-
Cisco IOS Security Command Reference: Commands S to Z
-
sa ipsec through sessions maximum
-
set aggressive-mode client-endpoint through show content-scan
-
show crypto ace redundancy through show cts sxp
-
show diameter peer through show object-group
-
show parameter-map type consent through show users
-
show vlan group through switchport port-security violation
-
tacacs-server administration through title-color
-
traffic-export through zone security
-
Index
-
Feedback
Contents
show vlan group through switchport port-security violation
- show vasi pair
- show vlan group
- show vtemplate
- show webvpn context
- show webvpn gateway
- show webvpn install
- show webvpn license
- show webvpn nbns
- show webvpn policy
- show webvpn session
- show webvpn sessions
- show webvpn statistics
- show webvpn stats
- show wlccp wds
- show xsm status
- show xsm xrd-list
- show zone security
- show zone-pair security
- shutdown (firewall)
- shutdown (cs-server)
- single-connection
- signature
- slave (IKEv2 cluster)
- smart-tunnel list
- smartcard-removal-disconnect
- snmp-server enable traps gdoi
- snmp-server enable traps ipsec
- snmp-server enable traps isakmp
- snmp-server enable traps nhrp
- snmp trap ip verify drop-rate
- source
- source interface
- source interface (ca-trustpool)
- source interface (Diameter peer)
- source-interface (URL parameter-map)
- source (parameter-map)
- split-dns
- ssh
- ssid (local RADIUS server group)
- ssl encryption
- ssl-proxy module allowed-vlan
- ssl truspoint
- sso-server
- standby-group
- status
- strict-http
- storage
- subject-alt-name
- subject-name
- subnet-acl (IKEv2 profile)
- subscriber access pppoe unique-key circuit-id
- subscriber service
- svc address-pool
- svc default-domain
- svc dns-server
- svc dpd-interval
- svc dtls
- svc homepage
- svc keepalive
- svc keep-client-installed
- svc module
- svc msie-proxy
- svc msie-proxy server
- svc mtu
- svc rekey
- svc split
- svc split dns
- svc wins-server
- switchport port-security
- switchport port-security aging
- switchport port-security mac-address
- switchport port-security maximum
- switchport port-security violation
show vasi pair
To display the status of a VRF-Aware Service Infrastructure (VASI) pair, use the show vasi paircommand in privileged EXEC mode.
Examples
The following is sample output from the show vasi pair command:
Router# show vasi pair status 100 Pair name Left state Right state Pair state ------------------------------------------------------------------------------ VASIPair100 down not configured need vasiright100The table below describes the significant fields shown in the display.
show vlan group
To display the VLANs mapped to VLAN groups, use the show vlan group command in privileged EXEC mode.
Usage Guidelines
The show vlan group command displays the existing VLAN groups and lists the VLANs and VLAN ranges that are members of each VLAN group. If the group-namekeyword is entered, only the members of the VLAN group specified by the group-name argument are displayed.
show vtemplate
To display information about all configured virtual templates, use the show vtemplatecommand in privileged EXEC mode.
Command History
Release
Modification
12.0(7)DC
This command was introduced on the Cisco 6400 NRP.
12.2(13)T
This command was integrated into Cisco IOS Release 12.2(13)T.
12.3(14)T
The show display was modified to display the interface type of the virtual template and to provide counters on a per-interface-type basis for IPsec virtual tunnel interfaces.
12.2(33)SRA
This comand was integrated into Cisco IOS Release 12.2(33)SRA.
12.2(33)SXH
This comand was integrated into Cisco IOS Release 12.2(33)SXH.
Examples
The following is sample output from the show vtemplate command:
Router# show vtemplate Virtual access subinterface creation is globally enabled Active Active Subint Pre-clone Pre-clone Interface Interface Subinterface Capable Available Limit Type --------- ------------ ------- --------- --------- --------- Vt1 0 0 Yes -- -- Serial Vt2 0 0 Yes -- -- Serial Vt4 0 0 Yes -- -- Serial Vt21 0 0 No -- -- Tunnel Vt22 0 0 Yes -- -- Ether Vt23 0 0 Yes -- -- Serial Vt24 0 0 Yes -- -- Serial Usage Summary Interface Subinterface --------- ------------ Current Serial in use 1 0 Current Serial free 0 3 Current Ether in use 0 0 Current Ether free 0 0 Current Tunnel in use 0 0 Current Tunnel free 0 0 Total 1 3 Cumulative created 8 4 Cumulative freed 0 4 Base virtual access interfaces: 1 Total create or clone requests: 0 Current request queue size: 0 Current free pending: 0 Maximum request duration: 0 msec Average request duration: 0 msec Last request duration: 0 msec Maximum processing duration: 0 msec Average processing duration: 0 msec Last processing duration: 0 msec Last processing duration:0 msecThe table below describes the significant fields shown in the example.
Table 2 show vtemplate Field Descriptions Field
Description
Virtual access subinterface creation is globally...
The configured setting of the virtual-templatecommand. Virtual access subinterface creation may be enabled or disabled.
Active Interface
The number of virtual access interfaces that are cloned from the specified virtual template.
Active Subinterface
The number of virtual access subinterfaces that are cloned from the specified virtual template.
Subint Capable
Specifies if the configuration of the virtual template is supported on the virtual access subinterface.
Pre-clone Available
The number of precloned virtual access interfaces currently available for use for the particular virtual template.
Pre-clone Limit
The number of precloned virtual access interfaces available for that particular virtual template.
Current in use
The number of virtual access interfaces and subinterfaces that are currently in use.
Current free
The number of virtual access interfaces and subinterfaces that are no longer in use.
Total
The total number of virtual access interfaces and subinterfaces that exist.
Cumulative created
The number of requests for a virtual access interface or subinterface that have been satisfied.
Cumulative freed
The number of times that the application using the virtual access interface or subinterface has been freed.
Base virtual-access interfaces
This field specifies the number of base virtual access interfaces. The base virtual access interface is used to create virtual access subinterfaces. There is one base virtual access interface per application that supports subinterfaces. A base virtual access interface can be identified from the output of the show interfaces virtual-access command.
Total create or clone requests
The number of requests that have been made through the asynchronous request API of the virtual template manager.
Current request queue size
The number of items in the virtual template manager work queue.
Current free pending
The number of virtual access interfaces whose final freeing is pending. These virtual access interfaces cannot currently be freed because they are still in use.
Maximum request duration
The maximum time that it took from the time that the asynchronous request was made until the application was notified that the request was done.
Average request duration
The average time that it took from the time that the asynchronous request was made until the application was notified that the request was done.
Last request duration
The time that it took from the time that the asynchronous request was made until the application was notified that the request was done for the most recent request.
Maximum processing duration
The maximum time that the virtual template manager spent satisfying the request.
Average processing duration
The average time that the virtual template manager spent satisfying the request.
Last processing duration
The time that the virtual template manager spent satisfying the request for the most recent request.
show webvpn context
To display the operational status and configuration parameters for Secure Socket Layer (SSL) virtual private network (VPN) context configurations, use the show webvpn context command in privileged EXEC mode.
Command Default
If no arguments or keywords are specified, the output displays general information about the operational status of all SSL VPN contexts.
Usage Guidelines
Entering a context name displays more detailed information, such as the operational status and specific configuration information for the named context.
Examples
The following output is an example of brief information that can be displayed for system security officer (SSO) servers configured for the SSL VPN context:
Router# show webvpn context brief Codes: AS - Admin Status, OS - Operation Status VHost - Virtual Host Context Name Gateway Domain/VHost VRF AS OS ------------ ------- ------------ ------- ---- -------- Default_context n/a n/a n/a down down con-1 gw-1 one - up up con-2 - - - down downThe table below describes the significant fields shown in the display.
Table 3 show webvpn context brief Field Descriptions Field
Description
Context Name
Displays the name of the context.
Gateway
Displays the name of the associated gateway. n/a is displayed if no gateway is associated.
Domain/VHost
Displays the SSL VPN domain or virtual hostname.
VRF
Displays the VPN routing and forwarding (VRF) instance, if configured, that is associated with the context configuration.
AS
Displays the administrative status of the SSL VPN context. The status is displayed as "up" or "down."
OS
Displays the operational status of the SSL VPN context. The status is displayed as "up" or "down."
The following is sample output from the show webvpn context command entered with the name of a specific SSL VPN context:
Router# show webvpn context 1234567891234567891second Admin Status: down Operation Status: down Error and Event Logging: Disabled CSD Status: Disabled Certificate authentication type: All attributes (like CRL) are verified AAA Authentication List not configured AAA Authorization List not configured AAA Accounting List not configured AAA Authentication Domain not configured Authentication mode: AAA authentication Default Group Policy not configured Not associated with any WebVPN Gateway Domain Name and Virtual Host not configured Maximum Users Allowed: 1000 (default) NAT Address not configured VRF Name not configured Virtual Template not configuredThe table below describes the significant fields shown in the display.
Table 4 show webvpn context (Specific WebVPN Context) Field Descriptions Field
Description
Admin Status
Administrative status of the context. The status is displayed as "up" or "down." The inservice command is used to configure this configuration parameter.
Operation Status
Displays the operational status of the SSL VPN. The status is displayed as "up" or "down." The context and the associated gateway must both be in an enabled state for the operational status to be "up."
CSD Status
Displays the status of Cisco Secure Desktop (CSD). The status is displayed as "Enabled" or "Disabled."
Certificate authentication type
Displays the certification authority (CA) type.
AAA Authentication List...
Displays the authentication list if configured.
AAA Authentication Domain...
Displays the authentication, authorization, and accounting (AAA) domain if configured.
Default Group Policy
Name of the group policy configured under the named context.
Domain Name
Domain name or virtual hostname configured under the named context.
Maximum Users Allowed
Displays the maximum number of user sessions that can be configured.
NAT Address...
Displays the Network Address Translation (NAT) address if configured.
VRF
Displays the VRF, if configured, that is associated with the context configuration.
show webvpn gateway
To display the status of a SSL VPN gateway, use the show webvpn gateway command in privileged EXEC mode.
Usage Guidelines
Entering this command without specifying a gateway name, displays general the operational status of all SSL VPN gateways. Entering a gateway name displays the IP address and CA trustpoint.
Examples
The following is sample output from the show webvpn gateway command:
Router# show webvpn gateway Gateway Name Admin Operation ------------ ----- --------- GW_1 up up GW_2 down downThe table below describes the significant fields shown in the display.
Table 5 show webvpn gateway Field Descriptions Field
Description
Gateway Name
Name of the gateway.
Admin
The administrative status of the gateway, displayed as "up" or "down." Administrative status is configured with the inservice command.
Operation
The operational status of the gateway, displayed as "up" or "down." The gateway must be "inservice" and configured with a valid IP address to be in an "up" state.
The following is sample output from the show webvpn gatewaycommand, entered with a specific SSL VPN gateway name:
Router# show webvpn gateway GW_1 Admin Status: up Operation Status: up IP: 10.1.1.1, port: 443 SSL Trustpoint: TP-self-signed-26793562The table below describes the significant fields shown in the display.
Table 6 show webvpn gateway name Field Descriptions Field
Description
Admin Status
The administrative status of the gateway, displayed as "up" or "down." Administrative status is configured with the inservice command.
Operation Status
The operational status of the gateway, displayed as "up" or "down." The gateway must be "inservice" and configured with a valid IP address to be in an "up" state.
IP: ... port: ...
The configured IP address and port number of the WebVPN gateway. The default port number 443.
SSL Trustpoint:
Configures the CA certificate trust point.
show webvpn install
To display the installation status of SVC or CSD client software packages, use the show webvpn install command in EXEC mode.
Usage Guidelines
This command is used to display information about Cisco Secure Desktop (CSD) and SSL VPN Client (SVC) software pages that are locally cached for distribution to remote SSL VPN clients. This information includes software versions and build dates.
Examples
The following is sample output from the show webvpn install command, entered with the file keyword:
Router# show webvpn install file \webvpn\stc\version.txt SSLVPN File \webvpn\stc\version.txt installed: CISCO STC win2k+ 1.0.0 1,1,0,116 Fri 06/03/2005 03:02:46.43The table below describes the significant fields shown in the display.
Table 7 show webvpn install file Field Descriptions Field
Description
SSLVPN File
The local path to the specified installation package file. File attributes, such as the name, build number, and installation date are deployed following this line.
The following is sample output from the show webvpn install command, entered with the package svckeywords:
Router# show webvpn install package svc SSLVPN Package SSL-VPN-Client installed: File: \webvpn\stc\1\binaries\detectvm.class, size: 555 File: \webvpn\stc\1\binaries\java.htm, size: 309 File: \webvpn\stc\1\binaries\main.js, size: 8049 File: \webvpn\stc\1\binaries\ocx.htm, size: 244 File: \webvpn\stc\1\binaries\setup.cab, size: 176132 File: \webvpn\stc\1\binaries\stc.exe, size: 94696 File: \webvpn\stc\1\binaries\stcjava.cab, size: 7166 File: \webvpn\stc\1\binaries\stcjava.jar, size: 4846 File: \webvpn\stc\1\binaries\stcweb.cab, size: 13678 File: \webvpn\stc\1\binaries\update.txt, size: 11 File: \webvpn\stc\1\empty.html, size: 153 File: \webvpn\stc\1\images\alert.gif, size: 2042 File: \webvpn\stc\1\images\buttons.gif, size: 1842 File: \webvpn\stc\1\images\loading.gif, size: 313 File: \webvpn\stc\1\images\title.gif, size: 2739 File: \webvpn\stc\1\index.html, size: 4725 File: \webvpn\stc\2\index.html, size: 325 File: \webvpn\stc\version.txt, size: 63 Total files: 18The table below describes the significant fields shown in the display.
Table 8 show webvpn install package Field Descriptions Field
Description
SSLVPN Package SSL-VPN-Client installed:
Displays the installation status of the CSD or SVC software package as "installed" or "NONE."
File: ... size: ...
The path, name, and size of each installation file.
Total files:
Total number in the package.
The following is sample output from the show webvpn install command, entered with the status svc keywords:
Router# show webvpn install status svc SSLVPN Package SSL-VPN-Client version installed: CISCO STC win2k+ 1.0.0 1,0,2,127 Fri 07/22/2005 12:14:45.43The table below describes the significant fields shown in the display.
show webvpn license
To display the available count and the current usage, use the show webvpn licensecommand in privileged EXEC mode.
Usage Guidelines
Use the show webvpn license command to display the available count and the current usage. To display the current license type and time period left in the case of a nonpermanent licence, use the show licensecommand.
show webvpn nbns
To display information in the NetBIOS Name Service (NBNS) cache, use the show webvpn nbns command in privileged EXEC mode.
Usage Guidelines
This command is used to display information about NBNS cache entries. The NetBIOS name, IP address of the Windows Internet Name Service (WINS) server, and associated time stamps.
Examples
The following is sample output from the show webvpn nbns command, entered with the context and all keywords:
Router# show webvpn nbns context all NetBIOS name IP Address Timestamp 0 total entries NetBIOS name IP Address Timestamp 0 total entries NetBIOS name IP Address Timestamp 0 total entriesThe table below describes the significant fields shown in the display.
show webvpn policy
To display the context configuration associated with a policy group, use the show webvpn policy command in user EXEC or privileged EXEC mode.
