) Tunneling Protocol (GTP), use the gtp command in parameter-map profile configuration mode. To disable the inspection parameters for GTP, use the no form of this command.
gtp { request-queue elements | timeout { { gsn | pdp-context | signaling | tunnel } minutes | request-queue seconds } | tunnel-limit number }
no gtp { request-queue | timeout { gsn | pdp-context | signaling | tunnel | request-queue } | tunnel-limit }
Syntax Description
request-queue
Specifies the queue depth of GTP requests.
elements
Number of elements in a queue. The range is from 1 to 4294967295. The default is 200.
timeout
Configures the timeout values for GTP.
gsn
Specifies the timeout value for the inactive GPRS Support Node (GSN).
minutes
Timeout in minutes. The range is from 1 to 35791. The default is 30.
pdp-context
Specifies the timeout value for inactive Packet Data Protocol (PDP) -Context.
request-queue
Specifies the timeout value for the inactive request queue.
seconds
Timeout in seconds. The range is from 1 to 2147483. The default value is 60.
signaling
Specifies the timeout value for inactive signaling.
tunnel
Specifies the timeout value for an inactive tunnel. The default value is 30 minutes.
tunnel-limit
Specifies the number of maximum allowed GTP tunnels.
number
Number of allowed GTP tunnels. The range is from 1 to 4294967295. The default is 500.
Usage Guidelines
The request-queue keyword specifies the maximum number of GTP requests that will be queued while waiting for a response. When the specified limit is reached and a new request arrives, the request that has been in the queue for the longest time is removed. After the inactivity timer has elapsed, the request will be removed from the queue.
hardware statistics
hash (ca-trustpoint)
To specify the cryptographic hash algorithm function for the signature that the Cisco IOS client uses to sign its self-signed certificates, use the hash command in ca-trustpoint configuration mode. To return to the default cryptographic hash function, use the no form of this command.
NoteSecurity threats, as well as the cryptographic technologies to help protect against them, are constantly changing. For more information about the latest Cisco cryptographic recommendations, see the Next Generation Encryption (NGE) white paper.
Syntax Description
md5
Specifies that Message-Digest algorithm 5 (MD5) hash function is used.
sha1
Specifies that Secure Hash Algorithm (SHA-1) hash function is used as the default hash algorithm for RSA keys.
sha256
Specifies that the SHA-256 hash function is used as the hash algorithm for Elliptic Curve (EC) 256 bit keys.
sha384
Specifies that the SHA-384 hash function is used as the hash algorithm for EC 384 bit keys.
sha512
Specifies that the SHA-512 hash function is used as the hash algorithm for EC 384 bit keys.
Command Default
The Cisco IOS client uses the MD5 cryptographic hash function for self-signed certificates by default.
Usage Guidelines
NoteSecurity threats, as well as the cryptographic technologies to help protect against them, are constantly changing. For more information about the latest Cisco cryptographic recommendations, see the Next Generation Encryption (NGE) white paper.
Any specified hash command algorithm keyword option can be used to over-ride the default setting for the trustpoint. This setting then becomes the default cryptographic hash algorithm function for self-signed certificates by default.
NoteThe algorithm does not specify what kind of signature the certificate authority (CA) uses when it issues a certificate to the client.
hash (cs-server)
To specify the cryptographic hash function the Cisco IOS certificate server uses to sign certificates issued by the certificate authority (CA), use the hash command in certificate server configuration mode. To return to the default cryptographic hash function, use the no form of this command.
Syntax Description
md5
Specifies that the Message-Digest algorithm 5 (MD5), the default hash function is used.
sha1
Specifies that the Secure Hash Algorithm (SHA-1) hash function is used.
sha256
Specifies that the SHA-256 hash function is used.
sha384
Specifies that the SHA-384 hash function is used.
sha512
Specifies that the SHA-512 hash function is used.
Command Default
By default, to sign certificates issued by CA, the Cisco IOS client uses the MD5 cryptographic hash function.
