{
	"id": "f182c1da-b16e-42e5-bf2f-d4973a3eee5f",
	"created_at": "2026-04-06T00:07:59.927806Z",
	"updated_at": "2026-04-10T13:12:53.402724Z",
	"deleted_at": null,
	"sha1_hash": "51abaed3b266533584534fb12d7dda01cde443a4",
	"title": "Cisco IOS Security Command Reference: Commands S to Z - traffic-export through zone security [Support]",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 618732,
	"plain_text": "Cisco IOS Security Command Reference: Commands S to Z -\r\ntraffic-export through zone security [Support]\r\nPublished: 2026-02-17 · Archived: 2026-04-02 10:49:28 UTC\r\ntraffic-export through zone security\r\ntrack(firewall)\r\nTo configure the redundancy group tracking, use the track command in redundancy application group\r\nconfiguration mode. To remove the redundancy group tracking, use the no form of this command.\r\ntrack object-number {decrement value | shutdown}\r\nno track object-number {decrement value | shutdown}\r\nSyntax Description\r\nobject-number ID of the event type.\r\ndecrement value\r\nSpecifies the value by which the priority is decremented. The range is from 1 to 255.\r\nshutdown\r\nShuts down a redundancy group if the tracked object goes down instead of changing the\r\npriority.\r\nCommand Default\r\nObjects and decrement priority per object are not tracked.\r\nCommand Modes\r\nRedundancy application group configuration (config-red-app-grp)\r\nCommand History\r\nRelease Modification\r\nhttps://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/s1/sec-s1-cr-book/sec-cr-t2.html#wp1047035630\r\nPage 1 of 165\n\nCisco IOS XE Release 3.1S This command was introduced.\r\nUsage Guidelines\r\nThe redundancy group can track an object and decrease the priority value per object. Multiple objects can be\r\ntracked by the redundancy group to influence the priority appropriately. 
You can shut down a redundancy group if\r\nthe tracked object goes down instead of changing the priority.\r\nExamples\r\nThe following example shows how to track the redundancy group named group1 and assign a decrement value:\r\nRouter# configure terminal\r\nRouter(config)# redundancy\r\nRouter(config-red)# application redundancy\r\nRouter(config-red-app)# group 1\r\nRouter(config-red-app-grp)# track 200 decrement 50\r\nRelated Commands\r\nCommand Description\r\napplication redundancy Enters redundancy application configuration mode.\r\nauthentication\r\nConfigures clear text authentication and MD5 authentication for a redundancy\r\ngroup.\r\ncontrol Configures the control interface type and number for a redundancy group.\r\ndata Configures the data interface type and number for a redundancy group.\r\ngroup(firewall) Enters redundancy application group configuration mode.\r\nname Configures the redundancy group with a name.\r\npreempt Enables preemption on the redundancy group.\r\nprotocol Defines a protocol instance in a redundancy group.\r\nredundancy rii Configures the RII for the redundancy group.\r\ntracking\r\nTo override the default tracking policy on a port, use the tracking command in Neighbor Discovery (ND)\r\ninspection policy configuration mode.\r\ntracking {enable [reachable-lifetime {value | infinite}] | disable [stale-lifetime {value | infinite}]}\r\nSyntax Description\r\nenable Tracking is enabled.\r\nreachable-lifetime\r\n(Optional) The maximum amount of time a reachable entry is considered to be directly or\r\nindirectly reachable without proof of reachability.\r\nThe reachable-lifetime keyword can be used only with the enable keyword.\r\nUse of the reachable-lifetime keyword overrides the global reachable lifetime\r\nconfigured by the ipv6 neighbor binding reachable-lifetime 
command.\r\nvalue Lifetime value, in seconds. The range is from 1 to 86400, and the default is 300.\r\ninfinite Keeps an entry in a reachable or stale state for an infinite amount of time.\r\ndisable Disables tracking.\r\nstale-lifetime\r\n(Optional) Keeps the entry in a stale state for the specified time, overriding the global stale-lifetime\r\nconfiguration.\r\nThe stale lifetime is 86,400 seconds.\r\nThe stale-lifetime keyword can be used only with the disable keyword.\r\nUse of the stale-lifetime keyword overrides the global stale lifetime configured by\r\nthe ipv6 neighbor binding stale-lifetime command.\r\nCommand Default\r\nThe entry is kept in a reachable state.\r\nCommand Modes\r\nND inspection policy configuration (config-nd-inspection)\r\nCommand History\r\nRelease Modification\r\n12.2(50)SY This command was introduced.\r\n15.0(2)SE This command was integrated into Cisco IOS Release 15.0(2)SE.\r\n15.3(1)S This command was integrated into Cisco IOS Release 15.3(1)S.\r\nUsage Guidelines\r\nThe tracking command overrides the default tracking policy set by the ipv6 neighbor tracking command on the\r\nport on which this policy applies. This function is useful on trusted ports where, for example, you may not want to\r\ntrack entries but want an entry to stay in the binding table to prevent it from being stolen.\r\nThe reachable-lifetime keyword is the maximum time an entry will be considered reachable without proof of\r\nreachability, either directly through tracking or indirectly through ND inspection. After the reachable-lifetime\r\nvalue is reached, the entry is moved to stale. 
Use of the reachable-lifetime keyword with the tracking command\r\noverrides the global reachable lifetime configured by the ipv6 neighbor binding reachable-lifetime command.\r\nThe stale-lifetime keyword is the maximum time an entry is kept in the table before it is deleted or the entry is\r\nproven to be reachable, either directly or indirectly. Use of the stale-lifetime keyword with the tracking command\r\noverrides the global stale lifetime configured by the ipv6 neighbor binding stale-lifetime command.\r\nExamples\r\nThe following example defines an ND policy name as policy1, places the router in ND inspection policy\r\nconfiguration mode, and configures an entry to stay in the binding table for an infinite length of time on a trusted\r\nport:\r\nRouter(config)# ipv6 nd inspection policy policy1\r\nRouter(config-nd-inspection)# tracking disable stale-lifetime infinite\r\nRelated Commands\r\nCommand Description\r\nipv6 nd inspection policy\r\nDefines the ND inspection policy name and enters ND inspection policy\r\nconfiguration mode.\r\nipv6 nd raguard policy\r\nDefines the RA guard policy name and enters RA guard policy configuration\r\nmode.\r\nipv6 neighbor binding Changes the defaults of neighbor binding entries in a binding table.\r\nipv6 neighbor tracking Enables tracking of entries in the binding table.\r\ntraffic-export\r\nTo control the operation of IP traffic capture mode in IP traffic export, use the traffic-export command in\r\nprivileged EXEC mode.\r\ntraffic-export interface type number {start | stop | clear | copy memory-device}\r\nSyntax Description\r\ntype number Type and number of the interface over which the packets being captured travel.\r\nstart Initiates a packet capture sequence.\r\nstop Halts a packet capture sequence.\r\nclear Clears the packet capture buffer.\r\ncopy Copies the contents of the packet capture 
buffer to an external device.\r\nmemory-device External memory device to which captured packets are transmitted. Options are flash:, tftp:,\r\nor usbflash0:.\r\nCommand Default\r\nThis command has no defaults.\r\nCommand Modes\r\nPrivileged EXEC.\r\nCommand History\r\nRelease Modification\r\n12.4(11)T This command was introduced.\r\nUsage Guidelines\r\nUse the traffic-export command to control the operation of IP traffic capture mode in IP traffic export. The\r\noperator uses CLI commands to start or stop capture of packets flowing across a monitored interface, to copy the\r\ncaptured packets to an external memory device, or to clear the internal buffer which holds the captured packets.\r\nExamples\r\nThe following example illustrates the use of the traffic-export command to initiate the capture of packets on\r\ninterface FastEthernet 0/0.\r\nRouter# traffic-export interface fastethernet 0/0 start\r\n%RITE-5-CAPTURE_START: Started IP traffic capture for interface FastEthernet0/0\r\nrouter#\r\nThe following example illustrates the use of the traffic-export command to halt the packet capture sequence on\r\ninterface FastEthernet 0/0.\r\nRouter# traffic-export interface fastethernet 0/0 stop\r\n%RITE-5-CAPTURE_STOP: Stopped IP traffic capture for interface FastEthernet0/0\r\nrouter#\r\nThe following example illustrates the use of the traffic-export command to copy the contents of the packet capture\r\nbuffer to an external memory device. The interactive dialog identifies the external memory device\r\nand the remote host on which it resides.\r\nRouter# traffic-export interface fastethernet0/0 copy tftp:\r\n \r\nAddress or name of remote host []? 172.18.207.15\r\n \r\nCapture buffer filename []? 
atmcapture\r\n \r\nCopying capture buffer to tftp://172.18.207.15/atmcapture !!\r\nrouter#\r\nThe following example illustrates the use of the traffic-export command to clear the packet capture buffer that is\r\nin local memory.\r\nRouter# traffic-export interface fastethernet 0/0 clear\r\n%RITE-5-CAPTURE_CLEAR: Cleared IP traffic capture buffer for interface FastEthernet0/0\r\nrouter#\r\nRelated Commands\r\nCommand Description\r\nip traffic-export apply profile\r\nApplies an IP traffic export or IP traffic capture profile to a specific interface.\r\nip traffic-export profile\r\nCreates an IP traffic export or IP traffic capture profile on an ingress\r\ninterface.\r\ntransfer-encoding type\r\nTo permit or deny HTTP traffic according to the specified transfer-encoding of the message, use the transfer-encoding type command in appfw-policy-http configuration mode. 
To disable this inspection parameter, use the no\r\nform of this command.\r\ntransfer-encoding type {chunked | compress | deflate | gzip | identity | default} action {reset | allow} [alarm]\r\nno transfer-encoding type {chunked | compress | deflate | gzip | identity | default} action {reset | allow} [alarm]\r\nSyntax Description\r\nchunked\r\nEncoding format (specified in RFC 2616, Hypertext Transfer Protocol--HTTP/1.1) in which the\r\nbody of the message is transferred in a series of chunks; each chunk contains its own size\r\nindicator.\r\ncompress Encoding format produced by the UNIX \"compress\" utility.\r\ndeflate\r\n\"ZLIB\" format defined in RFC 1950, ZLIB Compressed Data Format Specification version 3.3,\r\ncombined with the \"deflate\" compression mechanism described in RFC 1951, DEFLATE\r\nCompressed Data Format Specification version 1.3.\r\ngzip Encoding format produced by the \"gzip\" (GNU zip) program.\r\nidentity Default encoding, which indicates that no encoding has been performed.\r\ndefault All of the transfer encoding types.\r\naction Encoding types outside of the specified type are subject to the specified action (reset or allow).\r\nreset\r\nSends a TCP reset notification to the client or server if the HTTP message fails the mode\r\ninspection.\r\nallow Forwards the packet through the firewall.\r\nalarm (Optional) Generates system logging (syslog) messages for the given action.\r\nCommand Default\r\nIf a given type is not specified, all transfer-encoding types are supported with the reset alarm action.\r\nCommand Modes\r\nappfw-policy-http configuration\r\nCommand History\r\nRelease Modification\r\n12.3(14)T This command was introduced.\r\nUsage Guidelines\r\nOnly encoding types specified by the transfer-encoding type command are allowed through the firewall.\r\nExamples\r\nThe following example shows how to define the 
HTTP application firewall policy \"mypolicy.\" This policy\r\nincludes all supported HTTP policy rules. After the policy is defined, it is applied to the inspection rule \"firewall,\"\r\nwhich will inspect all HTTP traffic entering the FastEthernet0/0 interface.\r\n! Define the HTTP policy.\r\nappfw policy-name mypolicy\r\n application http\r\n strict-http action allow alarm\r\n content-length maximum 1 action allow alarm\r\n content-type-verification match-req-rsp action allow alarm\r\n max-header-length request 1 response 1 action allow alarm\r\n max-uri-length 1 action allow alarm\r\n port-misuse default action allow alarm\r\n request-method rfc default action allow alarm\r\n request-method extension default action allow alarm\r\n transfer-encoding type default action allow alarm\r\n!\r\n!\r\n! Apply the policy to an inspection rule.\r\nip inspect name firewall appfw mypolicy\r\nip inspect name firewall http\r\n!\r\n!\r\n! Apply the inspection rule to all HTTP traffic entering the FastEthernet0/0 interface.\r\ninterface FastEthernet0/0\r\n ip inspect firewall in\r\n!\r\n!\r\ntransport port\r\nTo configure the transport protocol for establishing a connection with the Diameter peer, use the transport port\r\ncommand in Diameter peer configuration mode. 
To block all sessions that are bound to the peer from using the\r\nconnection, use the no form of this command.\r\ntransport tcp port port-number\r\nno transport tcp port port-number\r\nSyntax Description\r\ntcp\r\nCurrently, TCP is the only supported transport protocol for establishing the connection with the\r\nDiameter peer.\r\nport-number\r\nCharacter string identifying the peer connection port.\r\nCommand Default\r\nTCP is the default transport protocol.\r\nCommand Modes\r\nDiameter peer configuration\r\nCommand History\r\nRelease Modification\r\n12.4(9)T This command was introduced.\r\nExamples\r\nThe following example configures TCP as the transport protocol and port 4100 as the peer connection port:\r\nRouter(config-dia-peer)# transport tcp port 4100\r\nRelated Commands\r\nCommand Description\r\ndiameter peer Defines a Diameter peer and enters Diameter peer configuration mode.\r\ntransport port (ldap)\r\nTo configure the transport protocol for establishing a connection with the Lightweight Directory Access Protocol\r\n(LDAP) server, use the transport port command in LDAP server configuration mode. To delete all sessions that are\r\nbound to the server from using the connection, use the no form of this command.\r\ntransport port port-number\r\nno transport port port-number\r\nSyntax Description\r\nport-number Server connection port number. Valid port numbers range from 1 to 65535. 
The default is 389.\r\nCommand Default\r\nThe default port number is 389.\r\nCommand Modes\r\nLDAP server configuration (config-ldap-server)\r\nCommand History\r\nRelease Modification\r\n15.1(1)T This command was introduced.\r\nExamples\r\nThe following example shows how to configure the transport protocol and port 200 as the peer connection port:\r\nRouter(config)# ldap server server1\r\nRouter(config-ldap-server)# transport port 200\r\nRelated Commands\r\nCommand Description\r\nipv4 (ldap) Creates an IPv4 address within an LDAP server address pool.\r\nldap server Defines an LDAP server and enters LDAP server configuration mode.\r\ntrm register\r\nTo allow the user to manually register the platform with the Trend Router Provisioning Server (TRPS), use the trm\r\nregister command in privileged EXEC mode.\r\ntrm register [force]\r\nSyntax Description\r\nforce (Optional) Sends a new registration request to TRPS.\r\nCommand Default\r\nThis command is not enabled.\r\nCommand Modes\r\nPrivileged EXEC (#)\r\nCommand History\r\nRelease Modification\r\n12.4(15)XZ This command was introduced.\r\n12.4(20)T This command was integrated into Cisco IOS Release 12.4(20)T.\r\n15.1(2)T This command was modified. The force keyword was added.\r\nUsage Guidelines\r\nUse the trm register command to enable manual registration of the platform with the TRPS. 
If you do not use this\r\ncommand, the system sends a registration request to the TRPS every minute after boot-up until the registration is\r\nsuccessful.\r\nExamples\r\nThe following is sample output from the trm register command:\r\nRouter# trm register\r\nProcessing registration request.\r\nPlease run ‘show ip trm subscription\" status to get more info\r\ntrustpoint (tti-petitioner)\r\nTo specify the trustpoint that is to be associated with the Trusted Transitive Introduction (TTI) exchange between\r\nthe Secure Device Provisioning (SDP) petitioner and the SDP registrar, use the trustpoint command in tti-petitioner configuration mode. To change the specified trustpoint or use the default trustpoint, use the no form of\r\nthis command.\r\ntrustpoint trustpoint-label\r\nno trustpoint trustpoint-label\r\nSyntax Description\r\ntrustpoint-label Name of trustpoint.\r\nCommand Default\r\nIf a trustpoint is not specified, a default trustpoint called \"tti\" is generated.\r\nCommand Modes\r\ntti-petitioner configuration\r\nCommand History\r\nRelease Modification\r\n12.3(8)T This command was introduced.\r\nUsage Guidelines\r\nUse the trustpoint command in tti-petitioner configuration mode to associate a trustpoint with the SDP petitioner.\r\nExamples\r\nThe following example shows how to specify the trustpoint \"mytrust\":\r\ncrypto wui tti petitioner\r\n trustpoint mytrust\r\nAfter the SDP exchange is complete, the petitioner will automatically enroll with the registrar and obtain a\r\ncertificate. 
The following sample output from the show running-config command shows an automatically\r\ngenerated configuration that creates the default trustpoint \"tti\":\r\ncrypto pki trustpoint tti\r\n enrollment url http://pki1-36a.cisco.com:80\r\n revocation-check crl\r\n rsakeypair tti 1024\r\n auto-enroll 70\r\nRelated Commands\r\nCommand Description\r\ncrypto ca trustpoint Declares the CA that your router should use.\r\ncrypto wui tti petitioner\r\nConfigures a device to become an SDP petitioner and enters tti-petitioner\r\nconfiguration mode.\r\ntrustpoint signing\r\nTo specify the trustpoint and associated certificate to be used when signing all introduction data during the Secure\r\nDevice Provisioning (SDP) exchange, use the trustpoint signing command in tti-petitioner configuration mode. To\r\nchange the specified trustpoint or use the default trustpoint, use the no form of this command.\r\ntrustpoint signing trustpoint-label\r\nno trustpoint signing trustpoint-label\r\nSyntax Description\r\ntrustpoint-label Name of trustpoint.\r\nCommand Default\r\nIf a trustpoint is not specified, any existing device certificate is used. If none is available, a self-signed certificate\r\nis generated.\r\nCommand Modes\r\ntti-petitioner configuration\r\nCommand History\r\nRelease Modification\r\n12.3(14)T This command was introduced.\r\nUsage Guidelines\r\nUse the trustpoint signing command in tti-petitioner configuration mode to associate a specific trustpoint with the\r\npetitioner for signing its certificate.\r\nExamples\r\nThe following example shows how to specify the trustpoint mytrust:\r\ncrypto provisioning petitioner\r\n trustpoint signing mytrust\r\nAfter the SDP exchange is complete, the petitioner automatically enrolls with the registrar and obtains a\r\ncertificate. 
The following sample output from the show running-config command shows an automatically\r\ngenerated configuration with the default trustpoint tti:\r\ncrypto pki trustpoint tti\r\n enrollment url http://pki1-36a.cisco.com:80\r\n revocation-check crl\r\n rsakeypair tti 1024\r\n auto-enroll 70\r\nRelated Commands\r\nCommand Description\r\ncrypto ca trustpoint Declares the CA that your router should use.\r\ncrypto provisioning petitioner\r\nConfigures a device to become an SDP petitioner and enters tti-petitioner\r\nconfiguration mode.\r\ntrustpoint (tti-petitioner)\r\nSpecifies the trustpoint associated with the SDP exchange between the petitioner\r\nand the registrar.\r\ntrusted-port (IPv6 NDP Inspection Policy)\r\nTo configure a port to become a trusted port, use the trusted-port command in Neighbor Discovery Protocol (NDP)\r\ninspection policy configuration mode. To disable this function, use the no form of this command.\r\ntrusted-port\r\nno trusted-port\r\nSyntax Description\r\nThis command has no arguments or keywords.\r\nCommand Default\r\nNo ports are trusted.\r\nCommand Modes\r\nNDP inspection policy configuration\r\n(config-nd-inspection)\r\nCommand History\r\nRelease Modification\r\n12.2(50)SY This command was introduced.\r\n15.0(2)SE This command was integrated into Cisco IOS Release 15.0(2)SE.\r\n15.3(1)S This command was integrated into Cisco IOS Release 15.3(1)S.\r\nUsage Guidelines\r\nWhen the trusted-port command is enabled, limited or no verification is performed when messages are received on\r\nports that have this policy. 
However, to protect against address spoofing, messages are analyzed so that the\r\nbinding information that they carry can be used to maintain the binding table. Bindings discovered from these\r\nports will be considered more trustworthy than bindings received from ports that are not configured to be trusted.\r\nUse the trusted-port command after entering NDP inspection policy configuration mode with the ipv6 nd\r\ninspection policy command.\r\nExamples\r\nThe following example defines an NDP policy name as policy1, places the router in NDP inspection policy\r\nconfiguration mode, and configures the port to be trusted:\r\nRouter(config)# ipv6 nd inspection policy policy1\r\nRouter(config-nd-inspection)# trusted-port\r\nRelated Commands\r\nCommand Description\r\nipv6 nd inspection policy\r\nDefines the NDP inspection policy name and enters NDP inspection policy\r\nconfiguration mode.\r\ntrusted-port (IPv6 RA Guard Policy)\r\nTo configure a port to become a trusted port, use the trusted-port command in router advertisement (RA) guard\r\npolicy configuration mode. To disable this function, use the no form of this command.\r\ntrusted-port\r\nno trusted-port\r\nSyntax Description\r\nThis command has no arguments or keywords.\r\nCommand Default\r\nNo ports are trusted.\r\nCommand Modes\r\nRA guard policy configuration\r\n(config-ra-guard)\r\nCommand History\r\nRelease Modification\r\n12.2(50)SY This command was introduced.\r\n15.0(2)SE This command was integrated into Cisco IOS Release 15.0(2)SE.\r\n15.3(1)S This command was integrated into Cisco IOS Release 15.3(1)S.\r\nUsage Guidelines\r\nWhen the trusted-port command is enabled, limited or no verification is performed when messages are received on\r\nports that have this policy. 
However, the device-role command takes precedence over the trusted-port command; if\r\nthe device role is configured as host, messages will be dropped regardless of trusted-port command configuration.\r\nExamples\r\nThe following example defines an RA guard policy name as raguard1, places the router in RA guard policy\r\nconfiguration mode, and configures the port to be trusted:\r\nRouter(config)# ipv6 nd raguard policy raguard1\r\nRouter(config-ra-guard)# trusted-port\r\nRelated Commands\r\nCommand Description\r\nipv6 nd inspection policy\r\nDefines the NDP inspection policy name and enters NDP inspection policy\r\nconfiguration mode.\r\nipv6 nd raguard policy Defines the RA guard policy name and enters RA guard policy configuration mode.\r\ntunnel-limit (GTP)\r\nTo specify the maximum number of General Packet Radio Service (GPRS) Tunneling Protocol (GTP) tunnels that\r\ncan be configured, use the tunnel-limit command in parameter-map type inspect configuration mode. To return to\r\nthe default tunnel limit, use the no form of this command.\r\ntunnel-limit max-tunnels\r\nno tunnel-limit\r\nSyntax Description\r\nmax-tunnels Number of GTP tunnels that can be configured. Valid values are from 1 to 4294967295. 
The\r\ndefault is 500.\r\nCommand Default\r\nA tunnel limit of 500 is configured.\r\nCommand Modes\r\nParameter-map type inspect configuration (config-profile)\r\nCommand History\r\nRelease Modification\r\nCisco IOS XE Release 3.7S This command was introduced.\r\nExamples\r\nThe following example shows how to limit the number of configured GTP tunnels to 23456:\r\nDevice(config)# parameter-map type inspect-global gtp\r\nDevice(config-profile)# tunnel-limit 23456\r\nDevice(config-profile)#\r\nRelated Commands\r\nCommand Description\r\nparameter-map type inspect-global Configures a global parameter map and enters parameter-map type inspect\r\nconfiguration mode.\r\ntunnel mode\r\nTo set the encapsulation mode for the tunnel interface, use the tunnel mode command in interface configuration\r\nmode. To restore the default mode, use the no form of this command.\r\ntunnel mode {aurp | auto | cayman | dvmrp | eon | gre | gre multipoint | gre ip | gre ipv6 | ipip [decapsulate-any] | ipsec ipv4 | iptalk | ipv6 | ipsec ipv6 | mpls | nos | rbscp}\r\nno tunnel mode\r\nSyntax Description\r\naurp Specifies AppleTalk Update-Based Routing Protocol.\r\nauto Enables auto tunneling mode.\r\ncayman Specifies Cayman TunnelTalk AppleTalk encapsulation.\r\ndvmrp Specifies Distance Vector Multicast Routing Protocol.\r\neon Specifies EON compatible Connectionless Network Protocol (CLNS) tunnel.\r\ngre Specifies generic routing encapsulation (GRE) protocol. 
This is the default.\r\ngre multipoint Specifies Multipoint GRE (mGRE).\r\ngre ip Specifies GRE tunneling using IPv4 as the delivery protocol.\r\ngre ipv6 Specifies GRE tunneling using IPv6 as the delivery protocol.\r\nipip Specifies IP-over-IP encapsulation.\r\ndecapsulate-any\r\n(Optional) Terminates any number of IP-in-IP tunnels at one tunnel interface. This tunnel\r\nwill not carry any outbound traffic; however, any number of remote tunnel endpoints can use\r\na tunnel configured this way as their destination.\r\nipsec ipv4 Specifies tunnel mode is IPsec, and the transport is IPv4.\r\niptalk Specifies Apple IPTalk encapsulation.\r\nipv6 Specifies static tunnel interface configured to encapsulate IPv6 or IPv4 packets in IPv6.\r\nipsec ipv6 Specifies tunnel mode is IPsec, and the transport is IPv6.\r\nmpls Specifies Multiprotocol Label Switching (MPLS) encapsulation.\r\nnos Specifies KA9Q/NOS compatible IP over IP.\r\nrbscp Specifies Rate Based Satellite Control Protocol (RBSCP).\r\nCommand Default\r\nThe default is GRE tunneling.\r\nCommand Modes\r\nInterface configuration (config-if)\r\nCommand History\r\nRelease Modification\r\n10.0 This command was introduced.\r\n10.3 This command was modified. The aurp , dvmrp , and ipip keywords were added.\r\n11.2\r\nThis command was modified. The optional decapsulate-any keywords were\r\nadded.\r\n12.2(13)T This command was modified. The gre multipoint keywords were added.\r\n12.3(7)T\r\nThis command was modified. The following keywords were added:\r\ngre ipv6 to support GRE tunneling using IPv6 as the delivery protocol.\r\nipv6 to allow a static tunnel interface to be configured to encapsulate IPv6\r\nor IPv4 packets in IPv6.\r\nrbscp to support RBSCP.\r\n12.3(14)T This command was modified. The ipsec ipv4 keywords were added.\r\n12.2(18)SXE This command was modified. 
The gre multipoint keywords were added.\r\n12.2(30)S This command was integrated into Cisco IOS Release 12.2(30)S.\r\n12.2(25)SG This command was integrated into Cisco IOS Release 12.2(25)SG.\r\n12.4(4)T This command was modified. The ipsec ipv6 keywords were added.\r\n12.2(33)SRA This command was integrated into Cisco IOS Release 12.2(33)SRA.\r\nCisco IOS XE Release 2.1\r\nThis command was implemented on the Cisco ASR 1000 Series Aggregation\r\nServices Routers.\r\n15.4(2)T This command was modified. The auto keyword was added.\r\n15.4(2)S\r\nThis command was implemented on the Cisco ASR 901 Series Aggregation\r\nServices Router.\r\nCisco IOS XE Release 3.12S\r\nThis command was integrated into Cisco IOS XE Release 3.12S.\r\nUsage Guidelines\r\nAuto Tunneling\r\nAuto tunneling mode eases the configuration and spares you from having to know the responder's details. It\r\nautomatically applies the tunneling protocol (GRE or IPsec) and transport protocol (IPv4 or IPv6) on the virtual\r\ntemplate as soon as the IKE profile creates the virtual access interface.\r\nCayman Tunneling\r\nCayman tunneling, designed by Cayman Systems, enables Cisco devices to interoperate\r\nwith Cayman GatorBoxes. With Cayman tunneling, you can establish tunnels between two devices or between a\r\nCisco device and a GatorBox. When using Cayman tunneling, you must not configure the tunnel with an\r\nAppleTalk network address.\r\nDVMRP\r\nUse DVMRP when a device connects to an mrouted (multicast) device to run DVMRP over a tunnel. 
You must\r\nconfigure Protocol Independent Multicast (PIM) and an IP address on a DVMRP tunnel.\r\nGRE with AppleTalk\r\nGRE tunneling can be done between Cisco devices only. When using GRE tunneling for AppleTalk, you configure\r\nthe tunnel with an AppleTalk network address. Using the AppleTalk network address, you can ping the other end\r\nof the tunnel to check the connection.\r\nIPsec in IPv6 Transport\r\nIPv6 IPsec encapsulation provides site-to-site IPsec protection of IPv6 unicast and multicast traffic. This feature\r\nallows IPv6 devices to work as a security gateway, establishes IPsec tunnels with another security gateway\r\ndevice, and provides crypto IPsec protection for traffic from an internal network while it is transmitted across\r\nthe public IPv6 Internet. IPv6 IPsec is very similar to the security gateway model using IPv4 IPsec protection.\r\nMultipoint GRE\r\nAfter enabling mGRE tunneling, you can enable the tunnel protection command, which allows you to associate\r\nthe mGRE tunnel with an IPsec profile. Combining mGRE tunnels and IPsec encryption allows a single mGRE\r\ninterface to support multiple IPsec tunnels, thereby reducing the size and complexity of the configuration.\r\nNote\r\nGRE tunnel keepalives configured using the keepalive command under a GRE interface are supported\r\nonly on point-to-point GRE tunnels.\r\nRBSCP\r\nRBSCP tunneling is designed for wireless or long-distance delay links with high error rates, such as satellite links.\r\nUsing tunnels, RBSCP can improve the performance of certain IP protocols, such as TCP and IPsec, over satellite\r\nlinks without breaking the end-to-end model.\r\nSource and Destination Address\r\nYou cannot have two tunnels that use the same encapsulation mode with exactly the same source and destination\r\naddress. 
The workaround is to create a loopback interface and source packets off of the loopback interface.\r\nExamples\r\nThe following example shows how to enable auto tunneling mode:\r\nDevice(config)# interface tunnel 0\r\nDevice(config-if)# tunnel source ethernet 0\r\nDevice(config-if)# tunnel destination 10.108.164.19\r\nDevice(config-if)# tunnel mode auto\r\nThe following example shows how to enable Cayman tunneling:\r\nhttps://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/s1/sec-s1-cr-book/sec-cr-t2.html#wp1047035630\r\nPage 25 of 165\n\nDevice(config)# interface tunnel 0\r\nDevice(config-if)# tunnel source ethernet 0\r\nDevice(config-if)# tunnel destination 10.108.164.19\r\nDevice(config-if)# tunnel mode cayman\r\nThe following example shows how to enable GRE tunneling:\r\nDevice(config)# interface tunnel 0\r\nDevice(config-if)# appletalk cable-range 4160-4160 4160.19\r\nDevice(config-if)# appletalk zone Engineering\r\nDevice(config-if)# tunnel source ethernet0\r\nDevice(config-if)# tunnel destination 10.108.164.19\r\nDevice(config-if)# tunnel mode gre\r\nThe following example shows how to configure a tunnel using IPsec encapsulation with IPv4 as the transport\r\nmechanism:\r\nDevice(config)# crypto ipsec profile PROF\r\nDevice(config)# set transform tset\r\nDevice(config)# interface Tunnel0\r\nDevice(config)# ip address 10.1.1.1 255.255.255.0\r\nDevice(config)# tunnel mode ipsec ipv4\r\nDevice(config)# tunnel source Loopback0\r\nDevice(config)# tunnel destination 172.16.1.1\r\nDevice(config-if)# tunnel protection ipsec profile PROF\r\nThe following example shows how to configure an IPv6 IPsec tunnel interface:\r\nDevice(config)# interface tunnel 0\r\nDevice(config-if)# ipv6 address 2001:0DB8:1111:2222::2/64\r\nDevice(config-if)# tunnel destination 10.0.0.1\r\nDevice(config-if)# tunnel source Ethernet 0/0\r\nDevice(config-if)# tunnel mode ipsec ipv6\r\nDevice(config-if)# tunnel protection ipsec profile profile1\r\nThe following example shows how to enable mGRE 
tunneling:\r\ninterface Tunnel0\r\n bandwidth 1000\r\nhttps://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/s1/sec-s1-cr-book/sec-cr-t2.html#wp1047035630\r\nPage 26 of 165\n\nip address 10.0.0.1 255.255.255.0\r\n! Ensures longer packets are fragmented before they are encrypted; otherwise, the ! receiving router would have\r\n ip mtu 1416\r\n! Turns off split horizon on the mGRE tunnel interface; otherwise, EIGRP will not ! advertise routes that are le\r\n no ip split-horizon eigrp 1\r\n no ip next-hop-self eigrp 1\r\n delay 1000\r\n! Sets IPSec peer address to Ethernet interface’s public address.\r\n tunnel source Ethernet0\r\n tunnel mode gre multipoint\r\n! The following line must match on all nodes that want to use this mGRE tunnel.\r\n tunnel key 100000\r\n tunnel protection ipsec profile vpnprof\r\nThe following example shows how to enable RBSCP tunneling:\r\nDevice(config)# interface tunnel 0\r\nDevice(config-if)# tunnel source ethernet 0\r\nDevice(config-if)# tunnel destination 10.108.164.19\r\nDevice(config-if)# tunnel mode rbscp\r\nRelated Commands\r\nCommand Description\r\nappletalk cable-range Enables an extended AppleTalk network.\r\nappletalk zone Sets the zone name for the connected AppleTalk network.\r\ntunnel destination Specifies the destination for a tunnel interface.\r\ntunnel protection Associates a tunnel interface with an IPsec profile.\r\ntunnel source Sets the source address of a tunnel interface.\r\ntunnel mode ipsec dual-overlay\r\nhttps://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/s1/sec-s1-cr-book/sec-cr-t2.html#wp1047035630\r\nPage 27 of 165\n\nTo configure the tunnel mode as dual-overlay, use the tunnel mode ipsec dual-overlay command in interface\r\nconfiguration mode. 
To restore the default mode, use the no form of this command.
tunnel mode ipsec dual-overlay
no tunnel mode ipsec dual-overlay
Syntax Description
ipsec: Tunnel mode is IPsec.
dual-overlay: Specifies a dual-overlay tunnel.
Command Default
None.
Command Modes
Interface configuration (config-if)
Command History
Cisco IOS XE Cupertino 17.9.1a: This command was introduced.
Usage Guidelines
Use the tunnel mode ipsec dual-overlay command to specify the encapsulation protocol for the tunnel. IPsec dual-overlay tunnel mode carries both IPv4 and IPv6 traffic over a single IPsec Security Association (SA) that is tunneled over IPv4.
Examples
The following example shows how to configure the tunnel mode as dual-overlay:
Device(config)# interface tunnel 1
Device(config-if)# ipv6 enable
Device(config-if)# tunnel source ethernet 0/0
Device(config-if)# tunnel mode ipsec dual-overlay
Device(config-if)# tunnel destination 10.108.164.19
Device(config-if)# tunnel protection ipsec profile ipsecprof
Related Commands
tunnel protection: Associates a tunnel interface with an IPsec profile.
tunnel mode: Sets the encapsulation mode for the tunnel interface.
tunnel protection
To associate a tunnel interface with an IP Security (IPsec) profile, use the tunnel protection command in interface configuration mode. To disassociate a tunnel from an IPsec profile, use the no form of this command.
tunnel protection {ipsec profile name [shared | {isakmp-profile | ikev2-profile} name] | timeout pending-connection seconds}
no tunnel protection {ipsec profile name [shared | {isakmp-profile | ikev2-profile} name] | timeout pending-connection seconds}
Syntax Description
ipsec profile: Enables generic routing encapsulation (GRE) tunnel encryption via IPsec.
name: Name of the IPsec profile. This value must match the name specified in the crypto ipsec profile command.
shared: (Optional) Allows the tunnel protection IPsec Security Association Database (SADB) to share the same dynamic crypto map instead of creating a unique crypto map per tunnel interface.
isakmp-profile: Specifies the ISAKMP profile for the crypto connection.
ikev2-profile: Specifies the IKEv2 profile for the crypto connection.
shared name: Name of the shared socket for the crypto connection.
timeout pending-connection seconds: Specifies the timeout, in seconds, after which pending connections are terminated. The default value is 300 seconds. 
The range is 60 to 3600.
Command Default
Tunnel interfaces are not associated with IPsec profiles.
Command Modes
Interface configuration (config-if)
Command History
XE 17.3.4: The timeout pending-connection keyword was introduced.
12.2(13)T: This command was introduced.
12.3(5)T: The shared keyword was added.
12.2(18)SXE: This command was integrated into Cisco IOS Release 12.2(18)SXE.
12.4(5): The shared keyword was changed so that if it is used with the tunnel protection command, the tunnel source command must specify an interface instead of an IP address.
12.2(33)SRA: This command was integrated into Cisco IOS Release 12.2(33)SRA.
Cisco IOS XE Release 2.5: This command was modified. This command was integrated into Cisco IOS XE Release 2.5.
15.4(2)S: This command was implemented on the Cisco ASR 901 Series Aggregation Services Router.
Usage Guidelines
Use the tunnel protection command to specify that IPsec encryption will be performed after the GRE header has been added to the tunnel packet. The tunnel protection command can be used with multipoint GRE (mGRE) and point-to-point GRE (p-pGRE) tunnels. With p-pGRE tunnels, the tunnel destination address will be used as the IPsec peer address. With mGRE tunnels, multiple IPsec peers are possible; the corresponding Next Hop Resolution Protocol (NHRP) mapping nonbroadcast multiaccess (NBMA) destination addresses will be used as the IPsec peer addresses.
The shared Keyword
If you want to configure two Dynamic Multipoint VPN (DMVPN) mGRE and IPsec tunnels on the same router with the same local endpoint (tunnel source) configuration, you must use the shared keyword.
The dynamic crypto map that is created by the tunnel protection command is always different from a crypto map that is configured directly on the interface.
Unlike the tunnel protection command, which specifies that IPsec encryption will be performed after GRE encapsulation, configuring a crypto map on a tunnel interface specifies that encryption will be performed before GRE encapsulation.
If the shared keyword is used, the tunnel source command must specify an interface instead of an IP address. Crypto sockets are not shared if the tunnel source is not specified as an interface.
Note: GRE keepalive is supported only with a crypto map. GRE tunnel keepalives (configured with the keepalive command under the GRE interface) are not supported in combination with the tunnel protection command.
The tunnel mode command must be configured before the tunnel protection command. Reversing the order, by configuring this command and then the tunnel mode command, results in a tunnel that has no connectivity.
Examples
The following example shows how to associate the IPsec profile "vpnprof" with an mGRE tunnel interface. In this example, the IPsec source peer address will be the IP address of Ethernet interface 0. There is a static NHRP mapping from IP address 10.0.0.3 to IP address 172.16.2.1, so for this NHRP mapping the IPsec destination peer address will be 172.16.2.1. The IPsec proxy will be as follows: permit gre host ethernet0-ip-address host ip-address. Other NHRP mappings (static or dynamic) will automatically create additional IPsec security associations (SAs) with the same source peer address and the destination peer address taken from the NHRP mapping. The IPsec proxy for these NHRP mappings will be as follows: permit gre host ethernet0-ip-address host NHRP-mapping-NBMA-address.
crypto ipsec profile vpnprof
 set transform-set trans2
!
interface Tunnel0
 bandwidth 1000
 ip address 10.0.0.1 255.255.255.0
! Ensures that longer packets are fragmented before they are encrypted; otherwise, the
! receiving router would have to do the reassembly.
 ip mtu 1416
 ip nhrp authentication donttell
 ip nhrp map multicast dynamic
 ip nhrp network-id 99
 ip nhrp holdtime 300
! Turns off split horizon on the mGRE tunnel interface; otherwise, EIGRP will not
! advertise routes that are learned via the mGRE interface back out that interface.
 no ip split-horizon eigrp 1
 no ip next-hop-self eigrp 1
 delay 1000
! Sets the IPsec peer address to the Ethernet interface's public address.
 tunnel source Ethernet0
 tunnel mode gre multipoint
! The following line must match on all nodes that want to use this mGRE tunnel.
 tunnel key 100000
 tunnel protection ipsec profile vpnprof
The following example shows how to associate the IPsec profile "vpnprof" with a p-pGRE tunnel interface. In this example, the IPsec source peer address will be the IP address of Ethernet interface 0. The IPsec destination peer address will be 172.16.1.10 (per the tunnel destination command). The IPsec proxy will be as follows: permit gre host ethernet0-ip-address host ip-address.
interface Tunnel1
 ip address 10.0.1.1 255.255.255.252
! Ensures that longer packets are fragmented before they are encrypted; otherwise, the
! receiving router would have to do the reassembly.
 ip mtu 1420
 tunnel source Ethernet0
 tunnel destination 172.16.1.10
 tunnel protection ipsec profile vpnprof
In the following example, the crypto sockets are shared between the Tunnel0 and Tunnel1 interfaces because the tunnel protection command on both interfaces uses the same profile and is configured with the shared keyword. Both tunnels specify the Ethernet0/0 interface as the tunnel source.
interface Tunnel0
 ip address 10.255.253.3 255.255.255.0
 no ip redirects
 ip mtu 1436
 ip nhrp authentication h1there
 ip nhrp map 10.255.253.1 192.168.1.1
 ip nhrp map multicast 192.168.1.1
 ip nhrp network-id 253
 ip nhrp holdtime 600
 ip nhrp nhs 10.255.253.1
 ip ospf message-digest-key 1 md5 wellikey
 ip ospf network broadcast
 ip ospf cost 35
 ip ospf priority 0
 no ip mroute-cache
 tunnel source Ethernet0/0
 tunnel mode gre multipoint
 tunnel key 253
 tunnel protection ipsec profile dmvpn-profile shared
interface Tunnel1
 ip address 10.255.254.3 255.255.255.0
 no ip redirects
 ip mtu 1436
 ip nhrp authentication h1there
 ip nhrp map multicast 192.168.1.3
 ip nhrp map 10.255.254.1 192.168.1.3
 ip nhrp network-id 254
 ip nhrp holdtime 600
 ip nhrp nhs 10.255.254.1
 ip ospf message-digest-key 1 md5 wellikey
 ip ospf network broadcast
 ip ospf priority 0
 no ip mroute-cache
 tunnel source Ethernet0/0
 tunnel mode gre multipoint
 tunnel key 254
 tunnel protection ipsec profile dmvpn-profile shared
Related Commands
crypto ipsec profile: Defines the IPsec parameters that are to be used for IPsec encryption between two IPsec routers.
interface: Configures an interface type and enters interface configuration mode.
keepalive (tunnel interfaces): Enables keepalive packets and specifies the number of times that the Cisco IOS software tries to send keepalive packets without a response before bringing the tunnel protocol down for a specific interface.
permit: Sets conditions for a named IP access list.
tunnel source: Sets the source address for a tunnel interface.
tunnel protection ipsec policy
To associate an ACL with a Static Virtual Tunnel Interface (SVTI), use the tunnel protection ipsec policy command in interface configuration mode. To disassociate an ACL from an SVTI, use the no form of this command.
tunnel protection ipsec policy {ipv4 | ipv6} acl
no tunnel protection ipsec policy {ipv4 | ipv6} acl
Syntax Description
ipv4: Specifies that the traffic selector is of type IPv4.
ipv6: Specifies that the traffic selector is of type IPv6.
acl: Name or number identifying the ACL to be associated.
Command Default
By default, an ACL is not associated with an SVTI and a traffic selector of 'any any' is used.
Command Modes
Interface configuration (config-if)
Command History
16.12.1: This command was introduced.
Usage Guidelines
By default, an SVTI supports a single IPsec SA with 'any any' as the traffic selector. To create IPsec SAs for non-any-any proxies, define the non-any-any proxies in ACLs and associate the ACL with an SVTI using this command.
To disassociate an ACL from an SVTI, use the no form of the command. 
When an ACL is disassociated from an SVTI, the SVTI resumes the default behavior of supporting a single IPsec SA with 'any any' as the traffic selector.
Examples
The following example shows how to configure multi-SA support for an SVTI with an IPv4 traffic selector:
Device(config)# interface Tunnel0
Device(config-if)# ip address 11.1.1.2 255.255.255.0
Device(config-if)# tunnel source Ethernet0/0
Device(config-if)# tunnel mode ipsec ipv4
Device(config-if)# tunnel destination 172.168.17.1
Device(config-if)# tunnel protection ipsec policy ipv4 ipsec_acl1
Device(config-if)# tunnel protection ipsec profile ipsec_prof
ip access-list extended ipsec_acl1
 permit ip 30.0.0.0 0.0.0.255 40.0.0.0 0.0.0.255
 permit ip 50.0.0.0 0.0.0.255 60.0.0.0 0.0.0.255
The following example shows how to configure multi-SA support for an SVTI with an IPv6 traffic selector:
Device(config)# interface Tunnel0
Device(config-if)# ipv6 address 400::10:1/112
Device(config-if)# tunnel destination 2003::8:2
Device(config-if)# tunnel source Ethernet 0/0
Device(config-if)# tunnel mode ipsec ipv6
Device(config-if)# tunnel protection ipsec policy ipv6 ipsec_acl2
Device(config-if)# tunnel protection ipsec profile ipsec_prof
ipv6 access-list ipsec_acl2
 sequence 10 permit ipv6 host 2005::10:1 host 2005::11:1
 sequence 20 permit ipv6 host 2005::15:1 host 2005::16:1
 sequence 30 permit ipv6 host 2005::20:1 host 2005::21:1
type echo protocol ipIcmpEcho
Note: Effective with Cisco IOS Release 12.4(4)T, 12.2(33)SRB, 12.2(33)SB, and 12.2(33)SXI, the type echo protocol ipIcmpEcho command is replaced by the icmp-echo command. See the icmp-echo command for more information.
To configure an IP Service Level Agreements (SLAs) Internet Control Message Protocol (ICMP) echo operation, use the type echo protocol ipIcmpEcho command in IP SLA monitor configuration mode.
type echo protocol ipIcmpEcho {destination-ip-address | destination-hostname} [source-ipaddr {ip-address | hostname} | source-interface interface-name]
Syntax Description
destination-ip-address | destination-hostname: Destination IP address or hostname for the operation.
source-ipaddr {ip-address | hostname}: (Optional) Specifies the source IP address or hostname. When a source IP address or hostname is not specified, IP SLAs chooses the IP address nearest to the destination.
source-interface interface-name: (Optional) Specifies the source interface for the operation.
Command Default
No IP SLAs operation type is configured for the operation being configured.
Command Modes
IP SLA monitor configuration (config-sla-monitor)
Command History
11.2: This command was introduced.
12.0(5)T: The following keyword and arguments were added: source-ipaddr {ip-address | hostname}.
12.3(7)XR: The source-interface keyword and interface-name argument were added.
12.3(11)T: The source-interface keyword and interface-name argument were added.
12.4(4)T: This command was replaced by the icmp-echo command.
12.2(33)SRB: This command was replaced by the icmp-echo command.
12.2SX: This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
12.2(33)SB: This command was replaced by the icmp-echo command.
12.2(33)SXI: This command was replaced by the icmp-echo command.
Usage Guidelines
The default request packet data size for an ICMP echo operation is 28 bytes. Use the request-data-size command to modify this value. This data size is the payload portion of the ICMP packet, which makes a 64-byte IP packet.
You must configure the type of IP SLAs operation (such as User Datagram Protocol [UDP] jitter or Internet Control Message Protocol [ICMP] echo) before you can configure any of the other parameters of the operation. To change the operation type of an existing IP SLAs operation, you must first delete the IP SLAs operation (using the no ip sla monitor global configuration command) and then reconfigure the operation with the new operation type.
Examples
In the following example, IP SLAs operation 10 is created and configured as an echo operation using the IP/ICMP protocol and the destination IP address 172.16.1.175.
ip sla monitor 10
 type echo protocol ipIcmpEcho 172.16.1.175
!
ip sla monitor schedule 10 start-time now
Related Commands
ip sla monitor: Begins configuration for an IP SLAs operation and enters IP SLA monitor configuration mode.
udp half-open
To configure timeout values for UDP half-opened sessions, use the udp half-open command in parameter-map type inspect configuration mode. 
To disable the timeout values for UDP half-opened sessions, use the no form of this command.
udp half-open idle-time milliseconds [ageout-time milliseconds]
no udp half-open idle-time
Syntax Description
idle-time: Specifies the idle timeout for UDP half-opened sessions going through the firewall.
milliseconds: Amount of time, in milliseconds, during which a UDP session will continue to be managed while there is no activity. Valid values are from 1 to 2147483.
ageout-time milliseconds: (Optional) Specifies the aggressive aging time for UDP half-opened sessions. Valid values are from 1 to 2147483.
Command Default
The timeout default is 30 seconds.
Command Modes
Parameter-map type inspect configuration (config-profile)
Command History
Cisco IOS XE Release 3.4S: This command was introduced.
Usage Guidelines
You must configure the parameter-map type inspect command before you can configure the udp half-open command.
A UDP session is half-opened when only one UDP packet has been detected in the UDP flow.
Examples
The following example shows how to configure the idle timeout and the aggressive aging time for UDP half-open sessions:
Router(config)# parameter-map type inspect pmap
Router(config-profile)# udp half-open idle-time 67800 ageout-time 67800
Router(config-profile)# end
Related Commands
parameter-map type inspect: Configures an inspect parameter map for connecting thresholds, timeouts, and other parameters pertaining to the inspect action.
udp idle-time
To configure the idle timeout for UDP sessions, use the udp idle-time command in parameter-map type inspect configuration mode. To disable the timeout, use the no form of this command.
udp idle-time seconds [ageout-time seconds]
no udp idle-time
Syntax Description
seconds: Amount of time, in seconds, during which a UDP session will continue to be managed while there is no activity. Valid values are from 1 to 2147483.
ageout-time seconds: (Optional) Specifies the aggressive aging time for UDP packets. Valid values are from 1 to 2147483.
Command Default
The timeout default is 30 seconds.
Command Modes
Parameter-map type inspect configuration
Command History
12.4(6)T: This command was introduced.
Cisco IOS XE Release 2.1: This command was integrated into Cisco IOS XE Release 2.1.
Cisco IOS XE Release 3.4S: This command was modified. The ageout-time seconds keyword and argument pair was added.
Usage Guidelines
When you configure an inspect parameter map, you can enter the udp idle-time command after you enter the parameter-map type inspect command.
When the software detects a valid UDP packet, it establishes state information for a new UDP session. Because UDP is a connectionless service, there are no actual sessions; the software examines the information in the packet and determines whether the packet is similar to other UDP packets (for example, whether it has similar source or destination addresses and whether it was detected soon after another similar UDP packet).
If the software detects no UDP packets for the UDP session for the period of time defined by the UDP idle timeout, the software will not continue to manage state information for the session.
For detailed information about creating a parameter map, see the parameter-map type inspect command.
Examples
The following example shows a UDP session that will continue to be managed for 75 seconds while there is no activity:
Router(config)# parameter-map type inspect eng-network-profile
Router(config-profile)# udp idle-time 75
Router(config-profile)# end
The following example shows how to configure the aging-out time for UDP sessions:
Router(config)# parameter-map type inspect eng-network-profile
Router(config-profile)# udp idle-time 75 ageout-time 50
Router(config-profile)# end
Related Commands
ip inspect udp idle-time: Specifies the UDP idle timeout (the length of time for which a UDP session will still be managed while there is no activity).
parameter-map type inspect: Configures an inspect parameter map for connecting thresholds, timeouts, and other parameters pertaining to the inspect action.
unmatched-action
To define the action when the user request does not match the IP address or host site configuration, use the unmatched-action command in URL rewrite configuration mode. 
To disable the action, use the no form of this\r\ncommand.\r\nunmatched-action [direct-access | redirect]\r\nno unmatched-action [direct-access | redirect]\r\nSyntax Description\r\ndirect-access(Optional) Provides direct access to the URL and an information page stating that the user can\r\naccess the URL directly.\r\nredirect\r\n(Optional) Provides the user with direct access to the URL, but the user does not receive the\r\ninformation page as with the direct-access keyword.\r\nCommand Default\r\nDirect access to the URL\r\nCommand Modes\r\nURL rewrite configuration (config-webvpn-url-rewrite)\r\nhttps://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/s1/sec-s1-cr-book/sec-cr-t2.html#wp1047035630\r\nPage 42 of 165\n\nCommand History\r\nRelease Modification\r\n12.4(20)T This command was introduced.\r\nExamples\r\nThe following example shows that the user has direct access to the URL:\r\nRouter (config)# webvpn context\r\nRouter (config-webvpn-context)# url rewrite\r\nRouter (config-webvpn-url-rewrite)# unmatched-action direct-access\r\nRelated Commands\r\nCommand Description\r\nhost (webvpn url rewrite) Selects the hostname of the site to be mangled on an SSL VPN gateway.\r\nip (webvpn url rewrite) Configures the IP address of the site to be mangled on an SSL VPN gateway.\r\nurl (ips-auto-update)\r\nTo define a location in which to retrieve the Cisco IOS Intrusion Prevention System (IPS) signature configuration\r\nfiles, use the url command in IPS-auto-update configuration mode.\r\nurl url\r\nSyntax Description\r\nurl Location in which the router retrieves the latest signature files.\r\nCommand Default\r\nThe default value is defined in the signature definition XML.\r\nhttps://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/s1/sec-s1-cr-book/sec-cr-t2.html#wp1047035630\r\nPage 43 of 165\n\nCommand Modes\r\nIPS-auto-update configuration\r\nCommand History\r\nRelease Modification\r\n12.4(11)T This command was introduced.\r\nUsage Guidelines\r\nAutomatic 
signature updates allow users to override the existing IPS configuration and automatically keep\r\nsignatures up to date on the basis of a preset time, which can be configured to a preferred setting.\r\nExamples\r\nIn this example, the signature package file is pulled from the TFTP server at the start of every hour or every day,\r\nSunday through Thursday. (Note that adjustments are made for months without 31 days and daylight savings\r\ntime.)\r\nRouter# show ip ips auto-update\r\n \r\nIPS Auto Update Configuration\r\nURL : tftp://192.168.0.2/jdoe/ips-auto-update/IOS_reqSeq-dw.xml\r\nUsername : not configured\r\nPassword : not configured\r\nAuto Update Intervals\r\n minutes (0-59) : 0\r\n hours (0-23) : 0-23\r\n days of month (1-31) : 1-31\r\n days of week: (0-6) : 1-5\r\nRelated Commands\r\nCommand Description\r\nhttps://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/s1/sec-s1-cr-book/sec-cr-t2.html#wp1047035630\r\nPage 44 of 165\n\nCommand Description\r\nip ips auto-update Enables automatic signature updates for Cisco IOS IPS.\r\nurl rewrite\r\nTo mangle selective URL requests on a Secure Socket Layer virtual private network (SSL VPN) gateway and\r\nenter URL rewrite mode, use the url rewrite command in webvpn context configuration mode. 
To disable selected\r\nURL requests, use the no form of this command.\r\nurl rewrite\r\nno url rewrite\r\nSyntax Description\r\nThis command has no arguments or keywords.\r\nCommand Default\r\nAll requests are mangled.\r\nCommand Modes\r\nWebvpn context configuration (config-webvpn-context)\r\nCommand History\r\nRelease Modification\r\n12.4(20)T This command was introduced.\r\nUsage Guidelines\r\nConfiguring the url rewrite command enters the url rewrite submode, in which selected IP addresses or hosts are\r\ndefined for mangling.\r\nExamples\r\nhttps://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/s1/sec-s1-cr-book/sec-cr-t2.html#wp1047035630\r\nPage 45 of 165\n\nThe following example shows that selective URL mangling has been configured for IP address 10.1.1.0\r\n255.255.0.0:\r\nRouter (config)# webvpn context\r\nRouter (config-webvpn-context)# url rewrite\r\nRouter (config-webvpn-url-rewrite)# ip 10.1.0.0 255.255.0.0\r\nRelated Commands\r\nCommand Description\r\nhost (webvpn url rewrite) Selects the name of the host site to be mangled on an SSL VPN gateway.\r\nip (webvpn url rewrite)\r\nConfigures the IP address of the site to be mangled on an SSL VPN\r\ngateway.\r\nunmatched-action (webvpn url\r\nrewrite)\r\nDefines the action when the user request does not match the IP address or\r\nhost site configuration.\r\nurlfilter\r\nTo enable Cisco IOS URL filtering, use the urlfilter command in policy-map-class configuration mode. 
To disable\r\nURL filtering, use the no form of this command.\r\nurlfilter parameter-map-name\r\nno urlfilter parameter-map-name\r\nSyntax Description\r\nparameter-map-name Name of the parameter map for the URL filter.\r\nCommand Default\r\nNone\r\nCommand Modes\r\nhttps://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/s1/sec-s1-cr-book/sec-cr-t2.html#wp1047035630\r\nPage 46 of 165\n\nPolicy-map-class configuration\r\nCommand History\r\nRelease Modification\r\n12.4(6)T This command was introduced.\r\nUsage Guidelines\r\nYou can use this command only after entering the policy-map type inspect , class type inspect , and parameter-map\r\ntype inspect commands.\r\nExamples\r\nThe following example enables Cisco IOS firewall URL filtering:\r\npolicy-map type inspect p1\r\n class type inspect c1\r\n urlfilter param1\r\nRelated Commands\r\nCommand Description\r\nclass type inspect Specifies the traffic (class) on which an action is to be performed.\r\npolicy-map type inspect Creates Level 3 and Level 4 inspect type policy maps.\r\nurl-list\r\nTo enter webvpn URL list configuration mode to configure a list of URLs to which a user has access on the portal\r\npage of a Secure Sockets Layer Virtual Private Network (SSL VPN) and to attach the URL list to a policy group,\r\nuse the url-list command in webvpn context configuration and webvpn group policy configuration mode,\r\nrespectively. To remove the URL list from the SSL VPN context configuration and from the policy group, use the\r\nno form of this command.\r\nhttps://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/s1/sec-s1-cr-book/sec-cr-t2.html#wp1047035630\r\nPage 47 of 165\n\nurl-list name\r\nno url-list name\r\nSyntax Description\r\nname Name of the URL list. The list name can up to 64 characters in length.\r\nCommand Default\r\nWebvpn URL list configuration mode is not entered, and a list of URLs to which a user has access on the portal\r\npage of a SSL VPN website is not configured. 
If the command is not used to attach a URL list to a policy group,\r\nthen a URL list is not attached to a group policy.\r\nCommand Modes\r\nWebvpn context configuration\r\nWebvpn group policy configuration\r\nCommand History\r\nRelease Modification\r\n12.3(14)T This command was introduced.\r\nUsage Guidelines\r\nEntering this command places the router in SSL VPN URL list configuration mode. In this mode, the list of URLs\r\nis configured. A URL list can be configured under the SSL VPN context configuration and then separately for each\r\nindividual policy group configuration. Individual URL list configurations must have unique names.\r\nExamples\r\nThe following example creates a URL list:\r\nRouter(config)# webvpn context context1\r\nRouter(config-webvpn-context)# url-list ACCESS\r\nRouter(config-webvpn-url)# heading \"Quick Links\"\r\nRouter(config-webvpn-url)# url-text \"Human Resources\" url-value hr.mycompany.com\r\nRouter(config-webvpn-url)# url-text Engineering url-value eng.mycompany.com\r\nRouter(config-webvpn-url)# url-text \"Sales and Marketing\" url-value products.mycompany.com\r\nThe following example attaches a URL list to a policy group configuration:\r\nRouter(config)# webvpn context context1\r\nRouter(config-webvpn-context)# url-list ACCESS\r\nRouter(config-webvpn-url)# heading \"Quick Links\"\r\nRouter(config-webvpn-url)# url-text \"Human Resources\" url-value hr.mycompany.com\r\nRouter(config-webvpn-url)# url-text Engineering url-value eng.mycompany.com\r\nRouter(config-webvpn-url)# url-text \"Sales and Marketing\" url-value products.mycompany.com\r\nRouter(config-webvpn-url)# exit\r\nRouter(config-webvpn-context)# policy group ONE\r\nRouter(config-webvpn-group)# url-list ACCESS\r\nRelated Commands\r\nCommand Description\r\nheading Configures the heading that is displayed above URLs listed 
on the portal page of an SSL VPN\r\nwebsite.\r\npolicy group Attaches a URL list to policy group configuration.\r\nurl-list Enters webvpn URL list configuration mode to configure the list of URLs to which a user\r\nhas access on the portal page of an SSL VPN website.\r\nurl-text Adds an entry to a URL list.\r\nwebvpn context Enters webvpn context configuration mode to configure the SSL VPN context.\r\nurl-profile\r\nTo specify a URL profile that configures the SDP registrar to run HTTPS, use the url-profile command in tti-registrar configuration mode. To remove this configuration, use the no form of this command.\r\nurl-profile {start profile-name | intro profile-name}\r\nno url-profile {start profile-name | intro profile-name}\r\nSyntax Description\r\nstart Indicates that a URL profile is to be associated with the Start SDP deployment phase of iPhone\r\ndeployment.\r\nintro Indicates that a URL profile is to be associated with the Introduction SDP deployment phase of\r\niPhone deployment.\r\nprofile-name Specifies the name of a unique URL profile.\r\nCommand Default\r\nNo URL profile is defined for the iPhone deployment.\r\nCommand Modes\r\nTti-registrar configuration mode (tti-registrar)\r\nCommand History\r\nRelease Modification\r\n15.1(2)T This command was introduced.\r\nUsage Guidelines\r\nThe SDP registrar is enabled to run HTTPS. It is recommended that the ip http secure-server command is issued\r\nto enable the HTTPS web server. If a secure server is enabled, then the ip http secure-trustpoint command should\r\nalso be issued. Disable the standard HTTP server with the no ip http server command (if the standard server is\r\nenabled). 
The specified trustpoint is a registrar local trustpoint appropriate for HTTPS communication between\r\nthe registrar and the iPhone’s browser.\r\nThe url-profile command can use the same or a different URL profile for the Introduction and Start SDP\r\ndeployment phases.\r\nExamples\r\nThe following example configures the SDP registrar to run HTTPS in order to deploy Apple iPhones on a\r\ncorporate network from global configuration mode:\r\nRouter(config)# crypto provisioning registrar\r\nRouter(tti-registrar)# url-profile start START\r\nRouter(tti-registrar)# url-profile intro INTRO\r\nRouter(tti-registrar)# match url /sdp/intro\r\nRouter(tti-registrar)# match authentication trustpoint apple-tp\r\nRouter(tti-registrar)# match certificate cat 10\r\nRouter(tti-registrar)# mime-type application/x-apple-aspen-config\r\nRouter(tti-registrar)# template location flash:intro.mobileconfig\r\nRouter(tti-registrar)# template variable p iphone-vpn\r\nRelated Commands\r\nCommand Description\r\ncrypto provisioning registrar Configures a device to become a registrar for the SDP exchange and enters tti-registrar configuration mode.\r\nmatch url Specifies the URL to be associated with the URL profile.\r\nmatch authentication trustpoint Enters the trustpoint name that should be used to authenticate the peer’s certificate.\r\nmatch certificate Enters the name of the certificate map used to authorize the peer’s certificate.\r\nmime-type Specifies the MIME type that the SDP registrar should use to respond to a request\r\nreceived through the URL profile.\r\ntemplate location Specifies the location of the template that the SDP registrar should use while\r\nresponding to a request received through the URL profile.\r\ntemplate variable p Specifies the value that goes into the OU field of the subject name in the 
certificate\r\nto be issued.\r\nvalidate source-mac\r\nTo check the source media access control (MAC) address against the link-layer address, use the validate source-mac command in Neighbor Discovery (ND) inspection policy configuration mode.\r\nvalidate source-mac\r\nno validate source-mac\r\nSyntax Description\r\nThis command has no arguments or keywords.\r\nCommand Default\r\nThis command is disabled by default.\r\nCommand Modes\r\nND inspection policy configuration (config-nd-inspection)\r\nRA guard policy configuration (config-ra-guard)\r\nCommand History\r\nRelease Modification\r\n12.2(50)SY This command was introduced.\r\nUsage Guidelines\r\nWhen the router receives an ND message that contains a link-layer address, the source MAC address is checked\r\nagainst the link-layer address. Use the validate source-mac command to drop the packet if the link-layer address\r\nand the MAC address are different from each other.\r\nExamples\r\nThe following example enables the router to drop an ND message whose link-layer address does not match the\r\nMAC address:\r\nRouter(config)# ipv6 nd inspection policy policy1\r\nRouter(config-nd-inspection)# validate source-mac\r\nRelated Commands\r\nCommand Description\r\nipv6 nd inspection policy Defines the ND inspection policy name and enters ND inspection policy\r\nconfiguration mode.\r\nipv6 nd raguard policy Defines the RA guard policy name and enters RA guard policy configuration mode.\r\nurl-text\r\nTo add an entry to a URL list, use the url-text command in webvpn URL list configuration mode. 
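The link-layer address comparison described under validate source-mac above, as an added Python example that is not Cisco code or IOS output: it parses a constructed Ethernet/IPv6/ICMPv6 frame, extracts the source link-layer address option from a Neighbor Solicitation or the target link-layer address option from a Neighbor Advertisement, compares it with the Ethernet source MAC, and returns the drop decision. The frame builder, the sample MAC and IPv6 addresses, and the accept/drop/ignore result labels are assumptions made for this example.

```python
"""
Neighbor Discovery source-MAC validation, modelled on the check that the
validate source-mac command enables on an IOS device. This is an added
illustration, not Cisco code: it parses an Ethernet/IPv6/ICMPv6 frame, finds
the link-layer address option carried by a Neighbor Solicitation or Neighbor
Advertisement, and compares it with the Ethernet source MAC. The frames and
MAC addresses used below are constructed for the example.
"""
import struct

ETH_TYPE_IPV6 = 0x86DD
IPV6_NEXT_ICMPV6 = 58
ICMPV6_NS = 135          # Neighbor Solicitation
ICMPV6_NA = 136          # Neighbor Advertisement
OPT_SOURCE_LLADDR = 1    # option expected in a Neighbor Solicitation
OPT_TARGET_LLADDR = 2    # option expected in a Neighbor Advertisement
ND_FIXED_HEADER = 24     # type, code, checksum, reserved/flags, 16-byte target


def parse_nd_options(data):
    """Yield (type, value) for each ND option; the length field counts 8-octet units."""
    offset = 0
    while offset + 2 <= len(data):
        opt_type, opt_len = data[offset], data[offset + 1]
        if opt_len == 0:
            # RFC 4861 requires a zero-length option to be treated as malformed
            raise ValueError("zero-length ND option")
        total = opt_len * 8
        yield opt_type, data[offset + 2:offset + total]
        offset += total


def validate_source_mac(frame):
    """
    Decide what a source-MAC check does with one frame.
    Returns 'drop' when the NS/NA link-layer option disagrees with the Ethernet
    source MAC (or the options are malformed), 'accept' when it agrees or no
    option is present, and 'ignore' for frames that are not NS/NA messages.
    The result labels are assumptions for this example.
    """
    if len(frame) < 14 + 40 + ND_FIXED_HEADER:
        return "ignore"
    src_mac = frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != ETH_TYPE_IPV6:
        return "ignore"
    if frame[14 + 6] != IPV6_NEXT_ICMPV6:
        return "ignore"  # IPv6 extension headers are not walked here
    icmp = frame[54:]
    if icmp[0] == ICMPV6_NS:
        wanted = OPT_SOURCE_LLADDR
    elif icmp[0] == ICMPV6_NA:
        wanted = OPT_TARGET_LLADDR
    else:
        return "ignore"
    try:
        options = list(parse_nd_options(icmp[ND_FIXED_HEADER:]))
    except ValueError:
        return "drop"
    for opt_type, value in options:
        if opt_type == wanted:
            # Ethernet link-layer addresses occupy the first 6 option octets
            return "accept" if value[:6] == src_mac else "drop"
    return "accept"


def build_nd_frame(src_mac, icmp_type, lladdr_in_option):
    """Construct a minimal NS or NA frame carrying one link-layer option (checksum zero)."""
    dst_mac = bytes.fromhex("333300000001")
    eth = dst_mac + src_mac + struct.pack("!H", ETH_TYPE_IPV6)
    src_ip = bytes.fromhex("fe800000000000000211223344550001")  # constructed link-local
    dst_ip = bytes.fromhex("ff020000000000000000000000000001")  # all-nodes multicast
    opt_type = OPT_SOURCE_LLADDR if icmp_type == ICMPV6_NS else OPT_TARGET_LLADDR
    icmp = (struct.pack("!BBHI", icmp_type, 0, 0, 0) + bytes(16)
            + bytes([opt_type, 1]) + lladdr_in_option)
    ipv6 = struct.pack("!IHBB", 0x60000000, len(icmp), IPV6_NEXT_ICMPV6, 255) + src_ip + dst_ip
    return eth + ipv6 + icmp


if __name__ == "__main__":
    mac = bytes.fromhex("001122334455")
    forged = bytes.fromhex("00aabbccddee")
    for label, frame in [
        ("honest NS", build_nd_frame(mac, ICMPV6_NS, mac)),
        ("NS with mismatched option", build_nd_frame(mac, ICMPV6_NS, forged)),
        ("NA with mismatched option", build_nd_frame(mac, ICMPV6_NA, forged)),
    ]:
        print(f"{label}: {validate_source_mac(frame)}")
```

A frame whose link-layer option is missing passes the check because there is nothing to compare, which matches the command description (the check runs only when the message contains a link-layer address); a zero-length option is treated as malformed and dropped rather than skipped.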
To remove the\r\nentry from a URL list, use the no form of this command.\r\nurl-text name url-value url\r\nno url-text name url-value url\r\nSyntax Description\r\nname Text label for the URL. The label must be inside quotation marks if it contains spaces.\r\nurl-value url An HTTP URL.\r\nCommand Default\r\nAn entry is not added to a URL list.\r\nCommand Modes\r\nWebvpn URL list configuration\r\nCommand History\r\nRelease Modification\r\n12.3(14)T This command was introduced.\r\nExamples\r\nThe following example adds entries to a URL list under the heading \"Quick Links\":\r\nRouter(config)# webvpn context context1\r\nRouter(config-webvpn-context)# url-list ACCESS\r\nRouter(config-webvpn-url)# heading \"Quick Links\"\r\nRouter(config-webvpn-url)# url-text \"Human Resources\" url-value hr.mycompany.com\r\nRouter(config-webvpn-url)# url-text Engineering url-value eng.mycompany.com\r\nRouter(config-webvpn-url)# url-text \"Sales and Marketing\" url-value products.mycompany.com\r\nRelated Commands\r\nCommand Description\r\nurl-list Enters webvpn URL list configuration mode to configure the list of URLs to which a user has\r\naccess on the portal page of an SSL VPN website.\r\nusage\r\nTo specify the intended use for the certificate, use the usage command in ca-trustpoint configuration mode. 
To\r\nrestore the default behavior, use the no form of this command.\r\nusage method1 [method2 [method3]]\r\nno usage method1 [method2 [method3]]\r\nSyntax Description\r\nmethod1 method2 method3 Intended use for the certificate; the available options are ike, ssl-client, and\r\nssl-server.\r\nYou must choose at least one method, and you may choose all three methods.\r\nCommand Default\r\nike\r\nCommand Modes\r\nCa-trustpoint configuration\r\nCommand History\r\nRelease Modification\r\n12.2(8)T This command was introduced.\r\nUsage Guidelines\r\nBefore you can issue the usage command, you must enable the crypto ca trustpoint command, which declares the\r\ncertification authority (CA) that your router should use and enters ca-trustpoint configuration mode.\r\nThis command may be used as a hint to set or clear key usage or other attributes in the certificate request.\r\nExamples\r\nThe following example shows how to specify the certificate named \"frog\" for Internet Key Exchange (IKE):\r\ncrypto ca trustpoint frog\r\n enrollment url http://frog.phoobin.com/\r\n subject-name OU=Spiral Dept., O=tiedye.com\r\n ip-address ethernet-0\r\n usage ike\r\n auto-enroll regenerate\r\n password revokeme\r\n rsa-key frog 2048\r\nRelated Commands\r\nCommand Description\r\ncrypto ca trustpoint Declares the CA that your router should use.\r\nuser\r\nTo enter the names of users that are allowed to authenticate using the local authentication server, use the user\r\ncommand in local RADIUS server configuration mode. 
To remove the username and password from the local\r\nRADIUS server, use the no form of this command.\r\nuser username {password | nthash} password [group group-name | mac-auth-only]\r\nno user username {password | nthash} password [group group-name | mac-auth-only]\r\nSyntax Description\r\nusername Name of the user that is allowed to authenticate using the local authentication server.\r\npassword Indicates that the user password will be entered.\r\nnthash Indicates that the NT value of the password will be entered.\r\npassword User password.\r\ngroup group-name (Optional) Name of the group to which the user will be added.\r\nmac-auth-only (Optional) Specifies that the user is allowed to authenticate using only MAC\r\nauthentication.\r\nCommand Default\r\nIf no group name is entered, the user is not assigned to a VLAN and is never required to reauthenticate.\r\nCommand Modes\r\nLocal RADIUS server configuration\r\nCommand History\r\nRelease Modification\r\n12.2(11)JA This command was introduced on the Cisco Aironet Access Point 1100 and the Cisco Aironet\r\nAccess Point 1200.\r\n12.2(15)JA This command was modified to support MAC address authentication on the local authenticator.\r\n12.3(2)JA This command was modified to support EAP-FAST authentication on the local authenticator.\r\n12.3(11)T This command was integrated into Cisco IOS Release 12.3(11)T and implemented on the\r\nfollowing platforms: Cisco 2600XM, Cisco 2691, Cisco 2811, Cisco 2821, Cisco 2851, Cisco\r\n3700, and Cisco 3800 series routers.\r\nUsage Guidelines\r\nThis command is not supported on bridges.\r\nIf you do not know the user password, look up the NT value of the password in the authentication server 
database,\r\nand enter the NT hash as a hexadecimal string.\r\nExamples\r\nThe following example shows that the user named \"user1\" has been allowed to authenticate using the local\r\nauthentication server (using the password \"userisok\"). This user will be added to the group named \"team1\".\r\nRouter(config-radsrv)# user user1 password userisok group team1\r\nThe following example shows how to add a user to the list of clients allowed to authenticate using MAC-based\r\nauthentication on the local authenticator.\r\nAP(config-radsrv)# user 00074218d01b password 00074218d01b group cashiers\r\nRelated Commands\r\nCommand Description\r\nblock count Configures the parameters for locking out members of a group to help protect\r\nagainst unauthorized attacks.\r\nclear radius local-server Clears the statistics display or unblocks a user.\r\ndebug radius local-server Displays the debug information for the local server.\r\ngroup Enters user group configuration mode and configures shared settings for a user\r\ngroup.\r\nnas Adds an access point or router to the list of devices that use the local\r\nauthentication server.\r\nradius-server host Specifies the remote RADIUS server host.\r\nradius-server local Enables the access point or router to be a local authentication server and enters\r\ninto configuration mode for the authenticator.\r\nreauthentication time Specifies the time (in seconds) after which access points or wireless-aware\r\nrouters must reauthenticate the members of a group.\r\nshow radius local-server statistics Displays statistics for a local network access server.\r\nssid Specifies up to 20 SSIDs to be used by a user group.\r\nvlan Specifies a VLAN to be used by members of a user group.\r\nuser-group\r\nTo define a user group for dynamically authenticating and enforcing security policies on 
a per-user basis, use the\r\nuser-group command in identity policy configuration mode. To delete the user-group, use the no form of this\r\ncommand.\r\nuser-group group-name\r\nno user-group group-name\r\nSyntax Description\r\ngroup-name Name of the user-group.\r\nCommand Default\r\nNone\r\nCommand Modes\r\nIdentity policy configuration (config-identity-policy)\r\nCommand History\r\nRelease Modification\r\n12.4(20)T This command was introduced.\r\nUsage Guidelines\r\nThe user-group command is used if the Tag and Template method of user-group support is used. The Tag and\r\nTemplate method associates IP addresses with user-groups using locally defined policies. A tag is received from\r\nthe access control server (ACS), and this tag matches a template (identity policy with defined user-group) on the\r\nnetwork access device (NAD).\r\nTo use the user-group command, you must first enter identity policy configuration mode by using the identity\r\npolicy command. The identity policy defines one or more user-groups, to which source IP addresses are\r\nassociated.\r\nNote\r\nAnother method of user-group association is available. 
User-group support can be achieved by\r\nconfiguring the supplicant-group attribute on the ACS.\r\nExamples\r\nThe following example creates the identity policy \"auth_proxy_ip\" and configures the user-group\r\n\"auth_proxy_ug\":\r\nRouter(config)# identity policy auth_proxy_ip\r\nRouter(config-identity-policy)# user-group auth_proxy_ug\r\nRelated Commands\r\nCommand Description\r\nclass-map Creates a class map to be used for matching packets to a specified class.\r\nidentity policy Creates an identity policy.\r\nuser-group (parameter-map)\r\nTo configure the user group associations for Cloud Web Security content scanning, use the user-group command\r\nin parameter-map type inspect configuration mode. To disable the user group association, use the no form of this\r\ncommand.\r\nuser-group {group-name [username] | exclude | include} username\r\nno user-group {group-name [username] | exclude | include} username\r\nSyntax Description\r\ngroup-name Name of the default user group.\r\nusername (Optional) Specifies the default username.\r\nexclude Excludes the specified user group.\r\ninclude Includes the specified user group.\r\nusername Username.\r\nCommand Default\r\nA user group is not configured.\r\nCommand Modes\r\nParameter-map type inspect configuration (config-profile)\r\nCommand History\r\nRelease Modification\r\n15.2(1)T1 This command was introduced.\r\nUsage Guidelines\r\nUse the group-name argument to have the same content scanning policy for all users in a branch office. 
A prefix of\r\nLDAP:// is attached to the group-name argument when this information is sent to Cloud Web Security to match the\r\nconfigured directory groups.\r\nThe username keyword is the global username that is sent to Cloud Web Security when there is no content\r\nscanning session specific to the configured username.\r\nBy default, all the configured user groups of a user are sent to Cloud Web Security. Use the user-group command\r\nto allow the administrator to filter the user groups sent to Cloud Web Security by configuring the include or the\r\nexclude keyword. When you configure the include keyword, only user groups that are in the include list are sent\r\nto Cloud Web Security. User groups in the exclude list are filtered from the list of user groups that is sent to Cloud\r\nWeb Security. The default value for the include list is everything and the exclude list is empty. You can configure\r\nmultiple instances of include and exclude user groups.\r\nYou can configure only one group on an interface. The static user group that is configured on the interface takes\r\nprecedence over the group name configured in the Cloud Web Security parameter map.\r\nExamples\r\nThe following example shows how to exclude a user group from being sent to Cloud Web Security:\r\nDevice(config)# parameter-map type cws global\r\nDevice(config-profile)# user-group exclude group1\r\nRelated Commands\r\nCommand Description\r\nparameter-map type cws global Configures a global Cloud Web Security parameter map and enters parameter-map type inspect configuration mode.\r\nuser-group logging\r\nTo enable user-group syslogs, use the user-group logging command in global configuration mode. 
To disable user-group syslogs, use the no form of this command.\r\nuser-group logging [group group-name]\r\nno user-group logging [group group-name]\r\nSyntax Description\r\ngroup (Optional) Configures logging for a specific user group.\r\ngroup-name (Optional) Name of the user-group.\r\nCommand Default\r\nNone\r\nCommand Modes\r\nGlobal configuration (config)\r\nCommand History\r\nRelease Modification\r\n12.4(20)T This command was introduced.\r\nExamples\r\nThe following example enables syslogs for the user-group \"auth_proxy_ug\":\r\nRouter(config)# user-group logging group auth_proxy_ug\r\nRelated Commands\r\nCommand Description\r\nuser-group Creates a user-group for dynamically authenticating and enforcing security policies on a per-user basis.\r\nusername\r\nTo establish a username-based authentication system, use the username command in global configuration mode.\r\nTo remove an established username-based authentication, use the no form of this command.\r\nusername name [aaa attribute list aaa-list-name]\r\nusername name [access-class access-list-number]\r\nusername name [autocommand command]\r\nusername name [callback-dialstring telephone-number]\r\nusername name [callback-line [tty] line-number [ending-line-number]]\r\nusername name [callback-rotary rotary-group-number]\r\nusername name [dnis]\r\nusername name [mac]\r\nusername name [nocallback-verify]\r\nusername name [noescape]\r\nusername name [nohangup]\r\nusername name [nopassword | password password | password encryption-type encrypted-password]\r\nusername name [one-time {password {0 | 7 | password} | secret {0 | 5 | password}}]\r\nusername name [password secret]\r\nusername name [privilege level]\r\nusername name [secret 
{0 | 5 | password}]\r\nusername name [user-maxlinks number]\r\nusername [lawful-intercept] name [privilege privilege-level | view view-name] password password\r\nno username name\r\nSyntax Description\r\nname Hostname, server name, user ID, or command name. The name argument can be only\r\none word. Blank spaces and quotation marks are not allowed.\r\naaa attribute list aaa-list-name Uses the specified authentication, authorization, and accounting (AAA) method list.\r\naccess-class access-list-number (Optional) Specifies an outgoing access list that overrides the access list specified in the\r\naccess-class command available in line configuration mode. It is used for the duration of\r\nthe user’s session.\r\nautocommand command (Optional) Causes the specified command to be issued automatically after the user logs\r\nin. When the command is complete, the session is terminated. Because the command\r\ncan be any length and can contain embedded spaces, commands using the autocommand\r\nkeyword must be the last option on the line.\r\ncallback-dialstring telephone-number (Optional) For asynchronous callback only: permits you to specify a telephone number\r\nto pass to the DCE device.\r\ncallback-line line-number (Optional) For asynchronous callback only: relative number of the terminal line (or the\r\nfirst line in a contiguous group) on which you enable a specific username for callback.\r\nNumbering begins with zero.\r\nending-line-number (Optional) Relative number of the last line in a contiguous group on which you want to\r\nenable a specific username for callback. 
If you omit the keyword (such as tty), then\r\nline-number and ending-line-number are absolute rather than relative line numbers.\r\ntty (Optional) For asynchronous callback only: standard asynchronous line.\r\ncallback-rotary rotary-group-number (Optional) For asynchronous callback only: permits you to specify a rotary group\r\nnumber on which you want to enable a specific username for callback. The next\r\navailable line in the rotary group is selected. Range: 1 to 100.\r\ndnis Does not require a password when obtained via Dialed Number Identification Service\r\n(DNIS).\r\nmac Allows a MAC address to be used as the username for MAC filtering done locally.\r\nnocallback-verify (Optional) Specifies that the authentication is not required for EXEC callback on the\r\nspecified line.\r\nnoescape (Optional) Prevents a user from using an escape character on the host to which that user\r\nis connected.\r\nnohangup (Optional) Prevents Cisco IOS software from disconnecting the user after an automatic\r\ncommand (set up with the autocommand keyword) has completed. Instead, the user gets\r\nanother EXEC prompt.\r\nnopassword No password is required for this user to log in. This is usually the most useful keyword\r\nto use in combination with the autocommand keyword.\r\npassword Specifies the password to access the name argument. A password must be from 1 to 25\r\ncharacters, can contain embedded spaces, and must be the last option specified in the\r\nusername command.\r\npassword Password that a user enters.\r\nencryption-type Single-digit number that defines whether the text immediately following is encrypted\r\nand if so, what type of encryption is used. 
Defined encryption types are 0, which means\r\nthat the text immediately following is not encrypted, and 7, which means that the text is\r\nencrypted using a Cisco-defined encryption algorithm.\r\nencrypted-password Encrypted password that a user enters.\r\none-time Specifies that the username and password are valid for only one time. This configuration\r\nis used to prevent default credentials from remaining in user configurations.\r\n0 Specifies that an unencrypted password or secret (depending on the configuration)\r\nfollows.\r\n7 Specifies that a hidden password follows.\r\n5 Specifies that a hidden secret follows.\r\nsecret Specifies a secret for the user.\r\nsecret For Challenge Handshake Authentication Protocol (CHAP) authentication: specifies the\r\nsecret for the local router or the remote device. The secret is encrypted when it is stored\r\non the local router. The secret can consist of any string of up to 11 ASCII characters.\r\nThere is no limit to the number of username and password combinations that can be\r\nspecified, allowing any number of remote devices to be authenticated.\r\nprivilege privilege-level (Optional) Sets the privilege level for the user. Range: 1 to 15.\r\nuser-maxlinks number Maximum number of inbound links allowed for a user.\r\nlawful-intercept (Optional) Configures lawful intercept users on a Cisco device.\r\nname Hostname, server name, user ID, or command name. The name argument can be only\r\none word. 
Blank spaces and quotation marks are not allowed.\r\nview view-name (Optional) For CLI view only: associates a CLI view name, which is specified with the\r\nparser view command, with the local AAA database.\r\npassword password Password to access the CLI view.\r\nCommand Default\r\nNo username-based authentication system is established.\r\nCommand Modes\r\nGlobal configuration (config)\r\nCommand History\r\nRelease Modification\r\n10.0 This command was introduced.\r\n11.1 This command was modified. The following keywords and arguments were added:\r\ncallback-dialstring telephone-number\r\ncallback-rotary rotary-group-number\r\ncallback-line [tty] line-number [ending-line-number]\r\nnocallback-verify\r\n12.3(7)T This command was modified. The following keywords and arguments were added:\r\nlawful-intercept\r\nview view-name\r\n12.2(33)SRB This command was modified. The following keywords and arguments were\r\nintegrated into Cisco IOS Release 12.2(33)SRB:\r\nlawful-intercept\r\nview view-name\r\n12.2(33)SB This command was modified. The following keywords and arguments were\r\nintegrated into Cisco IOS Release 12.2(33)SB:\r\nlawful-intercept\r\nview view-name\r\nCisco IOS XE Release 2.1 This command was integrated into Cisco IOS XE Release 2.1.\r\n12.2(33)SXI This command was integrated into Cisco IOS Release 12.2(33)SXI.\r\n12.4 This command was modified. The following keywords were integrated into Cisco\r\nIOS Release 12.4:\r\none-time\r\nsecret\r\n0, 5, 7\r\n15.1(1)S This command was modified. Support for the nohangup keyword was removed\r\nfrom Secure Shell (SSH).\r\nCisco IOS XE Release 3.2SE This command was modified. 
The mac keyword was added.\r\nUsage Guidelines\r\nThe username command provides username or password authentication, or both, for login purposes only.\r\nMultiple username commands can be used to specify options for a single user.\r\nAdd a username entry for each remote system with which the local router communicates and from which it\r\nrequires authentication. The remote device must have a username entry for the local router. This entry must have\r\nthe same password as the local router’s entry for that remote device.\r\nThis command can be useful for defining usernames that get special treatment. For example, you can use this\r\ncommand to define an \"info\" username that does not require a password but connects the user to a general purpose\r\ninformation service.\r\nThe username command is required as part of the configuration for CHAP. Add a username entry for each remote\r\nsystem from which the local router requires authentication.\r\nNote\r\nTo enable the local router to respond to remote CHAP challenges, one username name entry must be\r\nthe same as the hostname entry that has already been assigned to the other router.\r\nTo avoid the situation of a privilege level 1 user entering into a higher privilege level, configure a per-user\r\nprivilege level other than 1 (for example, 0 or 2 through 15).\r\nPer-user privilege levels override virtual terminal privilege levels.\r\nIn Cisco IOS Release 15.1(1)S and later releases, the nohangup keyword is not supported with SSH. If the\r\nusername user autocommand command-name command is configured and SSH is used, the session disconnects\r\nafter executing the configured command once. 
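The credential-storage distinctions in this username entry (nopassword, password with encryption type 0 or 7, secret with type 5, per-user privilege levels) and the HTTPS server guidance in the url-profile entry above (ip http secure-server paired with ip http secure-trustpoint, the standard ip http server disabled), turned into a configuration review check. This is an added Python example, not Cisco code or IOS output: it parses constructed running-config lines in the format shown throughout this reference and reports the entries a reviewer would want to see. The sample configuration, the severity labels and the finding messages are assumptions made for this example; the type 5 secret value is a constructed placeholder, not a real hash.

```python
"""
Audit of local credentials and the management-plane HTTP servers in an
IOS-style running-config. Added illustration, not Cisco code: it reads the
username keywords documented in this entry (nopassword, password with type
0 or 7, secret with type 5, privilege) and the url-profile guidance above
(ip http secure-server with ip http secure-trustpoint, no ip http server).
The configuration below is constructed; the type 5 value is a placeholder.
"""

SAMPLE_CONFIG = """\
hostname server_l
ip http server
ip http secure-server
username who nopassword nohangup autocommand show users
username superuser password superpassword
username server_r password 7 121F0A18
username user privilege 0 password 0 cisco
username ops privilege 15 secret 5 $1$PLACEHOLDER$constructed-not-a-real-hash
interface serial 0
 encapsulation ppp
 ppp authentication chap
"""

CREDENTIAL_TYPES = {"0", "5", "7"}


def parse_username_line(line):
    """Return a dict for one 'username' line, or None for any other line."""
    tokens = line.split()
    if len(tokens) < 2 or tokens[0] != "username":
        return None
    entry = {"name": tokens[1], "privilege": None, "credential": None,
             "enc_type": None, "autocommand": None}
    i = 2
    while i < len(tokens):
        tok = tokens[i]
        if tok == "privilege" and i + 1 < len(tokens):
            entry["privilege"] = int(tokens[i + 1])
            i += 2
        elif tok == "nopassword":
            entry["credential"] = "nopassword"
            i += 1
        elif tok in ("password", "secret") and i + 1 < len(tokens):
            entry["credential"] = tok
            # A type digit may precede the value; with none, the value is clear text (type 0).
            if i + 2 < len(tokens) and tokens[i + 1] in CREDENTIAL_TYPES:
                entry["enc_type"] = int(tokens[i + 1])
                i += 3
            else:
                entry["enc_type"] = 0
                i += 2
        elif tok == "autocommand":
            entry["autocommand"] = " ".join(tokens[i + 1:])
            break  # autocommand must be the last option on the line
        else:
            i += 1  # nohangup, noescape and similar carry no finding here
    return entry


def audit_config(config_text):
    """Return (severity, subject, message) findings; severities are labels chosen for this example."""
    lines = [line.strip() for line in config_text.splitlines()]
    findings = []
    if "ip http server" in lines:
        findings.append(("high", "ip http server",
                         "clear-text HTTP server enabled; remove with no ip http server"))
    if "ip http secure-server" in lines and not any(
            line.startswith("ip http secure-trustpoint") for line in lines):
        findings.append(("medium", "ip http secure-server",
                         "HTTPS server enabled without ip http secure-trustpoint"))
    for line in lines:
        entry = parse_username_line(line)
        if entry is None:
            continue
        name = entry["name"]
        if entry["credential"] == "nopassword":
            findings.append(("high", name, "nopassword: no credential required to log in"))
        elif entry["credential"] == "password" and entry["enc_type"] == 0:
            findings.append(("high", name, "password type 0: stored in clear text"))
        elif entry["credential"] == "password" and entry["enc_type"] == 7:
            findings.append(("high", name,
                             "password type 7: reversible encoding rather than a hash; prefer secret"))
        if entry["privilege"] == 15:
            findings.append(("info", name, "privilege 15: full administrative access"))
    return findings


if __name__ == "__main__":
    for severity, subject, message in audit_config(SAMPLE_CONFIG):
        print(f"[{severity}] {subject}: {message}")
```

Run against the sample, the check reports the clear-text HTTP server, the HTTPS server that has no trustpoint, the three clear-text or type 7 passwords and the passwordless autocommand user, and lists the privilege 15 account as informational; the secret 5 entry itself raises nothing.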
This behavior with SSH is opposite to the Telnet behavior, where\r\nTelnet continuously asks for authentication and keeps executing the command until the user exits Telnet manually.\r\nCLI and Lawful Intercept Views\r\nBoth CLI views and lawful intercept views restrict access to specified commands and configuration information.\r\nA lawful intercept view allows a user to secure access to lawful intercept commands that are held within the TAP-MIB, which is a special set of Simple Network Management Protocol (SNMP) commands that stores information\r\nabout calls and users.\r\nUsers who are specified via the lawful-intercept keyword are placed in the lawful-intercept view, by default, if no\r\nother privilege level or view name has been explicitly specified.\r\nIf no value is specified for the secret argument and the debug serial-interface command is enabled, an error is\r\ndisplayed when a link is established and the CHAP challenge is not implemented. The CHAP debugging\r\ninformation is available using the debug ppp negotiation, debug serial-interface, and debug serial-packet\r\ncommands. For more information about debug commands, refer to the Cisco IOS Debug Command Reference.\r\nExamples\r\nThe following example shows how to implement a service similar to the UNIX who command, which can be\r\nentered at the login prompt and lists the current users of the router:\r\nusername who nopassword nohangup autocommand show users\r\nThe following example shows how to implement an information service that does not require a password to be\r\nused. The command takes the following form:\r\nusername info nopassword noescape autocommand telnet nic.ddn.mil\r\nThe following example shows how to implement an ID that works even if all the TACACS+ servers break. 
The\r\ncommand takes the following form:\r\nusername superuser password superpassword\r\nThe following example shows how to enable CHAP on interface serial 0 of \"server_l.\" It also defines a password\r\nfor a remote server named \"server_r.\"\r\nhostname server_l\r\nusername server_r password theirsystem\r\ninterface serial 0\r\n encapsulation ppp\r\n ppp authentication chap\r\nThe following is output from the show running-config command displaying the passwords that are encrypted:\r\nhostname server_l\r\nusername server_r password 7 121F0A18\r\ninterface serial 0\r\n encapsulation ppp\r\n ppp authentication chap\r\nIn the following example, a privilege level 1 user is denied access to privilege levels higher than 1:\r\nusername user privilege 0 password 0 cisco\r\nusername user2 privilege 2 password 0 cisco\r\nThe following example shows how to remove the username-based authentication for user2:\r\nno username user2\r\nRelated Commands\r\nCommand Description\r\narap callback Enables an ARA client to request a callback from an ARA client.\r\ncallback forced-wait\r\nForces the Cisco IOS software to wait before initiating a callback to a requesting client.\r\ndebug ppp\r\nnegotiation\r\nDisplays PPP packets sent during PPP startup, where PPP options are negotiated.\r\ndebug serial-interface\r\nDisplays information about a serial connection failure.\r\ndebug serial-packet Displays more detailed serial interface debugging information than you can obtain using the\r\ndebug serial-interface command.\r\nppp callback\r\n(DDR)\r\nEnables a dialer interface that is not a DTR interface to function either as a callback\r\nclient that requests callback or as a callback server that accepts callback
requests.\r\nppp callback\r\n(PPP client)\r\nEnables a PPP client to dial into an asynchronous interface and request a callback.\r\nshow users Displays information about the active lines on the router.\r\nusername (dot1x credentials)\r\nTo specify the username for an 802.1X credentials profile, use the username command in dot1x credentials\r\nconfiguration mode. To remove the username, use the no form of this command.\r\nusername name\r\nno username\r\nSyntax Description\r\nname Name of the credentials profile.\r\nCommand Default\r\nA username is not specified.\r\nCommand Modes\r\nDot1x credentials configuration\r\nCommand History\r\nRelease Modification\r\n12.4(6)T This command was introduced.\r\nUsage Guidelines\r\nBefore using this command, the dot1x credentials command must have been configured.\r\nExamples\r\nThe following example shows which credentials profile should be used when configuring a supplicant:\r\ndot1x credentials basic-user\r\n username router\r\n password secret\r\n description This credentials profile should be used for most configured ports\r\nThe credentials structure can be applied to an interface, along with the dot1x pae supplicant command and\r\nkeyword, to enable supplicant functionality on that interface.\r\ninterface fastethernet 0/1\r\n dot1x credentials basic-user\r\n dot1x pae supplicant\r\nRelated Commands\r\nCommand Description\r\ndot1x credentials Specifies an 802.1X credentials profile to be used.\r\nusername (ips-autoupdate)\r\nTo define a username and password with which to access signature files from the server, use the username command\r\nin IPS-auto-update configuration mode.\r\nusername name password password\r\nSyntax Description\r\nname Username required to access the latest
updated signature file package.\r\npassword password Password required to access the latest updated signature file package.\r\nCommand Default\r\nThe default value is defined in the signature definition XML.\r\nCommand Modes\r\nIPS-auto-update configuration\r\nCommand History\r\nRelease Modification\r\n12.4(11)T This command was introduced.\r\nUsage Guidelines\r\nAutomatic signature updates allow users to override the existing Intrusion Prevention System (IPS) configuration\r\nand automatically keep signatures up to date on the basis of a preset time, which can be configured to a preferred\r\nsetting.\r\nUse the ip ips auto-update command to enable Cisco IOS IPS to automatically update the signature file on the\r\nsystem. Thereafter, you can optionally issue the username command to specify a username and password to access\r\nsignature files.\r\nExamples\r\nThe following example shows how to configure automatic signature updates and issue the show ip ips auto-update\r\ncommand to verify the configuration:\r\nRouter# clock set ?\r\nhh:mm:ss Current Time\r\nRouter# clock set 10:38:00 20 apr 2006\r\nRouter#\r\n*Apr 20 17:38:00.000: %SYS-6-CLOCKUPDATE: System clock has been updated from 10:37:55 MST Thu Apr 20 2006 to 10:\r\nRouter(config)# ip ips auto-update\r\nRouter(config-ips-auto-update)# occur-at 0 0-23 1-31 1-5\r\nRouter(config-ips-auto-update)# $s-auto-update/IOS_reqSeq-dw.xml\r\n \r\nRouter(config-ips-auto-update)#^Z\r\nRouter#\r\n*May 4 2006 15:50:28 MST: IPS Auto Update: setting update timer for next update: 0 hrs 10 min\r\n*May 4 2006 15:50:28 MST: %SYS-5-CONFIG_I: Configured from console by cisco on console\r\nRouter#\r\nRouter# show ip ips auto-update\r\n \r\nIPS Auto Update Configuration\r\nURL : tftp://192.168.0.2/jdoe/ips-auto-update/IOS_reqSeq-dw.xml\r\nUsername : not configured\r\nPassword : not configured\r\nAuto Update
Intervals\r\n minutes (0-59) : 0\r\n hours (0-23) : 0-23\r\n days of month (1-31) : 1-31\r\n days of week: (0-6) : 1-5\r\nRelated Commands\r\nCommand Description\r\nip ips auto-update Enables automatic signature updates for Cisco IOS IPS.\r\nusername algorithm-type\r\nTo set the algorithm type to hash a user password configured using the username secret command, use the\r\nusername algorithm-type command in global configuration mode.\r\nusername name algorithm-type {md5 | scrypt | sha256}\r\nSyntax Description\r\nmd5 Selects the message digest algorithm 5 (MD5) as the hashing algorithm.\r\nscrypt Selects scrypt as the hashing algorithm.\r\nsha256\r\nSelects Password-Based Key Derivation Function 2 (PBKDF2) with Secure Hash Algorithm, 256\r\nbits (SHA-256) as the hashing algorithm.\r\nCommand Default\r\nNo algorithm type is established for the username-based authentication system.\r\nCommand Modes\r\nGlobal configuration (config)\r\nCommand History\r\nRelease Modification\r\n15.3(3)M This command was introduced.\r\n15.3(3)S This command was integrated into Cisco IOS Release 15.3(3)S.\r\nUsage Guidelines\r\nYou must configure the password using the username secret command before hashing the password with the\r\nusername algorithm-type command.\r\nUse the username algorithm-type command to generate the following types of passwords:\r\nCommand keyword Type of password\r\nmd5 Type 5\r\nsha256 Type 8\r\nscrypt Type 9\r\nNote\r\nType 5, 8, and 9 passwords are not reversible.\r\nIf you configure type 8 or type 9 passwords and then downgrade to a release that does not support type 8 and type\r\n9 passwords, you must configure the type 5 passwords before downgrading.
If not, you are locked out of the\r\ndevice and a password recovery is required.\r\nNote\r\nIf you are using an external AAA server to manage privilege levels, you are not locked out of the\r\ndevice.\r\nExamples\r\nThe following example shows how to generate a type 8 (PBKDF2 with SHA-256) or a type 9 (SCRYPT)\r\npassword:\r\nDevice# configure terminal\r\nDevice(config)# enable algorithm-type sha256 secret cisco\r\nDevice(config)# enable algorithm-type scrypt secret cisco\r\nDevice(config)# end\r\nDevice# show running-config | inc username\r\nenable secret 8 $8$dsYGNam3K1SIJO$7nv/35M/qr6t.dVc7UY9zrJDWRVqncHub1PE9UlMQFs\r\nenable secret 9 $9$nhEmQVczB7dqsO$X.HsgL6x1il0RxkOSSvyQYwucySCt7qFm4v7pqCxkKM\r\nRelated Commands\r\nCommand Description\r\nenable algorithm-type Sets the algorithm type to hash a user password configured using the enable secret\r\ncommand.\r\nenable password Sets a local password to control access to various privilege levels.\r\nenable secret Specifies an additional layer of security over the enable password command.\r\nusername Establishes a username-based authentication system.\r\nusername secret\r\nTo encrypt a user password with irreversible encryption, use the username secret command in global configuration\r\nmode.\r\nusername name secret {0 password | 5 secret-string | 4 secret-string | 8 secret-string | 9 secret-string}\r\nSyntax Description\r\nname Username.\r\n0 Specifies an unencrypted secret.\r\npassword Clear-text password.\r\n5 secret-string Message digest algorithm 5 (MD5) encrypted secret text string, which is stored as the\r\nencrypted user password.\r\n4 secret-string\r\nSecure Hash Algorithm, 256 bits (SHA-256) encrypted secret text string, which is stored as the\r\nencrypted user password.\r\nNote\r\nEffective with CSCue95644, the 4 keyword is deprecated.\r\n8
secret-string Password-Based Key Derivation Function 2 (PBKDF2) with SHA-256 hashed secret text\r\nstring, which is stored as the hashed user password.\r\n9 secret-string\r\nScrypt hashed secret text string, which is stored as the hashed user password.\r\nCommand Default\r\nNo username-based authentication system is established.\r\nCommand Modes\r\nGlobal configuration (config)\r\nCommand History\r\nRelease Modification\r\n12.0(18)S This command was introduced.\r\n12.1(8a)E This command was integrated into Cisco IOS Release 12.1(8a)E.\r\n12.2(8)T This command was integrated into Cisco IOS Release 12.2(8)T.\r\n12.2(14)SX Support for this command was introduced on the Supervisor Engine 720.\r\n12.2(17d)SXB\r\nSupport for this command on the Supervisor Engine 2 was extended to Cisco IOS Release\r\n12.2(17d)SXB.\r\n12.2(33)SRA This command was integrated into Cisco IOS Release 12.2(33)SRA.\r\n15.0(1)S\r\nThis command was integrated into Cisco IOS Release 15.0(1)S. Algorithm types 0, 4, and\r\n5 were added.\r\n15.1(1)SY This command was integrated into Cisco IOS Release 15.1(1)SY.\r\n15.3(3)M\r\nThis command was modified.\r\nThe 4 keyword was deprecated and support for type 8 and type 9 algorithms was\r\nadded.\r\nThe warning message for the type 5 algorithm was removed.\r\nThe warning message for removal of support for the type 4 algorithm was added.\r\n15.3(3)S The command modifications were integrated into Cisco IOS Release 15.3(3)S.\r\nUsage Guidelines\r\nUse the username secret command to configure a username and MD5-encrypted user password.
MD5 encryption\r\nis a strong encryption method that is not retrievable; thus, you cannot use MD5 encryption with protocols that\r\nrequire clear-text passwords, such as Challenge Handshake Authentication Protocol (CHAP).\r\nThe username secret command provides an additional layer of security over the username password command. It also\r\nprovides better security by encrypting the password using nonreversible MD5 encryption and storing the\r\nencrypted text. The added layer of MD5 encryption is useful in environments in which the password crosses the\r\nnetwork or is stored on a TFTP server.\r\nUse MD5 as the encryption type if you paste into this command an encrypted password that you copied from a\r\nrouter configuration file.\r\nUse this command to enable Enhanced Password Security for the specified username; the stored password cannot be retrieved. This\r\ncommand enables MD5 encryption on the password. MD5 encryption is a strong encryption method. You cannot\r\nuse MD5 encryption with protocols, such as CHAP, that require clear-text passwords.\r\nThis command can be useful for defining usernames that get special treatment. For example, you can use this\r\ncommand to define an “info” username that does not require a password but connects the user to a general-purpose information service.\r\nWith CSCue95644, you can use the username secret command to configure a username and hash the user\r\npassword with MD5, PBKDF2 with SHA-256, or scrypt hashing algorithms.\r\nNote\r\nIf you use type 8 or type 9 passwords and then downgrade to an older version of Cisco IOS software\r\nthat does not support type 8 and type 9 passwords, you must reconfigure the passwords to use type 5\r\nhashing before downgrading. If not, you are locked out of the device and password recovery is\r\nrequired.
If you are using an external AAA server to manage privilege levels, you are not locked out\r\nof the device.\r\nThe username command provides username or secret authentication for login purposes only. The name argument\r\ncan be one word only. Spaces and quotation marks are not allowed. You can use multiple username commands to\r\nspecify options for a single user.\r\nExamples\r\nThe following example shows how to configure username “abc” and enable MD5 encryption on the clear-text\r\npassword “xyz”:\r\nusername abc secret 0 xyz\r\nThe following example shows how to configure username “cde” and enter an MD5 encrypted text string that is\r\nstored as the username password:\r\nusername cde secret 5 $1$feb0$a104Qd9UZ./Ak00KTggPD0\r\nThe following example shows how to configure username “xyz” and enter an MD5 encrypted text string that is\r\nstored as the username password:\r\nusername xyz secret 5 $1$feb0$a104Qd9UZ./Ak00KTggPD0\r\nThe following example shows the sample warning message that is displayed when a user enters the username\r\nsecret 4 encrypted-password command:\r\nDevice# configure terminal\r\nDevice(config)# username demo secret 4 tnhtc92DXBhelxjYk8LWJrPV36S2i4ntXrpb4RFmfqY\r\nWARNING: Command has been added to the configuration but Type 4 passwords have been deprecated.\r\nMigrate to a supported password type\r\nDevice(config)# end\r\nDevice# show running-config | inc username\r\nusername demo secret 4 tnhtc92DXBhelxjYk8LWJrPV36S2i4ntXrpb4RFmfqY\r\nRelated Commands\r\nCommand Description\r\nenable password Sets a local password to control access to various privilege levels.\r\nenable secret Specifies an additional layer of security over the enable password command.\r\nusername Establishes a username-based authentication system.\r\nusername algorithm-type Sets the algorithm type to hash a user password configured using the
username\r\nsecret command.\r\nuser-profile location\r\nTo store user bookmarks in a directory on a device, use the user-profile location command in webvpn context\r\nconfiguration mode. To remove a directory that has been configured, use the no form of this command.\r\nuser-profile location device:directory\r\nno user-profile location device:directory\r\nSyntax Description\r\ndevice: Storage location on a device. See the table below for a list of acceptable storage locations.\r\ndirectory Name of the directory.\r\nCommand Default\r\nThe default location is flash:/webvpn/\u003ccontext-name\u003e/.\r\nCommand Modes\r\nWebvpn context configuration (config-webvpn-context)\r\nCommand History\r\nRelease Modification\r\n12.4(15)T This command was introduced.\r\nUsage Guidelines\r\nThe table below lists the acceptable storage locations.\r\nTable 1. Type of Storage Location\r\nType of Storage\r\nLocation\r\nDescription\r\narchive Archived file system.\r\nBootflash Bootflash memory.\r\ndisk0 On Disk 0.\r\ndisk1 On Disk 1.\r\nFlash Flash memory.\r\nFTP FTP network server.\r\nHTTP HTTP file server.\r\nHTTPS HTTP secure server.\r\nnull Null destination for copies.
You can copy a remote file to null to determine its size.\r\nNVRAM Storage location is in NVRAM.\r\nPRAM Phase-change memory (PRAM), a type of nonvolatile computer memory.\r\nRCP Remote copy protocol network server.\r\nSCP\r\nSecure Copy, a means of securely transferring computer files between a local and a\r\nremote host or between two remote hosts using the Secure Shell (SSH) protocol.\r\nslot0 On Slot 0.\r\nslot1 On Slot 1.\r\nsystem System memory, including the running configuration.\r\ntmpsys Temporary system in a file system.\r\nExamples\r\nThe following example shows that bookmarks are stored in flash in the directory webvpn/sslvpn_context/.\r\nRouter# webvpn context context1\r\nRouter# user-profile location flash:/webvpn/sslvpn_context/\r\nRelated Commands\r\nCommand Description\r\nwebvpn context Configures the SSL VPN context and enters webvpn context configuration mode.\r\nvariable\r\nTo define the next-hop variable in a mitigation parameter map for Transitory Messaging Services (TMS), use the\r\nvariable command in parameter-map configuration mode.
To remove the next-hop variable from the mitigation\r\nparameter map, use the no form of this command.\r\nNote\r\nEffective with Cisco IOS Release 12.4(20)T, the variable command is not available in Cisco IOS\r\nsoftware.\r\nvariable name {number | ipv4 ip-address | null0}\r\nno variable name\r\nSyntax Description\r\nname Specifies the variable name.\r\nnumber Specifies the number associated with this variable from 0 to 4294967295.\r\nipv4 ip-address Sets the next hop action-variable type to a specific IP address.\r\nnull0 Sets the next hop to interface null 0 (null route).\r\nCommand Default\r\nThe next-hop variable in a mitigation parameter map for TMS is not defined.\r\nCommand Modes\r\nParameter-map configuration (config-profile)\r\nCommand History\r\nRelease Modification\r\n12.4(6)T This command was introduced.\r\n12.4(15)XZ This command was integrated into Cisco IOS Release 12.4(15)XZ.\r\nUsage Guidelines\r\nThe variable command is configured to set the next-hop variable in a mitigation type parameter map.
The next hop\r\ncan be configured to route to a null 0 interface (null route) or route to a specific interface for collection and\r\nanalysis.\r\nNote\r\nIf the next hop is defined in a threat file and as a variable by configuring this command, the next-hop\r\nvalue defined in the threat file will have precedence over the parameter map variable.\r\nExamples\r\nThe following example configures a variable that routes all priority 5 traffic to the null0 interface:\r\nRouter(config)# class-map type control mitigation match-all MIT_CLASS_2\r\n \r\nRouter(config-cmap)# match primitive any\r\n \r\nRouter(config-cmap)# match priority 5\r\nRouter(config-cmap)# exit\r\nRouter(config)# parameter-map type mitigation MIT_PAR_2\r\nRouter(config-profile)# variable RTBH null0\r\nRouter(config-profile)# exit\r\nRouter(config)# policy-map type control mitigation MIT_POL_2\r\n \r\nRouter(config-pmap)# class MIT_CLASS_2\r\nRouter(config-pmap-c)# redirect route $RTBH\r\nRouter(config-pmap-c)# source parameter MIT_PAR_2\r\nRouter(config-pmap-c)# exit\r\nRouter(config-pmap)# exit\r\n \r\nRelated Commands\r\nCommand Description\r\nacl drop\r\nConfigures an ACL drop enforcement action in a TMS Rules Engine\r\nconfiguration.\r\nclass-map type control\r\nmitigation\r\nConfigures a mitigation type class map.\r\nignore (TMS)\r\nConfigures the TMS Rules Engine to ignore a mitigation enforcement\r\naction.\r\nmatch primitive Configures a primitive match in a mitigation type class map.\r\nmatch priority Configures the match priority level for a mitigation enforcement action.\r\nparameter-map type mitigation Configures a mitigation type parameter map.\r\npolicy-map type control tms Configures a TMS type policy map.\r\nredirect route Configures a redirect enforcement action in a mitigation type policy map.\r\nsource parameter\r\nAttaches a mitigation type parameter map to a
policy-map class\r\nconfiguration.\r\ntms-class Associates an interface with an ACL drop enforcement action.\r\nview\r\nTo add a normal command-line interface (CLI) view to a superview, use the view command in view configuration\r\nmode. To remove a CLI view from a superview, use the no form of this command.\r\nview view-name\r\nno view view-name\r\nSyntax Description\r\nview-name CLI view that is to be added to the given superview.\r\nCommand Default\r\nA superview will not contain any CLI views until this command is enabled.\r\nCommand Modes\r\nView configuration (config-view)\r\nCommand History\r\nRelease Modification\r\n12.3(11)T This command was introduced.\r\n12.2(33)SRB This command was integrated into Cisco IOS Release 12.2(33)SRB.\r\nCisco IOS XE Release 2.1 This command was integrated into Cisco IOS XE Release 2.1.\r\n12.2(33)SXI This command was integrated into Cisco IOS Release 12.2(33)SXI.\r\nUsage Guidelines\r\nBefore you can use this command to add normal views to a superview, ensure that the following steps have been\r\ntaken:\r\nA password has been configured for the superview (via the secret 5 command).\r\nThe normal views that are to be added to the superview are valid views in the system; that is, the views\r\nhave been successfully created via the parser view command.\r\nExamples\r\nThe following sample output from the show running-config command shows that \"view_one\" and \"view_two\"\r\nhave been added to superview \"su_view1,\" and \"view_three\" and \"view_four\" have been added to superview\r\n\"su_view2\":\r\n!\r\nparser view su_view1 superview\r\n secret 5 \u003cencoded password\u003e\r\n view view_one\r\n view view_two\r\n!\r\nparser view su_view2 superview\r\n secret 5 \u003cencoded
password\u003e\r\n view view_three\r\n view view_four\r\n!\r\nRelated Commands\r\nCommand Description\r\nparser view Creates or changes a CLI view and enters view configuration mode.\r\nsecret 5 Associates a CLI view or a superview with a password.\r\nvirtual-template (IKEv2 profile)\r\nTo configure an Internet Key Exchange Version 2 (IKEv2) profile with a virtual template to be used for cloning the virtual\r\naccess interfaces, use the virtual-template command in IKEv2 profile configuration mode. To remove the virtual\r\ntemplate from the IKEv2 profile, use the no form of this command.\r\nvirtual-template template-number mode auto\r\nno virtual-template template-number\r\nSyntax Description\r\ntemplate-number\r\nIdentifying number of the virtual template that will be used to clone virtual access\r\ninterfaces.\r\nmode auto Enables auto tunneling mode.\r\nCommand Default\r\nA virtual template is not specified.\r\nCommand Modes\r\nIKEv2 profile configuration (config-ikev2-profile)\r\nCommand History\r\nRelease Modification\r\n15.1(1)T This command was introduced.\r\nCisco IOS XE Release 3.3S This command was integrated into Cisco IOS XE Release 3.3S.\r\n15.2(4)S This command was integrated into Cisco IOS Release 15.2(4)S.\r\n15.4(2)T This command was modified. The mode auto keywords were added.\r\nCisco IOS XE Release 3.12S This command was integrated into Cisco IOS XE Release 3.12S.\r\nUsage Guidelines\r\nUse this command to specify the virtual template for cloning a virtual access interface.\r\nAuto tunneling mode eases the configuration and spares you from having to know the responder’s details.
It\r\nautomatically applies the tunneling protocol (GRE or IPsec) and transport protocol (IPv4 or IPv6) on the virtual\r\ntemplate as soon as the IKE profile creates the virtual access interface.\r\nExamples\r\nThe following example shows how virtual-template 1 is configured for profile1:\r\nDevice(config)# crypto ikev2 profile profile1\r\nDevice(config-ikev2-profile)# virtual-template 1\r\nThe following example shows how auto tunneling mode is configured for profile A:\r\nDevice(config)# crypto ikev2 profile profile A\r\nDevice(config-ikev2-profile)# virtual-template 1 mode auto\r\nRelated Commands\r\nCommand Description\r\ncrypto ikev2 profile Defines an IKEv2 profile.\r\nshow ikev2 profile Displays the default or user-defined IKEv2 profile.\r\nvirtual-template (webvpn context)\r\nTo associate a virtual template with a Secure Socket Layer Virtual Private Network (SSL VPN) context, use the\r\nvirtual-template command in webvpn context configuration mode. To disable the configuration, use the no form of\r\nthis command.\r\nvirtual-template template-number [tunnel]\r\nno virtual-template\r\nSyntax Description\r\ntemplate-number Number of the virtual template that will be used to clone virtual access interfaces. The\r\nrange is from 1 to 1000.\r\ntunnel (Optional) Applies the virtual template for every full tunnel session.\r\nCommand Default\r\nNo virtual template is enabled.\r\nCommand Modes\r\nWebvpn context configuration (config-webvpn-context)\r\nCommand History\r\nRelease Modification\r\n15.0(1)M This command was introduced.\r\n15.1(1)T This command was modified.
The tunnel keyword was added.\r\nUsage Guidelines\r\nYou can configure the desired IP features in the virtual template and then use the virtual-template command to\r\napply the configuration on a per-context or per-tunnel basis. The per-context configuration applies the IP features\r\nto all the users connecting to that WebVPN context and the per-tunnel configuration applies the IP features for\r\neach SSL VPN full tunnel established in the WebVPN context.\r\nExamples\r\nThe following example shows how to associate a virtual template with an SSL VPN context:\r\nRouter# configure terminal\r\nRouter(config)# webvpn context context1\r\nRouter(config-webvpn-context)# virtual-template 1\r\nRelated Commands\r\nCommand Description\r\ninservice Enables an SSL VPN context.\r\nwebvpn context Enters webvpn context configuration mode to configure the SSL VPN context.\r\nvlan (local RADIUS server group)\r\nTo specify a VLAN to be used by members of the user group, use the vlan command in local RADIUS server\r\ngroup configuration mode. To reset the parameter to the default value, use the no form of this command.\r\nvlan vlan\r\nno vlan vlan\r\nSyntax Description\r\nCommand Default\r\nNo default behavior or values\r\nCommand Modes\r\nLocal RADIUS server group configuration\r\nCommand History\r\nRelease Modification\r\n12.2(11)JA\r\nThis command was introduced on Cisco Aironet Access Point 1100 and Cisco Aironet Access\r\nPoint 1200.\r\n12.3(11)T\r\nThis command was implemented on the following platforms: Cisco 2600XM, Cisco 2691,\r\nCisco 2811, Cisco 2821, Cisco 2851, Cisco 3700, and Cisco 3800 series routers.\r\nUsage Guidelines\r\nThe access point or router moves group members into the VLAN that you specify, overriding any other VLAN\r\nassignments.
You can assign only one VLAN to a user group.\r\nExamples\r\nThe following example shows that VLAN \"225\" is to be used by members of the user group:\r\nvlan 225\r\nRelated Commands\r\nCommand Description\r\nblock count\r\nConfigures the parameters for locking out members of a group to help protect\r\nagainst unauthorized attacks.\r\nclear radius local-server Clears the statistics display or unblocks a user.\r\ndebug radius local-server Displays the debug information for the local server.\r\ngroup\r\nEnters user group configuration mode and configures shared settings for a user\r\ngroup.\r\nnas\r\nAdds an access point or router to the list of devices that use the local\r\nauthentication server.\r\nradius-server host Specifies the remote RADIUS server host.\r\nradius-server local\r\nEnables the access point or router to be a local authentication server and enters\r\ninto configuration mode for the authenticator.\r\nreauthentication time\r\nSpecifies the time (in seconds) after which access points or wireless-aware\r\nrouters must reauthenticate the members of a group.\r\nshow radius local-server\r\nstatistics\r\nDisplays statistics for a local network access server.\r\nssid Specifies up to 20 SSIDs to be used by a user group.\r\nuser Authorizes a user to authenticate using the local authentication server.\r\nvlan group\r\nTo create or modify a VLAN group, use the vlan group command in global configuration mode. To remove a\r\nVLAN list from the VLAN group, use the no form of this command.\r\nvlan group group-name vlan-list vlan-list\r\nno vlan group group-name vlan-list vlan-list\r\nSyntax Description\r\ngroup-name\r\nVLAN group name.\r\nvlan-list\r\nVLAN list name.
See the \"Usage Guidelines\" section for additional information about the vlan-list argument.\r\nCommand Default\r\nThis command has no default settings.\r\nCommand Modes\r\nGlobal configuration (config)\r\nCommand History\r\nRelease Modification\r\n12.2(33)SXI1 This command was introduced.\r\nUsage Guidelines\r\nThe VLAN group name may contain up to 32 characters and must begin with a letter.\r\nThe vlan-list argument can be a single VLAN ID, a list of VLAN IDs, or VLAN ID ranges (vlan-id-vlan-id).\r\nMultiple entries are separated by a hyphen (-) or a comma (,).\r\nIf the named VLAN group does not exist, the vlan group command creates the group and maps the specified\r\nVLAN list to the group. If the named VLAN group exists, the specified VLAN list is mapped to the group.\r\nThe no form of the vlan group command removes the specified VLAN list from the VLAN group. When you\r\nremove the last VLAN from the VLAN group, the VLAN group is deleted.\r\nA maximum of 100 VLAN groups can be configured, and a maximum of 4094 VLANs can be mapped to a VLAN\r\ngroup.\r\nExamples\r\nThis example shows how to map VLANs 7 through 9 and 11 to a VLAN group:\r\nRouter(config)# vlan group ganymede vlan-list 7-9,11\r\nThis example shows how to remove VLAN 7 from the VLAN group:\r\nRouter(config)# no vlan group ganymede vlan-list 7\r\nRelated Commands\r\nCommand Description\r\nshow vlan group Displays the VLANs mapped to VLAN groups.\r\nvpdn aaa attribute\r\nTo enable reporting of network access server (NAS) authentication, authorization, and accounting (AAA)\r\nattributes related to a virtual private dialup network (VPDN) to the AAA server, use the vpdn aaa attribute\r\ncommand in global configuration mode.
To disable reporting of AAA attributes related to VPDN, use the no form of this command.\r\nvpdn aaa attribute {nas-ip-address {vpdn-nas | vpdn-tunnel-client} | nas-port {physical-channel-id | vpdn-nas}}\r\nno vpdn aaa attribute {nas-ip-address {vpdn-nas | vpdn-tunnel-client} | nas-port}\r\nSyntax Description\r\nnas-ip-address vpdn-nas Enables reporting of the VPDN NAS IP address to the AAA server.\r\nnas-ip-address vpdn-tunnel-client Enables reporting of the VPDN tunnel client IP address to the AAA server.\r\nnas-port vpdn-nas Enables reporting of the VPDN NAS port to the AAA server.\r\nnas-port physical-channel-id Enables reporting of the VPDN NAS port physical channel identifier to the AAA server.\r\nCommand Default\r\nAAA attributes are not reported to the AAA server.\r\nCommand Modes\r\nGlobal configuration\r\nCommand History\r\nRelease Modification\r\n11.3NA This command was introduced.\r\n11.3(8.1)T This command was integrated into Cisco IOS Release 11.3(8.1)T.\r\n12.1(5)T This command was modified to support the PPP extended NAS-Port format.\r\n12.2(13)T The physical-channel-id keyword was added.\r\n12.2(33)SRA This command was integrated into Cisco IOS Release 12.2(33)SRA.\r\n12.2SX This command is supported in the Cisco IOS Release 12.2SX train. 
Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.\r\n12.4(24)T The vpdn-tunnel-client keyword was added.\r\n12.2(33)XND The vpdn-tunnel-client keyword was added.\r\n12.2(33)SRE The vpdn-tunnel-client keyword was added.\r\nCisco IOS XE Release 2.5 The vpdn-tunnel-client keyword was added.\r\nUsage Guidelines\r\nThis command can be used with RADIUS or TACACS+, and is applicable only on the VPDN tunnel server.\r\nThe PPP extended NAS-Port format enables the NAS-Port and NAS-Port-Type attributes to provide port details to a RADIUS server when one of the following protocols is configured:\r\nPPP over ATM\r\nPPP over Ethernet (PPPoE) over ATM\r\nPPPoE over 802.1Q VLANs\r\nBefore PPP extended NAS-Port format attributes can be reported to the RADIUS server, the radius-server attribute nas-port format command with the d keyword must be configured on both the tunnel server and the NAS, and the tunnel server and the NAS must both be Cisco routers.\r\nWhen you configure the vpdn aaa attribute nas-ip-address vpdn-nas command, the L2TP network server (LNS) reports the IP address of the last multihop node for multihop over Layer 2 Forwarding (L2F). For multihop over Layer 2 Tunneling Protocol (L2TP), the IP address of the originating NAS is reported.\r\nWhen you configure the vpdn aaa attribute nas-ip-address vpdn-tunnel-client command, the LNS reports the IP address of the last multihop node in the RADIUS NAS-IP-Address attribute for the L2TP multihop. 
This eases the migration for customers moving from L2F to L2TP.\r\nNote\r\nReporting of NAS AAA attributes related to a VPDN on a AAA server is not supported for Point-to-Point Tunneling Protocol (PPTP) sessions with multihop deployment.\r\nExamples\r\nThe following example configures VPDN on a tunnel server and enables reporting of VPDN AAA attributes to the AAA server:\r\nvpdn enable\r\nvpdn-group 1\r\n accept-dialin\r\n protocol any\r\n virtual-template 1\r\n!\r\n terminate-from hostname nas1\r\n local name ts1\r\n!\r\nvpdn aaa attribute nas-ip-address vpdn-nas\r\nvpdn aaa attribute nas-port vpdn-nas\r\nvpdn aaa attribute nas-port physical-channel-id\r\nThe following example configures the tunnel server for VPDN, enables AAA, configures a RADIUS AAA server, and enables reporting of PPP extended NAS-Port format values to the RADIUS server. PPP extended NAS-Port format must also be configured on the NAS for this configuration to be effective.\r\nvpdn enable\r\nvpdn-group L2TP-tunnel\r\n accept-dialin\r\n protocol l2tp\r\n virtual-template 1\r\n!\r\n terminate-from hostname nas1\r\n local name ts1\r\n!\r\naaa new-model\r\naaa authentication ppp default local group radius\r\naaa authorization network default local group radius\r\naaa accounting network default start-stop group radius\r\n!\r\nradius-server host 172.16.79.76 auth-port 1645 acct-port 1646\r\nradius-server retransmit 3\r\nradius-server attribute nas-port format d\r\nradius-server key ts123\r\n!\r\nvpdn aaa attribute nas-port vpdn-nas\r\nRelated Commands\r\nCommand Description\r\nradius-server attribute nas-port format Selects the NAS-Port format used for RADIUS accounting features.\r\nvrf (ca-trustpoint)\r\nTo specify the VRF instance in the 
public key infrastructure (PKI) trustpoint to be used for enrollment, certificate revocation list (CRL) retrieval, and online certificate status protocol (OCSP) status, use the vrf command in ca-trustpoint configuration mode. To remove the VRF instance that was specified, use the no form of this command.\r\nvrf vrf-name\r\nno vrf vrf-name\r\nSyntax Description\r\nvrf vrf-name Specifies the name of the VRF.\r\nCommand Default\r\nNo VRF is specified.\r\nCommand Modes\r\nCa-trustpoint configuration (ca-trustpoint)\r\nCommand History\r\nRelease Modification\r\n15.1T This command was introduced.\r\nUsage Guidelines\r\nBefore you can configure this command, you must enter the crypto pki trustpoint command with the trustpoint-name argument, which enters ca-trustpoint configuration mode.\r\nExamples\r\nRouter(config)# crypto pki trustpoint mytp\r\nRouter(ca-trustpoint)# vrf myvrf\r\nRelated Commands\r\nCommand Description\r\ncrypto pki trustpoint Declares the trustpoint with a given name and enters ca-trustpoint configuration mode.\r\nvrf (ca-trustpool)\r\nTo specify the VRF instance in the public key infrastructure (PKI) trustpool to be used for enrollment, certificate revocation list (CRL) retrieval, and online certificate status protocol (OCSP) status, use the vrf command in ca-trustpool configuration mode. 
To remove the VRF instance that was specified, use the no form of this command.\r\nvrf vrf-name\r\nno vrf vrf-name\r\nSyntax Description\r\nvrf vrf-name Specifies the name of the VRF.\r\nCommand Default\r\nNo VRF is specified.\r\nCommand Modes\r\nCa-trustpool configuration (ca-trustpool)\r\nCommand History\r\nRelease Modification\r\n15.2(2)T This command was introduced.\r\n15.1(1)SY This command was integrated into Cisco IOS 15.1(1)SY.\r\nUsage Guidelines\r\nBefore you can configure this command, you must enter the crypto pki trustpool policy command, which enters ca-trustpool configuration mode.\r\nExamples\r\nRouter(config)# crypto pki trustpool policy\r\nRouter(ca-trustpool)# vrf myvrf\r\nRelated Commands\r\nCommand Description\r\ncabundle url Configures the URL from which the PKI trustpool CA bundle is downloaded.\r\nchain-validation Enables chain validation from the peer's certificate to the root CA certificate in the PKI trustpool.\r\ncrypto pki trustpool import Manually imports (downloads) the CA certificate bundle into the PKI trustpool to update or replace the existing CA bundle.\r\ncrypto pki trustpool policy Configures PKI trustpool policy parameters.\r\ndefault Resets the value of a ca-trustpool configuration command to its default.\r\nmatch Enables the use of certificate maps for the PKI trustpool.\r\nocsp Specifies OCSP settings for the PKI trustpool.\r\nrevocation-check Disables revocation checking when the PKI trustpool policy is being used.\r\nshow Displays the PKI trustpool policy of the router in ca-trustpool configuration mode.\r\nshow crypto pki trustpool Displays the PKI trustpool certificates of the router and optionally shows the 
PKI trustpool policy.\r\nsource interface Specifies the source interface to be used for CRL retrieval, OCSP status, or the downloading of a CA certificate bundle for the PKI trustpool.\r\nstorage Specifies a file system location where PKI trustpool certificates are stored on the router.\r\nvrf (isakmp profile)\r\nTo define the virtual routing and forwarding (VRF) value to which the IP Security (IPSec) tunnel will be mapped, use the vrf command in Internet Security Association and Key Management Protocol (ISAKMP) profile configuration mode. To disable the VRF that was defined, use the no form of this command.\r\nvrf ivrf\r\nno vrf ivrf\r\nSyntax Description\r\nivrf VRF to which the IPSec tunnel will be mapped.\r\nCommand Default\r\nThe VRF will be the same as the front door VRF (FVRF).\r\nCommand Modes\r\nISAKMP profile configuration (config-isa-prof)\r\nCommand History\r\nRelease Modification\r\n12.2(15)T This command was introduced.\r\n12.2(18)SXD This command was integrated into Cisco IOS Release 12.2(18)SXD.\r\n12.2(33)SRA This command was integrated into Cisco IOS Release 12.2(33)SRA.\r\nCisco IOS XE Release 2.6 This command was integrated into Cisco IOS XE Release 2.6.\r\nUsage Guidelines\r\nUse this command to map IPSec tunnels that terminate on a global interface to a specific Virtual Private Network (VPN).\r\nIf traffic from the router to a certification authority (CA) (for authentication, enrollment, or for obtaining a certificate revocation list [CRL]) or to a Lightweight Directory Access Protocol (LDAP) server (for obtaining a CRL) needs to be routed via a VRF, the vrf command must be added to the trustpoint. 
Otherwise, such traffic will use the default routing table.\r\nIf a profile does not specify one or more trustpoints, all trustpoints in the router will be used to attempt to validate the certificate of the peer (Internet Key Exchange [IKE] main mode or signature authentication). If one or more trustpoints are specified, only those trustpoints will be used.\r\nExamples\r\nThe following example shows that two IPSec tunnels to VPN 1 and VPN 2 are terminated:\r\ncrypto isakmp profile vpn1\r\n vrf vpn1\r\n keyring vpn1\r\n match identity address 172.16.1.1 255.255.255.255\r\ncrypto isakmp profile vpn2\r\n vrf vpn2\r\n keyring vpn2\r\n match identity address 10.1.1.1 255.255.255.255\r\ncrypto ipsec transform-set vpn1 esp-3des esp-sha-hmac\r\ncrypto ipsec transform-set vpn2 esp-3des esp-md5-hmac\r\n!\r\ncrypto map crypmap 1 ipsec-isakmp\r\n set peer 172.16.1.1\r\n set transform-set vpn1\r\n set isakmp-profile vpn1\r\n match address 101\r\ncrypto map crypmap 3 ipsec-isakmp\r\n set peer 10.1.1.1\r\n set transform-set vpn2\r\n set isakmp-profile vpn2\r\n match address 102\r\n!\r\n!\r\ninterface Ethernet1/2\r\n ip address 172.26.1.1 255.255.255.0\r\n duplex half\r\n no keepalive\r\n no cdp enable\r\n crypto map crypmap\r\nvrfname\r\nTo associate a Virtual Private Network (VPN) front-door routing and forwarding instance (FVRF) with a SSL VPN gateway, use the vrfname command in webvpn gateway configuration mode. 
To disassociate the FVRF from the SSL VPN gateway, use the no form of this command.\r\nvrfname name\r\nno vrfname name\r\nSyntax Description\r\nCommand Default\r\nA VPN FVRF is not associated with a SSL VPN gateway.\r\nCommand Modes\r\nWebvpn gateway (config-webvpn-gateway)\r\nCommand History\r\nRelease Modification\r\n12.4(15)T This command was introduced.\r\nUsage Guidelines\r\nOnly one FVRF can be associated with each SSL VPN context configuration.\r\nExamples\r\nThe following example shows that an FVRF has been configured:\r\nRouter(config)# ip vrf vrf_1\r\nRouter(config-vrf)# exit\r\nRouter(config)# webvpn gateway mygateway\r\nRouter(config-webvpn-gateway)# vrfname vrf_1\r\nRouter(config-webvpn-gateway)# end\r\nRelated Commands\r\nCommand Description\r\nwebvpn gateway Enters webvpn gateway configuration mode to configure a SSL VPN gateway.\r\nvrf-name\r\nTo associate a Virtual Private Network (VPN) routing and forwarding instance (VRF) with a SSL VPN context, use the vrf-name command in webvpn context configuration mode. To remove the VRF from the WebVPN context configuration, use the no form of this command.\r\nvrf-name name\r\nno vrf-name\r\nSyntax Description\r\nCommand Default\r\nA VPN VRF is not associated with a SSL VPN context.\r\nCommand Modes\r\nWebvpn context configuration\r\nCommand History\r\nRelease Modification\r\n12.4(6)T This command was introduced.\r\nUsage Guidelines\r\nThe VRF is first defined in global configuration mode. 
Only one VRF can be associated with each SSL VPN context configuration.\r\nExamples\r\nThe following example associates a VRF with a SSL VPN context:\r\nRouter(config)# ip vrf BLUE\r\nRouter(config-vrf)# rd 10.100.100.1\r\nRouter(config-vrf)# webvpn context context1\r\nRouter(config-webvpn-context)# vrf-name BLUE\r\nRelated Commands\r\nCommand Description\r\nwebvpn context Enters webvpn context configuration mode to configure the SSL VPN context.\r\nvsa vendor-id\r\nTo define vendor-specific attributes (VSAs), use the vsa vendor-id command in server-group configuration mode. To remove the configuration from the list, use the no form of this command.\r\nvsa vendor-id vendor-id vendor-type vendor-type\r\nno vsa vendor-id vendor-id vendor-type vendor-type\r\nSyntax Description\r\nvendor-id Vendor-specific ID. Valid values are from 0 to 65535.\r\nvendor-type vendor-type Specifies the sub-attribute type for the vendor ID.\r\nCommand Default\r\nVendor ID is not defined.\r\nCommand Modes\r\nServer-group configuration (config-radius-attrl)\r\nCommand History\r\nRelease Modification\r\nCisco IOS Release 12.2(33)SRA This command was introduced.\r\nUsage Guidelines\r\nVendor-specific ID 9 defines Cisco VSAs and 311 defines Microsoft VSAs. 
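As an added example that is not part of the Cisco reference: decoding the RADIUS Vendor-Specific attribute (type 26, RFC 2865 section 5.26) into vendor-id and vendor-type pairs and applying an accept list of the kind a vsa vendor-id entry builds, so that only the selected sub-attributes survive. The sample attribute bytes, their values and the helper names are constructed for this illustration.

```python
"""Added example (not Cisco's code): decode RADIUS Vendor-Specific (type 26)
sub-attributes and keep only those whose vendor-id/vendor-type pair appears in
an accept list, mirroring what 'vsa vendor-id N vendor-type M' selects in a
radius-server attribute list. Wire layout follows RFC 2865 section 5.26."""
import struct

CISCO_VENDOR_ID = 9        # "Vendor-specific ID 9 defines Cisco VSAs"
MICROSOFT_VENDOR_ID = 311  # "... and 311 defines Microsoft VSAs"
VENDOR_SPECIFIC = 26       # RADIUS attribute type carrying VSAs


def encode_vsa(vendor_id, sub_attrs):
    """Build one type-26 TLV: Vendor-Id (4 bytes) followed by
    (vendor-type, vendor-length, value) sub-attributes."""
    if not 0 <= vendor_id <= 65535:   # range the command accepts
        raise ValueError("vendor-id out of range")
    body = b""
    for vendor_type, value in sub_attrs:
        body += struct.pack("!BB", vendor_type, len(value) + 2) + value
    payload = struct.pack("!I", vendor_id) + body
    if len(payload) + 2 > 255:
        raise ValueError("attribute too long for one RADIUS TLV")
    return struct.pack("!BB", VENDOR_SPECIFIC, len(payload) + 2) + payload


def decode_attributes(blob):
    """Walk RADIUS attribute TLVs. Plain attributes become (type, value);
    VSAs are expanded into (26, vendor_id, vendor_type, value) tuples.
    Any length that does not fit the buffer raises ValueError."""
    out = []
    off = 0
    while off < len(blob):
        if len(blob) - off < 2:
            raise ValueError("truncated attribute header")
        atype, alen = blob[off], blob[off + 1]
        if alen < 2 or off + alen > len(blob):
            raise ValueError("bad attribute length %d at offset %d" % (alen, off))
        value = blob[off + 2:off + alen]
        if atype == VENDOR_SPECIFIC:
            if len(value) < 4 or value[0] != 0:   # high octet of Vendor-Id is zero
                raise ValueError("bad Vendor-Id field")
            vendor_id = struct.unpack("!I", value[:4])[0]
            vpos = 4
            while vpos < len(value):
                if len(value) - vpos < 2:
                    raise ValueError("truncated vendor sub-attribute")
                vtype, vlen = value[vpos], value[vpos + 1]
                if vlen < 2 or vpos + vlen > len(value):
                    raise ValueError("bad vendor sub-attribute length")
                out.append((VENDOR_SPECIFIC, vendor_id, vtype, value[vpos + 2:vpos + vlen]))
                vpos += vlen
        else:
            out.append((atype, value))
        off += alen
    return out


def filter_vsas(decoded, accept):
    """Keep VSAs whose (vendor-id, vendor-type) is in the accept set;
    non-vendor attributes pass through untouched."""
    kept = []
    for item in decoded:
        if item[0] == VENDOR_SPECIFIC and (item[1], item[2]) not in accept:
            continue
        kept.append(item)
    return kept


# Constructed sample: User-Name (type 1), a Cisco VSA with vendor-type 1
# (Cisco-AVPair) and a Microsoft VSA carrying vendor-types 11 and 7.
# All values are made up for the illustration.
SAMPLE_PACKET_ATTRS = (
    struct.pack("!BB", 1, 2 + 5) + b"alice"
    + encode_vsa(CISCO_VENDOR_ID, [(1, b"shell:priv-lvl=15")])
    + encode_vsa(MICROSOFT_VENDOR_ID, [(11, b"\x01\x02\x03\x04"), (7, b"\x00\x00\x00\x01")])
)
# Accept set equivalent to the entry's example: vsa vendor-id 311 vendor-type 11
ACCEPT_LIST = {(MICROSOFT_VENDOR_ID, 11)}

if __name__ == "__main__":
    for item in filter_vsas(decode_attributes(SAMPLE_PACKET_ATTRS), ACCEPT_LIST):
        print(item)
```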
For more information about vendor-specific attributes, see the RADIUS Vendor-Specific Attributes and RADIUS Disconnect-Cause Attribute Values chapter.\r\nNote\r\nIn Cisco IOS Release 15.1(1)SY, the Microsoft vendor-specific ID was defined as 8; however, it was changed to 311 in Cisco IOS Release 15.1(1)SY2.\r\nExamples\r\nThe following example shows how to define vendor-specific attributes:\r\nDevice(config)# aaa new-model\r\nDevice(config)# radius-server attribute list usage-only\r\nDevice(config-radius-attrl)# vsa vendor-id 311 vendor-type 11\r\nDevice(config-radius-attrl)# exit\r\nRelated Commands\r\nCommand Description\r\naaa new-model Enables the AAA access control model.\r\nattribute (server-group) Adds attributes to an accept or reject list.\r\nradius-server host Specifies a RADIUS server host.\r\nweb-agent-url\r\nTo configure the Netegrity agent URL to which Single SignOn (SSO) authentication requests will be dispatched, use the web-agent-url command in webvpn sso server configuration mode. To remove the Netegrity agent URL, use the no form of this command.\r\nweb-agent-url url\r\nno web-agent-url url\r\nSyntax Description\r\nurl URL to which SSO authentication requests will be dispatched.\r\nCommand Default\r\nAuthentication requests will not be dispatched to a Netegrity agent URL.\r\nCommand Modes\r\nWebvpn sso server configuration\r\nCommand History\r\nRelease Modification\r\n12.4(11)T This command was introduced.\r\nUsage Guidelines\r\nNote\r\nA web agent URL and policy server secret key are required for a SSO server configuration. If they are not configured, a warning message is displayed. 
(See the warning message information in the Examples section below.)\r\nExamples\r\nThe following example shows that SSO authentication requests will be dispatched to the URL http://www.example.com/webvpn/:\r\nwebvpn context context1\r\n sso-server test-sso-server\r\n web-agent-url http://www.example.com/webvpn/\r\nExamples\r\nIf a web agent URL and policy server secret key are not configured, a message similar to the following is received:\r\nWarning: must configure web agent URL for sso-server \"example\"\r\nWarning: must configure SSO policy server secret key for sso-server \"example\"\r\nWarning: invalid configuration. SSO for \"example\" being disabled\r\nRelated Commands\r\nCommand Description\r\nwebvpn context Enters webvpn context configuration mode to configure the SSL VPN context.\r\nwebvpn\r\nNote\r\nEffective with Cisco IOS Release 12.4(6)T, the webvpn command is replaced by the webvpn context and webvpn gateway commands. See these commands for more information.\r\nTo enter Web VPN configuration mode, use the webvpn command in global configuration mode. 
To remove all commands that were entered in Web VPN configuration mode, use the no form of this command.\r\nwebvpn\r\nno webvpn\r\nSyntax Description\r\nThis command has no arguments or keywords.\r\nCommand Default\r\nWeb VPN configuration mode is not entered.\r\nCommand Modes\r\nGlobal configuration\r\nCommand History\r\nRelease Modification\r\n12.3(14)T This command was introduced.\r\n12.4(6)T This command was replaced by the webvpn context and webvpn gateway commands.\r\nExamples\r\nThe following example shows that Web VPN configuration mode has been entered:\r\nRouter(config)# webvpn\r\nRouter(config-webvpn)#\r\nRelated Commands\r\nCommand Description\r\nwebvpn enable Enables WebVPN in the system.\r\nwebvpn-homepage\r\nTo specify the WebVPN home page URL, use the webvpn-homepage command in WebVPN group policy configuration mode. To disable the configuration, use the no form of this command.\r\nwebvpn-homepage homepage-url [redirection-time seconds]\r\nno webvpn-homepage\r\nSyntax Description\r\nhomepage-url Home page URL.\r\nredirection-time seconds (Optional) Specifies the home page redirection time, in seconds. The range is from 0 to 15. The default value is 5.\r\nCommand Default\r\nThe default redirection time is 5 seconds.\r\nCommand Modes\r\nWebVPN group policy configuration (config-webvpn-group)\r\nCommand History\r\nRelease Modification\r\n15.1(1)T This command was introduced.\r\nUsage Guidelines\r\nYou can use the webvpn-homepage command to specify the WebVPN home page URL and apply the WebVPN redirection time to the users of a particular policy group. 
This command lets you customize the portal and provide your own portal page.\r\nThe portal page is not displayed if you configure the webvpn-homepage command and set the redirection time to 0. If the redirection time is greater than 0, the portal page is displayed for the configured redirection time and you are then redirected to the home page.\r\nIf the configuration is not successful, an appropriate error message is displayed.\r\nExamples\r\nThe following example shows how to specify the home page URL \"http://192.0.2.0\" with a redirection time of 12 seconds:\r\nRouter# configure terminal\r\nRouter(config)# webvpn context context1\r\nRouter(config-webvpn-context)# policy group policy1\r\nRouter(config-webvpn-group)# webvpn-homepage http://192.0.2.0 redirection-time 12\r\nRelated Commands\r\nCommand Description\r\npolicy group Enters WebVPN group policy configuration mode.\r\nshow webvpn policy group Displays the context configuration associated with a policy group.\r\nwebvpn context Enters WebVPN context configuration mode.\r\nwebvpn cef\r\nTo enable Secure Socket Layer virtual private network (SSL VPN) full-tunnel Cisco Express Forwarding (CEF) support, use the webvpn cef command in global configuration mode. 
To disable full-tunnel CEF support, use the no form of this command.\r\nwebvpn cef\r\nno webvpn cef\r\nSyntax Description\r\nThis command has no arguments or keywords.\r\nCommand Default\r\nFull-tunnel CEF support is enabled by default.\r\nCommand Modes\r\nGlobal configuration (config)\r\nCommand History\r\nRelease Modification\r\n12.4(20)T This command was introduced.\r\nUsage Guidelines\r\nIP CEF must be turned on before this command can take effect.\r\nExamples\r\nThe following example shows that full-tunnel CEF is being disabled:\r\nRouter(config)# no webvpn cef\r\nRelated Commands\r\nCommand Description\r\nip cef Enables CEF on the route processor card.\r\nwebvpn context\r\nTo enter webvpn context configuration mode to configure the Secure Sockets Layer Virtual Private Network (SSL VPN) context, use the webvpn context command in global configuration mode. To remove the SSL VPN configuration from the router configuration file, use the no form of this command.\r\nwebvpn context name\r\nno webvpn context name\r\nSyntax Description\r\nname Name of the SSL VPN context configuration.\r\nCommand Default\r\nWebvpn context configuration mode is not entered, and a SSL VPN context is not configured.\r\nCommand Modes\r\nGlobal configuration\r\nCommand History\r\nRelease Modification\r\n12.4(6)T This command was introduced.\r\nUsage Guidelines\r\nThe SSL VPN context defines the central configuration of the SSL VPN. 
Entering the webvpn context command places the router in webvpn context configuration mode.\r\nNote\r\nThe ssl authenticate verify all command is enabled by default when a context configuration is created.\r\nThe context cannot be removed from the router configuration while a SSL VPN gateway is in an enabled state (in service).\r\nExamples\r\nThe following example configures and activates the SSL VPN context configuration:\r\nRouter(config)# webvpn context context1\r\nRouter(config-webvpn-context)# inservice\r\nRelated Commands\r\nCommand Description\r\naaa authentication (WebVPN) Configures AAA authentication for SSL VPN sessions.\r\ncsd enable Enables CSD support for SSL VPN sessions.\r\ndefault-group-policy Specifies a default group policy for SSL VPN sessions.\r\ngateway (WebVPN) Specifies the gateway for SSL VPN sessions.\r\ninservice Enables a SSL VPN gateway or context process.\r\nlogin-message Configures a message for a user login text box on the login page.\r\nlogo Configures a custom logo to be displayed on the login and portal pages of a SSL VPN website.\r\nmax-users (WebVPN) Limits the number of connections to a SSL VPN that will be permitted.\r\nnbns-list Enters webvpn NBNS list configuration mode to configure a NBNS server list for CIFS name resolution.\r\npolicy group Enters webvpn group policy configuration mode to configure a group policy.\r\nport-forward Enters webvpn port-forward list configuration mode to configure a port-forwarding list.\r\nsecondary-color Configures the color of the secondary title bars on the login and portal pages of a SSL VPN website.\r\nsecondary-text-color Configures the color of the text on the secondary bars of a SSL VPN website.\r\ntitle Configures the HTML title string that is shown in the browser title and on the 
title bar of a SSL VPN website.\r\ntitle-color Configures the color of the title bars on the login and portal pages of a SSL VPN website.\r\nurl-list Enters webvpn URL list configuration mode to configure the list of URLs to which a user has access on the portal page of a SSL VPN website.\r\nvrf-name Associates a VRF with a SSL VPN context.\r\nwebvpn create template\r\nTo create templates for multilanguage support for messages initiated by the head-end in a Secure Socket Layer Virtual Private Network (SSL VPN), use the webvpn create template command in user EXEC or privileged EXEC mode.\r\nwebvpn create template {browser-attribute | language | url-list} device:\r\nSyntax Description\r\nbrowser-attribute Creates a template file named \"battr_tpl.xml\".\r\nlanguage Creates a template file named \"lang.js\".\r\nurl-list Creates a template file named \"url_list_tpl.xml\".\r\ndevice: Storage device on the system for the templates, such as flash: or disk0:.\r\nCommand Default\r\nTemplate files are not created.\r\nCommand Modes\r\nUser EXEC (\u003e)\r\nPrivileged EXEC (#)\r\nCommand History\r\nRelease Modification\r\n12.4(22)T This command was introduced.\r\nUsage Guidelines\r\nAfter template files have been created, they can be copied to a PC for editing and then reimported to the storage device.\r\nExamples\r\nThe following example shows that a browser-attribute template file is to be created in flash:\r\nRouter# webvpn create template browser-attribute flash:\r\nThe following example shows that the language file is to be created in flash:\r\nRouter# webvpn create template language flash:\r\nThe following example shows that a URL list template is to be created in 
flash:\r\nRouter# webvpn create template url-list flash:\r\nRelated Commands\r\nCommand Description\r\nbrowser-attribute import Imports user-defined browser attributes into a webvpn context.\r\nimport Imports a user-defined URL list into a webvpn context.\r\nlanguage Specifies the language to be used in a webvpn context.\r\nurl-list Enters webvpn URL list configuration mode to configure a list of URLs to which a user has access on the portal page of a SSL VPN and attaches the URL list to a policy group.\r\nwebvpn enable\r\nNote\r\nEffective with Cisco IOS Release 12.4(6)T, the webvpn enable command is replaced by the inservice command. See the inservice command for more information.\r\nTo enable WebVPN in the system, use the webvpn enable command in global configuration mode. To disable WebVPN in the system, use the no form of this command.\r\nwebvpn enable [gateway-addr ip-address]\r\nno webvpn enable [gateway-addr ip-address]\r\nSyntax Description\r\ngateway-addr ip-address (Optional) Enables WebVPN on only the IP address that is specified. 
If this keyword and argument are not configured, WebVPN is enabled globally on all IP addresses.\r\nCommand Default\r\nWebVPN is disabled in the system.\r\nCommand Modes\r\nWeb VPN configuration\r\nCommand History\r\nRelease Modification\r\n12.3(14)T This command was introduced.\r\n12.4(6)T This command was replaced by the inservice command.\r\nUsage Guidelines\r\nThis command initializes the required system data structures, initializes TCP sockets, and performs other startup tasks related to WebVPN.\r\nExamples\r\nThe following example shows that WebVPN has been enabled in the system:\r\nwebvpn enable\r\nRelated Commands\r\nCommand Description\r\nwebvpn Enters Web VPN configuration mode.\r\nwebvpn gateway\r\nTo enter webvpn gateway configuration mode to configure a SSL VPN gateway, use the webvpn gateway command in global configuration mode. To remove the SSL VPN gateway from the router configuration file, use the no form of this command.\r\nwebvpn gateway name\r\nno webvpn gateway name\r\nSyntax Description\r\nname Name of the virtual gateway service.\r\nCommand Default\r\nWebvpn gateway configuration mode is not entered, and a SSL VPN gateway is not configured.\r\nCommand Modes\r\nGlobal configuration\r\nCommand History\r\nRelease Modification\r\n12.4(6)T This command was introduced.\r\nUsage Guidelines\r\nEntering the webvpn gateway command places the router in webvpn gateway configuration mode. Configuration settings specific to the SSL VPN gateway are entered in this configuration mode.\r\nThe SSL VPN gateway acts as a proxy for connections to protected resources. 
Protected resources are accessed through a secure encrypted connection between the gateway and a web-enabled browser on a remote device, such as a personal computer.\r\nThe gateway is configured using an IP address at which SSL VPN remote-user sessions terminate. The gateway is not active until the inservice command has been entered in SSL VPN gateway configuration mode. Only one gateway can be configured in a SSL VPN-enabled network.\r\nExamples\r\nThe following example creates and enables a SSL VPN gateway process named SSL_GATEWAY:\r\nRouter(config)# webvpn gateway SSL_GATEWAY\r\nRouter(config-webvpn-gateway)# ip address 10.1.1.1 port 443\r\nRouter(config-webvpn-gateway)# ssl trustpoint SSLVPN\r\nRouter(config-webvpn-gateway)# http-redirect 80\r\nRouter(config-webvpn-gateway)# inservice\r\nRelated Commands\r\nCommand Description\r\nhostname (WebVPN) Configures a SSL VPN hostname.\r\nhttp-redirect Configures HTTP traffic to be carried over HTTPS.\r\ninservice Enables a SSL VPN gateway or context process.\r\nip address (WebVPN) Configures a proxy IP address on a SSL VPN gateway.\r\nssl encryption Specifies the encryption algorithms that the SSL protocol will use for an SSL VPN.\r\nssl trustpoint Configures the certificate trust point on a SSL VPN gateway.\r\nwebvpn import svc profile\r\nTo enable an AnyConnect profile to be imported from a router, use the webvpn import svc profile command in global configuration mode. 
To disable the configuration, use the no form of this command.\r\nwebvpn import svc profile profile-name device-name\r\nno webvpn import svc profile profile-name\r\nSyntax Description\r\nprofile-name Name of the AnyConnect profile.\r\ndevice-name Device name and filename of the AnyConnect profile that needs to be imported.\r\nCommand Default\r\nAnyConnect profiles are not imported to the Cisco IOS headend.\r\nCommand Modes\r\nGlobal configuration (config)\r\nCommand History\r\nRelease Modification\r\n15.0(1)M This command was introduced.\r\nUsage Guidelines\r\nYou can use the webvpn import svc profile command to import the AnyConnect profile to the Cisco IOS headend. In order to import the AnyConnect profile to the Cisco IOS headend, the administrator must download the AnyConnect profile from an AnyConnect client (this profile comes by default with AnyConnect), update the profile file to enable the AnyConnect support, and then import the modified profile into the Cisco IOS software.\r\nExamples\r\nThe following example shows how to import the AnyConnect profile to the Cisco IOS headend:\r\nRouter\u003e enable\r\nRouter# configure terminal\r\nRouter(config)# webvpn import svc profile profile1 disk0:filename\r\nRelated Commands\r\nCommand Description\r\nsvc profile Applies a particular AnyConnect profile to the webvpn gateway.\r\nwebvpn install\r\nTo install a Cisco Secure Desktop (CSD) or Cisco AnyConnect VPN Client package file to a Secure Socket Layer virtual private network (SSL VPN) gateway for distribution to end users, use the webvpn install command in global configuration mode. 
To remove a package file from the SSL VPN gateway, use the no form of this command.
webvpn install [csd location-name | svc location-name [sequence sequence-number]]
no webvpn install [csd location-name | svc location-name [sequence sequence-number]]

Syntax Description
csd location-name: (Optional) Installs the CSD client software package. The filename and path are entered.
svc location-name: (Optional) Installs the Cisco AnyConnect VPN Client software package. The filename and path are entered.
sequence sequence-number: (Optional) Allows for multiple packages to be installed to one gateway. If the sequence keyword and the sequence-number argument are not configured, a sequence number of 1 is applied to the package.

Command Default
Neither a CSD nor a Cisco AnyConnect VPN Client package file is installed to a WebVPN gateway.

Command Modes
Global configuration (config)

Command History
Release    Modification
12.4(6)T: This command was introduced.
12.4(20)T: The sequence sequence-number keyword and argument were added.

Usage Guidelines
The installation packages must first be copied to a local file system, such as disk, flash, or USB flash. The CSD and Cisco AnyConnect VPN Client software packages are pushed to end users as access is needed. The end user must have administrative privileges, and the Java Runtime Environment (JRE) for Windows version 1.4 or a later version must be installed before a CSD or Cisco AnyConnect VPN Client package can be installed.
Note: Secure Sockets Layer Virtual Private Network (SSL VPN) Client (SVC) is the predecessor of the Cisco AnyConnect VPN Client software.
If you have not entered the sequence keyword and the sequence-number argument and you want to install another package, you can remove the previous package (using the no form of the command) or you can provide another sequence number.
If you try to install a package with a sequence number that is already in use, you will get an error message.

Examples
The following example shows how to install the Cisco AnyConnect VPN Client package to an SSL VPN gateway. The package is being copied to a flash file system.
Router(config)# webvpn install svc flash:/webvpn/svc.pkg
SSLVPN Package SSL-VPN-Client : installed successfully
The following example shows how to install the CSD package to an SSL VPN gateway.
The package is being copied to a flash file system.
Router(config)# webvpn install csd flash:/securedesktop_3_1_0_9.pkg
SSLVPN Package Cisco-Secure-Desktop : installed successfully
The following example shows how to install the Cisco AnyConnect VPN Client package to an SSL VPN gateway. The file is being copied to a USB file system.
Router(config)# webvpn install csd usbflash0:securedesktop-ios-3.1.1.45-k9.pkg
SSLVPN Package Cisco-Secure-Desktop : installed successfully

Related Commands
Command    Description
show webvpn install status: Displays the installation status of SVC or CSD client software packages.

webvpn sslvpn-vif nat
To enable Network Address Translation (NAT) on the WebVPN virtual interface, use the webvpn sslvpn-vif nat command in global configuration mode. To disable NAT on the WebVPN virtual interface, use the no form of this command.
webvpn sslvpn-vif nat {enable | inside | outside}
no webvpn sslvpn-vif nat {enable | inside | outside}

Syntax Description
enable: Enables address translation.
inside: Enables the inside interface for address translation.
outside: Enables the outside interface for address translation.

Command Default
NAT is disabled by default on the WebVPN virtual interface.

Command Modes
Global configuration (config)

Command History
Release    Modification
12.4(20)T: This command was introduced.

Usage Guidelines
Use the show running-config command to verify whether NAT has been enabled.

Examples
The following example shows NAT being enabled on the WebVPN virtual interface:
Router(config)# webvpn sslvpn-vif nat enable

Related Commands
Command    Description
show running-config: Displays the contents of the current running configuration file.

whitelist (cws)
To configure allowed listing of traffic based on the access control list (ACL) and the HTTP header that matches the configured regular expression, use the whitelist command in Cloud Web Security allowed listing configuration mode. To disable allowed listing of traffic, use the no form of this command.
whitelist {acl {acl-list | extended-acl-list | acl-name} | [header {host | user-agent} | user | user-group] regex regex-host | notify-tower}
no whitelist {acl {acl-list | extended-acl-list | acl-name} | [header {host | user-agent} | user | user-group] regex regex-host | notify-tower}

Syntax Description
acl: Specifies the ACL. The IP addresses that are used are the pre-NAT IP addresses for matching the access control list.
acl-list: Access list to create allowed listing of content scanning traffic. Valid values are from 1 to 199.
extended-acl-list: Extended access list for allowed listing of content-scan traffic. Valid values are from 1300 to 2699.
acl-name: Access list name.
header: Specifies the allowed list using the HTTP header.
host: Specifies the allowed list using the host header field.
user-agent: Specifies the allowed list using the user agent header field.
user: Specifies the name of the user whose content appears in the allowed list.
user-group: Specifies the user group whose content appears on the allowed list.
regex: Specifies the HTTP header host, user, and user group values as a regular expression (regex).
regex-host: Name of the host regular expression.
notify-tower: Specifies the allowed list to notify Cloud Web Security.

Command Default
Allowed listing is not configured.

Command Modes
Cloud Web Security allowed listing configuration (config-cws-wl)

Command History
Release    Modification
15.3(3)M: This command was introduced.
15.4(2)T: This command was modified. The notify-tower keyword was removed.

Usage Guidelines
An approved list contains entities that are provided a particular privilege, service, mobility, access, or recognition. An approved list means to grant access. The web traffic that is on the allowed list is not sent for content scanning to Cloud Web Security.
The header keyword specifies the allowed listing attribute on the HTTP header that matches the configured regular expression.
The notify-tower keyword specifies whether ScanSafe needs to be notified about allowed listing.

Examples
The following example shows how to configure allowed listing based on the ACL for Cisco IOS Release 15.3(3)M:
Device(config)# content-scan whitelisting
Device(config-cws-wl)# whitelist acl 199
The following example shows how to configure allowed listing based on the ACL for Cisco IOS Release 15.4(2)T and later:
Device(config)# cws whitelisting
Device(config-cws-wl)# whitelist acl 199

Related Commands
Command    Description
content-scan whitelisting: Enables allowed listing of incoming traffic and enters Cloud Web Security allowed listing configuration mode.
cws whitelisting: Enables allowed listing of incoming traffic and enters Cloud Web Security allowed listing configuration mode.

wins
To specify the primary and secondary Windows Internet Naming Service (WINS) servers, use the wins command in ISAKMP group configuration mode or IKEv2 client group configuration mode.
To remove this command from your configuration, use the no form of this command.
wins primary-server [secondary-server]
no wins primary-server [secondary-server]

Syntax Description
primary-server: Name of the primary WINS server.
secondary-server: (Optional) Name of the secondary WINS server.

Command Default
No primary or secondary WINS server is specified.

Command Modes
ISAKMP group configuration (config-isakmp-group)
IKEv2 client group configuration (config-ikev2-client-config-group)

Command History
Release    Modification
12.2(8)T: This command was introduced.
12.2(33)SRA: This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2SX: This command is supported in the Cisco IOS 12.2SX family of releases. Support in a specific 12.2SX release is dependent on your feature set, platform, and platform hardware.
Cisco IOS XE Release 3.3S: This command was integrated into Cisco IOS XE Release 3.3S.

Usage Guidelines
Use this command to specify the primary and secondary WINS server for the remote access client. You must enable the following commands before enabling the wins command:
crypto isakmp client configuration group: Specifies the group policy information that has to be defined or changed.
crypto ikev2 authorization policy: Specifies the local group policy authorization parameters.

Examples
The following example shows how to define a primary and secondary WINS server for the group "cisco":
crypto isakmp client configuration group cisco
 key cisco
 dns 10.2.2.2 10.3.2.3
 pool dog
 acl 199
 wins 10.1.1.2 10.1.1.3

Related Commands
Command    Description
acl: Configures split tunneling.
crypto ikev2 authorization policy: Specifies an IKEv2 client configuration group.
crypto isakmp client configuration group: Specifies the DNS domain to which a group belongs.

wlccp authentication-server client
To configure the list of servers to be used for 802.1X authentication, use the wlccp authentication-server client command in global configuration mode.
To disable the server list, use the no form of this command.
wlccp authentication-server client {any | eap | leap | mac} list
no wlccp authentication-server client {any | eap | leap | mac} list

Syntax Description
any: Specifies client devices that use any authentication.
eap: Specifies client devices that use Extensible Authentication Protocol (EAP) authentication.
leap: Specifies client devices that use Light Extensible Authentication Protocol (LEAP) authentication.
mac: Specifies client devices that use MAC-based authentication.
list: List of client devices.

Command Default
No default behavior or values

Command Modes
Global configuration

Command History
Release    Modification
12.2(11)JA: This command was introduced.
12.3(11)T: This command was implemented on the following platforms: Cisco 2600XM, Cisco 2691, Cisco 2811, Cisco 2821, Cisco 2851, Cisco 3700, and Cisco 3800 series routers.

Usage Guidelines
You can specify a list of client devices that use any type of authentication, or you can specify a list of client devices that use a certain type of authentication (such as EAP, LEAP, or MAC-based authentication).

Examples
The following example shows how to configure the server list for LEAP authentication for client devices:
Router(config)# wlccp authentication-server client leap leap-list1

Related Commands
Command    Description
debug wlccp packet: Displays packet traffic to and from the WDS router.
debug wlccp wds: Displays either WDS debug state or WDS statistics messages.
show wlccp wds: Shows information about access points and client devices on the WDS router.
wlccp authentication-server infrastructure: Configures the list of servers to be used for 802.1X authentication for the wireless infrastructure devices.
wlccp wds priority interface: Enables a wireless device such as an access point or a wireless-aware router to be a WDS candidate.

wlccp authentication-server infrastructure
To configure the list of servers to be used for 802.1X authentication for the wireless infrastructure devices, use the wlccp authentication-server infrastructure command in global configuration mode. To disable the server list, use the no form of this command.
wlccp authentication-server infrastructure list
no wlccp authentication-server infrastructure list

Syntax Description
list: List of servers to be used for 802.1X authentication for the wireless infrastructure devices, such as access points, repeaters, and wireless-aware routers.

Command Default
No default behavior or values

Command Modes
Global configuration

Command History
Release    Modification
12.2(11)JA: This command was introduced on Cisco Aironet access points.
12.3(11)T: This command was implemented on the following platforms: Cisco 2600XM, Cisco 2691, Cisco 2811, Cisco 2821, Cisco 2851, Cisco 3700, and Cisco 3800 series routers.

Examples
This example shows how to configure the server list for 802.1X authentication for infrastructure devices participating in Cisco Centralized Key Management:
Router(config)# wlccp authentication-server infrastructure wlan-list1

Related Commands
Command    Description
debug wlccp packet: Displays packet traffic to and from the WDS router.
debug wlccp wds: Displays either WDS debug state or WDS statistics messages.
show wlccp wds: Shows information about access points and client devices on the WDS router.
wlccp authentication-server client: Configures the list of servers to be used for 802.1X authentication.
wlccp wds priority interface: Enables a wireless device such as an access point or a wireless-aware router to be a WDS candidate.

wlccp wds priority interface
To configure the router or access point to provide WDS, use the wlccp wds priority interface command in global configuration mode. To remove the WDS configuration from the router or access point, use the no form of the command.
wlccp wds priority priority interface interface
no wlccp wds priority priority interface interface

Syntax Description
priority: Priority of this WDS candidate. The valid range is from 1 to 255. The greater the priority value, the higher the priority.
interface: Interface on which the router sends out WDS advertisements. Supported interface types are as follows:
For access points: bvi
For wireless-aware routers: bvi, svi, Fast Ethernet, and Gigabit Ethernet.

Command Default
No default behavior or values

Command Modes
Global configuration

Command History
Release    Modification
12.2(11)JA: This command was introduced with support for Cisco Aironet access points.
12.3(11)T: This command was implemented on the following platforms: Cisco 2600XM, Cisco 2691, Cisco 2811, Cisco 2821, Cisco 2851, Cisco 3700, and Cisco 3800 series routers.

Usage Guidelines
The WDS candidate with the highest priority becomes the active WDS device.

Examples
This example shows how to configure the priority for an access point as a candidate to provide WDS with priority 200:
Router(config)# wlccp wds priority 200 interface bvi 1

Related Commands
Command    Description
debug wlccp packet: Displays packet traffic to and from the WDS router.
debug wlccp wds: Displays either WDS debug state or WDS statistics messages.
show wlccp wds: Shows information about access points and client devices on the WDS router.
wlccp authentication-server client: Configures the list of servers to be used for 802.1X authentication.
wlccp authentication-server infrastructure: Configures the list of servers to be used for 802.1X authentication for the wireless infrastructure devices.

xauth userid mode
To specify how the Easy VPN client handles extended authentication (Xauth) requests, use the xauth userid mode command in Cisco IOS Easy VPN remote configuration mode. To remove the setting, use the no form of this command.
xauth userid mode {http-intercept | interactive | local}
no xauth userid mode {http-intercept | interactive | local}

Syntax Description
http-intercept: HTTP connections are intercepted from the user through the inside interface and the prompt.
interactive: To authenticate, the user must use the command-line interface (CLI) prompts on the console. Interactive is the default behavior.
local: The saved username or password is used in the configuration.

Command Default
If the command is not configured, the default behavior is interactive.

Command Modes
Cisco IOS Easy VPN remote configuration (config-crypto-ezvpn)

Command History
Release    Modification
12.3(14)T: This command was introduced.
12.2(33)SRA: This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2SX: This command is supported in the Cisco IOS 12.2SX family of releases.
Support in a specific 12.2SX release is dependent on your feature set, platform, and platform hardware.

Usage Guidelines
If you want to be prompted by the console, use the interactive keyword.
If you want to use a saved username or password, use the local keyword. If a local username or password is defined, the mode changes to that username or password.

Examples
The following example shows that HTTP connections will be intercepted from the user and that the user can authenticate using web-based activation:
crypto ipsec client ezvpn tunnel22
 connect manual
 group tunnel22 key 22tunnel
 mode client
 peer 192.168.0.1
 xauth userid mode http-intercept
!
!
interface Ethernet0
 ip address 10.4.23.15 255.0.0.0
 crypto ipsec client ezvpn tunnel22 inside
!
interface Ethernet1
 ip address 192.168.0.13 255.255.255.128
 duplex auto
 crypto ipsec client ezvpn catch22
!

Related Commands
Command    Description
crypto ipsec client ezvpn: Creates a Cisco Easy VPN remote configuration.
debug crypto ipsec client ezvpn: Displays information about voice control messages that have been captured by the Voice DSP Control Message Logger.
debug ip auth-proxy ezvpn: Displays information related to proxy authentication behavior for web-based activation.
show crypto ipsec client ezvpn: Displays the Cisco Easy VPN Remote configuration.
show ip auth-proxy: Displays the authentication proxy entries or the running authentication proxy configuration.

xsm
To enable XML Subscription Manager (XSM) client access to the device, use the xsm command in global configuration mode. To disable XSM client access to the device, use the no form of this command.
xsm
no xsm

Syntax Description
This command has no arguments or keywords.

Command Default
XSM client access to the device is enabled.

Command Modes
Global configuration

Command History
Release    Modification
12.1(6)E: This command was introduced.
12.2(9)YE: This command was integrated into Cisco IOS Release 12.2(9)YE.
12.2(9)YO1: This command was integrated into Cisco IOS Release 12.2(9)YO1.
12.2(13)T: This command was integrated into Cisco IOS Release 12.2(13)T.
12.2(14)S: This command was integrated into Cisco IOS Release 12.2(14)S.
12.2(33)SRA: This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2SX: This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.

Usage Guidelines
This command requires that the ip http server command is enabled. Enabling the xsm command also enables the xsm vdm and xsm edm commands. This command must be enabled for the XSM client (such as VPN Device Manager [VDM]) to operate.

Examples
In the following example, access by remote XSM clients to XSM data on the device is disabled:
Router(config)# no xsm

Related Commands
Command    Description
ip http server: Enables a device to be reconfigured through the Cisco browser interface.
show xsm status: Displays information and status about clients subscribed to the XSM server.
show xsm xrd-list: Displays all XRDs for clients subscribed to the XSM server.
xsm dvdm: Grants access to switch operations.
xsm edm: Grants access to EDM monitoring and configuration data.
xsm vdm: Grants access to VPN-specific monitoring and configuration data.

xsm dvdm
To enable switch-specific configuration data (for example, configuring switch ports and VLANs) when running VPN Device Manager (VDM) on a switch, use the xsm dvdm command in global configuration mode. To disable switch-specific configuration data for VDM, use the no form of this command.
xsm dvdm
no xsm dvdm

Syntax Description
This command has no arguments or keywords.

Command Default
Access to switch-specific configuration data is enabled when XSM is enabled.

Command Modes
Global configuration

Command History
Release    Modification
12.2(9)YO1: This command was introduced.
12.2(13)T: This command was integrated into Cisco IOS Release 12.2(13)T.

Usage Guidelines
Access to switch-specific configuration data (dVDM) is enabled by default when XSM is enabled.
The no xsm dvdm command allows you to disable only switch-specific XSM data.
Note however that disabling dVDM will prevent the VDM application from communicating properly with the device (switch). There is minimal performance impact associated with leaving dVDM enabled.

Examples
In the following example, access to switch-specific configuration data is disabled in XSM:
Router(config)# no xsm dvdm

Related Commands
Command    Description
xsm: Enables XSM client access to the router.
xsm edm: Grants access to EDM monitoring and configuration data.
xsm history vdm: Enables specific VPN statistics collection on the XSM server.
xsm vdm: Grants access to VPN-specific monitoring and configuration data.

xsm edm
To grant access to Embedded Device Manager (EDM) monitoring and configuration data, use the xsm edm command in global configuration mode. To cancel access to EDM monitoring and configuration data, use the no form of this command.
xsm edm
no xsm edm

Syntax Description
This command has no arguments or keywords.

Command Default
Access to EDM monitoring and configuration data is granted by default if XSM is enabled.

Command Modes
Global configuration

Command History
Release    Modification
12.1(6)E: This command was introduced.
12.2(9)YE: This command was integrated into Cisco IOS Release 12.2(9)YE.
12.2(9)YO1: This command was integrated into Cisco IOS Release 12.2(9)YO1.
12.2(13)T: This command was integrated into Cisco IOS Release 12.2(13)T.
12.2(14)S: This command was integrated into Cisco IOS Release 12.2(14)S.
12.2(33)SRA: This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2SX: This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.

Usage Guidelines
This command exists to allow you to disable EDM using the no xsm edm form of the command. EDM is enabled by default when XSM is enabled.
EDM provides the following generic information to the VPN Device Manager (VDM):
- Relevant interfaces
- IP routing
- Access-list details
- Basic device health
Note that disabling EDM prevents XSM clients (such as VDM) from working properly and also disables the xsm history edm command. There is minimal performance impact associated with leaving EDM enabled.

Examples
In the following example, access to EDM data is disabled:
Router(config)# xsm
Router(config)# no xsm edm

Related Commands
Command    Description
xsm: Enables XSM client access to the router.
xsm dvdm: Grants access to switch operations.
xsm history edm: Enables statistics collection for the EDM on the XSM server.
xsm vdm: Grants access to VPN-specific monitoring and configuration data.

xsm history vdm
To enable specific VPN statistics collection on the XML Subscription Manager (XSM) server, use the xsm history vdm command in global configuration mode.
To disable collection of specific selected VPN statistics on the XSM server, use the no form of this command.
xsm history vdm
no xsm history vdm

Syntax Description
This command has no arguments or keywords.

Command Default
VPN statistics collection is disabled.

Command Modes
Global configuration

Command History
Release    Modification
12.1(6)E: This command was introduced.
12.2(9)YE: This command was integrated into Cisco IOS Release 12.2(9)YE.
12.2(9)YO1: This command was integrated into Cisco IOS Release 12.2(9)YO1.
12.2(13)T: This command was integrated into Cisco IOS Release 12.2(13)T.
12.2(14)S: This command was integrated into Cisco IOS Release 12.2(14)S.
12.2(33)SRA: This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2SX: This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.

Usage Guidelines
With this command enabled, you can save up to five days of data. Historical information on items such as the number of active IKE tunnels, IPSec tunnels, total crypto throughput, and total throughput is gathered and made available, thus enabling XSM clients (such as VPN Device Manager [VDM]) to display charts and data. Use of this command consumes resources on the device. Disabling this command clears all your historical data. The XSM server does not save history data across reloads.

Examples
The following example shows how to enable specific VPN statistics collection on the XSM server:
Router(config)# xsm
Router(config)# xsm history vdm

Related Commands
Command    Description
xsm: Enables XSM client access to the router.
xsm history edm: Enables statistics collection for the EDM on the XSM server.
xsm vdm: Grants access to VPN-specific monitoring and configuration data.

xsm history edm
To enable statistics collection for the Embedded Device Manager (EDM) on the XML Subscription Manager (XSM) server, use the xsm history edm command in global configuration mode. To disable statistics collection for the EDM on the XSM server, use the no form of this command.
xsm history edm
no xsm history edm

Syntax Description
This command has no arguments or keywords.

Command Default
EDM statistics collection is disabled.

Command Modes
Global configuration

Command History
Release    Modification
12.1(6)E: This command was introduced.
12.2(9)YE: This command was integrated into Cisco IOS Release 12.2(9)YE.
12.2(9)YO1: This command was integrated into Cisco IOS Release 12.2(9)YO1.
12.2(13)T: This command was integrated into Cisco IOS Release 12.2(13)T.
12.2(14)S: This command was integrated into Cisco IOS Release 12.2(14)S.
12.2(33)SRA: This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2SX: This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.

Usage Guidelines
Use this command to save up to five days of data. Historical information on items such as RAM and CPU utilization is gathered and made available, thus enabling XSM clients (such as VPN Device Manager [VDM]) to display charts and data. Use of this command consumes resources on the device. Disabling this command clears all your historical data, as the XSM server does not save this data between reloads.

Examples
In the following example, statistics collection for the EDM is enabled on the XSM server:
Router(config)# xsm
Router(config)# xsm history edm

Related Commands
Command    Description
xsm: Enables XSM client access to the router.
xsm edm: Grants access to EDM monitoring and configuration data.
xsm history vdm: Enables specific VPN statistics collection on the XSM server.

xsm privilege configuration level
To enable the XML Subscription Manager (XSM) configuration privilege level required to subscribe to XML Request Descriptors (XRDs), use the xsm privilege configuration level command in global configuration mode. To remove a previously configured XSM configuration privilege level, use the no form of this command.
xsm privilege configuration level number
no xsm privilege configuration level number

Syntax Description
number: Integer in the range from 1 to 15 that identifies the privilege level.
The default is 15.\r\nCommand Default\r\nThe default level is 15.\r\nCommand Modes\r\nGlobal configuration\r\nCommand History\r\nRelease Modification\r\n12.1(6)E This command was introduced.\r\n12.2(9)YE This command was integrated into Cisco IOS Release 12.2(9)YE.\r\n12.2(9)YO1 This command was integrated into Cisco IOS Release 12.2(9)YO1.\r\n12.2(13)T This command was integrated into Cisco IOS Release 12.2(13)T.\r\n12.2(14)S This command was integrated into Cisco IOS Release 12.2(14)S.\r\n12.2(33)SRA This command was integrated into Cisco IOS Release 12.2(33)SRA.\r\nUsage Guidelines\r\nThe privilege level for the xsm privilege configuration level command must be greater than or equal to the\r\nprivilege level for the xsm privilege monitor level command. For example, if the xsm privilege configuration 7\r\ncommand is enabled, you need a minimum privilege level of 7 to subscribe to configuration XRDs. The higher the\r\nnumber the higher the privilege level. Trying to set a conflicting range of privilege settings will force the Cisco\r\ndevice to display the following message:\r\nAttempt to set monitor privilege greater than configuration. Privilege denied.\r\nYou can check the XSM privilege level settings by using the show xsm status command. Use the show xsm xrd-list command to check which privilege level is required for each XRD.\r\nNote\r\nThe initial login set by your system administrator determines whether you have the necessary IOS\r\nprivilege level for actually configuring the Cisco router. Ask your system administrator for more\r\ninformation about privilege levels.\r\nExamples\r\nThe following example shows how to set a configuration privilege level of 15, and a monitor privilege level of 11\r\nfor subscription to XRDs. 
Users with a privilege level below 11 are denied access.\r\nRouter(config)# xsm privilege configuration level 15\r\nRouter(config)# xsm privilege monitor level 11\r\nRelated Commands\r\nCommand Description\r\nprivilege Configures IOS privilege parameters.\r\nxsm privilege monitor level Enables monitor privilege level to subscribe to XRDs.\r\nxsm privilege monitor level\r\nTo enable the XML Subscription Manager (XSM) monitoring privilege level required to subscribe to XML\r\nRequest Descriptors (XRDs), use the xsm privilege monitor level command in global configuration mode. To\r\nremove a previously configured XSM monitoring privilege level, use the no form of this command.\r\nxsm privilege monitor level number\r\nno xsm privilege monitor level number\r\nSyntax Description\r\nnumber Integer in the range from 1 to 15 that identifies the privilege level. The default is 15.\r\nCommand Default\r\nThe default is level 1.\r\nCommand Modes\r\nGlobal configuration\r\nCommand History\r\nRelease Modification\r\n12.1(6)E This command was introduced.\r\n12.2(9)YE This command was integrated into Cisco IOS Release 12.2(9)YE.\r\n12.2(9)YO1 This command was integrated into Cisco IOS Release 12.2(9)YO1.\r\n12.2(13)T This command was integrated into Cisco IOS Release 12.2(13)T.\r\n12.2(14)S This command was integrated into Cisco IOS Release 12.2(14)S.\r\n12.2(33)SRA This command was integrated into Cisco IOS Release 12.2(33)SRA.\r\nUsage Guidelines\r\nThe privilege level for the xsm privilege monitor level command must be less than or equal to the privilege level\r\nfor the xsm privilege configuration level command. For example, if the xsm privilege monitor 7 command is\r\nenabled, you need a minimum privilege level of 7 to subscribe to monitor XRDs. The higher the number the\r\nhigher the privilege level. 
Trying to set a conflicting range of privilege settings will force the Cisco device to\r\ndisplay the following message:\r\nAttempt to set monitor privilege greater than configuration. Privilege denied.\r\nYou can check the XSM privilege level settings by using the show xsm status command. Use the show xsm xrd-list command to check which privilege level is required for each XRD.\r\nNote\r\nThe initial login set by your system administrator determines whether you have the necessary IOS\r\nprivilege level for actually configuring the Cisco router. Ask your system administrator for more\r\ninformation about privilege levels.\r\nExamples\r\nThe following example shows how to set a configuration privilege level of 15 and a monitor privilege level of 11\r\nfor subscription to XRDs. Users with a privilege level below 11 are denied access.\r\nRouter(config)# xsm privilege configuration level 15\r\nRouter(config)# xsm privilege monitor level 11\r\nRelated Commands\r\nCommand Description\r\nprivilege Configures IOS privilege parameters.\r\nxsm privilege configuration level Enables configuration privilege level to subscribe to XRDs.\r\nxsm vdm\r\nTo grant access to VPN-specific monitoring and configuration data for the VPN Device Manager (VDM), use the\r\nxsm vdm command in global configuration mode. 
To cancel access to VPN-specific monitoring and configuration\r\ndata for VDM, use the no form of this command.\r\nxsm vdm\r\nno xsm vdm\r\nSyntax Description\r\nThis command has no arguments or keywords.\r\nCommand Default\r\nEnabled (Access to VPN-specific monitoring and configuration data for the VDM is granted when XSM is\r\nenabled.)\r\nCommand Modes\r\nGlobal configuration\r\nCommand History\r\nRelease Modification\r\n12.1(6)E This command was introduced.\r\n12.2(9)YE This command was integrated into Cisco IOS Release 12.2(9)YE.\r\n12.2(9)YO1 This command was integrated into Cisco IOS Release 12.2(9)YO1.\r\n12.2(13)T This command was integrated into Cisco IOS Release 12.2(13)T.\r\n12.2(14)S This command was integrated into Cisco IOS Release 12.2(14)S.\r\n12.2(33)SRA This command was integrated into Cisco IOS Release 12.2(33)SRA.\r\nUsage Guidelines\r\nThis command enables access to the following VPN-specific information:\r\nIPSec\r\nIKE\r\nTunneling\r\nEncryption\r\nKeys and certificates\r\nIf XSM is enabled, this command is enabled by default. Access to VPN-specific monitoring and configuration\r\ndata within XSM can be disabled by using the no form of the command. However, disabling this command will\r\nprevent VDM from working properly and will also disable the xsm history vdm command. 
Leaving this command\r\nenabled has minimal performance impact.\r\nExamples\r\nIn the following example, access to VPN-specific monitoring and configuration data is disabled:\r\nRouter(config)# xsm\r\n \r\nRouter(config)# no xsm vdm\r\n \r\nRelated Commands\r\nCommand Description\r\nxsm Enables XSM client access to the router.\r\nxsm dvdm Grants access to switch operations.\r\nxsm edm Grants access to EDM monitoring and configuration data.\r\nxsm history vdm Enables specific VPN statistics collection on the XSM server.\r\nzone-member security\r\nTo attach an interface to a security zone, use the zone-member security command in interface configuration mode.\r\nTo detach the interface from a zone, use the no form of this command.\r\nzone-member security zone-name\r\nno zone-member security zone-name\r\nSyntax Description\r\nzone-name Name of the security zone to which an interface is attached.\r\nCommand Default\r\nNone\r\nCommand Modes\r\nInterface configuration (config-if)\r\nCommand History\r\nRelease Modification\r\n12.4(6)T This command was introduced.\r\nCisco IOS XE Release 2.6 This command was integrated into Cisco IOS XE Release 2.6.\r\nUsage Guidelines\r\nThe zone-member security command attaches an interface into a security zone. When an interface is in a security\r\nzone, all traffic to and from that interface (except traffic going to the router or initiated by the router) is dropped\r\nby default. To permit traffic through an interface that is a zone member, you must make that zone part of a zone-pair to which you apply a policy. 
If the policy permits traffic (via inspect or pass actions), traffic can flow through\r\nthe interface.\r\nExamples\r\nThe following example attaches interface GigabitEthernet 0/0/1 to zone z1:\r\nDevice(config)# interface gigabitethernet 0/0/1\r\nDevice(config-if)# zone-member security z1\r\nRelated Commands\r\nCommand Description\r\nzone security Creates a zone.\r\nzone-mismatch drop\r\nTo validate the zone pair that is attached to an existing session and allow traffic that matches the zone pair into\r\nthe network, use the zone-mismatch drop command. To disable the configuration, use the no form of this\r\ncommand.\r\nzone-mismatch drop\r\nno zone-mismatch drop\r\nSyntax Description\r\nThis command has no arguments or keywords.\r\nCommand Default\r\nTraffic that does not belong to a zone pair is inspected by the zone-based firewall.\r\nCommand Modes\r\nParameter map type inspect (config-profile)\r\nCommand History\r\nRelease Modification\r\nCisco IOS XE Release 3.15S This command was introduced.\r\nCisco IOS 15.5(2)T This command was implemented on Cisco IOS Release 15.5(2)T.\r\nUsage Guidelines\r\nThe command allows you to validate the zone pair that is associated with an existing session, and allows traffic\r\nthat matches the zone pair into the network. When you configure the command, the firewall drops all packets\r\n(IPv4 and IPv6) that match an existing session but whose zone pair does not match the zone through which these\r\npackets arrive or leave.\r\nWhen you configure the zone-mismatch drop command under the parameter-map type inspect-global command,\r\nthe zone mismatch handling configuration applies to the global firewall configuration. 
Traffic between all zones\r\nis inspected for zone-pair mismatch.\r\nWhen you configure the zone-mismatch drop command under the parameter-map type inspect command, the zone\r\nmismatch handling configuration is applied on a per-policy basis.\r\nWhen you configure this command, the configuration is effective only for new sessions. For existing sessions,\r\ntraffic is not dropped if the sessions do not belong to the same zone pair.\r\nExamples\r\nThe following example shows how to configure the zone-mismatch drop command:\r\nDevice# configure terminal\r\nDevice(config)# parameter-map type inspect pmap1\r\nDevice(config-profile)# zone-mismatch drop\r\nDevice(config-profile)# end\r\nThe following example shows how to configure the zone mismatch handling configuration for the global firewall\r\nconfiguration:\r\nDevice# configure terminal\r\nDevice(config)# parameter-map type inspect-global\r\nDevice(config-profile)# zone-mismatch drop\r\nDevice(config-profile)# end\r\nRelated Commands\r\nCommand Description\r\nparameter-map type inspect\r\nparameter-map-name\r\nConfigures an inspect-type parameter map for connecting thresholds,\r\ntimeouts, and other parameters pertaining to the inspect action.\r\nparameter-map type inspect-global Configures a global parameter map and enters parameter-map type inspect\r\nconfiguration mode.\r\nzone-pair security\r\nTo create a zone pair, use the zone-pair security command in global configuration mode. 
To delete a zone pair, use\r\nthe no form of this command.\r\nzone-pair security zone-pair-name source {source-zone-name | self | default} destination {destination-zone-name | self | default}\r\nno zone-pair security zone-pair-name source {source-zone-name | self | default} destination {destination-zone-name | self | default}\r\nSyntax Description\r\nzone-pair-name Name of the zone being attached to an interface.\r\nsource source-zone-name Specifies the name of the router from which traffic is originating.\r\ndefault\r\nSpecifies the name of the default security zone. Interfaces without configured\r\nzones belong to the default zone.\r\ndestination destination-zone-name\r\nSpecifies the name of the device to which traffic is bound.\r\nself\r\nSpecifies the system-defined zone. Indicates whether traffic will be going to or\r\nfrom a device.\r\nCommand Default\r\nA zone pair is not created.\r\nCommand Modes\r\nGlobal configuration (config)\r\nCommand History\r\nRelease Modification\r\n12.4(6)T This command was introduced.\r\nCisco IOS XE Release\r\n2.6S\r\nThis command was modified. The default keyword was added.\r\n15.1(2)T This command was modified. Support for IPv6 was added.\r\nCisco IOS XE Release\r\n3.9S\r\nThis command was modified to define a zone pair and attach a service policy to\r\nthe zone pair.\r\nUsage Guidelines\r\nThis command creates a zone pair, which permits a unidirectional firewall policy between a pair of security zones.\r\nAfter you enter this command, you can enter the service-policy type inspect command.\r\nIf you created only one zone, you can use the system-defined default zone (self) as part of a zone pair. Such a zone\r\npair and its associated policy applies to traffic directed to the router or generated by the router. 
It does not affect\r\ntraffic through the router.\r\nYou can specify the self keyword for the source or destination, but not for both. You cannot modify or remove\r\nconfiguration from the self zone. You can specify the default keyword to include all the interfaces that are not\r\nconfigured with any other zones. However, the default zone needs to be defined before it can be used in a zone\r\npair.\r\nExamples\r\nThe following example shows how to create zones z1 and z2, identify them, and create a zone pair where z1 is the\r\nsource and z2 is the destination:\r\nzone security z1\r\n description finance department networks\r\nzone security z2\r\n description engineering services network\r\nzone-pair security zp source z1 destination z2\r\nThe following example shows how to define zone pair z1-z2 and attach the service policy p1 to the zone pair:\r\nzone-pair security zp source z1 destination z2\r\n service-policy type inspect p1\r\nThe following example shows how to define a zone pair z1 and z2 and attach the service policy gtp_l4p to the\r\nzone pair:\r\nzone-pair security clt2srv1 source z1 destination z2\r\n service-policy type inspect gtp_l4p\r\ninterface GigabitEthernet0/0/0\r\nip address 172.168.0.1 255.255.255.0\r\nzone-member security z1\r\ninterface GigabitEthernet0/0/2\r\nip address 172.168.0.1 255.255.255.0\r\nzone-member security z2\r\nThe following example shows how the zone pair is configured between system-defined and default zones:\r\nzone security default\r\nclass-map type inspect match-all tcp-traffic\r\n match protocol tcp\r\n match access-group 199\r\npolicy-map type inspect p1\r\n class type inspect tcp-traffic\r\nzone-pair security self-default-zp source self destination default\r\n service-policy type inspect p1\r\nRelated Commands\r\nCommand Description\r\nzone-member security Attaches an 
interface to a security zone.\r\nzone-pair Creates a zone pair.\r\nzone security\r\nTo create a security zone, use the zone security command in global configuration mode. To delete a security zone,\r\nuse the no form of this command.\r\nzone security {zone-name | default}\r\nno zone security {zone-name | default}\r\nSyntax Description\r\nzone-name\r\nName of the security zone. You can enter up to 256 alphanumeric characters.\r\ndefault\r\nSpecifies the name of a default security zone. Interfaces that are not configured on any of the\r\nsecurity zones belong to the default zone.\r\nCommand Default\r\nThere is a system-defined \"self\" zone.\r\nCommand Modes\r\nGlobal configuration (config)\r\nCommand History\r\nRelease Modification\r\n12.4(6)T This command was introduced.\r\nCisco IOS XE Release 2.6 This command was modified. The default keyword was added.\r\n15.1(2)T Support for IPv6 was added.\r\nUsage Guidelines\r\nWe recommend that you create at least two security zones so that you can create a zone pair. If you create only one\r\nzone, you can use the default system-defined self zone. The self zone cannot be used for traffic going through a\r\nrouter. 
You can specify the default keyword to include all the interfaces that are not configured with any other\r\nzones.\r\nTo configure an interface to be a member of a security zone, use the zone-member security command.\r\nExamples\r\nThe following example shows how to create and describe zones x1 and z1:\r\nzone security x1\r\n description testzonex\r\nzone security z1\r\n description testzonez\r\nThe following example shows how to create a default zone:\r\nzone security default\r\n description system level default zone\r\nRelated Commands\r\nCommand Description\r\ndescription (identify zone) Contains a description of a zone.\r\nzone-member security Attaches an interface to a zone.\r\nzone-pair security Creates a zone pair.\r\nSource: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/s1/sec-s1-cr-book/sec-cr-t2.html#wp1047035630",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/s1/sec-s1-cr-book/sec-cr-t2.html#wp1047035630"
	],
	"report_names": [
		"sec-cr-t2.html#wp1047035630"
	],
	"threat_actors": [],
	"ts_created_at": 1775434079,
	"ts_updated_at": 1775826773,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/51abaed3b266533584534fb12d7dda01cde443a4.pdf",
		"text": "https://archive.orkl.eu/51abaed3b266533584534fb12d7dda01cde443a4.txt",
		"img": "https://archive.orkl.eu/51abaed3b266533584534fb12d7dda01cde443a4.jpg"
	}
}