Syntax Description
group name
Displays information for the named policy group.
context all
Displays information for all context configurations with which the policy group is associated.
context name
Displays information for the named context configuration.
detail
(Optional) Displays detailed information about the user session.
Command History
Release
Modification
12.4(6)T
This command was introduced.
12.4(11)T
This command was modified. An output example was added for Single SignOn (SSO) server information.
15.1(1)T
This command was modified. The detail keyword was added. The output was modified to display the webvpn home page configuration.
Usage Guidelines
This command is used to display configuration settings that apply only to the policy group. This command can also be used to display all contexts for which the policy group is configured.
Examples
The following is sample output from the show webvpn policycommand:
Router# show webvpn policy group group1 context all WEBVPN: group policy = group1 ; context = context1 url list name = "web-url" cifs url list name = "cifs-url" idle timeout = 2100 sec session timeout = Disabled port forward name = "pflist" functions = file-access file-browse file-entry svc-enabled citrix disabled address pool name = "70pool" svc home page = "http://wiki-eng.cisco.com/engwiki/SSLVPNTech" webvpn home page = "http://192.0.2.0", redirection time = 10 dpd client timeout = 300 sec dpd gateway timeout = 300 sec keepalive interval = 30 sec SSLVPN Full Tunnel mtu size = 1406 bytes keep sslvpn client installed = enabled rekey interval = 3600 sec rekey method = lease duration = 43200 sec msie-proxy = auto ie proxy server = "test.com:80" split include = 209.165.200.225 255.255.255.224 split include = 209.165.200.226 255.255.255.224See the table below for the field description.
The following sample output displays information about an SSO server configured for a policy group of the SSL VPN context: Router# show webvpn policy group ONE context all WV: group policy = sso ; context = test_sso idle timeout = 2100 sec session timeout = 43200 sec sso server name = "server2 citrix disabled dpd client timeout = 300 sec dpd gateway timeout = 300 sec keep sslvpn client installed = disabled rekey interval = 3600 sec rekey method = lease duration = 43200 secThe table below describes the significant fields shown in the displays.
Table 11 show webvpn policy Field Descriptions Field
Description
group policy
Name of the policy group.
context
Name of the Secure Socket Layer (SSL) Virtual Private Network (VPN) context.
url list name
Name of the URL list.
cifs url list name
Name of the Common Internet File System (CIFS) URL list.
idle timeout
Length of time that a remote-user session can remain idle.
session timeout
Length of time that a remote-user session can remain active.
port forward name
Name of the port-forwarding list configured with the port-forward command.
citrix
Support for Citrix applications, shown as "disabled" or "enabled."
address pool name
Name of the address pool configured.
svc home page
URL of the SSL VPN Client (SVC) configured.
webvpn home page
URL of the WebVPN configured using the webvpn-homepage command.
dpd client timeout
Length of time that a session will be maintained with a nonresponsive end user (remote client).
dpd gateway timeout
Length of the time that a session will be maintained with a nonresponsive SSL VPN gateway.
keepalive interval
Keepalive interval, in seconds.
SSLVPN Full Tunnel mtu size
MTU, in bytes.
keep sslvpn client installed
Cisco AnyConnect VPN Client software installation policy on the end user (remote PC). "enabled" indicates that Cisco AnyConnect VPN Client software remains installed after the SSL VPN session is terminated. "disabled" indicates that Cisco AnyConnect VPN Client software is pushed to the end user each time a connection is established.
rekey interval
Length of time between tunnel key refresh cycles.
rekey method
Tunnel key authentication method.
lease duration
Tunnel key lifetime.
sso server name
Name of the SSO server.
show webvpn session
To display Secure Sockets Layer Virtual Private Network (SSL VPN) user session information, use the show webvpn session command in user EXEC or privileged EXEC mode.
Syntax Description
user
(Optional) Displays detailed information about the named user session.
user-name
(Optional) Name of the user.
context
Displays a list of active users for only the named context.
context-name
Name of the context.
all
Displays a list of active users sessions for all locally configured contexts.
detail
(Optional) Displays detailed information about the user session.
Usage Guidelines
This command is used to list active SSL VPN connections or to display context configuration policies that apply to the specified end user.
The show webvpn session command provides detailed information about the user session. These details include the username, assigned IP addess, group policy, login time, hash algorithms used for the session, number of clientless tunnels, and the number of full tunnels enabled for the user.
This command is applicable only for user session statistics and tunnel statistics.
Examples
The following is sample output from the show webvpn session command. The output is filtered to display user session information for only the specified context.
Router# show webvpn session context context1 WebVPN context name: context1 Client_Login_Name Client_IP_Address No_of_Connections Created Last_Used user1 192.0.2.1 2 04:47:16 00:01:26 user2 192.0.2.2 2 04:48:36 00:01:56The table below describes the significant fields shown in the display.
Table 12 show webvpn session Field Descriptions Field
Description
WebVPN context name
Name of the context.
Client_Login_Name
Login name for the end user (remote PC or device).
Client_IP_Address
IP address of the remote user.
No_of_Connections
Number of times the remote user has connected.
Created
Time, in hh:mm:ss, when the remote connection was established.
Last_Used
Time, in hh:mm:ss, that the user connection last generated network activity.
The following is sample output from the show webvpn session command. The output is filtered to display session information for a specific user.
Router# show webvpn session user user1 context all Session Type : Full Tunnel Client User-Agent : Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Username : test Num Connection : 1 Public IP : 192.0.2.0 VRF Name : None Context : context1 Policy Group : default Last-Used : 00:00:42 Created : *09:50:38.191 UTC Thu Jan 21 2010 Session Timeout : Disabled Idle Timeout : 2100 DPD GW Timeout : 300 DPD CL Timeout : 300 Address Pool : varun MTU Size : 1206 Rekey Time : 3600 Rekey Method : Lease Duration : 43200 Tunnel IP : 209.165.200.225 Netmask : 255.255.255.224 Rx IP Packets : 0 Tx IP Packets : 1 CSTP Started : 00:01:42 Last-Received : 00:01:42 CSTP DPD-Req sent : 0 Virtual Access : 1 Msie-ProxyServer : None Msie-PxyPolicy : Disabled Msie-Exception : Split Include : 209.165.200.224 255.255.255.224 Client Ports : 2538 DTLS Port : 2547The table below describes the significant fields shown in the display.
Table 13 show webvpn session user context all Field Descriptions Field
Description
Session Type
Mode used to access SSL VPN.
Client User-Agent
The client user-agent header.
Username
Name of the end user.
Num Connection
Number of times the remote user has connected.
Public IP
Public IP address.
VRF Name
Name of the virtual routing and forwarding (VRF) interface.
Context
Name of the context to which user policies apply.
Policy Group
Name of the policy group to which the user belongs.
Last-Used
Time, in hh:mm:ss, that the user connection last generated network activity.
Created
Time, in hh:mm:ss, when the remote connection was established.
Session Timeout
Length of time that a remote-user session can remain active.
Idle Timeout
Length of time that a remote-user session can remain idle.
DPD GW Timeout
Length of time that a Dead Peer Detection (DPD) gateway can remain idle.
DPD CL Timeout
Length of time that a DPD client can remain idle.
Address Pool
Name of the address pool configured.
MTU Size
Size of the maximum transmission unit (MTU).
Rekey Time
Time at which the tunnel key is refreshed.
Rekey Method
Tunnel key authentication method.
Lease Duration
Tunnel key lifetime.
Tunnel IP
IP address of the SSL VPN tunnel.
Netmask
Network mask used.
Rx IP Packets
Number of IP packets sent.
Tx IP Packets
Number of IP packets received.
CSTP Started
Time at which the Cisco SSL Tunnel Protocol (CSTP) frames were sent to the client.
Last-Received
Time when the CSTP frame was received.
CSTP DPD-Req sent
Time at which the CSTP request was sent to the client.
Virtual Access
Total number of virtual access interfaces created.
Msie-ProxyServer
Number of Microsoft Internet Explorer (MSIE) proxy servers configured for policy group end users.
Msie-PxyPolicy
Status of the MSIE policy: Enabled or Disabled.
Msie-Exception
MS Proxy exceptions.
Split Include
IP address from which the traffic is resolved through the Cisco AnyConnect VPN Client tunnel.
Client Ports
Local TCP port used on the client host.
DTLS Port
Datagram Transport Layer Security (DTLS) port.
The following is sample output from the show webvpn session user context all detail command:
Router# show webvpn session user user1 context all detail Session Type : Full Tunnel Client User-Agent : Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:10.0.0.1) Username : user1 Num Connection : 1 Public IP : 209.165.200.225 VRF Name : None Context : context1 Policy Group : default Last-Used : 00:00:02 Created : *09:50:38.191 UTC Thu Jan 21 2010 Session Timeout : Disabled Idle Timeout : 2100 DPD GW Timeout : 300 DPD CL Timeout : 300 Address Pool : varun MTU Size : 1206 Rekey Time : 3600 Rekey Method : Lease Duration : 43200 Tunnel IP : 209.165.200.249 Netmask : 255.255.255.224 Rx IP Packets : 0 Tx IP Packets : 2 CSTP Started : 00:02:03 Last-Received : 00:02:03 CSTP DPD-Req sent : 0 Virtual Access : 1 Msie-ProxyServer : None Msie-PxyPolicy : Disabled Msie-Exception : Split Include : 209.165.200.250 255.255.255.224 Client Ports : 2538 DTLS Port : 2547 Detail Session Statistics for User:: user1 ---------------------------------- CSTP Statistics:: Rx CSTP Frames : 4 Tx CSTP Frames : 0 Rx CSTP Bytes : 32 Tx CSTP Bytes : 0 Rx CSTP Data Fr : 0 Tx CSTP Data Fr : 0 Rx CSTP CNTL Fr : 4 Tx CSTP CNTL Fr : 0 Rx CSTP DPD Req : 0 Tx CSTP DPD Req : 0 Rx CSTP DPD Res : 0 Tx CSTP DPD Res : 0 Rx Addr Renew Req : 0 Tx Address Renew : 0 Rx CDTP Frames : 2 Tx CDTP Frames : 0 Rx CDTP Bytes : 122 Tx CDTP Bytes : 0 Rx CDTP Data Fr : 2 Tx CDTP Data Fr : 0 Rx CDTP CNTL Fr : 0 Tx CDTP CNTL Fr : 0 Rx CDTP DPD Req : 0 Tx CSTP DPD Req : 0 Rx CDTP DPD Res : 0 Tx CDTP DPD Res : 0 Rx IP Packets : 0 Tx IP Packets : 2 Rx IP Bytes : 0 Tx IP Bytes : 10 CEF Statistics:: Rx CSTP Data Fr : 0 Tx CSTP Data Fr : 0 Rx CSTP Bytes : 0 Tx CSTP Bytes : 0The table below describes the significant fields shown in the display.
Table 14 show webvpn session user context all detail Field Descriptions Field
Description
Rx CSTP Frames
Number of CSTP frames received from the client.
Rx CSTP Bytes
Number of CSTP bytes (data plus control frames) received from the client.
Rx CSTP Data Fr
Number of CSTP data frames received from the client.
Rx CSTP CNTL Fr
Number of CSTP control frames received from the client.
Rx CSTP DPD Req
Number of DPD requests received at the gateway.
Rx CSTP DPD Res
Number of times the gateway processed a CSTP DPD request frame.
Rx Addr Renew Req
Number of address renew requests received at the gateway.
Rx CDTP Frames
Number of Cisco Dynamic Trunking Protocol (CDTP) frames received from the client.
Rx CDTP Bytes
Number of CDTP bytes received from the client.
Rx CDTP Data Fr
Number of CDTP data frames received from the client.
Rx CDTP CNTL Fr
Number of CDTP control frames received from the client.
Rx CDTP DPD Req
Number of CDTP DPD requests received at the gateway.
Rx CDTP DPD Res
Number of times the gateway processed a CDTP DPD request frame.
Rx IP Packets
Total number of IP packets received.
Rx IP Bytes
Total number of IP bytes received.
Tx CSTP Frames
Number of CSTP frames transmitted to the client.
Tx CSTP Bytes
Number of CSTP bytes (data plus control frames) transmitted to the client.
Tx CSTP Data Fr
Number of CSTP data frames transmitted to the client.
Tx CSTP CNTL Fr
Number of CSTP control frames transmitted to the client.
Tx CSTP DPD Req
Number of DPD requests transmitted from the gateway.
Tx CSTP DPD Res
Number of times the gateway processed a CSTP DPD request frame.
Tx Address Renew
Number of address renew requests transmitted at the gateway.
Tx CDTP Frames
Number of CDTP frames transmitted to the client.
Tx CDTP Bytes
Number of CDTP bytes transmitted to the client.
Tx CDTP Data Fr
Number of CDTP data frames transmitted to the client.
Tx CDTP CNTL Fr
Number of CDTP control frames transmitted to the client.
Tx CDTP DPD Req
Number of CDTP DPD requests transmitted to the gateway.
Tx CDTP DPD Res
Number of times the gateway processed a CDTP DPD request frame.
Tx IP Packets
Total number of IP packets transmitted.
Tx IP Bytes
Total number of IP bytes transmitted.
CEF Statistics
Cisco Express Forwarding statistics.
show webvpn sessions
NoteEffective with Cisco IOS Release 12.4(6)T, the show webvpn sessions command is replaced by the show webvpn session command. See the show webvpn session command for more information.
To display information about WebVPN sessions, use the show webvpn sessions command in privileged EXEC mode.
Examples
The following output example displays information about a WebVPN session:
Router# show webvpn sessions WebVPN domain name: cisco.com Client Login Name Client IP Address Number of Connections webuser 172.16.163.142 4 Created 00:14:25, Last-used 00:00:10 Client Port: 2366 Client Port: 2386 Client Port: 2396 Client Port: 2486 browseruser 172.16.163.142 2 Created 00:00:09, Last-used 00:00:08 Client Port: 2431 Client Port: 2432The table below describes the significant fields shown in the display
Table 15 show webvpn sessions Field Descriptions Field
Description
Client Login Name
Username used to log in to the WebVPN gateway.
Client IP Address
IP address of the host from which the user is connecting.
Number of Connections
Number of active TCP connections by the user at this point.
Created
Provides the time that has elapsed since the user logged in (in HH:MM:SS format).
Client Port
Local TCP port used on the client host.
show webvpn statistics
NoteEffective with Cisco IOS Release 12.4(6)T, the show webvpn statistics command is replaced by the show webvpn statscommand. See the show webvpn stats command for more information.
To display WebVPN statistics, use the show webvpn statistics command in privileged EXEC mode.
Examples
The following is sample output using the show webvpn statistics command:
Router# show webvpn statistics Active user sessions: 2 Active user TCP connections: 6 Authentication failures: 3 Terminated user sessions: 0The table below describes the significant fields shown in the display.
Table 16 show webvpn statistics Field Descriptions Field
Description
Active user sessions
Number of users who are logged into the system.
Active user TCP connections
Number of TCP user connections that are used by the user session.
Authentication failures
Number of authentication failures to the gateway.
Terminated user sessions
Number of users who logged in and logged out after the statistics were cleared.
show webvpn stats
To display Secure Socket Layer Virtual Private Network (SSL VPN) application and network statistics, use the show webvpn stats command in privileged EXEC mode.
show webvpn stats [ cifs | citrix | mangle | port-forward | sso | tunnel ] [detail] [ context { all | name } ]
Syntax Description
cifs
(Optional) Displays Windows file share (Common Internet File System [CIFS]) statistics.
citrix
(Optional) Displays Citrix application statistics.
mangle
(Optional) Displays URL mangling statistics.
port-forward
(Optional) Displays port forwarding statistics.
sso
(Optional) Displays statistics for the Single SignOn (SSO) server.
tunnel
(Optional) Displays VPN tunnel statistics.
detail
(Optional) Displays detailed information.
context all | name
(Optional) Displays information for a specific context or all contexts.