Usage Guidelines
NoteSecurity threats, as well as the cryptographic technologies to help protect against them, are constantly changing. For more information about the latest Cisco cryptographic recommendations, see the Next Generation Encryption (NGE) white paper.
You must configure the crypto pki server command with the name of the certificate server in order to enter certificate server configuration mode and configure this command.
The hash command in cs-server configuration mode sets the hash function for the signature that the Cisco IOS CA uses to sign all of the certificates issued by the server. If the CA is a root CA, it uses the hash function in its own, self-signed certificate.
Examples
The following example configures a certificate server, MyCS, and sets the cryptographic hash function to SHA-512 for the certificate server:
crypto pki server MyCS database level complete issuer-name CN=company,L=city,C=country grant auto trustpoint hash sha512 lifetime crl 168The following is sample output from the show crypto ca certificates command. This output shows that the CA has been configured and that the hash function SHA-512 has been specified.
CA Certificate Status: Available Certificate Serial Number: 01 Certificate Usage: Signature Issuer: cn=company l=city c=country Subject: cn=company l=city c=country Validity Date: start date: 01:32:35 GMT Aug 3 2006 end date: 01:32:35 GMT Aug 2 2009 Associated Trustpoints: MyTP Certificate Subject: Name: MyCS.cisco.com IP Address: 192.168.10.2 Status: Pending Key Usage: General Purpose Certificate Request Fingerprint SHA1: 05080A60 82DE9395 B35607C2 38F3A0C3 50609EF8 Associated Trustpoint: MyTPRelated Commands
Command
Description
auto-rollover
Enables the automated CA certificate rollover functionality.
cdp-url
Specifies a CDP to be used in certificates that are issued by the certificate server.
crl (cs-server)
Specifies the CRL PKI CS.
crypto pki server
Enables a CS and enters certificate server configuration mode, or immediately generates shadow CA credentials
database archive
Specifies the CA certificate and CA key archive format--and the password--to encrypt this CA certificate and CA key archive file.
database level
Controls what type of data is stored in the certificate enrollment database.
database url
Specifies the location where database entries for the CS is stored or published.
database username
Specifies the requirement of a username or password to be issued when accessing the primary database location.
default (cs-server)
Resets the value of the CS configuration command to its default.
grant auto rollover
Enables automatic granting of certificate reenrollment requests for a Cisco IOS subordinate CA server or RA mode CA.
grant auto trustpoint
Specifies the CA trustpoint of another vendor from which the Cisco IOS certificate server automatically grants certificate enrollment requests.
grant none
Specifies all certificate requests to be rejected.
grant ra-auto
Specifies that all enrollment requests from an RA be granted automatically.
issuer-name
Specifies the DN as the CA issuer name for the CS.
lifetime (cs-server)
Specifies the lifetime of the CA or a certificate.
mode ra
Enters the PKI server into RA certificate server mode.
mode sub-cs
Enters the PKI server into sub-certificate server mode
redundancy (cs-server)
Specifies that the active CS is synchronized to the standby CS.
serial-number (cs-server)
Specifies whether the router serial number should be included in the certificate request.
show (cs-server)
Displays the PKI CS configuration.
shutdown (cs-server)
Allows a CS to be disabled without removing the configuration.
hash (IKE policy)
To specify the hash algorithm within an Internet Key Exchange policy, use the hashcommand in Internet Security Association Key Management Protocol (ISAKMP) policy configuration mode. IKE policies define a set of parameters to be used during IKE negotiation. To reset the hash algorithm to the default secure hash algorithm (SHA) -1 hash algorithm, us e the no form of this command.
Command History
Release
Modification
11.3 T
This command was introduced.
12.4(4)T
IPv6 support was added.
12.2(33)SRA
This command was integrated into Cisco IOS release 12.(33)SRA.
12.2SX
This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
Cisco IOS XE Release 2.1
This command was introduced on Cisco ASR 1000 Series Routers.
