-
Cisco IOS Security Command Reference: Commands S to Z
-
sa ipsec through sessions maximum
-
set aggressive-mode client-endpoint through show content-scan
-
show crypto ace redundancy through show cts sxp
-
show diameter peer through show object-group
-
show parameter-map type consent through show users
-
show vlan group through switchport port-security violation
-
tacacs-server administration through title-color
-
traffic-export through zone security
-
Index
-
Feedback
Contents
traffic-export through zone security
- track(firewall)
- tracking
- traffic-export
- transfer-encoding type
- transport port
- transport port (ldap)
- trm register
- trustpoint (tti-petitioner)
- trustpoint signing
- trusted-port (IPv6 NDP Inspection Policy)
- trusted-port (IPv6 RA Guard Policy)
- tunnel-limit (GTP)
- tunnel mode
- tunnel protection
- type echo protocol ipIcmpEcho
- udp half-open
- udp idle-time
- unmatched-action
- url (ips-auto-update)
- url rewrite
- urlfilter
- url-list
- url-profile
- validate source-mac
- url-text
- usage
- user
- user-group
- user-group (parameter-map)
- user-group logging
- username
- username (dot1x credentials)
- username (ips-autoupdate)
- username secret
- user-profile location
- variable
- view
- virtual-template (IKEv2 profile)
- virtual-template (webvpn context)
- vlan (local RADIUS server group)
- vlan group
- vpdn aaa attribute
- vrf (ca-trustpoint)
- vrf (ca-trustpool)
- vrf (isakmp profile)
- vrfname
- vrf-name
- web-agent-url
- webvpn
- webvpn-homepage
- webvpn cef
- webvpn context
- webvpn create template
- webvpn enable
- webvpn gateway
- webvpn import svc profile
- webvpn install
- webvpn sslvpn-vif nat
- whitelist
- wins
- wlccp authentication-server client
- wlccp authentication-server infrastructure
- wlccp wds priority interface
- xauth userid mode
- xsm
- xsm dvdm
- xsm edm
- xsm history vdm
- xsm history edm
- xsm privilege configuration level
- xsm privilege monitor level
- xsm vdm
- zone-member security
- zone pair security
- zone security
track(firewall)
To configure the redundancy group tracking, use the trackcommand in redundancy application group configuration mode. To remove the redundancy group tracking, use the no form of this command.
track object-number { decrement value | shutdown }
no track object-number { decrement value | shutdown }
Usage Guidelines
The redundancy group can track an object and decrease the priority value per object. Multiple objects can be tracked by the redundancy group to influence the priority appropriately. You can shut down a redundancy group if the tracked object goes down instead of changing the priority.
Examples
The following example shows how to track the redundancy group named group1 and assign a decrement value:
Router# configure terminal Router(config)# redundancy Router(config-red)# application redundancy Router(config-red-app)# group 1 Router(config-red-app-grp)# track 200 decrement 50Related Commands
Command
Description
application redundancy
Enters redundancy application configuration mode.
authentication
Configures clear text authentication and MD5 authentication for a redundancy group.
control
Configures the control interface type and number for a redundancy group.
data
Configures the data interface type and number for a redundancy group.
group(firewall)
Enters redundancy application group configuration mode.
name
Configures the redundancy group with a name.
preempt
Enables preemption on the redundancy group.
protocol
Defines a protocol instance in a redundancy group.
redundancy rii
Configures the RII for the redundancy group.
tracking
To override the default tracking policy on a port, use the trackingcommand in Neighbor Discovery (ND) inspection policy configuration mode.
tracking { enable [ reachable-lifetime { value | infinite } ] | disable [ stale-lifetime { value | infinite } ] }
Syntax Description
Usage Guidelines
The tracking command overrides the default tracking policy set by the ipv6 neighbor tracking command on the port on which this policy applies. This function is useful on trusted ports where, for example, you may not want to track entries but want an entry to stay in the binding table to prevent it from being stolen.
The reachable-lifetime keyword is the maximum time an entry will be considered reachable without proof of reachability, either directly through tracking or indirectly through ND inspection. After the reachable-lifetime value is reached, the entry is moved to stale. Use of the reachable-lifetime keyword with the tracking command overrides the global reachable lifetime configured by the ipv6 neighbor binding reachable-lifetime command.
The stale-lifetime keyword is the maximum time an entry is kept in the table before it is deleted or the entry is proven to be reachable, either directly or indirectly. Use of the stale-lifetime keyword with the tracking command overrides the global stale lifetime configured by the ipv6 neighbor binding stale-lifetime command.
Examples
The following example defines an ND policy name as policy1, places the router in ND inspection policy configuration mode, and configures an entry to stay in the binding table for an infinite length of time on a trusted port:
Router(config)# ipv6 nd inspection policy policy1 Router(config-nd-inspection)# tracking disable stale-lifetime infiniteRelated Commands
Command
Description
ipv6 nd inspection policy
Defines the ND inspection policy name and enters ND inspection policy configuration mode.
ipv6 nd raguard policy
Defines the RA guard policy name and enters RA guard policy configuration mode.
ipv6 neighbor binding
Changes the defaults of neighbor binding entries in a binding table.
ipv6 neighbor tracking
Enables tracking of entries in the binding table.
traffic-export
To control the operation of IP traffic capture mode in IP traffic export, use the traffic-export command in privileged EXEC mode.
Syntax Description
type number
Type and number of the interface over which the packets being captured travel.
start
Initiates a packet capture sequence.
stop
Halts a packet capture sequence.
clear
Clears the packet capture buffer.
copy
Copies the contents of the packet capture buffer to an external device.
memory-device
External memory device to which captured packets are transmitted. Options are flash:, tftp:, or usbflash0:.
Usage Guidelines
Use the traffic-export command to control the operation of IP traffic capture mode in IP traffic export. The operator uses CLI commands to start or stop capture of packets flowing across a monitored interface, to copy the captured packets to an external memory device, or to clear the internal buffer which holds the captured packets.
Examples
The following example illustrates the use of the traffic-export command to initiate the capture of packets on interface FastEthernet 0/0.
Router# traffic-export interface fastethernet 0/0 start %RITE-5-CAPTURE_START: Started IP traffic capture for interface FastEthernet0/0 router#The following example illustrates the use of the traffic-export command to halt the packet capture sequence on interface FastEthernet 0/0.
Router# traffic-export interface fastethernet 0/0 stop %RITE-5-CAPTURE_STOP: Stopped IP traffic capture for interface FastEthernet0/0 router#The following example illustrates the use of the traffic-export command to copy the contents of the packet capture buffer to an external memory device. The example of the interactive dialog identifies the external memory device and the remote host in which it resides.
Router# traffic-export interface fastethernet0/0 copy tftp: Address or name of remote host []? 172.18.207.15 Capture buffer filename []? atmcapture Copying capture buffer to tftp://172.18.207.15/atmcapture !! router#The following example illustrates the use of the traffic-export command to clear the packet capture buffer that is in local memory.
Router# traffic-export interface fastethernet 0/0 clear %RITE-5-CAPTURE_CLEAR: Cleared IP traffic capture buffer for interface FastEthernet0/0 router#transfer-encoding type
To permit or deny HTTP traffic according to the specified transfer-encoding of the message, use the transfer-encoding typecommand in appfw-policy-http configuration mode. To disable this inspection parameter, use the no form of this command.
transfer-encoding type { chunked | compress | deflate | gzip | identity | default } action { reset | allow } [alarm]
no transfer-encoding type { chunked | compress | deflate | gzip | identity | default } action { reset | allow } [alarm]
Syntax Description
chunked
Encoding format (specified in RFC 2616, Hypertext Transfer Protocol--HTTP/1 ) in which the body of the message is transferred in a series of chunks; each chunk contains its own size indicator.
compress
Encoding format produced by the UNIX "compress" utility.
deflate
"ZLIB" format defined in RFC 1950, ZLIB Compressed Data Format Specification version 3.3 , combined with the "deflate" compression mechanism described in RFC 1951, DEFLATE Compressed Data Format Specification version 1.3 .
gzip
Encoding format produced by the "gzip" (GNU zip) program.
identity
Default encoding, which indicates that no encoding has been performed.
default
All of the transfer encoding types.
action
Encoding types outside of the specified type are subject to the specified action (reset or allow).
reset
Sends a TCP reset notification to the client or server if the HTTP message fails the mode inspection.
allow
Forwards the packet through the firewall.
alarm
(Optional) Generates system logging (syslog) messages for the given action.
Command Default
If a given type is not specified, all transfer-encoding types are supported with the reset alarm action.
Usage Guidelines
Only encoding types specified by the transfer-encoding-typecommand are allowed through the firewall.
Examples
The following example shows how to define the HTTP application firewall policy "mypolicy." This policy includes all supported HTTP policy rules. After the policy is defined, it is applied to the inspection rule "firewall," which will inspect all HTTP traffic entering the FastEthernet0/0 interface.
! Define the HTTP policy. appfw policy-name mypolicy application http strict-http action allow alarm content-length maximum 1 action allow alarm content-type-verification match-req-rsp action allow alarm max-header-length request 1 response 1 action allow alarm max-uri-length 1 action allow alarm port-misuse default action allow alarm request-method rfc default action allow alarm request-method extension default action allow alarm transfer-encoding type default action allow alarm ! ! ! Apply the policy to an inspection rule. ip inspect name firewall appfw mypolicy ip inspect name firewall http ! ! ! Apply the inspection rule to all HTTP traffic entering the FastEthernet0/0 interface. interface FastEthernet0/0 ip inspect firewall in ! !transport port
To configure the transport protocol for establishing a connection with the Diameter peer, use the transport portcommand in Diameter peer configuration mode. To block all sessions that are bound to the peer from using the connection, use the no form of this command.
transport port (ldap)
To configure the transport protocol for establishing a connection with the Lightweight Directory Access Protocol (LDAP) server, use the transport port command in LDAP server configuration mode. To delete all sessions that are bound to the server from using the connection, use the no form of this command.
trm register
To allow the user to manually register the platform with the Trend Router Provisioning Server (TRPS), use the trm registercommand in privileged EXEC mode.
trustpoint (tti-petitioner)
To specify the trustpoint that is to be associated with the Trusted Transitive Introduction (TTI) exchange between the Secure Device Provisioning (SDP) petitioner and the SDP registrar, use the trustpointcommand in tti-petitioner configuration mode. To change the specified trustpoint or use the default trustpoint, use the no form of this command.
Usage Guidelines
Use the trustpoint command in tti-petitioner configuration mode to associate a trustpoint with the SDP petitioner.
Examples
The following example shows how specify the trustpoint "mytrust":
crypto wui tti petitioner trustpoint mytrustAfter the SDP exchange is complete, the petitioner will automatically enroll with the registrar and obtain a certificate. The following sample output from the show running-config command shows an automatically generated configuration which generates the default trustpoint "tti":
crypto pki trustpoint tti enrollment url http://pki1-36a.cisco.com:80 revocation-check crl rsakeypair tti 1024 auto-enroll 70trustpoint signing
To specify the trustpoint and associated certificate to be used when signing all introduction data during the Secure Device Provisioning (SDP) exchange, use the trustpoint signingcommand in tti-petitioner configuration mode. To change the specified trustpoint or use the default trustpoint, use the no form of this command.
Command Default
If a trustpoint is not specified, any existing device certificate is used. If none is available, a self-signed certificate is generated.
Usage Guidelines
Use the trustpoint signing command in tti-petitioner configuration mode to associate a specific trustpoint with the petitioner for signing its certificate.
Examples
The following example shows how to specify the trustpoint mytrust:
crypto provisioning petitioner trustpoint signing mytrustAfter the SDP exchange is complete, the petitioner automatically enrolls with the registrar and obtains a certificate. The following sample output from the show running-config command shows an automatically generated configuration with the default trustpoint tti:
crypto pki trustpoint tti enrollment url http://pki1-36a.cisco.com:80 revocation-check crl rsakeypair tti 1024 auto-enroll 70Related Commands
Command
Description
crypto ca trustpoint
Declares the CA that your router should use.
crypto provisioning petitioner
Configures a device to become an SDP petitioner and enters tti-petitioner configuration mode.
trustpoint (tti-petitioner)
Specifies the trustpoint associated with the SDP exchange between the petitioner and the registrar.
trusted-port (IPv6 NDP Inspection Policy)
To configure a port to become a trusted port, use the trusted-port command in Neighbor Discovery Protocol ( NDP) inspection policy configuration mode . To disable this function, use the no form of this command.
Usage Guidelines
When the trusted-port command is enabled, limited or no verification is performed when messages are received on ports that have this policy. However, to protect against address spoofing, messages are analyzed so that the binding information that they carry can be used to maintain the binding table. Bindings discovered from these ports will be considered more trustworthy than bindings received from ports that are not configured to be trusted.
Use the trusted-port command after enabling NDP inspection policy configuration mode using the ipv6 nd inspection policy command.
trusted-port (IPv6 RA Guard Policy)
To configure a port to become a trusted port, use the trusted-portcommand in router advertisement (RA) guard policy configuration . To disable this function, use the no form of this command.