Usage Guidelines
This command is used to display SSL VPN application, authentication, and network statistics and counters.
Examples
The following is sample output from the show webvpn stats command entered with the detail and context keywords:
Router# show webvpn stats detail context context1 WebVPN context name : context1 User session statistics: Active user sessions : 0 AAA pending reqs : 0 Peak user sessions : 0 Peak time : never Active user TCP conns : 0 Terminated user sessions : 0 Session alloc failures : 0 Authentication failures : 0 VPN session timeout : 0 VPN idle timeout : 0 User cleared VPN sessions: 0 Exceeded ctx user limit : 0 CEF switched packets - client: 0 , server: 0 CEF punted packets - client: 0 , server: 0 Mangling statistics: Relative urls : 0 Absolute urls : 0 Non-http(s) absolute urls: 0 Non-standard path urls : 0 Interesting tags : 0 Uninteresting tags : 0 Interesting attributes : 0 Uninteresting attributes : 0 Embedded script statement: 0 Embedded style statement : 0 Inline scripts : 0 Inline styles : 0 HTML comments : 0 HTTP/1.0 requests : 0 HTTP/1.1 requests : 0 Unknown HTTP version : 0 GET requests : 0 POST requests : 0 CONNECT requests : 0 Other request methods : 0 Through requests : 0 Gateway requests : 0 Pipelined requests : 0 Req with header size >1K : 0 Processed req hdr bytes : 0 Processed req body bytes : 0 HTTP/1.0 responses : 0 HTTP/1.1 responses : 0 HTML responses : 0 CSS responses : 0 XML responses : 0 JS responses : 0 Other content type resp : 0 Chunked encoding resp : 0 Resp with encoded content: 0 Resp with content length : 0 Close after response : 0 Resp with header size >1K: 0 Processed resp hdr size : 0 Processed resp body bytes: 0 Backend https response : 0 Chunked encoding requests: 0 CIFS statistics: SMB related Per Context: TCP VC's : 0 UDP VC's : 0 Active VC's : 0 Active Contexts : 0 Aborted Conns : 0 NetBIOS related Per Context: Name Queries : 0 Name Replies : 0 NB DGM Requests : 0 NB DGM Replies : 0 NB TCP Connect Fails : 0 NB Name Resolution Fails : 0 HTTP related Per Context: Requests : 0 Request Bytes RX : 0 Request Packets RX : 0 Response Bytes TX : 0 Response Packets TX : 0 Active Connections : 0 Active CIFS context : 0 Requests Dropped : 0 Socket statistics: Sockets in use : 0 Sock Usr Blocks in use : 0 Sock Data Buffers in use : 0 Sock Buf desc in use : 0 Select timers in use : 0 Sock Select Timeouts : 0 Sock Tx Blocked : 0 Sock Tx Unblocked : 0 Sock Rx Blocked : 0 Sock Rx Unblocked : 0 Sock UDP Connects : 0 Sock UDP Disconnects : 0 Sock Premature Close : 0 Sock Pipe Errors : 0 Sock Select Timeout Errs : 0 Port Forward statistics: Connections serviced : 0 Server Aborts (idle) : 0 Client Server in pkts : 0 out pkts : 0 in bytes : 0 out bytes : 0 out pkts : 0 in pkts : 0 out bytes : 0 in bytes : 0 WEBVPN Citrix statistics: Connections serviced : 0 Server Client Packets in : 0 0 Packets out : 0 0 Bytes in : 0 0 Bytes out : 0 0 Tunnel Statistics: Active connections : 0 Peak connections : 0 Peak time : never Connect succeed : 0 Connect failed : 0 Reconnect succeed : 0 Reconnect failed : 0 SVCIP install IOS succeed: 0 SVCIP install IOS failed : 0 SVCIP clear IOS succeed : 0 SVCIP clear IOS failed : 0 SVCIP install TCP succeed: 0 SVCIP install TCP failed : 0 DPD timeout : 0 Client Server in CSTP frames : 0 out IP pkts : 0 in CSTP data : 0 out stitched pkts : 0 in CSTP control : 0 out copied pkts : 0 in CSTP Addr Reqs : 0 out bad pkts : 0 in CSTP DPD Reqs : 0 out filtered pkts : 0 in CSTP DPD Resps : 0 out non fwded pkts : 0 in CSTP Msg Reqs : 0 out forwarded pkts : 0 in CSTP bytes : 0 out IP bytes : 0 out CSTP frames : 0 in IP pkts : 0 out CSTP data : 0 in invalid pkts : 0 out CSTP control : 0 in congested pkts : 0 out CSTP Addr Resps : 0 in bad pkts : 0 out CSTP DPD Reqs : 0 in nonfwded pkts : 0 out CSTP DPD Resps : 0 in forwarded pkts : 0 out CSTP Msg Reqs : 0 out CSTP bytes : 0 in IP bytes : 0The table below describes significant fields in the show webvpn stats detail contextdisplay.
The following example displays SSO statistics:
Router# show webvpn stats sso Auth Requests : 4 Pending Auth Requests : 0 Successful Requests : 1 Failed Requests : 3 Retranmissions : 0 DNS Errors : 0 Connection Errors : 0 Request Timeouts : 0 Unknown Responses : 0The table below describes significant fields in the show webvpn stats ssodisplay.
Table 18 show webvpn stats sso Field Descriptions Field
Description
Auth Requests
Number of SSO authentication requests.
Successful Requests
Number of SSO authentication requests that passed successfully.
Retransmissions
Total number of times authentication requests were resent for authentication. The resending occurs when the SSO timer expires and no response is received from the SSO server for authentication requests.
Connection Errors
Number of failures to sign on to the SSO server.
Unknown Responses
Number of times an SSO authentication request yielded results other than failure or success (includes errors, such as access control list [ACL] errors).
Pending Auth Requests
Total number of SSO authentication requests pending to be processed for authentication.
Failed Requests
Number of times SSO authentication failed.
DNS Errors
Number of times an SSO server could not be resolved.
Request Timeouts
Number of times an SSO authentication request timed out.
The following example displays information about CEF:
Router# show webvpn stats User session statistics: Active user sessions : 1 AAA pending reqs : 0 Peak user sessions : 1 Peak time : 00:12:01 Active user TCP conns : 1 Terminated user sessions : 1 Session alloc failures : 0 Authentication failures : 0 VPN session timeout : 0 VPN idle timeout : 0 User cleared VPN sessions: 0 Exceeded ctx user limit : 0 Exceeded total user limit: 0 Client process rcvd pkts : 37 Server process rcvd pkts : 0 Client process sent pkts : 1052 Server process sent pkts : 0 Client CEF received pkts : 69 Server CEF received pkts : 0 Client CEF rcv punt pkts : 1 Server CEF rcv punt pkts : 0 Client CEF sent pkts : 1102 Server CEF sent pkts : 0 Client CEF sent punt pkts: 448 Server CEF sent punt pkts: 0 SSLVPN appl bufs inuse : 0 SSLVPN eng bufs inuse : 0 Active server TCP conns : 0The table below describes fields in the show webvpn stats display.
show wlccp wds
To display information either about the wireless domain services (WDS) device or about client devices, use the show wlccp wdscommand in privileged EXEC mode.
Syntax Description
ap
(Optional) Displays access points participating in Cisco Centralized Key Management.
mn
(Optional) Displays cached information about client devices, also called mobile nodes.
detail
(Optional) Displays the lifetime of the client, the service set identifier (SSID), and the virtual VLAN ID.
mac-addr
(Optional) Displays information about a specific client device.
mac-address
Client’s MAC address.
Command Default
If you do not enter any options with the show wlccp wds command, this command displays the IP address of the WDS device, the MAC address, the priority, and the interface state. If the interface state is backup, the command also displays the IP address of the current WDS device, the MAC address, and the priority.
Usage Guidelines
To show information about the WDS device, do not enter any keywords with this command.
Examples
The following command entry displays information about the WDS device:
Router# show wlccp wds apThe following command entry displays cached information, including details, about the client device with the specified MAC address:
Router# show wlccp wds mn detail mac-addr 00-05-C2-00-01-F5The following is sample output from the show wlccp wds command:
Router# show wlccp wds MAC:0001.28e0.a400, IP-ADDR:10.0.0.1 , Priority:255 Interface Vlan1, State:Administratively StandAlone - ACTIVE AP Count:1 , MN Count:0 , MAX AP Count:50The table below describes the significant fields shown in the display.
Table 20 show wlccp wds Field Descriptions Field
Description
MAC
MAC address of the interface on which the WDS is configured.
IP-ADDR
IP address of the interface on which the WDS is configured.
Priority
Priority of the WDS.
Interface
Interface on which the WDS is configured.
State
State of the WDS. The state can be INITIALIZATION, BACKUP, or ACTIVE.
AP Count
Number of access points registered to the WDS.
MN Count
Number of mobile nodes registered to the WDS.
MAX AP Count
Maximum number of access points that can be registered.
Related Commands
Command
Description
debug wlccp packet
Displays packet traffic to and from the WDS router.
debug wlccp wds
Displays either WDS debug state or WDS statistics messages.
wlccp authentication-server client
Configures the list of servers to be used for 802.1X authentication.
wlccp authentication-server infrastructure
Configures the list of servers to be used for 802.1X authentication for the wireless infrastructure devices.
wlccp wds priority interface
Enables a wireless device such as an access point or a wireless-aware router to be a WDS candidate.
show xsm status
To display information and subscription status of the XML Subscription Manager (XSM) server and clients (such as VPN Device Manager [VDM]), and to display a list of XML data from the XSM server, use the show xsm statuscommand in privileged EXEC mode.
Command History
Release
Modification
12.1(6)E
This command was introduced.
12.2(9)YE
This command was integrated into Cisco IOS Release 12.2(9)YE.
12.2(9)YO1
This command was integrated into Cisco IOS Release 12.2(9)YO1.
12.2(13)T
This command was integrated into Cisco IOS Release 12.2(13)T.
12.2(14)S
This command was integrated into Cisco IOS Release 12.2(14)S.
12.2(33)SRA
This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2SX
This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
Usage Guidelines
Use this command to display the following information: which subsystems and histories are enabled or disabled (XSM, Embedded Device Manager [EDM], VDM), XSM client version, number of XSM sessions, duration of XSM session, session IDs, client version and IP address, configuration and monitor privilege levels, and list of subscribed XML Request Descriptors (XRDs).
Examples
The following example shows one XSM session (Session ID = 2) active on the Cisco device for the XSM client at IP address 172.17.129.134, and how long this session has been connected to the XSM server (Session 2: Connected since 22:47:07 UTC Mon Jan 8 2001). The output shows that the XSM, VDM, and EDM subsystems, and EDM and VDM history collecting are enabled. XSM configuration privilege level is set at 15, with XSM monitor privilege level set at 1.
This output also shows the active XRDs (and their version) for Session 2:
Router# show xsm status XSM subsystem is Enabled. VDM subsystem is Enabled. EDM subsystem is Enabled. EDM History is Enabled. VDM History is Enabled. XSM privilege configuration level 15. XSM privilege monitor level 1. Number of XSM Sessions : 1. Session ID = 2. XSM Client v0.0(0.0)- @ 172.17.129.134 Connected since 22:47:07 UTC Mon Jan 8 2001 List of subscribed xrds: 0 ) device-about v1.0 1 ) ios-image v1.0 2 ) if-list v1.0 3 ) device-health v1.0 4 ) ike-stats v1.0 5 ) ike v1.0 6 ) ipsec-topn-tunnels-by-traffic v1.0 7 ) ipsec-topn-tunnels-by-duration v1.0 8 ) ipsec-stats v1.0 9 ) crypto-maps v1.0 10) ipsec v1.0The table below describes the significant fields shown in the display. (See documention of the show xsm xrd-list command for a full description of subscribed XRDs).
Table 21 show xsm status Field Descriptions Field
Description
XSM privilege configuration level
XSM configuration privilege level.
XSM privilege monitor level
XSM monitor privilege level.
Number of XSM Sessions
Total number of concurrent XSM sessions.
Session ID
Specific XSM session number.
XSM Client
Version and IP address of the XSM client.
Connected since
Start time for each session connection to the XSM server.
List of subscribed xrds
Details XRDs available from the XSM server (see show xsm xrd-list command for complete list of XRDs).
Related Commands
Command
Description
clear xsm
Clears XSM client sessions.
show xsm xrd-list
Displays all XRDs for clients subscribed to the XSM server.
xsm
Enables XSM client access to the router.
xsm privilege configuration level
Enables configuration privilege level to subscribe to XRDs.
xsm privilege monitor level
Enables monitor privilege level to subscribe to XRDs.
show xsm xrd-list
To display all XML Request Descriptors (XRDs) for XML Subscription Manager (XSM) clients (such as the VPN Device Manager [VDM]) made available by subscription to the XSM server and to identify the required privilege levels, use the show xsm xrd-list command in privileged EXEC mode.
Command History
Release
Modification
12.1(6)E
This command was introduced.
12.2(9)YE
This command was integrated into Cisco IOS Release 12.2(9)YE.
12.2(9)YO1
This command was integrated into Cisco IOS Release 12.2(9)YO1.
12.2(13)T
This command was integrated into Cisco IOS Release 12.2(13)T.
12.2(14)S
This command was integrated into Cisco IOS Release 12.2(14)S.
12.2(33)SRA
This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2SX
This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
Usage Guidelines
Use this command to display the XRD version and minimum privilege level and type (configuration or monitor) required to view each XRD.
Examples
The following example shows some active XRDs on the XSM server. The end of each line displays the following:
- XRD version number.
- XRD privilege type (configuration or monitor), indicating the privilege level required.
This example displays all available XRDs because both relevant commands (xsm edm and xsm vdm) have been configured. However, if one command is not configured, only an abbreviated XRD list will appear.
Router# show xsm xrd-list List of all available xrds: 0 ) vlan-db v1.0 privilege=configuration 1 ) entity v1.0 privilege=configuration 2 ) ip v1.0 privilege=configuration 3 ) ios-users v1.0 privilege=configuration 4 ) device-about v1.0 privilege=monitor 5 ) ios-image v1.0 privilege=configuration 6 ) if-stats v1.0 privilege=monitor 7 ) if-list v1.0 privilege=configuration 8 ) device-health v1.0 privilege=monitor 9 ) time v1.0 privilege=monitor 10) access-lists v1.0 privilege=configuration 11) ike-topn-tunnels-by-traffic v1.0 privilege=monitor 12) ike-topn-tunnels-by-errors v1.0 privilege=monitor 13) ike-topn-tunnels-by-duration v1.0 privilege=monitor 14) ike-stats v1.0 privilege=monitor 15) ike v1.0 privilege=configuration 16) certificate-authorities v1.0 privilege=configuration 17) ipsec-topn-tunnels-by-traffic v1.0 privilege=monitor 18) ipsec-topn-tunnels-by-errors v1.0 privilege=monitor 19) ipsec-topn-tunnels-by-duration v1.0 privilege=monitor 20) ipsec-stats v1.0 privilege=monitor 21) crypto-maps v1.0 privilege=configuration 22) ipsec v1.0 privilege=configuration 23) vdm-history v1.0 privilege=configuration 24) gre-tunnels v1.0 privilege=monitor end list.The table below describes (in alphabetical order) typical XRDs shown in the display.