15.1(2)T
This command was modified. The sha256 and sha384 keywords were added.
Usage Guidelines
NoteSecurity threats, as well as the cryptographic technologies to help protect against them, are constantly changing. For more information about the latest Cisco cryptographic recommendations, see the Next Generation Encryption (NGE) white paper.
Use this command to specify the hash algorithm to be used in an IKE policy.
Examples
The following example configures an IKE policy with the MD5 hash algorithm (all other parameters are set to the defaults):
crypto isakmp policy 15 hash md5 exitRelated Commands
Command
Description
authentication (IKE policy)
Specifies the authentication method within an IKE policy.
crypto isakmp policy
Defines an IKE policy.
encryption (IKE policy)
Specifies the encryption algorithm within an IKE policy.
group (IKE policy)
Specifies the Diffie-Hellman group identifier within an IKE policy.
lifetime (IKE policy)
Specifies the lifetime of an IKE SA.
show crypto isakmp policy
Displays the parameters for each IKE policy.
heading
To configure the heading that is displayed above URLs listed on the portal page of a SSL VPN, use the heading command in webvpn URL list configuration mode. To remove the heading, use the no form of this command.
hide-url-bar
To prevent the URL bar from being displayed on the SSL VPN portal page, use the hide-url-bar command in webvpn group policy configuration mode. To display the URL bar on the portal page, use the no form of this command.
holdtime
To configure the hold time for Internet Key Exchange Version 2 (IKEv2) gateways in a Hot Standby Router Protocol (HSRP) cluster, use the holdtime command in IKEv2 cluster configuration mode. To restore the default hold time, use the no form of this command.
Usage Guidelines
You must enable the crypto ikev2 cluster command before enabling the holdtime command.
hop-limit
To verify the advertised hop-count limit, use the hop-limit command in RA guard policy configuration mode.
Usage Guidelines
The hop-limit command enables verification that the advertised hop-count limit is greater than or less than the value set by the limit argument. Configuring the minimum limit keyword and argument can prevent an attacker from setting a low hop-count limit value on the hosts to block them from generating traffic to remote destinations; that is, beyond their default router. If the advertised hop-count limit value is unspecified (which is the same as setting a value of 0), the packet is dropped.
Configuring the maximum limit keyword and argument enables verification that the advertised hop-count limit is lower than the value set by the limit argument. If the advertised hop-count limit value is unspecified (which is the same as setting a value of 0), the packet is dropped.
Examples
The following example shows how the command defines a router advertisement (RA) guard policy name as raguard1, places the router in RA guard policy configuration mode, and sets a minimum hop-count limit of 3:
Router(config)# ipv6 nd raguard policy raguard1 Router(config-ra-guard)# hop-limit minimum 3host (webvpn url rewrite)
To select the name of the host site to be mangled on a Secure Socket Layer virtual private network (SSL VPN) gateway, use the host command in webvpn url rewrite configuration mode. To deselect a site, use the no form of this command.
hostname (IKEv2 keyring)
To specify the hostname for the peer in the Internet Key Exchange Version 2 (IKEv2) keyring, use the hostname command IKEv2 keyring peer configuration mode. To remove the hostname, use the no form of this command.
Usage Guidelines
When configuring the IKEv2 keyring, use this command to identify the peer using hostname, which is:
Examples
The following example shows how to configure the hostname for a peer when configuring an IKEv2 keyring:
Router(config)# crypto ikev2 keyring keyring-1 Router(config-ikev2-keyring)# peer peer1 Router(config-ikev2-keyring-peer)# description peer1 Router(config-ikev2-keyring-peer)# hostname peer1.example.comRelated Commands
Command
Description
address (ikev2 keyring)
Specifies the IPv4 address or the range of the peers in IKEv2 key.
crypto ikev2 keyring
Defines an IKEv2 keyring.
description (ikev2 keyring)
Describes an IKEv2 peer or a peer group for the IKEv2 keyring.
identity (ikev2 keyring)
Identifies the peer with IKEv2 types of identity.
peer
Defines a peer or a peer group for the keyring.
pre-shared-key (ikev2 keyring)
Defines a preshared key for the IKEv2 peer.
hostname (WebVPN)
To configure the hostname for a SSL VPN gateway, use the hostname command in webvpn gateway configuration mode. To remove the hostname from the SSL VPN gateway configuration, use the no form of this command.
