{
	"id": "be593e83-3e03-45fc-af0f-357a8c74211f",
	"created_at": "2026-04-06T00:07:41.574249Z",
	"updated_at": "2026-04-10T13:11:19.18779Z",
	"deleted_at": null,
	"sha1_hash": "1e50bbad4ed5cb5108f9e03b75b42d7e80b7e3ed",
	"title": "Cisco IOS Security Command Reference: Commands D to L - ip source-track through ivrf [Support]",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 891961,
	"plain_text": "Cisco IOS Security Command Reference: Commands D to L - ip\r\nsource-track through ivrf [Support]\r\nPublished: 2025-11-27 · Archived: 2026-04-05 17:02:01 UTC\r\nip source-track through ivrf\r\nip source-track\r\nTo enable IP source tracking for a specified host, use the ip source-track command in global configuration mode.\r\nTo disable IP source tracking, use the no form of this command.\r\nip source-track ip-address\r\nno ip source-track ip-address\r\nSyntax Description\r\nip-address Destination IP address of the host that is to be tracked.\r\nCommand Default\r\nIP address tracking is not enabled.\r\nCommand Modes\r\nGlobal configuration\r\nCommand History\r\nRelease Modification\r\n12.0(21)S This command was introduced.\r\n12.0(22)S This command was implemented on the Cisco 7500 series routers.\r\nhttps://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/d1/sec-d1-cr-book/sec-cr-i3.html#wp1254331478\r\nPage 1 of 238\n\nRelease Modification\r\n12.0(26)S This command was implemented on Cisco 12000 series ISE line cards.\r\n12.3(7)T This command was integrated into Cisco IOS Release 12.3(7)T.\r\n12.2(25)S This command was integrated into Cisco IOS Release 12.2(25)S.\r\n12.2(33)SRA This command was integrated into Cisco IOS release 12.(33)SRA.\r\n12.2SX\r\nThis command is supported in the Cisco IOS Release 12.2SX train. Support in a specific\r\n12.2SX release of this train depends on your feature set, platform, and platform hardware.\r\nUsage Guidelines\r\nIP source tracking allows you to gather information about the traffic that is flowing to a host that is suspected of\r\nbeing under attack. 
It also allows you to easily trace a denial-of-service (DoS) attack to its entry point into the\r\nnetwork.\r\nAfter you have identified the destination that is being attacked, enable tracking for the destination address on the\r\nwhole router by entering the ip source-track command.\r\nExamples\r\nThe following example shows how to configure IP source tracking on all line cards and port adapters in the router.\r\nIn this example, each line card or port adapter collects traffic flow data to host address 100.10.0.1 for 2 minutes\r\nbefore creating an internal system log entry; packet and flow information recorded in the system log is exported\r\nfor viewing to the route processor or switch processor every 60 seconds.\r\nRouter# configure interface\r\nRouter(config)# ip source-track 10.10.0.1\r\nRouter(config)# ip source-track syslog-interval 2\r\nRouter(config)# ip source-track export-interval 60\r\nRelated Commands\r\nhttps://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/d1/sec-d1-cr-book/sec-cr-i3.html#wp1254331478\r\nPage 2 of 238\n\nCommand Description\r\nip source-track address-limitConfigures the maximum number of destination hosts that can be simultaneously\r\ntracked at any given moment.\r\nip source-track export-intervalSets the time interval (in seconds) in which IP source tracking statistics are\r\nexported from the line card to the RP.\r\nip source-track syslog-intervalSets the time interval (in minutes) in which syslog messages are generated if IP\r\nsource tracking is enabled on a device.\r\nshow ip source-track Displays traffic flow statistics for tracked IP host addresses.\r\nshow ip source-track\r\nexport flows\r\nDisplays the last 10 packet flows that were exported from the line card to the\r\nroute processor.\r\nip source-track address-limit\r\nTo configure the maximum number of destination hosts that can be simultaneously tracked at any given moment,\r\nuse the ip source-track address-limit command in global configuration mode. 
To cancel this administrative limit\r\nand return to the default, use the no form of this command.\r\nip source-track address-limit number\r\nno ip source-track address-limit number\r\nSyntax Description\r\nnumber Maximum number of hosts that can be tracked.\r\nCommand Default\r\nAn unlimited number of hosts can be tracked.\r\nCommand Modes\r\nhttps://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/d1/sec-d1-cr-book/sec-cr-i3.html#wp1254331478\r\nPage 3 of 238\n\nGlobal configuration\r\nCommand History\r\nRelease Modification\r\n12.0(21)S This command was introduced.\r\n12.0(22)S This command was implemented on the Cisco 7500 series routers.\r\n12.0(26)S This command was implemented on Cisco 12000 series ISE line cards.\r\n12.3(7)T This command was integrated into Cisco IOS Release 12.3(7)T.\r\n12.2(25)S This command was integrated into Cisco IOS Release 12.2(25)S.\r\n12.2(33)SRA This command was integrated into Cisco IOS release 12.(33)SRA.\r\n12.2SX\r\nThis command is supported in the Cisco IOS Release 12.2SX train. 
Support in a specific\r\n12.2SX release of this train depends on your feature set, platform, and platform hardware.\r\nUsage Guidelines\r\nAfter you have configured at least one destination IP address for source tracking (via the ip source-track\r\ncommand), you can limit the number of destination IP addresses that can be tracked via the ip source-track\r\naddress-limit command.\r\nExamples\r\nThe following example shows how to configure IP source tracking for data that flows to host 100.10.1.1 and limit\r\nIP source tracking to 10 IP addresses:\r\nRouter(config)# ip source-track 100.10.0.1\r\nhttps://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/d1/sec-d1-cr-book/sec-cr-i3.html#wp1254331478\r\nPage 4 of 238\n\nRouter(config)# ip source-track address-limit 10\r\nRelated Commands\r\nCommand Description\r\nip source-track Enables IP source tracking for a specified host.\r\nshow ip source-track Displays traffic flow statistics for tracked IP host addresses.\r\nip source-track export-interval\r\nTo set the time interval (in seconds) in which IP source tracking statistics are exported from the line card to the\r\nroute processor (RP), use the ip source-track export-interval command in global configuration mode. 
To return to\r\ndefault functionality, use the no form of this command.\r\nip source-track export-interval number\r\nno ip source-track export-interval number\r\nSyntax Description\r\nnumber Number of seconds that pass before IP source tracking statistics are exported.\r\nCommand Default\r\nTraffic flow information is exported from the line card to the RP every 30 seconds.\r\nCommand Modes\r\nGlobal configuration\r\nCommand History\r\nRelease Modification\r\nhttps://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/d1/sec-d1-cr-book/sec-cr-i3.html#wp1254331478\r\nPage 5 of 238\n\nRelease Modification\r\n12.0(21)S This command was introduced.\r\n12.0(22)S This command was implemented on the Cisco 7500 series routers.\r\n12.0(26)S This command was implemented on Cisco 12000 series ISE line cards.\r\n12.3(7)T This command was integrated into Cisco IOS Release 12.3(7)T.\r\n12.2(25)S This command was integrated into Cisco IOS Release 12.2(25)S.\r\n12.2(33)SRA This command was integrated into Cisco IOS release 12.(33)SRA.\r\n12.2SX\r\nThis command is supported in the Cisco IOS Release 12.2SX train. 
Support in a specific\r\n12.2SX release of this train depends on your feature set, platform, and platform hardware.\r\nUsage Guidelines\r\nUse the ip source-track export-interval command to specify the frequency in which IP source tracking information\r\nis sent to the RP for viewing.\r\nNote\r\nThis command can be issued only on distributed platforms such as the gigabit route processor (GRP)\r\nand the route switch processor (RSP).\r\nExamples\r\nThe following example shows how to configure IP source tracking on all line cards and port adapters in the router.\r\nIn this example, each line card or port adapter collects traffic flow data to host address 100.10.0.1 for 2 minutes\r\nbefore creating an internal system log entry; packet and flow information recorded in the system log is exported\r\nfor viewing to the route processor or switch processor every 60 seconds.\r\nhttps://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/d1/sec-d1-cr-book/sec-cr-i3.html#wp1254331478\r\nPage 6 of 238\n\nRouter# configure interface\r\nRouter(config)# ip source-track 10.10.0.1\r\nRouter(config)# ip source-track syslog-interval 2\r\nRouter(config)# ip source-track export-interval 60\r\nRelated Commands\r\nCommand Description\r\nip source-track Enables IP source tracking for a specified host.\r\nshow ip source-track export\r\nflows\r\nDisplays the last 10 packet flows that were exported from the line card to the\r\nroute processor.\r\nip source-track syslog-interval\r\nTo set the time interval (in minutes) in which syslog messages are generated if IP source tracking is enabled on a\r\ndevice, use the ip source-track syslog-interval command in global configuration mode. 
To cancel this setting and\r\ndisable syslog generation, use the no form of this command.\r\nip source-track syslog-interval number\r\nno ip source-track syslog-interval number\r\nSyntax Description\r\nnumber IP address of the destination that is to be tracked.\r\nCommand Default\r\nSyslog messages are not generated.\r\nCommand Modes\r\nGlobal configuration\r\nCommand History\r\nhttps://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/d1/sec-d1-cr-book/sec-cr-i3.html#wp1254331478\r\nPage 7 of 238\n\nRelease Modification\r\n12.0(21)S This command was introduced.\r\n12.0(22)S This command was implemented on the Cisco 7500 series routers.\r\n12.0(26)S This command was implemented on Cisco 12000 series ISE line cards.\r\n12.3(7)T This command was integrated into Cisco IOS Release 12.3(7)T.\r\n12.2(25)S This command was integrated into Cisco IOS Release 12.2(25)S.\r\n12.2(33)SRA This command was integrated into Cisco IOS release 12.(33)SRA.\r\n12.2SX\r\nThis command is supported in the Cisco IOS Release 12.2SX train. 
Support in a specific\r\n12.2SX release of this train depends on your feature set, platform, and platform hardware.\r\nUsage Guidelines\r\nUse the ip source-track syslog-interval command to track the source interfaces of traffic that are destined to a\r\nparticular address.\r\nExamples\r\nThe following example shows how to configure IP source tracking on all line cards and port adapters in the router.\r\nIn this example, each line card or port adapter collects traffic flow data to host address 100.10.0.1 for 2 minutes\r\nbefore creating an internal system log entry; packet and flow information recorded in the system log is exported\r\nfor viewing to the route processor or switch processor every 60 seconds.\r\nRouter# configure interface\r\nRouter(config)# ip source-track 10.10.0.1\r\nRouter(config)# ip source-track syslog-interval 2\r\nRouter(config)# ip source-track export-interval 60\r\nhttps://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/d1/sec-d1-cr-book/sec-cr-i3.html#wp1254331478\r\nPage 8 of 238\n\nRelated Commands\r\nCommand Description\r\nip source-track Enables IP source tracking for a specified host.\r\nshow ip source-track Displays traffic flow statistics for tracked IP host addresses.\r\nip ssh\r\nTo configure Secure Shell (SSH) control parameters on your router, use the ip ssh command in global\r\nconfiguration mode. To restore the default value, use the no form of this command.\r\nip ssh [timeout seconds | authentication-retries integer]\r\nno ip ssh [timeout seconds | authentication-retries integer]\r\nSyntax Description\r\ntimeout\r\n(Optional) The time interval that the router waits for the SSH client to respond.\r\nThis setting applies to the SSH negotiation phase. Once the EXEC session starts, the\r\nstandard timeouts configured for the vty apply. By default, there are 5 vtys defined (0-4),\r\ntherefore 5 terminal sessions are possible. After the SSH executes a shell, the vty timeout\r\nstarts. 
The vty timeout defaults to 10 minutes.\r\nseconds\r\n(Optional) The number of seconds until timeout disconnects, with a maximum of 120\r\nseconds. The default is 120 seconds.\r\nauthentication-retries\r\n(Optional) The number of attempts after which the interface is reset.\r\ninteger\r\n(Optional) The number of retries, with a maximum of 5 authentication retries. The default\r\nis 3.\r\nCommand Default\r\nhttps://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/d1/sec-d1-cr-book/sec-cr-i3.html#wp1254331478\r\nPage 9 of 238\n\nSSH control parameters are set to default router values.\r\nCommand Modes\r\nGlobal configuration (config)\r\nCommand History\r\nRelease Modification\r\n12.0(5)S This command was introduced.\r\n12.1(1)T This command was integrated into Cisco IOS Release 12.1(1) T.\r\n12.2(17a)SX This command was integrated into Cisco IOS Release 12.2(17a)SX.\r\n12.2(33)SRA This command was integrated into Cisco IOS release 12.(33)SRA.\r\nCisco IOS XE Release 2.4 This command was implemented on the Cisco ASR 1000 series routers.\r\nUsage Guidelines\r\nBefore you configure SSH on your router, you must enable the SSH server using the crypto key generate rsa\r\ncommand.\r\nExamples\r\nThe following examples configure SSH control parameters on your router:\r\nip ssh timeout 120\r\nip ssh authentication-retries 3\r\nip ssh break-string\r\nTo configure a string that, when received from a Secure Shell (SSH) client, will cause the Cisco IOS SSH server\r\nto transmit a break signal out an asynchronous line, use the ip ssh break-string command in global configuration\r\nhttps://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/d1/sec-d1-cr-book/sec-cr-i3.html#wp1254331478\r\nPage 10 of 238\n\nmode. To remove the string, use the no form of this command.\r\nip ssh break-string string\r\nno ip ssh break-string string\r\nSyntax Description\r\nstring\r\nAny sequence of characters not including embedded whitespace. 
Include control characters by\r\nprefixing them with ^V (control/V) or denote them using the \\000 notation (that is, a backslash\r\nfollowed by the ASCII value of the character in three octal digits).\r\nCommand Default\r\nBreak signal is not enabled.\r\nCommand Modes\r\nGlobal configuration\r\nCommand History\r\nRelease Modification\r\n12.3(2) This command was introduced.\r\n12.3(2)T This command was integrated into Cisco IOS Release 12.3(2)T.\r\nUsage Guidelines\r\nNote\r\nThis break string is used only for SSH sessions that are outbound on physical lines using the SSH\r\nTerminal-Line Access feature. This break string is not used by the Cisco IOS SSH client, nor is it\r\nused by the Cisco IOS SSH server when the server uses a virtual terminal (VTY) line. This break\r\nstring does not provide any interoperability with the method that is described in the Internet\r\nEngineering Task Force (IETF) Internet-Draft “Session Channel Break Extension” (draft-ietf-secsh-break-02.txt).\r\nNote\r\nIn some versions of Cisco IOS, if the SSH break string is set to a single character, the Cisco IOS\r\nserver will not immediately process that character as a break signal on receipt of that character but\r\nwill delay until it has received a subsequent character. 
A break string of two or more characters will\r\nbe immediately processed as a break signal after the last character in the string has been received\r\nfrom the SSH client.\r\nExamples\r\nThe following example shows that the control-B character (ASCII 2) has been set as the SSH break string:\r\nRouter (config)# ip ssh break-string \\002\r\nRelated Commands\r\nCommand Description\r\nip ssh port Enables SSH access to TTY lines.\r\nip ssh client algorithm encryption\r\nTo define the order of encryption algorithms in a Cisco IOS secure shell (SSH) client, use the ip ssh {server |\r\nclient} algorithm encryption command in global configuration mode. To disable an algorithm from the configured\r\nlist, use the no form of this command. To return to the default behavior in which all encryption algorithms are\r\nenabled in the predefined order, use the default form of this command.\r\nip ssh client algorithm encryption {aes128-ctr | aes192-ctr | aes256-ctr | aes128-cbc | 3des-cbc |\r\naes192-cbc | aes256-cbc}\r\nno ip ssh client algorithm encryption {aes128-ctr | aes192-ctr | aes256-ctr | aes128-cbc | 3des-cbc |\r\naes192-cbc | aes256-cbc}\r\nSyntax Description\r\naes128-ctr\r\nConfigures Advanced Encryption Standard Counter Mode (AES-CTR) encryption for 128-bit\r\nkey length.\r\nhttps://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/d1/sec-d1-cr-book/sec-cr-i3.html#wp1254331478\r\nPage 12 of 238\n\naes192-ctr Configures AES-CTR encryption for 192-bit key length.\r\naes256-ctr Configures AES-CTR encryption for 256-bit key length.\r\naes128-\r\ncbc\r\nConfigures AES Cipher Block Chaining (AES-CBC) 128-bit key length.\r\n3des-cbc Configures Triple Data Encryption Standard (3DES) CBC algorithm.\r\naes192-\r\ncbc\r\nConfigures AES-CBC encryption for 192-bit key length.\r\naes256-\r\ncbc\r\nConfigures AES-CBC encryption for 256-bit key length.\r\nCommand Default\r\nSSH encryption algorithms are set to the following default order:\r\nEncryption Algorithms: aes128-ctr, 
aes192-ctr, aes256-ctr, aes128-cbc, 3des-cbc, aes192-cbc, aes256-cbc\r\nCommand Modes\r\nGlobal configuration (config)\r\nCommand History\r\nRelease Modification\r\nCisco IOS 15.5(2)S This command was introduced.\r\nCisco IOS XE 3.15S This command was integrated into Cisco IOS XE Release 3.15S.\r\nhttps://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/d1/sec-d1-cr-book/sec-cr-i3.html#wp1254331478\r\nPage 13 of 238\n\nRelease Modification\r\nCisco IOS 15.5(2)T This command was integrated into Cisco IOS Release 15.5(2)T.\r\nUsage Guidelines\r\nTo start an encrypted session between an SSH client and server, the preferred mode of encryption needs to be\r\ndecided. For increased security, the preferred crypto algorithm for an SSH session is AES-CTR.\r\nSSH Version 2 (SSHv2) supports AES-CTR encryption for 128-bit, 192-bit, and 256-bit key length. From the\r\nsupported AES-CTR algorithms, the preferred algorithm is chosen based on the processing capability. The greater\r\nthe length of the key, the stronger the encryption.\r\nThe Cisco IOS SSH servers and clients support three types of crypto algorithms to encrypt data and select an\r\nencryption mode in the following order of preferred encryption:\r\n1. AES-CTR\r\n2. AES-CBC\r\n3. 3DES\r\nIf the SSH session uses a remote device that does not support AES-CTR encryption mode, the encryption mode\r\nfor the session falls back to AES-CBC mode.\r\nThe default order of the encryption algorithms are:\r\nEncryption Algorithms: aes128-ctr, aes192-ctr, aes256-ctr, aes128-cbc, 3des-cbc, aes192-cbc, aes256-cbc\r\nTo disable more than one algorithm, use the no form of the command multiple times with different algorithm\r\nnames. 
If you try to disable the last encryption algorithm in the configuration, the following message is displayed,\r\nand the command is rejected:\r\n% SSH command rejected: All encryption algorithms cannot be disabled\r\nExamples\r\nThe following example shows how to configure encryption algorithms on Cisco IOS SSH clients:\r\nhttps://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/d1/sec-d1-cr-book/sec-cr-i3.html#wp1254331478\r\nPage 14 of 238\n\nDevice\u003e enable\r\nDevice# configure terminal\r\nDevice(config)# ip ssh client algorithm encryption aes128-ctr aes192-ctr aes256-ctr aes128-cbc 3des-cbc aes192-c\r\nDevice(config)# end\r\nThe following example shows how to return to the default behavior in which all encryption algorithms are enabled\r\nin the predefined order:\r\nDevice\u003e enable\r\nDevice# configure terminal\r\nDevice(config)# default ip ssh client algorithm encryption\r\nDevice(config)# end\r\nRelated Commands\r\nCommand Description\r\nip ssh client algorithm mac Defines the order of MAC algorithms in a Cisco IOS SSH client.\r\nip ssh server algorithm encryption Defines the order of encryption algorithms in a Cisco IOS SSH server.\r\nshow ip ssh Displays the status of SSH server connections.\r\nip ssh client algorithm mac\r\nTo define the order of Message Authentication Code (MAC) algorithms in a Cisco IOS secure shell (SSH) client,\r\nuse the ip ssh client algorithm mac command in global configuration mode. To disable an algorithm from the\r\nconfigured list, use the no form of this command. 
To return to the default behavior in which all MAC algorithms\r\nare enabled in the predefined order, use the default form of this command.\r\nip ssh client algorithm mac { hmac-sha2-256-etm@openssh.com | hmac-sha2-512-etm@openssh.com | hmac-sha2-256 | hmac-sha2-512 }\r\nno ip ssh client algorithm mac { hmac-sha2-256-etm@openssh.com | hmac-sha2-512-etm@openssh.com |\r\nhmac-sha2-256 | hmac-sha2-512 }\r\nhttps://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/d1/sec-d1-cr-book/sec-cr-i3.html#wp1254331478\r\nPage 15 of 238\n\nSyntax Description\r\nhmac-sha2-256\r\nConfigures the HMAC algorithm of HMAC-SHA2-256 as a cryptographic\r\nalgorithm with a digest size of 256 bits and a key length of 256 bits.\r\nhmac-sha2-512\r\nConfigures the HMAC algorithm of HMAC-SHA2-512 as a cryptographic\r\nalgorithm with a digest size of 512 bits and a key length of 512 bits.\r\nhmac-sha2-256-\r\netm@openssh.com\r\nConfigures the HMAC algorithm of HMAC-SHA2-256-Encrypt-then-MAC@openssh.com as a cryptographic algorithm with a digest size of 256 bits\r\nand a key length of 256 bits.\r\nhmac-sha2-512-\r\netm@openssh.com\r\nConfigures the HMAC algorithm of HMAC-SHA2-512-Encrypt-then-MAC@openssh.com as a cryptographic algorithm with a digest size of 512 bits\r\nand a key length of 512 bits.\r\nCommand Default\r\nSSH MAC algorithms are set to the following default order:\r\nMAC Algorithms: hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, hmac-sha2-256, hmac-sha2-512\r\nCommand Modes\r\nGlobal configuration (config)\r\nCommand History\r\nRelease Modification\r\nCisco IOS\r\n15.5(2)S\r\nThis command was introduced.\r\nhttps://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/d1/sec-d1-cr-book/sec-cr-i3.html#wp1254331478\r\nPage 16 of 238\n\nRelease Modification\r\nCisco IOS XE\r\n3.15S\r\nThis command was integrated into Cisco IOS XE Release 3.15S.\r\nCisco IOS\r\n15.5(2)T\r\nThis command was integrated into Cisco IOS Release 15.5(2)T.\r\nCisco IOS XE\r\n17.3\r\nThe 
hmac-sha2-256-ETM@openssh.com and hmac-sha2-512-ETM@openssh.com\r\nalgorithms were introduced.\r\nUsage Guidelines\r\nThe Cisco IOS SSH servers and clients must have at least one configured Hashed Message Authentication Code\r\n(HMAC) algorithm. The Cisco IOS SSH servers and clients support the MAC algorithms in the following order:\r\n1. hmac-sha2-256-etm@openssh.com\r\n2. hmac-sha2-512-etm@openssh.com\r\n3. hmac-sha2-256\r\n4. hmac-sha2-512\r\nThe default order of the MAC algorithms is:\r\nMAC Algorithms: hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, hmac-sha2-256, hmac-sha2-512\r\nTo disable more than one algorithm, use the no form of the command multiple times with different algorithm\r\nnames. If you try to disable the last MAC algorithm in the configuration, the following message is displayed, and\r\nthe command is rejected:\r\n% SSH command rejected: All mac algorithms cannot be disabled\r\nExamples\r\nThe following example shows how to configure MAC algorithms on Cisco IOS SSH clients:\r\nDevice\u003e enable\r\nDevice# configure terminal\r\nDevice(config)# ip ssh client algorithm mac hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com hmac-sha\r\nDevice(config)# end\r\nThe following example shows how to return to the default behavior in which all MAC algorithms are enabled in\r\nthe predefined order:\r\nDevice\u003e enable\r\nDevice# configure terminal\r\nDevice(config)# default ip ssh client algorithm mac\r\nDevice(config)# end\r\nRelated Commands\r\nCommand Description\r\nip ssh client algorithm encryption Defines the order of encryption algorithms in a Cisco IOS SSH client.\r\nip ssh server algorithm mac Defines the order of MAC algorithms in a Cisco IOS SSH server.\r\nshow ip ssh Displays the status of SSH server connections.\r\nip ssh dh min size\r\nTo configure the modulus size on the IOS Secure 
Shell (SSH) server and client, use the ip ssh dh min size\r\ncommand in global configuration mode. To configure the default value of 2048 bits, use the no form or the default\r\nform of this command.\r\nip ssh dh min size number\r\nno ip ssh dh min size\r\ndefault ip ssh dh min size\r\nhttps://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/d1/sec-d1-cr-book/sec-cr-i3.html#wp1254331478\r\nPage 18 of 238\n\nSyntax Description\r\nnumber\r\nMinimum number of bits in the key size. The available options are 2048, and 4096. The default\r\nvalue is 2048.\r\nCommand Default\r\nMinimum size of Diffie-Hellman (DH) key on IOS SSH server and client is 2048 bits.\r\nCommand Modes\r\nGlobal configuration (config)\r\nCommand History\r\nRelease Modification\r\n12.4(20)T This command was introduced.\r\n15.1(2)S This command was integrated into Cisco IOS Release 15.1(2)S.\r\n15.1(1)SY This command was integrated into Cisco IOS Release 15.1(1)SY.\r\nUsage Guidelines\r\nUse the ip ssh dh min size command to ensure that the CLI is successfully parsed from either the client side or the\r\nserver side.\r\nIOS SSH supports the following Diffie-Hellman (DH) key exchange methods:\r\nFixed Group Method (diffie-hellman-group14-sha1 [2048 bits])\r\nGroup Exchange Method (diffie-hellman-group-exchange-sha1 [2048 bits, 4096 bits])\r\nIn both DH key exchange methods, IOS SSH server and client negotiates and establishes connections with only\r\ngroups (ranges) whose modulus sizes are equal to or higher than the value configured in the CLI.\r\nExamples\r\nhttps://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/d1/sec-d1-cr-book/sec-cr-i3.html#wp1254331478\r\nPage 19 of 238\n\nThe following example shows how to set the minimum modulus size to 2048 bits:\r\nDevice\u003e enable\r\nDevice# configure terminal\r\nDevice(config)# ip ssh dh min size 2048\r\nRelated Commands\r\nCommand Description\r\nshow ip ssh Displays the status of SSH server connections.\r\nip ssh dscp\r\nTo specify the IP 
differentiated services code point (DSCP) value that can be set for a Secure Shell (SSH)\r\nconfiguration, use the ip ssh dscp command in global configuration mode. To restore the default value, use the no\r\nform of this command.\r\nip ssh dscp number\r\nno ip ssh dscp number\r\nSyntax Description\r\nnumber\r\nValue that can be set. The default value is 0 (zero).\r\nnumber --0 through 63.\r\nCommand Default\r\nThe IP DSCP value is not specified.\r\nCommand Modes\r\nGlobal configuration (config)\r\nCommand History\r\nhttps://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/d1/sec-d1-cr-book/sec-cr-i3.html#wp1254331478\r\nPage 20 of 238\n\nRelease Modification\r\n12.4(20)S This command was introduced.\r\n12.2SR\r\nThis command is supported in the Cisco IOS Release 12.2SR train. Support in a specific 12.2SR\r\ntrain depends on your feature set, platform, and platform hardware.\r\n12.2SX\r\nThis command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX\r\ntrain depends on your feature set, platform, and platform hardware.\r\n12.4(22)T This command was integrated into Cisco IOS Release 12.4(22)T.\r\nUsage Guidelines\r\nIP DSCP values can be configured on both the SSH client and the SSH server for SSH traffic that is generated on\r\neither end.\r\nExamples\r\nThe following example shows that the DSCP value is set to 35:\r\nRouter(config)# ip ssh dscp 35\r\nRelated Commands\r\nCommand Description\r\nip ssh precedence Specifies the IP precedence value that may be set.\r\nip ssh logging events\r\nTo create a log statement of an ssh attempt, use the ip ssh logging events command in Global Configuration Mode.\r\nip ssh logging events\r\nhttps://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/d1/sec-d1-cr-book/sec-cr-i3.html#wp1254331478\r\nPage 21 of 238\n\nSyntax Description\r\nThis command has no arguments or keywords.\r\nCommand Default\r\nThis command is enabled by default.\r\nCommand Modes\r\nGlobal configuration mode\r\nCommand 
History\r\nRelease Modification\r\n12.3 T This command was introduced.\r\nCisco IOS XE Dublin 17.12.1a release This command was modified. The command is enabled by default.\r\nUsage Guidelines\r\nTo create a log statement of an ssh attempt, use the ip ssh logging events command in global configuration mode.\r\nExamples\r\nThis example shows the logging events:\r\nRouter(Config)# ip ssh logging events\r\n*Jul 19 23:15:00.822: %SSH-5-SSH2_SESSION: SSH2 Session request from 10.232.24.222 (tty = 4) using crypto cipher\r\n*Jul 19 23:15:04.794: %SSH-5-SSH2_USERAUTH: User 'test' authentication for SSH2 Session from 10.232.24.222 (tty\r\n*Jul 19 23:16:10.898: %SSH-5-SSH2_CLOSE: SSH2 Session from 10.232.24.222 (tty = 4) for user 'test' using crypto\r\nip ssh maxstartups\r\nIf the SSH server negotiates the establishment of too many SSH sessions at the same time, it could cause high\r\nCPU consumption. To control the maximum number of SSH sessions that can be started simultaneously, use the ip\r\nssh maxstartups command in global configuration mode.\r\nTo disable the configuration, use the no form of this command.\r\nhttps://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/d1/sec-d1-cr-book/sec-cr-i3.html#wp1254331478\r\nPage 22 of 238\n\nip ssh maxstartups [number]\r\nno ip ssh maxstartups [number]\r\nSyntax Description\r\nnumber\r\n(Optional) Number of connections to be accepted concurrently. The range is from 2 to 128. The\r\ndefault is 128.\r\nCommand Default\r\nThe number of maximum concurrent sessions is 128.\r\nCommand Modes\r\nGlobal configuration (config)\r\nCommand History\r\nRelease Modification\r\n15.0(1)M This command was introduced in a release earlier than Cisco IOS Release 15.0(1)M.\r\nCisco IOS XE\r\nRelease 2.1\r\nThis command was integrated into Cisco IOS XE Release 2.1 and implemented on the\r\nCisco ASR 1000 Series Aggregation Services Routers.\r\nUsage Guidelines\r\nYou must create RSA keys to enable SSH. 
The RSA key must be at least 768 bits for SSHv2.\r\nExamples\r\nThe following example shows how to set the maximum concurrent SSH sessions allowed to 100:\r\nRouter# configure terminal\r\nRouter(config)# ip ssh maxstartups 100\r\nRelated Commands\r\nCommand Description\r\ndebug ip ssh Displays debugging messages for SSH.\r\nip ssh Configures SSH control parameters on your router.\r\nip ssh port\r\nTo enable secure access to tty (asynchronous) lines, use the ip ssh port command in global configuration mode. To\r\ndisable this functionality, use the no form of this command.\r\nip ssh port port-num rotary group\r\nno ip ssh port port-num rotary group\r\nSyntax Description\r\nport-num Specifies the port, such as 2001, to which Secure Shell (SSH) needs to connect.\r\nrotary group Specifies the defined rotary that should search for a valid name.\r\nCommand Default\r\nThis command is disabled by default.\r\nCommand Modes\r\nGlobal configuration\r\nCommand History\r\nRelease Modification\r\n12.2(2)T This command was introduced.\r\nUsage Guidelines\r\nThe ip ssh port command supports a functionality that replaces reverse Telnet with SSH. 
Use this command to\r\nsecurely access the devices attached to the serial ports of a router and to perform the following tasks:\r\nConnect to a router with multiple terminal lines that are connected to consoles of other devices.\r\nAllow network-available modems to be securely accessed for dial-out.\r\nExamples\r\nThe following example shows how to configure the SSH Terminal-Line Access feature on a modem that is used\r\nfor dial-out on lines 1 through 200:\r\nline 1 200\r\n no exec\r\n login authentication default\r\n rotary 1\r\n transport input ssh\r\nip ssh port 2000 rotary 1\r\nThe following example shows how to configure the SSH Terminal-Line Access feature to access the console ports\r\nof various devices that are attached to the serial ports of the router. For this type of access, each line is put into its\r\nown rotary, and each rotary is used for a single port. In this example, lines 1 through 3 are used, and the port (line)\r\nmappings of the configuration are as follows: Port 2001 = Line 1, Port 2002 = Line 2, and Port 2003 = Line 3.\r\nline 1\r\n no exec\r\n login authentication default\r\n rotary 1\r\n transport input ssh\r\nline 2\r\n no exec\r\n login authentication default\r\n rotary 2\r\n transport input ssh\r\nline 3\r\n no exec\r\n login authentication default\r\n rotary 3\r\n transport input ssh\r\nip ssh port 2001 rotary 1 3\r\nFrom any UNIX or UNIX-like device, the following command is typically used to form an SSH session:\r\nssh -c 3des -p 2002 router.example.com\r\nThis command will initiate an SSH session using the Triple DES cipher to the device known as\r\n“router.example.com,” which uses port 2002. This device will connect to the device on Line 2, which was\r\nassociated with port 2002. 
Similarly, many Windows SSH packages have related methods of selecting the cipher\r\nand the port for this access.\r\nRelated Commands\r\nCommand Description\r\ncrypto key generate rsa Enables the SSH server.\r\ndebug ip ssh Displays debugging messages for SSH.\r\nip ssh Configures SSH control variables on your router.\r\nline Identifies a specific line for configuration and begins the command in line\r\nconfiguration mode.\r\nrotary Defines a group of lines consisting of one or more lines.\r\nssh Starts an encrypted session with a remote networking device.\r\ntransport input Defines which protocols to use to connect to a specific line of the router.\r\nip ssh precedence\r\nTo specify the IP precedence value that can be set for a Secure Shell (SSH) configuration, use the ip ssh\r\nprecedence command in global configuration mode. To restore the default value, use the no form of this\r\ncommand.\r\nip ssh precedence number\r\nno ip ssh precedence number\r\nSyntax Description\r\nnumber Value that can be set, 0 through 7. The default value is 0 (zero).\r\nCommand Default\r\nThe IP precedence value is not specified.\r\nCommand Modes\r\nGlobal configuration (config)\r\nCommand History\r\nRelease Modification\r\n12.2(20)S This command was introduced.\r\n12.2SR This command is supported in the Cisco IOS Release 12.2SR train. Support in a specific 12.2SR\r\ntrain depends on your feature set, platform, and platform hardware.\r\n12.2SX This command is supported in the Cisco IOS Release 12.2SX train. 
Support in a specific 12.2SX\r\ntrain depends on your feature set, platform, and platform hardware.\r\n12.4(22)T This command was integrated into Cisco IOS Release 12.4(22)T.\r\nUsage Guidelines\r\nIP precedence values can be configured on both the SSH client and the SSH server for SSH traffic that is\r\ngenerated on either end.\r\nExamples\r\nThe following example shows how to set the IP precedence value to 6:\r\nRouter(config)# ip ssh precedence 6\r\nRelated Commands\r\nCommand Description\r\nip ssh dscp Specifies the IP DSCP value that can be set for an SSH configuration.\r\nip ssh pubkey-chain\r\nTo configure Secure Shell RSA (SSH-RSA) keys for user and server authentication on the SSH server, use the ip\r\nssh pubkey-chain command in global configuration mode. To remove SSH-RSA keys for user and server\r\nauthentication on the SSH server, use the no form of this command.\r\nip ssh pubkey-chain\r\nno ip ssh pubkey-chain\r\nSyntax Description\r\nThis command has no arguments or keywords.\r\nCommand Default\r\nSSH-RSA keys are not configured.\r\nCommand Modes\r\nGlobal configuration (config)\r\nCommand History\r\nRelease Modification\r\n15.0(1)M This command was introduced.\r\n15.1(1)S This command was integrated into Cisco IOS Release 15.1(1)S.\r\nUsage Guidelines\r\nUse the ip ssh pubkey-chain command to ensure SSH server and user public key authentication.\r\nExamples\r\nThe following example shows how to enable SSH-RSA public key configuration:\r\nRouter(config)# ip ssh pubkey-chain\r\nRelated Commands\r\nCommand Description\r\nip ssh stricthostkeycheck Enables strict host key checking on the SSH server.\r\nip ssh rekey\r\nTo configure a time-based rekey or a volume-based rekey for a 
secure shell (SSH) session, use the ip ssh rekey\r\ncommand in global configuration mode. To disable the rekey, use the no form of this command.\r\nip ssh rekey {time time | volume volume}\r\nno ip ssh rekey\r\nSyntax Description\r\ntime time Rekey time, in minutes. The range is from 10 minutes to 1440 minutes.\r\nvolume volume Amount of rekeyed data, in kilobytes. The range is from 100 KB to 4194303 KB.\r\nCommand Default\r\nThe rekey time or volume is not configured.\r\nCommand Modes\r\nGlobal configuration (config)\r\nCommand History\r\nRelease Modification\r\n15.0(2)SE This command was introduced.\r\n15.1(1)SY This command was integrated into Cisco IOS Release 15.1(1)SY.\r\nUsage Guidelines\r\nSSH rekey initiation occurs when the session key negotiated at connection startup is used for an unusually long\r\ntime. A server or a client initiates a new key exchange based on the maximum number of packets transmitted or\r\nbased on a specified time. The ip ssh rekey time command enables you to specify a time for the rekey initiation.\r\nThe ip ssh rekey volume command enables you to specify a volume that is based on the maximum number of\r\npackets transmitted for the rekey initiation. 
When you use the no ip ssh rekey command, the configured time-based rekey or volume-based rekey is disabled.\r\nExamples\r\nThe following example shows how to configure a time-based rekey for an SSH session:\r\nDevice(config)# ip ssh rekey time 108\r\nThe following example shows how to configure a volume-based rekey for an SSH session:\r\nDevice(config)# ip ssh rekey volume 500\r\nRelated Commands\r\nCommand Description\r\nip ssh Configures SSH control parameters on a device.\r\nip ssh rsa keypair-name\r\nTo specify which Rivest, Shamir, and Adleman (RSA) key pair to use for a Secure Shell (SSH) connection, use the\r\nip ssh rsa keypair-name command in global configuration mode. To disable the key pair that was configured, use\r\nthe no form of this command.\r\nip ssh rsa keypair-name keypair-name\r\nno ip ssh rsa keypair-name keypair-name\r\nSyntax Description\r\nkeypair-name Name of the key pair.\r\nCommand Default\r\nIf this command is not configured, SSH will use the first RSA key pair that is enabled.\r\nCommand Modes\r\nGlobal configuration (config)\r\nCommand History\r\nRelease Modification\r\n12.3(4)T This command was introduced.\r\n12.3(2)XE This command was integrated into Cisco IOS Release 12.3(2)XE.\r\n12.2(25)S This command was integrated into Cisco IOS Release 12.2(25)S.\r\n12.3(7)JA This command was integrated into Cisco IOS Release 12.3(7)JA.\r\n12.0(32)SY This command was integrated into Cisco IOS Release 12.0(32)SY.\r\n12.2(33)SXI4 This command was integrated into Cisco IOS Release 12.2(33)SXI4.\r\nUsage Guidelines\r\nUsing the ip ssh rsa keypair-name command, you can enable an SSH connection using RSA keys that you have\r\nconfigured using the keypair-name argument. 
Previously, SSH was tied to the first RSA keys that were generated\r\n(that is, SSH was enabled when the first RSA key pair was generated). The previous behavior still exists, but by\r\nusing the ip ssh rsa keypair-name command, you can overcome that behavior. If you configure the ip ssh rsa\r\nkeypair-name command with a key pair name, SSH is enabled if the key pair exists, or SSH will be enabled if the\r\nkey pair is generated later. If you use this command, you are not forced to configure a hostname and a domain\r\nname.\r\nNote\r\nA Cisco IOS router can have many RSA key pairs.\r\nExamples\r\nThe following example shows how to specify the RSA key pair “sshkeys” for an SSH connection:\r\nRouter# configure terminal\r\nRouter(config)# ip ssh rsa keypair-name sshkeys\r\nRelated Commands\r\nCommand Description\r\ndebug ip ssh Displays debug messages for SSH.\r\ndisconnect ssh Terminates an SSH connection on your router.\r\nip ssh Configures SSH control parameters on your router.\r\nip ssh version Specifies the version of SSH to be run on a router.\r\nshow ip ssh Displays the SSH connections of your router.\r\nip ssh server algorithm authentication\r\nTo define the order of user authentication algorithms in a Cisco IOS Secure Shell (SSH) server, use the ip ssh\r\nserver algorithm authentication command in global configuration mode. To disable an algorithm from the\r\nconfigured list, use the no form of this command. 
To return to the default behavior in which all user authentication\r\nalgorithms are enabled in the predefined order, use the default form of this command.\r\nip ssh server algorithm authentication {publickey | keyboard | password}\r\nno ip ssh server algorithm authentication {publickey | keyboard | password}\r\nSyntax Description\r\npublickey Enables the public-key-based authentication method.\r\nkeyboard Enables the keyboard-interactive-based authentication method.\r\npassword Enables the password-based authentication method.\r\nCommand Default\r\nSSH user authentication algorithms are set to the following default order:\r\nAuthentication methods: publickey, keyboard-interactive, password\r\nCommand Modes\r\nGlobal configuration (config)\r\nCommand History\r\nRelease Modification\r\nCisco IOS 15.5(2)S This command was introduced.\r\nCisco IOS XE 3.15S This command was integrated into Cisco IOS XE Release 3.15S.\r\nCisco IOS 15.5(2)T This command was integrated into Cisco IOS Release 15.5(2)T.\r\nUsage Guidelines\r\nTo start a session between an SSH client and server, the preferred mode of user authentication needs to be decided.\r\nThe IOS SSH server must have at least one configured user authentication algorithm.\r\nThe default order of the user authentication algorithms is:\r\nAuthentication methods: publickey, keyboard-interactive, password\r\nTo disable more than one algorithm, use the no form of the command multiple times with different algorithm\r\nnames. 
If you try to disable the last user authentication algorithm in the configuration, the following message is\r\ndisplayed, and the command is rejected:\r\n% SSH command rejected: All authentication algorithms can not be disabled.\r\nExamples\r\nThe following example shows how to configure user authentication algorithms on Cisco IOS SSH servers:\r\nDevice\u003e enable\r\nDevice# configure terminal\r\nDevice(config)# ip ssh server algorithm authentication publickey keyboard password\r\nDevice(config)# end\r\nThe following example shows how to return to the default behavior in which all user authentication algorithms are\r\nenabled in the predefined order:\r\nDevice\u003e enable\r\nDevice# configure terminal\r\nDevice(config)# default ip ssh server algorithm authentication\r\nDevice(config)# end\r\nRelated Commands\r\nCommand Description\r\nip ssh client algorithm encryption Defines the order of encryption algorithms in a Cisco IOS SSH client.\r\nip ssh server algorithm hostkey Defines the order of host key algorithms in a Cisco IOS SSH server.\r\nip ssh server algorithm mac Defines the order of MAC algorithms in a Cisco IOS SSH server.\r\nip ssh server algorithm publickey Defines the order of public key algorithms in a Cisco IOS SSH server.\r\nshow ip ssh Displays the status of SSH server connections.\r\nip ssh server algorithm encryption\r\nTo define the order of encryption algorithms in a Cisco IOS secure shell (SSH) server, use the ip ssh server\r\nalgorithm encryption command in global configuration mode. To disable an algorithm from the configured list,\r\nuse the no form of this command. 
To return to the default behavior in which all encryption algorithms are enabled\r\nin the predefined order, use the default form of this command.\r\nip ssh server algorithm encryption {aes128-ctr | aes192-ctr | aes256-ctr | aes128-cbc | 3des-cbc |\r\naes192-cbc | aes256-cbc}\r\nno ip ssh server algorithm encryption {aes128-ctr | aes192-ctr | aes256-ctr | aes128-cbc | 3des-cbc |\r\naes192-cbc | aes256-cbc}\r\nSyntax Description\r\naes128-ctr Configures Advanced Encryption Standard Counter Mode (AES-CTR) encryption for 128-bit\r\nkey length.\r\naes192-ctr Configures AES-CTR encryption for 192-bit key length.\r\naes256-ctr Configures AES-CTR encryption for 256-bit key length.\r\naes128-cbc Configures AES Cipher Block Chaining (AES-CBC) encryption for 128-bit key length.\r\n3des-cbc Configures Triple Data Encryption Standard (3DES) CBC algorithm.\r\naes192-cbc Configures AES-CBC encryption for 192-bit key length.\r\naes256-cbc Configures AES-CBC encryption for 256-bit key length.\r\nCommand Default\r\nSSH encryption algorithms are set to the following default order:\r\nEncryption Algorithms: aes128-ctr, aes192-ctr, aes256-ctr, aes128-cbc, 3des-cbc, aes192-cbc, aes256-cbc\r\nCommand Modes\r\nGlobal configuration (config)\r\nCommand History\r\nRelease Modification\r\nCisco IOS 15.5(2)S This command was introduced.\r\nCisco IOS XE 3.15S This command was integrated into Cisco IOS XE Release 3.15S.\r\nCisco IOS 15.5(2)T This command was integrated into Cisco IOS Release 15.5(2)T.\r\nUsage Guidelines\r\nTo start an encrypted session between an SSH client and server, the preferred mode of encryption needs to be\r\ndecided. 
For increased security, the preferred crypto algorithm for an SSH session is AES-CTR.\r\nSSH Version 2 (SSHv2) supports AES-CTR encryption for 128-bit, 192-bit, and 256-bit key lengths. From the\r\nsupported AES-CTR algorithms, the preferred algorithm is chosen based on the processing capability. The greater\r\nthe length of the key, the stronger the encryption.\r\nThe Cisco IOS SSH servers and clients support three types of crypto algorithms to encrypt data and select an\r\nencryption mode in the following order of preference:\r\n1. AES-CTR\r\n2. AES-CBC\r\n3. 3DES\r\nIf the SSH session uses a remote device that does not support AES-CTR encryption mode, the encryption mode\r\nfor the session falls back to AES-CBC mode.\r\nThe default order of the encryption algorithms is:\r\nEncryption Algorithms: aes128-ctr, aes192-ctr, aes256-ctr, aes128-cbc, 3des-cbc, aes192-cbc, aes256-cbc\r\nTo disable more than one algorithm, use the no form of the command multiple times with different algorithm\r\nnames. 
If you try to disable the last encryption algorithm in the configuration, the following message is displayed,\r\nand the command is rejected:\r\n% SSH command rejected: All encryption algorithms cannot be disabled\r\nExamples\r\nThe following example shows how to configure encryption algorithms on Cisco IOS SSH servers:\r\nDevice\u003e enable\r\nDevice# configure terminal\r\nDevice(config)# ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr aes128-cbc 3des-cbc aes192-c\r\nDevice(config)# end\r\nThe following example shows how to return to the default behavior in which all encryption algorithms are enabled\r\nin the predefined order:\r\nDevice\u003e enable\r\nDevice# configure terminal\r\nDevice(config)# default ip ssh server algorithm encryption\r\nDevice(config)# end\r\nRelated Commands\r\nCommand Description\r\nip ssh client algorithm encryption Defines the order of encryption algorithms in a Cisco IOS SSH client.\r\nip ssh server algorithm hostkey Defines the order of host key algorithms in a Cisco IOS SSH server.\r\nip ssh server algorithm mac Defines the order of MAC algorithms in a Cisco IOS SSH server.\r\nshow ip ssh Displays the status of SSH server connections.\r\nip ssh server algorithm kex\r\nTo define the order of key exchange (kex) algorithms in a Cisco IOS secure shell (SSH) server, use the ip ssh server algorithm kex\r\ncommand in global configuration mode. To disable an algorithm from the configured list, use the no form of this\r\ncommand. 
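The encryption usage guidelines say AES-CTR is the preferred mode and that a session falls back to AES-CBC when the peer lacks CTR, yet the documented default list still ends in the CBC and 3DES entries, and the rekey, maxstartups and logging events commands earlier on this page all default to off or to their most permissive value. The following Python script is an added example, not Cisco code: it reads a constructed running-config excerpt and reports the SSH settings a reviewer would want changed, together with the exact configuration lines from this page that address each finding. The default lists are the ones documented here; the replacement values (a 60-minute rekey, maxstartups 10), the sample config, and the assumption that ip ssh logging events is not on by default for the platform in question (it is on by default from Cisco IOS XE Dublin 17.12.1a) are all assumptions.

```python
# Documented default order for 'ip ssh server algorithm encryption'.
DEFAULT_ENCRYPTION = ["aes128-ctr", "aes192-ctr", "aes256-ctr",
                      "aes128-cbc", "3des-cbc", "aes192-cbc", "aes256-cbc"]
DEFAULT_MAXSTARTUPS = 128   # documented default and top of the 2-128 range

# Assumed target values (policy choices, both inside the documented ranges).
TARGET_REKEY_MINUTES = 60   # ip ssh rekey time accepts 10-1440 minutes
TARGET_MAXSTARTUPS = 10     # ip ssh maxstartups accepts 2-128

# Constructed running-config excerpt with the documented defaults written out.
SAMPLE_CONFIG = """\
hostname edge-router
ip ssh maxstartups 128
ip ssh rsa keypair-name sshkeys
ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr aes128-cbc 3des-cbc aes192-cbc aes256-cbc
ip ssh server algorithm mac hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com hmac-sha2-256 hmac-sha2-512
line vty 0 4
 transport input ssh
"""


def parse_ssh_config(text):
    """Pick out the global 'ip ssh' lines this audit cares about."""
    cfg = {"encryption": None, "maxstartups": None, "rekey": {},
           "logging_events": False}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("ip ssh server algorithm encryption "):
            cfg["encryption"] = line.split()[5:]          # tokens after the keyword
        elif line.startswith("ip ssh maxstartups"):
            parts = line.split()
            cfg["maxstartups"] = int(parts[3]) if len(parts) > 3 else DEFAULT_MAXSTARTUPS
        elif line.startswith("ip ssh rekey "):
            kind, value = line.split()[3:5]              # 'time <min>' or 'volume <KB>'
            cfg["rekey"][kind] = int(value)
        elif line == "ip ssh logging events":
            cfg["logging_events"] = True
    return cfg


def audit(cfg):
    """Return findings and the configuration lines that would address them."""
    findings, remediation = [], []
    # An absent line means the documented default list is in effect.
    offered = cfg["encryption"] if cfg["encryption"] is not None else DEFAULT_ENCRYPTION
    cbc = [alg for alg in offered if alg.endswith("-cbc")]
    if cbc and len(cbc) < len(offered):
        findings.append("encryption list still offers CBC-mode ciphers: " + ", ".join(cbc))
        # The 'no' form removes one algorithm per command.
        remediation += [f"no ip ssh server algorithm encryption {alg}" for alg in cbc]
    elif cbc:
        # The device rejects removing the last algorithm, so the list has to be
        # replaced with CTR entries rather than emptied one 'no' at a time.
        findings.append("only CBC-mode ciphers are configured; replace the list with CTR ciphers")
        remediation.append("ip ssh server algorithm encryption aes256-ctr aes128-ctr")
    if not cfg["rekey"]:
        findings.append("no time- or volume-based SSH rekey is configured")
        remediation.append(f"ip ssh rekey time {TARGET_REKEY_MINUTES}")
    if cfg["maxstartups"] is None or cfg["maxstartups"] >= DEFAULT_MAXSTARTUPS:
        findings.append("ip ssh maxstartups is at its default of 128 concurrent session setups")
        remediation.append(f"ip ssh maxstartups {TARGET_MAXSTARTUPS}")
    if not cfg["logging_events"]:
        findings.append("SSH session events are not being logged")
        remediation.append("ip ssh logging events")
    return {"findings": findings, "remediation": remediation}


if __name__ == "__main__":
    report = audit(parse_ssh_config(SAMPLE_CONFIG))
    for finding in report["findings"]:
        print("finding:", finding)
    for line in report["remediation"]:
        print("apply:  ", line)
```

Run against the sample, the script produces four findings and seven configuration lines; a config that already carries ip ssh logging events, a lower maxstartups, a rekey and a CTR-only encryption list produces none.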
To return to the default behavior in which all kex algorithms are enabled in the predefined order, use\r\nthe default form of this command.\r\nip ssh server algorithm kex {diffie-hellman-group14-sha1 | ecdh-sha2-nistp256 | ecdh-sha2-nistp384 | ecdh-sha2-nistp521}\r\nno ip ssh server algorithm kex {diffie-hellman-group14-sha1 | ecdh-sha2-nistp256 | ecdh-sha2-nistp384 | ecdh-sha2-nistp521}\r\nSyntax Description\r\ndiffie-hellman-group14-sha1 DH_GRP14_SHA1 Diffie-Hellman key exchange algorithm\r\necdh-sha2-nistp256 ECDH_SHA2_P256 ECDH key exchange algorithm\r\necdh-sha2-nistp384 ECDH_SHA2_P384 ECDH key exchange algorithm\r\necdh-sha2-nistp521 ECDH_SHA2_P521 ECDH key exchange algorithm\r\nCommand Default\r\nSSH kex algorithms are set to the following default order:\r\nKex Algorithms: ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521 diffie-hellman-group14-sha1\r\nCommand Modes\r\nGlobal configuration (config)\r\nCommand History\r\nRelease Modification\r\nCisco IOS XE 16.3 This command was introduced.\r\nUsage Guidelines\r\nThe Cisco IOS SSH server and client must have at least one configured kex algorithm. The Cisco IOS SSH\r\nservers support the kex algorithms in the following order:\r\n1. ecdh-sha2-nistp256\r\n2. ecdh-sha2-nistp384\r\n3. ecdh-sha2-nistp521\r\n4. diffie-hellman-group14-sha1\r\nThe default order of the kex algorithms is:\r\nKex Algorithms: ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521 diffie-hellman-group14-sha1\r\nTo disable more than one algorithm, use the no form of the command multiple times with different algorithm\r\nnames. 
If you try to disable the last kex algorithm in the configuration, the following message is displayed, and\r\nthe command is rejected:\r\n% SSH command rejected: All kex algorithms cannot be disabled\r\nExamples\r\nThe following example shows how to configure kex algorithms on Cisco IOS SSH servers:\r\nDevice\u003e enable\r\nDevice# configure terminal\r\nDevice(config)# ip ssh server algorithm kex ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521 diffie-hell\r\nDevice(config)# end\r\nThe following example shows how to return to the default behavior in which all kex algorithms are enabled in the\r\npredefined order:\r\nDevice\u003e enable\r\nDevice# configure terminal\r\nDevice(config)# default ip ssh server algorithm kex\r\nDevice(config)# end\r\nRelated Commands\r\nCommand Description\r\nip ssh server algorithm hostkey Defines the order of host key algorithms in a Cisco IOS SSH server.\r\nip ssh server algorithm mac Defines the order of MAC algorithms in a Cisco IOS SSH server.\r\nip ssh server algorithm publickey Defines the order of public key algorithms in a Cisco IOS SSH server.\r\nshow ip ssh Displays the status of SSH server connections.\r\nip ssh server algorithm hostkey\r\nTo define the order of host key algorithms in a Cisco IOS secure shell (SSH) server, use the ip ssh server\r\nalgorithm hostkey command in global configuration mode. To disable an algorithm from the configured list, use\r\nthe no form of this command. 
To return to the default behavior in which all host key algorithms are enabled in the\r\npredefined order, use the default form of this command.\r\nip ssh server algorithm hostkey {x509v3-ssh-rsa | ssh-rsa}\r\nno ip ssh server algorithm hostkey {x509v3-ssh-rsa | ssh-rsa}\r\nSyntax Description\r\nx509v3-ssh-rsa Configures certificate-based authentication.\r\nssh-rsa Configures public-key-based authentication.\r\nCommand Default\r\nSSH host key algorithms are set to the following default order:\r\nHostkey Algorithms: x509v3-ssh-rsa, ssh-rsa\r\nCommand Modes\r\nGlobal configuration (config)\r\nCommand History\r\nRelease Modification\r\nCisco IOS 15.5(1)S This command was introduced.\r\nCisco IOS XE 3.14S This command was integrated into Cisco IOS XE Release 3.14S.\r\nCisco IOS 15.5(2)T This command was integrated into Cisco IOS Release 15.5(2)T.\r\nUsage Guidelines\r\nThe IOS SSH server and client must have at least one configured host key algorithm. The Cisco IOS SSH servers\r\nsupport the host key algorithms in the following order:\r\n1. x509v3-ssh-rsa\r\n2. ssh-rsa\r\nThe default order of the host key algorithms is:\r\nHostkey Algorithms: x509v3-ssh-rsa, ssh-rsa\r\nTo disable more than one algorithm, use the no form of the command multiple times with different algorithm\r\nnames. 
If you try to disable the last host key algorithm in the configuration, the following message is displayed,\r\nand the command is rejected:\r\n% SSH command rejected: All hostkey algorithms cannot be disabled\r\nExamples\r\nThe following example shows how to configure host key algorithms on Cisco IOS SSH servers:\r\nDevice\u003e enable\r\nDevice# configure terminal\r\nDevice(config)# ip ssh server algorithm hostkey x509v3-ssh-rsa ssh-rsa\r\nDevice(config)# end\r\nThe following example shows how to return to the default behavior in which all host key algorithms are enabled\r\nin the predefined order:\r\nDevice\u003e enable\r\nDevice# configure terminal\r\nDevice(config)# default ip ssh server algorithm hostkey\r\nDevice(config)# end\r\nRelated Commands\r\nCommand Description\r\nip ssh server algorithm encryption Defines the order of encryption algorithms in a Cisco IOS SSH server.\r\nip ssh server algorithm mac Defines the order of MAC algorithms in a Cisco IOS SSH server.\r\nip ssh server algorithm publickey Defines the order of public key algorithms in a Cisco IOS SSH server.\r\nshow ip ssh Displays the status of SSH server connections.\r\nip ssh server algorithm mac\r\nTo define the order of Message Authentication Code (MAC) algorithms in a Cisco IOS secure shell (SSH) server\r\nand client, use the ip ssh server algorithm mac command in global configuration mode. To disable an algorithm\r\nfrom the configured list, use the no form of this command. 
To return to the default behavior in which all MAC\r\nalgorithms are enabled in the predefined order, use the default form of this command.\r\nip ssh server algorithm mac { hmac-sha2-256-etm@openssh.com | hmac-sha2-512-etm@openssh.com | hmac-sha2-256 | hmac-sha2-512 }\r\nno ip ssh server algorithm mac { hmac-sha2-256-etm@openssh.com | hmac-sha2-512-etm@openssh.com |\r\nhmac-sha2-256 | hmac-sha2-512 }\r\nSyntax Description\r\nhmac-sha2-256 Configures the HMAC algorithm of HMAC-SHA2-256 as a cryptographic\r\nalgorithm with a digest size of 256 bits and a key length of 256 bits.\r\nhmac-sha2-512 Configures the HMAC algorithm of HMAC-SHA2-512 as a cryptographic\r\nalgorithm with a digest size of 512 bits and a key length of 512 bits.\r\nhmac-sha2-256-etm@openssh.com Configures the HMAC algorithm of HMAC-SHA2-256-Encrypt-then-MAC@openssh.com as a cryptographic algorithm with a digest size of 256 bits\r\nand a key length of 256 bits.\r\nhmac-sha2-512-etm@openssh.com Configures the HMAC algorithm of HMAC-SHA2-512-Encrypt-then-MAC@openssh.com as a cryptographic algorithm with a digest size of 512 bits\r\nand a key length of 512 bits.\r\nCommand Default\r\nSSH MAC algorithms are set to the following default order:\r\nMAC Algorithms: hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, hmac-sha2-256, hmac-sha2-512\r\nCommand Modes\r\nGlobal configuration (config)\r\nCommand History\r\nRelease Modification\r\nCisco IOS 15.5(2)S This command was introduced.\r\nCisco IOS XE 3.15S This command was integrated into Cisco IOS XE Release 3.15S.\r\nCisco IOS 15.5(2)T This command was integrated into Cisco IOS Release 15.5(2)T.\r\nCisco IOS XE Everest 16.5.1b The HMAC-SHA2 MAC algorithm for SSH was introduced.\r\nCisco IOS XE Amsterdam 17.3 The hmac-sha2-256-etm@openssh.com and hmac-sha2-512-etm@openssh.com MAC algorithms for SSH were introduced.\r\nUsage Guidelines\r\nThe Cisco IOS SSH servers and clients must have at least one configured Hashed Message Authentication Code\r\n(HMAC) algorithm and can have more than one HMAC algorithm configured. The Cisco IOS SSH servers and\r\nclients support the MAC algorithms in the following order:\r\n1. hmac-sha2-256-etm@openssh.com\r\n2. hmac-sha2-512-etm@openssh.com\r\n3. hmac-sha2-256\r\n4. hmac-sha2-512\r\nThe default order of the MAC algorithms is:\r\nMAC Algorithms: hmac-sha2-256, hmac-sha2-512, hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com\r\nTo disable more than one algorithm, use the no form of the command multiple times with different algorithm\r\nnames. If you try to disable the last MAC algorithm in the configuration, the following message is displayed, and\r\nthe command is rejected:\r\n% SSH command rejected: All mac algorithms cannot be disabled\r\nExamples\r\nThe following example shows how to configure MAC algorithms on Cisco IOS SSH servers:\r\nDevice\u003e enable\r\nDevice# configure terminal\r\nDevice(config)# ip ssh server algorithm mac hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com hmac-sha\r\nDevice(config)# end\r\nThe following example shows how to return to the default behavior in which all MAC algorithms are enabled in\r\nthe predefined order:\r\nDevice\u003e enable\r\nDevice# configure terminal\r\nDevice(config)# default ip ssh server algorithm mac\r\nDevice(config)# end\r\nRelated Commands\r\nCommand Description\r\nip ssh client algorithm mac Defines the order of MAC algorithms in a Cisco IOS SSH client.\r\nip ssh server algorithm encryption Defines the order of encryption algorithms in a Cisco IOS SSH server.\r\nip ssh server algorithm hostkey Defines the order of host key algorithms in a Cisco IOS SSH server.\r\nshow ip ssh Displays the status of SSH 
server connections.\r\nip ssh server algorithm publickey\r\nTo define the order of public key algorithms in a Cisco IOS secure shell (SSH) server for user authentication, use\r\nthe ip ssh server algorithm publickey command in global configuration mode. To disable an algorithm from the\r\nconfigured list, use the no form of this command. To return to the default behavior in which all public key\r\nalgorithms are enabled in the predefined order, use the default form of this command.\r\nip ssh server algorithm publickey {x509v3-ssh-rsa | ssh-rsa}\r\nno ip ssh server algorithm publickey {x509v3-ssh-rsa | ssh-rsa}\r\nSyntax Description\r\nx509v3-ssh-rsa Configures certificate-based authentication.\r\nssh-rsa Configures public-key-based authentication.\r\nCommand Default\r\nSSH public key algorithms are set to the following default order:\r\nAuthentication Publickey Algorithms: x509v3-ssh-rsa, ssh-rsa\r\nCommand Modes\r\nGlobal configuration (config)\r\nCommand History\r\nRelease Modification\r\nCisco IOS 15.5(1)S This command was introduced.\r\nCisco IOS XE 3.14S This command was integrated into Cisco IOS XE Release 3.14S.\r\nCisco IOS 15.5(2)T This command was integrated into Cisco IOS Release 15.5(2)T.\r\nUsage Guidelines\r\nThe IOS SSH server and client must have at least one configured public key algorithm. The Cisco IOS SSH\r\nservers support the public key algorithms in the following order:\r\n1. x509v3-ssh-rsa\r\n2. ssh-rsa\r\nThe default order of the public key algorithms is:\r\nAuthentication Publickey Algorithms: x509v3-ssh-rsa, ssh-rsa\r\nTo disable more than one algorithm, use the no form of the command multiple times with different algorithm\r\nnames. 
If you try to disable the last public key algorithm in the configuration, the following message is displayed,\r\nand the command is rejected:\r\n% SSH command rejected: All publickey algorithms cannot be disabled.\r\nExamples\r\nThe following example shows how to configure public key algorithms on Cisco IOS SSH servers:\r\nDevice\u003e enable\r\nDevice# configure terminal\r\nDevice(config)# ip ssh server algorithm publickey x509v3-ssh-rsa ssh-rsa\r\nDevice(config)# end\r\nThe following example shows how to return to the default behavior in which all public key algorithms are enabled\r\nin the predefined order:\r\nDevice\u003e enable\r\nDevice# configure terminal\r\nDevice(config)# default ip ssh server algorithm publickey\r\nDevice(config)# end\r\nRelated Commands\r\nCommand Description\r\nip ssh client algorithm encryption Defines the order of encryption algorithms in a Cisco IOS SSH client.\r\nip ssh client algorithm mac Defines the order of MAC algorithms in a Cisco IOS SSH client.\r\nip ssh server algorithm encryption Defines the order of encryption algorithms in a Cisco IOS SSH server.\r\nip ssh server algorithm hostkey Defines the order of host key algorithms in a Cisco IOS SSH server.\r\nip ssh server algorithm mac Defines the order of MAC algorithms in a Cisco IOS SSH server.\r\nshow ip ssh Displays the status of SSH server connections.\r\nip ssh server authenticate user\r\nTo enable the user authentication methods available in a Cisco IOS Secure Shell (SSH) server, use the ip ssh\r\nserver authenticate user command in global configuration mode. To disable the user authentication methods\r\navailable in a Cisco IOS SSH server, use the no form of this command. 
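Each of the ip ssh server algorithm commands documented above (authentication, encryption, kex, hostkey, mac and publickey) follows one pattern: an ordered list, a no form that removes a single entry, a default form that restores the documented order, and a rejection message when the last entry would be removed. The following Python model is an added example and not Cisco code. It reproduces those rules with the default lists documented on this page and the "% SSH command rejected" message (the page's exact wording varies slightly per command), and adds the RFC 4253 section 7.1 selection rule, under which the first algorithm in the client's list that the server also offers wins. That rule is why removing an entry from the server's list, rather than reordering it, is what stops a weak algorithm from being negotiated with a client that prefers it. The client preference lists are constructed.

```python
class CommandRejected(Exception):
    """Raised where the device would print '% SSH command rejected: ...'."""


class SshAlgorithmList:
    """One 'ip ssh server algorithm <kind>' list and its three command forms."""

    def __init__(self, kind, default_order):
        self.kind = kind
        self.default_order = list(default_order)
        self.configured = list(default_order)

    def configure(self, *algorithms):
        """'ip ssh server algorithm <kind> a b c': replace the list, keeping order."""
        unknown = [a for a in algorithms if a not in self.default_order]
        if unknown:
            raise ValueError(f"unsupported {self.kind} algorithm(s): {', '.join(unknown)}")
        self.configured = list(dict.fromkeys(algorithms))   # dedupe, keep order

    def disable(self, algorithm):
        """'no ip ssh server algorithm <kind> <algorithm>': remove one entry.

        Removing the last entry is rejected, as documented for every one of
        these commands; the page's wording differs slightly per command.
        """
        if algorithm not in self.configured:
            return False
        if len(self.configured) == 1:
            raise CommandRejected(
                f"% SSH command rejected: All {self.kind} algorithms cannot be disabled")
        self.configured.remove(algorithm)
        return True

    def default(self):
        """'default ip ssh server algorithm <kind>': restore the documented order."""
        self.configured = list(self.default_order)

    def negotiate(self, client_preferences):
        """RFC 4253 section 7.1 rule: the first algorithm in the client's list that
        the server also offers is chosen; None means the negotiation fails."""
        offered = set(self.configured)
        for alg in client_preferences:
            if alg in offered:
                return alg
        return None


# Documented default orders from this command reference.
DEFAULT_LISTS = {
    "encryption": ["aes128-ctr", "aes192-ctr", "aes256-ctr",
                   "aes128-cbc", "3des-cbc", "aes192-cbc", "aes256-cbc"],
    "kex": ["ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521",
            "diffie-hellman-group14-sha1"],
    "hostkey": ["x509v3-ssh-rsa", "ssh-rsa"],
    "mac": ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com",
            "hmac-sha2-256", "hmac-sha2-512"],
    "publickey": ["x509v3-ssh-rsa", "ssh-rsa"],
    "authentication": ["publickey", "keyboard", "password"],
}


def new_server():
    """A server with every list at its documented default."""
    return {kind: SshAlgorithmList(kind, order) for kind, order in DEFAULT_LISTS.items()}


def demo_cbc_removal():
    """Show that only the server-side list, not its order, stops a CBC-preferring client."""
    enc = new_server()["encryption"]
    legacy_client = ["3des-cbc", "aes128-cbc", "aes256-ctr"]   # constructed preference list
    before = enc.negotiate(legacy_client)
    for alg in ("3des-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc"):
        enc.disable(alg)                                        # one 'no' command each
    after = enc.negotiate(legacy_client)
    return before, after, list(enc.configured)


if __name__ == "__main__":
    print(demo_cbc_removal())
```

With the default list the constructed client gets 3des-cbc even though the server lists AES-CTR first; after the four no commands the same client ends up on aes256-ctr, and the three CTR entries are all that remain.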
To return to the default behavior in which\r\nall user authentication methods are enabled in the predefined order, use the default form of this command.\r\nip ssh server authenticate user {publickey | keyboard | password}\r\nno ip ssh server authenticate user {publickey | keyboard | password}\r\ndefault ip ssh server authenticate user\r\nSyntax Description\r\npublickey Enables the public-key-based authentication method.\r\nkeyboard Enables the keyboard-interactive-based authentication method.\r\npassword Enables the password-based authentication method.\r\nCommand Default\r\nAll three user authentication methods are enabled in the following predefined order:\r\nPublic-key authentication method\r\nKeyboard-interactive authentication method\r\nPassword authentication method\r\nCommand Modes\r\nGlobal configuration (config)\r\nCommand History\r\nRelease Modification\r\n15.3(3)M This command was introduced.\r\nCisco IOS XE Release 3.10S This command was integrated into Cisco IOS XE Release 3.10S.\r\nUsage Guidelines\r\nThe no ip ssh server authenticate user {publickey | keyboard | password} command enables the SSH server to choose a\r\npreferred user authentication method by disabling any of the other supported user authentication methods. 
By\r\ndefault, all user authentication methods are enabled on the SSH server in the following predefined order:\r\nPublic-key authentication method\r\nKeyboard-interactive authentication method\r\nPassword authentication method\r\nThe following messages are displayed during specific scenarios:\r\nIf the public-key-based authentication method is disabled using the no ip ssh server authenticate user\r\npublickey command, the RFC 4252 (The Secure Shell (SSH) Authentication Protocol) behavior in which\r\npublic-key authentication is mandatory is overridden and the following warning message is displayed:\r\n%SSH: Publickey disabled. Overriding RFC\r\nIf all three authentication methods are disabled, the following warning message is displayed:\r\n%SSH: No auth method configured. Incoming connection will be dropped\r\nIn the event of an incoming SSH session request from the SSH client when all three user authentication\r\nmethods are disabled on the SSH server, the connection request is dropped at the SSH server and a system\r\nlog message is available in the following format:\r\n%SSH-3-NO_USERAUTH: No auth method configured for SSH Server. Incoming connection from \u003cip address\u003e (tty\r\nExamples\r\nThe following example shows how to disable the public-key-based authentication and keyboard-interactive-based\r\nauthentication methods, allowing the SSH client to connect to the SSH server using password-based\r\nauthentication:\r\nDevice\u003e enable\r\nDevice# configure terminal\r\nDevice(config)# no ip ssh server authenticate user publickey\r\n%SSH: Publickey disabled. 
Overriding RFC\r\nDevice(config)# no ip ssh server authenticate user keyboard\r\nDevice(config)# exit\r\nThe following example shows how to enable the public-key-based authentication and keyboard-interactive-based\r\nauthentication methods:\r\nDevice\u003e enable\r\nDevice# configure terminal\r\nDevice(config)# ip ssh server authenticate user publickey\r\nDevice(config)# ip ssh server authenticate user keyboard\r\nDevice(config)# exit\r\nThe following example shows how to return to the default behavior in which all user authentication methods are\r\nenabled in the predefined order:\r\nDevice\u003e enable\r\nDevice# configure terminal\r\nDevice(config)# default ip ssh server authenticate user\r\nDevice(config)# exit\r\nRelated Commands\r\nCommand Description\r\nshow ip ssh Displays the version and configuration data for SSH.\r\nip ssh source-interface\r\nTo specify the IP address of an interface as the source address for a Secure Shell (SSH) client device, use the ip\r\nssh source-interface command in global configuration mode. 
To remove the IP address as the source address, use\r\nthe no form of this command.\r\nip ssh source-interface interface\r\nno ip ssh source-interface interface\r\nSyntax Description\r\ninterface The interface whose address is used as the source address for the SSH client.\r\nCommand Default\r\nThe address of the closest interface to the destination is used as the source address (the closest interface is the\r\noutput interface through which the SSH packet is sent).\r\nCommand Modes\r\nGlobal configuration\r\nCommand History\r\nRelease Modification\r\n12.2(8)T This command was introduced.\r\nUsage Guidelines\r\nBy specifying this command, you can force the SSH client to use the IP address of the source interface as the\r\nsource address.\r\nExamples\r\nIn the following example, the IP address assigned to Ethernet interface 0 will be used as the source address for the\r\nSSH client:\r\nip ssh source-interface ethernet0\r\nip ssh stricthostkeycheck\r\nTo enable strict host key checking on the Secure Shell (SSH) server, use the ip ssh stricthostkeycheck command in\r\nglobal configuration mode. To disable strict host key checking, use the no form of this command.\r\nip ssh stricthostkeycheck\r\nno ip ssh stricthostkeycheck\r\nSyntax Description\r\nThis command has no arguments or keywords.\r\nCommand Default\r\nStrict host key checking on the SSH server is not enabled.\r\nCommand Modes\r\nGlobal configuration (config)\r\nCommand History\r\nRelease Modification\r\n15.0(1)M This command was introduced.\r\n15.1(1)S This command was integrated into Cisco IOS Release 15.1(1)S.\r\nUsage Guidelines\r\nUse the ip ssh stricthostkeycheck command to ensure SSH server side strict checking. 
Configuring the ip ssh\r\nstricthostkeycheck command authenticates all servers.\r\nNote\r\nThis command is not available on SSH Version 1.\r\nIf the ip ssh pubkey-chain command is not configured, the ip ssh stricthostkeycheck command will lead to\r\nconnection failure in SSH Version 2.\r\nExamples\r\nThe following example shows how to enable strict host key checking:\r\nRouter(config)# ip ssh stricthostkeycheck\r\nRelated Commands\r\nCommand Description\r\nip ssh pubkey-chain Configures SSH-RSA keys for user and server authentication on the SSH server.\r\nip ssh version\r\nTo specify the version of Secure Shell (SSH) to be run on a router, use the ip ssh version command in global\r\nconfiguration mode. To disable the version of SSH that was configured and to return to compatibility mode, use\r\nthe no form of this command.\r\nip ssh version [1 | 2]\r\nno ip ssh version [1 | 2]\r\nSyntax Description\r\n1 (Optional) Router runs only SSH Version 1.\r\n2 (Optional) Router runs only SSH Version 2.\r\nCommand Default\r\nIf this command is not configured, SSH operates in compatibility mode, that is, Version 1 and Version 2 are both\r\nsupported.\r\nCommand Modes\r\nGlobal configuration\r\nCommand History\r\nRelease Modification\r\n12.3(4)T This command was introduced.\r\n12.3(2)XE This command was integrated into Cisco IOS Release 12.3(2)XE.\r\n12.2(25)S This command was integrated into Cisco IOS Release 12.2(25)S.\r\n12.3(7)JA This command was integrated into Cisco IOS Release 12.3(7)JA.\r\n12.0(32)SY This command was integrated into Cisco IOS Release 12.0(32)SY.\r\n12.4(20)T This command was integrated into Cisco IOS Release 12.4(20)T.\r\n15.2(2)SA2 This command was implemented on the Cisco ME 2600X Series Ethernet Access 
Switches.\r\nUsage Guidelines\r\nYou can use this command with the 2 keyword to ensure that your router will not inadvertently establish a weaker\r\nSSH Version 1 connection.\r\nExamples\r\nThe following example shows that only SSH Version 1 support is configured:\r\nRouter(config)# ip ssh version 1\r\nThe following example shows that only SSH Version 2 is configured:\r\nRouter(config)# ip ssh version 2\r\nThe following example shows that SSH Versions 1 and 2 are configured:\r\nRouter(config)# no ip ssh version\r\nRelated Commands\r\nCommand Description\r\ndebug ip ssh Displays debug messages for SSH.\r\ndisconnect ssh Terminates an SSH connection on your router.\r\nip ssh Configures SSH control parameters on your router.\r\nip ssh rsa keypair-name Specifies which RSA key pair to use for an SSH connection.\r\nshow ip ssh Displays the SSH connections of your router.\r\nip tacacs source-interface\r\nTo use the IP address of a specified interface for all outgoing TACACS+ packets, use the ip tacacs source-interface\r\ncommand in global configuration or server-group configuration mode. 
To disable use of the specified interface IP\r\naddress, use the no form of this command.\r\nip tacacs source-interface subinterface-name vrf vrf-name\r\nno ip tacacs source-interface\r\nSyntax Description\r\nsubinterface-name Name of the interface that TACACS+ uses for all of its outgoing packets.\r\nvrf vrf-name VPN routing/forwarding parameter name.\r\nCommand Default\r\nNone\r\nCommand Modes\r\nGlobal configuration (config)\r\nServer-group configuration (server-group)\r\nCommand History\r\nRelease Modification\r\n10.0 This command was introduced.\r\n12.3(7)T This command was introduced in server-group configuration mode.\r\n12.2(33)SRA This command was integrated into Cisco IOS Release 12.2(33)SRA.\r\n12.2SX\r\nThis command is supported in the Cisco IOS Release 12.2SX train. Support in a\r\nspecific 12.2SX release of this train depends on your feature set, platform, and platform\r\nhardware.\r\n12.2(33)SXH This command was integrated into Cisco IOS Release 12.2(33)SXH.\r\n12.2(33)SXI This command was integrated into Cisco IOS Release 12.2(33)SXI.\r\n12.2(54)SG This command was integrated into Cisco IOS Release 12.2(54)SG.\r\nCisco IOS XE Fuji 16.9.1 The vrf vrf-name keyword-argument pair was added.\r\nUsage Guidelines\r\nUse this command to set the IP address of a subinterface for all outgoing TACACS+ packets. This address is used\r\nas long as the interface is in the up state. 
In this way, the TACACS+ server can use one IP address entry associated\r\nwith the network access client instead of maintaining a list of all IP addresses.\r\nThis command is especially useful in cases where the router has many interfaces and you want to ensure that all\r\nTACACS+ packets from a particular router have the same IP address.\r\nThe specified sub-interface should have a valid IP address and should be in the up state for a valid configuration.\r\nIf the specified sub-interface does not have a valid IP address or is in the down state, TACACS+ enforces the\r\nsource-interface configuration. In case the interface has no IP address, a null IP address is sent. To avoid this, add\r\na valid IP address to the sub-interface or bring the sub-interface to the up state.\r\nNote\r\nThis command can be configured globally or in server-group configuration mode. If this command is\r\nconfigured in the server-group configuration mode, the IP address of the specified interface is used\r\nfor packets that are going only to servers that are defined in that server group. 
If this command is not\r\nconfigured in server-group configuration mode, the global configuration applies.\r\nExamples\r\nThe following example makes TACACS+ use the IP address of subinterface “s2” for all outgoing TACACS+\r\npackets:\r\nip tacacs source-interface s2\r\nIn the following example, TACACS+ is to use the IP address of Loopback0 for packets that are going only to\r\nserver 10.1.1.1:\r\naaa group server tacacs+ tacacs1\r\n server-private 10.1.1.1 port 19 key cisco\r\n ip vrf forwarding cisco\r\n ip tacacs source-interface Loopback0\r\n!\r\nip vrf cisco\r\n rd 100:1\r\n!\r\ninterface Loopback0\r\n ip address 10.0.0.2 255.0.0.0\r\n ip vrf forwarding cisco\r\nRelated Commands\r\nCommand Description\r\nip radius source-interface\r\nForces RADIUS to use the IP address of a specified interface for all outgoing\r\nRADIUS packets.\r\nip telnet source-interface\r\nAllows a user to select an address of an interface as the source address for Telnet\r\nconnections.\r\nip tftp source-interface\r\nAllows a user to select the interface whose address will be used as the source\r\naddress for TFTP connections.\r\nip vrf forwarding (server-group)\r\nConfigures the VRF reference of an AAA RADIUS or TACACS+ server group.\r\nserver-private\r\nConfigures the IP address of the private RADIUS or TACACS+ server for the\r\ngroup server.\r\nip tcp intercept connection-timeout\r\nTo change how long a TCP connection will be managed by the TCP intercept after no activity, use the ip tcp\r\nintercept connection-timeout command in global configuration mode. 
To restore the default, use the no form of\r\nthis command.\r\nip tcp intercept connection-timeout seconds\r\nno ip tcp intercept connection-timeout [seconds]\r\nSyntax Description\r\nseconds\r\nTime (in seconds) that the software will still manage the connection after no activity. The\r\nminimum value is 1 second. The default is 86,400 seconds (24 hours).\r\nCommand Default\r\n86,400 seconds (24 hours)\r\nCommand Modes\r\nGlobal configuration\r\nCommand History\r\nRelease Modification\r\n11.2F This command was introduced.\r\n12.2(33)SRA This command was integrated into Cisco IOS Release 12.2(33)SRA.\r\n12.2SX\r\nThis command is supported in the Cisco IOS Release 12.2SX train. Support in a specific\r\n12.2SX release of this train depends on your feature set, platform, and platform hardware.\r\nUsage Guidelines\r\nUse the ip tcp intercept connection-timeout command to change how long a TCP connection will be managed by\r\nthe TCP intercept after a period of inactivity.\r\nExamples\r\nThe following example sets the software to manage the connection for 12 hours (43,200 seconds) after no activity:\r\nip tcp intercept connection-timeout 43200\r\nip tcp intercept drop-mode\r\nTo set the TCP intercept drop mode, use the ip tcp intercept drop-mode command in global configuration mode.\r\nTo restore the default, use the no form of this command.\r\nip tcp intercept drop-mode [oldest | random]\r\nno ip tcp intercept drop-mode [oldest | random]\r\nSyntax Description\r\noldest (Optional) Software drops the oldest partial connection. 
This is the default.\r\nrandom (Optional) Software drops a randomly selected partial connection.\r\nCommand Default\r\noldest\r\nCommand Modes\r\nGlobal configuration\r\nCommand History\r\nRelease Modification\r\n11.2F This command was introduced.\r\n12.2(33)SRA This command was integrated into Cisco IOS Release 12.2(33)SRA.\r\n12.2SX\r\nThis command is supported in the Cisco IOS Release 12.2SX train. Support in a specific\r\n12.2SX release of this train depends on your feature set, platform, and platform hardware.\r\nUsage Guidelines\r\nIf the number of incomplete connections exceeds 1100 or the number of connections arriving in the last 1 minute\r\nexceeds 1100, the TCP intercept feature becomes more aggressive. When this happens, each new arriving\r\nconnection causes the oldest partial connection to be deleted, and the initial retransmission timeout is reduced by\r\nhalf to 0.5 seconds (and so the total time trying to establish the connection will be cut in half).\r\nNote that the 1100 thresholds can be configured with the ip tcp intercept max-incomplete high and ip tcp intercept\r\none-minute high commands.\r\nUse the ip tcp intercept drop-mode command to change the dropping strategy from oldest to a random drop.\r\nExamples\r\nThe following example sets the drop mode to random:\r\nip tcp intercept drop-mode random\r\nRelated Commands\r\nCommand Description\r\nip tcp intercept max-incomplete high Defines the maximum number of incomplete connections allowed before the\r\nsoftware enters aggressive mode.\r\nip tcp intercept max-incomplete low Defines the number of incomplete connections below which the software leaves\r\naggressive mode.\r\nip tcp intercept one-minute high Defines the number of connection requests received in the last one-minute\r\nsample period before the software enters aggressive mode.\r\nip tcp intercept one-minute 
low Defines the number of connection requests below which the software leaves\r\naggressive mode.\r\nip tcp intercept finrst-timeout\r\nTo change how long after receipt of a reset or FIN-exchange the software ceases to manage the connection, use\r\nthe ip tcp intercept finrst-timeout command in global configuration mode. To restore the default, use the no form\r\nof this command.\r\nip tcp intercept finrst-timeout seconds\r\nno ip tcp intercept finrst-timeout [seconds]\r\nSyntax Description\r\nseconds\r\nTime (in seconds) after receiving a reset or FIN-exchange that the software ceases to manage the\r\nconnection. The minimum value is 1 second. The default is 5 seconds.\r\nCommand Default\r\n5 seconds\r\nCommand Modes\r\nGlobal configuration\r\nCommand History\r\nRelease Modification\r\n11.2F This command was introduced.\r\n12.2(33)SRA This command was integrated into Cisco IOS Release 12.2(33)SRA.\r\n12.2SX\r\nThis command is supported in the Cisco IOS Release 12.2SX train. Support in a specific\r\n12.2SX release of this train depends on your feature set, platform, and platform hardware.\r\nUsage Guidelines\r\nEven after the two ends of the connection are joined, the software intercepts packets being sent back and forth.\r\nUse this command if you need to adjust how soon after receiving a reset or FIN-exchange the software stops\r\nintercepting packets.\r\nExamples\r\nThe following example sets the software to wait for 10 seconds before it leaves intercept mode:\r\nip tcp intercept finrst-timeout 10\r\nip tcp intercept list\r\nTo enable TCP intercept, use the ip tcp intercept list command in global configuration mode. 
To disable TCP\r\nintercept, use the no form of this command.\r\nip tcp intercept list access-list-number\r\nno ip tcp intercept list access-list-number\r\nSyntax Description\r\naccess-list-number Extended access list number in the range from 100 to 199.\r\nCommand Default\r\nDisabled\r\nCommand Modes\r\nGlobal configuration\r\nCommand History\r\nRelease Modification\r\n11.2F This command was introduced.\r\n12.2(33)SRA This command was integrated into Cisco IOS Release 12.2(33)SRA.\r\n12.2SX\r\nThis command is supported in the Cisco IOS Release 12.2SX train. Support in a specific\r\n12.2SX release of this train depends on your feature set, platform, and platform hardware.\r\nUsage Guidelines\r\nThe TCP intercept feature intercepts TCP connection attempts and shields servers from TCP SYN-flood attacks,\r\na form of denial-of-service attack.\r\nTCP packets matching the access list are presented to the TCP intercept code for processing, as determined by the\r\nip tcp intercept mode command. 
The TCP intercept code either intercepts or watches the connections.\r\nTo have all TCP connection attempts submitted to the TCP intercept code, have the access list match everything.\r\nExamples\r\nThe following example configuration defines access list 101, causing the software to intercept packets for all TCP\r\nservers on the 192.168.1.0/24 subnet:\r\nip tcp intercept list 101\r\n!\r\naccess-list 101 permit tcp any 192.168.1.0 0.0.0.255\r\nRelated Commands\r\nCommand Description\r\naccess-list (IP extended) Defines an extended IP access list.\r\nip tcp intercept mode Changes the TCP intercept mode.\r\nshow tcp intercept connections Displays TCP incomplete and established connections.\r\nshow tcp intercept statistics Displays TCP intercept statistics.\r\nip tcp intercept max-incomplete\r\nTo define either the number of incomplete connections below which the software leaves aggressive mode or the\r\nmaximum number of incomplete connections allowed before the software enters aggressive mode, use the ip tcp\r\nintercept max-incomplete command in global configuration mode. To restore the default, use the no form of this\r\ncommand.\r\nip tcp intercept max-incomplete low number high number\r\nno ip tcp intercept max-incomplete [low number high number]\r\nSyntax Description\r\nlow number\r\nDefines the number of incomplete connections below which the software leaves aggressive\r\nmode. The range is 1 to 2147483647. The default is 900.\r\nhigh number\r\nDefines the number of incomplete connections allowed, above which the software enters\r\naggressive mode. The range is from 1 to 2147483647. 
The default is 1100.\r\nCommand Default\r\nThe number of incomplete connections below which the software leaves aggressive mode is 900.\r\nThe maximum number of incomplete connections allowed before the software enters aggressive mode is 1100.\r\nCommand Modes\r\nGlobal configuration\r\nCommand History\r\nRelease Modification\r\n12.4(15)T\r\nThis command was introduced in Cisco IOS Release 12.4(15)T. This command replaces the\r\nip tcp intercept max-incomplete low and the ip tcp intercept max-incomplete high\r\ncommands.\r\n12.2(33)SXH This command was integrated into Cisco IOS Release 12.2(33)SXH.\r\nUsage Guidelines\r\nThere are two factors that determine aggressive mode: connection requests and incomplete connections.\r\nBy default, if both the number of connection requests and the number of incomplete connections are 900 or lower,\r\naggressive mode ends.\r\nBy default, if either the number of connection requests or the number of incomplete connections is 1100 or\r\ngreater, aggressive mode begins.\r\nThe number of connection requests may be defined by the ip tcp intercept one-minute command and the number\r\nof incomplete connections may be defined by the ip tcp intercept max-incomplete command.\r\nCharacteristics of Aggressive Mode\r\nThe following are the characteristics of aggressive mode:\r\nEach new arriving connection causes the oldest partial connection to be deleted.\r\nThe initial retransmission timeout, the total time the router attempts to establish the connection, is reduced\r\nfrom 1 second to 0.5 seconds.\r\nThe watch-timeout period is reduced from 30 seconds to 15 seconds.\r\nExamples\r\nThe following example sets the software to leave aggressive mode when the number of incomplete connections\r\nfalls below 1000 and allows 1500 incomplete connections before the software enters aggressive mode. 
The\r\nrunning configuration is also shown.\r\nRouter(config)# ip tcp intercept max-incomplete low 1000 high 1500\r\nRouter(config)# show running-config | i ip tcp\r\n ip tcp intercept max-incomplete low 1000 high 1500\r\nRelated Commands\r\nCommand Description\r\nip tcp intercept drop-mode\r\nSets the TCP intercept drop mode.\r\nip tcp intercept one-minute\r\nDefines the number of connection requests below which the software leaves aggressive\r\nmode and the number of connection requests received before the software enters\r\naggressive mode.\r\nip tcp intercept max-incomplete high\r\nNote\r\nEffective with Cisco IOS Release 12.2(33)SXH and Cisco IOS Release 12.4(15)T, the ip tcp intercept\r\nmax-incomplete high command is replaced by the ip tcp intercept max-incomplete command. See the\r\nip tcp intercept max-incomplete command for more information.\r\nTo define the maximum number of incomplete connections allowed before the software enters aggressive mode,\r\nuse the ip tcp intercept max-incomplete high command in global configuration mode. To restore the default, use\r\nthe no form of this command.\r\nip tcp intercept max-incomplete high number\r\nno ip tcp intercept max-incomplete high [number]\r\nSyntax Description\r\nnumber\r\nDefines the number of incomplete connections allowed, above which the software enters\r\naggressive mode. The range is from 1 to 2147483647. 
The default is 1100.\r\nCommand Default\r\n1100 incomplete connections\r\nCommand Modes\r\nGlobal configuration\r\nCommand History\r\nRelease Modification\r\n11.2F This command was introduced.\r\n12.4(15)T This command was replaced by the ip tcp intercept max-incomplete command.\r\n12.2(33)SXH This command was replaced by the ip tcp intercept max-incomplete command.\r\nUsage Guidelines\r\nNote\r\nIf you are running Cisco IOS Release 12.2(33)SXH or Cisco IOS Release 12.4(15)T and issue the ip\r\ntcp intercept max-incomplete high command, it will be accepted by the router, but a message will be\r\ndisplayed stating that the ip tcp intercept max-incomplete high command has been replaced by the ip\r\ntcp intercept max-incomplete command.\r\nIf the number of incomplete connections exceeds the number configured, the TCP intercept feature becomes\r\naggressive. The following are the characteristics of aggressive mode:\r\nEach new arriving connection causes the oldest partial connection to be deleted.\r\nThe initial retransmission timeout is reduced by half to 0.5 seconds (and so the total time trying to establish\r\nthe connection is cut in half).\r\nThe watch-timeout is cut in half (from 30 seconds to 15 seconds).\r\nYou can change the drop strategy from the oldest connection to a random connection with the ip tcp intercept\r\ndrop-mode command.\r\nNote\r\nThe two factors that determine aggressive mode (connection requests and incomplete connections)\r\nare related and work together. When the value of either ip tcp intercept one-minute high or ip tcp\r\nintercept max-incomplete high is exceeded, aggressive mode begins. 
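The enter/exit hysteresis this note describes, together with the aggressive-mode characteristics listed above (one partial connection deleted per new arrival, oldest or random per drop-mode, halved retransmission and watch timeouts), as an added Python model; this is not Cisco IOS code, and the TcpIntercept class, its method names and the small thresholds in demo() are constructed for illustration:

```python
"""Aggressive-mode hysteresis of TCP intercept, modelled in Python.

Added example for this command reference, not Cisco IOS code: the TcpIntercept
class, its method names and the demo thresholds are constructed. It follows the
reference text: aggressive mode begins when EITHER the incomplete (half-open)
connection count reaches max-incomplete high OR the connection requests in the
last one-minute sample period reach one-minute high; it ends only when BOTH are
at or below their low values. While aggressive, each arriving connection deletes
one partial connection (oldest or random, per drop-mode), the initial
retransmission timeout is halved to 0.5 s and the watch-timeout to 15 s.
"""
from collections import OrderedDict, deque
import random


class TcpIntercept:
    def __init__(self, max_incomplete_low=900, max_incomplete_high=1100,
                 one_minute_low=900, one_minute_high=1100,
                 drop_mode="oldest", rng=None):
        if drop_mode not in ("oldest", "random"):
            raise ValueError("drop_mode must be 'oldest' or 'random'")
        self.max_incomplete_low = max_incomplete_low
        self.max_incomplete_high = max_incomplete_high
        self.one_minute_low = one_minute_low
        self.one_minute_high = one_minute_high
        self.drop_mode = drop_mode
        self.rng = rng if rng is not None else random.Random()
        self.incomplete = OrderedDict()   # conn_id -> arrival time, oldest first
        self.requests = deque()           # request arrival times in the last 60 s
        self.aggressive = False
        self.dropped = []                 # partial connections deleted so far

    def timeouts(self):
        """(initial retransmission timeout, watch-timeout) in seconds."""
        return (0.5, 15.0) if self.aggressive else (1.0, 30.0)

    def _prune_requests(self, now):
        # Keep only requests inside the one-minute sample period.
        while self.requests and now - self.requests[0] >= 60:
            self.requests.popleft()

    def _update_mode(self):
        n_incomplete, n_requests = len(self.incomplete), len(self.requests)
        if not self.aggressive:
            # Either factor reaching its high value starts aggressive mode.
            if (n_incomplete >= self.max_incomplete_high
                    or n_requests >= self.one_minute_high):
                self.aggressive = True
        elif (n_incomplete <= self.max_incomplete_low
                and n_requests <= self.one_minute_low):
            # Both factors must be at or below their low values to leave it.
            self.aggressive = False

    def _drop_one(self):
        if not self.incomplete:
            return
        if self.drop_mode == "oldest":
            victim = next(iter(self.incomplete))
        else:
            victim = self.rng.choice(list(self.incomplete))
        del self.incomplete[victim]
        self.dropped.append(victim)

    def syn(self, conn_id, now):
        """A connection attempt (SYN) for conn_id arrives at time now (seconds)."""
        self._prune_requests(now)
        self.requests.append(now)
        if self.aggressive:
            # Each new arrival in aggressive mode deletes one partial connection.
            self._drop_one()
        self.incomplete[conn_id] = now
        self._update_mode()

    def established(self, conn_id, now):
        """The handshake for conn_id completed; it is no longer partial."""
        self._prune_requests(now)
        self.incomplete.pop(conn_id, None)
        self._update_mode()

    def tick(self, now):
        """Let time pass with no traffic so the one-minute window can drain."""
        self._prune_requests(now)
        self._update_mode()


def demo(drop_mode="oldest", seed=1):
    """Constructed scenario with small thresholds (low 2 / high 4)."""
    ti = TcpIntercept(max_incomplete_low=2, max_incomplete_high=4,
                      one_minute_low=2, one_minute_high=4,
                      drop_mode=drop_mode, rng=random.Random(seed))
    for i in range(1, 5):
        ti.syn("c%d" % i, i - 1)     # c1..c4 at t=0..3: the fourth SYN reaches high
    ti.syn("c5", 4)                  # aggressive: one partial connection is deleted
    ti.established("c2", 5)
    ti.established("c3", 6)          # incomplete count is now low, requests are not
    still_aggressive = ti.aggressive
    ti.tick(70)                      # one-minute window drained: both factors low
    return ti, still_aggressive
```

In the oldest-drop demo the model stays aggressive after two handshakes complete because the one-minute request count is still above its low value; it leaves aggressive mode only once that window drains.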
When both connection requests\r\nand incomplete connections fall below the values of ip tcp intercept one-minute low and ip tcp\r\nintercept max-incomplete low, aggressive mode ends.\r\nThe software will back off from its aggressive mode when the number of incomplete connections falls below the\r\nnumber specified by the ip tcp intercept max-incomplete low command.\r\nExamples\r\nThe following example allows 1500 incomplete connections before the software enters aggressive mode:\r\nip tcp intercept max-incomplete high 1500\r\nRelated Commands\r\nCommand Description\r\nip tcp intercept drop-mode\r\nSets the TCP intercept drop mode.\r\nip tcp intercept max-incomplete low Defines the number of incomplete connections below which the software leaves\r\naggressive mode.\r\nip tcp intercept one-minute high Defines the number of connection requests received in the last one-minute\r\nsample period before the software enters aggressive mode.\r\nip tcp intercept one-minute low Defines the number of connection requests below which the software leaves\r\naggressive mode.\r\nip tcp intercept max-incomplete low\r\nNote\r\nEffective with Cisco IOS Release 12.2(33)SXH and Cisco IOS Release 12.4(15)T, the ip tcp intercept\r\nmax-incomplete low command is replaced by the ip tcp intercept max-incomplete command. See the\r\nip tcp intercept max-incomplete command for more information.\r\nTo define the number of incomplete connections below which the software leaves aggressive mode, use the ip tcp\r\nintercept max-incomplete low command in global configuration mode. 
To restore the default, use the no form of\r\nthis command.\r\nip tcp intercept max-incomplete low number\r\nno ip tcp intercept max-incomplete low [number]\r\nSyntax Description\r\nnumber\r\nDefines the number of incomplete connections below which the software leaves aggressive mode.\r\nThe range is 1 to 2147483647. The default is 900.\r\nCommand Default\r\n900 incomplete connections\r\nCommand Modes\r\nGlobal configuration\r\nCommand History\r\nRelease Modification\r\n11.2F This command was introduced.\r\n12.4(15)T This command was replaced by the ip tcp intercept max-incomplete command.\r\n12.2(33)SXH This command was replaced by the ip tcp intercept max-incomplete command.\r\nUsage Guidelines\r\nNote\r\nIf you are running Cisco IOS Release 12.2(33)SXH or Cisco IOS Release 12.4(15)T and issue the ip\r\ntcp intercept max-incomplete low command, it will be accepted by the router, but a message will be\r\ndisplayed stating that the ip tcp intercept max-incomplete low command has been replaced by the ip\r\ntcp intercept max-incomplete command.\r\nWhen both connection requests and incomplete connections fall below the values of ip tcp intercept one-minute\r\nlow and ip tcp intercept max-incomplete low, the TCP intercept feature leaves aggressive mode.\r\nNote\r\nThe two factors that determine aggressive mode (connection requests and incomplete connections)\r\nare related and work together. When the value of either ip tcp intercept one-minute high or ip tcp\r\nintercept max-incomplete high is exceeded, aggressive mode begins. 
When both connection requests\r\nand incomplete connections fall below the values of ip tcp intercept one-minute low and ip tcp\r\nintercept max-incomplete low, aggressive mode ends.\r\nSee the ip tcp intercept max-incomplete high command for a description of aggressive mode.\r\nExamples\r\nThe following example sets the software to leave aggressive mode when the number of incomplete connections\r\nfalls below 1000:\r\nip tcp intercept max-incomplete low 1000\r\nRelated Commands\r\nCommand Description\r\nip tcp intercept drop-mode\r\nSets the TCP intercept drop mode.\r\nip tcp intercept max-incomplete high Defines the maximum number of incomplete connections allowed before the\r\nsoftware enters aggressive mode.\r\nip tcp intercept one-minute high Defines the number of connection requests received in the last one-minute\r\nsample period before the software enters aggressive mode.\r\nip tcp intercept one-minute low Defines the number of connection requests below which the software leaves\r\naggressive mode.\r\nip tcp intercept mode\r\nTo change the TCP intercept mode, use the ip tcp intercept mode command in global configuration mode. To\r\nrestore the default, use the no form of this command.\r\nip tcp intercept mode {intercept | watch}\r\nno ip tcp intercept mode [intercept | watch]\r\nSyntax Description\r\nintercept\r\nActive mode in which the TCP intercept software intercepts TCP packets from clients to servers\r\nthat match the configured access list and performs intercept duties. 
This is the default.\r\nwatch\r\nMonitoring mode in which the software allows connection attempts to pass through the router and\r\nwatches them until they are established.\r\nCommand Default\r\nintercept\r\nCommand Modes\r\nGlobal configuration\r\nCommand History\r\nRelease Modification\r\n11.2 F This command was introduced.\r\n12.2(33)SRA This command was integrated into Cisco IOS Release 12.2(33)SRA.\r\n12.2SX\r\nThis command is supported in the Cisco IOS Release 12.2SX train. Support in a specific\r\n12.2SX release of this train depends on your feature set, platform, and platform hardware.\r\nUsage Guidelines\r\nWhen TCP intercept is enabled, it operates in intercept mode by default. In intercept mode, the software actively\r\nintercepts TCP SYN packets from clients to servers that match the specified access list. For each SYN, the\r\nsoftware responds on behalf of the server with an ACK and SYN, and waits for an ACK of the SYN from the\r\nclient. When that ACK is received, the original SYN is sent to the server, and the code then performs a three-way\r\nhandshake with the server. Then the two half-connections are joined.\r\nIn watch mode, the software allows connection attempts to pass through the router, but watches them until they\r\nbecome established. 
If they fail to become established in 30 seconds (or the value set by the ip tcp intercept watch-timeout command), a Reset is sent to the server to clear its state.\r\nExamples\r\nThe following example sets the mode to watch mode:\r\nip tcp intercept mode watch\r\nRelated Commands\r\nCommand Description\r\nip tcp intercept watch-timeout\r\nDefines how long the software will wait for a watched TCP intercept connection to\r\nreach established state before sending a reset to the server.\r\nip tcp intercept one-minute\r\nTo define both the number of connection requests below which the software leaves aggressive mode and the\r\nnumber of connection requests that can be received before the software enters aggressive mode, use the ip tcp\r\nintercept one-minute command in global configuration mode. To restore the default connection request settings,\r\nuse the no form of this command.\r\nip tcp intercept one-minute low number high number\r\nno ip tcp intercept one-minute [low number high number]\r\nSyntax Description\r\nlow\r\nnumber\r\nSpecifies the number of connection requests in the last one-minute sample period below which\r\nthe software leaves aggressive mode. The range is from 1 to 2147483647. The default is 900.\r\nhigh\r\nnumber\r\nSpecifies the number of connection requests that can be received in the last one-minute sample\r\nperiod before the software enters aggressive mode. The range is 1 to 2147483647. 
The default is\r\n1100.\r\nCommand Default\r\nThe default number of connection requests below which the software leaves aggressive mode is 900.\r\nThe default number of connection requests received before the software enters aggressive mode is 1100.\r\nCommand Modes\r\nGlobal configuration\r\nCommand History\r\nRelease Modification\r\n12.4(15)T\r\nThis command was introduced in Cisco IOS Release 12.4(15)T. This command replaces the\r\nip tcp intercept one-minute low and the ip tcp intercept one-minute high commands.\r\n12.2(33)SXH This command was integrated into Cisco IOS Release 12.2(33)SXH.\r\nUsage Guidelines\r\nThere are two factors that determine aggressive mode: connection requests and incomplete connections.\r\nBy default, if both the number of connection requests and the number of incomplete connections are 900 or lower,\r\naggressive mode ends.\r\nBy default, if either the number of connection requests or the number of incomplete connections is 1100 or\r\ngreater, aggressive mode begins.\r\nThe number of connection requests may be defined by the ip tcp intercept one-minute command and the number\r\nof incomplete connections may be defined by the ip tcp intercept max-incomplete command. 
The default number\r\nof connection requests\r\nCharacteristics of Aggressive Mode\r\nThe following are the characteristics of aggressive mode:\r\nEach new arriving connection causes the oldest partial connection to be deleted.\r\nThe initial retransmission timeout, the total time the router attempts to establish the connection, is reduced\r\nfrom 1 second to 0.5 seconds.\r\nThe watch-timeout period is reduced from 30 seconds to 15 seconds.\r\nExamples\r\nThe following example sets the software to leave aggressive mode when the number of connection requests falls\r\nbelow 1000 and allows 1400 connection requests before the software enters aggressive mode. The running\r\nconfiguration is then shown.\r\nRouter(config)# ip tcp intercept one-minute low 1000 high 1400\r\nRouter(config)# show running-config | i ip tcp\r\n ip tcp intercept one-minute low 1000 high 1400\r\nRelated Commands\r\nCommand Description\r\nip tcp intercept drop-mode\r\nSets the TCP intercept drop mode.\r\nip tcp intercept max-incomplete\r\nDefines the number of incomplete connections below which the software leaves\r\naggressive mode or the maximum number of incomplete connections allowed before\r\nthe software enters aggressive mode.\r\nip tcp intercept one-minute high\r\nNote\r\nEffective with Cisco IOS Release 12.2(33)SXH and Cisco IOS Release 12.4(15)T, the ip tcp intercept\r\none-minute high command is replaced by the ip tcp intercept one-minute command. See the ip tcp\r\nintercept one-minute command for more information.\r\nTo define the number of connection requests received in the last one-minute sample period before the software\r\nenters aggressive mode, use the ip tcp intercept one-minute high command in global configuration mode. 
To\r\nrestore the default, use the no form of this command.\r\nip tcp intercept one-minute high number\r\nno ip tcp intercept one-minute high [number]\r\nSyntax Description\r\nnumber\r\nSpecifies the number of connection requests that can be received in the last one-minute sample\r\nperiod before the software enters aggressive mode. The range is 1 to 2147483647. The default is\r\n1100.\r\nCommand Default\r\n1100 connection requests\r\nCommand Modes\r\nGlobal configuration\r\nCommand History\r\nRelease Modification\r\n11.2 F This command was introduced.\r\n12.4(15)T This command was replaced by the ip tcp intercept one-minute command.\r\n12.2(33)SXH This command was replaced by the ip tcp intercept one-minute command.\r\nUsage Guidelines\r\nNote\r\nIf you are running Cisco IOS Release 12.2(33)SXH or Cisco IOS Release 12.4(15)T and issue the ip\r\ntcp intercept one-minute high command, it will be accepted by the router, but a message will be\r\ndisplayed stating that the ip tcp intercept one-minute high command has been replaced by the ip tcp\r\nintercept one-minute command.\r\nIf the number of connection requests exceeds the number value configured, the TCP intercept feature becomes\r\naggressive. 
The following are the characteristics of aggressive mode:\r\nEach new arriving connection causes the oldest partial connection to be deleted.\r\nThe initial retransmission timeout is reduced by half to 0.5 seconds (and so the total time trying to establish\r\nthe connection is cut in half).\r\nThe watch-timeout is cut in half (from 30 seconds to 15 seconds).\r\nYou can change the drop strategy from the oldest connection to a random connection with the ip tcp intercept\r\ndrop-mode command.\r\nNote\r\nThe two factors that determine aggressive mode (connection requests and incomplete connections)\r\nare related and work together. When the value of either ip tcp intercept one-minute high or ip tcp\r\nintercept max-incomplete high is exceeded, aggressive mode begins. When both connection requests\r\nand incomplete connections fall below the values of ip tcp intercept one-minute low and ip tcp\r\nintercept max-incomplete low, aggressive mode ends.\r\nExamples\r\nThe following example allows 1400 connection requests before the software enters aggressive mode:\r\nip tcp intercept one-minute high 1400\r\nRelated Commands\r\nCommand Description\r\nip tcp intercept drop-mode\r\nSets the TCP intercept drop mode.\r\nip tcp intercept max-incomplete high\r\nDefines the maximum number of incomplete connections allowed before the\r\nsoftware enters aggressive mode.\r\nip tcp intercept max-incomplete low\r\nDefines the number of incomplete connections below which the software\r\nleaves aggressive mode.\r\nip tcp intercept one-minute low\r\nDefines the number of connection requests below which the software leaves\r\naggressive mode.\r\nip tcp intercept one-minute low\r\nNote\r\nEffective with Cisco IOS Release 12.2(33)SXH and Cisco IOS Release 
12.4(15)T, the ip tcp intercept\r\none-minute low command is replaced by the ip tcp intercept one-minute command. See the ip tcp\r\nintercept one-minute command for more information.\r\nTo define the number of connection requests below which the software leaves aggressive mode, use the ip tcp\r\nintercept one-minute low command in global configuration mode. To restore the default, use the no form of this\r\ncommand.\r\nip tcp intercept one-minute low number\r\nno ip tcp intercept one-minute low [number]\r\nSyntax Description\r\nnumber\r\nDefines the number of connection requests in the last one-minute sample period below which the\r\nsoftware leaves aggressive mode. The range is from 1 to 2147483647. The default is 900.\r\nCommand Default\r\n900 connection requests\r\nCommand Modes\r\nGlobal configuration\r\nCommand History\r\nRelease Modification\r\n11.2 F This command was introduced.\r\n12.4(15)T This command was replaced by the ip tcp intercept one-minute command.\r\n12.2(33)SXH This command was replaced by the ip tcp intercept one-minute command.\r\nUsage Guidelines\r\nNote\r\nIf you are running Cisco IOS Release 12.2(33)SXH or Cisco IOS Release 12.4(15)T and issue the ip\r\ntcp intercept one-minute low command, it will be accepted by the router, but a message will be\r\ndisplayed stating that the ip tcp intercept one-minute low command has been replaced by the ip tcp\r\nintercept one-minute command.\r\nWhen both connection requests and incomplete connections fall below the values of ip tcp intercept one-minute\r\nlow and ip tcp intercept max-incomplete low, the TCP intercept feature leaves aggressive mode.\r\nNote\r\nThe two factors that determine aggressive mode (connection requests and incomplete connections)\r\nare related and work together. 
When the value of either ip tcp intercept one-minute high or ip tcp\r\nintercept max-incomplete high is exceeded, aggressive mode begins. When both connection requests\r\nand incomplete connections fall below the values of ip tcp intercept one-minute low and ip tcp\r\nintercept max-incomplete low, aggressive mode ends.\r\nSee the ip tcp intercept one-minute high command for a description of aggressive mode.\r\nExamples\r\nThe following example sets the software to leave aggressive mode when the number of connection requests falls\r\nbelow 1000:\r\nip tcp intercept one-minute low 1000\r\nRelated Commands\r\nCommand Description\r\nip tcp intercept drop-mode\r\nSets the TCP intercept drop mode.\r\nip tcp intercept max-incomplete high\r\nDefines the maximum number of incomplete connections allowed before the\r\nsoftware enters aggressive mode.\r\nip tcp intercept max-incomplete low\r\nDefines the number of incomplete connections below which the software leaves\r\naggressive mode.\r\nip tcp intercept one-minute high\r\nDefines the number of connection requests received in the last one-minute\r\nsample period before the software enters aggressive mode.\r\nip tcp intercept watch-timeout\r\nTo define how long the software will wait for a watched TCP intercept connection to reach established state before\r\nsending a reset to the server, use the ip tcp intercept watch-timeout command in global configuration mode. To\r\nrestore the default, use the no form of this command.\r\nip tcp intercept watch-timeout seconds\r\nno ip tcp intercept watch-timeout [seconds]\r\nSyntax Description\r\nseconds\r\nTime (in seconds) that the software waits for a watched connection to reach established state\r\nbefore sending a Reset to the server. The minimum value is 1 second. 
The default is 30 seconds.\r\nCommand Default\r\n30 seconds\r\nCommand Modes\r\nGlobal configuration\r\nCommand History\r\nRelease Modification\r\n11.2 F This command was introduced.\r\n12.2(33)SRA This command was integrated into Cisco IOS Release 12.2(33)SRA.\r\n12.2SX\r\nThis command is supported in the Cisco IOS Release 12.2SX train. Support in a specific\r\n12.2SX release of this train depends on your feature set, platform, and platform hardware.\r\nUsage Guidelines\r\nUse this command if you have set the TCP intercept to passive watch mode and you want to change the default\r\ntime the connection is watched. During aggressive mode, the watch timeout time is cut in half.\r\nExamples\r\nThe following example sets the software to wait 60 seconds for a watched connection to reach established state\r\nbefore sending a Reset to the server:\r\nip tcp intercept watch-timeout 60\r\nRelated Commands\r\nCommand Description\r\nip tcp intercept mode Changes the TCP intercept mode.\r\nip traffic-export apply\r\nTo apply an IP traffic export profile or an IP traffic capture profile to a specific interface, use the ip traffic-export\r\napply command in interface configuration mode. 
To remove an IP traffic export profile or an IP traffic capture\r\nprofile from an interface, use the no form of this command.\r\nip traffic-export apply profile-name\r\nno ip traffic-export apply profile-name\r\nCisco 1841, Cisco 2800 Series, and Cisco 3800 Series\r\nip traffic-export apply profile-name size size\r\nno ip traffic-export apply profile-name\r\nSyntax Description\r\nprofile-name\r\nName of the profile that is to be applied to a specified interface.\r\nThe profile-name argument must match a name that was specified in the ip traffic-export\r\nprofile command.\r\nsize (Optional) Used in IP traffic capture mode to set up a local capture buffer.\r\nsize (Optional) Specifies the size of the local capture buffer, in bytes.\r\nCommand Default\r\nIf you do not use this command, a successfully configured profile is not active.\r\nCommand Modes\r\nInterface configuration\r\nCommand History\r\nRelease Modification\r\n12.3(4)T This command was introduced.\r\n12.2(25)S This command was integrated into Cisco IOS Release 12.2(25)S.\r\n12.4(11)T\r\nThis command was updated to incorporate the size keyword and size argument for IP traffic\r\ncapture mode on the Cisco 1841, Cisco 2800 series, and Cisco 3800 series routers.\r\nUsage Guidelines\r\nAfter you configure at least one export profile, use the ip traffic-export apply command to activate IP traffic\r\nexport on the specified ingress interface.\r\nAfter you configure a capture profile, use the ip traffic-export apply command to activate IP traffic capture on the\r\nspecified ingress interface, and to specify the size of the local capture buffer.\r\nExamples\r\nThe following example shows how to apply the export profile “corp1” to interface Fast Ethernet 
0/0.\r\nRouter(config)# ip traffic-export profile corp1\r\nRouter(config-rite)# interface FastEthernet 0/1\r\nRouter(config-rite)# bidirectional\r\nRouter(config-rite)# mac-address 00a.8aab.90a0\r\nRouter(config-rite)# outgoing sample one-in-every 50\r\nRouter(config-rite)# incoming access-list spam_acl\r\nRouter(config-rite)# exit\r\nRouter(config)# interface FastEthernet 0/0\r\nRouter(config-if)# ip traffic-export apply corp1\r\nThe following example shows how to apply the capture profile “corp2” to interface Fast Ethernet 0/0, and specify\r\na capture buffer of 10,000,000 bytes.\r\nRouter(config)# ip traffic-export profile corp2 mode capture\r\nRouter(config-rite)# bidirectional\r\nRouter(config-rite)# outgoing sample one-in-every 50\r\nRouter(config-rite)# incoming access-list ham_acl\r\nRouter(config-rite)# length 512\r\nRouter(config-rite)# exit\r\nRouter(config)# interface FastEthernet 0/0\r\nRouter(config-if)# ip traffic-export apply corp2 size 10000000\r\nAfter a profile is activated on the interface, a logging message such as the following will appear:\r\n%RITE-5-ACTIVATE: Activated IP traffic export on interface FastEthernet 0/0.\r\nAfter a profile is removed from the interface, a logging message such as the following will appear:\r\n%RITE-5-DEACTIVATE: Deactivated IP traffic export on interface FastEthernet 0/0.\r\nIf you attempt to apply an incomplete profile to an interface, you will receive the following message:\r\nRouter(config-if)# ip traffic-export apply newone\r\nRITE: profile newone has missing outgoing interface\r\nRelated Commands\r\nCommand Description\r\nip traffic-export profile\r\nCreates or edits an IP traffic export profile and enables the profile on an ingress\r\ninterface.\r\ntraffic-export Controls the operation of IP traffic capture mode.\r\nip traffic-export profile\r\nTo create or edit an IP traffic 
export profile or an IP traffic capture profile and enable the profile on an ingress\r\ninterface, use the ip traffic-export profile command in global configuration mode. To remove an IP traffic export\r\nprofile from your router configuration, use the no form of this command.\r\nip traffic-export profile profile-name\r\nno ip traffic-export profile profile-name\r\nCisco 1841, Cisco 2800 Series, and Cisco 3800 Series Routers\r\nip traffic-export profile profile-name mode {capture | export}\r\nno ip traffic-export profile profile-name\r\nSyntax Description\r\nprofile-name IP traffic export profile name.\r\nmode {capture | export}\r\nSpecifies either capture or export mode.\r\ncapture --Captures data to memory.\r\nexport --Exports data to an interface.\r\nCommand Default\r\nA profile does not exist.\r\nCommand Modes\r\nGlobal configuration\r\nCommand History\r\nRelease Modification\r\n12.3(4)T This command was introduced.\r\n12.2(25)S This command was integrated into Cisco IOS Release 12.2(25)S.\r\n12.4(11)T\r\nThis command was updated to incorporate the mode, capture, and export keywords on the Cisco\r\n1841, Cisco 2800 series, and Cisco 3800 series routers.\r\nUsage Guidelines\r\nThe ip traffic-export profile command allows you to begin a profile that can be configured to capture or export IP\r\npackets as they arrive on or leave from a selected router ingress interface.\r\nWhen exporting IP packets, a designated egress interface exports IP packets out of the router. So, the router can\r\nexport unaltered IP packets to a directly connected device.\r\nWhen capturing IP packets, the packets are stored in local router memory. 
They may then be dumped to an\r\nexternal device.\r\nIP Traffic Export Profiles\r\nAll exported IP traffic configurations are specified by profiles, which consist of RITE-related command-line\r\ninterface (CLI) commands that control various attributes of both incoming and outgoing IP traffic. You can\r\nconfigure a router with multiple profiles. (Each profile must have a different name.) You can apply different\r\nprofiles on different interfaces.\r\nThe two profiles to configure are:\r\nGlobal configuration profile, which you configure using the ip traffic-export profile command.\r\nSubmode configuration profile, which you configure using any of the following RITE commands--\r\nbidirectional, incoming, interface, mac-address, and outgoing.\r\nUse the interface and mac-address commands to successfully create a profile. If you do not issue these commands,\r\nyou will receive profile-incomplete messages such as the following:\r\nip traffic-export profile newone\r\n! No outgoing interface configured\r\n! No destination mac-address configured\r\nAfter you configure your profiles, you can apply the profiles to an interface with the ip traffic-export apply profile\r\ncommand, which will activate it.\r\nIP Traffic Capture Profiles\r\nOn the Cisco 1841, Cisco 2800 series, and Cisco 3800 series routers, you can also configure IP traffic capture. 
A\r\ncaptured IP traffic configuration is specified by a profile, which consists of RITE-related command-line interface\r\n(CLI) commands that control various attributes of both incoming and outgoing IP traffic.\r\nThe two profiles that you should configure are:\r\nGlobal configuration profile, which you configure using the ip traffic-export profile mode capture\r\ncommand.\r\nSubmode configuration profile, which you configure using any of the following RITE commands--\r\nbidirectional, incoming, length, and outgoing.\r\nAfter you configure your profiles, you can apply the profiles to an interface with the ip traffic-export apply profile\r\ncommand, which will activate it.\r\nWhen the IP traffic capture profile is applied to an interface, use the traffic-export command to control the capture\r\nof the traffic.\r\nNote\r\nCisco IOS Release 12.4(9)T and 12.4(15)T cannot capture outgoing router-generated Internet Control\r\nMessage Protocol (ICMP) or IPsec traffic.\r\nExamples\r\nThe following example shows how to configure the profile \"corp1,\" which sends captured IP traffic to host\r\n\"00a.8aab.90a0\" at the interface \"FastEthernet 0/1.\" This profile is also configured to export 1 in every 50 packets\r\nand to allow incoming traffic only from the access control list (ACL) \"ham_ACL.\"\r\nRouter(config)# ip traffic-export profile corp1\r\nRouter(config-rite)# interface FastEthernet 0/1\r\nRouter(config-rite)# bidirectional\r\nRouter(config-rite)# mac-address 00a.8aab.90a0\r\nRouter(config-rite)# outgoing sample one-in-every 50\r\nRouter(config-rite)# incoming access-list ham_acl\r\nRouter(config-rite)# exit\r\nRouter(config)# interface FastEthernet 0/0\r\nRouter(config-if)# ip traffic-export apply corp1\r\nThe following example shows how to configure the profile \"corp2,\" which captures IP traffic and stores it in a\r\nlocal router 
memory buffer of 10,000,000 bytes. This profile also captures 1 in every 50 packets and allows\r\nincoming traffic only from the access control list (ACL) \"ham_ACL.\"\r\nRouter(config)# ip traffic-export profile corp2 mode capture\r\nRouter(config-rite)# bidirectional\r\nRouter(config-rite)# outgoing sample one-in-every 50\r\nRouter(config-rite)# incoming access-list ham_acl\r\nRouter(config-rite)# length 512\r\nRouter(config-rite)# exit\r\nRouter(config)# interface FastEthernet 0/0\r\nRouter(config-if)# ip traffic-export apply corp2 size 10000000\r\nRelated Commands\r\nCommand Description\r\nbidirectional\r\nEnables incoming and outgoing IP traffic to be exported or captured across a\r\nmonitored interface.\r\nincoming Configures filtering for incoming export or capture traffic.\r\ninterface (RITE) Specifies the outgoing interface for exporting traffic.\r\nip traffic-export apply profile\r\nApplies an IP traffic export or IP traffic capture profile to a specific interface.\r\nlength Specifies the length of the packet in capture mode.\r\nmac-address Specifies the Ethernet address of the destination host in traffic export.\r\noutgoing Configures filtering for outgoing export or capture traffic.\r\ntraffic-export interface Controls the operation of IP traffic capture mode.\r\nip trigger-authentication (global)\r\nTo enable the automated part of double authentication at a device, use the ip trigger-authentication command in\r\nglobal configuration mode. 
To disable the automated part of double authentication, use the no form of this\r\ncommand.\r\nip trigger-authentication [timeout seconds] [port number]\r\nno ip trigger-authentication\r\nSyntax Description\r\ntimeout\r\nseconds\r\n(Optional) Specifies how frequently the local device sends a User Datagram Protocol (UDP)\r\npacket to the remote host to request the user’s username and password (or PIN). The default is\r\n90 seconds. See “The Timeout Keyword” in the Usage Guidelines section for details.\r\nport\r\nnumber\r\n(Optional) Specifies the UDP port to which the local router should send the UDP packet\r\nrequesting the user’s username and password (or PIN). The default is port 7500. See “The Port\r\nKeyword” in the Usage Guidelines section for details.\r\nCommand Default\r\nThe default timeout is 90 seconds, and the default port number is 7500.\r\nCommand Modes\r\nGlobal configuration\r\nCommand History\r\nRelease Modification\r\n11.3 T This command was introduced.\r\n12.2(33)SRA This command was integrated into Cisco IOS Release 12.2(33)SRA.\r\n12.2SX\r\nThis command is supported in the Cisco IOS Release 12.2SX train. Support in a specific\r\n12.2SX release of this train depends on your feature set, platform, and platform hardware.\r\nUsage Guidelines\r\nConfigure this command on the local device (router or network access server) that remote users dial in to. Use this\r\ncommand only if the local device has already been configured to provide double authentication; this command\r\nenables automation of the second authentication of double authentication.\r\nThe timeout Keyword\r\nDuring the second authentication stage of double authentication--when the remote user is authenticated--the\r\nremote user must send a username and password (or PIN) to the local device. 
With automated double\r\nauthentication, the local device sends a UDP packet to the remote user’s host during the second user-authentication stage. This UDP packet triggers the remote host to launch a dialog box requesting a username and\r\npassword (or PIN).\r\nIf the local device does not receive a valid response to the UDP packet within a timeout period, the local device\r\nwill send another UDP packet. The device will continue to send UDP packets at the timeout intervals until it\r\nreceives a response and can authenticate the user.\r\nBy default, the UDP packet timeout interval is 90 seconds. Use the timeout keyword to specify a different interval.\r\n(This timeout also applies to how long entries will remain in the remote host table; see the show ip trigger-authentication command for details.)\r\nThe port Keyword\r\nAs described in the previous section, the local device sends a UDP packet to the remote user’s host to request the\r\nuser’s username and password (or PIN). This UDP packet is sent to UDP port 7500 by default. (The remote host\r\nclient software listens to UDP port 7500 by default.) If you need to change the port number because port 7500 is\r\nused by another application, you should change the port number using the port keyword. 
If you change the port\r\nnumber, you need to change it in both places--both on the local device and in the remote host client software.\r\nExamples\r\nThe following example globally enables automated double authentication and sets the timeout to 120 seconds:\r\nip trigger-authentication timeout 120\r\nRelated Commands\r\nCommand Description\r\nip trigger-authentication (interface)\r\nSpecifies automated double authentication at an interface.\r\nshow ip trigger-authentication\r\nDisplays the list of remote hosts for which automated double authentication\r\nhas been attempted.\r\nip trigger-authentication (interface)\r\nTo specify automated double authentication at an interface, use the ip trigger-authentication command in interface\r\nconfiguration mode. To turn off automated double authentication at an interface, use the no form of this command.\r\nip trigger-authentication\r\nno ip trigger-authentication\r\nSyntax Description\r\nThis command has no arguments or keywords.\r\nCommand Default\r\nAutomated double authentication is not enabled for specific interfaces.\r\nCommand Modes\r\nInterface configuration\r\nCommand History\r\nRelease Modification\r\n11.3 T This command was introduced.\r\n12.2(33)SRA This command was integrated into Cisco IOS Release 12.2(33)SRA.\r\n12.2SX\r\nThis command is supported in the Cisco IOS Release 12.2SX train. Support in a specific\r\n12.2SX release of this train depends on your feature set, platform, and platform hardware.\r\nUsage Guidelines\r\nConfigure this command on the local router or network access server that remote users dial into. 
Use this\r\ncommand only if the local device has already been configured to provide double authentication and if automated\r\ndouble authentication has been enabled with the ip trigger-authentication (global) command.\r\nThis command causes double authentication to occur automatically when users dial into the interface.\r\nExamples\r\nThe following example turns on automated double authentication at the ISDN BRI interface BRI0:\r\ninterface BRI0\r\n ip trigger-authentication\r\n encapsulation ppp\r\n ppp authentication chap\r\nRelated Commands\r\nCommand Description\r\nip trigger-authentication (global) Enables the automated part of double authentication at a device.\r\nip urlfilter alert\r\nTo enable URL filtering system alert messages, use the ip urlfilter alert command in global configuration mode.\r\nTo disable the system alert, use the no form of this command.\r\nip urlfilter alert [vrf vrf-name]\r\nno ip urlfilter alert\r\nSyntax Description\r\nvrf vrf-name (Optional) Enables URL filtering system alert messages only for the specified Virtual Routing\r\nand Forwarding (VRF) interface.\r\nCommand Default\r\nURL filtering messages are enabled.\r\nCommand Modes\r\nGlobal configuration\r\nCommand History\r\nRelease Modification\r\n12.2(11)YU This command was introduced.\r\n12.2(15)T This command was integrated into Cisco IOS Release 12.2(15)T.\r\n12.3(14)T The vrf vrf-name keyword/argument pair was added.\r\nUsage Guidelines\r\nUse the ip urlfilter alert command to display system messages, such as a server entering allow mode, a server\r\ngoing down, or a URL that is too long for the lookup request.\r\nExamples\r\nThe following example shows how to enable URL filtering alert messages:\r\nip inspect name test http 
urlfilter\r\nip urlfilter cache 5\r\nip urlfilter exclusive-domain permit .weapons.com\r\nip urlfilter exclusive-domain deny .nbc.com\r\nip urlfilter exclusive-domain permit www.cisco.com\r\nip urlfilter audit-trail\r\nip urlfilter alert\r\nip urlfilter server vendor websense 192.168.3.1\r\nAfterward, system alert messages such as the following are displayed:\r\n%URLF-3-SERVER_DOWN:Connection to the URL filter server 10.92.0.9 is down\r\nThis level-three LOG_ERR-type message is displayed when a configured URL filter server (UFS) goes down. When this happens, the firewall will mark the configured server as secondary and try to bring up one of the other secondary servers and mark that server as the primary server. If there is no other server configured, the firewall will enter allow mode and display the URLF-3-ALLOW_MODE message described next.\r\n%URLF-3-ALLOW_MODE:Connection to all URL filter servers are down and ALLOW MODE is OFF\r\nThis LOG_ERR-type message is displayed when all UFSs are down and the system enters allow mode.\r\nNote\r\nWhenever the system goes into allow mode (all filter servers are down), a periodic keepalive timer will be triggered that will try to bring up a server by opening a TCP connection.\r\n%URLF-5-SERVER_UP:Connection to an URL filter server 10.92.0.9 is made, the system is returning from ALLOW MODE\r\nThis LOG_NOTICE-type message is displayed when a UFS is detected as being up and the system is returning from allow mode.\r\n%URLF-4-URL_TOO_LONG:URL too long (more than 3072 bytes), possibly a fake packet?\r\nThis LOG_WARNING-type message is displayed when the URL in a lookup request is too long; any URL longer than 3072 bytes will be dropped.\r\n%URLF-4-MAX_REQ:The number of pending request exceeds the maximum limit <1000>\r\nThis LOG_WARNING-type message is displayed when the number 
of pending requests in the system exceeds the maximum limit and all further requests are dropped.\r\nip urlfilter allowmode\r\nTo turn on the default mode (allow mode) of the filtering algorithm, use the ip urlfilter allowmode command in global configuration mode. To disable the default mode, use the no form of this command.\r\nip urlfilter allowmode [on | off] [vrf vrf-name]\r\nno ip urlfilter allowmode [on | off]\r\nSyntax Description\r\non (Optional) Allow mode is on.\r\noff (Optional) Allow mode is off.\r\nvrf vrf-name (Optional) Turns on the default mode of the filtering algorithm only for the specified Virtual Routing and Forwarding (VRF) interface.\r\nCommand Default\r\nAllow mode is off.\r\nCommand Modes\r\nGlobal configuration\r\nCommand History\r\nRelease Modification\r\n12.2(11)YU This command was introduced.\r\n12.2(15)T This command was integrated into Cisco IOS Release 12.2(15)T.\r\n12.3(14)T The vrf vrf-name keyword and argument pair was added.\r\nUsage Guidelines\r\nThe system will go into allow mode when connections to all vendor servers (Websense or N2H2) are down. The system will return to normal mode when a connection to at least one vendor server is up. 
Allow mode directs your system to forward or drop all packets on the basis of the configurable allow mode setting: if allow mode is on and the vendor servers are down, the HTTP requests will be allowed to pass; if allow mode is off and the vendor servers are down, the HTTP requests will be forbidden.\r\nExamples\r\nThe following example shows how to enable allow mode on your system:\r\nip urlfilter allowmode on\r\nAfterward, the following alert message will be displayed when the system goes into allow mode:\r\n%URLF-3-ALLOW_MODE: Connection to all URL filter servers are down and ALLOW MODE if OFF\r\nThe following alert message will be displayed when the system returns from allow mode:\r\n%URLF-5-SERVER_UP: Connection to an URL filter server 12.0.0.3 is made, the system is returning from allow mode\r\nip urlfilter audit-trail\r\nTo log messages into the syslog server or router, use the ip urlfilter audit-trail command in global configuration mode. To disable this functionality, use the no form of this command.\r\nip urlfilter audit-trail [vrf vrf-name]\r\nno ip urlfilter audit-trail\r\nSyntax Description\r\nvrf vrf-name (Optional) Logs messages into the syslog server or router only for the specified Virtual Routing and Forwarding (VRF) interface.\r\nCommand Default\r\nThis command is disabled.\r\nCommand Modes\r\nGlobal configuration\r\nCommand History\r\nRelease Modification\r\n12.2(11)YU This command was introduced.\r\n12.2(15)T This command was integrated into Cisco IOS Release 12.2(15)T.\r\n12.3(14)T The vrf vrf-name keyword and argument pair was added.\r\nUsage Guidelines\r\nUse the ip urlfilter audit-trail command to log messages such as URL request status (allow or deny) into your syslog server.\r\nExamples\r\nThe following example shows how to enable syslog message logging:\r\nip inspect name test http urlfilter\r\nip 
urlfilter cache 5\r\nip urlfilter exclusive-domain permit .weapons.com\r\nip urlfilter exclusive-domain deny .nbc.com\r\nip urlfilter exclusive-domain permit www.cisco.com\r\nip urlfilter audit-trail\r\nip urlfilter alert\r\nip urlfilter server vendor websense 209.165.202.130\r\nAfterward, audit trail messages such as the following are displayed and logged into the log server:\r\n%URLF-6-SITE_ALLOWED:Client 209.165.201.15:12543 accessed server 10.76.82.21:8080\r\nThis message is logged for each request whose destination IP address is found in the cache. It includes the source IP address, source port number, destination IP address, and destination port number. The URL is not logged in this case because the IP address of the request is found in the cache; parsing the request and extracting the URL would therefore be unnecessary work.\r\n%URLF-4-SITE-BLOCKED: Access denied for the site ‘www.sports.com’; client 209.165.200.230:34557 server 209.165.2\r\nThis message is logged when a request finds a match against one of the blocked domains in the exclusive-domain list or the corresponding entry in the IP cache.\r\n%URLF-6-URL_ALLOWED:Access allowed for URL http://www.N2H2.com/; client 209.165.200.230:54123 server 192.168.0.\r\nThis message is logged for each URL request that is allowed by the vendor server (Websense or N2H2). It includes the allowed URL, source IP address, source port number, destination IP address, and destination port number. Longer URLs will be truncated to 300 bytes and then logged.\r\n%URLF-6-URL_BLOCKED:Access denied URL http://www.google.com; client 209.165.200.230:54678 server 209.165.201.2:8\r\nThis message is logged for each URL request that is blocked by the vendor server. It includes the blocked URL, source IP address, source port number, destination IP address, and destination port number. 
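The alert messages listed under ip urlfilter alert and the audit-trail messages above are what a syslog collector actually receives. The following Python is an added example, not Cisco code: it parses those messages into structured events, tallies allowed and blocked requests per client, and tracks whether the firewall has entered allow mode. The sample lines are constructed from the documented message formats; the timestamps and the completed server addresses are assumptions.

```python
"""Parse and triage %URLF syslog messages emitted by the Cisco IOS URL filter.

Added example, not Cisco code.  The patterns follow the message formats documented
for ip urlfilter alert and ip urlfilter audit-trail; the sample lines are constructed
from those formats (timestamps and the completed server addresses are assumed).
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# %URLF-<severity>-<mnemonic>:<body>  (a mnemonic may contain '-', as in SITE-BLOCKED)
HEADER = re.compile(r"%URLF-(?P<sev>\d)-(?P<mnemonic>[A-Z_-]+):\s*(?P<body>.*)")
# "client a.b.c.d:port server a.b.c.d:port" in URL_ALLOWED, URL_BLOCKED and SITE-BLOCKED
ENDPOINTS = re.compile(
    r"client\s+(?P<cip>[\d.]+):(?P<cport>\d+)\s+server\s+(?P<sip>[\d.]+):(?P<sport>\d+)")
# "Client a.b.c.d:port accessed server a.b.c.d:port" in SITE_ALLOWED
SITE_ALLOWED = re.compile(
    r"Client\s+(?P<cip>[\d.]+):(?P<cport>\d+)\s+accessed server\s+(?P<sip>[\d.]+):(?P<sport>\d+)")
URL_FIELD = re.compile(r"URL\s+(?P<url>\S+?);")                # "... URL http://host/path; client ..."
SITE_FIELD = re.compile(r"site\s+[‘']?(?P<site>[^’';\s]+)")     # "... the site ‘www.example.com’; ..."
FILTER_SERVER = re.compile(r"filter server\s+(?P<ip>[\d.]+)")   # SERVER_DOWN / SERVER_UP alerts

SEVERITY = {3: "LOG_ERR", 4: "LOG_WARNING", 5: "LOG_NOTICE", 6: "LOG_INFO"}
VERDICTS = {"URL_ALLOWED": "allowed", "SITE_ALLOWED": "allowed",
            "URL_BLOCKED": "blocked", "SITE-BLOCKED": "blocked"}


@dataclass
class UrlfEvent:
    severity: int
    mnemonic: str
    verdict: Optional[str] = None   # "allowed"/"blocked" for audit-trail messages, else None
    client: Optional[str] = None    # "ip:port" of the HTTP client
    server: Optional[str] = None    # "ip:port" of the web server, or the filter-server IP in alerts
    url: Optional[str] = None       # URL or exclusive-domain site named in the message
    fail_open: bool = False         # True for ALLOW_MODE: only the allowmode setting now decides


def parse_urlf(line: str) -> Optional[UrlfEvent]:
    """Return a structured event for one syslog line, or None if it is not a %URLF message."""
    m = HEADER.search(line)          # search(), so a timestamp or hostname prefix is tolerated
    if not m:
        return None
    body = m["body"]
    ev = UrlfEvent(severity=int(m["sev"]), mnemonic=m["mnemonic"])
    ev.verdict = VERDICTS.get(ev.mnemonic)
    ep = ENDPOINTS.search(body) or SITE_ALLOWED.search(body)
    if ep:
        ev.client = f"{ep['cip']}:{ep['cport']}"
        ev.server = f"{ep['sip']}:{ep['sport']}"
    u = URL_FIELD.search(body)
    if u:
        ev.url = u["url"]
    elif ev.mnemonic == "SITE-BLOCKED":
        s = SITE_FIELD.search(body)
        ev.url = s["site"] if s else None
    fs = FILTER_SERVER.search(body)
    if fs and ev.server is None:
        ev.server = fs["ip"]
    ev.fail_open = ev.mnemonic == "ALLOW_MODE"
    return ev


def triage(lines: List[str]) -> dict:
    """Count verdicts, tally blocks per client, and track whether the firewall is in allow mode."""
    report: dict = {"allowed": 0, "blocked": 0, "blocked_by_client": {},
                    "alerts": [], "fail_open": False}
    for line in lines:
        ev = parse_urlf(line)
        if ev is None:
            continue
        if ev.verdict:
            report[ev.verdict] += 1
            if ev.verdict == "blocked" and ev.client:
                cip = ev.client.split(":")[0]
                report["blocked_by_client"][cip] = report["blocked_by_client"].get(cip, 0) + 1
        else:
            report["alerts"].append(f"{SEVERITY.get(ev.severity, '?')} {ev.mnemonic}")
        if ev.mnemonic == "ALLOW_MODE":
            report["fail_open"] = True    # all filter servers down; see ip urlfilter allowmode
        elif ev.mnemonic == "SERVER_UP":
            report["fail_open"] = False   # a filter server answered; normal filtering resumed
    return report


# Constructed sample log modelled on the messages documented in this section.
SAMPLE_SYSLOG = [
    "Mar  1 10:00:01: %URLF-3-SERVER_DOWN:Connection to the URL filter server 10.92.0.9 is down",
    "Mar  1 10:00:01: %URLF-3-ALLOW_MODE:Connection to all URL filter servers are down and ALLOW MODE is OFF",
    "Mar  1 10:00:05: %URLF-6-SITE_ALLOWED:Client 209.165.201.15:12543 accessed server 10.76.82.21:8080",
    "Mar  1 10:00:07: %URLF-4-SITE-BLOCKED: Access denied for the site ‘www.sports.com’; "
    "client 209.165.200.230:34557 server 209.165.201.2:80",
    "Mar  1 10:00:09: %URLF-6-URL_ALLOWED:Access allowed for URL http://www.N2H2.com/; "
    "client 209.165.200.230:54123 server 192.168.0.10:80",
    "Mar  1 10:00:11: %URLF-6-URL_BLOCKED:Access denied URL http://www.google.com; "
    "client 209.165.200.230:54678 server 209.165.201.2:80",
    "Mar  1 10:00:15: %URLF-5-SERVER_UP:Connection to an URL filter server 10.92.0.9 is made, "
    "the system is returning from ALLOW MODE",
    "Mar  1 10:00:20: %URLF-4-URL_TOO_LONG:URL too long (more than 3072 bytes), possibly a fake packet?",
]
```

A SERVER_DOWN or ALLOW_MODE alert that is not followed by SERVER_UP means filtering is being decided by the allowmode setting alone, which is the condition worth paging on.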
Longer URLs will be truncated to 300 bytes and then logged.\r\nip urlfilter cache\r\nTo configure cache parameters, use the ip urlfilter cache command in global configuration mode. To clear the configuration, use the no form of this command.\r\nip urlfilter cache number [vrf vrf-name]\r\nno ip urlfilter cache number\r\nSyntax Description\r\nnumber Maximum number of destination IP addresses that can be cached into the cache table. The default value is 5000.\r\nvrf vrf-name (Optional) Configures cache parameters only for the specified Virtual Routing and Forwarding (VRF) interface.\r\nCommand Default\r\nMaximum number of destination IP addresses is 5000.\r\nThe cache table is cleared out every 12 hours.\r\nCommand Modes\r\nGlobal configuration\r\nCommand History\r\nRelease Modification\r\n12.2(11)YU This command was introduced.\r\n12.2(15)T This command was integrated into Cisco IOS Release 12.2(15)T.\r\n12.3(14)T The vrf vrf-name keyword and argument pair was added.\r\nUsage Guidelines\r\nThe cache table consists of the most recently requested IP addresses and the respective authorization status for each IP address.\r\nThe caching algorithm involves three parameters--the maximum number of IP addresses that can be cached, an idle time, and an absolute time. The algorithm also involves two timers--an idle timer and an absolute timer. The idle timer is a small periodic timer (1 minute) that checks whether the number of cached IP addresses in the cache table exceeds 80 percent of the maximum limit. If the cached IP addresses have exceeded 80 percent, it will start removing idle entries; if they have not exceeded 80 percent, it will quit and wait for the next cycle. The absolute timer is a large periodic timer (1 hour) that is used to remove all of the elapsed entries. 
(An elapsed entry is one whose age is greater than the absolute time.) An elapsed entry will also be removed during cache lookup.\r\nThe idle time value is fixed at 10 minutes. The absolute time value is taken from the vendor server look-up response, which is often greater than 15 hours. The absolute time for cache entries created from exclusive domains is 12 hours. The maximum number of cache entries is configured with the ip urlfilter cache command.\r\nNote\r\nThe vendor server is not able to inform the Cisco IOS firewall of filtering policy changes in the database.\r\nExamples\r\nThe following example shows how to configure the cache table to hold a maximum of five destination IP addresses:\r\nip inspect name test http urlfilter\r\nip urlfilter cache 5\r\nip urlfilter exclusive-domain permit .weapons.com\r\nip urlfilter exclusive-domain deny .nbc.com\r\nip urlfilter exclusive-domain permit www.cisco.com\r\nip urlfilter audit-trail\r\nip urlfilter alert\r\nip urlfilter server vendor websense 192.168.3.1\r\nRelated Commands\r\nCommand Description\r\nclear ip urlfilter cache Clears the cache table.\r\nshow ip urlfilter cache Displays the destination IP addresses that are cached into the cache table.\r\nip urlfilter exclusive-domain\r\nTo add or remove a domain name to or from the exclusive domain list so that the firewall does not have to send lookup requests to the vendor server, use the ip urlfilter exclusive-domain command in global configuration mode. To remove a domain name from the exclusive domain name list, use the no form of this command.\r\nip urlfilter exclusive-domain {permit | deny} domain-name [vrf vrf-name]\r\nno ip urlfilter exclusive-domain {permit | deny} 
domain-name\r\nSyntax Description\r\npermit Permits all traffic destined for the specified domain name.\r\ndeny Blocks all traffic destined for the specified domain name.\r\ndomain-name Domain name that is added to or removed from the exclusive domain name list; for example, www.cisco.com.\r\nvrf vrf-name (Optional) Adds or removes a domain name only for the specified Virtual Routing and Forwarding (VRF) interface.\r\nCommand Default\r\nThis command is not enabled.\r\nCommand Modes\r\nGlobal configuration\r\nCommand History\r\nRelease Modification\r\n12.2(11)YU This command was introduced.\r\n12.2(15)T This command was integrated into Cisco IOS Release 12.2(15)T.\r\n12.3(14)T The vrf vrf-name keyword and argument pair was added.\r\nUsage Guidelines\r\nThe ip urlfilter exclusive-domain command allows you to specify a list of domain names (exclusive domains) so that the firewall will not create a lookup request for the HTTP traffic that is destined for one of the domains in the exclusive list. 
Thus, you can avoid sending look-up requests to the vendor server for HTTP traffic that is destined for a host that is allowed for all users.\r\nYou can enter either the complete domain name or a partial domain name.\r\nComplete Domain Name\r\nIf you add a complete domain name, such as “www.cisco.com,” to the exclusive domain list, all HTTP traffic whose URLs are destined for this domain (such as www.cisco.com/news and www.cisco.com/index) will be excluded from the URL filtering policies of the vendor server (Websense or N2H2), and on the basis of the configuration, the URLs will be permitted or blocked (denied).\r\nPartial Domain Name\r\nIf you add only a partial domain name to the exclusive domain list, such as “.cisco.com,” all URLs whose domain names end with this partial domain name (such as www.cisco.com/products and www.cisco.com/eng) will be excluded from the URL filtering policies of the vendor server (Websense or N2H2), and on the basis of the configuration, the URLs will be permitted or blocked (denied).\r\nExamples\r\nThe following example shows how to add the complete domain name “www.cisco.com” to the exclusive domain name list. This configuration will block all traffic destined to the www.cisco.com domain.\r\nip urlfilter exclusive-domain deny www.cisco.com\r\nThe following example shows how to add the partial domain name “.cisco.com” to the exclusive domain name list. This configuration will permit all traffic destined to domains that end with .cisco.com.\r\nip urlfilter exclusive-domain permit .cisco.com\r\nip urlfilter max-request\r\nTo set the maximum number of outstanding requests that can exist at any given time, use the ip urlfilter max-request command in global configuration mode. 
To disable this function, use the no form of this command.\r\nip urlfilter max-request number [vrf vrf-name]\r\nno ip urlfilter max-request number\r\nSyntax Description\r\nnumber Maximum number of outstanding requests. The default value is 1000.\r\nvrf vrf-name (Optional) Sets the maximum number of outstanding requests only for the specified Virtual Routing and Forwarding (VRF) interface.\r\nCommand Default\r\nMaximum number of requests is 1000.\r\nCommand Modes\r\nGlobal configuration\r\nCommand History\r\nRelease Modification\r\n12.2(11)YU This command was introduced.\r\n12.2(15)T This command was integrated into Cisco IOS Release 12.2(15)T.\r\n12.3(14)T The vrf vrf-name keyword and argument pair was added.\r\nUsage Guidelines\r\nIf the specified maximum number of outstanding requests is exceeded, new requests will be dropped.\r\nNote\r\nAllow mode is not considered in this case, because allow mode is meant to be used only when the servers are down.\r\nExamples\r\nThe following example shows how to configure the maximum number of outstanding requests to 950:\r\nip inspect name url_filter http\r\nip urlfilter max-request 950\r\nRelated Commands\r\nCommand Description\r\nip inspect name Defines a set of inspection rules.\r\nip urlfilter server vendor Configures a vendor server for URL filtering.\r\nip urlfilter max-resp-pak\r\nTo configure the maximum number of HTTP responses that the firewall can keep in its packet buffer, use the ip urlfilter max-resp-pak command in global configuration mode. 
To return to the default, use the no form of this command.\r\nip urlfilter max-resp-pak number [vrf vrf-name]\r\nno ip urlfilter max-resp-pak number\r\nSyntax Description\r\nnumber Maximum number of HTTP responses that can be stored in the packet buffer of the firewall. After the maximum number has been reached, the firewall will drop further responses. The default, and absolute maximum, value is 200.\r\nvrf vrf-name (Optional) Sets the maximum number of HTTP responses only for the specified Virtual Routing and Forwarding (VRF) interface.\r\nCommand Default\r\n200 HTTP responses\r\nCommand Modes\r\nGlobal configuration\r\nCommand History\r\nRelease Modification\r\n12.2(11)YU This command was introduced.\r\n12.2(15)T This command was integrated into Cisco IOS Release 12.2(15)T.\r\n12.3(14)T The vrf vrf-name keyword and argument pair was added.\r\nUsage Guidelines\r\nWhen an HTTP request arrives at a Cisco IOS firewall, the firewall forwards the request to the web server while simultaneously sending a URL look-up request to the vendor server (Websense or N2H2). If the vendor server reply arrives before the HTTP response, the firewall will know whether to permit or block the HTTP response; if the HTTP response arrives before the vendor server reply, the firewall will not know whether to allow or block the response, so the firewall will drop the response until it hears from the vendor server. The ip urlfilter max-resp-pak command allows you to configure your firewall to store such HTTP responses in a buffer, up to a maximum of 200 responses. Each response will remain in the buffer until an allow or deny message is received from the vendor server. 
If the vendor server reply allows the URL, the firewall will release the HTTP response from the buffer to the end user; if the vendor server reply denies the URL, the firewall will discard the HTTP response from the buffer and close the connection to both ends.\r\nExamples\r\nThe following example shows how to configure your firewall to hold 150 HTTP responses:\r\nip urlfilter max-resp-pak 150\r\nip urlfilter server vendor\r\nEffective with Cisco IOS Release 15.4(3)M, the ip urlfilter server vendor command is not available in Cisco IOS software.\r\nTo configure a vendor server for URL filtering, use the ip urlfilter server vendor command in global configuration mode. To remove a server from your configuration, use the no form of this command.\r\nip urlfilter server vendor {websense | n2h2} ip-address [port port-number] [timeout seconds] [retransmit number] [outside] [vrf vrf-name]\r\nno ip urlfilter server vendor {websense | n2h2} ip-address [port port-number] [timeout seconds] [retransmit number] [outside]\r\nSyntax Description\r\nwebsense Websense server will be used.\r\nn2h2 N2H2 server will be used.\r\nip-address IP address of the vendor server.\r\nport port-number (Optional) Port number that the vendor server listens on. The default port number is 15868.\r\ntimeout seconds (Optional) Length of time, in seconds, that the Cisco IOS firewall will wait for a response from the vendor server. The default timeout is 5 seconds.\r\nretransmit number (Optional) Number of times the Cisco IOS firewall will retransmit the request when a response does not arrive for the request. 
The default is two retransmissions.\r\noutside (Optional) Vendor server will be deployed on the outside network.\r\nvrf vrf-name (Optional) Configures a vendor server for URL filtering only for the specified Virtual Routing and Forwarding (VRF) interface.\r\nCommand Default\r\nA vendor server is not configured.\r\nCommand Modes\r\nGlobal configuration\r\nCommand History\r\nRelease Modification\r\n12.2(11)YU This command was introduced.\r\n12.2(15)T This command was integrated into Cisco IOS Release 12.2(15)T.\r\n12.3(2)T The outside keyword was added.\r\n12.3(14)T The vrf vrf-name keyword and argument pair was added.\r\n15.4(3)M This command was removed.\r\nUsage Guidelines\r\nUse the ip urlfilter server vendor command to configure a Websense or N2H2 server, which will interact with the Cisco IOS Firewall to filter HTTP requests on the basis of a specified policy--global filtering, user- or group-based filtering, keyword-based filtering, category-based filtering, or customized filtering.\r\nIf the firewall has not received a response from the vendor server within the time specified in the timeout seconds keyword and argument, the firewall will check the retransmit number keyword and argument configured for the vendor server. If the firewall has not exceeded the maximum retransmit tries allowed, it will resend the HTTP lookup request. If the firewall has exceeded the maximum retransmit tries allowed, it will delete the outstanding request from the queue and check the status of the allow mode value. The firewall will forward the request if allow mode is on; otherwise, it will drop the request.\r\nBy default, URL lookup requests that are made to the vendor server contain non-natted client IP addresses because the vendor server is deployed on the inside network. 
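The timeout, retransmit and allow-mode decision described above, together with the primary/secondary failover described under ip urlfilter alert, as an added Python model (not Cisco code): the Responder callback is an assumption standing in for the Websense or N2H2 server, and the server addresses are taken from this section's examples.

```python
"""Model of the Cisco IOS URL-filter lookup path: timeout and retransmit, primary/secondary
failover, and the allow-mode decision.  Added example, not Cisco code.  Defaults (5 s
timeout, 2 retransmits, allow mode off) and the failover rules follow this section; the
Responder callback is an assumption standing in for the Websense/N2H2 server."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional

# responder(filter_server_ip, url) -> "allow" | "deny" | None (None = no reply before the timeout)
Responder = Callable[[str, str], Optional[str]]


@dataclass
class VendorServer:
    ip: str
    timeout: float = 5.0   # ip urlfilter server vendor ... timeout seconds (default 5)
    retransmit: int = 2    # ip urlfilter server vendor ... retransmit number (default 2)
    up: bool = True


@dataclass
class LookupResult:
    action: str            # "forward" or "drop" the client's HTTP request
    server: Optional[str]  # filter server that answered, None if none did
    attempts: int          # original request plus retransmissions sent
    waited: float          # seconds of expired timeouts before the decision


@dataclass
class UrlFilter:
    servers: List[VendorServer]
    allow_mode: bool = False   # ip urlfilter allowmode off is the default (fail closed)
    primary: int = 0
    all_down: bool = False
    alerts: List[str] = field(default_factory=list)

    def _activate_server(self) -> bool:
        """Walk the configured list from the top; the first reachable server becomes primary."""
        for i, srv in enumerate(self.servers):
            if srv.up:
                if self.all_down:
                    self.alerts.append(f"%URLF-5-SERVER_UP {srv.ip}")
                self.primary, self.all_down = i, False
                return True
        if not self.all_down:
            self.alerts.append("%URLF-3-ALLOW_MODE")
        self.all_down = True
        return False

    def _allow_mode_action(self) -> str:
        # Every server is down: the allowmode setting alone decides (on = fail open).
        return "forward" if self.allow_mode else "drop"

    def lookup(self, url: str, responder: Responder) -> LookupResult:
        if self.all_down and not self._activate_server():   # keepalive-style retry
            return LookupResult(self._allow_mode_action(), None, 0, 0.0)
        srv = self.servers[self.primary]
        max_attempts = 1 + srv.retransmit
        for attempt in range(1, max_attempts + 1):
            verdict = responder(srv.ip, url)
            if verdict is not None:
                action = "forward" if verdict == "allow" else "drop"
                return LookupResult(action, srv.ip, attempt, (attempt - 1) * srv.timeout)
        # Retransmits exhausted: the outstanding request is deleted, the server is marked
        # down, a new primary is chosen, and allow mode decides this request's fate.
        srv.up = False
        self.alerts.append(f"%URLF-3-SERVER_DOWN {srv.ip}")
        self._activate_server()
        return LookupResult(self._allow_mode_action(), None, max_attempts, max_attempts * srv.timeout)


def demo_failover():
    """Primary never answers; the second configured server takes over (allow mode off)."""
    fw = UrlFilter([VendorServer("192.168.3.1"), VendorServer("192.168.3.2")])

    def responder(ip: str, url: str) -> Optional[str]:
        if ip == "192.168.3.1":
            return None
        return "deny" if url.startswith("http://www.nbc.com") else "allow"

    r1 = fw.lookup("http://www.cisco.com/", responder)   # 3 timeouts, dropped (fail closed)
    r2 = fw.lookup("http://www.nbc.com/", responder)     # answered by the new primary
    return fw, r1, r2


def demo_fail_open():
    """Single server, allow mode on: once it is down, requests pass unfiltered until it returns."""
    fw = UrlFilter([VendorServer("192.168.3.1", retransmit=0)], allow_mode=True)

    def silent(ip: str, url: str) -> Optional[str]:
        return None

    r1 = fw.lookup("http://www.cisco.com/", silent)     # times out -> SERVER_DOWN, ALLOW_MODE
    r2 = fw.lookup("http://www.cisco.com/", silent)     # still down -> forwarded unfiltered
    fw.servers[0].up = True                             # keepalive finds the server again
    r3 = fw.lookup("http://www.cisco.com/", lambda ip, url: "deny")
    return fw, [r1, r2, r3]
```

With the defaults, a single unresponsive primary costs each request 3 attempts and 15 seconds before failover, which is why the timeout and retransmit values are worth tuning together with the number of configured servers.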
The outside keyword allows the vendor server to be deployed on the outside network, thereby allowing Cisco IOS software to send the natted IP address of the client in the URL lookup request.\r\nPrimary and Secondary Servers\r\nWhen users configure multiple vendor servers, the firewall will use only one server at a time--the primary server; all other servers are called secondary servers. When the primary server becomes unavailable for any reason, it becomes a secondary server and one of the secondary servers becomes the primary server.\r\nA firewall marks a primary server as down when sending a request to or receiving a response from the server fails. When a primary server goes down, the system will go to the beginning of the configured servers list and try to activate the first server on the list. If the first server on the list is unavailable, it will try the second server on the list; the system will keep trying to activate a server until it is successful or until it reaches the end of the server list. If the system reaches the end of the server list, it will set a flag indicating that all of the servers are down, and it will enter allow mode.\r\nExamples\r\nThe following example shows how to configure the Websense server for URL filtering:\r\nip inspect name test http urlfilter\r\nip urlfilter cache 5\r\nip urlfilter exclusive-domain permit .weapons.com\r\nip urlfilter exclusive-domain deny .nbc.com\r\nip urlfilter exclusive-domain permit www.cisco.com\r\nip urlfilter audit-trail\r\nip urlfilter alert\r\nip urlfilter server vendor websense 192.168.3.1\r\nRelated Commands\r\nCommand Description\r\nip urlfilter allowmode Turns on the default mode (allow mode) of the filtering algorithm.\r\nip urlfilter max-request Sets the maximum number of outstanding requests that can exist at any given time.\r\nip urlfilter 
source-interface\r\nTo allow the URL filter to specify the interface whose IP address is used as the source IP address while a TCP connection is made to the URL filter server (Websense or N2H2), use the ip urlfilter source-interface command in global configuration mode. To disable the option, use the no form of this command.\r\nip urlfilter source-interface interface-type [vrf vrf-name]\r\nno ip urlfilter source-interface [vrf vrf-name]\r\nSyntax Description\r\ninterface-type Interface type whose IP address is used as the source IP address.\r\nvrf vrf-name (Optional) Specifies the Virtual Routing and Forwarding (VRF) interface.\r\nCommand Default\r\nNo source interface is defined for TCP connections to the URL filter server.\r\nCommand Modes\r\nGlobal configuration (config)\r\nCommand History\r\nRelease Modification\r\n12.3(14)T This command was introduced.\r\nUsage Guidelines\r\nThe ip urlfilter source-interface command is used to define the source interface from which the URL filter request is sent. Configure this command if the URL filter server can be reached only through certain interfaces on the router.\r\nExamples\r\nThe following example specifies the Ethernet interface type as the source of URL filter requests:\r\nRouter(config)# ip urlfilter source-interface ethernet\r\nRelated Commands\r\nCommand Description\r\ndebug ip urlfilter Enables debug information of URL filter subsystems.\r\nip urlfilter truncate\r\nTo allow the URL filter to truncate long URLs to the server, use the ip urlfilter truncate command in global configuration mode. 
To disable the truncating option, use the no form of this command.\r\nip urlfilter truncate {script-parameters | hostname} [vrf vrf-name]\r\nno ip urlfilter truncate {script-parameters | hostname} [vrf vrf-name]\r\nSyntax Description\r\nscript-parameters Specifies that only the URL up to the script options is sent. For example, if the entire URL is http://www.cisco.com/dev/xxx.cgi?when=now, only the URL through http://www.cisco.com/dev/xxx.cgi is sent (if the maximum supported URL length is not exceeded).\r\nhostname Specifies that only the hostname is sent. For example, if the entire URL is http://www.cisco.com/dev/xxx.cgi?when=now, only http://www.cisco.com is sent.\r\nvrf vrf-name (Optional) Specifies the Virtual Routing and Forwarding (VRF) interface.\r\nCommand Default\r\nURLs that are longer than the maximum supported length are not truncated, and the HTTP request is rejected.\r\nCommand Modes\r\nGlobal configuration (config)\r\nCommand History\r\nRelease Modification\r\n12.4(6)T This command was introduced.\r\nUsage Guidelines\r\nIf both the script-parameters and hostname keywords are configured, the script-parameters keyword takes precedence over the hostname keyword. If both keywords are configured and the URL truncated at the script parameters still exceeds the maximum supported URL length, the URL is truncated to the hostname.\r\nNote\r\nIf both the script-parameters and hostname keywords are configured, they must be on separate lines as shown in the “Examples” section. 
They cannot be combined in one line.\r\nExamples\r\nThe following example shows that the URL is to be truncated up to the script options:\r\nip urlfilter truncate script-parameters\r\nThe following example shows that the URL is to be truncated up to the hostname:\r\nip urlfilter truncate hostname\r\nRelated Commands\r\nCommand Description\r\ndebug ip urlfilter Enables debug information of URL filter subsystems.\r\nip urlfilter urlf-server-log\r\nEffective with Cisco IOS Release 15.4(3)M, the ip urlfilter urlf-server-log command is not available in Cisco IOS software.\r\nTo enable the logging of system messages on the URL filtering server, use the ip urlfilter urlf-server-log command in global configuration mode. To disable the logging of system messages, use the no form of this command.\r\nip urlfilter urlf-server-log [vrf vrf-name]\r\nno ip urlfilter urlf-server-log\r\nSyntax Description\r\nvrf vrf-name (Optional) Enables the logging of system messages on the URL filtering server only for the specified Virtual Routing and Forwarding (VRF) interface.\r\nCommand Default\r\nThis command is disabled.\r\nCommand Modes\r\nGlobal configuration\r\nCommand History\r\nRelease Modification\r\n12.2(11)YU This command was introduced.\r\n12.2(15)T This command was integrated into Cisco IOS Release 12.2(15)T.\r\n12.3(14)T The vrf vrf-name keyword and argument pair was added.\r\n15.4(3)M This command was removed.\r\nUsage Guidelines\r\nUse the ip urlfilter urlf-server-log command to enable Cisco IOS to send a log request immediately after the URL lookup request. The firewall will not make a URL lookup request if the destination IP address is in the cache, but it will still make a log request to the server. (The log request contains the URL, hostname, source IP address, and the destination IP address.) 
The server records the log request in its own log server so you can view this information as necessary.\r\nExamples\r\nThe following example shows how to enable system message logging on the URL filter server:\r\nip urlfilter urlf-server-log\r\nip verify drop-rate compute interval\r\nTo configure the interval of time between Unicast Reverse Path Forwarding (RPF) drop rate computations, use the ip verify drop-rate compute interval command in global configuration mode. To reset the interval to the default value, use the no form of this command.\r\nip verify drop-rate compute interval seconds\r\nno ip verify drop-rate compute interval\r\nSyntax Description\r\nseconds Interval, in seconds, between Unicast RPF drop rate computations. The range is from 30 to 300. The default is 30.\r\nCommand Default\r\nThe drop rate is not computed.\r\nCommand Modes\r\nGlobal configuration (config)\r\nCommand History\r\nRelease Modification\r\n12.2(31)SB2 This command was introduced.\r\n12.2(33)SRC This command was integrated into Cisco IOS Release 12.2(33)SRC.\r\n12.4(20)T This command was integrated into Cisco IOS Release 12.4(20)T.\r\n12.2(33)SXI2 This command was integrated into Cisco IOS Release 12.2(33)SXI2.\r\nUsage Guidelines\r\nThe configured value applies for the computation of all Unicast RPF drop rates (global and per interface).\r\nThe value for the compute interval must be less than or equal to the value configured using the ip verify drop-rate compute window command. 
If you configure the no form of the ip verify drop-rate compute interval command while the cipUrpfDropRateWindow value is configured to be less than the default compute interval value, the following message appears on the console:\r\n“urpf drop rate window < interval”\r\nThis error message means that the command was not executed. The compute interval remains at the configured value rather than changing to the default value.\r\nExamples\r\nThe following example shows how to configure a compute interval of 45 seconds:\r\nRouter> enable\r\nRouter# configure terminal\r\nRouter(config)# ip verify drop-rate compute interval 45\r\nRelated Commands\r\nCommand Description\r\nip verify drop-rate compute window Configures the interval of time during which the Unicast RPF drop count is collected for the drop rate computation.\r\nip verify drop-rate notify hold-down Configures the minimum time between Unicast RPF drop rate notifications.\r\nip verify unicast notification threshold Configures the threshold value used to determine whether to send a Unicast RPF drop rate notification.\r\nip verify drop-rate compute window\r\nTo configure the interval of time during which the Unicast Reverse Path Forwarding (RPF) drop count is collected for the drop rate computation, use the ip verify drop-rate compute window command in global configuration mode. To reset the window to the default value, use the no form of this command.\r\nip verify drop-rate compute window seconds\r\nno ip verify drop-rate compute window\r\nSyntax Description\r\nseconds Interval, in seconds, during which the Unicast RPF drop count is accumulated for the drop rate computation. The range is from 30 to 300. 
The default is 300.\r\nCommand Default\r\nThe drop rate is not calculated.\r\nCommand Modes\r\nGlobal configuration (config)\r\nCommand History\r\nRelease Modification\r\n12.2(31)SB2 This command was introduced.\r\n12.2(33)SRC This command was integrated into Cisco IOS Release 12.2(33)SRC.\r\n12.4(20)T This command was integrated into Cisco IOS Release 12.4(20)T.\r\n12.2(33)SXI2 This command was integrated into Cisco IOS Release 12.2(33)SXI2.\r\nUsage Guidelines\r\nThis command configures the sliding window that begins the configured number of seconds prior to the\r\ncomputation and ends with the Unicast RPF drop rate computation. The configured value applies for the\r\nhttps://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/d1/sec-d1-cr-book/sec-cr-i3.html#wp1254331478\r\nPage 115 of 238\n\ncomputation of all Unicast RPF drop rates (global and per interface).\r\nThe value configured for the “compute window” must be greater than or equal to the value configured using the ip\r\nverify drop-rate compute interval command. If you configure the no form of the ip verify drop-rate compute\r\nwindow command while the cipUrpfDropRateInterval value is configured to be greater than the default compute\r\nwindow value, the following message appears on the console:\r\n“urpf drop rate window \u003c interval”\r\nThis error message means that the command was not executed. 
The compute window remains at the configured\r\nvalue rather than changing to the default value.\r\nExamples\r\nThe following example shows how to configure a compute window of 60 seconds:\r\nRouter\u003e enable\r\nRouter# configure terminal\r\nRouter(config)# ip verify drop-rate compute window 60\r\nRelated Commands\r\nCommand Description\r\nip verify drop-rate compute\r\ninterval\r\nConfigures the interval between Unicast RPF drop rate computations.\r\nip verify drop-rate notify\r\nhold-down\r\nConfigures the minimum time between Unicast RPF drop rate notifications.\r\nip verify unicast notification\r\nthreshold\r\nConfigures the threshold value used to determine whether to send a Unicast\r\nRPF drop rate notification.\r\nip verify drop-rate notify hold-down\r\nTo configure the minimum time between Unicast Reverse Path Forwarding (RPF) drop rate notifications, use the\r\nip verify drop-rate notify hold-down command in global configuration mode. To reset the hold-down time to the\r\nhttps://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/d1/sec-d1-cr-book/sec-cr-i3.html#wp1254331478\r\nPage 116 of 238\n\ndefault value, use the no form of this command.\r\nip verify drop-rate notify hold-down seconds\r\nno ip verify drop-rate notify hold-down\r\nSyntax Description\r\nseconds\r\nMinimum time, in seconds, between Unicast RPF drop rate notifications. The range is from 30 to\r\n300. 
The default is 300.\r\nCommand Default\r\nNo notifications are sent.\r\nCommand Modes\r\nGlobal configuration (config)\r\nCommand History\r\nRelease Modification\r\n12.2(31)SB2 This command was introduced.\r\n12.2(33)SRC This command was integrated into Cisco IOS Release 12.2(33)SRC.\r\n12.4(20)T This command was integrated into Cisco IOS Release 12.4(20)T.\r\n12.2(33)SXI2 This command was integrated into Cisco IOS Release 12.2(33)SXI2.\r\nUsage Guidelines\r\nThe configured value applies for the computation of all Unicast RPF drop rates (global and per interface).\r\nExamples\r\nThe following example shows how to configure a notify hold-down time of 40 seconds:\r\nhttps://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/d1/sec-d1-cr-book/sec-cr-i3.html#wp1254331478\r\nPage 117 of 238\n\nRouter\u003e enable\r\nRouter# configure terminal\r\nRouter(config)# ip verify drop-rate notify hold-down 40\r\nRelated Commands\r\nCommand Description\r\nip verify drop-rate compute\r\ninterval\r\nConfigures the interval of time between Unicast RPF drop rate computations.\r\nip verify drop-rate compute\r\nwindow\r\nConfigures the interval of time over which the Unicast RPF drop count used in\r\nthe drop rate computation is collected.\r\nip verify unicast\r\nnotification threshold\r\nConfigures the threshold value used to determine whether to send a Unicast\r\nRPF drop rate notification.\r\nip verify unicast notification threshold\r\nTo configure the threshold value used to determine whether to send a Unicast Reverse Path Forwarding (RPF)\r\ndrop rate notification, use the ip verify unicast notification threshold command in interface configuration mode. 
To\r\nset the notification threshold back to the default value, use the no form of this command.\r\nip verify unicast notification threshold packets-per-second\r\nno ip verify unicast notification threshold\r\nSyntax Description\r\npackets-per-secondThreshold value, in packets per second, used to determine whether to send a Unicast RPF\r\ndrop rate notification. The range is from 0 to 4294967295. The default is 1000.\r\nCommand Default\r\nNo notifications are sent.\r\nCommand Modes\r\nhttps://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/d1/sec-d1-cr-book/sec-cr-i3.html#wp1254331478\r\nPage 118 of 238\n\nInterface configuration (config-if)\r\nCommand History\r\nRelease Modification\r\n12.2(31)SB2 This command was introduced.\r\n12.2(33)SRC This command was integrated into Cisco IOS Release 12.2(33)SRC.\r\n12.4(20)T This command was integrated into Cisco IOS Release 12.4(20)T.\r\n12.2(33)SXI2 This command was integrated into Cisco IOS Release 12.2(33)SXI2.\r\nUsage Guidelines\r\nThis command configures the threshold Unicast RPF drop rate which, when exceeded, triggers a notification.\r\nConfiguring a value of 0 means that any Unicast RPF packet drop triggers a notification.\r\nExamples\r\nThe following example shows how to configure a notification threshold value of 900 on Ethernet interface 3/0:\r\nRouter\u003e enable\r\nRouter# configure terminal\r\nRouter(config# interface ethernet 3/0\r\nRouter(config-if)# ip verify unicast notification threshold 900\r\nRelated Commands\r\nCommand Description\r\nip verify drop-rate compute\r\ninterval\r\nConfigures the interval of time between Unicast RPF drop rate computations.\r\nhttps://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/d1/sec-d1-cr-book/sec-cr-i3.html#wp1254331478\r\nPage 119 of 238\n\nCommand Description\r\nip verify drop-rate compute\r\nwindow\r\nConfigures the interval of time during which the Unicast RPF drop count is\r\ncollected for the drop rate computation.\r\ni p verify drop-rate 
notify hold-down                           Configures the minimum time between Unicast RPF drop rate notifications.

ip verify unicast reverse-path

Note
This command was replaced by the ip verify unicast source reachable-via command effective with Cisco IOS Release 12.0(15)S. The ip verify unicast source reachable-via command allows for more flexibility and functionality, such as supporting asymmetric routing, and should be used for any Reverse Path Forwarding implementation. The ip verify unicast reverse-path command is still supported.

To enable Unicast Reverse Path Forwarding (Unicast RPF), use the ip verify unicast reverse-path command in interface configuration mode. To disable Unicast RPF, use the no form of this command.

ip verify unicast reverse-path [list]
no ip verify unicast reverse-path [list]

Syntax Description

list    (Optional) Specifies a numbered access control list (ACL) in the following ranges:
        1 to 99 (IP standard access list)
        100 to 199 (IP extended access list)
        1300 to 1999 (IP standard access list, expanded range)
        2000 to 2699 (IP extended access list, expanded range)

Command Default

Unicast RPF is disabled.

Command Modes

Interface configuration (config-if)

Command History

Release          Modification
11.1(CC), 12.0   This command was introduced. This command was not included in Cisco IOS Release 11.2 or 11.3.
12.1(2)T         Added ACL support using the list argument. Added per-interface statistics on dropped or suppressed packets.
12.0(15)S        The ip verify unicast source reachable-via command replaced this command, and the following keywords were added to the ip verify unicast source reachable-via command: allow-default, allow-self-ping, rx, and any.
12.1(8a)E        The ip verify unicast reverse-path command was integrated into Cisco IOS Release 12.1(8a)E.
12.2(14)S        The ip verify unicast reverse-path command was integrated into Cisco IOS Release 12.2(14)S.
12.2(14)SX       The ip verify unicast reverse-path command was integrated into Cisco IOS Release 12.2(14)SX.
12.2(33)SRA      The ip verify unicast reverse-path command was integrated into Cisco IOS Release 12.2(33)SRA.

Usage Guidelines

Use the ip verify unicast reverse-path interface command to mitigate problems caused by malformed or forged (spoofed) IP source addresses that are received by a router. Malformed or forged source addresses can indicate denial of service (DoS) attacks on the basis of source IP address spoofing.

When Unicast RPF is enabled on an interface, the router examines all packets that are received on that interface. The router checks to ensure that the source address appears in the Forwarding Information Base (FIB) and that it matches the interface on which the packet was received. This "look backwards" ability is available only when Cisco Express Forwarding is enabled on the router because the lookup relies on the presence of the FIB. Cisco Express Forwarding generates the FIB as part of its operation.

To use Unicast RPF, enable Cisco Express Forwarding switching or distributed Cisco Express Forwarding switching in the router. There is no need to configure the input interface for Cisco Express Forwarding switching. As long as Cisco Express Forwarding is running on the router, individual interfaces can be configured with other switching modes.

Note
It is very important for Cisco Express Forwarding to be configured globally in the router. Unicast RPF will not work without Cisco Express Forwarding.

Note
Unicast RPF is an input function and is applied on the interface of a router only in the ingress direction.

The Unicast Reverse Path Forwarding feature checks to determine whether any packet that is received at a router interface arrives on one of the best return paths to the source of the packet. The feature does this by doing a reverse lookup in the Cisco Express Forwarding table. If Unicast RPF does not find a reverse path for the packet, Unicast RPF can drop or forward the packet, depending on whether an ACL is specified in the Unicast Reverse Path Forwarding command. If an ACL is specified in the command, then when (and only when) a packet fails the Unicast RPF check, the ACL is checked to determine whether the packet should be dropped (using a deny statement in the ACL) or forwarded (using a permit statement in the ACL). Whether a packet is dropped or forwarded, the packet is counted in the global IP traffic statistics for Unicast RPF drops and in the interface statistics for Unicast RPF.

If no ACL is specified in the Unicast Reverse Path Forwarding command, the router drops the forged or malformed packet immediately and no ACL logging occurs. The router and interface Unicast RPF counters are updated.

Unicast RPF events can be logged by specifying the logging option for the ACL entries used by the Unicast Reverse Path Forwarding command. Log information can be used to gather information about the attack, such as source address, time, and so on.

Where to Use RPF in Your Network

Unicast RPF may be used on interfaces in which only one path allows packets from valid source networks (networks contained in the FIB). Unicast RPF may also be used in cases for which a router has multiple paths to a given network, as long as the valid networks are switched via the incoming interfaces. Packets for invalid networks will be dropped. For example, routers at the edge of the network of an Internet service provider (ISP) are likely to have symmetrical reverse paths. Unicast RPF may still be applicable in certain multi-homed situations, provided that optional Border Gateway Protocol (BGP) attributes such as weight and local preference are used to achieve symmetric routing.

With Unicast RPF, all equal-cost "best" return paths are considered valid. This means that Unicast RPF works in cases where multiple return paths exist, provided that each path is equal to the others in terms of the routing cost (number of hops, weights, and so on) and as long as the route is in the FIB. Unicast RPF also functions where Enhanced Internet Gateway Routing Protocol (EIGRP) variants are being used and unequal candidate paths back to the source IP address exist.

For example, routers at the edge of the network of an ISP are more likely to have symmetrical reverse paths than routers that are in the core of the ISP network. Routers that are in the core of the ISP network have no guarantee that the best forwarding path out of the router will be the path selected for packets returning to the router. In this scenario, you should use the new form of the command, ip verify unicast source reachable-via, if there is a chance of asymmetrical routing.

Examples

The following example shows that the Unicast Reverse Path Forwarding feature has been enabled on a serial interface:

ip cef
! or "ip cef distributed" for RSP+VIP based routers
!
interface serial 5/0/0
 ip verify unicast reverse-path

The following example uses a very simple single-homed ISP to demonstrate the concepts of ingress and egress filters used in conjunction with Unicast RPF. The example illustrates an ISP-allocated classless interdomain routing (CIDR) block 192.168.202.128/28 that has both inbound and outbound filters on the upstream interface. Be aware that ISPs are usually not single-homed. Hence, provisions for asymmetrical flows (when outbound traffic goes out one link and returns via a different link) need to be designed into the filters on the border routers of the ISP.

ip cef distributed
!
interface Serial 5/0/0
 description Connection to Upstream ISP
 ip address 192.168.200.225 255.255.255.252
 no ip redirects
 no ip directed-broadcast
 no ip proxy-arp
 ip verify unicast reverse-path
 ip access-group 111 in
 ip access-group 110 out
!
! Egress filter: only the allocated /28 may leave toward the upstream
access-list 110 permit ip 192.168.202.128 0.0.0.15 any
access-list 110 deny ip any any log
! Ingress filter: drop unroutable and private sources and packets that
! claim to come from the local block, then permit the rest
access-list 111 deny ip host 0.0.0.0 any log
access-list 111 deny ip 172.16.0.0 0.255.255.255 any log
access-list 111 deny ip 10.0.0.0 0.255.255.255 any log
access-list 111 deny ip 172.16.0.0 0.15.255.255 any log
access-list 111 deny ip 192.168.0.0 0.0.255.255 any log
access-list 111 deny ip 209.165.202.129 0.0.0.15 any log
access-list 111 permit ip any any

The following example demonstrates the use of ACLs and logging with Unicast RPF. In this example, extended ACL 197 provides entries that deny or permit network traffic for specific address ranges. Unicast RPF is configured on Ethernet interface 0 to check packets arriving at that interface.

For example, packets with a source address of 192.168.201.10 arriving at Ethernet interface 0 are dropped because of the deny statement in ACL 197. In this case, the ACL information is logged (the logging option is turned on for the ACL entry) and dropped packets are counted per-interface and globally. Packets with a source address of 192.168.201.100 arriving at Ethernet interface 0 are forwarded because of the permit statement in ACL 197. ACL information about dropped or suppressed packets is logged (the logging option is turned on for the ACL entry) to the log server.

ip cef distributed
!
int eth0/1/1
 ip address 192.168.200.1 255.255.255.0
 ip verify unicast reverse-path 197
!
int eth0/1/2
 ip address 192.168.201.1 255.255.255.0
!
access-list 197 deny ip 192.168.201.0 0.0.0.63 any log-input
access-list 197 permit ip 192.168.201.64 0.0.0.63 any log-input
access-list 197 deny ip 192.168.201.128 0.0.0.63 any log-input
access-list 197 permit ip 192.168.201.192 0.0.0.63 any log-input
access-list 197 deny ip host 0.0.0.0 any log-input
access-list 197 deny ip 172.16.0.0 0.255.255.255 any log-input
access-list 197 deny ip 10.0.0.0 0.255.255.255 any log-input
access-list 197 deny ip 172.16.0.0 0.15.255.255 any log-input
access-list 197 deny ip 192.168.0.0 0.0.255.255 any log-input

Related Commands

Command    Description
ip cef     Enables Cisco Express Forwarding on the route processor card.

ip verify unicast source reachable-via

To enable Unicast Reverse Path Forwarding (Unicast RPF), use the ip verify unicast source reachable-via command in interface configuration mode. To disable Unicast RPF, use the no form of this command.

ip verify unicast source reachable-via {any | rx [l2-src]} [allow-default] [allow-self-ping] [access-list]
no ip verify unicast source reachable-via

Syntax Description

any               Examines incoming packets to determine whether the source address is in the Forwarding Information Base (FIB) and permits the packet if the source is reachable through any interface (sometimes referred to as loose mode).
rx                Examines incoming packets to determine whether the source address is in the FIB and permits the packet only if the source is reachable through the interface on which the packet was received (sometimes referred to as strict mode).
l2-src            (Optional) Enables source IPv4 and source MAC address binding.
allow-default     (Optional) Allows the use of the default route for RPF verification.
allow-self-ping   (Optional) Allows a router to ping its own interface or interfaces.

Caution
Use caution when enabling the allow-self-ping keyword. This keyword opens a denial-of-service (DoS) hole.

access-list       (Optional) Specifies a numbered access control list (ACL) in the following ranges:
                  1 to 99 (IP standard access list)
                  100 to 199 (IP extended access list)
                  1300 to 1999 (IP standard access list, expanded range)
                  2000 to 2699 (IP extended access list, expanded range)

Command Default

Unicast RPF is disabled.
Source IPv4 and source MAC address binding is disabled.

Command Modes

Interface configuration (config-if)

Command History

Release          Modification
11.1(CC), 12.0   This command was introduced. This command was not included in Cisco IOS Release 11.2 or 11.3.
12.1(2)T         Added access control list (ACL) support using the access-list argument. Added per-interface statistics on dropped or suppressed packets.
12.0(15)S        This command replaced the ip verify unicast reverse-path command, and the following keywords were added: allow-default, allow-self-ping, rx, and any.
12.1(8a)E        This command was integrated into Cisco IOS Release 12.1(8a)E.
12.2(14)S        This command was integrated into Cisco IOS Release 12.2(14)S.
12.2(14)SX       Support for this command was introduced on the Supervisor Engine 720.
12.2(17d)SXB     Support for this command was introduced on the Supervisor Engine 2.
12.2(33)SRA      This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2(33)SRC      This command was modified. The l2-src keyword was added to support the source IPv4 and source MAC address binding feature on platforms that support the Cisco Express Forwarding software switching path.
15.0(1)M         This command was integrated into Cisco IOS Release 15.0(1)M.

Usage Guidelines

Use the ip verify unicast source reachable-via interface command to mitigate problems caused by malformed or forged (spoofed) IP source addresses that pass through a router. Malformed or forged source addresses can indicate DoS attacks based on source IP address spoofing.

To use Unicast RPF, enable Cisco Express Forwarding or distributed Cisco Express Forwarding in the router. There is no need to configure the input interface for Cisco Express Forwarding. As long as Cisco Express Forwarding is running on the router, individual interfaces can be configured with other switching modes.

Note
It is important for Cisco Express Forwarding to be configured globally on the router. Unicast RPF does not work without Cisco Express Forwarding.

Note
Unicast RPF is an input function and is applied on the interface of a router only in the ingress direction.

When Unicast RPF is enabled on an interface, the router examines all packets that are received on that interface. The router checks to make sure that the source address appears in the FIB. If the rx keyword is selected, the source address must match the interface on which the packet was received. If the any keyword is selected, the source address must be present only in the FIB. This ability to “look backwards” is available only when Cisco Express Forwarding is enabled on the router because the lookup relies on the presence of the FIB. Cisco Express Forwarding generates the FIB as part of its operation.

Note
If the source address of an incoming packet is resolved to a null adjacency, the packet will be dropped. The null interface is treated as an invalid interface by the new form of the Unicast RPF command. The older form of the command syntax did not exhibit this behavior.

Unicast RPF checks to determine whether any packet that is received at a router interface arrives on one of the best return paths to the source of the packet. If a reverse path for the packet is not found, Unicast RPF can drop or forward the packet, depending on whether an ACL is specified in the Unicast RPF command. If an ACL is specified in the command, when (and only when) a packet fails the Unicast RPF check, the ACL is checked to determine whether the packet should be dropped (using a deny statement in the ACL) or forwarded (using a permit statement in the ACL).
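The decision sequence just described (FIB lookup, null adjacency, rx versus any, the allow-default keyword, and the ACL consulted only after a failed check), modelled as an added example rather than Cisco code. The FIB, interface names and ACL entries are constructed for the example; the l2-src MAC binding is not modelled.

```python
"""Unicast RPF forwarding decision, modelled after this page's usage guidelines.

Added example, not Cisco code. For a packet with a given source address
arriving on an interface it applies, in order:
  1. longest-prefix lookup of the source in the FIB;
  2. no route, or a route to a null adjacency -> check fails;
  3. a match only via the default route (0.0.0.0/0) passes solely when
     the interface was configured with allow-default;
  4. rx (strict): the route's egress interface must be the ingress one;
     any (loose): presence in the FIB is enough;
  5. on failure, an attached ACL decides: permit -> forward and count a
     suppressed drop, deny (or the implicit deny) -> drop; with no ACL the
     packet is dropped and nothing is logged.
Every failed check updates the global and the interface counters.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network


@dataclass
class AclEntry:
    action: str            # "permit" or "deny"
    network: IPv4Network   # source range the entry matches
    log: bool = False      # the ACL's log / log-input option


@dataclass
class Counters:
    drops: int = 0
    suppressed_drops: int = 0
    logged: list[tuple[str, str, str]] = field(default_factory=list)


@dataclass
class UrpfInterface:
    name: str
    mode: str                        # "rx" (strict) or "any" (loose)
    allow_default: bool = False
    acl: list[AclEntry] | None = None
    counters: Counters = field(default_factory=Counters)


class UrpfRouter:
    def __init__(self, fib: dict[str, str | None]):
        # fib maps prefix -> egress interface, or None for a null adjacency.
        self.fib = {ip_network(prefix): egress for prefix, egress in fib.items()}
        self.global_counters = Counters()

    def lookup(self, src: IPv4Address):
        """Longest-prefix match; returns (prefix, egress) or None."""
        matches = [net for net in self.fib if src in net]
        if not matches:
            return None
        best = max(matches, key=lambda net: net.prefixlen)
        return best, self.fib[best]

    def rpf_passes(self, iface: UrpfInterface, src: IPv4Address) -> bool:
        hit = self.lookup(src)
        if hit is None:
            return False
        prefix, egress = hit
        if egress is None:                       # null adjacency is invalid
            return False
        if prefix.prefixlen == 0 and not iface.allow_default:
            return False                         # known only via default route
        if iface.mode == "rx":
            return egress == iface.name          # strict: must match ingress
        return True                              # loose: any interface

    def receive(self, iface: UrpfInterface, source: str) -> str:
        """Returns "forward" or "drop" for one packet on `iface`."""
        src = ip_address(source)
        if self.rpf_passes(iface, src):
            return "forward"
        verdict = "drop"                         # default when the check fails
        if iface.acl is not None:
            for entry in iface.acl:              # first matching entry wins
                if src in entry.network:
                    if entry.log:
                        iface.counters.logged.append((iface.name, str(src), entry.action))
                    verdict = "forward" if entry.action == "permit" else "drop"
                    break                        # no match: implicit deny
        for counters in (self.global_counters, iface.counters):
            if verdict == "drop":
                counters.drops += 1
            else:
                counters.suppressed_drops += 1
        return verdict
```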
Whether a packet is dropped or forwarded, the packet is counted in the global IP traffic statistics for Unicast RPF drops and in the interface statistics for Unicast RPF.

If no ACL is specified in the ip verify unicast source reachable-via command, the router drops the forged or malformed packet immediately, and no ACL logging occurs. The router and interface Unicast RPF counters are updated.

Unicast RPF events can be logged by specifying the logging option for the ACL entries that are used by the ip verify unicast source reachable-via command. Log information can be used to gather information about the attack, such as source address, time, and so on.

Strict Mode RPF

If the source address is in the FIB and reachable only through the interface on which the packet was received, the packet is passed. The syntax for this method is ip verify unicast source reachable-via rx.

Exists-Only (or Loose Mode) RPF

If the source address is in the FIB and reachable through any interface on the router, the packet is passed. The syntax for this method is ip verify unicast source reachable-via any.

Because this Unicast RPF option passes packets regardless of which interface the packet enters, it is often used on Internet service provider (ISP) routers that are “peered” with other ISP routers (where asymmetrical routing typically occurs). Packets using source addresses that have not been allocated on the Internet, which are often used for spoofed source addresses, are dropped by this Unicast RPF option. All other packets that have an entry in the FIB are passed.

allow-default

Normally, sources found in the FIB but only by way of the default route will be dropped. Specifying the allow-default keyword option will override this behavior. You must specify the allow-default keyword in the command to permit Unicast RPF to successfully match on prefixes that are known through the default route to pass these packets.

allow-self-ping

This keyword allows the router to ping its own interface or interfaces. By default, when Unicast RPF is enabled, packets that are generated by the router and destined to the router are dropped, thereby making certain troubleshooting and management tasks difficult to accomplish. Issue the allow-self-ping keyword to enable self-pinging.

Caution
Caution should be used when enabling the allow-self-ping keyword because this option opens a potential DoS hole.

Using RPF in Your Network

Use Unicast RPF strict mode on interfaces where only one path allows packets from valid source networks (networks contained in the FIB). Also, use Unicast RPF strict mode when a router has multiple paths to a given network, as long as the valid networks are switched through the incoming interfaces. Packets for invalid networks will be dropped. For example, routers at the edge of the network of an ISP are likely to have symmetrical reverse paths. Unicast RPF strict mode is applicable in certain multihomed situations, provided that optional Border Gateway Protocol (BGP) attributes, such as weight and local preference, are used to achieve symmetric routing.

Note
With Unicast RPF, all equal-cost “best” return paths are considered valid. This means that Unicast RPF works in cases where multiple return paths exist, provided that each path is equal to the others in terms of the routing cost (number of hops, weights, and so on) and as long as the route is in the FIB. Unicast RPF also functions where Enhanced Internet Gateway Routing Protocol (EIGRP) variants are being used and unequal candidate paths back to the source IP address exist.

Use Unicast RPF loose mode on interfaces where asymmetric paths allow packets from valid source networks (networks contained in the FIB). Routers that are in the core of the ISP network have no guarantee that the best forwarding path out of the router will be the path selected for packets returning to the router.

IP and MAC Address Spoof Prevention

In Release 15.0(1)M and later, you can use the l2-src keyword to enable source IPv4 and source MAC address binding. To disable source IPv4 and source MAC address binding, use the no form of the ip verify unicast source reachable-via command.

If an inbound packet fails this security check, it will be dropped and the Unicast RPF dropped-packet counter will be incremented. The only exception occurs if a numbered access control list has been specified as part of the Unicast RPF command in strict mode, and the ACL permits the packet. In this case the packet will be forwarded and the Unicast RPF suppressed-drops counter will be incremented.

Note
The l2-src keyword cannot be used with the loose-mode form of the command, ip verify unicast source reachable-via any.

Not all platforms support the l2-src keyword. Therefore, not all the possible keyword combinations for strict Unicast RPF in the following list will apply to your platform. Possible keyword combinations for strict Unicast RPF include the following:

allow-default
allow-self-ping
l2-src
<ACL-number>
allow-default allow-self-ping
allow-default l2-src
allow-default <ACL-number>
allow-self-ping l2-src
allow-self-ping <ACL-number>
l2-src <ACL-number>
allow-default allow-self-ping l2-src
allow-default allow-self-ping <ACL-number>
allow-default l2-src <ACL-number>
allow-self-ping l2-src <ACL-number>
allow-default allow-self-ping l2-src <ACL-number>

Examples

The following example uses a very simple single-homed ISP connection to demonstrate the concept of Unicast RPF. In this example, an ISP peering router is connected through a single serial interface to one upstream ISP. Hence, traffic flows into and out of the ISP will be symmetric. Because traffic flows will be symmetric, a Unicast RPF strict-mode deployment can be configured.

ip cef
! or “ip cef distributed” for Route Switch Processor+Versatile Interface Processor-
! (RSP+VIP-) based routers.
!
interface Serial5/0/0
 description - link to upstream ISP (single-homed)
 ip address 192.168.200.225 255.255.255.252
 no ip redirects
 no ip directed-broadcasts
 no ip proxy-arp
 ip verify unicast source reachable-via rx

Examples

The following example demonstrates the use of ACLs and logging with Unicast RPF. In this example, extended ACL 197 provides entries that deny or permit network traffic for specific address ranges. Unicast RPF is configured on interface Ethernet 0/1/1 to check packets arriving at that interface.

For example, packets with a source address of 192.168.201.10 arriving at interface Ethernet 0/1/1 are dropped because of the deny statement in ACL 197. In this case, the ACL information is logged (the logging option is turned on for the ACL entry) and dropped packets are counted per-interface and globally. Packets with a source address of 192.168.201.100 arriving at interface Ethernet 0/1/2 are forwarded because of the permit statement in ACL 197. ACL information about dropped or suppressed packets is logged (the logging option is turned on for the ACL entry) to the log server.

ip cef distributed
!
int eth0/1/1
 ip address 192.168.200.1 255.255.255.0
 ip verify unicast source reachable-via rx 197
!
int eth0/1/2
 ip address 192.168.201.1 255.255.255.0
!
access-list 197 deny ip 192.168.201.0 0.0.0.63 any log-input
access-list 197 permit ip 192.168.201.64 0.0.0.63 any log-input
access-list 197 deny ip 192.168.201.128 0.0.0.63 any log-input
access-list 197 permit ip 192.168.201.192 0.0.0.63 any log-input
access-list 197 deny ip host 0.0.0.0 any log-input
access-list 197 deny ip 172.16.0.0 0.255.255.255 any log-input
access-list 197 deny ip 10.0.0.0 0.255.255.255 any log-input
access-list 197 deny ip 172.16.0.0 0.15.255.255 any log-input
access-list 197 deny ip 192.168.0.0 0.0.255.255 any log-input

Examples

The following example shows how to enable source IPv4 and source MAC address binding on Ethernet 0/0:

Router# configure terminal
Router(config)# interface Ethernet0/0
Router(config-if)# ip address 10.0.0.1 255.255.255.0
Router(config-if)# ip verify unicast source reachable-via rx l2-src

Related Commands

Command              Description
ip cef               Enables Cisco Express Forwarding on the route processor card.
ip cef distributed   Enables Cisco Express Forwarding on the line card.

ip virtual-reassembly

To enable virtual fragment reassembly (VFR) on an interface, use the ip virtual-reassembly command in interface configuration mode. To disable VFR on an interface, use the no form of this command.

ip virtual-reassembly [max-reassemblies number] [max-fragments number] [timeout seconds] [drop-fragments]
no ip virtual-reassembly [max-reassemblies number] [max-fragments number] [timeout seconds] [drop-fragments]

Syntax Description

max-reassemblies number   (Optional) Maximum number of IP datagrams that can be reassembled at any given time. Default value: 16.
                          If the maximum value is reached, all fragments within the following fragment set are dropped and an alert message is logged to the syslog server.
max-fragments number      (Optional) Maximum number of fragments that are allowed per IP datagram (fragment set). Default value: 32.
                          If an IP datagram that is being reassembled receives more than the maximum allowed fragments, the IP datagram is dropped and an alert message is logged to the syslog server.
timeout seconds           (Optional) Timeout value, from 0 to 60 seconds, for an IP datagram that is being reassembled. Default value: 3 seconds.
                          If an IP datagram does not receive all of the fragments within the specified time, the IP datagram (and all of its fragments) is dropped.
drop-fragments            (Optional) Enables the VFR to drop all fragments that arrive on the configured interface. By default, this function is disabled.

Command Default

VFR is not enabled.

Command Modes

Interface configuration

Command History

Release       Modification
12.3(8)T      This command was introduced.
IOS XE 3.2S   This command was introduced in Cisco IOS XE Release 3.2S.

Usage Guidelines

A buffer overflow attack can occur when an attacker continuously sends a large number of incomplete IP fragments, causing the firewall to lose time and memory while trying to reassemble the fake packets.

The max-reassemblies number option and the max-fragments number option allow you to configure maximum threshold values to avoid a buffer overflow attack and to control memory usage.

In addition to configuring the maximum threshold values, each IP datagram is associated with a managed timer. If the IP datagram does not receive all of the fragments within the specified time (which can be configured through the timeout seconds option), the timer expires and the IP datagram (and all of its fragments) is dropped.

Note
If you are upgrading to Cisco IOS XE Release 3.4 or later and the configured timeout was set to more than 60 seconds, then your configured timeout value is cleared and reset to the default value of 3 seconds.

Automatically Enabling or Disabling VFR

VFR is designed to work with any feature that requires fragment reassembly (such as Cisco IOS Firewall and NAT). Currently, NAT enables and disables VFR internally; that is, when NAT is enabled on an interface, VFR is automatically enabled on that interface.

If more than one feature attempts to automatically enable VFR on an interface, then the VFR maintains a reference count to keep track of the number of features that have enabled VFR.
When the reference count is reduced to zero,\r\nVFR is automatically disabled.\r\nExamples\r\nThe following example shows how to configure VFR on interfaces ethernet2/1, ethernet2/2, and serial3/0 to\r\nsupport the firewall that is enabled in the outbound direction on interface serial3/0. In this example, the firewall\r\nrule set INTERNET-FW specifies that the protocols originating from LAN1 and LAN2 (FTP, HTTP, and SMTP) are to be inspected.\r\nip inspect name INTERNET-FW ftp\r\nip inspect name INTERNET-FW http\r\nip inspect name INTERNET-FW smtp\r\n!\r\ninterface Loopback0\r\n ip address 10.0.1.1 255.255.255.255\r\n!\r\ninterface Ethernet2/0\r\n ip address 10.4.21.9 255.255.0.0\r\n no ip proxy-arp\r\n no ip mroute-cache\r\n duplex half\r\n no cdp enable\r\n!\r\ninterface Ethernet2/1\r\n description LAN1\r\n ip address 10.4.0.2 255.255.255.0\r\n ip virtual-reassembly\r\n duplex half\r\n!\r\ninterface Ethernet2/2\r\n description LAN2\r\n ip address 10.15.0.2 255.255.255.0\r\n ip virtual-reassembly\r\n duplex half\r\n!\r\ninterface Ethernet2/3\r\n no ip address\r\n no ip mroute-cache\r\n shutdown\r\n duplex half\r\n!\r\ninterface Serial3/0\r\n description Internet\r\n ip unnumbered Loopback0\r\n encapsulation ppp\r\n ip access-group 102 in\r\n ip inspect INTERNET-FW out\r\n ip virtual-reassembly\r\n serial restart-delay 0\r\nRelated Commands\r\nCommand Description\r\nshow ip virtual-reassembly Displays the configuration and statistical information of the VFR on a given\r\ninterface.\r\nip virtual-reassembly-out\r\nTo enable virtual fragment reassembly (VFR) on outbound interface traffic after it was disabled by the no ip\r\nvirtual-reassembly command, use the ip virtual-reassembly-out command in interface configuration mode. 
To\r\ndisable VFR on outbound interface traffic, use the no form of this command.\r\nip virtual-reassembly-out [max-reassemblies number] [max-fragments number] [timeout seconds] [drop-fragments]\r\nhttps://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/d1/sec-d1-cr-book/sec-cr-i3.html#wp1254331478\r\nPage 135 of 238\n\nno ip virtual-reassembly-out [max-reassemblies number] [max-fragments number] [timeout seconds] [drop-fragments]\r\nSyntax Description\r\nmax-reassemblies\r\nnumber\r\n(Optional) Specifies the maximum number of IP datagrams that can be reassembled at\r\nany given time. Default value: 16.\r\nIf the maximum value is reached, all fragments within the following fragment set will be\r\ndropped and an alert message will be logged to the syslog server.\r\nmax-fragments\r\nnumber\r\n(Optional) Specifies the maximum number of fragments that are allowed per IP\r\ndatagram (fragment set). Default value: 32.\r\nIf an IP datagram that is being reassembled receives more than the maximum number of\r\nallowed fragments, the IP datagram will be dropped and an alert message will be logged\r\nto the syslog server.\r\ntimeout seconds\r\n(Optional) Specifies the timeout value, in seconds, for an IP datagram that is being\r\nreassembled. 
Default value: 3.\r\nIf an IP datagram does not receive all of the fragments within the specified time, the IP\r\ndatagram (and all of its fragments) will be dropped.\r\ndrop-fragments\r\n(Optional) Enables the VFR to drop all fragments that arrive on the configured interface.\r\nBy default, this function is disabled.\r\nCommand Default\r\nVFR on outbound interface traffic is not enabled.\r\nCommand Modes\r\nInterface configuration (config-if)\r\nCommand History\r\nRelease Modification\r\nCisco IOS XE Release 3.2S This command was introduced.\r\nUsage Guidelines\r\nYou can use this command to reenable VFR on outbound interface traffic after it was disabled by the no ip\r\nvirtual-reassembly command. If VFR is enabled on both inbound and outbound interface traffic, you can use the no ip\r\nvirtual-reassembly-out command to disable it on only the outbound interface traffic.\r\nExamples\r\nThe following example shows how to manually enable VFR on outbound traffic on interfaces\r\nGigabitEthernet0/0/1, GigabitEthernet0/0/0.773, and Serial 3/0:\r\ninterface Loopback 0\r\n ip address 10.0.1.1 255.255.255.255\r\n!\r\ninterface GigabitEthernet0/0/1\r\n description LAN1\r\n ip address 10.4.0.2 255.255.255.0\r\n ip virtual-reassembly-out\r\n!\r\ninterface GigabitEthernet0/0/0.773\r\n encapsulation dot1Q 773\r\n description LAN2\r\n ip address 10.15.0.2 255.255.255.0\r\n ip virtual-reassembly-out\r\n!\r\ninterface Serial 3/0\r\n description Internet\r\n ip unnumbered Loopback0\r\n encapsulation ppp\r\n ip virtual-reassembly-out\r\n serial restart-delay 0\r\nRelated Commands\r\nCommand Description\r\nip virtual-reassembly Enables VFR on an interface.\r\nshow ip virtual-reassembly Displays the 
configuration and statistical information of the VFR on a given\r\ninterface.\r\nip vrf\r\nTo define a VPN routing and forwarding (VRF) instance and to enter VRF configuration mode, use the ip vrf\r\ncommand in global configuration mode. To remove a VRF instance, use the no form of this command.\r\nip vrf vrf-name\r\nno ip vrf vrf-name\r\nSyntax Description\r\nvrf-name Name assigned to a VRF.\r\nCommand Default\r\nNo VRFs are defined. No import or export lists are associated with a VRF. No route maps are associated with a\r\nVRF.\r\nCommand Modes\r\nGlobal configuration (config)\r\nCommand History\r\nRelease Modification\r\n12.0(5)T This command was introduced.\r\n12.0(21)ST This command was integrated into Cisco IOS Release 12.0(21)ST.\r\nhttps://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/d1/sec-d1-cr-book/sec-cr-i3.html#wp1254331478\r\nPage 138 of 238\n\nRelease Modification\r\n12.0(22)S This command was integrated into Cisco IOS Release 12.0(22)S.\r\n12.2(14)S This command was integrated into Cisco IOS 12.2(14)S.\r\n12.2(28)SB This command was integrated into Cisco IOS Release 12.2(28)SB.\r\n12.2(33)SRA This command was integrated into Cisco IOS Release 12.2(33)SRA.\r\n12.2(33)SXH This command was integrated into Cisco IOS Release 12.2(33)SXH.\r\nCisco IOS XE Release\r\n2.1\r\nThis command was integrated into Cisco IOS XE Release 2.1.\r\n15.1(1)SY This command was integrated into Cisco IOS Release 15.1(1)SY.\r\nCisco IOS XE 3.3SE This command was implemented in Cisco IOS XE Release 3.3SE.\r\n15.4(3)S\r\nThis command was implemented on the Cisco ASR 901 Series Aggregation\r\nServices Router.\r\nUsage Guidelines\r\nThe ip vrf vrf-name command creates a VRF instance named vrf-name . To make the VRF functional, a route\r\ndistinguisher (RD) must be created using the rd route-distinguisher command in VRF configuration mode. 
The rd\r\nroute-distinguisher command creates the routing and forwarding tables and associates the RD with the VRF\r\ninstance named vrf-name .\r\nThe ip vrf default command can be used to configure a VRF instance that is a NULL value until a default VRF\r\nname can be configured. This is typically before any VRF related AAA commands are configured.\r\nExamples\r\nhttps://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/d1/sec-d1-cr-book/sec-cr-i3.html#wp1254331478\r\nPage 139 of 238\n\nThe following example shows how to import a route map to a VRF instance named VPN1:\r\nRouter(config)# ip vrf vpn1\r\nRouter(config-vrf)# rd 100:2\r\nRouter(config-vrf)# route-target both 100:2\r\nRouter(config-vrf)# route-target import 100:1\r\nRelated Commands\r\nCommand Description\r\nip vrf forwarding (interface\r\nconfiguration)\r\nAssociates a VRF with an interface or subinterface.\r\nrd\r\nCreates routing and forwarding tables for a VRF and specifies the default\r\nroute distinguisher for a VPN.\r\nip vrf forwarding\r\nTo associate a Virtual Private Network (VPN) routing and forwarding (VRF) instance with a Diameter peer, use\r\nthe ip vrf forwarding command in Diameter peer configuration mode. To enable Diameter peers to use the global\r\n(default) routing table, use the no form of this command.\r\nip vrf forwarding name\r\nno ip vrf forwarding name\r\nSyntax Description\r\nname Name assigned to a VRF.\r\nCommand Default\r\nDiameter peers use the global routing table.\r\nCommand Modes\r\nDiameter peer configuration (config-dia-peer)\r\nhttps://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/d1/sec-d1-cr-book/sec-cr-i3.html#wp1254331478\r\nPage 140 of 238\n\nCommand History\r\nRelease Modification\r\n12.4(9)T This command was introduced.\r\n12.2(54)SG This command was integrated into Cisco IOS Release 12.2(54)SG.\r\nUsage Guidelines\r\nUse the ip vrf forwarding command to specify a VRF for a Diameter peer. 
If a VRF name is not configured for a\r\nDiameter server, the global routing table will be used.\r\nIf the VRF associated with the specified name has not been configured, the command will have no effect and this\r\nerror message will appear: No VRF found with the name name.\r\nExamples\r\nThe following example shows how to configure the VRF for a Diameter peer:\r\nRouter(config-dia-peer)# ip vrf forwarding diam_peer_1\r\nRelated Commands\r\nCommand Description\r\ndiameter peer\r\nConfigures a Diameter peer and enters Diameter peer configuration\r\nsubmode.\r\nip vrf forwarding (server-group) Configures the VRF reference of an AAA RADIUS or TACACS+ server\r\ngroup.\r\nip vrf forwarding (server-group)\r\nTo configure the Virtual Private Network (VPN) routing and forwarding (VRF) reference of an authentication,\r\nauthorization, and accounting (AAA) RADIUS or TACACS+ server group, use the ip vrf forwarding command in\r\nserver-group configuration mode. 
To enable server groups to use the global (default) routing table, use the no form\r\nof this command.\r\nip vrf forwarding vrf-name\r\nno ip vrf forwarding vrf-name\r\nSyntax Description\r\nvrf-name Name assigned to a VRF.\r\nCommand Default\r\nServer groups use the global routing table.\r\nCommand Modes\r\nServer-group configuration (server-group)\r\nCommand History\r\nRelease Modification\r\n12.2(2)DD This command was introduced on the Cisco 7200 series and Cisco 7401ASR.\r\n12.2(4)B This command was integrated into Cisco IOS Release 12.2(4)B.\r\n12.2(13)T This command was integrated into Cisco IOS Release 12.2(13)T.\r\n12.3(7)T Functionality was added for TACACS+ servers.\r\n12.2(28)SB This command was integrated into Cisco IOS Release 12.2(28)SB.\r\nhttps://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/d1/sec-d1-cr-book/sec-cr-i3.html#wp1254331478\r\nPage 142 of 238\n\nRelease Modification\r\n12.2(33)SRA1 This command was integrated into Cisco IOS Release 12.2(33)SRA1.\r\n12.2(33)SXH This command was integrated into Cisco IOS Release 12.2(33)SXH.\r\n12.2(33)SXI This command was integrated into Cisco IOS Release 12.2(33)SXI.\r\nUsage Guidelines\r\nUse the ip vrf forwarding command to specify a VRF for a AAA RADIUS or TACACS+ server group. 
This\r\ncommand enables dial users to utilize AAA servers in different routing domains.\r\nExamples\r\nThe following example shows how to configure a RADIUS server group, sg_water, whose server is reached\r\nthrough the VRF named water, alongside a server group that uses the global routing table:\r\naaa group server radius sg_global\r\n server-private 172.16.0.0 timeout 5 retransmit 3\r\n!\r\naaa group server radius sg_water\r\n server-private 10.10.0.0 timeout 5 retransmit 3 key water\r\n ip vrf forwarding water\r\nThe following example shows how to configure the TACACS+ server group tacacs1 to reach its server through\r\nthe VRF named cisco (note that ip vrf forwarding must be applied to the loopback interface before its IP address,\r\nbecause assigning an interface to a VRF removes any address already configured on it):\r\naaa group server tacacs+ tacacs1\r\n server-private 10.1.1.1 port 19 key cisco\r\n ip vrf forwarding cisco\r\n ip tacacs source-interface Loopback0\r\n!\r\nip vrf cisco\r\n rd 100:1\r\n!\r\ninterface Loopback0\r\n ip vrf forwarding cisco\r\n ip address 10.0.0.2 255.0.0.0\r\nRelated Commands\r\nCommand Description\r\naaa group server radius\r\nGroups different RADIUS server hosts into distinct lists and distinct\r\nmethods.\r\nip tacacs source-interface\r\nUses the IP address of a specified interface for all outgoing TACACS+\r\npackets.\r\nip vrf forwarding (server-group) Configures the VRF reference of an AAA RADIUS or TACACS+ server\r\ngroup.\r\nserver-private\r\nConfigures the IP address of the private RADIUS server for the group\r\nserver.\r\nip wccp web-cache accelerated\r\nTo enable the hardware acceleration for WCCP version 1, use the ip wccp web-cache accelerated command in\r\nglobal configuration mode. 
To disable hardware acceleration, use the no form of this command.\r\nip wccp web-cache accelerated [group-address group-address] | [redirect-list access-list] | [group-list access-list] | [ [password password]]\r\nno ip wccp web-cache accelerated\r\nSyntax Description\r\ngroup-address\r\ngroup-address\r\n(Optional) Directs the router to use a specified multicast IP address for communication\r\nwith the WCCP service group. See the “Usage Guidelines” section for additional\r\ninformation.\r\nredirect-list\r\naccess-list\r\n(Optional) Directs the router to use an access list to control traffic that is redirected to this\r\nservice group. See the “Usage Guidelines” section for additional information.\r\nhttps://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/d1/sec-d1-cr-book/sec-cr-i3.html#wp1254331478\r\nPage 144 of 238\n\ngroup-list\r\naccess-list\r\n(Optional) Directs the router to use an access list to determine which cache engines are\r\nallowed to participate in the service group. See the “Usage Guidelines” section for\r\nadditional information.\r\npassword\r\npassword\r\n(Optional) Specifies a string that directs the router to apply MD5 authentication to\r\nmessages received from the service group specified by the service name given. See the\r\n“Usage Guidelines” section for additional information.\r\nCommand Default\r\nWhen this command is not configured, hardware acceleration for WCCPv1 is not enabled.\r\nCommand Modes\r\nGlobal configuration (config)\r\nCommand History\r\nRelease Modification\r\n12.2(17d)SXB\r\nSupport for this command on the Supervisor Engine 2 was extended to Cisco IOS Release\r\n12.2(17d)SXB.\r\n12.2(18)SXD1 This command was changed to support the Supervisor Engine 720.\r\n12.2(33)SRA This command was integrated into Cisco IOS Release 12.2(33)SRA.\r\nUsage Guidelines\r\nThe group-address group-address option requires a multicast address that is used by the router to determine which\r\ncache engine should receive redirected messages. 
This option instructs the router to use the specified multicast IP\r\naddress to coalesce the “I See You” responses for the “Here I Am” messages that it has received on this group\r\naddress. In addition, the response is sent to the group address. The default is for no group-address to be\r\nconfigured, so that all “Here I Am” messages are responded to with a unicast reply.\r\nThe redirect-list access-list option instructs the router to use an access list to control the traffic that is redirected to\r\nthe cache engines of the service group that is specified by the service-name given. The access-list argument\r\nhttps://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/d1/sec-d1-cr-book/sec-cr-i3.html#wp1254331478\r\nPage 145 of 238\n\nspecifies either a number from 1 to 99 to represent a standard or extended access list number, or a name to\r\nrepresent a named standard or extended access list. The access list itself specifies the traffic that is permitted to be\r\nredirected. The default is for no redirect-list to be configured (all traffic is redirected).\r\nThe group-list access-list option instructs the router to use an access list to control the cache engines that are\r\nallowed to participate in the specified service group. The access-list argument specifies either a number from 1 to\r\n99 to represent a standard access list number, or a name to represent a named standard access list. The access list\r\nspecifies which cache engines are permitted to participate in the service group. The default is for no group-list to\r\nbe configured, so that all cache engines may participate in the service group.\r\nThe password can be up to seven characters. When you designate a password, the messages that are not accepted\r\nby the authentication are discarded. 
The password is used as the key for an HMAC-MD5 over the messages exchanged\r\nbetween the router and the cache engine, so that messages that fail authentication are discarded.\r\nExamples\r\nThe following example shows how to enable the hardware acceleration for WCCP version 1:\r\nRouter(config)# ip wccp web-cache accelerated\r\nRelated Commands\r\nCommand Description\r\nip wccp version Specifies which version of WCCP to configure on your router.\r\nips signature update cisco\r\nTo initiate a one-time download of Cisco IOS Intrusion Prevention System (IPS) signatures from Cisco.com, use\r\nthe ips signature update cisco command in Privileged EXEC mode.\r\nips signature update cisco {next | latest | signature} [username name password password]\r\nSyntax Description\r\nnext Specifies the next signature file version after the current signature file on the router.\r\nlatest Directs Cisco IOS IPS to search for the latest signature file.\r\nsignature Specifies a specific signature file on Cisco.com.\r\nusername name Defines the username for the signature update.\r\npassword password Defines the password for the signature update.\r\nCommand Modes\r\nPrivileged EXEC mode (#)\r\nCommand History\r\nRelease Modification\r\n15.1(1)T This command was introduced.\r\nUsage Guidelines\r\nThe ips signature update cisco command is used to initiate a one-time download of IPS signatures from\r\nCisco.com. If you want IPS signatures to be periodically downloaded from Cisco.com, use the ip ips auto-update\r\ncommand in global configuration mode and subsequently the cisco command in IPS-auto-update configuration\r\nmode to enable automatic signature updates from Cisco.com.\r\nIf the username and password are not specified, then the username and password that are specified in the IPS auto\r\nupdate configuration are used. 
A user name and password must be configured for updating signatures directly from\r\nCisco.com.\r\nExamples\r\nThe following example shows how to get the latest automatic signature update from Cisco.com:\r\nRouter# ips signature update cisco latest\r\nRelated Commands\r\nhttps://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/d1/sec-d1-cr-book/sec-cr-i3.html#wp1254331478\r\nPage 147 of 238\n\nCommand Description\r\nip ips auto-update Enables automatic signature updates for Cisco IOS IPS.\r\ncisco Enables automatic signature updates from Cisco.com.\r\nipsec profile\r\nTo associate an IPsec profile to an Easy VPN tunnel and to avoid fragmentation of Quick Mode (QM) packets, use\r\nthe ipsec profile command. To disable, use the no form of this command.\r\nipsec profile name\r\nno crypto ipsec profile\r\nSyntax Description\r\nCommand Default\r\nIf no IPsec profile is configured, Easy VPN Remote router sends all supported transform-sets during ISAKMP\r\nQM negotiations, which makes ISAKMP packets bigger and can cause fragmentation.\r\nCommand Modes\r\nCisco Easy VPN Remote configuration (config-crypto-ezvpn)\r\nCommand History\r\nRelease Modification\r\n12.4(20)T This command was introduced.\r\nUsage Guidelines\r\nUse the ipsec profile command to configure IPsec transform-sets to avoid fragmentation of ISAKMP QM packets.\r\nExamples\r\nhttps://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/d1/sec-d1-cr-book/sec-cr-i3.html#wp1254331478\r\nPage 148 of 238\n\ncrypto ipsec transform-set set1 esp-aes esp-sha-hmac\r\ncrypto ipsec profile prof1\r\n set transform-set set1\r\n set pfs group2\r\ncrypto ipsec client ezvpn EZVPN_CLIENT\r\n connect auto\r\n group hw-clients key cisco\r\n mode network-extension\r\n peer 10.1.1.2\r\n ipsec-profile prof1\r\n virtual-interface 1\r\n username router1 password cisco\r\n xauth userid mode local\r\nipv4 (ldap)\r\nTo create an IPv4 address within a Lightweight Directory Access Protocol (LDAP) server address pool, use the\r\nipv4 
command in LDAP server configuration mode. To delete an IPv4 address within an LDAP server address\r\npool, use the no form of this command.\r\nipv4 ipv4-address\r\nno ipv4 ipv4-address\r\nSyntax Description\r\nipv4-address IPv4 address of the LDAP server.\r\nCommand Default\r\nNo IPv4 addresses are created in the LDAP server address pool.\r\nCommand Modes\r\nLDAP server configuration (config-ldap-server)\r\nCommand History\r\nRelease Modification\r\n15.1(1)T This command was introduced.\r\nExamples\r\nThe following example shows how to create an IPv4 address in an LDAP server address pool:\r\nRouter(config)# ldap server server1\r\nRouter(config-ldap-server)# ipv4 10.0.0.1\r\nRelated Commands\r\nCommand Description\r\nldap server Defines an LDAP server and enters LDAP server configuration mode.\r\ntransport port (ldap) Configures the transport protocol for establishing a connection with the LDAP server.\r\nipv6 crypto map\r\nTo enable an IPv6 crypto map on an interface, use the ipv6 crypto map command in interface configuration mode.\r\nTo disable the crypto map on the interface, use the no form of this command.\r\nipv6 crypto map map-name\r\nno ipv6 crypto map\r\nSyntax Description\r\nmap-name Identifies the crypto map set.\r\nCommand Default\r\nNo IPv6 crypto maps are enabled on the interface.\r\nCommand Modes\r\nInterface configuration (config-if)\r\nCommand History\r\nRelease Modification\r\n15.1(4)M This command was introduced.\r\nUsage Guidelines\r\nThis command differentiates IPv6 crypto maps from IPv4 crypto maps.\r\nExamples\r\nThe following example shows how to enable an IPv6 crypto map on an interface:\r\nRouter# configure terminal\r\nRouter(config)# interface ethernet 0/0\r\nRouter(config-if)# ipv6 crypto map 
CM_V4\r\nRelated Commands\r\nCommand Description\r\ncrypto map (global IPsec) Creates or modifies a crypto map entry.\r\nipv6 cga modifier rsakeypair\r\nTo generate an IPv6 cryptographically generated address (CGA) modifier for a specified Rivest, Shamir, and\r\nAdelman (RSA) key pair, use the ipv6 cga modifier rsakeypair command in global configuration mode. To disable\r\nthis function, use the no form of this command.\r\nipv6 cga modifier rsakeypair key-label sec-level sec-level-value [max-iterations value | cga-modifier]\r\nno ipv6 cga modifier rsakeypair\r\nSyntax Description\r\nkey-label The name of the RSA key pair.\r\nsec-level sec-level-value Specifies the security level, which can be a number from 0 through 3. The most\r\nsecure level is 1.\r\nmax-iterations\r\nvalue\r\n(Optional) Maximum number of iterations for modifier generation. The value can be a number\r\nfrom 0 through 40000000.\r\ncga-modifier (Optional) An IPv6 address used as a CGA modifier.\r\nCommand Default\r\nNo CGA exists for an RSA key.\r\nCommand Modes\r\nGlobal configuration (config)\r\nCommand History\r\nRelease Modification\r\n12.4(24)T This command was introduced.\r\n15.1(3)T The max-iterations keyword and cga-modifier argument were added.\r\nUsage Guidelines\r\nUse this command to generate the CGA modifier for a specified RSA key pair, which enables the key to be used\r\nby Secure Neighbor Discovery (SeND).\r\nOnce the RSA key is generated, the modifier must be generated as well, using the ipv6 cga modifier rsakeypair\r\ncommand.\r\nA CGA has a security parameter that determines its strength against brute-force attacks. 
The security level can be\r\neither 0 or 1.\r\nExamples\r\nThe following example enables the specified key to be used by SeND (that is, generates the modifier):\r\nRouter(config)# ipv6 cga modifier rsakeypair SEND sec-level 1\r\nRelated Commands\r\nCommand Description\r\ncrypto key generate rsa Generates RSA key pairs.\r\nipv6 cga modifier rsakeypair Generates the CGA modifier for a specified RSA key.\r\nipv6 cga modifier rsakeypair (interface) Binds a SeND key to a specified interface.\r\nipv6 cga rsakeypair Specifies which RSA key should be used on an interface.\r\nipv6 cga rsakeypair\r\nTo bind a Secure Neighbor Discovery (SeND) key to a specified interface, use the ipv6 cga rsakeypair command\r\nin interface configuration mode. To disable this function, use the no form of this command.\r\nipv6 cga rsakeypair key-label\r\nno ipv6 cga rsakeypair\r\nSyntax Description\r\nkey-label The name to be used for the Rivest, Shamir, and Adelman (RSA) key pair.\r\nhttps://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/d1/sec-d1-cr-book/sec-cr-i3.html#wp1254331478\r\nPage 153 of 238\n\nCommand Default\r\nA SeND key is not bound to an interface.\r\nCommand Modes\r\nInterface configuration (config-if)\r\nCommand History\r\nRelease Modification\r\n12.4(24)T This command was introduced.\r\nUsage Guidelines\r\nThe SeND key is used to generate an IPv6 modifier for a specified Rivest, Shamir and Adelman (RSA) key pair. A\r\nSeND key must be bound to the interface prior to its being used in the ipv6 address command. 
Use the ipv6 cga\r\nrsakeypair command to bind a SeND key to a specified interface.\r\nYou can then use the ipv6 address command to add the cryptographically generated address (CGA).\r\nExamples\r\nThe following example binds a SeND key to Ethernet interface 0/0:\r\nRouter(config)# interface Ethernet0/0\r\nRouter(config-if)# ip address 10.0.1.1 255.255.255.0\r\nRouter(config-if)# ipv6 cga rsakeypair SEND\r\nRelated Commands\r\nCommand Description\r\nipv6 address\r\nConfigures an IPv6 address based on an IPv6 general prefix and\r\nenables IPv6 processing on an interface.\r\ncrypto key generate rsa Generates RSA key pairs.\r\nipv6 cga modifier rsakeypair (global configuration)\r\nGenerates the CGA modifier for a specified RSA key.\r\nipv6 cga modifier rsakeypair (interface configuration)\r\nBinds a SeND key to a specified interface.\r\nipv6 cga rsakeypair Specifies which RSA key should be used on an interface.\r\nipv6 inspect\r\nTo apply a set of inspection rules to an interface, use the ipv6 inspect command in interface configuration mode.\r\nTo remove the set of rules from the interface, use the no form of this command.\r\nipv6 inspect inspection-name {in | out}\r\nno ipv6 inspect inspection-name {in | out}\r\nSyntax Description\r\ninspection-name Identifies which set of inspection rules to apply.\r\nin Applies the inspection rules to inbound traffic.\r\nout Applies the inspection rules to outbound traffic.\r\nCommand Default\r\nIf no set of inspection rules is applied to an interface, no traffic will be inspected by Context-Based Access\r\nControl (CBAC).\r\nCommand Modes\r\nInterface configuration\r\nCommand History\r\nRelease Modification\r\n12.3(7)T This command was introduced.\r\nUsage 
Guidelines\r\nUse this command to apply a set of inspection rules to an interface.\r\nTypically, if the interface connects to the external network, you apply the inspection rules to outbound traffic;\r\nalternatively, if the interface connects to the internal network, you apply the inspection rules to inbound traffic.\r\nIf you apply the rules to outbound traffic, then return inbound packets will be permitted if they belong to a valid\r\nconnection with existing state information. This connection must be initiated with an outbound packet.\r\nIf you apply the rules to inbound traffic, then return outbound packets will be permitted if they belong to a valid\r\nconnection with existing state information. This connection must be initiated with an inbound packet.\r\nExamples\r\nThe following example applies a set of inspection rules named \"outboundrules\" to an external interface’s\r\noutbound traffic. This causes inbound IP traffic to be permitted only if the traffic is part of an existing session, and\r\nto be denied if the traffic is not part of an existing session.\r\ninterface serial0\r\n ipv6 inspect outboundrules out\r\nRelated Commands\r\nCommand Description\r\nipv6 inspect name Defines a set of inspection rules.\r\nipv6 inspect alert-off\r\nTo disable Context-based Access Control (CBAC) alert messages, which are displayed on the console, use the\r\nipv6 inspect alert-off command in global configuration mode. 
To enable Cisco IOS firewall alert messages, use the\r\nno form of this command.\r\nipv6 inspect alert-off\r\nno ipv6 inspect alert-off\r\nSyntax Description\r\nThis command has no arguments or keywords.\r\nCommand Default\r\nAlert messages are displayed.\r\nCommand Modes\r\nGlobal configuration\r\nCommand History\r\nRelease Modification\r\n12.3(7)T This command was introduced.\r\nExamples\r\nThe following example turns off CBAC alert messages:\r\nipv6 inspect alert-off\r\nRelated Commands\r\nCommand Description\r\nipv6 inspect audit trail Turns on CBAC audit trail messages, which will be displayed on the console after each\r\nCBAC session close.\r\nipv6 inspect name Applies a set of inspection rules to an interface.\r\nipv6 inspect audit trail\r\nTo turn on Context-based Access Control (CBAC) audit trail messages, which will be displayed on the console\r\nafter each Cisco IOS firewall session closes, use the ipv6 inspect audit trail command in global configuration\r\nmode. 
To turn off Cisco IOS firewall audit trail messages, use the no form of this command.\r\nipv6 inspect audit trail\r\nno ipv6 inspect audit trail\r\nSyntax Description\r\nThis command has no arguments or keywords.\r\nCommand Default\r\nAudit trail messages are not displayed.\r\nCommand Modes\r\nGlobal configuration\r\nCommand History\r\nRelease Modification\r\n12.3(7)T This command was introduced.\r\nUsage Guidelines\r\nUse this command to turn on CBAC audit trail messages.\r\nExamples\r\nThe following example turns on CBAC audit trail messages:\r\nipv6 inspect audit trail\r\nAfterward, audit trail messages such as the following are displayed:\r\n%FW-6-SESS_AUDIT_TRAIL: tcp session initiator (192.168.1.13:33192) sent 22 bytes -- responder (192.168.129.11:25\r\n%FW-6-SESS_AUDIT_TRAIL: ftp session initiator 192.168.1.13:33194) sent 336 bytes -- responder (192.168.129.11:21\r\nThese messages are examples of audit trail messages. To determine which protocol was inspected, refer to the\r\nresponder’s port number. The port number follows the responder’s IP address.\r\nRelated Commands\r\nCommand Description\r\nipv6 inspect alert-off Disables CBAC alert messages.\r\nipv6 inspect name Applies a set of inspection rules to an interface.\r\nipv6 inspect max-incomplete high\r\nTo define the number of existing half-open sessions that will cause the software to start deleting half-open\r\nsessions, use the ipv6 inspect max-incomplete high command in global configuration mode. To reset the threshold\r\nto the default of 500 half-open sessions, use the no form of this command.\r\nipv6 inspect max-incomplete high number\r\nno ipv6 inspect max-incomplete high\r\nSyntax Description\r\nnumber\r\nSpecifies the rate of new unestablished TCP sessions that will cause the software to start deleting\r\nhalf-open sessions. The default is 500 half-open sessions. 
The value range is 1 through\r\n4294967295.\r\nCommand Default\r\nThe default is 500 half-open sessions.\r\nCommand Modes\r\nGlobal configuration\r\nCommand History\r\nRelease Modification\r\n12.3(7)T This command was introduced.\r\nUsage Guidelines\r\nAn unusually high number of half-open sessions (either absolute or measured as the arrival rate) could indicate\r\nthat a denial-of-service attack is occurring. For TCP, \"half-open\" means that the session has not reached the\r\nestablished state. For User Datagram Protocol, \"half-open\" means that the firewall has detected traffic from one\r\ndirection only.\r\nContext-based Access Control (CBAC) measures both the total number of existing half-open sessions and the rate\r\nof session establishment attempts. Both TCP and UDP half-open sessions are counted in the total number and rate\r\nmeasurements. Measurements are made once a minute.\r\nWhen the number of existing half-open sessions rises above a threshold (the max-incomplete high number), the\r\nsoftware will delete half-open sessions as required to accommodate new connection requests. 
The software will\r\ncontinue to delete half-open requests as necessary, until the number of existing half-open sessions drops below\r\nanother threshold (the max-incomplete low number).\r\nThe global value specified for this threshold applies to all TCP and UDP connections inspected by CBAC.\r\nExamples\r\nThe following example causes the software to start deleting half-open sessions when the number of existing half-open sessions rises above 900, and to stop deleting half-open sessions when the number drops below 800:\r\nipv6 inspect max-incomplete high 900\r\nipv6 inspect max-incomplete low 800\r\nRelated Commands\r\nCommand Description\r\nipv6 inspect max-incomplete low Defines the number of existing half-open sessions that will cause the software\r\nto stop deleting half-open sessions.\r\nipv6 inspect one-minute high Defines the rate of new unestablished sessions that will cause the software to\r\nstart deleting half-open sessions.\r\nipv6 inspect one-minute low Defines the rate of new unestablished TCP sessions that will cause the\r\nsoftware to stop deleting half-open sessions.\r\nipv6 inspect tcp max-incomplete host Specifies the threshold and blocking time values for TCP host-specific denial-of-service detection and prevention.\r\nipv6 inspect max-incomplete low\r\nTo define the number of existing half-open sessions that will cause the software to stop deleting half-open\r\nsessions, use the ipv6 inspect max-incomplete low command in global configuration mode. To reset the threshold\r\nto the default of 400 half-open sessions, use the no form of this command.\r\nipv6 inspect max-incomplete low number\r\nno ipv6 inspect max-incomplete low\r\nSyntax Description\r\nnumber\r\nSpecifies the number of existing half-open sessions that will cause the software to stop deleting\r\nhalf-open sessions. 
The default is 400 half-open sessions. Value range is 1 through 4294967295.\r\nCommand Default\r\nThe default is 400 half-open sessions.\r\nCommand Modes\r\nGlobal configuration\r\nCommand History\r\nRelease Modification\r\n12.3(7)T This command was introduced.\r\nUsage Guidelines\r\nAn unusually high number of half-open sessions (either absolute or measured as the arrival rate) could indicate\r\nthat a denial-of-service attack is occurring. For TCP, \"half-open\" means that the session has not reached the\r\nestablished state. For User Datagram Protocol, \"half-open\" means that the firewall has detected traffic from one\r\ndirection only.\r\nContext-based Access Control (CBAC) measures both the total number of existing half-open sessions and the rate\r\nof session establishment attempts. Both TCP and UDP half-open sessions are counted in the total number and rate\r\nmeasurements. Measurements are made once a minute.\r\nWhen the number of existing half-open sessions rises above a threshold (the max-incomplete high number), the\r\nsoftware will delete half-open sessions as required to accommodate new connection requests. 
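The high/low hysteresis described here, and the per-host block-time behaviour of the ipv6 inspect tcp max-incomplete host command documented later on this page, are easier to reason about with a small simulation. The following Python model is an added example, not Cisco code; the addresses are constructed, and session ageing and the one-minute rate thresholds are left out so that only the threshold logic is shown.

```python
from collections import OrderedDict
from typing import Dict, List, Optional, Tuple

FlowKey = Tuple[str, int, str, int]      # (src, sport, dst, dport)


class HalfOpenGuard:
    """Simplified model of the CBAC half-open session thresholds.

    Modelled: the global count thresholds (ipv6 inspect max-incomplete
    high / low) and the per-destination-host threshold with its block-time
    (ipv6 inspect tcp max-incomplete host). Not modelled: the one-minute
    rate thresholds and idle/synwait ageing of sessions.
    """

    def __init__(self, high: int = 500, low: int = 400,
                 host_max: int = 50, block_minutes: int = 0) -> None:
        self.high, self.low = high, low
        self.host_max = host_max
        self.block_seconds = block_minutes * 60
        self.half_open: 'OrderedDict[FlowKey, float]' = OrderedDict()  # oldest first
        self.blocked_until: Dict[str, float] = {}   # dst host -> time the block expires
        self.deleting = False                        # True once above high, until below low
        self.log: List[str] = []                     # stands in for the syslog messages

    def _delete_oldest(self, host: Optional[str] = None) -> None:
        for key in self.half_open:
            if host is None or key[2] == host:
                del self.half_open[key]
                return

    def new_syn(self, src: str, sport: int, dst: str, dport: int, now: float) -> bool:
        """A connection attempt that has not reached the established state.
        Returns True if the attempt is admitted, False if it is blocked."""
        until = self.blocked_until.get(dst)
        if until is not None:
            if now < until:
                return False
            del self.blocked_until[dst]
            self.log.append(f'blocking of connection initiations to {dst} ended')

        # Host-specific threshold: half-open sessions with this destination host.
        to_host = [k for k in self.half_open if k[2] == dst]
        if len(to_host) >= self.host_max:
            self.log.append(f'max-incomplete host {self.host_max} exceeded for {dst}')
            if self.block_seconds == 0:
                self._delete_oldest(dst)         # one old for one new: never exceeds
            else:
                for key in to_host:              # flush, then block until block-time expires
                    del self.half_open[key]
                self.blocked_until[dst] = now + self.block_seconds
                self.log.append(f'blocking of connection initiations to {dst} started')
                return False

        # Global thresholds: start deleting above high, stop only once below low.
        total = len(self.half_open)
        if total > self.high:
            self.deleting = True
        elif total < self.low:
            self.deleting = False
        if self.deleting:
            self._delete_oldest()
        self.half_open[(src, sport, dst, dport)] = now
        return True

    def established(self, src: str, sport: int, dst: str, dport: int) -> None:
        """The session completed its handshake and is no longer half-open."""
        self.half_open.pop((src, sport, dst, dport), None)


def global_threshold_scenario() -> Tuple[int, bool, int]:
    """Burst of seven attempts against high=5, low=3 (constructed addresses)."""
    g = HalfOpenGuard(high=5, low=3)
    for i in range(7):
        g.new_syn('2001:db8:1::10', 40000 + i, '2001:db8:2::80', 80, now=float(i))
    count_after_burst = len(g.half_open)            # capped at high + 1
    oldest_dropped = ('2001:db8:1::10', 40000, '2001:db8:2::80', 80) not in g.half_open
    for i in range(1, 5):                           # four sessions complete their handshake
        g.established('2001:db8:1::10', 40000 + i, '2001:db8:2::80', 80)
    g.new_syn('2001:db8:1::10', 40100, '2001:db8:2::80', 80, now=10.0)  # below low again
    return count_after_burst, oldest_dropped, len(g.half_open)          # (6, True, 3)


def host_block_scenario() -> Tuple[bool, bool, bool, int]:
    """Per-host threshold of 2 with a 1-minute block-time (constructed addresses)."""
    g = HalfOpenGuard(host_max=2, block_minutes=1)
    client, victim = '2001:db8:9::1', '2001:db8:2::443'
    for port in (1, 2):
        g.new_syn(client, port, victim, 443, now=0.0)
    third = g.new_syn(client, 3, victim, 443, now=1.0)     # flushes the host and blocks
    during = g.new_syn(client, 4, victim, 443, now=30.0)   # still inside block-time
    after = g.new_syn(client, 5, victim, 443, now=61.0)    # block expired, admitted
    return third, during, after, len(g.half_open)          # (False, False, True, 1)
```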
The software will\r\ncontinue to delete half-open requests as necessary, until the number of existing half-open sessions drops below\r\nanother threshold (the max-incomplete low number).\r\nThe global value specified for this threshold applies to all TCP and UDP connections inspected by CBAC.\r\nExamples\r\nThe following example causes the software to start deleting half-open sessions when the number of existing half-open sessions rises above 900, and to stop deleting half-open sessions when the number drops below 800:\r\nipv6 inspect max-incomplete high 900\r\nipv6 inspect max-incomplete low 800\r\nRelated Commands\r\nCommand Description\r\nipv6 inspect max-incomplete high Defines the number of existing half-open sessions that will cause the software\r\nto start deleting half-open sessions.\r\nipv6 inspect one-minute high Defines the rate of new unestablished sessions that will cause the software to\r\nstart deleting half-open sessions.\r\nipv6 inspect one-minute low Defines the rate of new unestablished TCP sessions that will cause the\r\nsoftware to stop deleting half-open sessions.\r\nipv6 inspect tcp max-incomplete host Specifies the threshold and blocking time values for TCP host-specific denial-of-service detection and prevention.\r\nipv6 inspect name\r\nTo define a set of IPv6 inspection rules, use the ipv6 inspect name command in global configuration mode. To\r\nremove the inspection rule for a protocol or to remove the entire set of inspection rules, use the no form of this\r\ncommand.\r\nipv6 inspect name inspection-name protocol [alert {on | off}] [audit-trail {on | off}] [timeout seconds]\r\nno ipv6 inspect name inspection-name [protocol]\r\nSyntax Description\r\ninspection-name\r\nNames the set of inspection rules. 
If you want to add a protocol to an existing set of\r\nrules, use the same inspection name as the existing set of rules.\r\nprotocol\r\nA specified protocol. Possible protocol values are icmp, udp, tcp, and ftp. This value\r\nis optional in the no version of this command.\r\nalert {on | off}\r\n(Optional) For each inspected protocol, the generation of alert messages can be set to\r\non or off. If no option is selected, alerts are generated based on the setting of the ipv6\r\ninspect alert-off command.\r\naudit-trail {on | off}\r\n(Optional) For each inspected protocol, the audit trail can be set on or off. If no option\r\nis selected, audit trail messages are generated based on the setting of the ipv6 inspect\r\naudit trail command.\r\ntimeout seconds\r\n(Optional) Specifies the number of seconds for a different idle timeout to override the\r\nglobal TCP or User Datagram Protocol (UDP) idle timeouts for the specified protocol.\r\nThis timeout overrides the global TCP and UDP timeouts but will not override the\r\nglobal Domain Name System (DNS) timeout.\r\ntimeout seconds\r\n(fragmentation)\r\nConfigures the number of seconds that a packet state structure remains active. When\r\nthe timeout value expires, the router drops the unassembled packet, freeing that\r\nstructure for use by another packet. The default timeout value is 1 second.\r\nIf this number is set to a value greater than 1 second, it will be automatically adjusted\r\nby the Cisco IOS software when the number of free state structures goes below certain\r\nthresholds: when the number of free states is less than 32, the timeout will be divided\r\nby 2. 
When the number of free states is less than 16, the timeout will be set to 1 second.\r\nCommand Default\r\nNo set of inspection rules is defined.\r\nCommand Modes\r\nGlobal configuration\r\nCommand History\r\nRelease Modification\r\n12.3(7)T This command was introduced.\r\n12.3(11)T FTP protocol support was added.\r\nUsage Guidelines\r\nTo define a set of inspection rules, enter this command for each protocol that you want the Cisco IOS firewall to\r\ninspect, using the same inspection-name. Give each set of inspection rules a unique inspection-name, which\r\nshould not exceed the 16-character limit. Define either one or two sets of rules per interface--you can define one\r\nset to examine both inbound and outbound traffic, or you can define two sets: one for outbound traffic and one for\r\ninbound traffic.\r\nTo define a single set of inspection rules, configure inspection for all the desired application-layer protocols, and\r\nfor TCP, UDP, or Internet Control Message Protocol (ICMP) as desired. This combination of TCP, UDP, and\r\napplication-layer protocols joins together to form a single set of inspection rules with a unique name. (There are no\r\napplication-layer protocols associated with ICMP.)\r\nTo remove the inspection rule for a protocol, use the no form of this command with the specified inspection name\r\nand protocol. 
To remove the entire set of named inspection rules, use the no form of this command with the\r\nspecified inspection name.\r\nIn general, when inspection is configured for a protocol, return traffic entering the internal network will be\r\npermitted only if the packets are part of a valid, existing session for which state information is being maintained.\r\nTCP and UDP Inspection\r\nYou can configure TCP and UDP inspection to permit TCP and UDP packets to enter the internal network through\r\nthe firewall, even if the application-layer protocol is not configured to be inspected. However, TCP and UDP\r\ninspection do not recognize application-specific commands, and therefore might not permit all return packets for\r\nan application, particularly if the return packets have a different port number from the previous exiting packet.\r\nAny application-layer protocol that is inspected will take precedence over the TCP or UDP packet inspection. For\r\nexample, if inspection is configured for FTP, all control channel information will be recorded in the state table,\r\nand all FTP traffic will be permitted back through the firewall if the control channel information is valid for the\r\nstate of the FTP session. The fact that TCP inspection is configured is irrelevant.\r\nWith TCP and UDP inspection, packets entering the network must exactly match an existing session: the entering\r\npackets must have the same source or destination addresses and source or destination port numbers as the exiting\r\npacket (but reversed). Otherwise, the entering packets will be blocked at the interface.\r\nICMP Inspection\r\nAn ICMP inspection session is based on the source address of the inside host that originates the ICMP\r\npacket. Dynamic access control lists (ACLs) are created for return ICMP packets of the allowed types (destination\r\nunreachable, echo-reply, time-exceeded, and packet too big) for each session. 
There are no port numbers\r\nassociated with an ICMP session, and the permitted IP address of the return packet is wild-carded in the ACL. The\r\naddress is wild-carded because the IP address of the return packet cannot be known in advance for time-exceeded\r\nand destination-unreachable replies. These replies can come from intermediate devices rather than the intended\r\ndestination.\r\nFTP Inspection\r\nCisco IOS Firewall uses layer 7 support for application modules such as FTP.\r\nCisco IOS IPv6 Firewall uses RFC 2428 to obtain IPv6 addresses and corresponding ports. If an address other\r\nthan an IPv6 address is present, the FTP data channel is not opened.\r\nIPv6-specific port-to-application mapping (PAM) provides FTP inspection. PAM translates TCP or UDP port\r\nnumbers into specific network services or applications. By mapping port numbers to network services or\r\napplications, an administrator can force firewall inspection on custom configurations not defined by well-known\r\nports. PAM delivers with the standard well-known ports defined as defaults.\r\nThe table below describes the transport-layer and network-layer protocols.\r\nTable 1. 
Protocol Keywords--Transport-Layer and Network-Layer Protocols\r\nProtocol Keyword\r\nICMP icmp\r\nTCP tcp\r\nUDP udp\r\nFTP ftp\r\nUse of the timeout Keyword\r\nIf you specify a timeout for any of the transport-layer or application-layer protocols, the timeout will override the\r\nglobal idle timeout for the interface to which the set of inspection rules is applied.\r\nIf the protocol is TCP or a TCP application-layer protocol, the timeout will override the global TCP idle timeout.\r\nIf the protocol is UDP or a UDP application-layer protocol, the timeout will override the global UDP idle timeout.\r\nIf you do not specify a timeout for a protocol, the timeout value applied to a new session of that protocol will be\r\ntaken from the corresponding TCP or UDP global timeout value valid at the time of session creation.\r\nThe default ICMP timeout is deliberately short (10 seconds) due to the security hole that is opened by allowing\r\nICMP packets with a wild-carded source address back into the inside network. The timeout will occur 10 seconds\r\nafter the last outgoing packet from the originating host. For example, if you send a set of 10 ping packets spaced\r\none second apart, the timeout will expire in 20 seconds or 10 seconds after the last outgoing packet. However, the\r\ntimeout is not extended for return packets. If a return packet is not seen within the timeout window, the hole will\r\nbe closed and the return packet will not be allowed in. 
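The ICMP behaviour just described (source address wild-carded, 10-second timeout counted from the last outgoing packet and not extended by replies) and the reversed-tuple matching of TCP and UDP inspection from the previous section can be modelled in a few lines. This Python sketch is an added example, not Cisco's implementation; the addresses are constructed, ICMPv6 type numbers stand in for the allowed reply types, and the UDP idle timeout value is an assumption.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Idle timeouts in seconds. The TCP (3600) and ICMP (10) values are the defaults
# this reference states; the UDP value is an assumption for the simulation only.
TIMEOUTS = {'tcp': 3600, 'udp': 30, 'icmp': 10}

# Reply types CBAC lets back in for an ICMP session, expressed as ICMPv6 types
# (assumed numbering, since these are ipv6 inspect rules).
ICMPV6_RETURN_TYPES = {1: 'destination unreachable', 2: 'packet too big',
                       3: 'time exceeded', 129: 'echo reply'}


@dataclass(frozen=True)
class Packet:
    proto: str                      # 'tcp', 'udp' or 'icmp'
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    icmp_type: Optional[int] = None


class CbacInspector:
    """Toy model of CBAC session state for one inspected interface."""

    def __init__(self) -> None:
        # TCP/UDP key: (proto, src, sport, dst, dport) of the exiting packet -> expiry.
        self.flows: Dict[Tuple[str, str, int, str, int], float] = {}
        # ICMP key: inside source host -> expiry of the wild-carded return hole.
        self.icmp: Dict[str, float] = {}

    def outbound(self, pkt: Packet, now: float) -> None:
        """Record state for a packet leaving the inside network."""
        if pkt.proto == 'icmp':
            self.icmp[pkt.src] = now + TIMEOUTS['icmp']   # counts from last outgoing packet
        else:
            key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
            self.flows[key] = now + TIMEOUTS[pkt.proto]

    def inbound(self, pkt: Packet, now: float) -> bool:
        """Return True if a packet entering the inside network is permitted."""
        if pkt.proto == 'icmp':
            if pkt.icmp_type not in ICMPV6_RETURN_TYPES:
                return False
            expiry = self.icmp.get(pkt.dst)     # any source: the ACL entry is wild-carded
            if expiry is None or now > expiry:
                self.icmp.pop(pkt.dst, None)    # hole closed, reply not allowed in
                return False
            return True                         # return packets do not extend the hole
        # Entering packet must be the exiting 5-tuple, reversed.
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        expiry = self.flows.get(key)
        if expiry is None or now > expiry:
            self.flows.pop(key, None)
            return False
        self.flows[key] = now + TIMEOUTS[pkt.proto]   # activity restarts the idle timer
        return True


def icmp_ping_scenario() -> Tuple[bool, bool, bool]:
    """The reference's example: 10 pings one second apart from an inside host."""
    fw = CbacInspector()
    inside, outside = '2001:db8:1::10', '2001:db8:2::1'     # constructed addresses
    for t in range(1, 11):                                   # pings at t = 1 .. 10 s
        fw.outbound(Packet('icmp', inside, outside, icmp_type=128), now=t)
    hop = '2001:db8:ff::1'                                   # an intermediate router
    time_exceeded_at_15 = fw.inbound(Packet('icmp', hop, inside, icmp_type=3), now=15)
    echo_reply_at_20 = fw.inbound(Packet('icmp', outside, inside, icmp_type=129), now=20)
    echo_reply_at_21 = fw.inbound(Packet('icmp', outside, inside, icmp_type=129), now=21)
    return time_exceeded_at_15, echo_reply_at_20, echo_reply_at_21   # (True, True, False)


def tcp_reverse_match_scenario() -> Tuple[bool, bool]:
    """Return traffic must match the exiting packet's addresses and ports, reversed."""
    fw = CbacInspector()
    inside, server = '2001:db8:1::10', '2001:db8:2::25'     # constructed addresses
    fw.outbound(Packet('tcp', inside, server, 33192, 25), now=0)
    exact = fw.inbound(Packet('tcp', server, inside, 25, 33192), now=1)
    other_port = fw.inbound(Packet('tcp', server, inside, 25, 33193), now=1)
    return exact, other_port                                 # (True, False)
```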
Although the default timeout can be made longer if desired,\r\nit is recommended that this value be kept relatively short.\r\nExamples\r\nThe following example causes the software to inspect TCP sessions and UDP sessions:\r\nipv6 inspect name myrules tcp\r\nipv6 inspect name myrules udp audit-trail on\r\nRelated Commands\r\nCommand Description\r\nipv6 inspect alert-off Disables CBAC alert messages.\r\nipv6 inspect audit trail Turns on CBAC audit trail messages, which will be displayed on the console after each\r\nCBAC session close.\r\nipv6 inspect one-minute high\r\nTo define the rate of new unestablished sessions that will cause the software to start deleting half-open sessions,\r\nuse the ipv6 inspect one-minute high command in global configuration mode. To reset the threshold to the default\r\nof 500 half-open sessions, use the no form of this command.\r\nipv6 inspect one-minute high number\r\nno ipv6 inspect one-minute high\r\nSyntax Description\r\nnumber\r\nSpecifies the rate of new unestablished TCP sessions that will cause the software to start deleting\r\nhalf-open sessions. The default is 500 half-open sessions. Value range is 1 through 4294967295.\r\nCommand Default\r\nThe default is 500 half-open sessions.\r\nCommand Modes\r\nGlobal configuration\r\nCommand History\r\nRelease Modification\r\n12.3(7)T This command was introduced.\r\nUsage Guidelines\r\nAn unusually high number of half-open sessions (either absolute or measured as the arrival rate) could indicate\r\nthat a denial-of-service attack is occurring. For TCP, \"half-open\" means that the session has not reached the\r\nestablished state. 
For User Datagram Protocol, \"half-open\" means that the firewall has detected traffic from one\r\ndirection only.\r\nContext-based Access Control (CBAC) measures both the total number of existing half-open sessions and the rate\r\nof session establishment attempts. Both TCP and UDP half-open sessions are included in the total number and rate\r\nmeasurements. Measurements are made once a minute.\r\nWhen the rate of new connection attempts rises above a threshold (the one-minute high number), the software will\r\ndelete half-open sessions as required to accommodate new connection attempts. The software will continue to\r\ndelete half-open sessions as necessary, until the rate of new connection attempts drops below another threshold\r\n(the one-minute low number). The rate thresholds are measured as the number of new session connection attempts\r\ndetected in the last one-minute sample period. (The rate is calculated as an exponentially decayed rate.)\r\nThe global value specified for this threshold applies to all TCP and UDP connections inspected by CBAC.\r\nExamples\r\nThe following example causes the software to start deleting half-open sessions when more than 1000 session\r\nestablishment attempts have been detected in the last minute, and to stop deleting half-open sessions when fewer\r\nthan 950 session establishment attempts have been detected in the last minute:\r\nipv6 inspect one-minute high 1000\r\nipv6 inspect one-minute low 950\r\nRelated Commands\r\nCommand Description\r\nipv6 inspect one-minute low Defines the rate of new unestablished TCP sessions that will cause the\r\nsoftware to stop deleting half-open sessions.\r\nipv6 inspect max-incomplete high Defines the number of existing half-open sessions that will cause the software\r\nto start deleting half-open sessions.\r\nipv6 inspect max-incomplete low Defines the number 
of existing half-open sessions that will cause the software\r\nto stop deleting half-open sessions.\r\nipv6 inspect tcp max-incomplete host Specifies the threshold and blocking time values for TCP host-specific denial-of-service detection and prevention.\r\nipv6 inspect one-minute low\r\nTo define the rate of new unestablished TCP sessions that will cause the software to stop deleting half-open\r\nsessions, use the ipv6 inspect one-minute low command in global configuration mode. To reset the threshold to\r\nthe default of 400 half-open sessions, use the no form of this command.\r\nipv6 inspect one-minute low number\r\nno ipv6 inspect one-minute low\r\nSyntax Description\r\nnumber\r\nSpecifies the rate of new unestablished TCP sessions that will cause the software to stop deleting\r\nhalf-open sessions. The default is 400 half-open sessions. Value range is 1 through 4294967295.\r\nCommand Default\r\nThe default is 400 half-open sessions.\r\nCommand Modes\r\nGlobal configuration\r\nCommand History\r\nRelease Modification\r\n12.3(7)T This command was introduced.\r\nUsage Guidelines\r\nAn unusually high number of half-open sessions (either absolute or measured as the arrival rate) could indicate\r\nthat a denial-of-service attack is occurring. For TCP, \"half-open\" means that the session has not reached the\r\nestablished state. For User Datagram Protocol, \"half-open\" means that the firewall has detected traffic from one\r\ndirection only.\r\nContext-based Access Control (CBAC) measures both the total number of existing half-open sessions and the rate\r\nof session establishment attempts. Both TCP and UDP half-open sessions are included in the total number and rate\r\nmeasurements. 
Measurements are made once a minute.\r\nWhen the rate of new connection attempts rises above a threshold (the one-minute high number), the software will\r\ndelete half-open sessions as required to accommodate new connection attempts. The software will continue to\r\ndelete half-open sessions as necessary, until the rate of new connection attempts drops below another threshold\r\n(the one-minute low number). The rate thresholds are measured as the number of new session connection attempts\r\ndetected in the last one-minute sample period. (The rate is calculated as an exponentially decayed rate.)\r\nThe global value specified for this threshold applies to all TCP and UDP connections inspected by CBAC.\r\nExamples\r\nThe following example causes the software to start deleting half-open sessions when more than 1000 session\r\nestablishment attempts have been detected in the last minute, and to stop deleting half-open sessions when fewer\r\nthan 950 session establishment attempts have been detected in the last minute:\r\nipv6 inspect one-minute high 1000\r\nipv6 inspect one-minute low 950\r\nRelated Commands\r\nCommand Description\r\nipv6 inspect max-incomplete high Defines the number of existing half-open sessions that will cause the software\r\nto start deleting half-open sessions.\r\nipv6 inspect max-incomplete low Defines the number of existing half-open sessions that will cause the software\r\nto stop deleting half-open sessions.\r\nipv6 inspect one-minute high Defines the rate of new unestablished sessions that will cause the software to\r\nstart deleting half-open sessions.\r\nipv6 inspect tcp max-incomplete host Specifies the threshold and blocking time values for TCP host-specific denial-of-service detection and prevention.\r\nipv6 inspect routing-header\r\nTo specify whether Context-based Access Control (CBAC) 
should inspect packets containing an IPv6 routing\r\nheader, use the ipv6 inspect routing-header command. To drop packets containing an IPv6 routing header, use the\r\nno form of this command.\r\nipv6 inspect routing-header\r\nno ipv6 inspect routing-header\r\nSyntax Description\r\nThis command has no arguments or keywords.\r\nCommand Default\r\nPackets containing an IPv6 routing header are dropped.\r\nCommand Modes\r\nGlobal configuration\r\nCommand History\r\nRelease Modification\r\n12.3(7)T This command was introduced.\r\nUsage Guidelines\r\nAn IPv6 source uses the routing header to list one or more intermediate nodes to be visited between the source and\r\ndestination of the packet. The Cisco IOS firewall uses this header to retrieve the destination host address. Cisco\r\nIOS firewall will establish the appropriate inspection session based on the retrieved address from the routing\r\nheader.\r\nThe originating node lists all intermediate nodes that the packet must traverse. The source and destination address\r\npair in the IPv6 header identifies the hop between the originating node and the first intermediate node. Once the\r\nfirst intermediate node receives the packet, it looks for a routing header. If the routing header is present, the next\r\nintermediate node address is swapped with the destination address in the IPv6 header and the packet is forwarded\r\nto the next intermediate node. This sequence continues for each intermediate node listed in the routing header until no\r\nmore entries exist in the routing header. 
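As an added example (not Cisco code), the following Python parser does what the usage guidelines describe: it walks the IPv6 extension headers, finds the routing header and takes its last entry as the destination on which the inspection session should be keyed, falling back to the IPv6 header destination when no routing header is present or no segments are left. The sample packet is constructed inline; the routing type value it carries is arbitrary for this parser.

```python
import struct
from ipaddress import IPv6Address
from typing import List, Tuple

ROUTING_HEADER = 43
# Extension headers with the generic (next-header, hdr-ext-len) layout that
# may appear before the routing header: hop-by-hop options, destination options.
SKIPPABLE = {0, 60}


def parse_routing_header(ext: bytes) -> Tuple[int, int, int, List[str]]:
    """Return (next_header, routing_type, segments_left, addresses)."""
    if len(ext) < 8:
        raise ValueError('truncated routing header')
    nh, ext_len, rtype, seg_left = struct.unpack('!BBBB', ext[:4])
    total = (ext_len + 1) * 8                    # hdr-ext-len excludes the first 8 octets
    if len(ext) < total:
        raise ValueError('routing header longer than packet')
    body = ext[8:total]                          # skip 4 reserved/type-specific octets
    if len(body) % 16:
        raise ValueError('routing header address field not 16-byte aligned')
    addrs = [str(IPv6Address(body[i:i + 16])) for i in range(0, len(body), 16)]
    return nh, rtype, seg_left, addrs


def final_destination(packet: bytes) -> str:
    """Destination the firewall should key its session on."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError('not an IPv6 packet')
    nh = packet[6]
    ipv6_dst = str(IPv6Address(packet[24:40]))
    off = 40
    while True:
        if nh == ROUTING_HEADER:
            _, _rtype, seg_left, addrs = parse_routing_header(packet[off:])
            if seg_left == 0 or not addrs:
                return ipv6_dst                  # header already consumed or empty
            return addrs[-1]                     # last entry is the final destination
        if nh in SKIPPABLE:
            if off + 2 > len(packet):
                raise ValueError('truncated extension header')
            nh = packet[off]
            off += (packet[off + 1] + 1) * 8
            continue
        return ipv6_dst                          # upper-layer header reached


def build_packet(src: str, dst: str, hops: List[str], seg_left: int) -> bytes:
    """Constructed sample: IPv6 header + one routing header + no payload."""
    addr_bytes = b''.join(IPv6Address(h).packed for h in hops)
    # next header 59 (no next header), hdr-ext-len in 8-octet units, type 0 (arbitrary)
    rh = struct.pack('!BBBB', 59, len(hops) * 2, 0, seg_left) + b'\x00' * 4 + addr_bytes
    hdr = struct.pack('!IHBB', 6 << 28, len(rh), ROUTING_HEADER, 64)
    return hdr + IPv6Address(src).packed + IPv6Address(dst).packed + rh
```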
The last entry in the routing header is the final destination address.\r\nExamples\r\nThe following example enables inspection of packets that contain an IPv6 routing header:\r\nipv6 inspect routing-header\r\nRelated Commands\r\nCommand Description\r\nipv6 inspect alert-off Disables CBAC alert messages.\r\nipv6 inspect audit trail Turns on CBAC audit trail messages, which will be displayed on the console after each\r\nCBAC session close.\r\nipv6 inspect name Applies a set of inspection rules to an interface.\r\nipv6 inspect tcp idle-time\r\nTo specify the TCP idle timeout (the length of time a TCP session will still be managed while there is no activity),\r\nuse the ipv6 inspect tcp idle-time command in global configuration mode. To reset the timeout to the default of\r\n3600 seconds (1 hour), use the no form of this command.\r\nipv6 inspect tcp idle-time seconds\r\nno ipv6 inspect tcp idle-time\r\nSyntax Description\r\nseconds\r\nSpecifies the length of time, in seconds, for which a TCP session will still be managed while there\r\nis no activity. The default is 3600 seconds (1 hour).\r\nCommand Default\r\nThe default is 3600 seconds (1 hour).\r\nCommand Modes\r\nGlobal configuration\r\nCommand History\r\nRelease Modification\r\n12.3(7)T This command was introduced.\r\nUsage Guidelines\r\nWhen the software detects a valid TCP packet that is the first in a session, and if Context-based Access Control\r\n(CBAC) inspection is configured for the packet’s protocol, the software establishes state information for the new\r\nsession.\r\nIf the software detects no packets for the session for a time period defined by the TCP idle timeout, the software\r\nwill not continue to manage state information for the session.\r\nThe global value specified for this timeout applies to all TCP sessions inspected by CBAC. 
This global value can\r\nbe overridden for specific interfaces when you define a set of inspection rules with the ipv6 inspect name (global\r\nconfiguration) command.\r\nNote\r\nThis command does not affect any of the currently defined inspection rules that have explicitly\r\ndefined timeouts. Sessions created based on these rules still inherit the explicitly defined timeout\r\nvalue. If you change the TCP idle timeout with this command, the new timeout will apply to any new\r\ninspection rules you define or to any existing inspection rules that do not have an explicitly defined\r\ntimeout. That is, new sessions based on these rules (having no explicitly defined timeout) will inherit\r\nthe global timeout value.\r\nExamples\r\nThe following example sets the global TCP idle timeout to 1800 seconds (30 minutes):\r\nipv6 inspect tcp idle-time 1800\r\nThe following example sets the global TCP idle timeout back to the default of 3600 seconds (one hour):\r\nno ipv6 inspect tcp idle-time\r\nRelated Commands\r\nCommand Description\r\nipv6 inspect name Defines a set of IPv6 inspection rules.\r\nipv6 inspect tcp max-incomplete host\r\nTo specify threshold and blocking time values for TCP host-specific denial-of-service detection and prevention,\r\nuse the ipv6 inspect tcp max-incomplete host command in global configuration mode. 
To reset the threshold and\r\nblocking time to the default values, use the no form of this command.\r\nipv6 inspect tcp max-incomplete host number block-time minutes\r\nno ipv6 inspect tcp max-incomplete host\r\nSyntax Description\r\nnumber\r\nSpecifies how many half-open TCP sessions with the same host destination address can exist at a\r\ntime, before the software starts deleting half-open sessions to the host. Use a number from 1 to\r\n250. The default is 50 half-open sessions. Value range is 1 through 4294967295.\r\nblock-time\r\nSpecifies blocking of connection initiation to a host. Value range is 0 through 35791.\r\nminutes\r\nSpecifies how long the software will continue to delete new connection requests to the host. The\r\ndefault is 0 minutes.\r\nCommand Default\r\nThe default is 50 half-open sessions and 0 minutes.\r\nCommand Modes\r\nGlobal configuration\r\nCommand History\r\nRelease Modification\r\n12.3(7)T This command was introduced.\r\nUsage Guidelines\r\nAn unusually high number of half-open sessions with the same destination host address could indicate that a\r\ndenial-of-service attack is being launched against the host. For TCP, \"half-open\" means that the session has not\r\nreached the established state.\r\nWhenever the number of half-open sessions with the same destination host address rises above a threshold (the\r\nmax-incomplete host number), the software will delete half-open sessions according to one of the following\r\nmethods:\r\nIf the block-time minutes timeout is 0 (the default):\r\nThe software will delete the oldest existing half-open session for the host for every new connection request to the\r\nhost. 
This ensures that the number of half-open sessions to a given host will never exceed the threshold.
If the block-time minutes timeout is greater than 0:
The software will delete all existing half-open sessions for the host, and then block all new connection requests to the host. The software will continue to block all new connection requests until the block-time expires.
The software also sends syslog messages whenever the max-incomplete host number is exceeded and when blocking of connection initiations to a host starts or ends.
The global values specified for the threshold and blocking time apply to all TCP connections inspected by Context-based Access Control (CBAC).

Examples
The following example changes the max-incomplete host number to 40 half-open sessions, and changes the block-time timeout to 2 minutes (120 seconds):
ipv6 inspect tcp max-incomplete host 40 block-time 120
The following example resets the defaults (50 half-open sessions and 0 seconds):
no ipv6 inspect tcp max-incomplete host

Related Commands
Command Description
ipv6 inspect max-incomplete high Defines the number of existing half-open sessions that will cause the software to start deleting half-open sessions.
ipv6 inspect max-incomplete low Defines the number of existing half-open sessions that will cause the software to stop deleting half-open sessions.
ipv6 inspect one-minute high Defines the rate of new unestablished sessions that will cause the software to start deleting half-open sessions.
ipv6 inspect one-minute low Defines the rate of new unestablished TCP sessions that will cause the software to stop deleting half-open sessions.

ipv6 inspect tcp synwait-time
To define how long the software will wait for a TCP session to reach the established state before dropping the session, use the ipv6 inspect tcp synwait-time command in global configuration mode. To reset the timeout to the default of 30 seconds, use the no form of this command.
ipv6 inspect tcp synwait-time seconds
no ipv6 inspect tcp synwait-time

Syntax Description
seconds Specifies how long, in seconds, the software will wait for a TCP session to reach the established state before dropping the session. The default is 30 seconds. Value range is 1 through 2147483.

Command Default
The default is 30 seconds.

Command Modes
Global configuration

Command History
Release Modification
12.3(7)T This command was introduced.

Usage Guidelines
Use this command to define how long Cisco IOS software will wait for a TCP session to reach the established state before dropping the session. The session is considered to have reached the established state after the session’s first SYN bit is detected.
The global value specified for this timeout applies to all TCP sessions inspected by Context-based Access Control (CBAC).

Examples
The following example changes the "synwait" timeout to 20 seconds:
ipv6 inspect tcp synwait-time 20
The following example changes the "synwait" timeout back to the default (30 seconds):
no ipv6 inspect tcp synwait-time

Related Commands
Command Description
ipv6 inspect udp idle-time Specifies the User Datagram Protocol idle timeout (the length of time for which a UDP "session" will still be managed while there is no activity).

ipv6 inspect udp idle-time
To specify the User Datagram Protocol idle timeout (the length of time for which a UDP "session" will still be managed while there is no activity), use the ipv6 inspect udp idle-time command in global configuration mode. To reset the timeout to the default of 30 seconds, use the no form of this command.
ipv6 inspect udp idle-time seconds
no ipv6 inspect udp idle-time

Syntax Description
seconds Specifies the length of time a UDP "session" will still be managed while there is no activity. The default is 30 seconds. Value range is 1 through 2147483.

Command Default
The default is 30 seconds.

Command Modes
Global configuration

Command History
Release Modification
12.3(7)T This command was introduced.

Usage Guidelines
When the software detects a valid UDP packet, if Context-based Access Control (CBAC) inspection is configured for the packet’s protocol, the software establishes state information for a new UDP "session." Because UDP is a connectionless service, there are no actual sessions, so the software approximates sessions by examining the information in the packet and determining if the packet is similar to other UDP packets (for example, it has similar source or destination addresses) and if the packet was detected soon after another similar UDP packet.
If the software detects no UDP packets for the UDP session for a period of time defined by the UDP idle timeout, the software will not continue to manage state information for the session.
The global value specified for this timeout applies to all UDP sessions inspected by CBAC. This global value can be overridden for specific interfaces when you define a set of inspection rules with the ipv6 inspect name command.

Note
This command does not affect any of the currently defined inspection rules that have explicitly defined timeouts. Sessions created based on these rules still inherit the explicitly defined timeout value.
If you change the UDP idle timeout with this command, the new timeout will apply to any new inspection rules you define or to any existing inspection rules that do not have an explicitly defined timeout. That is, new sessions based on these rules (having no explicitly defined timeout) will inherit the global timeout value.

Examples
The following example sets the global UDP idle timeout to 120 seconds (2 minutes):
ipv6 inspect udp idle-time 120
The following example sets the global UDP idle timeout back to the default of 30 seconds:
no ipv6 inspect udp idle-time

ipv6 nd inspection
To apply the Neighbor Discovery Protocol (NDP) Inspection feature, use the ipv6 nd inspection command in interface configuration mode. To remove the NDP Inspection feature, use the no form of this command.
ipv6 nd inspection [attach-policy [policy-name] | vlan {add | except | none | remove | all} vlan vlan-id]
no ipv6 nd inspection

Syntax Description
attach-policy (Optional) Attaches an NDP Inspection policy.
policy-name (Optional) The NDP Inspection policy name.
vlan (Optional) Applies the ND Inspection feature to a VLAN on the interface.
add (Optional) Adds a VLAN to be inspected.
except (Optional) Inspects all VLANs except the one specified.
none (Optional) Specifies that no VLANs are inspected.
remove (Optional) Removes the specified VLAN from NDP inspection.
all (Optional) Inspects NDP traffic from all VLANs on the port.
vlan-id (Optional) A specific VLAN on the interface. More than one VLAN can be specified. The VLAN number that can be used is from 1 to 4094.

Command Default
All NDP messages are inspected.
Secure Neighbor Discovery (SeND) options are ignored. Neighbors are probed based on the criteria defined in the Neighbor Tracking feature. Per-port IPv6 address limit enforcement is disabled. Layer 2 header source MAC address validations are disabled. Per-port rate limiting of the NDP messages in software is disabled.

Command Modes
Interface configuration (config-if)

Command History
Release Modification
12.2(50)SY This command was introduced.
15.0(2)SE This command was integrated into Cisco IOS Release 15.0(2)SY. The limited-broadcast keyword was deprecated.
Cisco IOS XE Release 3.2SE This command was integrated into Cisco IOS XE Release 3.2SE. The limited-broadcast keyword was deprecated.

Usage Guidelines
The ipv6 nd inspection command applies the NDP Inspection feature on a specified interface. If you enable the optional attach-policy or vlan keywords, NDP traffic is inspected by policy or by VLAN. If no VLANs are specified, NDP traffic from all VLANs on the port is inspected (which is equivalent to using the vlan all keywords).
If no policy is specified in this command, the default criteria are as follows:
All NDP messages are inspected.
SeND options are ignored.
Neighbors are probed based on the criteria defined in the neighbor tracking feature.
Per-port IPv6 address limit enforcement is disabled.
Layer 2 header source MAC address validations are disabled.
Per-port rate limiting of the NDP messages in software is disabled.
If a VLAN is specified, its parameter is either a single VLAN number from 1 to 4094 or a range of VLANs described by two VLAN numbers, the lesser one first, separated by a dash (for example, vlan 1-100,200,300-400).
Do not enter any spaces between comma-separated VLAN parameters or in dash-specified ranges.

Examples
The following example enables NDP inspection on a specified interface:
Router(config-if)# ipv6 nd inspection

ipv6 nd inspection policy
To define the neighbor discovery (ND) inspection policy name and enter ND inspection policy configuration mode, use the ipv6 nd inspection policy command in ND inspection configuration mode. To remove the ND inspection policy, use the no form of this command.
ipv6 nd inspection policy policy-name
no ipv6 nd inspection policy policy-name

Syntax Description
policy-name The ND inspection policy name.

Command Default
No ND inspection policies are configured.

Command Modes
ND inspection configuration (config-nd-inspection)

Command History
Release Modification
12.2(50)SY This command was introduced.
15.0(2)SE This command was integrated into Cisco IOS Release 15.0(2)SE.
Cisco IOS XE Release 3.2SE This command was integrated into Cisco IOS XE Release 3.2SE.

Usage Guidelines
The ipv6 nd inspection policy command defines the ND inspection policy name and enters ND inspection policy configuration mode.
Once you are in ND inspection policy configuration mode, you can use any of the following commands:
device-role
drop-unsecure
limit address-count
sec-level minimum
tracking
trusted-port
validate source-mac

Examples
The following example defines an ND policy name as policy1:
Router(config)# ipv6 nd inspection policy policy1
Router(config-nd-inspection)#

Related Commands
Command Description
device-role Specifies the role of the device attached to the port.
drop-unsecure Drops messages with no or invalid options or an invalid signature.
limit address-count Limits the number of IPv6 addresses allowed to be used on the port.
sec-level minimum Specifies the minimum security level parameter value when CGA options are used.
tracking Overrides the default tracking policy on a port.
trusted-port Configures a port to become a trusted port.
validate source-mac Checks the source MAC address against the link-layer address.

ipv6 nd prefix framed-ipv6-prefix
To add the prefix in a received RADIUS framed IPv6 prefix attribute to the interface’s neighbor discovery prefix queue, use the ipv6 nd prefix framed-ipv6-prefix command in interface configuration mode.
To disable this feature, use the no form of this command.
ipv6 nd prefix framed-ipv6-prefix
no ipv6 nd prefix framed-ipv6-prefix

Syntax Description
This command has no arguments or keywords.

Command Default
Prefix is sent in the router advertisements (RAs).

Command Modes
Interface configuration

Command History
Release Modification
12.3(14)T This command was introduced.
12.2(18)SXE This command was integrated into Cisco IOS Release 12.2(18)SXE.
12.2(33)SRA This command was integrated into Cisco IOS Release 12.2(33)SRA.

Usage Guidelines
Use the ipv6 nd prefix framed-ipv6-prefix command to add the prefix in a received RADIUS framed IPv6 prefix attribute to the interface’s neighbor discovery prefix queue and include it in RAs sent on the interface’s link. By default, the prefix is sent in RAs. If the prefix in the attribute should be used by other applications such as the Dynamic Host Configuration Protocol (DHCP) for IPv6 server, administrators can disable the default behavior with the no form of the command.

Examples
The following example adds the prefix in a received RADIUS framed IPv6 prefix attribute to the interface’s neighbor discovery prefix queue:
ipv6 nd prefix framed-ipv6-prefix

ipv6 nd raguard attach-policy
To apply the IPv6 router advertisement (RA) guard feature on a specified interface, use the ipv6 nd raguard attach-policy command in interface configuration mode.
ipv6 nd raguard attach-policy [policy-name [vlan {add | except | none | remove | all} vlan [vlan1, vlan2, vlan3...]]]

Syntax Description
policy-name (Optional) IPv6 RA guard policy name.
vlan (Optional) Applies the IPv6 RA guard feature to a VLAN on the interface.
add Adds a VLAN to be inspected.
except All VLANs are inspected except the one specified.
none No VLANs are inspected.
remove Removes the specified VLAN from RA guard inspection.
all ND traffic from all VLANs on the port is inspected.
vlan (Optional) A specific VLAN on the interface. More than one VLAN can be specified (vlan1, vlan2, vlan3...). The range of available VLAN numbers is from 1 through 4094.

Command Default
An IPv6 RA guard policy is not configured.

Command Modes
Interface configuration (config-if)

Command History
Release Modification
12.2(50)SY This command was introduced.
15.2(4)S This command was integrated into Cisco IOS Release 15.2(4)S.
15.0(2)SE This command was integrated into Cisco IOS Release 15.0(2)SE.
Cisco IOS XE Release 3.2SE This command was integrated into Cisco IOS XE Release 3.2SE.

Usage Guidelines
If no policy is specified using the policy-name argument, the port device role is set to host and all inbound router traffic (for example, RA and redirect messages) is blocked.
If no VLAN is specified (which is equal to entering the vlan all keywords after the policy-name argument), RA guard traffic from all VLANs on the port is analyzed.
If specified, the VLAN parameter is either a single VLAN number from 1 through 4094 or a range of VLANs described by two VLAN numbers, the lesser one first, separated by a dash.
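The VLAN list syntax described here, and identically under ipv6 nd inspection, worked through as an added example in Python (not Cisco code): it expands a list such as vlan 1-100,200,300-400, enforces the lesser-first, 1 to 4094 and no-spaces rules from the reference, and applies the add, except, none, remove and all keywords to the set of VLANs inspected on a port. The function names and the sample lists are assumptions made for this illustration.

```python
"""Work through the VLAN list syntax shared by ipv6 nd inspection and
ipv6 nd raguard attach-policy. Added example, not Cisco code; the function
names are assumptions made for this illustration."""
from __future__ import annotations

import re

VLAN_MIN, VLAN_MAX = 1, 4094                 # valid VLAN numbers per the reference
_ITEM = re.compile(r"^(\d+)(?:-(\d+))?$")     # a single VLAN "200" or a range "1-100"


def parse_vlan_list(spec: str) -> set[int]:
    """Expand a list such as "1-100,200,300-400" into the VLAN numbers it names.

    Rejects what the reference forbids: spaces anywhere in the list, a range
    with the greater number first, and numbers outside 1 to 4094.
    """
    if re.search(r"\s", spec):
        raise ValueError(f"VLAN list {spec!r} must not contain spaces")
    vlans: set[int] = set()
    for item in spec.split(","):
        match = _ITEM.match(item)
        if match is None:
            raise ValueError(f"malformed VLAN item {item!r}")
        low = int(match.group(1))
        high = int(match.group(2)) if match.group(2) else low
        if high < low:
            raise ValueError(f"range {item!r}: the lesser VLAN must come first")
        if low < VLAN_MIN or high > VLAN_MAX:
            raise ValueError(f"{item!r} is outside {VLAN_MIN}-{VLAN_MAX}")
        vlans.update(range(low, high + 1))
    return vlans


def is_valid_vlan_list(spec: str) -> bool:
    """True if the list would be accepted, False if parsing raises."""
    try:
        parse_vlan_list(spec)
    except ValueError:
        return False
    return True


def apply_vlan_keyword(inspected: set[int], keyword: str,
                       spec: str | None = None) -> set[int]:
    """Return the VLANs inspected on a port after one "vlan <keyword> ..." clause.

    Semantics follow the syntax descriptions: add and remove edit the current
    set, except inspects everything but the listed VLANs, none clears the set,
    and all (also the behaviour when no VLAN is given) inspects every VLAN.
    """
    everything = set(range(VLAN_MIN, VLAN_MAX + 1))
    if keyword == "all":
        return everything
    if keyword == "none":
        return set()
    if spec is None:
        raise ValueError(f"vlan {keyword} requires a VLAN list")
    listed = parse_vlan_list(spec)
    if keyword == "add":
        return inspected | listed
    if keyword == "remove":
        return inspected - listed
    if keyword == "except":
        return everything - listed
    raise ValueError(f"unknown vlan keyword {keyword!r}")


def format_vlan_list(vlans: set[int]) -> str:
    """Collapse a VLAN set back into the compact "1-100,200,300-400" form,
    merging consecutive numbers into dash ranges."""
    ordered = sorted(vlans)
    parts: list[str] = []
    start = 0
    while start < len(ordered):
        end = start
        while end + 1 < len(ordered) and ordered[end + 1] == ordered[end] + 1:
            end += 1
        parts.append(str(ordered[start]) if start == end
                     else f"{ordered[start]}-{ordered[end]}")
        start = end + 1
    return ",".join(parts)


if __name__ == "__main__":
    # Constructed walk-through: start from vlan all, then narrow the set.
    port = apply_vlan_keyword(set(), "all")
    port = apply_vlan_keyword(port, "except", "1-100,200,300-400")
    port = apply_vlan_keyword(port, "add", "200")
    print(len(port), "VLANs inspected:", format_vlan_list(port))
    for bad in ("1 - 100", "100-1", "0,4095", "1-100, 200"):
        print(f"{bad!r} accepted? {is_valid_vlan_list(bad)}")
```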
Do not enter any spaces between comma-separated vlan parameters or in dash-specified ranges; for example, vlan 1-100,200,300-400.

Examples
In the following example, the IPv6 RA guard feature is applied on GigabitEthernet interface 0/0:
Device(config)# interface GigabitEthernet 0/0
Device(config-if)# ipv6 nd raguard attach-policy

ipv6 nd raguard policy
To define the router advertisement (RA) guard policy name and enter RA guard policy configuration mode, use the ipv6 nd raguard policy command in global configuration mode.
ipv6 nd raguard policy policy-name

Syntax Description
policy-name IPv6 RA guard policy name.

Command Default
An RA guard policy is not configured.

Command Modes
Global configuration (config)

Command History
Release Modification
12.2(50)SY This command was introduced.
15.2(4)S This command was integrated into Cisco IOS Release 15.2(4)S.
15.0(2)SE This command was integrated into Cisco IOS Release 15.0(2)SE.
Cisco IOS XE Release 3.2SE This command was integrated into Cisco IOS XE Release 3.2SE.

Usage Guidelines
Use the ipv6 nd raguard policy command to configure RA guard globally on a router.
Once the device is in RA guard policy configuration mode, you can use any of the following commands:
device-role
drop-unsecure
limit address-count
sec-level minimum
trusted-port
validate source-mac
After IPv6 RA guard is configured globally, you can use the ipv6 nd raguard attach-policy command to enable IPv6 RA guard on a specific interface.

Examples
The following example shows how to define the RA guard policy name as policy1 and place the device in policy configuration mode:
Device(config)# ipv6 nd raguard policy policy1
Device(config-ra-guard)#

Related Commands
Table 2.
Command Description
device-role Specifies the role of the device attached to the port.
drop-unsecure Drops messages with no or invalid options or an invalid signature.
ipv6 nd raguard attach-policy Applies the IPv6 RA guard feature on a specified interface.
limit address-count Limits the number of IPv6 addresses allowed to be used on the port.
sec-level minimum Specifies the minimum security level parameter value when CGA options are used.
trusted-port Configures a port to become a trusted port.
validate source-mac Checks the source MAC address against the link layer address.

ipv6 nd secured certificate-db
To configure the maximum number of entries in an IPv6 Secure Neighbor Discovery (SeND) certificate database, use the ipv6 nd secured certificate-db command in global configuration mode.
To disable any maximum number of entries set for a SeND certificate database, use the no form of this command.
ipv6 nd secured certificate-db max-entries max-entries-value
no ipv6 nd secured certificate-db max-entries

Syntax Description
max-entries max-entries-value Specifies the maximum number of entries in the certificate database. The range is from 1 to 1000.

Command Default
No SeND certificate database is configured.

Command Modes
Global configuration (config)

Command History
Release Modification
12.4(24)T This command was introduced.

Usage Guidelines
This command allows you to set up a maximum size for the certificate database (DB), to protect against denial of service (DoS) certificate flooding. When the limit is reached, new certificates are dropped.
The certificate DB is relevant on a router in host mode only, because it stores certificates received from routers.

Examples
The following example configures a SeND certificate database with a maximum number of 500 entries:
Router(config)# ipv6 nd secured certificate-db max-entries 500

Related Commands
Command Description
ipv6 nd secured full-secure (global configuration) Enables SeND security mode on a router.
ipv6 nd secured full-secure (interface configuration) Enables SeND security mode on a specified interface.
ipv6 nd secured key-length Configures SeND key-length options.
ipv6 nd secured timestamp Configures the SeND time stamp.
ipv6 nd secured timestamp-db Configures the maximum number of entries that did not reach the destination in a SeND time-stamp database.

ipv6 nd secured full-secure
To enable the secure mode for IPv6 Secure Neighbor Discovery (SeND) on a router, use the ipv6 nd secured full-secure command in global configuration mode. To disable SeND security mode, use the no form of this command.
ipv6 nd secured full-secure
no ipv6 nd secured full-secure

Syntax Description
This command has no arguments or keywords.

Command Default
Non-SeND neighbor discovery messages are accepted by the router.

Command Modes
Global configuration (config)

Command History
Release Modification
12.4(24)T This command was introduced.

Usage Guidelines
The ipv6 nd secured full-secure command in global configuration mode allows you to configure the router to accept or reject non-SeND neighbor discovery messages. If this command is enabled, non-SeND messages are rejected by the specified router.

Examples
The following example enables SeND security mode on a router:
Router(config)# ipv6 nd secured full-secure

Related Commands
Command Description
ipv6 nd secured full-secure (interface configuration) Enables SeND security mode on a specified interface.

ipv6 nd secured full-secure (interface)
To enable the secure mode for IPv6 Secure Neighbor Discovery (SeND) on a specified interface, use the ipv6 nd secured full-secure command in interface configuration mode.
To provide the co-existence mode for secure and nonsecure neighbor discovery messages on an interface, use the no form of this command.
ipv6 nd secured full-secure
no ipv6 nd secured full-secure

Syntax Description
This command has no arguments or keywords.

Command Default
Non-SeND messages are accepted by the interface.

Command Modes
Interface configuration (config-if)

Command History
Release Modification
12.4(24)T This command was introduced.

Usage Guidelines
The ipv6 nd secured full-secure command in interface configuration mode allows you to configure a specified interface to accept or reject non-SeND neighbor discovery messages. If this command is enabled, non-SeND messages are rejected by the interface. If this command is not enabled, secure and nonsecure neighbor discovery messages can coexist on the same interface.

Examples
The following example enables SeND security mode on an interface:
Router(config)# interface Ethernet0/0
Router(config-if)# ipv6 nd secured full-secure

Related Commands
Command Description
ipv6 nd secured full-secure (global configuration) Enables SeND security mode on a specified router.

ipv6 nd secured key-length
To configure IPv6 Secure Neighbor Discovery (SeND) key-length options, use the ipv6 nd secured key-length command in global configuration mode. To disable the key length, use the no form of this command.
ipv6 nd secured key-length [[minimum | maximum] value]
no ipv6 nd secured key-length

Syntax Description
minimum value (Optional) Sets the minimum key-length value, which should be at least 384 bits.
The range is from 384 to 2048 bits, and the default key-length value is 1024 bits.
maximum value (Optional) Sets the maximum key-length value. The range is from 384 to 2048 bits, and the default key-length value is 1024 bits.

Command Default
The key length is 1024 bits.

Command Modes
Global configuration (config)

Command History
Release Modification
12.4(24)T This command was introduced.

Usage Guidelines
When used by SeND, the key length is checked against the key-length value, as set in the ipv6 nd secured key-length command. When packets are received from a neighbor with a key length that is out of the configured boundaries, the packets are treated as unsecure.

Examples
The following example sets the minimum key-length value to 512 bits and the maximum value to 1024 bits:
Router(config)# ipv6 nd secured key-length minimum 512
Router(config)# ipv6 nd secured key-length maximum 1024

Related Commands
Command Description
ipv6 nd secured certificate-db Configures the maximum number of entries in a SeND certificate database.
ipv6 nd secured full-secure (global configuration) Enables SeND security mode on a specified router.
ipv6 nd secured full-secure (interface configuration) Enables SeND security mode on a specified interface.
ipv6 nd secured timestamp Configures the SeND time stamp.
ipv6 nd secured timestamp-db Configures the maximum number of entries in a SeND time-stamp database.

ipv6 nd secured sec-level
To configure the minimum security value that IPv6 Secure Neighbor Discovery (SeND) will accept from its peer, use the ipv6 nd secured sec-level command in global configuration mode.
To disable the security level, use the no form of this command.
ipv6 nd secured sec-level [minimum value]
no ipv6 nd secured sec-level

Syntax Description
minimum value (Optional) Sets the minimum security level, which is a value from 0 through 7. The default security level is 1.

Command Default
The default security level is 1.

Command Modes
Global configuration (config)

Command History
Release Modification
12.4(24)T This command was introduced.

Usage Guidelines
The ipv6 nd secured sec-level command allows the user to configure the minimum security value the router will accept from its peer.

Examples
The following example sets the minimum security level to 2:
Router(config)# ipv6 nd secured sec-level 2

Related Commands
Command Description
ipv6 nd secured certificate-db Configures the maximum number of entries in a SeND certificate database.
ipv6 nd secured full-secure (global configuration) Enables SeND security mode on a specified router.
ipv6 nd secured full-secure (interface configuration) Enables SeND security mode on a specified interface.
ipv6 nd secured key-length Configures SeND key-length options.
ipv6 nd secured timestamp Configures the SeND time stamp.
ipv6 nd secured timestamp-db Configures the maximum number of unreached entries in a SeND time-stamp database.

ipv6 nd secured timestamp
To configure the IPv6 Secure Neighbor Discovery (SeND) time stamp, use the ipv6 nd secured timestamp command in interface configuration mode.
To return to the default settings, use the no form of this command.
ipv6 nd secured timestamp {delta value | fuzz value}
no ipv6 nd secured timestamp

Syntax Description
delta value Specifies the maximum time difference accepted between the sender and the receiver. Default value is 300 seconds.
fuzz value Specifies the maximum age of the message, when the delta is taken into consideration; that is, the amount of time, in seconds, that a packet can arrive after the delta value before being rejected. Default value is 1 second.

Command Default
Default time-stamp values are used.

Command Modes
Interface configuration (config-if)

Command History
Release Modification
12.4(24)T This command was introduced.

Usage Guidelines
The ipv6 nd secured timestamp command configures the amount of time the router waits before it accepts or rejects packets it has received.

Examples
The following example configures the SeND time stamp to be 600 seconds:
Router(config)# interface Ethernet0/0
Router(config-if)# ipv6 nd secured timestamp delta 600

Related Commands
Command Description
ipv6 nd secured certificate-db Configures the maximum number of entries in a SeND certificate database.
ipv6 nd secured full-secure (global configuration) Enables SeND security mode on a specified router.
ipv6 nd secured full-secure (interface configuration) Enables SeND security mode on a specified interface.
ipv6 nd secured key-length Configures SeND key-length options.
ipv6 nd secured timestamp-db Configures the maximum number of unreached entries in a SeND time-stamp database.

ipv6 nd secured timestamp-db
To configure the maximum number of unreached entries in an IPv6 Secure Neighbor Discovery (SeND) time-stamp database, use the ipv6 nd secured timestamp-db command in global configuration mode. To return to the default settings, use the no form of this command.
ipv6 nd secured timestamp-db max-entries max-entries-value
no ipv6 nd secured timestamp-db max-entries

Syntax Description
max-entries max-entries-value Specifies the maximum number of entries in the time-stamp database. The range is from 1 to 1000.

Command Default
No time-stamp database is configured.

Command Modes
Global configuration (config)

Command History
Release Modification
12.4(24)T This command was introduced.

Examples
The following example configures the time-stamp database on a router:
Router(config)# ipv6 nd secured timestamp-db max-entries 345

Related Commands
Command Description
ipv6 nd secured certificate-db Configures the maximum number of entries in a SeND certificate database.
ipv6 nd secured full-secure (global configuration) Enables SeND security mode on a specified router.
ipv6 nd secured full-secure (interface configuration) Enables SeND security mode on a specified interface.
ipv6 nd secured key-length Configures SeND key-length options.
ipv6 nd secured timestamp Configures the SeND time stamp.

ipv6 nd secured trustanchor
To specify an IPv6 Secure Neighbor Discovery (SeND) trusted anchor on an interface, use the ipv6 nd secured trustanchor command in interface configuration mode.
To remove a trusted anchor, use the no form of this command.
ipv6 nd secured trustanchor trustanchor-name
no ipv6 nd secured trustanchor trustanchor-name

Syntax Description
trustanchor-name The name to be found in the certificate of the trustpoint.

Command Default
No trusted anchor is defined.

Command Modes
Interface configuration (config-if)

Command History
Release Modification
12.4(24)T This command was introduced.

Usage Guidelines
The ipv6 nd secured trustanchor command is used to select the certificate authority (CA) you want to authenticate. The trusted anchors configured by this command act as references to the trustpoints configured.
A crypto Public Key Infrastructure (PKI) trustpoint can be a self-signed root CA or a subordinate CA. The trustanchor-name argument refers to the name to be found in the certificate of the trustpoint.
The ipv6 nd secured trustanchor and ipv6 nd secured trustpoint commands both generate an entry in the SeND configuration database that points to the trustpoint provided.
More than one trustpoint can be provided for each command, and the same trustpoint can be used in both commands.\r\nExamples\r\nThe following example specifies trusted anchor anchor1 on Ethernet interface 0/0:\r\nRouter(config)# interface Ethernet0/0\r\nRouter(config-if)# ipv6 nd secured trustanchor anchor1\r\nRelated Commands\r\nCommand Description\r\ncrypto pki trustpoint  Declares the trustpoint that your router should use.\r\nipv6 nd secured trustpoint  Specifies which trustpoint should be used for selecting the certificate to advertise.\r\nipv6 nd secured trustpoint\r\nTo specify which trustpoint should be used in the IPv6 Secure Neighbor Discovery (SeND) protocol for selecting the certificate to advertise, use the ipv6 nd secured trustpoint command in interface configuration mode. To disable the trustpoint, use the no form of this command.\r\nipv6 nd secured trustpoint trustpoint-name\r\nno ipv6 nd secured trustpoint trustpoint-name\r\nSyntax Description\r\ntrustpoint-name  The name to be found in the certificate of the trustpoint.\r\nCommand Default\r\nSeND is not enabled on a specified interface.\r\nCommand Modes\r\nInterface configuration (config-if)\r\nCommand History\r\nRelease Modification\r\n12.4(24)T This command was introduced.\r\nUsage Guidelines\r\nThe ipv6 nd secured trustpoint command enables SeND on an interface and specifies which trustpoint should be used. The trustpoint points to the Rivest, Shamir, and Adleman (RSA) key pair and to the trusted anchor (the certificate authority [CA] that signed your certificate).\r\nThe ipv6 nd secured trustpoint and ipv6 nd secured trustanchor commands both generate an entry in the SeND configuration database that points to the trustpoint provided. 
More than one trustpoint can be provided for each command, and the same trustpoint can be used in both commands. However, the trustpoint provided in the ipv6 nd secured trustpoint command must include a router certificate and the signing CA certificate. It may also include the certificate chain up to a root certificate that the hosts connected to the router will trust. The trustpoint provided in the ipv6 nd secured trustanchor command must include only a CA certificate.\r\nExamples\r\nThe following example specifies trustpoint trustpoint1 on Ethernet interface 0/0:\r\nRouter(config)# interface Ethernet0/0\r\nRouter(config-if)# ipv6 nd secured trustpoint trustpoint1\r\nRelated Commands\r\nCommand Description\r\ncrypto pki trustpoint  Declares the trustpoint that your router should use.\r\nipv6 nd secured trustanchor  Specifies a trusted anchor on an interface.\r\nipv6 nd suppress-ra\r\nNote\r\nEffective with Cisco IOS Release 12.4(2)T, the ipv6 nd suppress-ra command is replaced by the ipv6 nd ra suppress command. See the ipv6 nd ra suppress command for more information.\r\nTo suppress IPv6 router advertisement transmissions on a LAN interface, use the ipv6 nd suppress-ra command in interface configuration mode. To reenable the sending of IPv6 router advertisement transmissions on a LAN interface, use the no form of this command.\r\nipv6 nd suppress-ra\r\nno ipv6 nd suppress-ra\r\nSyntax Description\r\nThis command has no arguments or keywords.\r\nCommand Default\r\nIPv6 router advertisements are automatically sent on Ethernet and FDDI interfaces if IPv6 unicast routing is enabled on the interfaces. 
IPv6 router advertisements are not sent on other types of interfaces.\r\nCommand Modes\r\nInterface configuration\r\nCommand History\r\nRelease Modification\r\n12.2(2)T This command was introduced.\r\n12.0(21)ST This command was integrated into Cisco IOS Release 12.0(21)ST.\r\n12.0(22)S This command was integrated into Cisco IOS Release 12.0(22)S.\r\n12.2(14)S This command was integrated into Cisco IOS Release 12.2(14)S.\r\n12.4(2)T This command was replaced by the ipv6 nd ra suppress command.\r\nUsage Guidelines\r\nUse the no ipv6 nd suppress-ra command to enable the sending of IPv6 router advertisement transmissions on non-LAN interface types (for example, serial or tunnel interfaces).\r\nExamples\r\nThe following example suppresses IPv6 router advertisements on Ethernet interface 0/0:\r\nRouter(config)# interface ethernet 0/0\r\nRouter(config-if)# ipv6 nd suppress-ra\r\nThe following example enables the sending of IPv6 router advertisements on serial interface 0/1:\r\nRouter(config)# interface serial 0/1\r\nRouter(config-if)# no ipv6 nd suppress-ra\r\nRelated Commands\r\nCommand Description\r\nshow ipv6 interface  Displays the usability status of interfaces configured for IPv6.\r\nipv6 neighbor binding\r\nTo change the defaults of neighbor binding entries in a binding table, use the ipv6 neighbor binding command in global configuration mode. 
To return the networking device to its default, use the no form of this command.\r\nipv6 neighbor binding [reachable-lifetime value | stale-lifetime value | down-lifetime value]\r\nno ipv6 neighbor binding\r\nSyntax Description\r\nreachable-lifetime value  (Optional) The maximum time, in seconds, an entry is considered reachable without getting a proof of reachability (direct reachability through tracking, or indirect reachability through Neighbor Discovery Protocol [NDP] inspection). After that, the entry is moved to stale. The range is from 1 through 3600 seconds, and the default is 300 seconds (5 minutes).\r\nstale-lifetime value  (Optional) The maximum time, in seconds, a stale entry is kept in the binding table before the entry is deleted or proof is received that the entry is reachable. The default is 24 hours (86,400 seconds).\r\ndown-lifetime value  (Optional) The maximum time, in seconds, an entry learned from a down interface is kept in the binding table before the entry is deleted or proof is received that the entry is reachable. The default is 24 hours (86,400 seconds).\r\nCommand Default\r\nReachable lifetime: 300 seconds\r\nStale lifetime: 24 hours\r\nDown lifetime: 24 hours\r\nCommand Modes\r\nGlobal configuration (config)\r\nCommand History\r\nRelease Modification\r\n12.2(50)SY This command was introduced.\r\nUsage Guidelines\r\nUse the ipv6 neighbor binding command to configure information about individual entries in a binding table. If no keywords or arguments are configured, the IPv6 neighbor binding entry defaults are used.\r\nIf the tracking reachable-lifetime command is configured, it overrides the ipv6 neighbor binding reachable-lifetime configuration. 
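An added example (not from the original reference) that puts the binding-table commands of this section together as a first-hop security baseline. The lifetimes are shorter than the defaults so that a host that leaves the VLAN is aged out quickly, the global entry limit is paired with a per-MAC limit so that a single host cannot fill the table, and logging is enabled so that refused insertions are visible. The VLAN ID, the address and the limit values are placeholders chosen for illustration.

```ios
! Log insert, update, delete and refused events: a refused insertion is either a
! collision (another source claimed an address that is already bound) or a full table.
ipv6 neighbor binding logging
ipv6 snooping logging packet drop
!
! Bound the table: at most 2000 entries overall and at most 10 per source MAC address,
! so one host generating many addresses cannot exhaust the table for everyone else.
ipv6 neighbor binding max-entries 2000 mac-limit 10
!
! Age entries faster than the defaults: reachable for 300 seconds without proof,
! stale for 60 minutes before deletion, 10 minutes for entries learned on a down interface.
ipv6 neighbor binding reachable-lifetime 300
ipv6 neighbor binding stale-lifetime 60
ipv6 neighbor binding down-lifetime 10
!
! Probe entries directly (NUD) every 120 seconds instead of the 300-second default.
ipv6 neighbor tracking retry-interval 120
!
! Static entry for a server whose address is pinned in VLAN 100 (placeholder values);
! tracking is enabled for this entry explicitly, independent of the global setting.
ipv6 neighbor binding vlan 100 2001:DB8:0:100::10 tracking enable
```

Note the units differ between commands: reachable-lifetime and the tracking retry interval are in seconds, while the stale-lifetime and down-lifetime commands take minutes. After applying the configuration, inspect the resulting table with the show ipv6 neighbor binding command (documented outside this excerpt).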
If the tracking stale-lifetime command is configured, it overrides the ipv6 neighbor binding stale-lifetime configuration.\r\nExamples\r\nThe following example shows how to change the reachable lifetime for binding entries to 100 seconds:\r\nRouter(config)# ipv6 neighbor binding reachable-lifetime 100\r\nRelated Commands\r\nCommand Description\r\nipv6 neighbor tracking  Tracks entries in the binding table.\r\ntracking  Overrides the default tracking policy on a port.\r\nipv6 neighbor binding down-lifetime\r\nTo change the default of a neighbor binding entry’s down lifetime, use the ipv6 neighbor binding down-lifetime command in global configuration mode. To return the networking device to its default, use the no form of this command.\r\nipv6 neighbor binding down-lifetime {value | infinite}\r\nno ipv6 neighbor binding down-lifetime\r\nSyntax Description\r\nvalue  The maximum time, in minutes, an entry learned from a down interface is kept in the table before deletion. 
The range is from 1 to 3600 minutes. The default is 24 hours (1440 minutes).\r\ninfinite  Keeps an entry in the binding table for an infinite amount of time.\r\nCommand Default\r\nA neighbor binding entry is down for 24 hours before it is deleted from the binding table.\r\nCommand Modes\r\nGlobal configuration (config)\r\nCommand History\r\nRelease Modification\r\n12.2(50)SY This command was introduced.\r\nUsage Guidelines\r\nUse the ipv6 neighbor binding down-lifetime command to change the amount of time a neighbor binding is down before that binding is removed from the binding table.\r\nExamples\r\nThe following example shows how to change a binding entry’s down lifetime to 2 minutes before it is deleted from the binding table:\r\nRouter(config)# ipv6 neighbor binding down-lifetime 2\r\nRelated Commands\r\nCommand Description\r\nipv6 neighbor tracking  Tracks entries in the binding table.\r\nipv6 neighbor binding logging\r\nTo enable the logging of binding table main events, use the ipv6 neighbor binding logging command in global configuration mode. 
To disable this function, use the no form of this command.\r\nipv6 neighbor binding logging\r\nno ipv6 neighbor binding logging\r\nSyntax Description\r\nThis command has no arguments or keywords.\r\nCommand Default\r\nBinding table events are not logged.\r\nCommand Modes\r\nGlobal configuration (config)\r\nCommand History\r\nRelease Modification\r\n12.2(50)SY This command was introduced.\r\n15.0(2)SE This command was integrated into Cisco IOS Release 15.0(2)SE.\r\n15.3(1)S This command was integrated into Cisco IOS Release 15.3(1)S.\r\nCisco IOS XE Release 3.2SE This command was integrated into Cisco IOS XE Release 3.2SE.\r\nUsage Guidelines\r\nThe ipv6 neighbor binding logging command enables the logging of the following binding table events:\r\nAn entry is inserted into the binding table.\r\nA binding table entry was updated.\r\nA binding table entry was deleted from the binding table.\r\nA binding table entry was not inserted into the binding table, possibly because of a collision with an existing entry, or because the maximum number of entries has been reached.\r\nThe last event is the one worth alerting on: a collision means that another source claimed an address that is already bound to a different entry, and a full table means that the limit set with the ipv6 neighbor binding max-entries command has been reached.\r\nExamples\r\nThe following example shows how to enable binding table event logging:\r\nRouter(config)# ipv6 neighbor binding logging\r\nRelated Commands\r\nCommand Description\r\nipv6 neighbor binding vlan  Adds a static entry to the binding table database.\r\nipv6 neighbor tracking  Tracks entries in the binding table.\r\nipv6 snooping logging packet drop  Configures IPv6 snooping security logging.\r\nipv6 neighbor binding max-entries\r\nTo specify the maximum number of entries that are allowed to be inserted in the binding table cache, use the ipv6 neighbor binding max-entries command in global configuration mode. 
To return to the default, use the no form of this command.\r\nipv6 neighbor binding max-entries entries [vlan-limit number | interface-limit number | mac-limit number]\r\nno ipv6 neighbor binding max-entries entries [vlan-limit | interface-limit | mac-limit]\r\nSyntax Description\r\nentries  Number of entries that can be inserted into the cache.\r\nvlan-limit number  (Optional) Specifies a neighbor binding limit per VLAN.\r\ninterface-limit number  (Optional) Specifies a neighbor binding limit per interface.\r\nmac-limit number  (Optional) Specifies a neighbor binding limit per Media Access Control (MAC) address.\r\nCommand Default\r\nThis command is disabled.\r\nCommand Modes\r\nGlobal configuration (config)\r\nCommand History\r\nRelease Modification\r\n12.2(50)SY This command was introduced.\r\n15.0(2)SE This command was integrated into Cisco IOS Release 15.0(2)SE.\r\n15.3(1)S This command was integrated into Cisco IOS Release 15.3(1)S.\r\nCisco IOS XE Release 3.2SE This command was integrated into Cisco IOS XE Release 3.2SE.\r\nUsage Guidelines\r\nThe ipv6 neighbor binding max-entries command is used to control the content of the binding table. 
This command specifies the maximum number of entries that are allowed to be inserted in the binding table cache. Once this limit is reached, new entries are refused, and the Neighbor Discovery Protocol (NDP) traffic from the source of the new entry is dropped. Because a global limit alone can be consumed by a single host that generates many addresses, pair it with a per-MAC or per-interface limit so that one source cannot block bindings for the rest of the VLAN.\r\nIf the maximum number of entries specified is lower than the current number of entries in the database, no entries are cleared, and the new threshold is reached after normal cache attrition.\r\nThe maximum number of entries can be set globally, or per VLAN, per interface, or per MAC address.\r\nExamples\r\nThe following example shows how to specify globally the maximum number of entries inserted into the cache:\r\nRouter(config)# ipv6 neighbor binding max-entries 100\r\nRelated Commands\r\nCommand Description\r\nipv6 neighbor binding vlan  Adds a static entry to the binding table database.\r\nipv6 neighbor tracking  Tracks entries in the binding table.\r\nipv6 neighbor binding stale-lifetime\r\nTo set the length of time a stale entry is kept in the binding table, use the ipv6 neighbor binding stale-lifetime command in global configuration mode. To return to the default setting, use the no form of this command.\r\nipv6 neighbor binding stale-lifetime {value | infinite}\r\nno ipv6 neighbor binding stale-lifetime\r\nSyntax Description\r\nvalue  The maximum time, in minutes, a stale entry is kept in the table before it is deleted or some proof of reachability is seen. 
The range is from 1 to 3600 minutes, and the default is 24 hours (1440 minutes).\r\ninfinite  Keeps an entry in the binding table for an infinite amount of time.\r\nCommand Default\r\nStale lifetime: 1440 minutes (24 hours)\r\nCommand Modes\r\nGlobal configuration (config)\r\nCommand History\r\nRelease Modification\r\n12.2(50)SY This command was introduced.\r\nUsage Guidelines\r\nUse the ipv6 neighbor binding stale-lifetime command to configure the length of time a stale entry is kept in the binding table before it is removed.\r\nExamples\r\nThe following example shows how to change the stale lifetime for a binding entry to 720 minutes (12 hours):\r\nRouter(config)# ipv6 neighbor binding stale-lifetime 720\r\nRelated Commands\r\nCommand Description\r\nipv6 neighbor binding  Changes the defaults of neighbor binding entries in a binding table.\r\nipv6 neighbor binding vlan\r\nTo add a static entry to the binding table database, use the ipv6 neighbor binding vlan command in global configuration mode. 
To remove the static entry, use the no form of this command.\r\nipv6 neighbor binding vlan vlan-id {interface type number | ipv6-address | mac-address} [tracking [disable | enable | retry-interval value] | reachable-lifetime value]\r\nno ipv6 neighbor binding vlan vlan-id\r\nSyntax Description\r\nvlan-id  ID of the specified VLAN.\r\ninterface type number  Adds static entries by the specified interface type and number.\r\nipv6-address  IPv6 address of the static entry.\r\nmac-address  Media Access Control (MAC) address of the static entry.\r\ntracking  (Optional) Verifies a static entry’s reachability directly.\r\ndisable  (Optional) Disables tracking for a particular static entry.\r\nenable  (Optional) Enables tracking for a particular static entry.\r\nretry-interval value  (Optional) Verifies a static entry’s reachability, in seconds, at the configured interval. The range is from 1 to 3600, and the default is 300.\r\nreachable-lifetime value  (Optional) Specifies the maximum time, in seconds, an entry is considered reachable without getting a proof of reachability (direct reachability through tracking, or indirect reachability through Neighbor Discovery Protocol [NDP] inspection). After that, the entry is moved to stale. 
The range is from 1 to 3600 seconds, and the default is 300 seconds.\r\nCommand Default\r\nRetry interval: 300 seconds\r\nReachable lifetime: 300 seconds\r\nCommand Modes\r\nGlobal configuration (config)\r\nCommand History\r\nRelease Modification\r\n12.2(50)SY This command was introduced.\r\n15.0(2)SE This command was integrated into Cisco IOS Release 15.0(2)SE.\r\n15.3(1)S This command was integrated into Cisco IOS Release 15.3(1)S.\r\nCisco IOS XE Release 3.2SE This command was integrated into Cisco IOS XE Release 3.2SE.\r\nUsage Guidelines\r\nThe ipv6 neighbor binding vlan command is used to control the content of the binding table. Use this command to add a static entry in the binding table database. The binding table manager is responsible for aging out entries and verifying their reachability directly by probing them (if the tracking keyword is enabled). Use of the tracking keyword overrides any general behavior provided globally by the ipv6 neighbor tracking command for this static entry. The disable keyword disables tracking for this static entry. 
The stale lifetime (set globally with the ipv6 neighbor binding stale-lifetime command) defines the maximum time the entry will be kept once it is determined to be not reachable (stale).\r\nExamples\r\nThe following example adds a static entry for a host in VLAN 100 and sets its reachable lifetime to 100 seconds (the VLAN ID and the address are placeholder values):\r\nRouter(config)# ipv6 neighbor binding vlan 100 2001:DB8:0:100::10 reachable-lifetime 100\r\nRelated Commands\r\nCommand Description\r\nipv6 neighbor binding max-entries  Specifies the maximum number of entries that are allowed to be inserted in the cache.\r\nipv6 neighbor tracking  Tracks entries in the binding table.\r\nipv6 neighbor tracking\r\nTo track entries in the binding table, use the ipv6 neighbor tracking command in global configuration mode. To disable entry tracking, use the no form of this command.\r\nipv6 neighbor tracking [retry-interval value]\r\nno ipv6 neighbor tracking [retry-interval value]\r\nSyntax Description\r\nretry-interval value  (Optional) Verifies a static entry’s reachability at the configured interval time, in seconds, between two probings. The range is from 1 to 3600, and the default is 300.\r\nCommand Default\r\nEntries in the binding table are not tracked.\r\nCommand Modes\r\nGlobal configuration (config)\r\nCommand History\r\nRelease Modification\r\n12.2(50)SY This command was introduced.\r\n15.0(2)SE This command was integrated into Cisco IOS Release 15.0(2)SE.\r\n15.3(1)S This command was integrated into Cisco IOS Release 15.3(1)S.\r\nCisco IOS XE Release 3.2SE This command was integrated into Cisco IOS XE Release 3.2SE.\r\nUsage Guidelines\r\nThe ipv6 neighbor tracking command enables the tracking of entries in the binding table. 
Entry reachability is tested at every interval configured by the optional retry-interval keyword (or every 300 seconds, which is the default retry interval), using the neighbor unreachability detection (NUD) mechanism for directly tracking neighbor reachability.\r\nReachability can also be established indirectly by using Neighbor Discovery Protocol (NDP) inspection, up to the VERIFY_MAX_RETRIES value (the default is 10). When there is no response, entries are considered stale and are deleted after the stale lifetime value is reached (the default is 1440 minutes).\r\nWhen the ipv6 neighbor tracking command is disabled, entries are considered stale after the reachable lifetime value is met (the default is 300 seconds) and deleted after the stale lifetime value is met.\r\nTo change the default values of neighbor binding entries in a binding table, use the ipv6 neighbor binding command.\r\nExamples\r\nThe following example shows how to track entries in a binding table:\r\nRouter(config)# ipv6 neighbor tracking\r\nRelated Commands\r\nCommand Description\r\nipv6 neighbor binding  Changes the defaults of neighbor binding entries in a binding table.\r\nipv6 port-map\r\nTo establish port-to-application mapping (PAM) for the system, use the ipv6 port-map command in global configuration mode. To delete user-defined PAM entries, use the no form of this command.\r\nipv6 port-map application port port-num [list acl-name]\r\nno ipv6 port-map application port port-num [list acl-name]\r\nSyntax Description\r\napplication  Specifies the predefined application that requires port mapping.\r\nport port-num  Specifies a port number. 
The range is from 1 to 65535.\r\nlist acl-name  (Optional) Specifies the name of the IPv6 access list (ACL) associated with the port mapping.\r\nCommand Default\r\nNone\r\nCommand Modes\r\nGlobal configuration\r\nCommand History\r\nRelease Modification\r\n12.3(11)T This command was introduced.\r\nUsage Guidelines\r\nThe ipv6 port-map command associates TCP or User Datagram Protocol (UDP) port numbers with applications or services, establishing a table of default port mapping information at the firewall. This information is used to support network environments that run services using ports that are different from the registered or well-known ports associated with a service or application.\r\nThe port mapping information in the PAM table is of one of three types:\r\nSystem-defined\r\nUser-defined\r\nHost-specific\r\nSystem-Defined Port Mapping\r\nInitially, PAM creates a set of system-defined entries in the mapping table using well-known or registered port mapping information set up during the system start-up. The Cisco IOS Firewall Context-Based Access Control feature requires the system-defined mapping information to function properly. System-defined mapping information cannot be deleted or changed; that is, you cannot map HTTP services to port 21 (FTP) or FTP services to port 80 (HTTP).\r\nThe table below lists the default system-defined services and applications in the PAM table.\r\nTable 3. 
System-Defined Port Mapping\r\nApplication Name  Well-Known or Registered Port Number  Protocol Description\r\ncuseeme  7648  CU-SeeMe Protocol\r\nexec  512  Remote Process Execution\r\nftp  21  File Transfer Protocol (control port)\r\nh323  1720  H.323 Protocol (for example, MS NetMeeting, Intel Video Phone)\r\nhttp  80  Hypertext Transfer Protocol\r\nlogin  513  Remote login\r\nmsrpc  135  Microsoft Remote Procedure Call\r\nnetshow  1755  Microsoft NetShow\r\nreal-audio-video  7070  RealAudio and RealVideo\r\nsccp  2000  Skinny Client Control Protocol (SCCP)\r\nsmtp  25  Simple Mail Transfer Protocol (SMTP)\r\nsql-net  1521  SQL-NET\r\nstreamworks  1558  StreamWorks Protocol\r\nsunrpc  111  SUN Remote Procedure Call\r\ntftp  69  Trivial File Transfer Protocol\r\nvdolive  7000  VDOLive Protocol\r\nNote\r\nYou can override the system-defined entries for a specific host or subnet using the list keyword in the ipv6 port-map command.\r\nUser-Defined Port Mapping\r\nNetwork applications that use non-standard ports require user-defined entries in the mapping table. 
Use the ipv6 port-map command to create default user-defined entries in the PAM table.\r\nTo map a range of port numbers to a service or application, you must create a separate entry for each port number.\r\nNote\r\nIf you try to map an application to a system-defined port, a message appears warning you of a mapping conflict.\r\nUse the no form of the ipv6 port-map command to delete user-defined entries from the PAM table.\r\nTo overwrite an existing user-defined port mapping, use the ipv6 port-map command to associate another service or application with the specific port.\r\nHost-Specific Port Mapping\r\nUser-defined entries in the mapping table can include host-specific mapping information, which establishes port mapping information for specific hosts or subnets. In some environments, it might be necessary to override the default port mapping information for a specific host or subnet, including system-defined default port mapping information. Use the list keyword of the ipv6 port-map command to specify an ACL for a host or subnet that uses PAM.\r\nNote\r\nIf the host-specific port mapping information is the same as existing system-defined or user-defined default entries, host-specific port changes have no effect.\r\nExamples\r\nThe following user-defined port-mapping configuration maps port 8080 to the HTTP application:\r\nipv6 port-map http port 8080\r\nA host-specific port-mapping configuration maps port 2121 to the FTP application for a particular set of hosts. First, create a permit IPv6 access list for the allowed hosts. 
In the following example, packets from the hosts in the 2001:0DB8:1:7::/64 subnet destined for port 2121 will be mapped to the FTP application:\r\nRouter(config)# ipv6 access-list ftp-host\r\nRouter(config-ipv6-acl)# permit ipv6 2001:0DB8:1:7::/64 any\r\nThe port-map configuration is then configured as follows:\r\nRouter(config)# ipv6 port-map ftp port 2121 list ftp-host\r\nRelated Commands\r\nCommand Description\r\nshow ipv6 port-map  Displays IPv6 port-mapping information.\r\nipv6 radius source-interface\r\nTo specify an interface to use for the source address in RADIUS packets, use the ipv6 radius source-interface command in global configuration mode. To remove the specified interface from the configuration, use the no form of this command.\r\nipv6 radius source-interface interface [vrf vrf-name]\r\nno ipv6 radius source-interface interface\r\nSyntax Description\r\ninterface  Interface to be used for the source address in RADIUS packets.\r\nvrf vrf-name  (Optional) Name of the VPN routing and forwarding (VRF) instance.\r\nCommand Default\r\nNo interface is specified.\r\nCommand Modes\r\nGlobal configuration (config)\r\nCommand History\r\nRelease Modification\r\nCisco IOS XE Release 3.2S This command was introduced.\r\nCisco IOS XE Fuji 16.9.1 The vrf vrf-name keyword-argument pair was added.\r\nUsage Guidelines\r\nThe ipv6 radius source-interface command specifies an interface to use for the source address in RADIUS packets. The address of this interface is what the RADIUS server sees as the client (NAS) address, so it must match the client entry, and its shared secret, configured on the server.\r\nExamples\r\nThe following example shows how to configure the Gigabit Ethernet interface to be used as the source address in RADIUS packets:\r\nRouter(config)# ipv6 radius source-interface GigabitEthernet 0/0/0\r\nRelated Commands\r\nCommand Description\r\nradius server  Configures 
the RADIUS server for IPv6 or IPv4 and enters RADIUS server configuration mode.\r\nipv6 routing-enforcement-header loose\r\nTo provide backward compatibility with legacy IPv6 inspection, use the ipv6 routing-enforcement-header loose command in parameter-map type inspect configuration mode. To disable this feature, use the no form of this command.\r\nipv6 routing-enforcement-header loose\r\nno ipv6 routing-enforcement-header loose\r\nSyntax Description\r\nThis command has no arguments or keywords.\r\nCommand Default\r\nBackward compatibility is not provided.\r\nCommand Modes\r\nParameter-map type inspect configuration (config-profile)\r\nCommand History\r\nRelease Modification\r\n15.1(2)T This command was introduced.\r\nUsage Guidelines\r\nThe ipv6 routing-enforcement-header loose command provides backward compatibility with legacy IPv6 inspection. Enabling this command ensures that the firewall will not drop IPv6 traffic with routing headers. 
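An added example (not from the original reference) that scopes the loose setting to the one inspect class that needs it, instead of relaxing routing-header enforcement for all IPv6 traffic: the legacy hosts get a parameter map with ipv6 routing-enforcement-header loose, and every other class uses a parameter map that keeps the default behavior of dropping packets that carry a routing header. The parameter-map, class-map, policy-map, ACL and zone names are placeholders, and the security zones themselves are assumed to exist.

```ios
! Parameter map with the relaxed routing-header check, for legacy traffic only.
parameter-map type inspect v6-legacy-pmap
 ipv6 routing-enforcement-header loose
!
! Parameter map that leaves routing-header enforcement at its default (strict).
parameter-map type inspect v6-strict-pmap
!
! Placeholder class maps: legacy hosts are selected by an IPv6 ACL named LEGACY-V6.
class-map type inspect match-all V6-LEGACY
 match access-group name LEGACY-V6
class-map type inspect match-any V6-GENERAL
 match protocol tcp
 match protocol udp
 match protocol icmp
!
! The legacy class is listed first so that only its hosts reach the loose parameter map.
policy-map type inspect V6-INSIDE-TO-OUTSIDE
 class type inspect V6-LEGACY
  inspect v6-legacy-pmap
 class type inspect V6-GENERAL
  inspect v6-strict-pmap
 class class-default
  drop log
!
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect V6-INSIDE-TO-OUTSIDE
```

Loose mode admits routing headers of any type, including Type 0, which RFC 5095 deprecated because it allows traffic amplification, so the ACL behind the legacy class should be kept as narrow as the application allows.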
The default firewall behavior is to drop IPv6 traffic that carries a routing header; enable loose mode only for the traffic that genuinely needs routing headers, because it also re-admits the Type 0 routing header that RFC 5095 deprecated.\r\nExamples\r\nThe following example enables backward compatibility with legacy IPv6 inspection on an inspect type parameter map named v6-param-map:\r\nRouter(config)# parameter-map type inspect v6-param-map\r\nRouter(config-profile)# ipv6 routing-enforcement-header loose\r\nRelated Commands\r\nCommand Description\r\nparameter-map type inspect  Configures an inspect type parameter map for connecting thresholds, timeouts, and other parameters pertaining to the inspect action.\r\nipv6 snooping logging packet drop\r\nTo enable the logging of dropped packets by the IPv6 first-hop security feature, use the ipv6 snooping logging packet drop command in global configuration mode. To disable the logging of dropped packets by the IPv6 first-hop security feature, use the no form of this command.\r\nipv6 snooping logging packet drop\r\nno ipv6 snooping logging packet drop\r\nSyntax Description\r\nThis command has no arguments or keywords.\r\nCommand Default\r\nSnooping security logging is not enabled.\r\nCommand Modes\r\nGlobal configuration (config)\r\nCommand History\r\nRelease Modification\r\n12.2(50)SY This command was introduced.\r\nUsage Guidelines\r\nUse the ipv6 snooping logging packet drop command to log packets that are dropped when they are received on an unauthorized port. 
For example, this command logs router advertisement (RA) packets that are dropped by the RA Guard feature.\r\nRelated Commands\r\nCommand Description\r\nipv6 neighbor binding logging  Enables the logging of binding table main events.\r\nipv6 tacacs source-interface\r\nTo specify an interface to use for the source address in TACACS packets, use the ipv6 tacacs source-interface command in global configuration mode. To remove the specified interface from the configuration, use the no form of this command.\r\nipv6 tacacs source-interface interface [vrf vrf-name]\r\nno ipv6 tacacs source-interface interface\r\nSyntax Description\r\ninterface  Interface to be used for the source address in TACACS packets.\r\nvrf vrf-name  (Optional) Name of the VPN routing and forwarding (VRF) instance.\r\nCommand Default\r\nNo interface is specified.\r\nCommand Modes\r\nGlobal configuration (config)\r\nCommand History\r\nRelease Modification\r\nCisco IOS XE Release 3.2S This command was introduced.\r\nCisco IOS XE Fuji 16.9.1 The vrf vrf-name keyword-argument pair was added.\r\nUsage Guidelines\r\nThe ipv6 tacacs source-interface command specifies an interface to use for the source address in TACACS packets. The address of this interface is what the TACACS+ server sees as the client address, so it must match the client entry, and its shared key, configured on the server.\r\nExamples\r\nThe following example shows how to configure the Gigabit Ethernet interface to be used as the source address in TACACS packets:\r\nRouter(config)# ipv6 tacacs source-interface GigabitEthernet 0/0/0\r\nRelated Commands\r\nCommand Description\r\ntacacs server  Configures the TACACS+ server for IPv6 or IPv4 and enters TACACS+ server configuration mode.\r\nipv6 virtual-reassembly\r\nTo enable Virtual Fragment Reassembly (VFR) on an interface, use the ipv6 virtual-reassembly command in interface configuration mode. 
To remove VFR configuration, use the no form of this command.\r\nipv6 virtual-reassembly [in | out] [max-reassemblies maxreassemblies] [max-fragments max-fragments]\r\n[timeout seconds] [drop-fragments]\r\nno ipv6 virtual-reassembly [in | out] [max-reassemblies maxreassemblies] [max-fragments max-fragments]\r\n[timeout seconds] [drop-fragments]\r\nSyntax Description\r\nin (Optional) Enables VFR on the ingress direction of the interface.\r\nout (Optional) Enables VFR on the egress direction of the interface.\r\nmax-reassemblies\r\nmaxreassemblies\r\n(Optional) Sets the maximum number of concurrent reassemblies (fragment sets)\r\nthat the Cisco IOS software can handle at a time. The default value is 64.\r\nmax-fragments max-fragments (Optional) Sets the maximum number of fragments allowed per datagram (fragment\r\nset). The default is 16.\r\nhttps://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/d1/sec-d1-cr-book/sec-cr-i3.html#wp1254331478\r\nPage 226 of 238\n\ntimeout seconds\r\n(Optional) Sets the timeout value of the fragment state. The default timeout value is\r\n2 seconds. 
If a datagram does not receive all its fragments within 2 seconds, all of\r\nthe fragments received previously will be dropped and the fragment state will be\r\ndeleted.\r\ndrop-fragments (Optional) Turns the drop fragments feature on or off.\r\nCommand Default\r\nMax-reassemblies = 64. Fragments = 16. If neither the in nor the out keyword is specified, VFR is enabled on the\r\ningress direction of the interface only. The drop-fragments keyword is not enabled.\r\nCommand Modes\r\nInterface configuration (config-if)\r\nCommand History\r\nRelease Modification\r\n12.3(7)T This command was introduced.\r\n15.1(1)T\r\nThe in and out keywords were added.\r\nThe out keyword must be used to configure or disable the egress direction\r\nof the interface.\r\nCisco IOS XE Release\r\n3.4S\r\nThe drop-fragments keyword was added.\r\nUsage Guidelines\r\nWhen the ipv6 virtual-reassembly command is configured on an interface without using one of the command\r\nkeywords, VFR is enabled on the ingress direction of the interface only. In Cisco IOS XE Release 3.4S, all VFR-related alert messages are suppressed by default.\r\nMaximum Number of Reassemblies\r\nhttps://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/d1/sec-d1-cr-book/sec-cr-i3.html#wp1254331478\r\nPage 227 of 238\n\nWhenever the maximum number of 256 reassemblies (fragment sets) is crossed, all the fragments in the\r\nforthcoming fragment set will be dropped and an alert message VFR-4-FRAG_TABLE_OVERFLOW will be\r\nlogged to the syslog server.\r\nMaximum Number of Fragments per Fragment Set\r\nIf a datagram being reassembled receives more than eight fragments, then all fragments will be dropped and an\r\nalert message VFR-4-TOO_MANY_FRAGMENTS will be logged to the syslog server.\r\nExplicit Removal of Egress Configuration\r\nAs of the Cisco IOS 15.1(1)T release, the no ipv6 virtual-reassembly command, when used without keywords,\r\nremoves ingress configuration only. 
To remove egress interface configuration, you must enter the out keyword.\r\nExamples\r\nThe following example configures the ingress direction on the interface. It sets the maximum number of\r\nreassemblies to 32, maximum fragments to 4, and the timeout to 7 seconds:\r\nRouter(config)# interface Ethernet 0/0\r\nRouter(config-if)# ipv6 virtual-reassembly max-reassemblies 32 max-fragments 4 timeout 7\r\nThe following example enables the VFR on the ingress direction of the interface. Note that even if the in keyword\r\nis not used, the configuration default is to configure the ingress direction on the interface:\r\nRouter(config)# interface Ethernet 0/0\r\nRouter(config-if)# ipv6 virtual-reassembly\r\nRouter(config-if)# end\r\nRouter# show run interface Ethernet 0/0\r\ninterface Ethernet0/0\r\nno ip address\r\nipv6 virtual-reassembly in\r\nThe following example enables egress configuration on the interface. Note that the out keyword must be used to\r\nenable and disable egress configuration on the interface:\r\nRouter(config)# interface Ethernet 0/0\r\nRouter(config-if)# ipv6 virtual-reassembly out\r\nRouter(config-if)# end\r\nRouter# show run interface Ethernet 0/0\r\ninterface Ethernet0/0\r\nno ip address\r\nhttps://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/d1/sec-d1-cr-book/sec-cr-i3.html#wp1254331478\r\nPage 228 of 238\n\nipv6 virtual-reassembly out\r\nend\r\nThe following example disables egress configuration on the interface:\r\nRouter(config)# interface Ethernet 0/0\r\nRouter(config-if)# no ipv6 virtual-reassembly out\r\nRouter(config-if)# end\r\nipv6 virtual-reassembly drop-fragments\r\nTo drop all fragments on an interface, use the ipv6 virtual-reassembly drop-fragments command in global\r\nconfiguration mode. 
Use the no form of this command to remove the packet-dropping behavior.\r\nipv6 virtual-reassembly drop-fragments\r\nno ipv6 virtual-reassembly drop-fragments\r\nSyntax Description\r\nThis command has no arguments or keywords.\r\nCommand Default\r\nFragments on an interface are not dropped.\r\nCommand Modes\r\nGlobal configuration\r\nCommand History\r\nRelease Modification\r\n12.3(7)T This command was introduced.\r\nExamples\r\nThe following example causes all fragments on an interface to be dropped:\r\nhttps://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/d1/sec-d1-cr-book/sec-cr-i3.html#wp1254331478\r\nPage 229 of 238\n\nipv6 virtual-reassembly drop-fragments\r\nipv6 vrf forwarding\r\nTo configure the Virtual Private Network (VPN) routing and forwarding (VRF) parameters to use with the\r\nTACACS+ server group, use the ipv6 vrf forwarding command in TACACS+ server-group configuration mode.\r\nTo enable server groups to use the global (default) routing table, use the no form of this command.\r\nipv6 vrf forwarding vrf-name\r\nno ipv6 vrf forwarding vrf-name\r\nSyntax Description\r\nvrf-name Name assigned to a VRF.\r\nCommand Default\r\nServer groups use the global routing table.\r\nCommand Modes\r\nTACACS+ server-group configuration (config-sg-tacacs+)\r\nCommand History\r\nRelease Modification\r\nCisco IOS XE Fuji 16.9.1 This command was introduced.\r\nUsage Guidelines\r\nUse the ipv6 vrf forwarding command to specify a VRF for a TACACS+ server group.\r\nExamples\r\nThe following example shows how to configure the VRF user to reference the TACACS+ server in the server\r\ngroup tacacs1:\r\nhttps://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/d1/sec-d1-cr-book/sec-cr-i3.html#wp1254331478\r\nPage 230 of 238\n\naaa group server tacacs+ tacacs1\r\n server-private 10.1.1.1 port 19 key cisco\r\n ipv6 vrf forwarding cisco\r\n ip tacacs source-interface Loopback0\r\n ip vrf cisco\r\n rd 100:1\r\n interface Loopback0\r\n ip address 10.0.0.2 255.0.0.0\r\n ipv6 vrf 
forwarding cisco\r\nThe following example shows a scenario where the ipv6 vrf forwarding command is used to choose one of the\r\nglobal source interfaces configured if the source interface is not configured under the server group:\r\nExample:\r\nGlobal configurations:\r\nip radius source-interface Loopback0 vrf RED\r\nip radius source-interface Loopback1 vrf BLUE\r\nip radius source-interface Loopback2 vrf GREEN\r\nServer Group configuration: Case 1\r\naaa group server radius radius-group1\r\nipv6 vrf forwarding RED\r\nipv6 radius source-interface Loopback0\r\n\u003e\u003e\u003e Here Loopback0 is considered as the source-interface.\r\nServer Group configuration: Case 2\r\naaa group server radius radius-group1\r\nipv6 vrf forwarding BLUE\r\n\u003e\u003e\u003e\u003e As the source interface is not mentioned under the server group, the command checks\r\nfor the vrf forwarding configured with the group and checks for the global source interface\r\nconfigurations associated with vrf BLUE, which is Loopback1, so here Loopback1 is used as\r\nthe source interface.\r\nServer Group configuration: Case 3\r\naaa group server radius radius-group1\r\nipv6 vrf forwarding GREEN\r\n\u003e\u003e\u003e Loopback2 is considered as the source-interface.\r\nRelated Commands\r\nCommand Description\r\nhttps://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/d1/sec-d1-cr-book/sec-cr-i3.html#wp1254331478\r\nPage 231 of 238\n\nCommand Description\r\naaa group server radius\r\nGroups different RADIUS server hosts into distinct lists and distinct\r\nmethods.\r\nip tacacs source-interface\r\nUses the IP address of a specified interface for all outgoing TACACS+\r\npackets.\r\nip vrf forwarding (server-group)Configures the VRF reference of an AAA RADIUS or TACACS+ server\r\ngroup.\r\nserver-private\r\nConfigures the IP address of the private RADIUS server for the group\r\nserver.\r\nisakmp authorization list\r\nTo configure an Internet Key Exchange (IKE) shared secret using the authentication, 
authorization, and\r\naccounting (AAA) server in an Internet Security Association and Key Management Protocol (ISAKMP) profile,\r\nuse the isakmp authorization list command in ISAKMP profile configuration mode. To disable the shared secret,\r\nuse the no form of this command.\r\nisakmp authorization list list-name\r\nno isakmp authorization list list-name\r\nSyntax Description\r\nlist-name AAA authorization list used for configuration mode attributes or preshared keys for aggressive\r\nmode.\r\nCommand Default\r\nNo default behaviors or values\r\nCommand Modes\r\nISAKMP profile configuration (config-isa-prof)\r\nhttps://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/d1/sec-d1-cr-book/sec-cr-i3.html#wp1254331478\r\nPage 232 of 238\n\nCommand History\r\nRelease Modification\r\n12.2(15)T This command was introduced.\r\n12.2(18)SXD This command was integrated into Cisco IOS Release 12.2(18)SXD.\r\n12.2(33)SRA This command was integrated into Cisco IOS release 12.2(33)SRA.\r\nCisco IOS XE Release 2.6 This command was integrated into Cisco IOS XE Release 2.6.\r\nUsage Guidelines\r\nThis command allows you to retrieve a shared secret from an AAA server.\r\nExamples\r\nThe following example shows that an IKE shared secret is configured using an AAA server on a router:\r\ncrypto isakmp profile vpnprofile\r\n isakmp authorization list ikessaaalist\r\nRelated Commands\r\nCommand Description\r\naaa authorization Sets parameters that restrict user access to a network.\r\nissuer-name\r\nTo specify the distinguished name (DN) as the certification authority (CA) issuer name for the certificate server,\r\nuse the issuer-name command in certificate server configuration mode. 
To clear the issuer name and return to the\r\ndefault, use the no form of this command.\r\nhttps://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/d1/sec-d1-cr-book/sec-cr-i3.html#wp1254331478\r\nPage 233 of 238\n\nissuer-name DN-string\r\nno issuer-name DN-string\r\nSyntax Description\r\nDN-string Name of the DN string.\r\nCommand Default\r\nIf the issuer name is not configured, the DN string is the certificate server name.\r\nCommand Modes\r\nCertificate server configuration (cs-server)\r\nCommand History\r\nRelease Modification\r\n12.3(4)T This command was introduced.\r\nUsage Guidelines\r\nYou must configure the crypto pki server command with the name of the certificate server in order to enter\r\ncertificate server configuration mode and configure this command.\r\nThe DN-string value cannot be changed after the certificate server generates its signed certificate.\r\nExamples\r\nThe following example shows how to define an issuer name for the certificate server “mycertserver”:\r\nRouter(config)# ip http server\r\nRouter(config)# crypto pki server mycertserver\r\nRouter(cs-server)# database level minimal\r\nRouter(cs-server)# database url nvram:\r\nRouter(cs-server)# issuer-name CN = ipsec_cs,L = My Town,C = US\r\nRelated Commands\r\nhttps://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/d1/sec-d1-cr-book/sec-cr-i3.html#wp1254331478\r\nPage 234 of 238\n\nCommand Description\r\nauto-rollover Enables the automated CA certificate rollover functionality.\r\ncdp-url Specifies a CDP to be used in certificates that are issued by the certificate server.\r\ncrl (cs-server) Specifies the CRL PKI CS.\r\ncrypto pki server\r\nEnables a CS and enters certificate server configuration mode, or immediately\r\ngenerates shadow CA credentials\r\ndatabase archive\r\nSpecifies the CA certificate and CA key archive format--and the password--to encrypt\r\nthis CA certificate and CA key archive file.\r\ndatabase level Controls what type of data is stored in the certificate 
enrollment database.\r\ndatabase url Specifies the location where database entries for the CS are stored or published.\r\ndatabase username\r\nSpecifies the requirement of a username or password to be issued when accessing the\r\nprimary database location.\r\ndefault (cs-server) Resets the value of the CS configuration command to its default.\r\ngrant auto rollover\r\nEnables automatic granting of certificate reenrollment requests for a Cisco IOS\r\nsubordinate CA server or RA mode CA.\r\ngrant auto\r\ntrustpoint\r\nSpecifies the CA trustpoint of another vendor from which the Cisco IOS certificate\r\nserver automatically grants certificate enrollment requests.\r\ngrant none Specifies all certificate requests to be rejected.\r\nhttps://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/d1/sec-d1-cr-book/sec-cr-i3.html#wp1254331478\r\nPage 235 of 238\n\nCommand Description\r\ngrant ra-auto Specifies that all enrollment requests from an RA be granted automatically.\r\nhash (cs-server)\r\nSpecifies the cryptographic hash function the Cisco IOS certificate server uses to sign\r\ncertificates issued by the CA.\r\nlifetime (cs-server) Specifies the lifetime of the CA or a certificate.\r\nmode ra Enters the PKI server into RA certificate server mode.\r\nmode sub-cs Enters the PKI server into sub-certificate server mode.\r\nredundancy (cs-server)\r\nSpecifies that the active CS is synchronized to the standby CS.\r\nserial-number (cs-server)\r\nSpecifies whether the router serial number should be included in the certificate request.\r\nshow (cs-server) Displays the PKI CS configuration.\r\nshutdown (cs-server)\r\nAllows a CS to be disabled without removing the configuration.\r\nivrf\r\nTo specify a user-defined VPN routing and forwarding (VRF) or use the global VRF, use the ivrf command in\r\nIKEv2 profile configuration mode. 
To delete the VRF specification, use the no form of this command.\r\nivrf name\r\nno ivrf\r\nSyntax Description\r\nhttps://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/d1/sec-d1-cr-book/sec-cr-i3.html#wp1254331478\r\nPage 236 of 238\n\nCommand Default\r\nVRF is not specified.\r\nCommand Modes\r\nIKEv2 profile configuration (config-ikev2-profile)\r\nCommand History\r\nRelease Modification\r\n15.1(1)T This command was introduced.\r\nCisco IOS XE Release 3.3S This command was integrated into Cisco IOS XE Release 3.3S.\r\n15.2(4)S This command was integrated into Cisco IOS Release 15.2(4)S.\r\nUsage Guidelines\r\nUse this command to specify a user-defined VRF or a global VRF, which should be attached to static and dynamic\r\ncrypto maps. The inside VRF (IVRF) for a tunnel interface should be configured on the tunnel interface. IVRF\r\nspecifies the VRF for cleartext packets. The default value for IVRF is Forward VRF (FVRF).\r\nExamples\r\nThe following example shows how to specify IVRF:\r\nRouter(config)# crypto ikev2 profile profile1\r\nRouter(config-ikev2-profile)# ivrf vrf1\r\nRelated Commands\r\nCommand Description\r\nhttps://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/d1/sec-d1-cr-book/sec-cr-i3.html#wp1254331478\r\nPage 237 of 238\n\nCommand Description\r\ncrypto ikev2 profile Defines an IKEv2 profile.\r\nshow crypto ikev2 profile Displays the IKEv2 profile.\r\nSource: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/d1/sec-d1-cr-book/sec-cr-i3.html#wp1254331478\r\nhttps://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/d1/sec-d1-cr-book/sec-cr-i3.html#wp1254331478\r\nPage 238 of 238\n",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/d1/sec-d1-cr-book/sec-cr-i3.html#wp1254331478"
	],
	"report_names": [
		"sec-cr-i3.html#wp1254331478"
	],
	"threat_actors": [],
	"ts_created_at": 1775434061,
	"ts_updated_at": 1775826679,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1e50bbad4ed5cb5108f9e03b75b42d7e80b7e3ed.pdf",
		"text": "https://archive.orkl.eu/1e50bbad4ed5cb5108f9e03b75b42d7e80b7e3ed.txt",
		"img": "https://archive.orkl.eu/1e50bbad4ed5cb5108f9e03b75b42d7e80b7e3ed.jpg"
	}
}