Table 22 show xsm xrd-list Field Descriptions Field
Descriptions
access-lists
IOS access control list (ACL) configuration.
certificate-authorities
IOS certificate authority (CA) configuration.
crypto-maps
IOS Crypto Map configuration.
device-about
General network device information.
device-health
General network device health statistics.
edm-history
Selected, historical statistics related to general embedded device management. (This field is not shown in the example above.)
entity
Summary of all physical and logical entities within a device.
gre-tunnels
All current GRE tunnels and respective statistics.
if-list
List of all interfaces and their respective IOS configurations.
if-stats
Statistics for all interfaces and their respective IOS configurations.
ike
IOS Internet Key Exchange (IKE) configuration.
ike-stats
Statistics related to IKE.
ike-topn-tunnels-by-duration
Top 10 IKE tunnels by duration (time).
ike-topn-tunnels-by-errors
Top 10 IKE tunnels by errors.
ike-topn-tunnels-by-traffic
Top 10 IKE tunnels by traffic volume.
ios-image
Information about the current running IOS image.
ios-users
Local IOS user configuration.
ip
IOS IP configuration statistics.
ipsec
IOS IPSec configuration.
ipsec-stats
Interface name and IPSec input and output statistics including: number of packets, dropped packets, octets and errors.
ipsec-topn-tunnels-by-duration
Top 10 IPSec tunnels by duration.
ipsec-topn-tunnels-by-errors
Top 10 IPSec tunnels by errors.
ipsec-topn-tunnels-by-traffic
Top 10 IPSec tunnels by traffic.
time
Device’s clock reading in UTC.
vdm-history
Selected, historical VPN-related statistics.
vlan-db
VLAN database configuration (switches only).
xsm-session
Status of the current XSM session and related subscriptions. (This field is not shown in the example above.)
Related Commands
Command
Description
clear xsm
Clears XSM client sessions.
show xsm status
Displays information and status about clients subscribed to the XSM server.
xsm
Enables XSM client access to the router.
xsm privilege configuration level
Enables configuration privilege level to subscribe to XRDs.
xsm privilege monitor level
Enables monitor privilege level to subscribe to XRDs.
show zone security
show zone-pair security
To display the source zone, destination zone, and policy attached to the zone-pair, use the show zone-pair security command in privileged EXEC mode. To disable the display, use the no form of this command.
show zone-pair security [ source source-zone-name ] [ destination destination-zone-name ]
no show zone-pair security [ source source-zone-name ] [ destination destination-zone-name ]
Command Default
If you do not specify a source or destination zone, the system displays all the zone-pairs for the source, destination, and the associated policy.
Examples
The following example displays the source zone, destination zone, and policy attached to the zone-pair:
Router# show zone-pair security source z1 destination z2 zone-pair name zp Source-Zone z1 Destination-Zone z2 service-policy p1The table below describes the significant fields shown in the display.
shutdown (firewall)
To shut down a group manually, use the shutdowncommand in redundancy application group configuration mode. To enable a redundancy group, use the no form of this command.
Usage Guidelines
When a group is shut down, it does not participate in the role negotiation. The group remains in the shutdown state until you execute the no shutdowncommand.
shutdown (cs-server)
To allow a certificate server to be disabled without removing the configuration, use the shutdowncommand in certificate server configuration mode. To reenable the certificate server, use the no form of this command.
Usage Guidelines
You must configure the crypto pki server command with the name of the certificate server in order to enter certificate server configuration mode and configure this command.
You should issue the no shutdown command only after you have completely configured your certificate server.
The shutdown command disables the certificate server. If you prefer to disable simple certificate enrollment protocol (SCEP) but still want the certificate server for manual certificate enrollment, use the no ip http server command.
Examples
To ensure that the specified URL is working correctly, configure the database url command before you issue the no shutdown command on the certificate server for the first time. If the URL is broken, you will see output as follows:
Router(config)# crypto pki server mycs Router(cs-server)# database url ftp://myftpserver Router(cs-server)# no shutdown % Once you start the server, you can no longer change some of % the configuration. Are you sure you want to do this? [yes/no]: yes Translating "myftpserver" % Failed to generate CA certificate - 0xFFFFFFFF % The Certificate Server has been disabled.Related Commands
Command
Description
auto-rollover
Enables the automated CA certificate rollover functionality.
cdp-url
Specifies a CDP to be used in certificates that are issued by the certificate server.
crl (cs-server)
Specifies the CRL PKI CS.
crypto pki server
Enables a CS and enters certificate server configuration mode, or immediately generates shadow CA credentials
database archive
Specifies the CA certificate and CA key archive format--and the password--to encrypt this CA certificate and CA key archive file.
database level
Controls what type of data is stored in the certificate enrollment database.
database url
Specifies the location where database entries for the CS is stored or published.
database username
Specifies the requirement of a username or password to be issued when accessing the primary database location.
default (cs-server)
Resets the value of the CS configuration command to its default.
grant auto rollover
Enables automatic granting of certificate reenrollment requests for a Cisco IOS subordinate CA server or RA mode CA.
grant auto trustpoint
Specifies the CA trustpoint of another vendor from which the Cisco IOS certificate server automatically grants certificate enrollment requests.
grant none
Specifies all certificate requests to be rejected.
grant ra-auto
Specifies that all enrollment requests from an RA be granted automatically.
hash (cs-server)
Specifies the cryptographic hash function the Cisco IOS certificate server uses to sign certificates issued by the CA.
issuer-name
Specifies the DN as the CA issuer name for the CS.
lifetime (cs-server)
Specifies the lifetime of the CA or a certificate.
mode ra
Enters the PKI server into RA certificate server mode.
mode sub-cs
Enters the PKI server into sub-certificate server mode
redundancy (cs-server)
Specifies that the active CS is synchronized to the standby CS.
serial-number (cs-server)
Specifies whether the router serial number should be included in the certificate request.
show (cs-server)
Displays the PKI CS configuration.
single-connection
To enable all TACACS packets to be sent to the same server using a single TCP connection, use the single-connectioncommand in TACACS+ server configuration mode. To disable this feature, use the no form of this command.
Usage Guidelines
Use the single-connection command to multiplex all TACACS packets to the same server over a single TCP connection.
signature
To specify a signature for which the command-line interface (CLI) user tunings will be changed, use the signature command in signature-definition-signature (config-sigdef-sig) configuration mode. To remove the CLI user tunings and revert to the default values, use the no version of this command.
Usage Guidelines
Use the signature command to specify a signature whose CLI user tunings are to be customized. Thereafter, you can begin to specify which signature parameters (user tunings) are to be changed.
Examples
The following example shows how to modify signature 5081/0 to "produce alert" and "reset tcp connection":
Router(config)# ip ips signature-definition Router(config-sigdef-sig)# signature 5081 0 Router(config-sigdef-action)# engine Router(config-sigdef-action-engine)# event-action produce-alert reset-tcp-connection Router(config-sigdef-action-engine)# ^Z Do you want to accept these changes:[confirmm]yslave (IKEv2 cluster)
To define settings for slave gateways in an Internet Key Exchange Version 2 (IKEv2) cluster, use the slave command in IKEv2 cluster configuration mode. To restore the default settings, use the no form of this command.
slave { hello milliseconds | max-session number | priority number | update milliseconds }
no slave { hello | max-session | priority | update }
Syntax Description
hello milliseconds
Specifies the hello interval, in milliseconds, for a slave gateway. The range is from 100 to 30000. The default is 1000.
max-session number
priority number
Specifies the priority of the slave. The range is from 1 to 100. The default is 100.
update milliseconds
Specifies the interval, in milliseconds, between two update messages for a slave gateway. The range is from 100 to 60000. The default is 3000.
Usage Guidelines
You must enable the crypto ikev2 cluster command before enabling the slave command.
smart-tunnel list
To configure the smart tunnel list and enable it within a policy group, use the smart-tunnel list command in WebVPN context configuration mode or WebVPN group policy configuration mode. To disable the smart tunnel configuration, use the no form of this command.
Command Modes
WebVPN context configuration mode (config-webvpn-context)
WebVPN group policy configuration mode (config-webvpn-group)Usage Guidelines
Before a smart tunnel list can be enabled within a group policy, it must be created. Applications that are to be directed to the smart tunnel then must be specified within the list. This list must later be applied to the group policy.
NoteTo remove a smart tunnel list, first use the no smart-tunnel list command in WebVPN group policy configuration mode, and then use the no smart-tunnel listcommand in WebVPN context configuration mode.
Examples
The following example shows how to create a smart tunnel list named "st1" and configure the applications for smart tunneling:
Router(config)# webvpn context sslgw Router(config-webvpn-context)# smart-tunnel list st1 Router(config-webvpn-smart-tunnel)# appl ie ieexplore.exe windows Router(config-webvpn-smart-tunnel)# appl telnet telnet.exe windowsThe following example shows how to enable the smart tunnel list "st1" within a group policy:
Router(config)# webvpn context sslgw Router(config-webvpn-context)# policy group new Router(config-webvpn-group)# smart-tunnel list st1smartcard-removal-disconnect
To terminate a session on removing the smart card, use the smarcard-removal-disconnect command in IKEv2 authorization policy configuration mode. To disable session termination, use the no form of this command.
Usage Guidelines
Before using this command, you must first configure the crypto ikev2 authorization policy command. The parameter set by this command is sent to the client via the nonstandard Cisco unity configuration attribute. This command specifies that the client should terminate the session on removing the smart card.
snmp-server enable traps gdoi
To enable Group Domain of Interpretation (GDOI ) Simple Network Management Protocol (SNMP) notifications for Cisco Group Encrypted Transport VPN (GET VPN), use the snmp-server enable traps gdoi command in global configuration mode. To disable GDOI SNMP notifications, use the no form of this command.
snmp-server enable traps gdoi [notification-type]
no snmp-server enable traps gdoi [notification-type]
Syntax Description
Usage Guidelines
This command configures notifications for RFC 3547, The Group Domain of Interpretation; it supports only the objects related to the GDOI MIB IETF standard.
The GDOI MIB consists of objects and notifications that include information about GDOI groups, GM and KS peers, and the policies that are created or downloaded. Only “get” operations are supported by the GDOI MIB.
The command configures two kinds of notifications—those generated by the KS and those generated by each GM.
For more information about GDOI MIB support for GET VPN, see the Cisco Group Encrypted Transport VPN Configuration Guide..
For a complete description of the notification types and additional MIB functions, refer to the CISCO-GDOI-MIB.my file.
Examples
The following example shows how to enable GDOI MIB notifications for when a GM begins the reregistration process with a KS and when a GM completes registration to a KS:
Device(config)# snmp-server enable traps gdoi gm-re-register gm-registration-completeThe following example shows how to enable the GDOI MIB notification for when a GM sends an error notification because it cannot process and install a rekey:
Device(config)# snmp-server enable traps gdoi gm-rekey-failThe following example shows how to enable GDOI MIB notifications for when a KS first receives a registration request from a GM and a group member completes registration to the KS:
Device(config)# snmp-server enable traps gdoi ks-new-registration ks-reg-completeThe following example shows how to enable the GDOI MIB notification for when an error is received from the KS because of missing RSA keys:
Device(config)# snmp-server enable traps gdoi ks-no-rsa-keyssnmp-server enable traps ipsec
To enable the router to send IP Security (IPSec) Simple Network Management Protocol (SNMP) notifications, use the snmp-server enable traps ipseccommand in global configuration mode. To disable IPSec SNMP notifications, use the noform of this command.
snmp-server enable traps ipsec [ cryptomap [ add | delete | attach | detach ] | tunnel [ start | stop ] | too-many-sas ]
no snmp-server enable traps ipsec [ cryptomap [ add | delete | attach | detach ] | tunnel [ start | stop ] | too-many-sas ]
Syntax Description
cryptomap add
(Optional) Notifications for cipsCryptomapAdded { cipsMIBNotifications 3 } events are generated, as defined in the CISCO-IPSEC-MIB. These notifications are generated when a new cryptomap is added to the specified cryptomap set.
cryptomap delete
(Optional) Notifications for cipsCryptomapDeleted { cipsMIBNotifications 4 } events are generated, as defined in the CISCO-IPSEC-MIB. These notifications are generated when a cryptomap is removed from the specified cryptomap set.
cryptomap attach
(Optional) Notifications for cipsCryptomapSetAttached { cipsMIBNotifications 5 } events are generated, as defined in the CISCO-IPSEC-MIB. These notifications are generated when a cryptomap set is attached to an active interface of the managed entity.
cryptomap detach
(Optional) Notifications for cipsCryptomapSetDetached { cipsMIBNotifications 6 } events are generated, as defined in the CISCO-IPSEC-MIB. These notifications are generated when a cryptomap set is detached from an interface to which it was previously bound.
tunnel start
(Optional) Notifications for cipSecTunnelStart { cipSecMIBNotifications 7 } events are generated, as defined in the CISCO-IPSEC-FLOW-MONITOR-MIB. These notifications are generated when an IPsec Phase-2 Tunnel becomes active.
tunnel stop
(Optional) Notifications for cipSecTunnelStop { cipSecMIBNotifications 8 } events are generated, as defined in the CISCO-IPSEC-FLOW-MONITOR-MIB. These notifications are generated when an IPsec Phase-2 Tunnel becomes inactive.
too-many-sas
(Optional) Notifications for cipsTooManySAs { cipsMIBNotifications 7 } events are generated, as defined in the CISCO-IPSEC-MIB.my. These notifications are generated when an attempt to make a new security association (SA) is made but there is insufficient memory on the device.
Command History
Release
Modification
12.2(8)T
This command was introduced.
12.1(11b)E
This command was integrated into Cisco IOS Release 12.1(11b)E.
12.2(14)S
This command was integrated into Cisco IOS Release 12.2(14)S.
12.2(33)SRA
This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2SX
This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
Usage Guidelines
SNMP notifications can be sent as traps or inform requests. This command enables both traps and inform requests.
A cryptomap is a table that maps an IPSec Phase-2 tunnel to the corresponding IPSec Policy element.
For a complete description of the notification types and additional MIB functions, refer to the CISCO-IP-SEC.my and CISCO-IPSEC-FLOW-MONITOR-MIB.my files, available on Cisco.com through:
http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
The snmp-server enable traps ipsec command is used in conjunction with the snmp-server host command. Use the snmp-server host command to specify which host or hosts receive SNMP notifications. To send SNMP notifications, you must configure at least one snmp-server host command.
snmp-server enable traps isakmp
To enable the router to send IP Security (IPSec) Internet Security Association and Key Exchange Protocol (ISAKMP) Simple Network Management Protocol (SNMP) notifications, use the snmp-server enable traps isakmpcommand in global configuration mode. To disable ISAKMP IPSec SNMP notifications, use the noform of this command.
snmp-server enable traps isakmp [ policy { add | delete } | tunnel { start | stop } ]
no snmp-server enable traps isakmp [ policy { add | delete } | tunnel { start | stop } ]
Syntax Description
policy add
(Optional) Notifcations for cipsIsakmpPolicyAdded { cipsMIBNotifications 1 } events are generated, as defined in the CISCO-IPSEC-MIB. These notifications are generated when a new ISAKMP policy element is defined on the managed entity. The context of the event includes the updated number of ISAKMP policy elements currently available.
policy delete
(Optional) Notifcations for cipsIsakmpPolicyDeleted { cipsMIBNotifications 2 } events are generated, as defined in the CISCO-IPSEC-MIB. These notifications are generated when an existing ISAKMP policy element is deleted on the managed entity. The context of the event includes the updated number of ISAKMP policy elements currently available.
tunnel start
(Optional) Notifications for cikeTunnelStart { cipSecMIBNotifications 1 } events are generated, as defined by in the CISCO-IPSEC-FLOW-MONITOR-MIB.my. These notifications are generated when an IPsec Phase-1 IKE Tunnel becomes active.
tunnel stop
(Optional) Notifications for cikeTunnelStop { cipSecMIBNotifications 2 } events are generated, as defined by in the CISCO-IPSEC-FLOW-MONITOR-MIB.my. These notifications are generated when an IPsec Phase-1 IKE Tunnel becomes inactive.