Usage Guidelines
When the trusted-port command is enabled, limited or no verification is performed when messages are received on ports that have this policy. However, the device-role command takes precedence over the trusted-port command; if the device role is configured as host, messages will be dropped regardless of trusted-port command configuration.
tunnel-limit (GTP)
To specify the maximum number of General Packet Radio Service (GPRS) Tunneling Protocol (GTP) tunnels that can be configured, use the tunnel-limit command in parameter-map type inspect configuration mode. To return to the default tunnel limit, use the no form of this command.
tunnel mode
To set the encapsulation mode for the tunnel interface, use the tunnel mode command in interface configuration mode. To restore the default mode, use the no form of this command.
tunnel mode { aurp | cayman | dvmrp | eon | gre | gre multipoint | gre ip | gre ipv6 | ipip [decapsulate-any] | ipsec ipv4 | iptalk | ipv6 | ipsec ipv6 | mpls | nos | rbscp }
no tunnel mode
Syntax Description
aurp
AppleTalk Update-Based Routing Protocol.
cayman
Cayman TunnelTalk AppleTalk encapsulation.
dvmrp
Distance Vector Multicast Routing Protocol.
eon
EON compatible Connectionless Network Protocol (CLNS) tunnel.
gre
Generic routing encapsulation (GRE) protocol. This is the default.
gre multipoint
Multipoint GRE (mGRE).
gre ip
GRE tunneling using IPv4 as the delivery protocol.
gre ipv6
GRE tunneling using IPv6 as the delivery protocol.
ipip
IP-over-IP encapsulation.
decapsulate-any
(Optional) Terminates any number of IP-in-IP tunnels at one tunnel interface.
This tunnel will not carry any outbound traffic; however, any number of remote tunnel endpoints can use a tunnel configured this way as their destination.
ipsec ipv4
Tunnel mode is IPSec, and the transport is IPv4.
iptalk
Apple IPTalk encapsulation.
ipv6
Static tunnel interface configured to encapsulate IPv6 or IPv4 packets in IPv6.
ipsec ipv6
Tunnel mode is IPSec, and the transport is IPv6.
mpls
Multiprotocol Label Switching (MPLS) encapsulation.
nos
KA9Q/NOS compatible IP over IP.
rbscp
Rate Based Satellite Control Protocol (RBSCP).
Command History
Usage Guidelines
Source and Destination Address
You cannot have two tunnels that use the same encapsulation mode with exactly the same source and destination address. The workaround is to create a loopback interface and source packets off of the loopback interface.
Cayman Tunneling
Designed by Cayman Systems, Cayman tunneling implements tunneling to enable Cisco routers to interoperate with Cayman GatorBoxes. With Cayman tunneling, you can establish tunnels between two routers or between a Cisco router and a GatorBox. When using Cayman tunneling, you must not configure the tunnel with an AppleTalk network address.
DVMRP
Use DVMRP when a router connects to an mrouted (multicast) router to run DVMRP over a tunnel. You must configure Protocol Independent Multicast (PIM) and an IP address on a DVMRP tunnel.
GRE with AppleTalk
GRE tunneling can be done between Cisco routers only. When using GRE tunneling for AppleTalk, you configure the tunnel with an AppleTalk network address. Using the AppleTalk network address, you can ping the other end of the tunnel to check the connection.
Multipoint GRE
After enabling mGRE tunneling, you can enable the tunnel protection command, which allows you to associate the mGRE tunnel with an IPSec profile. Combining mGRE tunnels and IPSec encryption allows a single mGRE interface to support multiple IPSec tunnels, thereby simplifying the size and complexity of the configuration.
NoteGRE tunnel keepalives configured using the keepalive command under a GRE interface are supported only on point-to-point GRE tunnels.
RBSCP
RBSCP tunneling is designed for wireless or long-distance delay links with high error rates, such as satellite links. Using tunnels, RBSCP can improve the performance of certain IP protocols, such as TCP and IPSec, over satellite links without breaking the end-to-end model.
IPSec in IPv6 Transport
IPv6 IPSec encapsulation provides site-to-site IPSec protection of IPv6 unicast and multicast traffic. This feature allows IPv6 routers to work as a security gateway, establishes IPSec tunnels between another security gateway router, and provides crypto IPSec protection for traffic from an internal network when being transmitting across the public IPv6 Internet. IPv6 IPSec is very similar to the security gateway model using IPv4 IPsec protection.
Examples
The following example shows how to enable Cayman tunneling:
Router(config ) # interface tunnel 0 Router(config-if)# tunnel source ethernet 0 Router(config-if)# tunnel destination 10.108.164.19 Router(config-if)# tunnel mode caymanExamples
The following example shows how to enable GRE tunneling:
Router(config ) # interface tunnel 0 Router(config-if)# appletalk cable-range 4160-4160 4160.19 Router(config-if)# appletalk zone Engineering Router(config-if)# tunnel source ethernet0 Router(config-if)# tunnel destination 10.108.164.19 Router(config-if)# tunnel mode greExamples
The following example shows how to configure a tunnel using IPSec encapsulation with IPv4 as the transport mechanism:
Router(config)# crypto ipsec profile PROF
Router(config ) # set transform tset
Router(config ) # interface Tunnel0
Router(config -if) # ip address 10.1.1.1 255.255.255.0
Router(config -if) # tunnel mode ipsec ipv4
Router(config -if) # tunnel source Loopback0
Router(config -if) # tunnel destination 172.16.1.1
Router(config-if)# tunnel protection ipsec profile PROFExamples
The following example shows how to configure an IPv6 IPSec tunnel interface:
Router(config)# interface tunnel 0 Router(config-if)# ipv6 address 2001:0DB8:1111:2222::2/64 Router(config-if)# tunnel destination 10.0.0.1 Router(config-if)# tunnel source Ethernet 0/0 Router(config-if)# tunnel mode ipsec ipv6 Router(config-if)# tunnel protection ipsec profile profile1Examples
The following example shows how to enable mGRE tunneling:
interface Tunnel0 bandwidth 1000 ip address 10.0.0.1 255.255.255.0 ! Ensures longer packets are fragmented before they are encrypted; otherwise, the ! receiving router would have to do the reassembly. ip mtu 1416 ! Turns off split horizon on the mGRE tunnel interface; otherwise, EIGRP will not ! advertise routes that are learned via the mGRE interface back out that interface. no ip split-horizon eigrp 1 no ip next-hop-self eigrp 1 delay 1000 ! Sets IPSec peer address to Ethernet interface’s public address. tunnel source Ethernet0 tunnel mode gre multipoint ! The following line must match on all nodes that want to use this mGRE tunnel. tunnel key 100000 tunnel protection ipsec profile vpnprofExamples
The following example shows how to enable RBSCP tunneling:
Router(config ) # interface tunnel 0 Router(config-if)# tunnel source ethernet 0 Router(config-if)# tunnel destination 10.108.164.19 Router(config-if)# tunnel mode rbscpRelated Commands
Command
Description
appletalk cable-range
Enables an extended AppleTalk network.
appletalk zone
Sets the zone name for the connected AppleTalk network.
tunnel destination
Specifies the destination for a tunnel interface.
tunnel protection
Associates a tunnel interface with an IPSec profile.
tunnel source
Sets the source address of a tunnel interface.
tunnel protection
To associate a tunnel interface with an IP Security (IPsec) profile, use the tunnel protection command in interface configuration mode. To disassociate a tunnel with an IPsec profile, use the no form of this command.
Syntax Description
Command History
Release
Modification
12.2(13)T
This command was introduced.
12.3(5)T
The shared keyword was added.
12.2(18)SXE
This command was integrated into Cisco IOS Release 12.2(18)SXE.
12.4(5)
The shared keyword was changed so that if it is used with the tunnel protection command, the tunnel source command must specify an interface instead of an IP address.
12.2(33)SRA
This command was integrated into Cisco IOS Release 12.(33)SRA.
Cisco IOS XE Release 2.5
This command was modified. This command was integrated into Cisco IOS XE Release 2.5.
Usage Guidelines
Use the tunnel protection command to specify that IPsec encryption will be performed after the GRE has been added to the tunnel packet. The tunnel protectioncommand can be used with multipoint GRE (mGRE) and point-to-point GRE (p-pGRE) tunnels. With p-pGRE tunnels, the tunnel destination address will be used as the IPsec peer address. With mGRE tunnels, multiple IPsec peers are possible; the corresponding Next Hop Resolution Protocol (NHRP) mapping nonbroadcast multiaccess (NBMA) destination addresses will be used as the IPsec peer addresses.
The shared Keyword
If you want to configure two Dynamic Multipoint VPN (DMVPN) mGRE and IPsec tunnels on the same router with the same local endpoint (tunnel source) configuration, you >must issue the shared keyword.
The dynamic crypto map that is created by the tunnel protection command is always different from a crypto map that is configured directly on the interface.
NoteGRE tunnel keepalives (configured with the keepalive command under the GRE interface) are not supported in combination with the tunnel protection command.
Examples
The following example shows how to associate the IPsec profile "vpnprof" with an mGRE tunnel interface. In this example, the IPsec source peer address will be the IP address from Ethernet interface 0. There is a static NHRP mapping from IP address 10.0.0.3 to IP address 172.16.2.1, so for this NHRP mapping the IPsec destination peer address will be 172.16.2.1. The IPsec proxy will be as follows: permit gre host ethernet0-ip-address host ip-address. Other NHRP mappings (static or dynamic) will automatically create additional IPsec security associations (SAs) with the same source peer address and the destination peer address from the NHRP mapping. The IPsec proxy for these NHRP mappings will be as follows: permit gre host ethernet0-ip-address host NHRP-mapping-NBMA-address.
crypto ipsec profile vpnprof set transform-set trans2 ! interface Tunnel0 bandwidth 1000 ip address 10.0.0.1 255.255.255.0 ! Ensures that longer packets are fragmented before they are encrypted; otherwise, the ! receiving router would have to do the reassembly. ip mtu 1416 ip nhrp authentication donttell ip nhrp map multicast dynamic ip nhrp network-id 99 ip nhrp holdtime 300 ! Turns off split horizon on the mGRE tunnel interface; otherwise, EIGRP will not ! advertise routes that are learned via the mGRE interface back out that interface. no ip split-horizon eigrp 1 no ip next-hop-self eigrp 1 delay 1000 ! Sets the IPSec peer address to the Ethernet interface’s public address. tunnel source Ethernet0 tunnel mode gre multipoint ! The following line must match on all nodes that want to use this mGRE tunnel. tunnel key 100000 tunnel protection ipsec profile vpnprofThe following example shows how to associate the IPsec profile "vpnprof" with a p-pGRE tunnel interface. In this example, the IPsec source peer address will be the IP address from Ethernet interface 0. The IPsec destination peer address will be 172.16.1.10 (per the tunnel destination address command). The IPsec proxy will be as follows: permit gre host ethernet0-ip-address host ip-address.
interface Tunnel1 ip address 10.0.1.1 255.255.255.252 ! Ensures that longer packets are fragmented before they are encrypted; otherwise, the ! receiving router would have to do the reassembly. ip mtu 1420 tunnel source Ethernet0 tunnel destination 172.16.1.10 tunnel protection ipsec profile vpnprofIn the following example, the crypto sockets are shared between the Tunnel0 and Tunnel1 interfaces because the tunnel protection command on both interfaces uses the same profile and is configured with the shared keyword. Both tunnels specify the tunnel source to be an Ethernet0/0 interface.
interface Tunnel0 ip address 10.255.253.3 255.255.255.0 no ip redirects ip mtu 1436 ip nhrp authentication h1there ip nhrp map 10.255.253.1 192.168.1.1 ip nhrp map multicast 192.168.1.1 ip nhrp network-id 253 ip nhrp holdtime 600 ip nhrp nhs 10.255.253.1 ip ospf message-digest-key 1 md5 wellikey ip ospf network broadcast ip ospf cost 35 ip ospf priority 0 no ip mroute-cache tunnel source Ethernet0/0 tunnel mode gre multipoint tunnel key 253 tunnel protection ipsec profile dmvpn-profile shared interface Tunnel1 ip address 10.255.254.3 255.255.255.0 no ip redirects ip mtu 1436 ip nhrp authentication h1there ip nhrp map multicast 192.168.1.3 ip nhrp map 10.255.254.1 192.168.1.3 ip nhrp network-id 254 ip nhrp holdtime 600 ip nhrp nhs 10.255.254.1 ip ospf message-digest-key 1 md5 wellikey ip ospf network broadcast ip ospf priority 0 no ip mroute-cache tunnel source Ethernet0/0 tunnel mode gre multipoint tunnel key 254 tunnel protection ipsec profile dmvpn-profile sharedRelated Commands
Command
Description
crypto ipsec profile
Defines the IPsec parameters that are to be used for IPsec encryption between two IPsec routers.
interface
Configures an interface type and enters interface configuration mode.
keepalive (tunnel interfaces)
Enables keepalive packets and specifies the number of times that the Cisco IOS software tries to send keepalive packets without a response before bringing the tunnel protocol down for a specific interface.
permit
Sets conditions for a named IP access list.
tunnel source
Sets the source address for a tunnel interface.
type echo protocol ipIcmpEcho
NoteEffective with Cisco IOS Release 12.4(4)T, 12.2(33)SRB, 12.2(33)SB, and 12.2(33)SXI, the type echo protocol ipIcmpEchocommand is replaced by the icmp-echo command. See the icmp- echo command for more information.