Usage Guidelines
A hostname is configured for use in the URL and cookie-mangling process. In configurations where traffic is balanced among multiple SSL VPN gateways, the hostname configured with this command maps to the gateway IP address configured on the load-balancing device(s).
http proxy-server
To direct Secure Socket Layer virtual private network (SSL VPN) user requests through a backend HTTP proxy server, use the http proxy-server command in webvpn policy group configuration mode. To redirect user requests to internal servers, use the no form of this command.
Examples
The following example shows that requests from IP address 10.1.1.1 are to be routed to the proxy server (port number 2034):
Router (config)# webvpn context e1 Router (config-webvpn-context)# policy group g1 Router (config-webvpn-group)# http proxy-server 10.1.1.1 port 2034 Router (config-webvpn-group)# exit Router (config-webvpn-context)# default-group-policy g1http-redirect
To configure HTTP traffic to be carried over secure HTTP (HTTPS), use the http-redirect command in webvpn gateway configuration mode. To remove the HTTPS configuration from the SSL VPN gateway, use the no form of this command.
Command Default
The following default value is used if this command is configured without entering the port keyword:
port number : 80
Usage Guidelines
When this command is enabled, the HTTP port is opened and the SSL VPN gateway listens for HTTP connections. HTTP connections are redirected to use HTTPS. Entering the portkeyword and number argument configures the gateway to listen for HTTP traffic on the specified port. Entering the no form, disables HTTP traffic redirection. HTTP traffic is handled by the HTTP server if one is running.
hw-module slot subslot only
NoteThis command is deleted effective with Cisco IOS Release 12.2SXI.
To change the mode of the Cisco 7600 SSC-400 card to allocate full buffers to the specified subslot, use the hw-module slot subslot only command in global configuration mode. If this command is not used, the total amount of buffers available is divided between the two subslots on the Cisco 7600 SSC-400.
NoteThis command automatically generates a reset on the Cisco 7600 SSC-400. See Usage Guidelines below for details.
Syntax Description
slot
Chassis slot number where the Cisco 7600 SSC-400 is located. Refer to the appropriate hardware manual for slot information. For SIPs and SSCs, refer to the platform-specific SPA hardware installation guide or the corresponding “Identifying Slots and Subslots for SIPs and SPAs” topic in the platform-specific SPA software configuration guide.
subslot
Secondary slot number on the SSC where the IPSec VPN SPA is installed.
Command History
Release
Modification
12.2(18)SXF2
This command was introduced.
12.2(33)SRA
This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2SX
This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
12.2SXI
This command was deleted.
Usage Guidelines
Follow these guidelines and restrictions when configuring a Cisco 7600 SSC-400 and IPSec VPN SPAs using the hw-module slot subslot onlycommand:
- This command is useful when supporting IP multicast over GRE on the IPSec VPN SPA.
- When this command is executed, it automatically takes a reset action on the Cisco 7600 SSC-400 and issues the following prompt to the console:
Module n will be reset? Confirm [n]:The prompt will default to “N” (no). You must type “Y” (yes) to activate the reset action.
Examples
The following example allocates full buffers to the SPA that is installed in subslot 0 of the SIP located in slot 1 of the router and takes a reset action of the Cisco 7600 SSC-400.
Router(config)# hw-module slot 4 subslot 1 only Module 4 will be reset? Confirm [no]: yNote that the prompt will default to “N” (no). You must type “Y” (yes) to activate the reset action.