Command Default
SNMP notifications are disabled by default.
If no keywords are specified, all available ISAKMP traps are enabled (or disabled if the no form is used).
Command History
Release
Modification
12.2(8)T
This command was introduced.
12.1(11b)E
This command was integrated into Cisco IOS Release 12.1(11b)E
12.2(14)S
This command was integrated into Cisco IOS Release 12.2(14)S.
12.2(33)SRA
This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2SX
This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
Usage Guidelines
SNMP notifications can be sent as traps or inform requests. This command enables both ISAKMP trap and inform requests.
For a complete description of these notifications and additional MIB functions, refer to the CISCO-IPSEC-MIB.myand CISCO-IPSEC-FLOW-MONITOR-MIB.my files, available on Cisco.com through:
http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
The snmp-server enable traps isakmp command is used in conjunction with the snmp-server host command. Use the snmp-server host command to specify which host or hosts receive SNMP notifications. To send SNMP notifications, you must configure at least one snmp-server host command.
snmp-server enable traps nhrp
To enable Simple Network Management Protocol (SNMP) notifications for the Next Hop Resolution Protocol (NHRP), use the snmp-server enable traps nhrp command in global configuration mode. To disable SNMP NHRP notifications, use the no form of this command.
snmp-server enable traps nhrp [ nhc [ down | up ] | nhp [ down | up ] | nhs [ down | up ] | quota-exceeded ]
no snmp-server enable traps nhrp [ nhc [ down | up ] | nhp [ down | up ] | nhs [ down | up ] | quota-exceeded ]
Syntax Description
nhc
(Optional) Enables Next Hop Client (NHC) notifications.
down
(Optional) Enables notifications for when the client, peer, or server interface is declared ‘down’.
up
(Optional) Enables notifications for when the client, peer, or server interface is declared ‘up’.
nhp
(Optional) Enables Next Hop Peer (NHP) notifications.
nhs
(Optional) Enables Next Hop Server (NHS) notifications.
quota-exceeded
(Optional) Enables notifications for when the rate limit set on NHRP packets is exceeded on the interface.
Usage Guidelines
By default all notifications (traps) are disabled. You must explicitly enable any notifications that you need in your system. After you enable traps in your system, you can use the snmp-server host traps command to control which traps are sent to a particular trap receiver.
The snmp-server host traps nhrp command enables the default NHRP traps only (it does not enable all NHRP traps). The default traps include the NHS, NHC, and quota-exceeded traps.
Examples
The following example shows how to enable the default NHRP traps, and how to send these NHRP traps to the notification receiver with the IP address 192.40.3.130 using the community string public:
Router(config)# snmp-server enable traps nhrp Router(config)# snmp-server host 192.40.3.130 traps version 2c public nhrpThe following example shows how to disable NHC traps and enable rate limit traps:
Router(config)# no snmp-server enable traps nhrp nhc Router(config)# snmp-server enable traps nhrp quota-exceededsnmp trap ip verify drop-rate
To configure the router to send a Simple Network Management Protocol (SNMP) notification when the Unicast Reverse Path Forwarding (RPF) drop rate exceeds the configured threshold, use the snmp trap ip verify drop-ratecommand in interface configuration mode. To disable SNMP notification, use the no form of this command.
Usage Guidelines
This command enables cipUrpfIfDropRateNotify notification. This notification is sent when the Unicast RPF drop rate exceeds the threshold.
Examples
The following example shows how to configure SNMP notification for the Unicast RPF drop rate on Ethernet interface 3/0:
Router> enable Router# configure terminal Router(config)# interface ethernet 3/0 Router(config-if)# snmp trap ip verify drop-rateRelated Commands
Command
Description
ip verify drop-rate compute window
Configures the interval of time over which the Unicast RPF drop count used in the drop rate computation is collected.
ip verify unicast notification threshold
Configures the Unicast RPF drop count threshold which, when exceeded, triggers a notification.
source
To sequentially number the source address, use the source command in IKEv2 FlexVPN client profile configuration mode. To remove the sequence, use the no form of this command.
Usage Guidelines
Before you enable this command, you must configure the crypto ikev2 client flexvpn command.
The source address is the one with the lowest sequence number for which track object is in the UP state only if the source IP address is available in the tunnel VRF of the tunnel interface. If a session is UP for a source, the source is said to be a "Current active source".
NoteAny changes to this command terminates the active session.
source interface
To specify the address of an interface to be used as the source address for all outgoing TCP connections associated with a trustpoint, use the source interface command in ca-trustpoint configuration mode. To disable the interface that was specified, use the no form of this command.
Usage Guidelines
This command must be used following the crypto ca trustpoint command. If this command is used and the address of the outgoing interface is specified, the router uses the specified address (or address of the specified interface) as the source address for any datagrams that are sent to the certification authority (CA) server or Lightweight Directory Access Protocol (LDAP) server during authentication, enrollment, and if appropriate, when obtaining certificate revocation lists (CRLs).
Examples
In the following example, the router is located in a branch office. The router uses IP Security (IPSec) to communicate with the main office. Ethernet 1 is the "outside" interface that connects to the Internet Service Provider (ISP). Ethernet 0 is the interface connected to the LAN of the branch office. To access the CA server located in the main office the router needs to send its IP datagrams out interface Ethernet 1 (address 10.2.2.205) using the IPSec tunnel. Address 10.2.2.205 is assigned by the ISP. Address 10.2.2.205 is not a part of the branch office or main office.
The CA cannot access any address outside the company because of a firewall. The CA sees a message coming from 10.2.2.205 and cannot respond (that is, it does not know that the router is located in a branch office at address 10.1.1.1, which it is able to reach).
Adding the source interface command tells the router to use address 10.1.1.1 as the source address of the IP datagram that it sends to the CA. The CA is able to respond to 10.1.1.1.
This scenario is configured using the source interface command and the interface addresses as described above.
crypto ca trustpoint ms-ca enrollment url http://yourname:80/certsrv/mscep/mscep.dll source interface ethernet0 ! interface ethernet 0 description inside interface ip address 10.1.1.1 255.255.255.0 ! interface ethernet 1 description outside interface ip address 10.2.2.205 255.255.255.0 crypto map main-officesource interface (ca-trustpool)
To specify the source interface to be used for certificate revocation list (CRL) retrieval, online certificate status protocol (OCSP) status, or the downloading of a certificate authority (CA) certificate bundle for the public key infrastructure (PKI) trustpool, use the source interface command in ca-trustpool configuration mode. To disable the interface that was specified, use the no form of this command.
Usage Guidelines
Before you can configure this command, you must enable the crypto pki trustpool policy command, which enters ca-trustpool configuration mode.
Examples
Router(config)# crypto pki trustpool policy Router(ca-trustpool)# source interface tunnel 1Related Commands
Command
Description
cabundle url
Configures the URL from which the PKI trustpool CA bundle is downloaded.
chain-validation
Enables chain validation from the peer's certificate to the root CA certificate in the PKI trustpool.
crl
Specifes the CRL query and cache options for the PKI trustpool.
crypto pki trustpool import
Manually imports (downloads) the CA certificate bundle into the PKI trustpool to update or replace the existing CA bundle.
crypto pki trustpool policy
Configures PKI trustpool policy parameters.
default
Resets the value of a ca-trustpool configuration command to its default.
match
Enables the use of certificate maps for the PKI trustpool.
ocsp
Specifies OCSP settings for the PKI trustpool.
revocation-check
Disables revocation checking when the PKI trustpool policy is being used.
show
Displays the PKI trustpool policy of the router in ca-trustpool configuration mode.
show crypto pki trustpool
Displays the PKI trustpool certificates of the router and optionally shows the PKI trustpool policy.
source interface
Specifies the source interface to be used for CRL retrieval, OCSP status, or the downloading of a CA certificate bundle for the PKI trustpool.
storage
Specifies a file system location where PKI trustpool certificates are stored on the router.
vrf
Specifies the VRF instance to be used for CRL retrieval.
source interface (Diameter peer)
To configure the interface to be used for the Diameter peer connection, use the source interface command in Diameter peer configuration mode. To disable the interface configuration, use the no form of this command.
Usage Guidelines
The Diameter client uses the configured source address and port to initiate a TCP connection to the Diameter peer.
source-interface (URL parameter-map)
To specify the interface whose IP address will be used as the source IP address while making a TCP connection to the URL filter server, use the source-interface command in URL parameter-map configuration mode. To stop using the IP address of the specified interface, use the no form of this command.
Usage Guidelines
When you are creating or modifying a URL parameter map, you can enter the source-interface subcommand after you enter the parameter-map type urlfilter command.
source (parameter-map)
To configure the source for content scan redirection, use the source command in parameter-map type inspect configuration mode. To disable the source for content scan redirection, use the no form of this command.
Syntax Description
address
Specifies the source address.
ipv4 address
Specifies the IPv4 address of the source.
interface
Specifies the interface.
type
Interface type. For more information, use the question mark (?) online help function.
number
Interface or subinterface number. For more information about the numbering syntax for your networking device, use the question mark (?) online help function.
Usage Guidelines
The source command configures an interface or an IP address as the source from which packets to ScanSafe will originate from the router. The IP address that is configured in this command must be the IP addresses that is associated with the interface on which content-scan out command is configured.
split-dns
To specify a domain name that must be tunneled or resolved to the private network, use the split-dns command in Internet Security Association Key Management Protocol (ISAKMP) group configuration mode or IKEv2 authorization policy configuration mode. To remove a domain name, use the no form of this command.
Command Modes
ISAKMP group configuration (config-isakmp-group)
IKEv2 authorization policy configuration (config-ikev2-author-policy)
Command History
Release
Modification
12.3(4)T
This command was introduced.
12.2(33)SRA
This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2SX
This command is supported in the Cisco IOS 12.2SX family of releases. Support in a specific 12.2SX release is dependent on your feature set, platform, and platform hardware.
Usage Guidelines
If you configure the split-dns command, the split-dns attribute will be added to the policy group. The attribute will include the list of domain names that you configured. All other names will be resolved via the public DNS server.
You must enable the crypto isakmp client configuration group or crypto ikev2 authorization policy command, which specifies group policy information that needs to be defined or changed, before enabling the split-dns command.
NoteIf you have to configure more than one domain name, you have to add a split-dns command line for each.
Examples
The following example shows that the domain names "green.com" and "acme.org" will be added to the policy group:
Router (config)# crypto isakmp client configuration group cisco Router (config-isakmp-group)# key cisco Router (config-isakmp-group)# dns 10.2.2.2 10.2.2.3 Router (config-isakmp-group)# wins 10.6.6.6 Router (config-isakmp-group)# domain cisco.com Router (config-isakmp-group)# pool green Router (config-isakmp-group)# acl 199 Router (config-isakmp-group)# split-dns green.com Router (config-isakmp-group)# split-dns acme.orgssh
To start an encrypted session with a remote networking device, use the ssh command in user EXEC or privileged EXEC mode.
ssh [ -v { 1 | 2 } | -c { aes128-ctr | aes192-ctr | aes256-ctr | aes128-cbc | 3des-cbc | aes192-cbc | aes256-cbc } | -l user-id | -l user-id : vrf-name number ip-address ip-address | -l user-id : rotary number ip-address | -m { hmac-md5 | hmac-md5-96 | hmac-sha1 | hmac-sha1-96 } | -o numberofpasswordprompts n { hmac-md5 | hmac-md5-96 | hmac-sha1 | hmac-sha1-96 } | -p port-num ] { ip-addr | hostname [ command | -vrf ]
Syntax Description
Command History
Release
Modification
12.1(3)T
This command was introduced.
12.2(8)T
This command was modified. Support for IPv6 addresses was added.
12.0(21)ST
This command was modified. IPv6 address support was integrated into Cisco IOS Release 12.0(21)ST.
12.0(22)S
This command was modified. IPv6 address support was integrated into Cisco IOS Release 12.0(22)S.
12.2(14)S
This command was modified. IPv6 address support was integrated into Cisco IOS Release 12.2(14)S.
12.2(17a)SX
This command was integrated into Cisco IOS Release 12.2(17a)SX.
12.3(7)T
This command was modified to include Secure Shell Version 2 support. The -c keyword was expanded to include support for the following cryptic algorithms: aes128-cbc, aes192-cbc, and aes256-cbc. The -m keyword was added, with the following algorithms: hmac-md5, hmac-md5-96, hmac-sha1, and hmac-sha1-96. The -vkeyword and 1 and 2 arguments were added.
12.2(25)S
This command was integrated into Cisco IOS Release 12.2(25)S.
12.3(11)T
The -l userid:number ip-address and -l userid:rotary number ip-address keyword and argument options were added.
12.2(28)SB
This command was integrated into Cisco IOS Release 12.2(28)SB.
12.2(25)SG
This command was integrated into Cisco IOS Release 12.2(25)SG.
12.3(7)JA
This command was integrated into Cisco IOS Release 12.3(7)JA.
12.2(33)SRA
This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.0(32)SY
This command was integrated into Cisco IOS Release 12.0(32)SY.
12.2(33)SXH
This command was integrated into Cisco IOS Release 12.2(33)SXH.
12.4(20)T
The-l userid:vrfname number ip-address keyword and argument options were added
Cisco IOS XE Release 2.4
This command was integrated into Cisco IOS XE Release 2.4.
15.3(2)S
This command was modified. SSH version 2 supports counter-based AES encryption for 128-, 192-, and 256-bit key length.
Cisco IOS XE Release 3.9S
This command was modified. SSH version 2 supports counter-based AES encryption for 128-, 192-, and 256-bit key length.
15.2(2)SA2
This command was implemented on the Cisco ME 2600X Series Ethernet Access Switches.
Usage Guidelines
The ssh command enables a Cisco device to make a secure, encrypted connection to another Cisco device running an SSH Version 1 or Version 2 server. This connection provides functionality that is similar to that of an outbound Telnet connection except that the connection is encrypted. With authentication and encryption, the SSH client allows for a secure communication over an insecure network.
NoteSSH Version 1 is supported on DES (56-bit) and 3DES (168-bit) data encryption software images only. In DES software images, DES is the only encryption algorithm available. In 3DES software images, both DES and 3DES encryption algorithms are available.
Examples
The following example illustrates the initiation of a secure session between the local device and the remote host HQhost to run the show users command. The result of the show users command is a list of valid users who are logged in to HQhost. The remote host will prompt for the adminHQ password to authenticate the user adminHQ. If the authentication step is successful, the remote host will return the result of the show users command to the local device and will then close the session.