To configure an IP Service Level Agreements (SLAs) Internet Control Message Protocol (ICMP) echo operation, use the type echo protocol ipIcmpEchocommand in IP SLA monitor configuration mode.
type echo protocol ipIcmpEcho { destination-ip-address | destination-hostname } [ source-ipaddr { ip-address | hostname } | source-interface interface-name ]
Syntax Description
destination-ip-address | destination-hostname
Destination IP address or hostname for the operation.
source-ipaddr {ip-address | hostname}
(Optional) Specifies the source IP address or hostname . When a source IP address or hostname is not specified, IP SLAs chooses the IP address nearest to the destination.
source-interface interface-name
(Optional) Specifies the source interface for the operation.
Command History
Release
Modification
11.2
This command was introduced.
12.0(5)T
The following keyword and arguments were added:
- source-ipaddr {ip-address | hostname
12.3(7)XR
The source-interface keyword and interface-name argument were added.
12.3(11)T
The source-interface keyword and interface-name argument were added.
12.4(4)T
This command was replaced by the icmp-echo command.
12.2(33)SRB
This command was replaced by the icmp-echo command.
12.2SX
This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
12.2(33)SB
This command was replaced by the icmp-echo command.
12.2(33)SXI
This command was replaced by the icmp-echo command.
Usage Guidelines
The default request packet data size for an ICMP echo operation is 28 bytes. Use the request-data-size command to modify this value. This data size is the payload portion of the ICMP packet, which makes a 64-byte IP packet.
You must configure the type of IP SLAs operation (such as User Datagram Protocol [UDP] jitter or Internet Control Message Protocol [ICMP] echo) before you can configure any of the other parameters of the operation. To change the operation type of an existing IP SLAs operation, you must first delete the IP SLAs operation (using the no ip sla monitor global configuration command) and then reconfigure the operation with the new operation type.
udp half-open
To configure timeout values for UDP half-opened sessions, use the udp half-open command in parameter-map type inspect configuration mode. To disable the timeout values for UDP half-opened sessions, use the no form of this command.
Syntax Description
idle-time
Specifies the idle timeout for UDP half-opened sessions going through the firewall.
milliseconds
Amount of time, in milliseconds, during which a UDP session will continue to be managed while there is no activity. Valid values are from 1 to 2147483.
ageout-time milliseconds
(Optional) Specifies the aggressive aging time for UDP half-opened sessions. Valid values are from 1 to 2147483.
Usage Guidelines
You must configure the parameter-map type inspect command before you can configure the udp half-open command.
An UDP half-opened session is when only one UDP packet is detected in the UDP flow.
udp idle-time
To configure the idle timeout for UDP sessions, use the udp idle-time command in parameter-map type inspect configuration mode. To disable the timeout, use the no form of this command.
Usage Guidelines
When you configure an inspect parameter map, you can enter the udp idle-time command after you enter the parameter-map type inspect command.
When the software detects a valid UDP packet, it establishes state information for a new UDP session. Because UDP is a connectionless service, there are no actual sessions, and the software examines the information in the packet and determines if the packet is similar to other UDP packets (for example, it has similar source or destination addresses and if the packet was detected soon after another similar UDP packet).
If the software detects no UDP packets for the UDP session for the period of time defined by the UDP idle timeout, the software will not continue to manage state information for the session.
For detailed information about creating a parameter map, see the parameter-map type inspect command.
Examples
The following example shows that there is no activity and the UDP session will continue to be managed for 75 seconds:
Router(config)# parameter-map type inspect eng-network-profile Router(config-profile)# udp idle-time 75 Router(config-profile)# endThe following example shows how to configure the aging out time for UDP sessions:
Router(config)# parameter-map type inspect eng-network-profile Router(config-profile)# udp idle-time 75 ageout-time 50 Router(config-profile)# endRelated Commands
Command
Description
ip inspect udp idle-time
Specifies the UDP idle timeout (the length of time for which a UDP session will still be managed while there is no activity).
parameter-map type inspect
Configures an inspect parameter map for connecting thresholds, timeouts, and other parameters pertaining to the inspect action.
unmatched-action
To define the action when the user request does not match the IP address or host site configuration, use the unmatched-action command in URL rewrite configuration mode. To disable the action, use the no form of this command.
url (ips-auto-update)
To define a location in which to retrieve the Cisco IOS Intrusion Prevention System (IPS) signature configuration files, use the urlcommand in IPS-auto-update configuration mode.
Usage Guidelines
Automatic signature updates allow users to override the existing IPS configuration and automatically keep signatures up to date on the basis of a preset time, which can be configured to a preferred setting.
Examples
In this example, the signature package file is pulled from the TFTP server at the start of every hour or every day, Sunday through Thursday. (Note that adjustments are made for months without 31 days and daylight savings time.)
Router# show ip ips auto-update IPS Auto Update Configuration URL : tftp://192.168.0.2/jdoe/ips-auto-update/IOS_reqSeq-dw.xml Username : not configured Password : not configured Auto Update Intervals minutes (0-59) : 0 hours (0-23) : 0-23 days of month (1-31) : 1-31 days of week: (0-6) : 1-5url rewrite
To mangle selective URL requests on a Secure Socket Layer virtual private network (SSL VPN) gateway and enter URL rewrite mode, use the url rewrite command in webvpn context configuration mode. To disable selected URL requests, use the no form of this command.
Usage Guidelines
Configuring the url rewrite command enters the url rewrite submode, in which selected IP addresses or hosts are defined for mangling.
Examples
The following example shows that selective URL mangling has been configured for IP address 10.1.1.0 255.255.0.0:
Router (config)# webvpn context Router (config-webvpn-context)# url rewrite Router (config-webvpn-url-rewrite)# ip 10.1.0.0 255.255.0.0Related Commands
Command
Description
host (webvpn url rewrite)
Selects the name of the host site to be mangled on an SSL VPN gateway.
ip (webvpn url rewrite)
Configures the IP address of the site to be mangled on an SSL VPN gateway.
unmatched-action (webvpn url rewrite)
Defines the action when the user request does not match the IP address or host site configuration.
urlfilter
To enable Cisco IOS URL filtering, use the urlfilter command in policy-map-class configuration mode. To disable URL filtering, use the no form of this command.
Usage Guidelines
You can use this command only after entering the policy-map type inspect, class type inspect, and parameter-map type inspect commands.
url-list
To enter webvpn URL list configuration mode to configure a list of URLs to which a user has access on the portal page of a Secure Sockets Layer Virtual Private Network (SSL VPN) and to attach the URL list to a policy group, use the url-list command in webvpn context configuration and webvpn group policy configuration mode, respectively. To remove the URL list from the SSL VPN context configuration and from the policy group, use the no form of this command.
Command Default
Webvpn URL list configuration mode is not entered, and a list of URLs to which a user has access on the portal page of a SSL VPN website is not configured. If the command is not used to attach a URL list to a policy group, then a URL list is not attached to a group policy.
Usage Guidelines
Entering this command places the router in SSL VPN URL list configuration mode. In this mode, the list of URLs is configured. A URL list can be configured under the SSL VPN context configuration and then separately for each individual policy group configuration. Individual URL list configurations must have unique names.
Examples
The following example creates a URL list:
Router(config)# webvpn context context1 Router(config-webvpn-context)# url-list ACCESS Router(config-webvpn-url)# heading "Quick Links" Router(config-webvpn-url)# url-text "Human Resources" url-value hr.mycompany.com Router(config-webvpn-url)# url-text Engineering url-value eng.mycompany.com Router(config-webvpn-url)# url-text "Sales and Marketing" products.mycompany.comThe following example attaches a URL list to a policy group configuration:
Router(config)# webvpn context context1 Router(config-webvpn-context)# url-list ACCESS Router(config-webvpn-url)# heading "Quick Links" Router(config-webvpn-url)# url-text "Human Resources" url-value hr.mycompany.com Router(config-webvpn-url)# url-text Engineering url-value eng.mycompany.com Router(config-webvpn-url)# url-text "Sales and Marketing" products.mycompany.com Router(config-webvpn-url)# exit Router(config-webvpn-context)# policy group ONE Router(config-webvpn-group)# url-list ACCESSRelated Commands
Command
Description
heading
Configures the heading that is displayed above URLs listed on the portal page of a SSL VPN website.
policy group
Attaches a URL list to policy group configuration.
url-list
Enters webvpn URL list configuration mode to configure the list of URLs to which a user has access on the portal page of a SSL VPN website.
url-text
Adds an entry to a URL list.
webvpn context
Enters webvpn context configuration mode to configure the SSL VPN context.
url-profile
To specify a URL profile that configures the SDP registrar to run HTTPS, use the url-profilecommand in tti-registrar configuration mode. To remove this configuration, use the no form of this command.
url-profile { start profile-name | intro profile-name }
nourl-profile { start profile-name | intro profile-name }
Usage Guidelines
The SDP Registrar is enabled to run HTTPs. It is recommended that the ip http secure-server command is issued to enable the HTTPS web server. If a secure server is enabled, then the ip http secure-trustpoint command should also be issued. Disable standard HTTP server through the no ip http server command (if the standard server is enabled). The specified trustpoint is a registrar local trustpoint appropriate for HTTPS communication between the registrar and the iPhone’s browser.
The url-profile command can use the same or a different URL profile forthe Introduction and Start SDP deployment phases.
Examples
The following example configures the SDP registrar to run HTTPS in order to deploy Apple iPhones on a corporate network from global configuration mode:
Router(config)# crypto provisioning registrar Router(tti-registrar)# url-profile start START Router(tti-registrar)# url-profile intro INTRO Router(tti-registrar)# match url /sdp/intro Router(tti-registrar)# match authentication trustpoint apple-tp Router(tti-registrar)# match certificate cat 10 Router(tti-registrar)# mime-type application/x-apple-aspen-config Router(tti-registrar)# template location flash:intro.mobileconfig Router(tti-registrar)# template variable p iphone-vpnRelated Commands
Command
Description
crypto provisioning registrar
Configures a device to become a registrar for the SDP exchange and enters tti-registrar configuration mode.
match url
Specifies the URL to be associated with the URL profile.
match authentication trustpoint
Enters the trustpoint name that should be used to authenticate the peer’s certificate.
match certificate
Enters the name of the certificate map used to authorize the peer’s certificate.
mime-type
Specifies the MIME type that the SDP registrar should use to respond to a request received through the URL profile.
template location
Specifies the location of the template that the SDP Registrar should use while responding to a request received through the URL profile.
template variable p
Specifies the value that goes into the OU field of the subject name in the certificate to be issued.
validate source-mac
To check the source media access control (MAC) address against the link-layer address, use the validate source-maccommand in Neighbor Discovery ( ND) inspection policy configuration mode .
Command Modes
ND inspection policy configuration (config-nd-inspection)
RA guard policy configuration
(config-ra-guard)Usage Guidelines
When the router receives an ND message that contains a link-layer address, the source MAC address is checked against the link-layer address. Use the validate source-mac command to drop the packet if the link-layer address and the MAC addresses are different from each other.
url-text
To add an entry to a URL list, use the url-text command in webvpn URL list configuration mode. To remove the entry from a URL list, use the no form of this command.
Examples
The following example configures a heading for a URL list:
Router(config)# webvpn context context1 Router(config-webvpn-context)# url-list ACCESS Router(config-webvpn-url)# heading "Quick Links" Router(config-webvpn-url)# url-text "Human Resources" url-value hr.mycompany.com Router(config-webvpn-url)# url-text Engineering url-value eng.mycompany.com Router(config-webvpn-url)# url-text "Sales and Marketing" products.mycompany.comusage
To specify the intended use for the certificate, use the usage command in ca-trustpoint configuration mode. To restore the default behavior, use the no form of this command.
Usage Guidelines
Before you can issue the usage command, you must enable the crypto ca trustpointcommand, which declares the certification authority (CA) that your router should use and enters ca-trustpoint configuration mode.
This command may be used as a hint to set or clear key usage or other attributes in the certificate request.
Examples
The following example shows how to specify the certificate named "frog" for Internet Key Exchange (IKE):
crypto ca trustpoint frog enrollment url http://frog.phoobin.com/ subject-name OU=Spiral Dept., O=tiedye.com ip-address ethernet-0 usage ike auto-enroll regenerate password revokeme rsa-key frog 2048user
To enter the names of users that are allowed to authenticate using the local authentication server, use the usercommand in local RADIUS server configuration mode. To remove the username and password from the local RADIUS server, use the no form of this command.
user username { password | nthash } password [ group group-name | mac-auth-only ]
no user username { password | nthash } password [ group group-name | mac-auth-only ]
Syntax Description
username
Name of the user that is allowed to authenticate using the local authentication server.
password
Indicates that the user password will be entered.
nthash
Indicates that the NT value of the password will be entered.
password
User password.
group group-name
(Optional) Name of group to which the user will be added.
mac-auth-only
(Optional) Specifies that the user is allowed to authenticate using only MAC authentication.