Device# ssh -l adminHQ HQhost "show users"The following example illustrates the initiation of a secure session between the local device and the edge device HQedge to run the show ip route command. In this example, the edge device prompts for the adminHQ password to authenticate the user. If the authentication step is successful, the edge device will return the result of the show ip route command to the local device.
Device#ssh -l adminHQ HQedge "show ip route"The following example shows the SSH client using 3DES to initiate a secure remote command connection with the HQedge device. The SSH server running on HQedge authenticates the session for the admin7 user on the HQedge device using standard authentication methods. The HQedge device must have SSH enabled for authentication to work.
Device# ssh -l admin7 -c 3des -o numberofpasswordprompts 5 HQedgeThe following example shows a secure session between the local device and a remote IPv6 device with the address 2001:DB8:0000:FFFF:FFFF:FFFF:FFFF:FFFF to run the show running-config command. In this example, the remote IPv6 device prompts for the adminHQ password to authenticate the user. If the authentication step is successful, the remote IPv6 device will return the result of the show running-config command to the local device and will then close the session.
Device# ssh -l adminHQ 2001:DB8:0000:FFFF:FFFF:FFFF:FFFF:FFFF "show running-config"The following example shows an SSH Version 2 session using the crypto algorithm aes256-ctr and an HMAC of hmac-sha1-96. The user ID is user2 and the IP address is 10.76.82.24.
Device# ssh -v 2 -c aes256-ctr -m hmac-sha1-96 -1 user2 10.76.82.24The following example shows how to configure reverse SSH on the SSH client:
Device# ssh -l lab:1 device.example.comThe following command shows how to connect reverse SSH to the first free line in the rotary group:
Device# ssh -l lab:rotary1 device.example.comRelated Commands
Command
Description
ip ssh
Configures SSH server control parameters on the device.
show ip route
Displays the contents of the routing table.
show ip ssh
Displays the version and configuration data for SSH.
show running-config
Displays the contents of the running configuration file.
show ssh
Displays the status of SSH server connections.
show users
Displays information about the active lines on a device.
ssid (local RADIUS server group)
To assign up to 20 service set identifiers (SSIDs) to a user group, use the ssidcommand in local RADIUS server group configuration mode. To instruct the access point (AP) to not check if the client has come in on a list of specified SSIDs, use the no form of this command.
Command History
Release
Modification
12.2(11)JA
This command was introduced on Cisco Aironet Access Point 1100 and Cisco Aironet Access Point 1200.
12.3(11)T
This command was implemented on the following platforms: Cisco 2600XM, Cisco 2691, Cisco 2811, Cisco 2821, Cisco 2851, Cisco 3700, and Cisco 3800 series routers.
Examples
The following example shows that the SSID "green" has been added to the local user group:
ssid greenRelated Commands
Command
Description
block count
Configures the parameters for locking out members of a group to help protect against unauthorized attacks.
clear radius local-server
Clears the statistics display or unblocks a user.
debug radius local-server
Displays the debug information for the local server.
group
Enters user group configuration mode and configures shared setting for a user group.
nas
Adds an access point or router to the list of devices that use the local authentication server.
radius-server host
Specifies the remote RADIUS server host.
radius-server local
Enables the access point or router to be a local authentication server and enters into configuration mode for the authenticator.
reauthentication time
Specifies the time (in seconds) after which access points or wireless-aware routers must reauthenticate the members of a group.
show radius local-server statistics
Displays statistics for a local network access server.
user
Authorizes a user to authenticate using the local authentication server.
vlan
Specifies a VLAN to be used by members of a user group.
ssl encryption
To specify the encryption algorithm that the Secure Sockets Layer (SSL) protocol uses for SSL Virtual Private Network (SSL VPN) connections, use the ssl encryptioncommand in webvpn gateway configuration mode. To remove an algorithm from the SSL VPN gateway, use the no form of this command.
Usage Guidelines
The SSL VPN provides remote-access connectivity from almost any Internet-enabled location using only a Web browser and its native SSL encryption. Configuring this command allows you to restrict the encryption algorithms that SSL uses in Cisco IOS software. The ordering of the algorithms specifies the preference. If you specify this command after you have specified an algorithm, the previous setting is overridden.
ssl-proxy module allowed-vlan
To add the VLANs allowed over the trunk to the Secure Socket Layer (SSL) Services Module, enter the ssl-proxy module allowed-vlan command in global configuration mode. To remove the SSL Services Module from the specified VLAN, use the no form of this command.
Usage Guidelines
This command is supported on Cisco 7600 series routers that are configured with a Wireless LAN Services Module (WLSM) only.
One of the allowed VLANs must be the administrative VLAN.
To verify the configuration, enter the show spanning-tree vlan command.
To display the spanning-tree state for the specified VLAN, enter the show ssl-proxy module state command.
Examples
This example shows how to add an SSL Services Module installed in slot 6 to a specific VLAN:
Router (config)# ssl-proxy module 6 allowed-vlan 100 Router (config)#This example shows how to remove the SSL Services Module from the specified VLAN:
Router (config)# no ssl-proxy module 6 allowed-vlan 100 Router (config)#ssl truspoint
To configure the certificate trustpoint on a SSL VPN gateway, use the ssl trustpointcommand in webvpn gateway configuration mode. To remove the trustpoint association, use the no form of this command.
Usage Guidelines
You can configure a persistent self-signed certificate or an external CA server to generate a valid trustpoint.
sso-server
To create a Single SignOn (SSO) server name under a Secure Sockets Layer Virtual Private Network (SSL VPN) context and to enter webvpn sso server configuration mode--and to attach an SSO server to a policy group--use the sso-server command in webvpn sso server configuration and group policy configuration modes, respectively. To remove an SSO server name, use the no form of this command.
Usage Guidelines
The SSO server name is configured under the SSL VPN context in webvpn context configuration mode. All SSO server-related parameters, such as web agent URL and policy server secret key, are configured under the SSO server name. The SSO server name is attached to the policy group in webvpn group policy configuration mode.
Examples
The following example shows that the SSO server "test-sso-server" is created under the SSL VPN context and attached to a policy group named "ONE":
webvpn context context1 sso-server "test-sso-server" web-agent-url "http://webagent.example.com" secret-key "12345" retries 3 timeout 15 policy group ONE sso-server "test-sso-server"standby-group
To specify a Hot Standby Router Protocol (HSRP) group to be used by a cluster, use the standby-group command in IKEv2 cluster configuration mode. To remove a HSRP group, use the no form of this command.
Usage Guidelines
You must enable the crypto ikev2 cluster command before enabling the standby-group command.
You must specify the same name that you specified in the group-name argument of the standby name command.
status
To enter the signature-definition-status configuration mode, which allows you to change the enabled or retired status of an individual signature, use the statuscommand in signature-definition-action configuration mode. To return to the default action, use the no form of this command.
Usage Guidelines
Before issuing the status command, you must specify at least one signature via the signature command.
strict-http
To allow HTTP messages to pass through the firewall or to reset the TCP connection when HTTP noncompliant traffic is detected, use the strict-httpcommand in appfw-policy-http configuration mode. To disable configured settings, use the no form of this command.
Syntax Description
action
HTTP messages are subject to the specified action (reset or allow).
reset
Sends a TCP reset notification to the client or server if the HTTP message fails the mode inspection.
allow
Forwards the packet through the firewall.
alarm
(Optional) Generates system logging (syslog) messages for the given action.
Examples
The following example shows how to define the HTTP application firewall policy "mypolicy." This policy includes all supported HTTP policy rules. After the policy is defined, it is applied to the inspection rule "firewall," which will inspect all HTTP traffic entering the FastEthernet0/0 interface.
! Define the HTTP policy. appfw policy-name mypolicy application http strict-http action allow alarm content-length maximum 1 action allow alarm content-type-verification match-req-rsp action allow alarm max-header-length request 1 response 1 action allow alarm max-uri-length 1 action allow alarm port-misuse default action allow alarm request-method rfc default action allow alarm request-method extension default action allow alarm transfer-encoding type default action allow alarm ! ! ! Apply the policy to an inspection rule. ip inspect name firewall appfw mypolicy ip inspect name firewall http ! ! ! Apply the inspection rule to all HTTP traffic entering the FastEthernet0/0 interface. interface FastEthernet0/0 ip inspect firewall in ! !storage
To specify a file system location where public key infrastructure (PKI) trustpool certificates are stored on the router, use the storage command in CA-trustpool configuration mode. To remove the file system location that was specified, use the no form of this command.
Usage Guidelines
Before you can configure this command, you must enable the crypto pki trustpool policy command, which enters ca-trustpool configuration mode.
Previously stored certificates cannot be moved with this command.
The location argument specifies the file system storage location. The table below lists the available file system locations:
Table 24 File System Locations File System
Description
disk0:
Stores the PKI trustpool in the disc0 file system.
disk1:
Stores the PKI trustpool in the disc1 file system.
nvram:
Stores the PKI trustpool in the NVRAM file system.
unix:
Stores the PKI trustpool in the the UNIX file system.
file-system-name =
The named file system that is stored in the PKI trustpool.
Examples
Router(config)# crypto pki trustpool policy Router(ca-trustpool)# storage disk0:crca2048.crlRelated Commands
Command
Description
cabundle url
Configures the URL from which the PKI trustpool CA bundle is downloaded.
chain-validation
Enables chain validation from the peer's certificate to the root CA certificate in the PKI trustpool.
crl
Specifes the certificate revocation list (CRL) query and cache options for the PKI trustpool.
crypto pki trustpool import
Manually imports (downloads) the CA certificate bundle into the PKI trustpool to update or replace the existing CA bundle.
crypto pki trustpool policy
Configures PKI trustpool policy parameters.
default
Resets the value of a ca-trustpool configuration command to its default.
match
Enables the use of certificate maps for the PKI trustpool.
ocsp
Specifies OCSP settings for the PKI trustpool.
revocation-check
Disables revocation checking when the PKI trustpool policy is being used.
show
Displays the PKI trustpool policy of the router in ca-trustpool configuration mode.
show crypto pki trustpool
Displays the PKI trustpool certificates of the router and optionally shows the PKI trustpool policy.
source interface
Specifies the source interface to be used for CRL retrieval, OCSP status, or the downloading of a CA certificate bundle for the PKI trustpool.
vrf
Specifies the VRF instance to be used for CRL retrieval.
subject-alt-name
To specify the trustpoint certificate name in the Subject Alternative Name (subjectAltName) field in the X.509 certificate, which is contained in the trustpoint certificate, use the subject-alt-namein ca-trustpoint configuration mode. To remove this configuration, use the no form of this command.
Usage Guidelines
The subject-alt-namecommand is used to create a self-signed trustpoint certificate for the router that contains the trustpoint name in the Subject Alternative Name (subjectAltName) field. This Subject Alternative Name can be used only when the trustpoint enrollment option is specified for self-signed enrollment in the trustpoint policy.
NoteThe Subject Alternative Name field in the X.509 certificate is defined in RFC 2511.
Examples
The following example shows how to create a self-signed trustpoint certificate for the router that contains the trustpoint name in the Subject Alternative Name (subjectAltName) field:
Router> enable Router# configure terminal Router(config)# crypto pki trustpoint TESTCA Router(ca-trustpoint)# enrollment selfsigned Router(ca-trustpoint)# subject-alt-name TESTCA Router (ca-trustpoint)# exit Router(config)# cypto pki enroll TESTCA % Include the router serial number in the subject name? [yes/no]: no % Include an IP address in the subject name? [no]: Generate Self Signed Router Certificate? [yes/no]: yes Router Self Signed Certificate successfully created Router(config)# exitThe following certificate is created:
Certificate: Data: Version: 3 (0x2) Serial Number: 2 (0x2) Signature Algorithm: md5WithRSAEncryption Issuer: CN=TESTCA/unstructuredName=r1.cisco.com Validity Not Before: Mar 22 20:26:20 2010 GMT Not After : Jan 1 00:00:00 2020 GMT Subject: CN=TESTCA/unstructuredName=r1.cisco.com Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (512 bit) Modulus (512 bit): 00:8d:71:2e:3b:eb:a2:e2:f3:44:d9:bc:a9:85:88: f4:a9:bd:c9:7f:f0:69:f5:e7:75:8f:00:f2:8e:3e: 2f:ca:5e:c5:08:43:95:8c:a2:6a:ae:ce:a0:ae:82: 61:61:ff:4e:8c:8f:89:d1:56:d8:35:34:b7:95:93: 1a:72:03:71:fb Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: critical CA:TRUE X509v3 Subject Alternative Name: DNS:TESTCA X509v3 Authority Key Identifier: keyid:F9:A4:95:87:5F:A4:CA:7D:65:FA:BE:38:20:55:18:F9:4C:6C:D5:F3 X509v3 Subject Key Identifier: F9:A4:95:87:5F:A4:CA:7D:65:FA:BE:38:20:55:18:F9:4C:6C:D5:F3 Signature Algorithm: md5WithRSAEncryption 6d:92:e7:a8:a5:1a:5a:ef:13:58:02:1b:79:17:93:41:37:c9: 2d:9f:1a:a3:f5:3a:73:05:cd:d1:02:84:43:7e:e0:84:07:46: 55:f9:45:59:51:ba:25:48:6f:d8:e1:0d:35:44:07:5c:16:17: 35:45:99:e2:80:6e:53:e5:35:76 -----BEGIN CERTIFICATE----- MIIBszCCAV2gAwIBAgIBAjANBgkqhkiG9w0BAQQFADAuMQ8wDQYDVQQDEwZURVNU Q0ExGzAZBgkqhkiG9w0BCQIWDHIxLmNpc2NvLmNvbTAeFw0xMDAzMjIyMDI2MjBa Fw0yMDAxMDEwMDAwMDBaMC4xDzANBgNVBAMTBlRFU1RDQTEbMBkGCSqGSIb3DQEJ AhYMcjEuY2lzY28uY29tMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAI1xLjvrouLz RNm8qYWI9Km9yX/wafXndY8A8o4+L8pexQhDlYyiaq7OoK6CYWH/ToyPidFW2DU0 t5WTGnIDcfsCAwEAAaNmMGQwDwYDVR0TAQH/BAUwAwEB/zARBgNVHREECjAIggZU RVNUQ0EwHwYDVR0jBBgwFoAU+aSVh1+kyn1l+r44IFUY+Uxs1fMwHQYDVR0OBBYE FPmklYdfpMp9Zfq+OCBVGPlMbNXzMA0GCSqGSIb3DQEBBAUAA0EAbZLnqKUaWu8T WAIbeReTQTfJLZ8ao/U6cwXN0QKEQ37ghAdGVflFWVG6JUhv2OENNUQHXBYXNUWZ 4oBuU+U1dg== -----END CERTIFICATE-----subject-name
To specify the subject name in the certificate request, use the subject-name command in ca-trustpoint configuration mode. To clear any subject name from the configuration, use the no form of this command.
Command Default
If the x-500-name argument is not specified, the fully qualified domain name (FQDN), which is the default subject name, will be used.
Usage Guidelines
Before you can issue the subject-name command, you must enable the crypto ca trustpointcommand, which declares the certification authority (CA) that your router should use and enters ca-trustpoint configuration mode.
The subject-name command is an attribute that can be set for autoenrollment; thus, issuing this command prevents you from being prompted for a subject name during enrollment.
subnet-acl (IKEv2 profile)
To configure split tunneling, use the subnet-acl command in IKEv2 authorization policy configuration mode. To remove this command from your configuration and restore the default value, use the no form of this command.
Usage Guidelines
Use the subnet-acl command to specify that the groups of ACLs represent protected subnets for split tunneling. Split tunneling is the ability to have a secure tunnel to the central site and simultaneous clear text tunnels to the Internet.
You must enable the crypto ikev2 authorization policy command, which specifies local group policy group authorization parameters that have to be defined or changed, before enabling the subnet-acl command.
Examples
The following example shows how to apply split tunneling for the group name "cisco." In this example, all traffic sourced from the client and destined to the subnet 192.168.1.0 will be sent through the VPN tunnel.
crypto ikev2 client configuration group cisco key cisco dns 10.2.2.2 10.3.2.3 pool dog subnet-acl 199 ! access-list 199 permit ip 192.168.1.0 0.0.0.255 anysubscriber access pppoe unique-key circuit-id
To specify a unique circuit ID tag for a PPP over Ethernet (PPPoE) user session to be tapped on the router, use the subscriber access pppoe unique-key circuit-idcommand in global configuration mode. To restore the default value, use the no form of this command.
Usage Guidelines
In Cisco IOS XE Release 2.6, a user session is tapped based on the unique PPPoE circuit ID tag. This circuit ID tag serves as a unique parameter for the PPPoE user session on the device. The tapped user session is provisioned through SNMP, and user session data packets and RADIUS authentication data packets are tapped. This command is used in conjunction with the Lawful Intercept feature.
subscriber service
To enable per-subscriber services, use the subscriber service command in global configuration mode. To disable per-subscriber services, use the no form of this command.
subscriber service { accounting interim-interval minutes | coa-rfc-compliant | ignore | multiple-accept | password | police | session-accounting | shaper | target-atm-vc | vc-ignore-cos }
no subscriber service { accounting interim-interval minutes | coa-rfc-compliant | ignore | multiple-accept | password | police | session-accounting | shaper | target-atm-vc | vc-ignore-cos }
Syntax Description
accounting interim-interval minutes
Enables the generation of interim service accounting records at periodic intervals for subscribers. The minutes argument indicates the number of periodic intervals to send accounting update records from 1 to 71582 minutes.
coa-rfc-compliant
Sends RFC 3576 compliant change of authorization (CoA) NAK messages.
ignore
Ignores any of per-subscriber services.
multiple-accept
Allows multiple services on access-accept.
password
Password to use when downloading services.
police
Quality of service (QoS) RADIUS service police command.
session-accounting
Enables the inclusion of activated services in a session accounting start message.
shaper
QoS RADIUS service shaper command.
target-atm-vc
Enables the QoS service on the target ATM virtual circuit (VC).
vc-ignore-cos
Ignores the set Layer 2 class of service (set-cos) value on the target ATM VC.
Usage Guidelines
The subscriber service session-accounting command enables the router to include all activated services in a single accounting Session-Start message for a session.
RADIUS can activate a service using the RADIUS Access-Accept message. When RADIUS activates a service on the router after the router sends the accounting Session-Start message, the router generates an accounting session update that includes all activated services.
When a session stops, all currently active services are included in the accounting session stop record.
The subscriber service accounting interim-intervalcommand enables the router to generate interim service accounting records at periodic intervals for subscribers. RADIUS Attribute 85 in the user service profile always takes precedence over the configured interim-interval value. RADIUS Attribute 85 must be in the user service profile. See the RADIUS Attributes Overview and RADIUS IETF Attributes feature document for more information.
NoteIf RADIUS Attribute 85 is not in the user service profile, then the interim-interval value is used for service interim accounting records. The interim-interval value is configured by either using the aaa accounting update command in global configuration mode or the action-type command in accounting method list configuration mode. See the Configuring Accounting feature document for more information.
svc address-pool
To configure a pool of IP addresses to be assigned to end users in a policy group, use the svc address-pool command in webvpn group policy configuration mode. To remove the address pool from the policy group configuration, use the no form of this command.
Usage Guidelines
Before configuring the svc address-pool command, use the ip local pool command to define the address pool. The standard configuration assumes that the IP addresses in the pool are reachable from a directly connected network.
Configuring Address Pools for Networks That Are Not Directly Connected
If you need to configure an address pool for IP addresses from a network that is not directly connected, perform the following steps:
- Create a local loopback interface and configure it with an IP address and subnet mask from the address pool.
- Configure the address pool with the ip local pool command. The range of addresses must fall under the subnet mask configured in Step 1.
- Configure the svc address-pool command with the address pool name configured in Step 2.
See the “Examples” section for an example of how to configure a pool of IP addresses to assign to end users in a policy group.
NoteThe Switched Virtual Circuits (SVC) software or the Secure Sockets Layer VPN (SSL VPN) client is the predecessor of the Cisco AnyConnect VPN Client software.
Examples
The following example shows how to configure the 192.168.1/24 network as an address pool:
Router(config)# ip local pool ADDRESSES 192.168.1.1 192.168.1.254 Router(config)# webvpn context context1 Router(config-webvpn-context)# policy group ONE Router(config-webvpn-group)# svc address-pool ADDRESSES netmask 255.255.255.0 Router(config-webvpn-group)# endExamples
The following example shows how to configure the 172.16.1/24 network as an address pool. Because the network is not directly connected, a local loopback is configured.
Router(config)# interface loopback 0 Router(config-if)# ip address 172.16.1.128 255.255.255.0 Router(config-if)# no shutdown Router(config-if)# exit Router(config)# ip local pool ADDRESSES 172.16.1.1 172.16.1.254 Router(config)# webvpn context context1 Router(config-webvpn-context)# policy group ONE Router(config-webvpn-group)# svc address-pool ADDRESSES netmask 255.255.255.0Related Commands
Command
Description
ip local pool
Configures a local pool of IP addresses to be used when a remote peer connects to a point-to-point interface.
policy group
Enters webvpn group policy configuration mode to configure a policy group.
webvpn context
Enters webvpn context configuration mode to configure the SSL VPN context.
svc default-domain
To configure the Cisco AnyConnect VPN Client domain for a policy group, use the svc default-domain command in webvpn group policy configuration mode. To remove the domain from the policy group configuration, use the no form of this command.
Usage Guidelines
NoteSVC software, or Secure Sockets Layer Virtual Private Network (SSL VPN) Client, is the predecessor of Cisco AnyConnect VPN Client software.
svc dns-server
To configure Domain Name System (DNS) servers for policy group end users, use the svc dns-server command in webvpn group policy configuration mode. To remove a DNS server from the policy group configuration, use the no form of this command.
Usage Guidelines
NoteSVC software, or Secure Sockets Layer Virtual Private Network (SSL VPN) Client, is the predecessor of Cisco AnyConnect VPN Client software.
Examples
The following example configures primary and secondary DNS servers for the policy group:
Router(config)# webvpn context context1 Router(config-webvpn-context)# policy group ONE Router(config-webvpn-group)# svc dns-server primary 192.168.3.1 Router(config-webvpn-group)# svc dns-server secondary 192.168.4.1svc dpd-interval
To configure the dead peer detection (DPD) timer value for the gateway or client, use the svc dpd-intervalcommand in webvpn group policy configuration mode. To remove a DPD timer value from the policy group configuration, use the no form of this command.
Command Default
The DPD timer is reset every time a packet is received over the Secure Sockets Layer Virtual Private Network (SSL VPN) tunnel from the gateway or end user.
Usage Guidelines
NoteSVC software, or Secure Sockets Layer Virtual Private Network (SSL VPN) Client, is the predecessor of Cisco AnyConnect VPN Client software.
Examples
The following example sets the DPD timer to 30 seconds for a SSL VPN gateway and to 5 minutes for end users (remote PC or device):
Router(config)# webvpn context context1 Router(config-webvpn-context)# policy group ONE Router(config-webvpn-group)# svc dpd-interval gateway 30 Router(config-webvpn-group)# svc dpd-interval client 300 Router(config-webvpn-group)#svc dtls
To enable Datagram Transport Layer Security (DTLS) support on the Cisco IOS Secure Socket Layer Virtual Private Network (SSL VPN), use the svc dtls command in WebVPN group policy configuration mode. To disable the configuration, use the no form of this command.
Command Default
DTLS is enabled by default on the Cisco ISR G2 series routers (3900, 2900, 1900, 890, and 880) and is disabled on other routers.
Usage Guidelines
The DTLS Support for IOS SSL VPN feature enables DTLS as a transport protocol for the traffic tunneled through SSL VPN. The DTLS Support for IOS SSL VPN feature is enabled by default on the Cisco IOS SSL VPN. You can use the no svc dtls command to disable DTLS support on the SSL VPN.
svc homepage
To configure the URL of the web page that is displayed upon successful user login, use the svc homepagecommand in webvpn group policy configuration mode. To remove the URL from the policy group configuration, use the no form of this command.
Usage Guidelines
NoteSVC software, or Secure Sockets Layer Virtual Private Network (SSL VPN) Client, is the predecessor of Cisco AnyConnect VPN Client software.
svc keepalive
To specify the Secure Socket Layer Virtual Private Network Client (SVC) keepalive value, use the svc keepalivecommand in webvpn group policy configuration mode. To return the svc keepalive command to its default, use the no form of this command.
Command Default
The SVC is enabled to send keepalive messages by default with a frequency of 30 seconds.
Usage Guidelines
You can adjust the frequency of keepalive messages to ensure that an SVC connection through a proxy, IOS firewall, or Network Address Translation (NAT) device remains active, even if the device limits the time that the connection can be idle. Adjusting the frequency also ensures that the SVC does not disconnect and reconnect when the remote user is not actively running a socket-based application, such as Microsoft Outlook or Microsoft Internet Explorer.
If the svc keepalive command is configured with a value of 0 seconds, then the keepalive function is disabled.
NoteSVC is the predecessor of Cisco AnyConnect VPN Client software.
Examples
In the following example, the security appliance is configured to enable the SVC to send keepalive messages with a frequency of 300 seconds (5 minutes), for the existing group-policy group "ONE":
Router(config)# webvpn context context1 Router(config-webvpn-context)# policy group ONE Router(config-webvpn-group)# svc keepalive 300svc keep-client-installed
To configure the end user to keep Cisco AnyConnect VPN Client software installed when the SSL VPN connection is not enabled, use the svc keep-client-installedcommand in webvpn group policy configuration mode. To remove the software installation requirement from the policy group configuration, use the no form of this command.
Usage Guidelines
The configuration of this command removes the overhead of pushing the Cisco AnyConnect VPN Client software to the end user on each connection attempt.
NoteSVC, or Secure Sockets Layer Virtual Private Network (SSL VPN) Client, is the predecessor of Cisco AnyConnect VPN Client software.
svc module
To configure Start Before Logon (SBL) functionality support for a Cisco IOS Secure Sockets Layer Virtual Private Network (SSL VPN) headend, use the svc module command in webvpn group policy configuration mode. To disable the configuration, use the no form of this command.
Usage Guidelines
The SBL functionality connects the client PC to the enterprise network even before the users log in to the PC. This functionality allows the administrator to run the logon scripts even if the user is not connected to the enterprise network.
Use the svc module command to configure the SBL functionality support for the Cisco IOS SSL VPN headend. This command sets the module in the WebVPN cookie for the AnyConnect client, and thereby helps in downloading the SBL components to the client from the SSL VPN headend.
svc msie-proxy
To configure Microsoft Internet Explorer (MSIE) browser proxy settings for policy group end users, use the svc msie-proxycommand in webvpn group policy configuration mode. To remove a MSIE proxy setting from the policy group configuration, use the no form of this command.
svc msie-proxy { server host | exception host | option { auto | bypass-local | none } }
no svc msie-proxy { server host | exception host | option { auto | bypass-local | none } }
Syntax Description
server host
Specifies a MSIE proxy server for policy group end users. The host argument specifies the location of the MSIE server. The host argument is configured as an IPv4 address or fully qualified domain name, followed by a colon and port number.
exception host
Configures the browser not to send traffic for a single Domain Name System (DNS) hostname or IP address through the proxy.
option auto
Configures the browser to automatically detect proxy settings.
option bypass-local
Configures the browser to bypass proxy settings that are configured on the remote user.
option none
Configures the browser to use no proxy settings.
Usage Guidelines
The configuration of this command is applied to end users that use a MSIE browser. The configuration of this command has no effect on any other browser type.
NoteSVC, or Secure Sockets Layer Virtual Private Network (SSL VPN) Client, is the predecessor of Cisco AnyConnect VPN Client software.
Examples
The following example configures automatic detection of MSIE proxy settings and configures proxy exceptions for traffic from www.example.com and the 10.20.20.1 host:
Router(config)# webvpn context context1 Router(config-webvpn-context)# policy group ONE Router(config-webvpn-group)# svc msie-proxy option auto Router(config-webvpn-group)# svc msie-proxy exception www.example.com Router(config-webvpn-group)# svc msie-proxy exception 10.20.20.1The following example configures a connection to an MSIE proxy server through a fully qualified domain name (FQDN) and a port number:
Router(config)# webvpn context context1 Router(config-webvpn-context)# policy group ONE Router(config-webvpn-group)# svc msie-proxy server www.example.com:80The following example configures a connection to an MSIE proxy server through an IP address and port number:
Router(config)# webvpn context context1 Router(config-webvpn-context)# policy group ONE Router(config-webvpn-group)# svc msie-proxy server 10.10.10.1:80svc msie-proxy server
To specify a Microsoft Internet Explorer (MSIE) proxy server for policy group end users, use the svc msie-proxy servercommand in SSLVPN group policy configuration mode. To remove the proxy server from the policy group configuration, use the no form of this command.
Examples
The following example configures a connection to an MSIE proxy server through a fully qualified domain name and a port number:
Router(config)# webvpn context SSLVPN Router(config-webvpn-context)# policy group ONE Router(config-webvpn-group)# svc msie-proxy server www.cisco.com:80 Router(config-webvpn-group)#The following example configures a connection to an MSIE proxy server through an IP address and port number:
Router(config)# webvpn context SSLVPN Router(config-webvpn-context)# policy group ONE Router(config-webvpn-group)# svc msie-proxy server 10.10.10.1:80 Router(config-webvpn-group)#svc mtu
To configure the MTU size for a policy group at the client end, use the svc mtu command in webvpn group policy configuration mode. To set the MTU size to its default, use the no form of this command.
Usage Guidelines
The maximum size of prefragmented packets that is supported by the adapter is only 1406 bytes. Sending packets larger than 1406 bytes could cause potential problems; as a result, there is a size restriction.
svc rekey
To configure the time and method that a tunnel key is refreshed for policy group end users, use the svc rekeycommand in webvpn group policy configuration mode. To remove the tunnel key configuration from the policy group configuration, use the no form of this command.
svc rekey { method { new-tunnel | ssl } | time seconds }
no svc rekey { method { new-tunnel | ssl } | time seconds }
Syntax Description
method new-tunnel
Refreshes the tunnel key by creating a new tunnel connection to the end user.
method ssl
Refreshes the tunnel key by renegotiating the Secure Sockets Layer (SSL) session.
time seconds
Configures the time interval, in seconds, at which the tunnel key is refreshed. A number from 0 through 43200 seconds is entered.