Command Default
If no group name is entered, the user is not assigned to a VLAN and is never required to reauthenticate.
Command History
Release
Modification
12.2(11)JA
This command was introduced on the Cisco Aironet Access Point 1100 and the Cisco Aironet Access Point 1200.
12.2(15)JA
This command was modified to support MAC address authentication on the local authenticator.
12.3(2)JA
This command was modified to support EAP-FAST authentication on the local authenticator.
12.3(11)T
This command was integrated into Cisco IOS Release 12.3(11)T and implemented on the following platforms: Cisco 2600XM, Cisco 2691, Cisco 2811, Cisco 2821, Cisco 2851, Cisco 3700, and Cisco 3800 series routers.
Usage Guidelines
This command is not supported on bridges.
If you do not know the user password, look up the NT value of the password in the authentication server database, and enter the NT hash as a hexadecimal string.
Examples
The following example shows that the user named "user1" has been allowed to authenticate using the local authentication server (using the password "userisok"). This user will be added to the group named "team1".
Router(config-radsrv)# user user1 password userisok group team1The following example shows how to add a user to the list of clients allowed to authenticate using MAC-based authentication on the local authenticator.
AP(config-radsrv)# user 00074218d01b password 00074218d01b group cashiersRelated Commands
Command
Description
block count
Configures the parameters for locking out members of a group to help protect against unauthorized attacks.
clear radius local-server
Clears the statistics display or unblocks a user.
debug radius local-server
Displays the debug information for the local server.
group
Enters user group configuration mode and configures shared setting for a user group.
nas
Adds an access point or router to the list of devices that use the local authentication server.
radius-server host
Specifies the remote RADIUS server host.
radius-server local
Enables the access point or router to be a local authentication server and enters into configuration mode for the authenticator.
reauthentication time
Specifies the time (in seconds) after which access points or wireless-aware routers must reauthenticate the members of a group.
show radius local-server statistics
Displays statistics for a local network access server.
ssid
Specifies up to 20 SSIDs to be used by a user group.
vlan
Specifies a VLAN to be used by members of a user group.
user-group
To define a user group for dynamically authenticating and enforcing security policies on a per user basis, use the user-groupcommand in identity policy configuration mode. To delete the user-group, use the no form of this command.
Usage Guidelines
The user-group command is used if the Tag and Template method of user-group support is used. The Tag and Template method associates IP addresses with user-groups using locally defined policies. A tag is received from the access control server (ACS), and this tag matches a template (identity policy with defined user-group) on the network access device (NAD).
To use the user-group command, you must first enter identity policy configuration mode by using the identity policycommand. The identity policy defines one or more user-groups, to which source IP addresses are associated.
NoteAnother method of user-group association is available. User-group support can be achieved by configuring the supplicant-group attribute on the ACS.
user-group (parameter-map)
To configure the user group associations for content scanning, use the user-group command in parameter-map type inspect configuration mode. To disable the user group association, use the no form of this command.
user-group { group-name [ username ] | exclude | include } username
no user-group { name [ username ] | exclude | include } username
Usage Guidelines
Use the group-name argument to have the same content scanning policy for all users in a branch office. A prefix of LDAP:// is attached the group-name argument when this information is sent to ScanSafe to match the configured directory groups.
The username keyword is the global username that is sent to ScanSafe when there is no content scanning session specific to the configured username.
By default, all the configured user groups of a user are sent to ScanSafe. You can use the user-group command to allow the administrator to filter the user groups sent to ScanSafe by configuring the include or the exclude keywords. When you configure the include keyword, only user groups that are in the include list are sent to ScanSafe. User groups in the exclude list are filtered from the list of user groups that is sent to ScanSafe. The default value for the include list is everything and the exclude list is empty. You can configure multiple instances of include and exclude user groups.
You can configure only one group on an interface. The static user group that is configured on the interface takes precedence over the group name configured in the content-scan parameter map.
user-group logging
To enable user-group syslogs, use the user-group loggingcommand in global configuration mode. To disable user-group syslogs, use the no form of this command.
username
To establish a username-based authentication system, use the username command in global configuration mode. To remove an established username-based authentication, use the no form of this command.
username name [ aaa attribute list aaa-list-name ]
username name [ access-class access-list-number ]
username name [ autocommand command ]
username name [ callback-dialstring telephone-number ]
username name [ callback-line [tty] line-number [ending-line-number] ]
username name [ callback-rotary rotary-group-number ]
username name [dnis]
username name [mac]
username name [nocallback-verify]
username name [noescape]
username name [nohangup]
username name [ nopassword | password password | password encryption-type encrypted-password ]
username name [ one-time { password { 0 | 7 | password } | secret { 0 | 5 | password } } ]
username name [ password secret ]
username name [ privilege level ]
username name [ secret { 0 | 5 | password } ]
username name [ user-maxlinks number ]
username [lawful-intercept] name [ privilege privilege-level | view view-name ] password password
no username name
Syntax Description
name
Hostname, server name, user ID, or command name. The name argument can be only one word. Blank spaces and quotation marks are not allowed.
aaa attribute list aaa-list-name
Uses the specified authentication, authorization, and accounting (AAA) method list.
access-class access-list-number
(Optional) Specifies an outgoing access list that overrides the access list specified in the access-class command available in line configuration mode. It is used for the duration of the user’s session.
autocommand command
(Optional) Causes the specified command to be issued automatically after the user logs in. When the command is complete, the session is terminated. Because the command can be any length and can contain embedded spaces, commands using the autocommand keyword must be the last option on the line.
callback-dialstring telephone-number
(Optional) For asynchronous callback only: permits you to specify a telephone number to pass to the DCE device.
callback-line line-number
(Optional) For asynchronous callback only: relative number of the terminal line (or the first line in a contiguous group) on which you enable a specific username for callback. Numbering begins with zero.
ending-line-number
(Optional) Relative number of the last line in a contiguous group on which you want to enable a specific username for callback. If you omit the keyword (such as tty), then line-number and ending-line-number are absolute rather than relative line numbers.
tty
(Optional) For asynchronous callback only: standard asynchronous line.
callback-rotary rotary-group-number
(Optional) For asynchronous callback only: permits you to specify a rotary group number on which you want to enable a specific username for callback. The next available line in the rotary group is selected. Range: 1 to 100.
dnis
Does not require a password when obtained via Dialed Number Identification Service (DNIS).
mac
Allows a MAC address to be used as the username for MAC filtering done locally.
nocallback-verify
(Optional) Specifies that the authentication is not required for EXEC callback on the specified line.
noescape
(Optional) Prevents a user from using an escape character on the host to which that user is connected.
nohangup
(Optional) Prevents Cisco IOS software from disconnecting the user after an automatic command (set up with the autocommand keyword) has completed. Instead, the user gets another EXEC prompt.
nopassword
No password is required for this user to log in. This is usually the most useful keyword to use in combination with the autocommand keyword.
password
Specifies the password to access the name argument. A password must be from 1 to 25 characters, can contain embedded spaces, and must be the last option specified in the username command.
password
Password that a user enters.
encryption-type
Single-digit number that defines whether the text immediately following is encrypted and if so, what type of encryption is used. Defined encryption types are 0, which means that the text immediately following is not encrypted, and 7, which means that the text is encrypted using a Cisco-defined encryption algorithm.
encrypted-password
Encrypted password that a user enters.
one-time
Specifies that the username and password is valid for only one time. This configuration is used to prevent default credentials from remaining in user configurations.
0
Specifies that an unencrypted password or secret (depending on the configuration) follows.
7
Specifies that a hidden password follows.
5
Specifies that a hidden secret follows.
secret
Specifies a secret for the user.
secret
For Challenge Handshake Authentication Protocol (CHAP) authentication: specifies the secret for the local router or the remote device. The secret is encrypted when it is stored on the local router. The secret can consist of any string of up to 11 ASCII characters. There is no limit to the number of username and password combinations that can be specified, allowing any number of remote devices to be authenticated.
privilege privilege-level
(Optional) Sets the privilege level for the user. Range: 1 to 15.
user-maxlinks number
Maximum number of inbound links allowed for a user.
lawful-intercept
(Optional) Configures lawful intercept users on a Cisco device.
name
Hostname, server name, user ID, or command name. The name argument can be only one word. Blank spaces and quotation marks are not allowed.
view view-name
(Optional) For CLI view only: associates a CLI view name, which is specified with the parser view command, with the local AAA database.
password password
Password to access the CLI view.
Command History
Release
Modification
10.0
This command was introduced.
11.1
This command was modified. The following keywords and arguments were added:
12.3(7)T
This command was modified. The following keywords and arguments were added:
12.2(33)SRB
This command was modified. The following keywords and arguments were integrated into Cisco IOS Release 12.2(33)SRB:
12.2(33)SB
This command was modified. The following keywords and arguments were integrated into Cisco IOS Release 12.2(33)SB:
Cisco IOS XE Release 2.1
This command was integrated into Cisco IOS XE Release 2.1.
12.2(33)SXI
This command was integrated into Cisco IOS Release 12.2(33)SXI.
12.4
This command was modified. The following keywords were integrated into Cisco IOS Release 12.4:
15.1(1)S
This command was modified. Support for the nohangup keyword was removed from Secure Shell (SSH).
Cisco IOS XE Release 3.2SE
This command was modified. The mac keyword was added.
Usage Guidelines
The username command provides username or password authentication, or both, for login purposes only.
Multiple username commands can be used to specify options for a single user.
Add a username entry for each remote system with which the local router communicates and from which it requires authentication. The remote device must have a username entry for the local router. This entry must have the same password as the local router’s entry for that remote device.
This command can be useful for defining usernames that get special treatment. For example, you can use this command to define an "info" username that does not require a password but connects the user to a general purpose information service.
The username command is required as part of the configuration for CHAP. Add a username entry for each remote system from which the local router requires authentication.
NoteTo enable the local router to respond to remote CHAP challenges, one username name entry must be the same as the hostname entry that has already been assigned to the other router.
- To avoid the situation of a privilege level 1 user entering into a higher privilege level, configure a per-user privilege level other than 1 (for example, 0 or 2 through 15).
- Per-user privilege levels override virtual terminal privilege levels.
In Cisco IOS Release 15.1(1)S and later releases, the nohangup keyword is not supported with SSH. If the username user autocommand command-name command is configured and SSH is used, the session disconnects after executing the configured command once. This behavior with SSH is opposite to the Telnet behavior, where Telnet continuously asks for authentication and keeps executing the command until the user exits Telnet manually.
CLI and Lawful Intercept Views
Both CLI views and lawful intercept views restrict access to specified commands and configuration information. A lawful intercept view allows a user to secure access to lawful intercept commands that are held within the TAP-MIB, which is a special set of Simple Network Management Protocol (SNMP) commands that stores information about calls and users.
Users who are specified via the lawful-intercept keyword are placed in the lawful-intercept view, by default, if no other privilege level or view name has been explicitly specified.
If no value is specified for the secret argument and the debug serial-interface command is enabled, an error is displayed when a link is established and the CHAP challenge is not implemented. The CHAP debugging information is available using the debug ppp negotiation , debug serial-interface , and debug serial-packet commands. For more information about debug commands, refer to the Cisco IOS Debug Command Reference .
Examples
The following example shows how to implement a service similar to the UNIX who command, which can be entered at the login prompt and lists the current users of the router:
username who nopassword nohangup autocommand show usersThe following example shows how to implement an information service that does not require a password to be used. The command takes the following form:
username info nopassword noescape autocommand telnet nic.ddn.milThe following example shows how to implement an ID that works even if all the TACACS+ servers break. The command takes the following form:
username superuser password superpasswordThe following example shows how to enable CHAP on interface serial 0 of "server_l." It also defines a password for a remote server named "server_r."
hostname server_l username server_r password theirsystem interface serial 0 encapsulation ppp ppp authentication chapThe following is output from the show running-config command displaying the passwords that are encrypted:
hostname server_l username server_r password 7 121F0A18 interface serial 0 encapsulation ppp ppp authentication chapIn the following example, a privilege level 1 user is denied access to privilege levels higher than 1:
username user privilege 0 password 0 cisco username user2 privilege 2 password 0 ciscoThe following example shows how to remove the username-based authentication for user2:
no username user2Related Commands
Command
Description
arap callback
Enables an ARA client to request a callback from an ARA client.
callback forced-wait
Forces the Cisco IOS software to wait before initiating a callback to a requesting client.
debug ppp negotiation
Displays PPP packets sent during PPP startup, where PPP options are negotiated.
debug serial-interface
Displays information about a serial connection failure.
debug serial-packet
Displays more detailed serial interface debugging information than you can obtain using debug serial interface command.
ppp callback (DDR)
Enables a dialer interface that is not a DTR interface to function either as a callback client that requests callback or as a callback server that accepts callback requests.
ppp callback (PPP client)
Enables a PPP client to dial into an asynchronous interface and request a callback.
show users
Displays information about the active lines on the router.
username (dot1x credentials)
To specify the username for an 802.1X credentials profile, use the username command in dot1x credentials configuration mode. To remove the username, use the no form of this command.