Usage Guidelines
NoteSVC, or Secure Sockets Layer Virtual Private Network (SSL VPN) Client, is the predecessor of Cisco AnyConnect VPN Client software.
Examples
The following example configures the tunnel key to be refreshed by initiating a new tunnel connection once an hour:
Router(config)# webvpn context context1 Router(config-webvpn-context)# policy group ONE Router(config-webvpn-group)# svc rekey method new-tunnel Router(config-webvpn-group)# svc rekey time 3600svc split
To enable split tunneling for Cisco AnyConnect VPN Client tunnel clients, use the svc splitcommand in webvpn group policy configuration mode. To remove the split tunneling configuration from the policy group configuration, use the no form of this command.
svc split { include | exclude [local-lans] } { ip-address mask | acl { access-list-number | access-list-name } }
no svc split { include | exclude [local-lans] } { ip-address mask | acl }
Syntax Description
include
Specifies the traffic to be sent over Secure Sockets Layer Virtual Private Network (SSL VPN) tunnel. Traffic from the specified IP address and mask is resolved through the Cisco AnyConnect VPN Client tunnel.
exclude
Specifies the traffic not to be sent over SSL VPN tunnel. Traffic from the specified IP address and mask is not resolved through the Cisco AnyConnect VPN Client tunnel.
local-lans
Specifies the traffic for local LANs not to be sent over SSL VPN tunnel.
ip-address mask
Destination network prefix.
acl
Specifies access-list identifier for classifying the tunnel traffic.
access-list-number
Standard IP access-list number. Range is from 1 to 99.
access-list-name
Access-list name.
Usage Guidelines
Split tunnel support allows you to configure a policy that permits specific traffic to be carried outside the Cisco AnyConnect VPN Client tunnel. Traffic is either included (resolved in tunnel) or excluded (resolved through the Internet service provider [ISP] or WAN connection). Tunnel resolution configuration is mutually exclusive. An IP address cannot be both included and excluded at the same time. Entering the local-lans keyword permits the remote user to access resources on a local LAN, such as a network printer.
NoteSwitched Virtual Circuits (SVC), or the Secure Sockets Layer Virtual Private Network (SSL VPN) client, is the predecessor of Cisco AnyConnect VPN Client software.
Examples
The following example shows how to configure a list of IP addresses to be resolved over the tunnel (included) and a list to be resolved outside of the tunnel (excluded):
Router(config-webvpn-group)# svc split exclude 192.168.1.0 255.255.255.0 Router(config-webvpn-group)# svc split include 172.16.1.0 255.255.255.0svc split dns
To configure the Secure Sockets Layers Virtual Private Network (SSL VPN) gateway to resolve the specified fully qualified Domain Name System (DNS) names through the Cisco AnyConnect VPN Client tunnel, use the svc split dnscommand in webvpn group policy configuration mode. To remove the split DNS statement from the policy group configuration, use the no form of this command.
Command Default
The SSL VPN gateway is not configured to resolve the specified fully qualified DNS names through the Cisco AnyConnect VPN Client tunnel.
Usage Guidelines
Entering this command configures the SSL VPN gateway to resolve the specified DNS suffixes (domains) through the tunnel. The gateway automatically incudes the default domain into the list of domains that are resolved through the tunnel. Up to 10 DNS statements can be configured.
NoteSVC, or Secure Sockets Layer Virtual Private Network (SSL VPN) Client, is the predecessor of Cisco AnyConnect VPN Client software.
svc wins-server
To configure Windows Internet Name Service (WINS) servers for policy group end users, use the svc wins-servercommand in webvpn group policy configuration mode. To remove a WINS server from the policy group configuration, use the no form of this command.
Usage Guidelines
NoteSVC, or Secure Sockets Layer Virtual Private Network (SSL VPN) Client, is the predecessor of Cisco AnyConnect VPN Client software.
Examples
The following example configures primary and secondary WINS servers for the policy group:
Router(config)# webvpn context context1 Router(config-webvpn-context)# policy group ONE Router(config-webvpn-group)# svc wins-server primary 172.31.1.1 Router(config-webvpn-group)# svc wins-server secondary 172.31.2.1switchport port-security
To enable port security on an interface, use the switchport port-security command in i nterface configuration mode . To disable port security, use the no form of this command.
Command History
Release
Modification
12.2(14)SX
Support for this command was introduced on the Supervisor Engine 720.
12.2(17d)SXB
Support for this command on the Supervisor Engine 2 was extended to Release 12.2(17d)SXB.
12.2(18)SXE
This command was changed as follows on the Supervisor Engine 720:
12.2(33)SRA
This command was integrated into Cisco IOS Release 12.2(33)SRA.
Usage Guidelines
Follow these guidelines when configuring port security:
- With Release 12.2(18)SXE and later releases, port security is supported on trunks.
- With releases earlier than Release 12.2(18)SXE, port security is not supported on trunks.
- With Release 12.2(18)SXE and later releases, port security is supported on 802.1Q tunnel ports.
- With releases earlier than Release 12.2(18)SXE, port security is not supported on 802.1Q tunnel ports.
- A secure port cannot be a destination port for a Switch Port Analyzer (SPAN).
- A secure port cannot belong to an EtherChannel.
- A secure port cannot be a trunk port.
- A secure port cannot be an 802.1X port. If you try to enable 802.1X on a secure port, an error message appears, and 802.1X is not enabled. If you try to change an 802.1X-enabled port to a secure port, an error message appears, and the security settings are not changed.
switchport port-security aging
To configure the port security aging , use the switchport port-security aging time command in interface configuration mode . To disable aging, use the no form of this command.
switchport port-security aging { time time | type { absolute | inactivity } }
no switchport port-security aging
Syntax Description
time time
Sets the duration for which all addresses are secured; valid values are from 1 to 1440 minutes.
type
Specifies the type of aging.
absolute
Specifies absolute aging; see the "Usage Guidelines" section for more information.
inactivity
Specifies that the timer starts to run only when there is no traffic; see the "Usage Guidelines" section for more information.
Command History
Release
Modification
12.2(14)SX
Support for this command was introduced on the Supervisor Engine 720.
12.2(17d)SXB
Support for this command on the Supervisor Engine 2 was extended to Release 12.2(17d)SXB.
12.2(18)SXE
This command was changed as follows on the Supervisor Engine 720:
12.2(33)SRA
This command was integrated into Cisco IOS Release 12.2(33)SRA.
Usage Guidelines
Follow these guidelines when configuring port security:
- With Release 12.2(18)SXE and later releases, port security is supported on trunks. With releases earlier than Release 12.2(18)SXE, port security is not supported on trunks.
- With Release 12.2(18)SXE and later releases, port security is supported on 802.1Q tunnel ports. With releases earlier than Release 12.2(18)SXE, port security is not supported on 802.1Q tunnel ports.
You can apply one of two types of aging for automatically learned addresses on a secure port:
- Absolute aging times out the MAC address after the age-time has been exceeded, regardless of the traffic pattern. This default is for any secured port, and the age-time is set to 0.
- Inactivity aging times out the MAC address only after the age_time of inactivity from the corresponding host has been exceeded.
Examples
This example shows how to set the aging time as 2 hours:
Router(config-if)# switchport port-security aging time 120This example shows how to set the aging time as 2 minutes:
Router(config-if)# switchport port-security aging time 2This example shows how to set the aging type on a port to absolute aging:
Router(config-if) switchport port-security aging type absoluteThis example shows how to set the aging type on a port to inactivity aging:
Router(config-if) switchport port-security aging type inactivityswitchport port-security mac-address
To add a MAC address to the list of secure MAC addresses, use the switchport port-security mac-address command. To remove a MAC address from the list of secure MAC addresses, use the no form of this command.
switchport port-security mac-address { mac-addr | sticky [mac-addr] [ vlan vlan [voice] | vlan-list ] }
no switchport port-security mac-address { mac-addr | sticky [mac-addr] [ vlan vlan [voice] | vlan-list ] }
Command History
Release
Modification
12.2(14)SX
Support for this command was introduced on the Supervisor Engine 720.
12.2(17d)SXB
Support for this command on the Supervisor Engine 2 was extended to Release 12.2(17d)SXB.
12.2(18)SXE
This command was changed as follows on the Supervisor Engine 720:
12.2(33)SRA
This command was integrated into Cisco IOS Release 12.2(33)SRA.
Usage Guidelines
If you configure fewer secure MAC addresses than the maximum number of secure MAC addresses on all interfaces, the remaining MAC addresses are dynamically learned.
To clear multiple MAC addresses, you must enter the no form of this command once for each MAC address to be cleared.
The vlan-list argument is visible only if the port has been configured and is operational as a trunk. Enter the switchport mode trunk command and then enter the switchport nonegotiate command.
The sticky keyword configures the dynamic MAC addresses as sticky on an interface. Sticky MAC addresses configure the static Layer 2 entry to stay sticky to a particular interface. This feature can prevent MAC moves or prevent the entry from being learned on a different interface.
You can configure the sticky feature even when the port security feature is not enabled on the interface. It becomes operational once port security is enabled on the interface.
NoteYou can enter the switchport port-security mac-address sticky command only if sticky is enabled on the interface.
When port security is enabled, disabling the sticky feature causes all configured and learned sticky addresses to be deleted from the configuration and converted into dynamic secure addresses.
When port security is disabled, disabling the sticky feature causes all configured and learned sticky addresses to be deleted from the configuration.
For trunk ports, if you enter the no switchport port-security mac-address sticky command, a search is conducted for the MAC address in the native VLAN. An error message is displayed if the MAC address is not found in the native VLAN. You must specify the VLAN in the no form of the switchport port-security mac-address sticky command to remove the MAC address.
For voice ports, you must specify the vlan voice keywords in the no form of the command.
Examples
This example shows how to configure a secure MAC address:
Router(config-if)# switchport port-security mac-address 1000.2000.3000This example shows how to delete a secure MAC address from the address table:
Router(config-if)# no switchport port-security mac-address 1000.2000.3000This example shows how to enable the sticky feature on an interface:
Router(config-if)# switchport port-security mac-address stickyThis example shows how to disable the sticky feature on an interface:
Router(config-if)# no switchport port-security mac-address stickyThis example shows how to make a specific MAC address as a sticky address:
Router(config-if)# switchport port-security mac-address sticky 0000.0000.0001This example shows how to delete a specific sticky address:
Router(config-if)# no switchport port-security mac-address sticky 0000.0000.0001This example shows how to delete all sticky and static addresses that are configured on an interface:
Router(config-if)# no switchport port-security mac-addressThe following example shows how to configure a VLAN in the voice port:
Router(config-if)# switch port-security mac-address 0.0.1 vlan voiceTo remove the MAC address 0.0.1 from the voice port, use the following command:
Router(config-if)# no switchport port-security mac-address 0.0.1 vlan voiceRelated Commands
Command
Description
clear port-security
Deletes configured secure MAC addresses and sticky MAC addresses from the MAC address table.
show port-security
Displays information about the port-security setting.
switchport mode trunk
Configures the port as a trunk member.
switchport nonegotiate
Configures the LAN port into permanent trunking mode.
switchport port-security maximum
To set the maximum number of secure MAC addresses on a port, use the switchport port-security maximumcommand in interface configuration mode. To return to the default settings, use the no form of this command.
switchport port-security maximum maximum [ vlan vlan | vlan-list ]
no switchport port-security maximum
Command History
Release
Modification
12.2(14)SX
Support for this command was introduced on the Supervisor Engine 720.
12.2(17d)SXB
Support for this command on the Supervisor Engine 2 was extended to the Release 12.2(17d)SXB.
12.2(18)SXE
This command was changed as follows on the Supervisor Engine 720 only:
- The maximum number of secure MAC addresses was changed from 1024 to 4097.
- The vlan vlan | vlan-listkeyword and arguments were added.
- With Release 12.2(18)SXE and later releases, port security is supported on trunks.
- With Release 12.2(18)SXE and later releases, port security is supported on 802.1Q tunnel ports.
12.2(33)SRA
This command was integrated into Cisco IOS Release 12.2(33)SRA.
Usage Guidelines
If you enter this command more than once, subsequent use of this command overrides the previous value of maximum. If the new maximumargument is larger than the current number of the secured addresses on this port, there is no effect except to increase the value of the maximum.
If the new maximum is smaller than the old maximum and there are more secure addresses on the old maximum, the command is rejected.
If you configure fewer secure MAC addresses than the maximum number of secure MAC addresses on the port, the remaining MAC addresses are dynamically learned.
Once the maximum number of secure MAC addresses for the port is reached, no more addresses are learned on that port even if the per-VLAN port maximum is different from the aggregate maximum number.
You can override the maximum number of secure MAC addresses for the port for a specific VLAN or VLANs by entering the switchport port-security maximum maximum vlan vlan | vlan-listcommand.
The vlan-list argument allows you to enter ranges, commas, and delimited entries such as 1,7,9-15,17.
The vlan-list argument is visible only if the port has been configured and is operational as a trunk. Enter the switchport mode trunk command and then enter the switchport nonegotiate command.
Examples
This example shows how to set the maximum number of secure MAC addresses that are allowed on this port:
Router(config-if)# switchport port-security maximum 5This command shows how to override the maximum set for a specific VLAN:
Router(config-if)# switchport port-security maximum 3 vlan 102switchport port-security violation
To set the action to be taken when a security violation is detected, use the switchport port-security violation command in interface configuration mode. To return to the default settings, use the no form of this command.
switchport port-security violation { shutdown | restrict | protect }
no switchport port-security violation { shutdown | restrict | protect }
Syntax Description
shutdown
Shuts down the port if there is a security violation.
restrict
Drops all the packets from the insecure hosts at the port-security process level and increments the security-violation count.
protect
Drops all the packets from the insecure hosts at the port-security process level but does not increment the security-violation count.
Command History
Release
Modification
12.2(14)SX
Support for this command was introduced on the Supervisor Engine 720.
12.2(17d)SXB
Support for this command on the Supervisor Engine 2 was extended to Release 12.2(17d)SXB.
12.2(18)SXE
This command was changed as follows on the Supervisor Engine 720:
12.2(33)SRA
This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2(14)SXH
Platform port-security disable traps was introduced as part of protect violation mode.
Usage Guidelines
When a security violation is detected, one of the following actions occurs:
- Protect--When the number of port-secure MAC addresses reaches the maximum limit that is allowed on the port, the packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses. Platform port-security disable traps is configurable only when the violation mode is set to protect. When this option is configured, drop entries will not be installed into hardware for violating addresses, thus allowing traffic to continue to flow to violating address from legitimate ports. To protect switch CPU against overload when this option is enabled, we recommend that you configure the port-security rate-limiter to 2000 packets per second with a burst rate of 10.
NoteThis feature also permits traffic to legitimate ports from insecure MAC addresses.
- Restrict--A port-security violation restricts data and causes the security-violation counter to increment.
- Shutdown--The interface is error disabled when a security violation occurs.
NoteWhen a secure port is in the error-disabled state, you can bring it out of this state by entering the errdisable recovery cause psecure-violation global configuration command or you can manually reenable it by entering the shutdown and no shutdown commands in interface-configuration mode.
Examples
This example shows how to set the action to be taken when a security violation is detected:
Router(config-if)# switchport port-security violation restrictThis example allows the traffic to a secured MAC address on one port to flow even in the presence of violations on other ports while in protect mode.
Router(config-if)# switchport port-security violation protect Router(config-if)# platform port-security disable traps