Usage Guidelines
Before using this command, the dot1x credentials command must have been configured.
Examples
The following example shows which credentials profile should be used when configuring a supplicant:
dot1x credentials basic-user username router password secret description This credentials profile should be used for most configured portsThe credentials structure can be applied to an interface, along with the dot1x pae supplicant command and keyword, to enable supplicant functionality on that interface.
interface fastethernet 0/1 dot1x credentials basic-user dot1x pae supplicantusername (ips-autoupdate)
To define a username and password in which to access signature files from the server, use the usernamecommand in IPS-auto-update configuration mode.
Usage Guidelines
Automatic signature updates allow users to override the existing Intrusion Prevention System (IPS) configuration and automatically keep signatures up to date on the basis of a preset time, which can be configured to a preferred setting.
Use the ip ips auto-update command to enable Cisco IOS IPS to automatically update the signature file on the system. Thereafter, you can optionally issue the username command to specify a username and password to access signature files.
Examples
The following example shows how to configure automatic signature updates and issue the show ip ips auto-update command to verify the configuration:
Router# clock set ? hh:mm:ss Current Time Router# clock set 10:38:00 20 apr 2006 Router# *Apr 20 17:38:00.000: %SYS-6-CLOCKUPDATE: System clock has been updated from 10:37:55 MST Thu Apr 20 2006 to 10:38:00 MST Thu Apr 20 2006, configured from console by cisco on console. Router(config)# ip ips auto-update Router(config-ips-auto-update)# occur-at 0 0-23 1-31 1-5 Router(config-ips-auto-update)# $s-auto-update/IOS_reqSeq-dw.xml Router(config-ips-auto-update)#^Z Router# *May 4 2006 15:50:28 MST: IPS Auto Update: setting update timer for next update: 0 hrs 10 min *May 4 2006 15:50:28 MST: %SYS-5-CONFIG_I: Configured from console by cisco on console Router# Router# show ip ips auto-update IPS Auto Update Configuration URL : tftp://192.168.0.2/jdoe/ips-auto-update/IOS_reqSeq-dw.xml Username : not configured Password : not configured Auto Update Intervals minutes (0-59) : 0 hours (0-23) : 0-23 days of month (1-31) : 1-31 days of week: (0-6) : 1-5username secret
To encrypt a user password with irreversible encryption, use the username secret command in global configuration mode.
Syntax Description
name
Username.
0
Specifies an unencrypted secret.
password
Clear-text password.
5 secret-string
message digest alogrithm5 (MD5) encrypted secret text string, which is stored as the encrypted user password.
4 secret-string
SHA256 encrypted secret text string, which is stored as the encrypted user password.
Command History
Release
Modification
12.0(18)S
This command was introduced.
12.1(8a)E
This command was integrated into Cisco IOS Release 12.1(8a)E.
12.2(8)T
This command was integrated into Cisco IOS Release 12.2(8)T.
12.2(14)SX
Support for this command was introduced on the Supervisor Engine 720.
12.2(17d)SXB
Support for this command on the Supervisor Engine 2 was extended to Cisco IOS Release 12.2(17d)SXB.
12.2(33)SRA
This command was integrated into Cisco IOS Release 12.2(33)SRA.
15.0(1)S
This command was integrated into Cisco IOS Release 15.0(1)S. Encryption types 0, 4, and 5 were added.
15.1(1)SY
This command was integrated into Cisco IOS Release 15.1(1)SY.
Usage Guidelines
Use the username secret command to configure a username and MD5-encrypted user password. MD5 encryption is a strong encryption method that is not retrievable; thus, you cannot use MD5 encryption with protocols that require clear-text passwords, such as Challenge Handshake Authentication Protocol (CHAP).
The username secret command provides an additional layer of security over the username password. It also provides better security by encrypting the password using non reversible MD5 encryption and storing the encrypted text. The added layer of MD5 encryption is useful in environments in which the password crosses the network or is stored on a TFTP server.
Use MD5 as the encryption type if you paste into this command an encrypted password that you copied from a router configuration file.
Use this command to enable Enhanced Password Security for the specified, unretrievable username. This command enables MD5 encryption on the password. MD5 encryption is a strong encryption method. You cannot use MD5 encryption with protocols, such as CHAP, that require clear-text passwords.
This command can be useful for defining usernames that get special treatment. For example, you can use this command to define an "info" username that does not require a password but connects the user to a general-purpose information service.
The username command provides username or secret authentication for login purposes only. The name argument can be one word only. Spaces and quotation marks are not allowed. You can use multiple username commands to specify options for a single user.
Examples
The following example shows how to configure username "abc" and enable MD5 encryption on the clear-text password "xyz":
username abc secret 0 xyzThe following example shows how to configure username "cde" and enter an MD5 encrypted text string that is stored as the username password:
username cde secret 5 $1$feb0$a104Qd9UZ./Ak00KTggPD0The following example shows how to configure username "xyz" and enter an MD5 encrypted text string that is stored as the username password:
username xyz secret 5 $1$feb0$a104Qd9UZ./Ak00KTggPD0user-profile location
To store user bookmarks in a directory on a device, use the user-profile location command in webvpn context configuration mode. To remove a directory that has been configured, use the no form of this command.
Usage Guidelines
The table below lists accept storage locations.
Table 1 Type of Storage Location Type of Storage Location
Description
archive
Archived file system.
Bootflash
Bootflash memory.
disk0
On Disk 0.
disk1
On Disk 1.
Flash
Flash memory.
FTP
FTP network server.
HTTP
HTTP file server.
HTTPS
HTTP secure server.
null
Null destination for copies. You can copy a remote file to null to determine its size.
NVRAM
Storage location is in NVRAM.
PRAM
Phase-change memory (PRAM)--type of nonvolatile computer memory.
RCP
Remote copy protocol network server.
SCP
Secure Copy--A means of securely transferring computer files between a local and a remote host or between two remote hosts using the Secure Shell (SSH) protocol.
slot0
On Slot 0.
slot1
On Slot 1.
system
System memory, including the running configuration.
tmpsys
Temporary system in a file system.
variable
To define the next-hop variable in a mitigation parameter map for Transitory Messaging Services (TMS), use the variable command in parameter-map configuration mode. To remove the next-hop variable from the mitigation parameter map, use the no form of this command.
NoteEffective with Cisco IOS Release 12.4(20)T, the variable command is not available in Cisco IOS software.
Usage Guidelines
The variable command is configured to set the next-hop variable in a mitigation type parameter map. The next hop can be configured to route to a null 0 interface (black hole) or route to a specific interface for collection and analysis.
NoteIf the next hop is defined in a threat file and as a variable by configuring this command, the next-hop value defined in the threat file will have precedence over the parameter map variable.
Examples
The following example configures a variable that routes all priority 5 traffic to the null0 interface:
Router(config)# class-map type control mitigation match-all MIT_CLASS_2 Router(config-cmap)# match primitive any Router(config-cmap)# match priority 5 Router(config-cmap)# exit Router(config)# parameter-map type mitigation MIT_PAR_2 Router(config-profile)# variable RTBH null0 Router(config-profile)# exit Router(config)# policy-map type control mitigation MIT_POL_2 Router(config-pmap)# class MIT_CLASS_2 Router(config-pmap-c)# redirect route $RTBH Router(config-pmap-c)# source parameter MIT_PAR_2 Router(config-pmap-c)# exit Router(config-pmap)# exitRelated Commands
Command
Description
acl drop
Configures an ACL drop enforcement action in a TMS Rules Engine configuration.
class-map type control mitigation
Configures a mitigation type class map.
ignore (TMS)
Configures the TMS Rules Engine to ignore a mitigation enforcement action.
match primitive
Configures a primitive match in a mitigation type class map.
match priority
Configures the match priority level for a mitigation enforcement action.
parameter-map type mitigation
Configures a mitigation type parameter map.
policy-map type control tms
Configures a TMS type policy map.
redirect route
Configures a redirect enforcement action in a mitigation type policy map.
source parameter
Attaches a mitigation type parameter map to a policy-map class configuration.
tms-class
Associates an interface with an ACL drop enforcement action.
view
To add a normal command-line interface (CLI) view to a superview, use the view command in view configuration mode. To remove a CLI view from a superview, use the no form of this command.
Usage Guidelines
Before you can use this command to add normal views to a superview, ensure that the following steps have been taken:
- A password has been configured for the superview (via the secret 5 command).
- The normal views that are to be added to the superview are valid views in the system; that is, the views have been successfully created via the parser view command.
Examples
The following sample output from the show running-config command shows that "view_one" and "view_two" have been added to superview "su_view1," and "view_three" and "view_four" have been added to superview "su_view2":
! parser view su_view1 superview secret 5 <encoded password> view view_one view view_two ! parser view su_view2 superview secret 5 <encoded password> view view_three view view_four !virtual-template (IKEv2 profile)
To configure an Internet Key Exchange (IKEv2) profile with a virtual template to be used for cloning the virtual access interfaces, use the virtual-template command in IKEv2 profile configuration mode. To remove the virtual template from IKEv2 profile, use the no form of this command.
Usage Guidelines
Use this command to specify the virtual template for cloning a virtual access interface.
virtual-template (webvpn context)
To associate a virtual template with a Secure Socket Layer Virtual Private Network (SSL VPN) context, use the virtual-template command in webvpn context configuration mode. To disable the configuration, use the no form of this command.
Usage Guidelines
You can configure the desired IP features in the virtual template and then use the virtual-template command to apply the configuration on a per-context or per-tunnel basis. The per-context configuration applies the IP features to all the users connecting to that WebVPN context and the per-tunnel configuration applies the IP features for each SSL VPN full tunnel established in the WebVPN context.
vlan (local RADIUS server group)
To specify a VLAN to be used by members of the user group, use the vlan command in local RADIUS server group configuration mode. To reset the parameter to the default value, use the no form of this command.
Command History
Release
Modification
12.2(11)JA
This command was introduced on Cisco Aironet Access Point 1100 and Cisco Aironet Access Point 1200.
12.3(11)T
This command was implemented on the following platforms: Cisco 2600XM, Cisco 2691, Cisco 2811, Cisco 2821, Cisco 2851, Cisco 3700, and Cisco 3800 series routers.
Usage Guidelines
The access point or router moves group members into the VLAN that you specify, overriding any other VLAN assignments. You can assign only one VLAN to a user group.
Examples
The following example shows that VLAN "225" is to be used by members of the user group:
vlan 225Related Commands
Command
Description
block count
Configures the parameters for locking out members of a group to help protect against unauthorized attacks.
clear radius local-server
Clears the statistics display or unblocks a user.
debug radius local-server
Displays the debug information for the local server.
group
Enters user group configuration mode and configures shared setting for a user group.
nas
Adds an access point or router to the list of devices that use the local authentication server.
radius-server host
Specifies the remote RADIUS server host.
radius-server local
Enables the access point or router to be a local authentication server and enters into configuration mode for the authenticator.
reauthentication time
Specifies the time (in seconds) after which access points or wireless-aware routers must reauthenticate the members of a group.
show radius local-server statistics
Displays statistics for a local network access server.
ssid
Specifies up to 20 SSIDs to be used by a user group.
user
Authorizes a user to authenticate using the local authentication server.
vlan group
To create or modify a VLAN group, use the vlan group command in global configuration mode. To remove a VLAN list from the VLAN group, use the no form of this command.
Usage Guidelines
The VLAN group name may contain up to 32 characters and must begin with a letter.
The vlan-list argument can be a single VLAN ID, a list of VLAN IDs, or VLAN ID ranges (vlan-id-vlan-id). Multiple entries are separated by a hyphen (-) or a comma (,).
If the named VLAN group does not exist, the vlan group command creates the group and maps the specified VLAN list to the group. If the named VLAN group exists, the specified VLAN list is mapped to the group.
The no form of the vlan group command removes the specified VLAN list from the VLAN group. When you remove the last VLAN from the VLAN group, the VLAN group is deleted.
A maximum of 100 VLAN groups can be configured, and a maximum of 4094 VLANs can be mapped to a VLAN group.
vpdn aaa attribute
To enable reporting of network access server (NAS) authentication, authorization, and accounting (AAA) attributes related to a virtual private dialup network (VPDN) to the AAA server, use the vpdn aaa attributecommand in global configuration mode. To disable reporting of AAA attributes related to VPDN, use the no form of this command.
vpdn aaa attribute { nas-ip-address { vpdn-nas | vpdn-tunnel-client } | nas-port { physical-channel-id | vpdn-nas } }
no vpdn aaa attribute { nas-ip-address { vpdn-nas | vpdn-tunnel-client } | nas-port }
Syntax Description
nas-ip-address vpdn-nas
Enables reporting of the VPDN NAS IP address to the AAA server.
nas-ip-address vpdn-tunnel-client
Enables reporting of the VPDN tunnel client IP address to the AAA server.
nas-port vpdn-nas
Enables reporting of the VPDN NAS port to the AAA server.
nas-port physical-channel-id
Enables reporting of the VPDN NAS port physical channel identifier to the AAA server.
Command History
Release
Modification
11.3NA
This command was introduced.
11.3(8.1)T
This command was integrated into Cisco IOS Release 11.3(8.1)T.
12.1(5)T
This command was modified to support the PPP extended NAS-Port format.
12.2(13)T
The physical-channel-id keyword was added
12.2(33)SRA
This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2SX
This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
12.4(24)T
The vpdn-tunnel-client keyword was added.
12.2(33)XND
The vpdn-tunnel-client keyword was added.
12.2(33)SRE
The vpdn-tunnel-client keyword was added.
Cisco IOS XE Release 2.5
The vpdn-tunnel-client keyword was added.
Usage Guidelines
This command can be used with RADIUS or TACACS+, and is applicable only on the VPDN tunnel server.
The PPP extended NAS-Port format enables the NAS-Port and NAS-Port-Type attributes to provide port details to a RADIUS server when one of the following protocols is configured:
- PPP over ATM
- PPP over Ethernet (PPPoE) over ATM
- PPPoE over 802.1Q VLANs
Before PPP extended NAS-Port format attributes can be reported to the RADIUS server, the radius-server attribute nas-port format command with the dkeyword must be configured on both the tunnel server and the NAS, and the tunnel server and the NAS must both be Cisco routers.
When you configure the vpdn aaa attribute nas-ip-address vpdn-nas command, the L2TP network server (LNS) reports the IP address of the last multihop node for multihop over Layer 2 Forwarding (L2F). For multihop over Layer 2 Tunneling Protocol (L2TP), the IP address of the originating NAS is reported.
When you configure the vpdn aaa attribute nas-ip-address vpdn-tunnel-client command, the LNS reports the IP address of the last multihop node in the RADIUS NAS-IP-Address attribute for the L2TP multihop. This eases the migration for customers moving from L2F to L2TP.
NoteReporting of NAS AAA attributes related to a VPDN on a AAA server is not supported for Point-to-Point Tunneling Protocol (PPTP) sessions with multihop deployment.
Examples
The following example configures VPDN on a tunnel server and enables reporting of VPDN AAA attributes to the AAA server:
vpdn enable vpdn-group 1 accept-dialin protocol any virtual-template 1 ! terminate-from hostname nas1 local name ts1 ! vpdn aaa attribute nas-ip-address vpdn-nas vpdn aaa attribute nas-port vpdn-nas vpdn aaa attribute nas-port physical-channel-idThe following example configures the tunnel server for VPDN, enables AAA, configures a RADIUS AAA server, and enables reporting of PPP extended NAS-Port format values to the RADIUS server. PPP extended NAS-Port format must also be configured on the NAS for this configuration to be effective.
vpdn enable vpdn-group L2TP-tunnel accept-dialin protocol l2tp virtual-template 1 ! terminate-from hostname nas1 local name ts1 ! aaa new-model aaa authentication ppp default local group radius aaa authorization network default local group radius aaa accounting network default start-stop group radius ! radius-server host 172.16.79.76 auth-port 1645 acct-port 1646 radius-server retransmit 3 radius-server attribute nas-port format d radius-server key ts123 ! vpdn aaa attribute nas-port vpdn-nasvrf (ca-trustpoint)
To specify the VRF instance in the public key infrastructure (PKI) trustpoint to be used for enrollment, certificate revocation list (CRL) retrieval, and online certificate status protocol (OCSP) status, use the vrf command in ca-trustpoint configuration mode. To remove the VRF instance that was specified, use the no form of this command.
vrf (ca-trustpool)
To specify the VRF instance in the public key infrastructure (PKI) trustpool to be used for enrolment, certificate revocation list (CRL) retrieval, and online certificate status protocol (OCSP) status, use the vrf command in ca-trustpool configuration mode. To remove the VRF instance that was specified, use the no form of this command.
Usage Guidelines
Before you can configure this command, you must enable the crypto pki trustpool policy command, which enters ca-trustpool configuration mode.
Related Commands
Command
Description
cabundle url
Configures the URL from which the PKI trustpool CA bundle is downloaded.
chain-validation
Enables chain validation from the peer's certificate to the root CA certificate in the PKI trustpool.
crypto pki trustpool import
Manually imports (downloads) the CA certificate bundle into the PKI trustpool to update or replace the existing CA bundle.
crypto pki trustpool policy
Configures PKI trustpool policy parameters.
default
Resets the value of a ca-trustpool configuration command to its default.
match
Enables the use of certificate maps for the PKI trustpool.
ocsp
Specifies OCSP settings for the PKI trustpool.
revocation-check
Disables revocation checking when the PKI trustpool policy is being used.
show
Displays the PKI trustpool policy of the router in ca-trustpool configuration mode.
show crypto pki trustpool
Displays the PKI trustpool certificates of the router and optionally shows the PKI trustpool policy.
source interface
Specifies the source interface to be used for CRL retrieval, OCSP status, or the downloading of a CA certificate bundle for the PKI trustpool.
storage
Specifies a file system location where PKI trustpool certificates are stored on the router.
vrf (isakmp profile)
To define the virtual routing and forwarding (VRF) value to which the IP Security (IPSec) tunnel will be mapped, use the vrfcommand in Internet Security Association Key Management (ISAKMP) profile configuration mode. To disable the VRF that was defined, use the no form of this command.
Usage Guidelines
Use this command to map IPSec tunnels that terminate on a global interface to a specific Virtual Private Network (VPN).
If traffic from the router to a certification authority (CA) (for authentication, enrollment, or for obtaining a certificate revocation list [CRL]) or to a Lightweight Directory Access Protocol (LDAP) server (for obtaining a CRL) needs to be routed via a VRF, the vrf command must be added to the trustpoint. Otherwise, such traffic will use the default routing table.
If a profile does not specify one or more trustpoints, all trustpoints in the router will be used to attempt to validate the certificate of the peer (Internet Key Exchange [IKE] main mode or signature authentication). If one or more trustpoints are specified, only those trustpoints will be used.
Examples
The following example shows that two IPSec tunnels to VPN 1 and VPN 2 are terminated:
crypto isakmp profile vpn1 vrf vpn1 keyring vpn1 match identity address 172.16.1.1 255.255.255.255 crypto isakmp profile vpn2 vrf vpn2 keyring vpn2 match identity address 10.1.1.1 255.255.255.255 crypto ipsec transform-set vpn1 esp-3des esp-sha-hmac crypto ipsec transform-set vpn2 esp-3des esp-md5-hmac ! crypto map crypmap 1 ipsec-isakmp set peer 172.16.1.1 set transform-set vpn1 set isakmp-profile vpn1 match address 101 crypto map crypmap 3 ipsec-isakmp set peer 10.1.1.1 set transform-set vpn2 set isakmp-profile vpn2 match address 102 ! ! interface Ethernet1/2 ip address 172.26.1.1 255.255.255.0 duplex half no keepalive no cdp enable crypto map crypmapvrfname
To associate a Virtual Private Network (VPN) front-door routing and forwarding instance (FVRF) with a SSL VPN gateway, use the vrfname command in webvpn gateway configuration mode. To disassociate the FVRF from the SSL VPN gateway, use the no form of this command.
vrf-name
To associate a Virtual Private Network (VPN) routing and forwarding instance (VRF) with a SSL VPN context, use the vrf-name command in webvpn context configuration mode. To remove the VRF from the WebVPN context configuration, use the no form of this command.
Usage Guidelines
The VRF is first defined in global configuration mode. Only one VRF can be associated with each SSL VPN context configuration.
web-agent-url
To configure the Netegrity agent URL to which Single SignOn (SSO) authentication requests will be dispatched, use the web-agent-url command in webvpn sso server configuration mode. To remove the Netegrity agent URL, use the no form of this command.
Usage Guidelines
NoteA web agent URL and policy server secret key are required for a SSO server configuration. If they are not configured, a warning message is displayed. (See the warning message information in the Examples section below.)
Examples
The following example shows that SSO authentication requests will be dispatched to the URL http://www.example.com/webvpn/:
webvpn context context1 sso-server test-sso-server web-agent-url http://www.example.com/webvpn/Examples
If a web agent URL and policy server secret key are not configured, a message similar to the following is received:
Warning: must configure web agent URL for sso-server "example" Warning: must configure SSO policy server secret key for sso-server "example" Warning: invalid configuration. SSO for "example" being disabledwebvpn
NoteEffective with Cisco IOS Release 12.4(6)T, the webvpncommand is replaced by the webvpn context and webvpn gateway commands. See the these commands for more information.
To enter Web VPN configuration mode, use the webvpn command in global configuration mode. To remove all commands that were entered in Web VPN configuration mode, use the no form of this command.
webvpn-homepage
To specify the WebVPN home page URL, use the webvpn-homepage command in WebVPN group policy configuration mode. To disable the configuration, use the no form of this command.
Usage Guidelines
You can use the webvpn-homepage command to specify the WebVPN home page URL and apply the WebVPN redirection time to a particular policy group users. This command helps you to customize and have your own portal page.
The portal page is not displayed if you configure the webvpn-homepage command and set the redirection time to 0. If the redirection time is greater than 0, then the portal page is displayed for the time the redirection time is configured and then redirects you to the home page.
If the configuration is not successful, an appropriate error message is displayed.
Examples
The following example shows how to specify the home page URL "http://192.0.2.0" with the redirection time of 12 seconds:
Router# configure terminal Router(config)# webvpn context context1 Router(config-webvpn-context)# policy group policy1 Router(config-webvpn-group)# webvpn-homepage http://192.0.2.0 redirection-time 12webvpn cef
To enable Secure Socket Layer virtual private network (SSL VPN) full-tunnel Cisco Express Forwarding (CEF) support, use the webvpn cef command in global configuration mode. To disable full-tunnel CEF support, use the no form of this command.
webvpn context
To enter webvpn context configuration mode to configure the Secure Sockets Layer Virtual Private Network (SSL VPN) context, use the webvpn contextcommand in global configuration mode. To remove the SSL VPN configuration from the router configuration file, use the no form of this command.
Command Default
Webvpn context configuration mode is not entered, and a SSL VPN context is not configured.
Usage Guidelines
The SSL VPN context defines the central configuration of the SSL VPN. Entering the webvpn context command places the router in webvpn context configuration mode.
NoteThe ssl authenticate verify all command is enabled by default when a context configuration is created. The context cannot be removed from the router configuration while a SSL VPN gateway is in an enabled state (in service).
Examples
The following example configures and activates the SSL VPN context configuration:
Router(config)# webvpn context context1 Router(config-webvpn-context)# inserviceRelated Commands
Command
Description
aaa authentication (WebVPN)
Configures AAA authentication for SSL VPN sessions.
csd enable
Enables CSD support for SSL VPN sessions.
default-group-policy
Specifies a default group policy for SSL VPN sessions.
gateway (WebVPN)
Specifies the gateway for SSL VPN sessions.
inservice
Enables a SSL VPN gateway or context process.
login-message
Configures a message for a user login text box on the login page.
logo
Configures a custom logo to be displayed on the login and portal pages of a SSL VPN website.
max-users (WebVPN)
Limits the number of connections to a SSL VPN that will be permitted
nbns-list
Enters webvpn NBNS list configuration mode to configure a NBNS server list for CIFS name resolution.
policy group
Enters a webvpn group policy configuration mode to configure a group policy.
port-forward
Enters webvpn port-forward list configuration mode to configure a port-forwarding list.
secondary-color
Configures the color of the secondary title bars on the login and portal pages of a SSL VPN website.
secondary-text-color
Configures the color of the text on the secondary bars of a SSL VPN website.
title
Configures the HTML title string that is shown in the browser title and on the title bar of a SSL VPN website.
title-color
Configures the color of the title bars on the login and portal pages of a SSL VPN website.
url-list
Enters webvpn URL list configuration mode to configure the list of URLs to which a user has access on the portal page of a SSL VPN website.
vrf-name
Associates a VRF with a SSL VPN context.
webvpn create template
To create templates for multilanguage support for messages initiated by the head-end in a Secure Socket Layer Virtual Private Network (SSL VPN), configure the webvpn create template command in user EXEC or privileged EXEC mode.
Usage Guidelines
After template files have been created, they can be copied to a PC for editing and then reimported to the storage device.
Examples
The following example shows that a browser-attribute template file is to be created in flash:
Router# webvpn create template browser-attribute flash:The following example shows that the language file is to be created in flash:
Router# webvpn create template language flash:The following example shows that a URL list template is to be created in flash:
Router# webvpn create template url-list flash:Related Commands
Command
Description
browser-attribute import
Imports user-defined browser attributes into a webvpn context.
import
Imports a user-defined URL list into a webvpn context.
language
Specifies the language to be used in a webvpn context.
url-list
Enters webvpn URL list configuration mode to configure a list of URLs to which a user has access on the portal page of a SSL VPN and attaches the URL list to a policy group.
webvpn enable
NoteEffective with Cisco IOS Release 12.4(6)T, the webvpn enablecommand is replaced by the inservicecommand. See the inservice command for more information.
To enable WebVPN in the system, use the webvpn enablecommand in global configuration mode. To disable WebVPN in the system, use the no form of this command.
webvpn gateway
To enter webvpn gateway configuration mode to configure a SSL VPN gateway, use the webvpn gateway command in global configuration mode. To remove the SSL VPN gateway from the router configuration file, use the no form of this command.
Command Default
Webvpn gateway configuration mode is not entered, and a SSL VPN gateway is not configured.
Usage Guidelines
Entering the webvpn gateway command places the router in webvpn gateway configuration mode. Configuration settings specific to the SSL VPN gateway are entered in this configuration mode.
The SSL VPN gateway acts as a proxy for connections to protected resources. Protected resources are accessed through a secure encrypted connection between the gateway and a web-enabled browser on a remote device, such as a personal computer.
The gateway is configured using an IP address at which SSL VPN remote-user sessions terminate. The gateway is not active until the inservice command has been entered in SSL VPN gateway configuration mode. Only one gateway can be configured in a SSL VPN-enabled network.
Examples
The following example creates and enables a SSL VPN gateway process named SSL_GATEWAY:
Router(config)# webvpn gateway SSL_GATEWAY Router(config-webvpn-gateway)# ip address 10.1.1.1 port 443 Router(config-webvpn-gateway)# ssl trustpoint SSLVPN Router(config-webvpn-gateway)# http-redirect 80 Router(config-webvpn-gateway)# inserviceRelated Commands
Command
Description
hostname (WebVPN)
Configures a SSL VPN hostname.
http-redirect
Configures HTTP traffic to be carried over HTTPS.
inservice
Enables a SSL VPN gateway or context process.
ip address (WebVPN)
Configures a proxy IP address on a SSL VPN gateway.
ssl encryption
Configures the specify the encryption algorithms that the SSL protocol will use for an SSL VPN.
ssl trustpoint
Configures the certificate trust point on a SSL VPN gateway.
webvpn import svc profile
To enable an AnyConnect profile to be imported from a router, use the webvpn import svc profile command in global configuration mode. To disable the configuration, use the no form of this command.
Usage Guidelines
You can use the webvpn import svc profile command to import the AnyConnect profile to the Cisco IOS headend. In order to import the AnyConnect profile to the Cisco IOS headend, the administrator must download the AnyConnect profile from an AnyConnect client (this profile comes by default with AnyConnect), update the profile file to enable the AnyConnect support, and then import the modified profile into the Cisco IOS software.
webvpn install
To install a Cisco Secure Desktop (CSD) or Cisco AnyConnect VPN Client package file to a Secure Socket Layer virtual private network (SSL VPN) gateway for distribution to end users, use the webvpn install command in global configuration mode. To remove a package file from the SSL VPN gateway, use the no form of this command.
webvpn install [ csd location-name | svc location-name [ sequence sequence-number ] ]
no webvpn install [ csd location-name | svc location-name [ sequence sequence-number ] ]
Syntax Description
csd location-name
(Optional) Installs the CSD client software package. The filename and path are entered.
svc location-name
(Optional) Installs the Cisco AnyConnect VPN Client software package. The filename and path are entered.
sequence sequence-number
(Optional) Allows for multiple packages to be installed to one gateway. If the sequencekeyword and the sequence-numberargument are not configured, a sequence number of 1 is applied to the package.
Command Default
Neither a CSD nor a Cisco AnyConnect VPN Client package file is installed to a WebVPN gateway.
Usage Guidelines
The installation packages must first be copied to a local file system, such as disk, flash or USB flash. The CSD and Cisco AnyConnect VPN Client software packages are pushed to end users as access is needed. The end user must have administrative privileges, and the Java Runtime Environment (JRE) for Windows version 1.4 or a later version must be installed before a CSD or Cisco AnyConnect VPN Client package can be installed.
NoteSecure Sockets Layer Virtual Private Network (SSL VPN) Client (SVC) is the predecessor of Cisco AnyConnect VPN Client software.
If you have not entered the sequence keyword and the sequence-number argument and you want to install another package, you can remove the previous package (using the no form of the command) or you can provide another sequence number.
If you try to install a package with a sequence number that is being used, you will get an error message.
Examples
The following example shows how to install the Cisco AnyConnect VPN Client package to an SSL VPN gateway. The package is being copied to a flash file system.
Router(config)# webvpn install svc flash:/webvpn/svc.pkg SSLVPN Package SSL-VPN-Client : installed successfullyThe following example shows how to install the CSD package to an SSL VPN gateway. The package is being copied to a flash file system.
Router(config)# webvpn install csd flash:/securedesktop_3_1_0_9.pkg SSLVPN Package Cisco-Secure-Desktop : installed successfullyThe following example shows how to install Cisco AnyConnect VPN Client package to an SSL VPN gateway. The file is being copied to a USB file system.
Router(config)# webvpn install csd usbflash0:securedesktop-ios-3.1.1.45-k9.pkg SSLVPN Package Cisco-Secure-Desktop : installed successfullywebvpn sslvpn-vif nat
To enable Network Address Translation (NAT) on the WebVPN virtual interface, use the webvpn sslvpn-vif natcommand in global configuration mode. To disable NAT on the WebVPN virtual interface, use the no form of this command.
webvpn sslvpn-vif nat { enable | inside | outside }
no webvpn sslvpn-vif nat { enable | inside | outside }
whitelist
To configure whitelisting of traffic based on the access control list (ACL) and the HTTP header whose header matches the configured regular expression, use the whitelist command in content-scan whitelisting configuration mode. To disable whitelisting of traffic, use the no form of this command.
whitelist { acl { acl-list | extended-acl-list | acl-name } | header { host | user-agent } regex regex-host | notify-tower }
no whitelist { acl { acl-list | extended-acl-list | acl-name } | header { host | user-agent } regex regex-host | notify-tower }
Syntax Description
acl
Specifies the ACL.
acl-list
Access list to whitelist the content scanning traffic. Valid values are from 1 to 199.
extended-acl-list
Extended access list to whitelist content-scan traffic. Valid values are from 1300 to 2699.
acl-name
Access list name.
header
Specifies the whitelist using the HTTP header.
host
Specifies the whitelist using the host header field.
user-agent
Specifies the whitelist using the user agent header field.
regex
Specifies the HTTP header host regular expression (regex).
regex-host
Name of the host regular expression.
notify-tower
Specifies the whitelist to notify ScanSafe.
Usage Guidelines
A whitelist is an approved list that contains entities that are provided a particular privilege, service, mobility, access, or recognition. Whitelisting means to grant access. The web traffic that is whitelisted is not sent for content scanning to ScanSafe.
The header keyword specifies the whitelisting attribute on the HTTP header that matches the configured regular expression.
The notify-tower keyword specifies whether ScanSafe need to be notified about whitelisting.
wins
To specify the primary and secondary Windows Internet Naming Service (WINS) servers, use the winscommand in ISAKMP group configuration mode or IKEv2 client group configuration mode. To remove this command from your configuration, use the no form of this command.
Command Modes
ISAKMP group configuration (config-isakmp-group)
IKEv2 client group configuration (config-ikev2-client-config-group)Command History
Release
Modification
12.2(8)T
This command was introduced.
12.2(33)SRA
This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2SX
This command is supported in the Cisco IOS 12.2SX family of releases. Support in a specific 12.2SX release is dependent on your feature set, platform, and platform hardware.
Cisco IOS XE Release 3.3S
This command was integrated into Cisco IOS XE Release 3.3S.
Usage Guidelines
Use this command to specify the primary and secondary WINS server for the remote access client. You must enable the following commands before enabling the wins command:
- crypto isakmp client configuration group --Specifies the group policy information that has to be defined or changed.
- crypto ikev2 authorization policy --Specifies the local group policy authorization parameters.
wlccp authentication-server client
To configure the list of servers to be used for 802.1X authentication, use the wlccp authentication-server client command in global configuration mode. To disable the server list, use the noform of this command.
wlccp authentication-server client { any | eap | leap | mac } list
no wlccp authentication-server client { any | eap | leap | mac } list
Syntax Description
any
Specifies client devices that use any authentication.
eap
Specifies client devices that use Extensible Authentication Protocol (EAP) authentication.
leap
Specifies client devices that use Light Extensible Authentication Protocol (LEAP) authentication.
mac
Specifies client devices that use MAC-based authentication.
list
List of client devices.
Usage Guidelines
You can specify a list of client devices that use any type of authentication, or you can specify a list of client devices that use a certain type of authentication (such as EAP, LEAP, or MAC-based authentication).
Examples
The following example shows how to configure the server list for LEAP authentication for client devices:
Router (config)# wlccp authentication-server client leap leap-list1Related Commands
Command
Description
debug wlccp packet
Displays packet traffic to and from the WDS router.
debug wlccp wds
Displays either WDS debug state or WDS statistics messages.
show wlccp wds
Shows information about access points and client devices on the WDS router.
wlccp authentication-server infrastructure
Configures the list of servers to be used for 802.1X authentication for the wireless infrastructure devices.
wlccp wds priority interface
Enables a wireless device such as an access point or a wireless-aware router to be a WDS candidate.
wlccp authentication-server infrastructure
To configure the list of servers to be used for 802.1X authentication for the wireless infrastructure devices, use the wlccp authentication-server infrastructure command in global configuration mode. To disable the server list, use the noform of this command.
Examples
This example shows how to configure the server list for 802.1X authentication for infrastructure devices participating in Cisco Centralized Key Management:
Router (config)# wlccp authentication-server infrastructure wlan-list1Related Commands
Command
Description
debug wlccp packet
Displays packet traffic to and from the WDS router.
debug wlccp wds
Displays either WDS debug state or WDS statistics messages.
show wlccp wds
Shows information about access points and client devices on the WDS router.
wlccp authentication-server client
Configures the list of servers to be used for 802.1X authentication.
wlccp wds priority interface
Enables a wireless device such as an access point or a wireless-aware router to be a WDS candidate.
wlccp wds priority interface
To configure the router or access point to provide WDS, use the wlccp wds priority interfacecommand in global configuration mode. To remove the WDS configuration from the router or access point, use the no form of the command .
Syntax Description
priority
Priority of this WDS candidate. The valid range is from 1 to 255. The greater the priority value, the higher the priority.
interface
Interface on which the router sends out WDS advertisements. Supported interface types are as follows:
- For access points--bvi
- For wireless-aware routers--bvi, svi, Fast Ethernet, and Gigabit Ethernet.
Examples
This example shows how to configure the priority for an access point as a candidate to provide WDS with priority 200:
Router (config)# wlccp wds priority 200 interface bvi 1Related Commands
Command
Description
debug wlccp packet
Displays packet traffic to and from the WDS router.
debug wlccp wds
Displays either WDS debug state or WDS statistics messages.
show wlccp wds
Shows information about access points and client devices on the WDS router.
wlccp authentication-server client
Configures the list of servers to be used for 802.1X authentication.
wlccp authentication-server infrastructure
Configures the list of servers to be used for 802.1X authentication for the wireless infrastructure devices.
xauth userid mode
To specify how the Easy VPN client handles extended authentication (Xauth) requests, use the xauth userid modecommand in Cisco IOS Easy VPN remote configuration mode. To remove the setting, use the no form of this command.
xauth userid mode { http-intercept | interactive | local }
no xauth userid mode { http-intercept | interactive | local }
Syntax Description
http-intercept
HTTP connections are intercepted from the user through the inside interface and the prompt.
interactive
To authenticate, the user must use the command-line interface (CLI) prompts on the console. Interactive is the default behavior.
local
The saved username or password is used in the configuration.
Command History
Release
Modification
12.3(14)T
This command was introduced.
12.2(33)SRA
This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2SX
This command is supported in the Cisco IOS 12.2SX family of releases. Support in a specific 12.2SX release is dependent on your feature set, platform, and platform hardware.
Usage Guidelines
If you want to be prompted by the console, use the interactive keyword.
If you want to use a saved username or password, use the localkeyword. If a local username or password is defined, the mode changes to that username or password.
Examples
The following example shows that HTTP connections will be intercepted from the user and that the user can authenticate using web-based activation:
crypto ipsec client ezvpn tunnel22 connect manual group tunnel22 key 22tunnel mode client peer 192.168.0.1 xauth userid mode http-intercept ! ! interface Ethernet0 ip address 10.4.23.15 255.0.0.0 crypto ipsec client ezvpn tunnel22 inside ! interface Ethernet1 ip address 192.168.0.13 255.255.255.128 duplex auto crypto ipsec client ezvpn catch22 !Related Commands
Command
Description
crypto ipsec client ezvpn
Creates a Cisco Easy VPN remote configuration.
debug crypto ipsec client ezvpn
Displays information about voice control messages that have been captured by the Voice DSP Control Message Logger.
debug ip auth-proxy ezvpn
Displays information related to proxy authentication behavior for web-based activation.
show crypto ipsec client ezvpn
Displays the Cisco Easy VPN Remote configuration.
show ip auth-proxy
Displays the authentication proxy entries or the running authentication proxy configuration.
xsm
To enable XML Subscription Manager (XSM) client access to the device, use the xsm command in global configuration mode. To disable XSM client access to the device, use the no form of this command.
Command History
Release
Modification
12.1(6)E
This command was introduced.
12.2(9)YE
This command was integrated into Cisco IOS Release 12.2(9)YE.
12.2(9)YO1
This command was integrated into Cisco IOS Release 12.2(9)YO1.
12.2(13)T
This command was integrated into Cisco IOS Release 12.2(13)T.
12.2(14)S
This command was integrated into Cisco IOS Release 12.2(14)S.
12.2(33)SRA
This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2SX
This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
Usage Guidelines
This command requires that the ip http server command is enabled. Enabling the xsm command also enables the xsm vdm and xsm edm commands. This command must be enabled for the XSM client (such as VPN Device Manager [VDM]) to operate.
Examples
In the following example, access by remote XSM clients to XSM data on the device is disabled:
Router# no xsmRelated Commands
Command
Description
ip http server
Enables a device to be reconfigured through the Cisco browser interface.
show xsm status
Displays information and status about clients subscribed to the XSM server.
show xsm xrd-list
Displays all XRDs for clients subscribed to the XSM server.
xsm dvdm
Grants access to switch operations.
xsm edm
Grants access to EDM monitoring and configuration data.
xsm vdm
Grants access to VPN-specific monitoring and configuration data.
xsm dvdm
To enable switch-specific configuration data (for example, configuring switch ports and VLANs) when running VPN Device Manager (VDM) on a switch, use the xsm dvdmcommand in global configuration mode. To disable switch-specific configuration data for VDM, use the no form of this command.
Usage Guidelines
Access to switch-specific configuration data (dVDM) is enabled by default when XSM is enabled.
The no xsm dvdm command allows you to disable only switch-specific XSM data. Note however that disabling dVDM will prevent the VDM application from communicating properly with the device (switch). There is minimal performance impact associated with leaving dVDM enabled.
xsm edm
To grant access to Embedded Device Manager (EDM) monitoring and configuration data, use the xsm edmcommand in global configuration mode. To cancel access to EDM monitoring and configuration data, use the no form of this command.
Command Default
Access to EDM monitoring and configuration data is granted by default if XSM is enabled.
Command History
Release
Modification
12.1(6)E
This command was introduced.
12.2(9)YE
This command was integrated into Cisco IOS Release 12.2(9)YE.
12.2(9)YO1
This command was integrated into Cisco IOS Release 12.2(9)YO1.
12.2(13)T
This command was integrated into Cisco IOS Release 12.2(13)T.
12.2(14)S
This command was integrated into Cisco IOS Release 12.2(14)S.
12.2(33)SRA
This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2SX
This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
Usage Guidelines
This command exists to allow you to disable EDM using the no xsm edm form of the command. EDM is enabled by default when XSM is enabled.
EDM provides the following generic information to the VPN Device Manager (VDM):
Note that disabling EDM prevents XSM clients (such as VDM) from working properly and also disables the xsm history edmcommand. There is minimal performance impact associated with leaving EDM enabled.
xsm history vdm
To enable specific VPN statistics collection on the XML Subscription Manager (XSM) server, use the xsm history vdm command in global configuration mode. To disable collection of specific selected VPN statistics on the XSM server, use the no form of this command.
Command History
Release
Modification
12.1(6)E
This command was introduced.
12.2(9)YE
This command was integrated into Cisco IOS Release 12.2(9)YE.
12.2(9)YO1
This command was integrated into Cisco IOS Release 12.2(9)YO1.
12.2(13)T
This command was integrated into Cisco IOS Release 12.2(13)T.
12.2(14)S
This command was integrated into Cisco IOS Release 12.2(14)S.
12.2(33)SRA
This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2SX
This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
Usage Guidelines
With this command enabled, you can save up to five days of data. Historical information on items such as the number of active IKE tunnels, IPSec tunnels, total crypto throughput, and total throughput is gathered and made available, thus enabling XSM clients (such as VPN Device Manager [VDM]) to display charts and data. Use of this command consumes resources on the device. Disabling this command clears all your historical data. The XSM server does not save history data across reloads.
xsm history edm
To enable statistics collection for the Embedded Device Manager (EDM) on the XML Subscription Manager (XSM) server, use the xsm history edmcommand in global configuration mode. To disable statistics collection for the EDM on the XSM server, use the no form of this command.
Command History
Release
Modification
12.1(6)E
This command was introduced.
12.2(9)YE
This command was integrated into Cisco IOS Release 12.2(9)YE.
12.2(9)YO1
This command was integrated into Cisco IOS Release 12.2(9)YO1.
12.2(13)T
This command was integrated into Cisco IOS Release 12.2(13)T.
12.2(14)S
This command was integrated into Cisco IOS Release 12.2(14)S.
12.2(33)SRA
This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2SX
This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
Usage Guidelines
Use this command to save up to five days of data. Historical information on items such as RAM and CPU utilization is gathered and made available, thus enabling XSM clients (such as VPN Device Manager [VDM]) to display charts and data. Use of this command consumes resources on the device. Disabling this command clears all your historical data, as the XSM server does not save this data between reloads.
xsm privilege configuration level
To enable the XML Subscription Manager (XSM) configuration privilege level required to subscribe to XML Request Descriptors (XRDs), use the xsm privilege configuration level command in global configuration mode. To remove a previously configured XSM configuration privilege level, use the no form of this command.
Command History
Release
Modification
12.1(6)E
This command was introduced.
12.2(9)YE
This command was integrated into Cisco IOS Release 12.2(9)YE.
12.2(9)YO1
This command was integrated into Cisco IOS Release 12.2(9)YO1.
12.2(13)T
This command was integrated into Cisco IOS Release 12.2(13)T.
12.2(14)S
This command was integrated into Cisco IOS Release 12.2(14)S.
12.2(33)SRA
This command was integrated into Cisco IOS Release 12.2(33)SRA.
Usage Guidelines
The privilege level for the xsm privilege configuration levelcommand must be greater than or equal to the privilege level for the xsm privilege monitor level command. For example, if the xsm privilege configuration 7command is enabled, you need a minimum privilege level of 7 to subscribe to configuration XRDs. The higher the number the higher the privilege level. Trying to set a conflicting range of privilege settings will force the Cisco device to display the following message:
Attempt to set monitor privilege greater than configuration. Privilege denied.You can check the XSM privilege level settings by using the show xsm status command. Use the show xsm xrd-list command to check which privilege level is required for each XRD.
NoteThe initial login set by your system administrator determines whether you have the necessary IOS privilege level for actually configuring the Cisco router. Ask your system administrator for more information about privilege levels.
Examples
The following example shows how to set a configuration privilege level of 15, and a monitor privilege level of 11 for subscription to XRDs. Users with a privilege level below 11 are denied access.
Router(config)# xsm privilege configuration level 15 Router(config)# xsm privilege monitor level 11xsm privilege monitor level
To enable the XML Subscription Manager (XSM) monitoring privilege level required to subscribe to XML Request Descriptors (XRDs), use the xsm privilege monitor level command in global configuration mode. To remove a previously configured XSM monitoring privilege level, use the no form of this command.
Command History
Release
Modification
12.1(6)E
This command was introduced.
12.2(9)YE
This command was integrated into Cisco IOS Release 12.2(9)YE.
12.2(9)YO1
This command was integrated into Cisco IOS Release 12.2(9)YO1.
12.2(13)T
This command was integrated into Cisco IOS Release 12.2(13)T.
12.2(14)S
This command was integrated into Cisco IOS Release 12.2(14)S.
12.2(33)SRA
This command was integrated into Cisco IOS Release 12.2(33)SRA.
Usage Guidelines
The privilege level for the xsm privilege monitor levelcommand must be less than or equal to the privilege level for the xsm privilege configuration level command. For example, if the xsm privilege monitor 7command is enabled, you need a minimum privilege level of 7 to subscribe to monitor XRDs. The higher the number the higher the privilege level. Trying to set a conflicting range of privilege settings will force the Cisco device to display the following message:
Attempt to set monitor privilege greater than configuration. Privilege denied.You can check the XSM privilege level settings by using the show xsm status command. Use the show xsm xrd-list command to check which privilege level is required for each XRD.
NoteThe initial login set by your system administrator determines whether you have the necessary IOS privilege level for actually configuring the Cisco router. Ask your system administrator for more information about privilege levels.
Examples
The following example shows how to set a configuration privilege level of 15 and a monitor privilege level of 11 for subscription to XRDs. Users with a privilege level below 11 are denied access.
Router(config)# xsm privilege configuration level 15 Router(config)# xsm privilege monitor level 11xsm vdm
To grant access to VPN-specific monitoring and configuration data for the VPN Device Manager (VDM), use the xsm vdmcommand in global configuration mode. To cancel access to VPN-specific monitoring and configuration data for VDM, use the no form of this command.
Command Default
Enabled (Access to VPN-specific monitoring and configuration data for the VDM is granted when XSM is enabled.)
Command History
Release
Modification
12.1(6)E
This command was introduced.
12.2(9)YE
This command was integrated into Cisco IOS Release 12.2(9)YE.
12.2(9)YO1
This command was integrated into Cisco IOS Release 12.2(9)YO1.
12.2(13)T
This command was integrated into Cisco IOS Release 12.2(13)T.
12.2(14)S
This command was integrated into Cisco IOS Release 12.2(14)S.
12.2(33)SRA
This command was integrated into Cisco IOS Release 12.2(33)SRA.
Usage Guidelines
This command enables access to the following VPN-specific information:
If XSM is enabled, this command is enabled by default. Access to VPN-specific monitoring and configuration data within XSM can be disabled by using the no form of the command. However, disabling this command will prevent VDM from working properly and will also disable the xsm history vdmcommand. Leaving this command enabled has minimal performance impact.
zone-member security
To attach an interface to a security zone, use the zone-member security command in interface configuration mode. To detach the interface from a zone, use the no form of this command.
Usage Guidelines
The zone-member security command puts an interface into a security zone. When an interface is in a security zone, all traffic to and from that interface (except traffic going to the router or initiated by the router) is dropped by default. To permit traffic through an interface that is a zone member, you must make that zone part of a zone-pair to which you apply a policy. If the policy permits traffic (via inspect or pass actions), traffic can flow through the interface.
zone pair security
To create a zone pair, use the zone-pair security command in global configuration mode. To delete a zone pair, use the no form of this command.
zone-pair security zone-pair-name source { source-zone-name | self | default } destination { destination-zone-name | self | default }
no zone-pair security zone-pair-name source { source-zone-name | self | default } destination { destination-zone-name | self | default }
Syntax Description
zone-pair-name
Name of the zone being attached to an interface.
source source-zone-name
Specifies the name of the router from which traffic is originating.
default
Specifies the name of the default security zone. Interfaces without configured zones belong to the default zone.
destination destination-zone-name
Specifies the name of the device to which traffic is bound.
self
Specifies the system-defined zone. Indicates whether traffic will be going to or from a device.
Command History
Release
Modification
12.4(6)T
This command was introduced.
Cisco IOS XE Release 2.6S
This command was modified. The default keyword was added.
15.1(2)T
This command was modified. Support for IPv6 was added.
Cisco IOS XE Release 3.9S
This command was modified to define a zone pair and attach a service policy to the zone pair.
Usage Guidelines
This command creates a zone pair, which permits a unidirectional firewall policy between a pair of security zones. After you enter this command, you can enter the service-policy type inspect command.
If you created only one zone, you can use the system-defined default zone (self) as part of a zone pair. Such a zone pair and its associated policy applies to traffic directed to the router or generated by the router. It does not affect traffic through the router.
You can specify the self keyword for the source or destination, but not for both. You cannot modify or remove configuration from the self zone. You can specify the default keyword to include all the interfaces that are not configured with any other zones. However, the default zone needs to be defined before it can be used in a zone pair.
Examples
The following example shows how to create zones z1 and z2, identify them, and create a zone pair where z1 is the source and z2 is the destination:
zone security z1 description finance department networks zone security z2 description engineering services network zone-pair security zp source z1 destination z2 zone-pair securityThe following example shows how to define zone pair z1-z2 and attach the service policy p1 to the zone pair:
zone-pair security zp source z1 destination z2 service-policy type inspect p1The following example shows how to define a zone pair z1 and z2 and attach the service policy gtp_l4p to the zone pair:
zone-pair security clt2srv1 source z1 destination z2 service-policy type inspect gtp_l4p interface GigabitEthernet0/0/0 ip address 172.168.0.1 255.255.255.0 zone-member security z1 interface GigabitEthernet0/0/2 ip address 172.168.0.1 255.255.255.0 zone-member security z2The following example shows how the zone pair is configured between system-defined and default zones:
zone security default class-map type inspect match-all tcp-traffic match protocol tcp match access-group 199 policy-map type inspect p1 class type inspect tcp-traffic zone-pair security self-default-zp source self destination default service-policy type inspect p1zone security
To create a security zone, use the zone security command in global configuration mode. To delete a security zone, use the no form of this command.
Usage Guidelines
We recommend that you create at least two security zones so that you can create a zone pair. If you create only one zone, you can use the default system-defined self zone. The self zone cannot be used for traffic going through a router. You can specify the defaultkeyword to include all the interfaces that are not configured with any other zones.
To configure an interface to be a member of a security zone, use the zone-member security command.
