{
	"id": "f6ca32a8-41f9-47a4-bbad-d5f859e7efe3",
	"created_at": "2026-04-06T00:14:34.34728Z",
	"updated_at": "2026-04-10T03:37:32.661079Z",
	"deleted_at": null,
	"sha1_hash": "afd48999ebf13c8fd373213e65ef93bd383d7392",
	"title": "Cisco IOS Security Command Reference: Commands S to Z - set aggressive-mode client-endpoint through show content-scan [Support]",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 557403,
	"plain_text": "Cisco IOS Security Command Reference: Commands S to Z - set\r\naggressive-mode client-endpoint through show content-scan\r\n[Support]\r\nPublished: 2026-02-17 · Archived: 2026-04-05 14:47:31 UTC\r\nset aggressive-mode client-endpoint through show content-scan\r\nset aggressive-mode client-endpoint\r\nTo specify the Tunnel-Client-Endpoint attribute within an Internet Security Association Key Management Protocol\r\n(ISAKMP) peer configuration, use the set aggressive-mode client-endpoint command in ISAKMP policy\r\nconfiguration mode. To remove this attribute from your configuration, use the no form of this command.\r\nset aggressive-mode client-endpoint client-endpoint\r\nno set aggressive-mode client-endpoint client-endpoint\r\nSyntax Description\r\nclient-endpoint\r\nOne of the following identification types of the initiator end of the tunnel:\r\nID_IPV4 (IPV4 address)\r\nID_FQDN (fully qualified domain name, for example \"green.cisco.com\")\r\nID_USER_FQDN (e-mail address)\r\nThe ID type is translated to the corresponding ID type in Internet Key Exchange (IKE).\r\nCommand Default\r\nThe Tunnel-Client-Endpoint attribute is not defined.\r\nCommand Modes\r\nISAKMP policy configuration\r\nCommand History\r\nhttps://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/s1/sec-s1-cr-book/sec-cr-s2.html#wp1896741674\r\nPage 1 of 144\n\nRelease Modification\r\n12.2(8)T This command was introduced.\r\n12.2(18)SXD This command was integrated into Cisco IOS Release 12.2(18)SXD.\r\n12.4(4)T Support for IPv6 was added.\r\n12.2(33)SRA This command was integrated into Cisco IOS Release 12.2(33)SRA.\r\nCisco IOS XE Release 2.1 This command was introduced on Cisco ASR 1000 Series Routers.\r\nUsage Guidelines\r\nBefore you can use this command, you must enable the crypto isakmp peer command.\r\nTo initiate an IKE aggressive mode negotiation and specify the RADIUS Tunnel-Client-Endpoint attribute, the set\r\naggressive-mode client-endpoint command, along with the set 
aggressive-mode password command, must be\r\nconfigured in the ISAKMP peer policy. The Tunnel-Client-Endpoint attribute will be communicated to the server\r\nby encoding it in the appropriate IKE identity payload.\r\nExamples\r\nThe following example shows how to initiate aggressive mode using RADIUS tunnel attributes:\r\ncrypto isakmp peer address 10.4.4.1\r\n set aggressive-mode client-endpoint user-fqdn user@cisco.com\r\n set aggressive-mode password cisco123\r\nRelated Commands\r\nCommand Description\r\nhttps://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/s1/sec-s1-cr-book/sec-cr-s2.html#wp1896741674\r\nPage 2 of 144\n\nCommand Description\r\ncrypto isakmp peer\r\nEnables an IPSec peer for IKE querying of AAA for tunnel attributes in\r\naggressive mode.\r\nset aggressive-mode\r\npassword\r\nSpecifies the Tunnel-Password attribute within an ISAKMP peer\r\nconfiguration.\r\nset aggressive-mode password\r\nTo specify the Tunnel-Password attribute within an Internet Security Association Key Management Protocol\r\n(ISAKMP) peer configuration, use the set aggressive-mode password command in ISAKMP policy configuration\r\nmode. To remove this attribute from your configuration, use the no form of this command.\r\nset aggressive-mode password password\r\nno set aggressive-mode password password\r\nSyntax Description\r\npassword\r\nPassword that is used to authenticate the peer to a remote server. 
The tunnel password is used as\r\nthe Internet Key Exchange (IKE) preshared key.\r\nCommand Default\r\nThe Tunnel-Password attribute is not defined.\r\nCommand Modes\r\nISAKMP policy configuration\r\nCommand History\r\nRelease Modification\r\n12.2(8)T This command was introduced.\r\nhttps://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/s1/sec-s1-cr-book/sec-cr-s2.html#wp1896741674\r\nPage 3 of 144\n\nRelease Modification\r\n12.2(18)SXD This command was integrated into Cisco IOS Release 12.2(18)SXD.\r\n12.3(2)T\r\nThis command was modified so that output shows that the preshared key is either encrypted\r\nor unencrypted.\r\n12.2(33)SRA This command was integrated into Cisco IOS Release 12.2(33)SRA.\r\nUsage Guidelines\r\nBefore you can use this command, you must enable the crypto isakmp peer command.\r\nTo initiate an IKE aggressive mode negotiation, the set aggressive-mode password command, along with the set\r\naggressive-mode client-endpoint command, must be configured in the ISAKMP peer policy. The Tunnel-Password\r\nattribute will be used as the IKE preshared key for the aggressive mode negotiation.\r\nOutput for the set aggressive-mode password command will show that the preshared key is either unencrypted or\r\nencrypted. 
An output example for an unencrypted preshared key would be as follows:\r\nset aggressive-mode password test123\r\nAn output example for a type 6 encrypted preshared key would be as follows:\r\nset aggressive-mode password 6 DV’P[aTVWWbcgKU]T\\T\\QhZAAB\r\nExamples\r\nThe following example shows how to initiate aggressive mode using RADIUS tunnel attributes:\r\nRouter (config)# crypto isakmp peer address 10.4.4.1\r\nRouter (config-isakmp-peer)# set aggressive-mode client-endpoint user-fqdn user@cisco.com\r\nRouter (config-isakmp-peer)# set aggressive-mode password cisco123\r\nRelated Commands\r\nCommand Description\r\ncrypto isakmp peer\r\nEnables an IPSec peer for IKE querying of AAA for tunnel attributes in\r\naggressive mode.\r\nset aggressive-mode client-endpoint Specifies the Tunnel-Client-Endpoint attribute within an ISAKMP peer\r\nconfiguration.\r\nset group\r\nTo set the Group Domain of Interpretation (GDOI) crypto map to the GDOI group that has already been defined,\r\nuse the set group command in crypto map configuration mode. 
To remove the GDOI crypto map, use the no form\r\nof this command.\r\nset group group-name\r\nno set group group-name\r\nSyntax Description\r\ngroup-name Name of the GDOI group.\r\nCommand Default\r\nNone\r\nCommand Modes\r\ncrypto map configuration\r\nCommand History\r\nRelease Modification\r\n12.4(6)T This command was introduced.\r\nhttps://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/s1/sec-s1-cr-book/sec-cr-s2.html#wp1896741674\r\nPage 5 of 144\n\nUsage Guidelines\r\nThis command must be configured for the GDOI crypto map to be complete.\r\nNote\r\nThis crypto map is specifically a GDOI crypto map, that is, the crypto map must be named as a GDOI\r\ncrypto map, as in this example: crypto map test 10 gdoi\r\nExamples\r\nThe following example shows that the group name is \"hsrp-group\":\r\nset group hsrp-group\r\nRelated Commands\r\nCommand Description\r\ncrypto\r\nmap\r\nEnters crypto map configuration mode and creates or modifies a crypto map entry, creates a\r\ncrypto profile that provides a template for configuration of dynamically created crypto maps,\r\nindicates that the key management mechanism is GDOI, or configures a client accounting list.\r\nset identity\r\nTo set the identity to the crypto map, use the set identity command in crypto map configuration mode.\r\nset identity name\r\nSyntax Description\r\nname Identity used to permit or restrict access for a host to a crypto map.\r\nCommand Default\r\nIf this command is not enabled, the encrypted connection does not have any restrictions other than the IP address\r\nof the encrypting peer.\r\nCommand Modes\r\nhttps://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/s1/sec-s1-cr-book/sec-cr-s2.html#wp1896741674\r\nPage 6 of 144\n\nCrypto map configuration\r\nCommand History\r\nRelease Modification\r\n12.2(4)T This command was introduced.\r\n12.2(18)SXD This command was integrated into Cisco IOS Release 12.2(18)SXD.\r\n12.2(33)SRA This command was integrated into Cisco IOS release 
12.2(33)SRA.\r\nUsage Guidelines\r\nUse the set identity command to set the identity to the configured crypto maps. When this command is applied,\r\nonly the hosts that match a configuration listed within the name argument can use that crypto map.\r\nExamples\r\nThe following example shows how to configure two IP Security (IPSec) crypto maps and apply the identity to\r\neach crypto map. That is, the identity is set to \"to-bigbiz\" for the first crypto map and \"to-little-com\" for the\r\nsecond crypto map.\r\n! The following is an IPSec crypto map (part of IPSec configuration). It can be used only\r\n! by peers that have been authenticated by DN and if the certificate belongs to BigBiz.\r\ncrypto map map-to-bigbiz 10 ipsec-isakmp\r\n set peer 172.21.114.196\r\n set transform-set my-transformset\r\n match address 124\r\n set identity to-bigbiz\r\n!\r\ncrypto identity to-bigbiz\r\n dn ou=BigBiz\r\n!\r\n!\r\n! This crypto map can be used only by peers that have been authenticated by hostname\r\n! 
and if the certificate belongs to little.com.\r\ncrypto map map-to-little-com 10 ipsec-isakmp\r\n set peer 172.21.115.119\r\n set transform-set my-transformset\r\n match address 125\r\n set identity to-little-com\r\n!\r\ncrypto identity to-little-com\r\n fqdn little.com\r\nRelated Commands\r\nCommand Description\r\ncrypto identity\r\nConfigures the identity of the router with a given list of DNs in the\r\ncertificate of the router.\r\ncrypto map (global IPSec)\r\nCreates or modifies a crypto map entry and enters the crypto map\r\nconfiguration mode.\r\ncrypto mib ipsec flowmib history\r\nfailure size\r\nAssociates the identity of the router with the DN in the certificate of\r\nthe router.\r\nfqdn\r\nAssociates the identity of the router with the hostname that the peer\r\nused to authenticate itself.\r\nset ip access-group\r\nTo check a preencrypted or postdecrypted packet against an access control list (ACL) without having to use the\r\noutside physical interface ACL, use the set ip access-group command in crypto map configuration mode. To\r\ndisable the check, use the no form of this command.\r\nset ip access-group {access-list-number | access-list-name} {in | out}\r\nno set ip access-group {access-list-number | access-list-name} {in | out}\r\nSyntax Description\r\naccess-list-number Number of an access list. Values 100 through 199 are used for IP access lists (extended). 
The\r\nvalues 2000 through 2699 are used for expanded access lists (extended).\r\nhttps://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/s1/sec-s1-cr-book/sec-cr-s2.html#wp1896741674\r\nPage 8 of 144\n\naccess-list-name\r\nName of an access list.\r\nin Sets access control for inbound clear-text packets (after decryption).\r\nout Sets access control for outbound clear-text packets (prior to encryption).\r\nCommand Default\r\nNo crypto map access ACLs are defined to filter clear-text packets going through the IPSec tunnel.\r\nCommand Modes\r\nCrypto map configuration\r\nCommand History\r\nRelease Modification\r\n12.3(8)T This command was introduced.\r\nUsage Guidelines\r\nThe set ip access-group command is used after the crypto map has been configured.\r\nExamples\r\nThe following example shows that a crypto map access ACL has been configured:\r\nRouter (config)# crypto map map vpn1 10\r\nRouter (config-crypto-map)# set ip access-group 151 in\r\nRelated Commands\r\nCommand Description\r\nhttps://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/s1/sec-s1-cr-book/sec-cr-s2.html#wp1896741674\r\nPage 9 of 144\n\nCommand Description\r\ncrypto\r\nmap\r\nAssigns a previously defined crypto map set to an interface so that the interface can provide\r\nIPSec services.\r\nset isakmp-profile\r\nTo set the Internet Security Association and Key Management Protocol (ISAKMP) profile name, use the set\r\nisakmp-profile command in crypto map configuration mode. To remove the ISAKMP profile name, use the no\r\nform of this command.\r\nset isakmp-profile profile-name\r\nno set isakmp-profile profile-name\r\nSyntax Description\r\nprofile-name Name of the ISAKMP profile.\r\nCommand Default\r\nIf the ISAKMP profile is not specified in the crypto map entry, the default is to the ISAKMP profile that is on the\r\nhead. 
If there is no ISAKMP profile on the head, the default is \"none.\"\r\nCommand Modes\r\nCrypto map configuration\r\nCommand History\r\nRelease Modification\r\n12.2(15)T This command was introduced.\r\n12.2(18)SXD This command was integrated into Cisco IOS Release 12.2(18)SXD.\r\nhttps://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/s1/sec-s1-cr-book/sec-cr-s2.html#wp1896741674\r\nPage 10 of 144\n\nRelease Modification\r\n12.2(33)SRA This command was integrated into Cisco IOS Release 12.2(33)SRA.\r\nUsage Guidelines\r\nThis command describes the ISAKMP profile to use when you start the Internet Key Exchange (IKE) exchange.\r\nBefore configuring an ISAKMP profile on a crypto map, you should set up the ISAKMP profile.\r\nExamples\r\nThe following example shows that an ISAKMP profile has been configured on a crypto map:\r\ncrypto map vpnmap 10 ipsec-isakmp\r\n set isakmp-profile vpnprofile\r\nRelated Commands\r\nCommand Description\r\ncrypto ipsec transform-setDefines a transform set, which is an acceptable combination of security protocols\r\nand algorithms.\r\ncrypto map (global) Creates or modifies a crypto map entry.\r\nset nat demux\r\nTo enable L2TP--IPSec support for NAT or PAT Windows clients, use the set nat demux command in crypto map\r\nconfiguration mode. 
To disable L2TP--IPSec support, use the no form of this command.\r\nset nat demux\r\nno set nat demux\r\nSyntax Description\r\nThis command has no arguments or keywords.\r\nhttps://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/s1/sec-s1-cr-book/sec-cr-s2.html#wp1896741674\r\nPage 11 of 144\n\nCommand Default\r\nWith this command disabled, Windows clients lose connection when another Windows client establishes an IP\r\nSecurity (IPSec) protected Cisco IOS Layer 2 Tunneling Protocol (L2TP) tunnel to the same Cisco IOS L2TP\r\nNetwork Server (LNS) when there is a network address translation (NAT) or port address translation (PAT) server\r\nbetween the Windows clients and the LNS.\r\nCommand Modes\r\nCrypto map configuration\r\nCommand History\r\nRelease Modification\r\n12.3(11)T4 This command was introduced.\r\n12.4(1) This command was integrated into Release 12.4(1).\r\nUsage Guidelines\r\nUse this command if you have an environment with IPSec enabled and consisting of an LNS, and a network\r\naddress translation (NAT) or port address translation (PAT) server between the Windows clients and the LNS.\r\nThis command has been tested only with Windows 2000 L2TP/IPsec clients running hotfix 818043.\r\nYou must enter the crypto map command if you are using static crypto maps or the crypto dynamic-map command\r\nif you are using dynamic crypto maps before issuing the set nat demux command.\r\nNote\r\nIf you do not have IPSec enabled, or you do not have a NAT or PAT server, you can have multiple\r\nWindows clients connect to a LNS without this command enabled.\r\nExamples\r\nThe following example shows how to enable L2TP--IPSec support for NAT or PAT Windows clients for a\r\ndynamic crypto map:\r\nhttps://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/s1/sec-s1-cr-book/sec-cr-s2.html#wp1896741674\r\nPage 12 of 144\n\n.\r\n.\r\n.\r\n!Enable virtual private networking.\r\nvpdn enable\r\n! 
Default L2TP VPDN group\r\nvpdn-group 1\r\n!\r\n!Enables the LNS to accept dial in requests; specifies L2TP as the tunneling\r\nprotocol; specifies the number of the virtual templates used to clone\r\nvirtual-access interfaces; specifies an alternate IP address for a VPDN tunnel\r\naccept-dialin.\r\n protocol l2tp\r\n virtual-template 1\r\n source-ip 10.0.0.1\r\n!\r\n!Disables Layer 2 Tunneling Protocol (L2TP) tunnel authentication.\r\nno l2tp tunnel authentication\r\n!\r\n!Defines an Internet Key Exchange (IKE) policy and assigns priority 1.\r\ncrypto isakmp policy 1\r\n encr 3des\r\n group 2\r\n!\r\ncrypto isakmp policy 2\r\n encr 3des\r\n authentication pre-share\r\n group 2\r\n!\r\n!Defines a transform set.\r\ncrypto ipsec transform-set vpn esp-3des esp-md5-hmac\r\n mode transport\r\ncrypto mib ipsec flowmib history tunnel size 2\r\ncrypto mib ipsec flowmib history failure size 2\r\n!\r\n!Names the dynamic crypto map entry to create (or modify) and enters crypto map configuration mode.\r\ncrypto dynamic-map dyn_map 1\r\n!Specifies which transform sets can be used with the crypto map entry\r\n set transform-set vpn\r\n!Enables L2TP--IPSec support.\r\n set nat demux\r\n.\r\n.\r\n.\r\nhttps://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/s1/sec-s1-cr-book/sec-cr-s2.html#wp1896741674\r\nPage 13 of 144\n\nRelated Commands\r\nCommand Description\r\ncrypto dynamic-map\r\nNames the dynamic crypto map entry to create (or modify) and enters crypto map\r\nconfiguration mode.\r\ncrypto map\r\nNames the static crypto map entry to create (or modify) and enters crypto map\r\nconfiguration mode.\r\nshow crypto dynamic-map\r\nDisplays information about dynamic crypto maps.\r\nshow crypto ipsec sa Displays the settings used by current SAs.\r\nshow crypto map Displays information about static crypto maps.\r\nset peer (IPsec)\r\nTo specify an IP Security (IPsec) peer in a crypto map entry, use the set peer command in crypto map\r\nconfiguration mode. 
To remove an IPsec peer from a crypto map entry, use the no form of this command.\r\nset peer {host-name [dynamic] [default] | ip-address [default]}\r\nno set peer {host-name [dynamic] [default] | ip-address [default]}\r\nSyntax Description\r\nhost-nameSpecifies the IPsec peer by its hostname. This is the peer’s hostname concatenated with its\r\ndomain name (for example, myhost.example.com).\r\ndynamic\r\n(Optional) The hostname of the IPsec peer will be resolved via a domain name server (DNS)\r\nlookup right before the router establishes the IPsec tunnel.\r\ndefault (Optional) If there are multiple IPsec peers, designates that the first peer is the default peer.\r\nhttps://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/s1/sec-s1-cr-book/sec-cr-s2.html#wp1896741674\r\nPage 14 of 144\n\nip-address\r\nSpecifies the IPsec peer by its IP address.\r\nCommand Default\r\nNo peer is defined.\r\nCommand Modes\r\nCrypto map configuration (config-crypto-map)\r\nCommand History\r\nRelease Modification\r\n11.2 This command was introduced.\r\n12.3(4)T The dynamic keyword was added.\r\n12.2(18)SXD This command was integrated into Cisco IOS Release 12.2(18)SXD.\r\n12.3(14)T The default keyword was added.\r\n12.2(33)SRA The command was integrated into Cisco IOS Release 12.2(33)SRA\r\nUsage Guidelines\r\nUse this command to specify an IPsec peer for a crypto map.\r\nThis command is required for all static crypto maps. If you are defining a dynamic crypto map (with the crypto\r\ndynamic-map command), this command is not required, and in most cases is not used (because, in general, the\r\npeer is unknown).\r\nFor crypto map entries created with the crypto map map-name seq-num ipsec-isakmp command, you can specify\r\nmultiple peers by repeating this command. 
The peer that packets are actually sent to is determined by the last peer\r\nthat the router heard from (received either traffic or a negotiation request from) for a given data flow. If the\r\nattempt fails with the first peer, Internet Key Exchange (IKE) tries the next peer on the crypto map list.\r\nFor crypto map entries created with the crypto map map-name seq-num ipsec-manual command, you can specify\r\nonly one IPsec peer per crypto map. If you want to change the peer, you must first delete the old peer and then\r\nspecify the new peer.\r\nYou can specify the remote IPsec peer by its hostname only if the hostname is mapped to the peer’s IP address in a\r\nDNS or if you manually map the hostname to the IP address with the ip host command.\r\nThe dynamic Keyword\r\nWhen specifying the hostname of a remote IPsec peer via the set peer command, you can also issue the dynamic\r\nkeyword, which defers DNS resolution of the hostname until right before the IPsec tunnel has been established.\r\nDeferring resolution enables the Cisco IOS software to detect whether the IP address of the remote IPsec peer has\r\nchanged. Thus, the software can contact the peer at the new IP address.\r\nIf the dynamic keyword is not issued, the hostname is resolved immediately after it is specified. So, the Cisco IOS\r\nsoftware cannot detect an IP address change and, therefore, attempts to connect to the IP address that it previously\r\nresolved.\r\nThe default Keyword\r\nIf there are multiple peers and you specify the default keyword, the first peer is designated as the default peer.\r\nIf dead peer detection (DPD) detects a failure, the default peer is retried before there is an attempt to connect to\r\nthe next peer in the peer list.\r\nIf the default peer is unresponsive, the next peer in the peer list becomes the new current peer. 
Future connections\r\nthrough the crypto map will try that peer.\r\nExamples\r\nThe following example shows a crypto map configuration when IKE will be used to establish the security\r\nassociations (SAs). In this example, an SA could be set up to either the IPsec peer at 10.0.0.1 or the peer at\r\n10.0.0.2.\r\ncrypto map mymap 10 ipsec-isakmp\r\n match address 101\r\n set transform-set my_t_set1\r\n set peer 10.0.0.1\r\n set peer 10.0.0.2\r\nThe following example shows how to configure a router to perform real-time Domain Name System (DNS)\r\nresolution with a remote IPsec peer; that is, the hostname of peer is resolved via a DNS lookup right before the\r\nhttps://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/s1/sec-s1-cr-book/sec-cr-s2.html#wp1896741674\r\nPage 16 of 144\n\nrouter establishes a connection (an IPsec tunnel) with the peer.\r\ncrypto map secure_b 10 ipsec-isakmp\r\n match address 140\r\n set peer b.cisco.com dynamic\r\n set transform-set xset\r\ninterface serial1\r\n ip address 10.30.0.1\r\n crypto map secure_b\r\naccess-list 140 permit ...\r\nThe following example shows that the first peer, at IP address 10.1.1.1, is the default peer:\r\ncrypto map tohub 1 ipsec-isakmp\r\n set peer 10.1.1.1 default\r\n set peer 10.2.2.2\r\nThe following example shows that the peer with the hostname user1 is the default peer.\r\ncrypto map tohub 2 ipsec-isakmp\r\n set peer user1 dynamic default\r\n set peer user2 dynamic\r\nRelated Commands\r\nCommand Description\r\ncrypto dynamic-map\r\nCreates a dynamic crypto map entry and enters the crypto map configuration\r\ncommand mode.\r\ncrypto map (global\r\nIPSec)\r\nCreates or modifies a crypto map entry and enters the crypto map configuration\r\nmode.\r\ncrypto map (interface\r\nIPSec)\r\nApplies a previously defined crypto map set to an interface.\r\nhttps://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/s1/sec-s1-cr-book/sec-cr-s2.html#wp1896741674\r\nPage 17 of 144\n\nCommand Description\r\ncrypto map 
local-address Specifies and names an identifying interface to be used by the crypto map for IPsec\r\ntraffic.\r\nmatch address (IPSec) Specifies an extended access list for a crypto map entry.\r\nset pfs\r\nSpecifies that IPsec should ask for PFS when requesting new SAs for this crypto\r\nmap entry, or that IPsec requires PFS when receiving requests for new SAs.\r\nset security-association\r\nlevel per-host\r\nSpecifies that separate IPsec SAs should be requested for each source/destination\r\nhost pair.\r\nset security-association\r\nlifetime\r\nOverrides (for a particular crypto map entry) the global lifetime value, which is\r\nused when negotiating IPsec SAs.\r\nset session-key Specifies the IPsec session keys within a crypto map entry.\r\nset transform-set Specifies which transform sets can be used with the crypto map entry.\r\nshow crypto map\r\n(IPSec)\r\nDisplays the crypto map configuration.\r\nset pfs\r\nTo optionally specify that IP security (IPsec) requests the perfect forward secrecy (PFS) Diffie-Hellman (DH)\r\nprime modulus group identifier when requesting new security associations (SAs) for a crypto map entry or when\r\nIPsec requires PFS when receiving requests for new SAs, use the set pfs command in crypto map configuration\r\nmode. 
To specify that IPsec should not request PFS during the DH exchange, use the no form of this command.\r\nset pfs {group1 | group2 | group5 | group14 | group15 | group16 | group19 | group20}\r\nno set pfs\r\nSyntax Description\r\nhttps://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/s1/sec-s1-cr-book/sec-cr-s2.html#wp1896741674\r\nPage 18 of 144\n\ngroup1 Specifies the 768-bit DH identifier.\r\ngroup2 Specifies the 1024-bit DH identifier.\r\ngroup5 Specifies the 1536-bit DH identifier.\r\ngroup14 Specifies the 2048-bit DH identifier.\r\ngroup15 Specifies the 3072-bit DH identifier.\r\ngroup16 Specifies the 4096-bit DH identifier.\r\ngroup19 Specifies the 256-bit elliptic curve DH (ECDH) identifier.\r\ngroup20 Specifies the 384-bit ECDH identifier.\r\nCommand Default\r\nBy default, PFS is not requested. If no group is specified with this command, the group1 keyword is used as the\r\ndefault.\r\nCommand Modes\r\nCrypto map configuration (config-crypto-map)\r\nCommand History\r\nRelease Modification\r\n11.3 T This command was introduced.\r\nhttps://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/s1/sec-s1-cr-book/sec-cr-s2.html#wp1896741674\r\nPage 19 of 144\n\nRelease Modification\r\n12.1(1.3)T Support was added for DH group 5.\r\n12.2(33)SRA This command was integrated into Cisco IOS Release 12.2(33)SRA.\r\n12.2SX\r\nThis command is supported in the Cisco IOS Release 12.2SX train. Support in a\r\nspecific 12.2SX release of this train depends on your feature set, platform, and platform\r\nhardware.\r\n12.4(20)T Support for IPv6 was added.\r\nCisco IOS XE\r\nRelease 2.2\r\nSupport was added for DH groups 14, 15, and 16 on the Cisco ASR 1000 series routers.\r\n12.4(22)T\r\nSupport for DH groups 14, 15, and 16 on the Cisco ASR 1000 series routers was\r\nintegrated into Cisco IOS Release 12.4(22)T.\r\n15.1(2)T\r\nThis command was modified. 
DH groups 19 and 20 were added in Cisco IOS Release\r\n15.1(2)T.\r\nUsage Guidelines\r\nThis command is available for ipsec-isakmp crypto map entries and dynamic crypto map entries for both IKEv1\r\nand IKEv2.\r\nDuring negotiation, this command causes IPsec to request PFS when requesting new security associations for the\r\ncrypto map entry. The default (group1) is sent if the set pfs statement does not specify a group. If the peer initiates\r\nthe negotiation and the local configuration specifies PFS, the remote peer must perform a PFS exchange or the\r\nnegotiation will fail. If the local configuration does not specify a group, a default of group1 will be assumed, and\r\nan offer of either group1 or group2 will be accepted. If the local configuration specifies group2, that group must\r\nbe part of the offer of the peer or the negotiation will fail. If the local configuration does not specify PFS, it will\r\naccept any offer of PFS from the peer.\r\nPFS adds another level of security; if one key is ever cracked by an attacker, then only the data sent with that key\r\nwill be compromised. Without PFS, data sent with other keys could be compromised also.\r\nWith PFS, every time a new security association is negotiated, a new DH exchange occurs. (This exchange\r\nrequires additional processing time.)\r\nThe 1024-bit DH prime modulus group, group2, provides more security than group1 but requires more processing\r\ntime than group1.\r\nThe group chosen must be strong enough (have enough bits) to protect the IPsec keys during negotiation. 
While\r\nthere is some disagreement regarding how many bits are necessary in the DH group to protect a specific key size,\r\nit is generally agreed that group14 is good protection for 128-bit keys, group15 is good protection for 192-bit\r\nkeys, and group16 is good protection for 256-bit keys.\r\nNote\r\ngroup5 may be used for 128-bit keys, but group14 is better.\r\nThe ISAKMP group and the IPsec PFS group should be the same if PFS is used. If PFS is not used, a group is not\r\nconfigured in the IPsec crypto map.\r\nExamples\r\nThe following example specifies that PFS should be used whenever a new security association is negotiated for\r\nthe crypto map mymap 10:\r\ncrypto map mymap 10 ipsec-isakmp\r\n set pfs group2\r\nRelated Commands\r\nCommand Description\r\ncrypto dynamic-map\r\nCreates a dynamic crypto map entry and enters the crypto map configuration\r\ncommand mode.\r\ncrypto map (global IPsec)\r\nCreates or modifies a crypto map entry and enters the crypto map configuration\r\nmode.\r\ncrypto map (interface\r\nIPsec)\r\nApplies a previously defined crypto map set to an interface.\r\nhttps://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/s1/sec-s1-cr-book/sec-cr-s2.html#wp1896741674\r\nPage 21 of 144\n\nCommand Description\r\ncrypto map local-address\r\nSpecifies and names an identifying interface to be used by the crypto map for\r\nIPsec traffic.\r\nmatch address (IPsec) Specifies an extended access list for a crypto map entry.\r\nset peer (IPsec) Specifies an IPsec peer in a crypto map entry.\r\nset security-association\r\nlevel per-host\r\nSpecifies that separate IPsec security associations should be requested for each\r\nsource/destination host pair.\r\nset security-association\r\nlifetime\r\nOverrides (for a particular crypto map entry) the global lifetime value, which is\r\nused when negotiating IPsec security associations.\r\nset transform-set Specifies which transform sets can be used with the crypto map entry.\r\nshow crypto map (IPsec) 
Displays the crypto map configuration.\r\nset platform software trace forwarding-manager alg\r\nTo set the platform software trace levels for the forwarding manager application layer gateway (ALG), use the set\r\nplatform software trace forwarding-manager alg command in privileged EXEC mode.\r\nset platform software trace forwarding-manager {F0 | F1 | FP | R0 | R1 | RP} {active | standby} alg {debug |\r\nemergency | error | info | noise | notice | verbose | warning}\r\nSyntax Description\r\nF0 Specifies slot 0 of the Embedded Service Processor (ESP).\r\nF1 Specifies slot 1 of the ESP.\r\nFP Specifies the ESP.\r\nR0 Specifies slot 0 of the Route Processor (RP).\r\nR1 Specifies slot 1 of the RP.\r\nRP Specifies the RP.\r\nactive Specifies the active instance of the processor.\r\nstandby Specifies the standby instance of the processor.\r\ndebug Sets debug messages for ALGs.\r\nemergency Sets emergency messages for ALGs.\r\nerror Sets error messages for ALGs.\r\ninfo Sets informational messages for ALGs.\r\nnoise Sets the maximum message level for ALGs.\r\nnotice Sets notice messages for ALGs.\r\nverbose Sets detailed debug messages for ALGs.\r\nwarning Sets warning messages for ALGs.\r\nCommand Default\r\nTrace levels are not set.\r\nCommand Modes\r\nPrivileged EXEC (#)\r\nCommand History\r\nRelease Modification\r\nCisco IOS XE Release 3.11S This command was introduced.\r\nUsage Guidelines\r\nUse this command to troubleshoot platform-specific ALG issues.\r\nExamples\r\nThe following example shows how to set platform-specific debug messages for ALGs:\r\nDevice# set platform software trace forwarding-manager FP active alg debug\r\nRelated Commands\r\nalg sip blacklist Configures a dynamic SIP ALG blacklist for 
                     destinations.
  alg sip processor  Configures the maximum number of backlog messages that wait for shared resources.
  alg sip timer      Configures a timer that SIP ALG uses to manage SIP calls.

set reverse-route

To define a distance metric for each static route or to tag a reverse route injection (RRI)-created route, use the set reverse-route command in crypto map configuration or IPsec profile configuration mode. To delete the tag or distance metric, use the no form of this command.

set reverse-route [distance number | tag tag-id | gateway next-hop]
no set reverse-route [distance number | tag tag-id | gateway next-hop]

Syntax Description
  distance number   (Optional) Defines a distance metric for each static route. The range is from 1 to 255.
  tag tag-id        (Optional) Creates a route and tags it. The tag value can be used as a match value for controlling redistribution using route maps.
  gateway next-hop  (Optional) Defines the next-hop IP address of the preferred gateway through which encrypted traffic can be routed.

Command Default
The distance metric is 1 and the tag is 0.

Command Modes
Crypto map configuration (config-crypto-map)
IPsec profile configuration (config-crypto-profile)

Command History
Release Modification
  12.4(15)T                  This command was introduced. This command replaced the reverse-route tag command.
  Cisco IOS XE Release 3.2S  This command was modified.
                             The gateway next-hop keyword and argument pair was added.

Usage Guidelines
This command can be applied on a per-crypto map basis or to a virtual tunnel interface (VTI) in a reverse route injection configuration.

RRI provides a scalable mechanism to dynamically learn and advertise the IP address and subnets that belong to a remote site that connects through an IPsec VPN tunnel.

When enabled in an IPsec crypto map, RRI learns all the subnets from any network that is defined in the crypto access control list (ACL) as the destination network. The learned routes are installed into the local routing table as static routes that point to the encrypted interface. When the IPsec tunnel is torn down, the associated static routes are removed. These static routes may then be redistributed into other dynamic routing protocols so that they can be advertised to other parts of the network (usually by redistributing RRI routes into dynamic routing protocols on the core side).

The set reverse-route command provides a way to configure a server so that a dynamically learned route can take precedence over static routes. The static routes are used only in the absence of the dynamically learned route.

Inserting an RRI in the remote peer through a gateway that is configured in the crypto IPsec profile ensures that the traffic to the remote peer is always routed through the configured gateway.

If you configure the RRI gateway when there are no sessions, then no changes occur. A route to the remote peer is added only when a new security association (SA) becomes active.

To change to a new gateway when there are active sessions, you must delete the active sessions.
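The route-table behavior described above (an RRI route appears only while an SA is active, its administrative distance decides whether it beats a competing static route, the tag is what a route map matches on redistribution, and the gateway cannot be changed while sessions exist) can be modeled in a few lines. The following is an added illustration written for this page, not Cisco code: the routing-table model, the peer and next-hop addresses other than 10.0.0.1, and the interface name Tunnel0 are all assumptions.

```python
"""Toy model of reverse route injection with 'set reverse-route distance|tag|gateway'.

Added illustration, not Cisco code.  Routes are selected by longest prefix,
then lowest administrative distance, which is the rule that lets an RRI route
with a small distance win over a floating static backup and lets the backup
take over again once the SA is gone.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str          # outgoing (encrypted) interface or gateway address
    distance: int          # administrative distance; lower is preferred
    tag: int = 0           # route tag, usable with 'match tag' in a route map
    source: str = "static" # "static" or "rri"


class RriRouter:
    def __init__(self, distance=1, tag=0, gateway=None):
        # Command defaults from the reference: distance 1, tag 0, no preferred gateway.
        self.distance, self.tag, self.gateway = distance, tag, gateway
        self.routes = []
        self.active_sas = {}   # peer address -> remote subnet learned from the crypto ACL

    def add_static(self, prefix, next_hop, distance=1):
        self.routes.append(Route(ipaddress.ip_network(prefix), next_hop, distance))

    def sa_up(self, peer, remote_subnet, encrypted_if="Tunnel0"):
        """A new SA becomes active: install the learned subnet as an RRI route.
        With a configured gateway the route points at it, else at the encrypted interface."""
        net = ipaddress.ip_network(remote_subnet)
        self.active_sas[peer] = net
        self.routes.append(Route(net, self.gateway or encrypted_if,
                                 self.distance, self.tag, "rri"))

    def sa_down(self, peer):
        """Tunnel torn down: the RRI route for that peer is withdrawn."""
        net = self.active_sas.pop(peer)
        self.routes = [r for r in self.routes
                       if not (r.source == "rri" and r.prefix == net)]

    def set_gateway(self, next_hop):
        """Returns False while sessions are active: the gateway cannot be
        added, deleted or changed until those sessions are deleted."""
        if self.active_sas:
            return False
        self.gateway = next_hop
        return True

    def best_route(self, dst):
        addr = ipaddress.ip_address(dst)
        candidates = [r for r in self.routes if addr in r.prefix]
        if not candidates:
            return None
        return min(candidates, key=lambda r: (-r.prefix.prefixlen, r.distance))

    def rri_routes_with_tag(self, tag):
        """What a redistribution route map with 'match tag <tag>' would select."""
        return [r for r in self.routes if r.source == "rri" and r.tag == tag]
```

Configure the model with distance 20 and a floating static route (distance 250) for the same subnet: the static route carries traffic only while no SA is active, which is the precedence the command is meant to give dynamically learned routes.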
You cannot add, delete, or change a gateway configuration when there are active sessions.

These gateway behaviors with respect to active sessions apply whether or not Front Virtual Routing and Forwarding (FVRF) has been configured.

Examples
The following example shows how to set the value of the metric distance for each dynamic route to 20 in a crypto map situation. The configuration is on an Easy VPN server.

crypto dynamic-map mode 1
 set security-association lifetime seconds 300
 set transform-set 3dessha
 set isakmp-profile profile2
 set reverse-route distance 20
 reverse-route

The following example shows how to set the value of the metric distance for each dynamic route to 20 for a VTI. The configuration is on an Easy VPN server.

crypto isakmp profile profile1
 keyring mykeyring
 match identity group examplegroup
 client authentication list authenlist
 isakmp authorization list autholist
 client configuration address respond
 virtual-template 1
crypto ipsec profile vi
 set transform-set 3dessha
 set reverse-route distance 20
 set reverse-route gateway 10.0.0.1
 set isakmp-profile profile1
!
interface Virtual-Template1 type tunnel
 ip unnumbered
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile vi

Related Commands
Command Description
  debug crypto ipsec  Displays IPsec events.
  reverse-route       Creates source proxy information for a crypto map entry.

set security-association dummy

To enable the generation and transmission of dummy packets for an IPsec traffic flow in a crypto map, use the set security-association dummy command in crypto map configuration mode.
To disable this generation and transmission, use the no form of this command.

set security-association dummy {pps rate | seconds seconds}
no set security-association dummy

Syntax Description
  pps rate         Packets per second rate. The range is 0 to 25.
  seconds seconds  Delay, in seconds, between packets. The range is 1 to 3600.

Command Default
Generating and transmitting dummy packets is disabled.

Command Modes
Crypto map configuration (config-crypto-map)

Command History
Release Modification
  15.2(4)M3                   This command was introduced.
  Cisco IOS XE Release 3.10S  This command was integrated into Cisco IOS XE Release 3.10S.

Usage Guidelines
RFC 4303 specifies a method to hide packet data in an IPsec traffic flow by adding dummy packets to the flow. Use the set security-association dummy command to generate and transmit dummy packets to hide data in the IPsec traffic flow in a crypto map. The dummy packet is designated by setting the next header field in the Encapsulating Security Payload (ESP) packet to a value of 59.
When a crypto engine receives such packets, it discards them.

Use the pps rate keyword/argument pair to specify a rate greater than one packet per second.

When using this command to generate dummy packets for a specific crypto map, dummy packets are generated for all flows created in the crypto map.

Examples
The following example generates dummy packets every five seconds in the traffic flow of a crypto map:

crypto map tohub 1 ipsec-isakmp
 set peer 10.1.1.1 default
 set peer 10.2.2.2
 set security-association dummy seconds 5
 set transform-set aes_sha2
 match address 101

Related Commands
Command Description
  crypto ipsec security-association dummy  Enables the generation and transmission of dummy packets in an IPsec traffic flow.

set security-association idle-time

To specify the maximum amount of time for which the current peer can be idle before the default peer is used, use the set security-association idle-time command in crypto map configuration mode. To disable this feature, use the no form of this command.

set security-association idle-time seconds [default]
no set security-association idle-time seconds [default]

Syntax Description
  seconds  Number of seconds for which the current peer can be idle before the default peer is used. Although the command will accept values for seconds ranging from 60 to 86400 seconds, the configured value will be rounded up to the next multiple of 600 seconds (ten minutes).
  default  (Optional) Specifies that the next connection is directed to the default peer.
           Default: If the default keyword is not specified and there is a connection timeout, the current peer remains unchanged.

Command Default
The default peer is not used if the current peer times out.

Command Modes
Crypto map configuration (config-crypto-map)

Command History
Release Modification
  12.3(14)T    This command was introduced.
  12.2(33)SRA  The command was integrated into Cisco IOS Release 12.2(33)SRA.
  12.2(33)SXH  This command was integrated into Cisco IOS Release 12.2(33)SXH.

Usage Guidelines
This command is optional. Use this command if you want the default peer to be used if the current peer times out. If there is a timeout to the current peer, the connection to that peer is closed. The next time a connection is initiated, it is directed to the default peer specified in the set peer command.

The configured value for seconds is rounded up to the next multiple of 600 seconds (ten minutes), and the rounded value becomes the polling interval for peer idle detection. Because the idle condition must be observed in two successive pollings, the period of inactivity may last up to twice the polling period before the connection to the idle peer can be closed.

Examples
In the following example, if the current peer is idle for at least 750 seconds, the default peer 10.1.1.1 (which was specified in the set peer command) is used for the next attempted connection:

crypto map tohub 1 ipsec-isakmp
 set peer 10.1.1.1 default
 set peer 10.2.2.2
 set security-association idle-time 750 default

In this example, the configured value of 750 seconds will be rounded up to 1200 seconds (the next multiple of 600), which becomes the idle polling interval.
The connection to the idle peer will be closed after two successive idle pollings, resulting in an inactivity period of between 1200 and 2400 seconds before the connection is closed.

Related Commands
Command Description
  set peer (IPSec)  Specifies an IPsec peer in a crypto map entry.

set security-association level per-host

To specify that separate IP Security security associations should be requested for each source/destination host pair, use the set security-association level per-host command in crypto map configuration mode. To specify that one security association should be requested for each crypto map access list permit entry, use the no form of this command.

set security-association level per-host
no set security-association level per-host

Syntax Description
This command has no arguments or keywords.

Command Default
For a given crypto map, all traffic between two IPSec peers matching a single crypto map access list permit entry will share the same security association.

Command Modes
Crypto map configuration

Command History
Release Modification
  11.3 T       This command was introduced.
  12.2(33)SRA  This command was integrated into Cisco IOS Release 12.2(33)SRA.
  12.2SX       This command is supported in the Cisco IOS Release 12.2SX train.
               Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.

Usage Guidelines
This command is only available for ipsec-isakmp crypto map entries and is not supported for dynamic crypto map entries.

Using this command directs IPSec to request a separate security association for each source/destination host pair.

Normally, within a given crypto map, IPSec will attempt to request security associations at the granularity specified by the access list entry. For example, if the access list entry permits IP protocol traffic between subnet A and subnet B, IPSec will attempt to request security associations between subnet A and subnet B (for any IP protocol), and unless finer-grained security associations are established (by a peer request), all IPSec-protected traffic between these two subnets would use the same security association.

This command causes IPSec to request separate security associations for each source/destination host pair. In this case, each host pairing (where one host was in subnet A and the other host was in subnet B) would cause IPSec to request a separate security association.

With this command, one security association would be requested to protect traffic between host A and host B, and a different security association would be requested to protect traffic between host A and host C.

The access list entry can specify local and remote subnets, or it can specify a host-and-subnet combination.
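The selector derivation described above, as an added example that is not part of the reference or of Cisco's code: parse a crypto ACL permit entry written with IOS wildcard masks, then report the selector an SA request would carry for a given packet, either the whole ACL entry (the default) or the host pair (per-host level). The helper goes slightly beyond the text by also handling host-and-subnet entries and protocol/port qualifiers; its parser is an assumption that covers only contiguous wildcard masks and the "eq port" form, not the full IOS ACL grammar. Counting distinct selectors over a packet sample is the quick way to see the resource cost the reference warns about.

```python
"""Traffic-selector derivation for 'set security-association level per-host'.

Added illustration, not Cisco code.  parse_acl_entry() reads a crypto ACL
'permit' line written with IOS wildcard masks (contiguous masks only, an
assumption of this helper); sa_selector() returns the selector an SA request
would carry for a packet: the whole ACL entry by default, or the host pair when
per-host is set.  Protocol and port qualifiers survive in both cases.
"""
import ipaddress
import re

ACL_RE = re.compile(
    r"permit\s+(?P<proto>\S+)\s+"
    r"(?P<src>host\s+\S+|\S+\s+\S+)\s+"
    r"(?P<dst>host\s+\S+|\S+\s+\S+)"
    r"(?:\s+eq\s+(?P<port>\d+))?$"
)


def _to_network(spec):
    """'host A' -> A/32; 'A WILDCARD' -> the network the wildcard covers."""
    parts = spec.split()
    if parts[0] == "host":
        return ipaddress.ip_network(parts[1] + "/32")
    addr, wildcard = parts
    wc = int(ipaddress.ip_address(wildcard))
    if wc & (wc + 1):                      # wildcard bits must be a low-order run
        raise ValueError(f"non-contiguous wildcard {wildcard} not supported here")
    return ipaddress.ip_network(f"{addr}/{32 - wc.bit_length()}", strict=False)


def _to_wildcard(net):
    """Inverse of _to_network, for printing an ACL-style selector."""
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"


def parse_acl_entry(line):
    m = ACL_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported ACL syntax: {line!r}")
    return {"proto": m["proto"], "src": _to_network(m["src"]),
            "dst": _to_network(m["dst"]),
            "port": int(m["port"]) if m["port"] else None}


def sa_selector(acl_line, src_ip, dst_ip, per_host=False):
    """The 'permit ...' line the SA request would look like it originated from,
    or None when the packet does not match the crypto ACL entry at all."""
    entry = parse_acl_entry(acl_line)
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if src not in entry["src"] or dst not in entry["dst"]:
        return None
    if per_host:
        src_spec, dst_spec = f"host {src}", f"host {dst}"
    else:
        src_spec, dst_spec = _to_wildcard(entry["src"]), _to_wildcard(entry["dst"])
    port = f" eq {entry['port']}" if entry["port"] else ""
    return f"permit {entry['proto']} {src_spec} {dst_spec}{port}"


def distinct_sa_requests(acl_line, packets, per_host):
    """Distinct SAs a set of (src, dst) packets would request: the count grows
    with the number of host pairs under per-host, which is the resource concern."""
    return {sa_selector(acl_line, s, d, per_host) for s, d in packets} - {None}
```

Run it over the three packets the reference uses with its permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255 entry: per-host yields three host-to-host selectors, the default yields the single subnet-to-subnet selector.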
If the access list entry specifies protocols and ports, these values are applied when establishing the unique security associations.

Use this command with care, as multiple streams between given subnets can rapidly consume system resources.

Examples
The following example shows what happens with an access list entry of permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255 and a per-host level:

A packet from 10.1.1.1 to 10.2.2.1 will initiate a security association request, which would look like it originated via permit ip host 10.1.1.1 host 10.2.2.1.
A packet from 10.1.1.1 to 10.2.2.2 will initiate a security association request, which would look like it originated via permit ip host 10.1.1.1 host 10.2.2.2.
A packet from 10.1.1.2 to 10.2.2.1 will initiate a security association request, which would look like it originated via permit ip host 10.1.1.2 host 10.2.2.1.

Without the per-host level, any of the above packets will initiate a single security association request originated via permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255.

Related Commands
Command Description
  crypto dynamic-map                 Creates a dynamic crypto map entry and enters the crypto map configuration command mode.
  crypto map (global IPSec)          Creates or modifies a crypto map entry and enters the crypto map configuration mode.
  crypto map (interface IPSec)       Applies a previously defined crypto map set to an interface.
  crypto map local-address           Specifies and names an identifying interface to be used by the crypto map for IPSec traffic.
  match address (IPSec)              Specifies an extended access list for a crypto map entry.
  set peer (IPSec)                   Specifies an IPSec peer in a crypto map entry.
  set pfs                            Specifies that IPSec should ask for PFS when requesting new security associations for this crypto map entry, or that
                                     IPSec requires PFS when receiving requests for new security associations.
  set security-association lifetime  Overrides (for a particular crypto map entry) the global lifetime value, which is used when negotiating IPSec security associations.
  set transform-set                  Specifies which transform sets can be used with the crypto map entry.
  show crypto map (IPSec)            Displays the crypto map configuration.

set security-association lifetime

To set the TEK lifetime for a specific crypto map entry or IPsec profile that is used when negotiating IPsec security associations (SAs), use the set security-association lifetime command in crypto map configuration mode or IPsec profile configuration mode. To reset a lifetime to the global value, use the no form of this command.

set security-association lifetime {days number-of-days | kilobytes {number-of-kilobytes | disable} | seconds number-of-seconds}
no set security-association lifetime {days | kilobytes | seconds}

Syntax Description
  days number-of-days            Lifetime in days. The range is 1 to 30.
  kilobytes number-of-kilobytes  Volume of traffic (in kilobytes) that can pass between IPsec peers using an SA. The range is 2560 to 4294967295.
  disable                        Disables the SA rekey based on the traffic-volume lifetime.
  seconds number-of-seconds      Lifetime in seconds.
                                 The range is 120 to 2592000.

Note
It is not recommended to use a lifetime value that is lower than 900 seconds in production routers.

Command Default
Global lifetime values are used.

Command Modes
Crypto map configuration (config-crypto-map)
IPsec profile configuration (ipsec-profile)

Command History
Release Modification
  11.3 T                     This command was introduced.
  12.2(33)SRA                This command was integrated into Cisco IOS Release 12.2(33)SRA.
  12.2SX                     This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
  12.4(20)T                  Support for IPv6 was added.
  12.2(33)SXI                This command was modified. The disable keyword was added.
  Cisco IOS XE Release 2.3   This command was integrated into Cisco IOS XE Release 2.3.
  15.0(1)M                   This command was modified. The disable keyword was added.
  15.3(2)T                   This command was modified. The days number-of-days keyword and argument pair was added, and the maximum value for the seconds number-of-seconds keyword and argument pair was extended from 86400 seconds to 2592000 seconds.
  Cisco IOS XE Release 3.9S  This command was integrated into Cisco IOS XE Release 3.9S.

Usage Guidelines
The TEK lifetime determines the lifetime of the SA. You enter this command on the key server (KS) or primary KS. This command sets the value for a specific crypto map entry or IPsec profile by overriding the global lifetime value. The SA and corresponding keys expire after the timed lifetime or traffic-volume lifetime is reached (whichever is first).
This command is available only for ipsec-isakmp crypto map entries, dynamic crypto map entries, and IPsec profiles.

Note
For Cisco Group Encrypted Transport (GET) VPN, you must use the command in IPsec profile configuration mode. This is because GET VPN uses the lifetime from the IPsec profile (not the crypto map).

If a specific crypto map entry or IPsec profile has lifetimes configured, when the router requests new SAs during SA negotiation, it specifies its crypto map or IPsec profile lifetime in the request to the peer and uses this lifetime as the lifetime of the new SAs. When the router receives a negotiation request from a peer, it uses the smaller of the lifetime proposed by the peer and the locally configured lifetime.

A new SA is negotiated before the lifetime threshold of the existing SA is reached to ensure that a new SA is ready. The timed lifetime and the traffic-volume lifetime each have a jitter mechanism to avoid SA rekey collisions. The new SA is negotiated either (30 plus a random number of) seconds before the seconds lifetime expires or when the traffic volume reaches (90 minus a random number) percent of the kilobytes lifetime, whichever occurs first.

SA rekey starts at 25 percent of the SA key's lifetime, which is earlier than the hard expiration, with a random jitter timing variation. During this time, the interval between SA soft and hard expiration should be more than 30 seconds but less than 200 seconds.

A lifetime change is not applied to existing SAs but is used in subsequent negotiations to establish SAs supported by this crypto map entry or IPsec profile. To enable the change sooner, you can clear all or part of the SA database by using the clear crypto sa command.

If no traffic has passed through the tunnel during the life of the SA, no new SA is negotiated when the lifetime expires.
Instead, a new SA is negotiated only when IPsec sees a packet to be protected.

The lifetime values are ignored for manually established SAs (using an ipsec-manual crypto map entry).

Shorter lifetimes discourage a successful key recovery attack, because the attacker has less data encrypted under the same key to work with. However, shorter lifetimes need more CPU processing time.

Note
For any configured lifetime longer than 24 hours, when ESP is used and the encryption algorithm is not NULL (esp-null or implicitly NULL such as with esp-gcm), the encryption algorithm must be AES-CBC (esp-aes) or AES-GCM (esp-gcm) with an AES key of 128 bits or stronger.

You should use a timed lifetime rather than a traffic-volume lifetime, because a small traffic-volume lifetime causes frequent SA rekeys. High throughput of encryption or decryption traffic can cause intermittent packet drops. The minimum traffic-volume lifetime threshold of 2560 kilobytes is not recommended on SAs that protect a medium-to-high throughput data link.

Disabling the traffic-volume lifetime affects only the router on which it is configured. It does not affect peer router behavior or the current router's time-based rekey. You should disable the traffic-volume lifetime when using high bandwidth (such as with 10-Gigabit Ethernet).
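The lifetime rules spread across the guidelines above (accepted ranges, the 900-second floor for production, AES for lifetimes over 24 hours, the caution against the 2560-kilobyte minimum, the responder's "smaller lifetime wins" rule, and the jittered soft-expiry points) fit naturally into a small pre-deployment checker. The following is an added illustration, not Cisco code: the function names are invented, the jitter amounts are passed in explicitly so that results are reproducible (the router draws them at random), and treating every esp-aes and esp-gcm variant as a 128-bit-or-stronger AES transform is an assumption.

```python
"""Lifetime policy helpers for 'set security-association lifetime'.

Added illustration, not Cisco code.  Encodes the ranges and cautions the
reference gives for a crypto map entry or IPsec profile, the negotiation rule
(smaller of peer-proposed and local lifetime) and the jittered rekey points.
Transform names follow IOS (esp-aes, esp-gcm, esp-null, esp-3des); treating
esp-gcm as an AES transform is an assumption.
"""
SECONDS_RANGE = (120, 2_592_000)
KILOBYTES_RANGE = (2560, 4_294_967_295)
DAYS_RANGE = (1, 30)
PRODUCTION_MIN_SECONDS = 900
ONE_DAY = 86_400
AES_TRANSFORMS = ("esp-aes", "esp-gcm")   # AES-CBC and AES-GCM, 128-bit keys or larger


def validate_lifetime(seconds=None, days=None, kilobytes=None, esp_encryption=None):
    """Return a list of findings for a proposed lifetime; an empty list means
    the values are within range and none of the reference's cautions apply."""
    findings = []
    if seconds is not None and not SECONDS_RANGE[0] <= seconds <= SECONDS_RANGE[1]:
        findings.append(f"seconds {seconds} outside {SECONDS_RANGE}")
    if days is not None and not DAYS_RANGE[0] <= days <= DAYS_RANGE[1]:
        findings.append(f"days {days} outside {DAYS_RANGE}")
    if seconds is not None and seconds < PRODUCTION_MIN_SECONDS:
        findings.append("warning: lifetimes under 900 seconds are not recommended in production")
    timed = seconds if seconds is not None else (days * ONE_DAY if days is not None else None)
    # Over 24 h with non-NULL ESP encryption, only AES-CBC or AES-GCM is acceptable.
    if timed is not None and timed > ONE_DAY and esp_encryption not in (None, "esp-null"):
        if not esp_encryption.startswith(AES_TRANSFORMS):
            findings.append(f"lifetime over 24 hours requires AES-CBC or AES-GCM, not {esp_encryption}")
    if kilobytes is not None and kilobytes != "disable":
        if not KILOBYTES_RANGE[0] <= kilobytes <= KILOBYTES_RANGE[1]:
            findings.append(f"kilobytes {kilobytes} outside {KILOBYTES_RANGE}")
        elif kilobytes == KILOBYTES_RANGE[0]:
            findings.append("warning: the 2560 KB minimum rekeys constantly on medium-to-high throughput links")
    return findings


def negotiated_lifetime(local, proposed_by_peer):
    """Responder rule from the reference: the smaller of the two lifetimes is used."""
    return min(local, proposed_by_peer)


def rekey_thresholds(seconds, kilobytes, jitter_seconds, jitter_percent):
    """Soft-expiry points that trigger negotiation of the replacement SA:
    (30 + jitter) seconds before the timed lifetime ends, and (90 - jitter)
    percent of the volume lifetime; whichever is reached first wins.
    Returns (soft_seconds, soft_kilobytes); soft_kilobytes is None when the
    volume lifetime is disabled."""
    soft_seconds = seconds - (30 + jitter_seconds)
    if kilobytes in (None, "disable"):
        soft_kilobytes = None
    else:
        soft_kilobytes = kilobytes * (90 - jitter_percent) // 100
    return soft_seconds, soft_kilobytes
```

The reference's own examples pass cleanly (2700 seconds; kilobytes disabled; 3 days with an AES transform), while 3 days with esp-3des or a 600-second lifetime each produce a finding.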
This reduces packet loss in high traffic environments by preventing frequent rekeys when the volume lifetimes are reached.

You can also disable the traffic-volume lifetime by entering the crypto ipsec security-association lifetime kilobytes disable command.

On Cisco ASR 1000 Series Aggregation Services Routers, the values specified for this command in global configuration mode might not be overridden by the values specified for this command under IPsec profile configuration mode, unless the shut and no shut commands are issued for the values under the IPsec profile. If the values are not specified under the IPsec profile, then the global values are applied.

Examples
The following example shows how to set the timed lifetime for a specific crypto map entry named map1 to 2700 seconds (45 minutes):

Device> enable
Device# configure terminal
Device(config)# crypto map map1 10 ipsec-isakmp
Device(config-crypto-map)# set security-association lifetime seconds 2700
Device(config-crypto-map)# end

The following example shows how to disable the traffic-volume lifetime for a specific crypto map entry named map2:

Device> enable
Device# configure terminal
Device(config)# crypto map map2 10 ipsec-isakmp
Device(config-crypto-map)# set security-association lifetime kilobytes disable
Device(config-crypto-map)# end

The following example shows how to set the timed lifetime to 3 days for an IPsec profile named profile1:

Device> enable
Device# configure terminal
Device(config)# crypto ipsec profile profile1
Device(ipsec-profile)# set security-association lifetime days 3
Device(ipsec-profile)# end

Related Commands
Command Description
  crypto dynamic-map                          Creates a dynamic crypto map entry.
  crypto ipsec security-association lifetime  Changes global lifetime
                                              values used when negotiating SAs.
  crypto map (global IPsec)                   Creates or modifies a crypto map entry.
  crypto map (interface IPsec)                Applies a previously defined crypto map set to an interface.
  crypto map local-address                    Specifies and names an identifying interface to be used by the crypto map for IPsec traffic.
  match address (IPsec)                       Specifies an extended access list for a crypto map entry.
  set peer (IPsec)                            Specifies an IPsec peer in a crypto map entry.
  set pfs                                     Specifies that IPsec should ask for PFS when requesting new SAs for this crypto map entry, or that IPsec requires PFS when receiving requests for new SAs.
  set security-association level per-host     Specifies that separate SAs should be requested for each source/destination host pair.
  set transform-set                           Specifies the transform sets that can be used with the crypto map entry.
  show crypto map (IPsec)                     Displays the crypto map configuration.

set security-association replay disable

To disable anti-replay checking for a particular crypto map, dynamic crypto map, or crypto profile, use the set security-association replay disable command in crypto map configuration or crypto profile configuration mode.
To enable anti-replay checking, use the no form of this command.

set security-association replay disable
no set security-association replay disable

Syntax Description
This command has no arguments or keywords.

Command Default
Anti-replay checking is enabled.

Command Modes
Crypto map configuration
Crypto profile configuration

Command History
Release Modification
  12.3(14)T     This command was introduced.
  12.2(33)SRA   This command was integrated into Cisco IOS Release 12.2(33)SRA.
  12.2(18)SXF6  This command was integrated into Cisco IOS Release 12.2(18)SXF6.

Examples
The following example shows that anti-replay checking has been disabled for the crypto map named "mymap."

crypto map mymap 30
 set security-association replay disable

Related Commands
Command Description
  set security-association replay window-size  Controls the SAs that are created using the policy specified by a particular crypto map, dynamic crypto map, or crypto profile.

set security-association replay window-size

To control the security associations (SAs) that are created using the policy specified by a particular crypto map, dynamic crypto map, or crypto profile, use the set security-association replay window-size command in crypto map configuration or crypto profile configuration mode. To reset the crypto map to follow the global configuration that was specified by the crypto ipsec security-association replay window-size command, use the no form of this command.

set security-association replay window-size [N]
no set security-association replay window-size

Syntax Description
  N  (Optional) Size of the window. The value can be 64, 128, 256, 512, or 1024.
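What the window size means for a receiver, and what disabling the check gives up, is easiest to see in the receive path itself. The following added example serves both the anti-replay commands here (replay disable and replay window-size) and the set security-association dummy command earlier on this page: it implements an RFC 4303-style sliding bitmap window over ESP sequence numbers, accepts only the window sizes the command takes, models "replay disable" as a window that accepts everything, and after decryption reads the ESP trailer (payload, padding, pad length, next header) to discard packets whose next header is 59, the dummy-packet marker. This is illustration code written for this page, not Cisco code; the packet layout is RFC 4303's, not IOS internals, the sample byte strings are constructed, and integrity verification (which precedes these steps on a real receiver) is left out.

```python
"""Inbound ESP receive-side checks: anti-replay window and dummy-packet discard.

Added illustration, not Cisco code.  The sliding bitmap window follows the
RFC 4303 anti-replay design; ReplayWindow(None) models 'set security-association
replay disable'; the accepted sizes are the ones the window-size command takes.
esp_next_header() reads the trailer of an already-decrypted ESP payload
(payload || padding || pad length || next header) and process_inbound() drops a
packet whose next header is 59, the marker the dummy command uses.
Integrity verification, which precedes these steps on a real receiver, is omitted.
"""

DUMMY_NEXT_HEADER = 59   # "no next header": marks an ESP dummy packet


class ReplayWindow:
    ALLOWED_SIZES = (64, 128, 256, 512, 1024)

    def __init__(self, size=64):
        if size is not None and size not in self.ALLOWED_SIZES:
            raise ValueError(f"window size must be one of {self.ALLOWED_SIZES}")
        self.size = size      # None: anti-replay checking disabled
        self.top = 0          # highest sequence number accepted so far
        self.bitmap = 0       # bit i set => sequence number (top - i) was seen

    def check_and_update(self, seq):
        """True if seq is fresh (and record it); False means drop the packet."""
        if self.size is None:
            return True                       # disabled: a replayed packet is accepted
        if seq == 0:
            return False                      # 0 is never a valid ESP sequence number
        if seq > self.top:                    # newer than anything seen: slide the window
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False                      # older than the window covers
        if self.bitmap & (1 << offset):
            return False                      # already received: replay
        self.bitmap |= 1 << offset            # late but in-window: accept it once
        return True


def esp_next_header(plaintext):
    """Split decrypted ESP data into (next_header, payload) using the trailer."""
    if len(plaintext) < 2:
        raise ValueError("truncated ESP plaintext")
    pad_len, next_hdr = plaintext[-2], plaintext[-1]
    if pad_len > len(plaintext) - 2:
        raise ValueError("pad length exceeds payload")
    return next_hdr, plaintext[: len(plaintext) - 2 - pad_len]


def process_inbound(window, seq, plaintext):
    """Return (verdict, payload) with verdict 'replay', 'dummy' or 'deliver'."""
    if not window.check_and_update(seq):
        return "replay", b""
    next_hdr, payload = esp_next_header(plaintext)
    if next_hdr == DUMMY_NEXT_HEADER:
        return "dummy", b""       # a dummy packet uses a sequence number but carries nothing
    return "deliver", payload


# Constructed samples, not captured traffic.
# Real packet: 4 payload bytes, 2 pad bytes, pad length 2, next header 4 (IPv4).
SAMPLE_REAL = b"\xde\xad\xbe\xef\x01\x02\x02\x04"
# Dummy packet: filler, pad length 0, next header 59.
SAMPLE_DUMMY = b"\x00\x00\x00\x00\x00\x00\x00\x3b"
```

A window of 64 tolerates reordering of up to 63 sequence numbers behind the newest packet and rejects anything older or already seen; a larger window is what the window-size command buys on links that reorder heavily. With the window disabled, the second copy of a packet is accepted, which is exactly the guarantee that "replay disable" removes.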
     This value sets the window size for a particular crypto map, dynamic crypto map, or crypto profile.

Command Default
Window size is not set.

Command Modes
Crypto map configuration
Crypto profile configuration

Command History
Release Modification
  12.3(14)T     This command was introduced.
  12.2(33)SRA   This command was integrated into Cisco IOS Release 12.2(33)SRA.
  12.2(18)SXF6  This command was integrated into Cisco IOS Release 12.2(18)SXF6.

Examples
The following example shows that the SA window size has been set to 256 for the crypto map named "mymap":

crypto map mymap 10
 set security-association replay window-size 256

Related Commands
Command Description
  set security-association replay disable  Disables anti-replay checking for a particular crypto map, dynamic crypto map, or crypto profile.

set security-policy limit

To define an upper limit to the number of flows that can be created for an individual virtual access interface, use the set security-policy limit command in IPsec profile configuration mode. To remove the limitation, use the no form of this command.

set security-policy limit maximum-limit
no set security-policy limit

Syntax Description
  maximum-limit  The number of security policy entries that can be negotiated with the peer.
                 The range is from 0 to 50000.

Command Default
The upper limit to the number of flows that can be created for an individual virtual access interface is not defined.

Command Modes
IPsec profile configuration (config-crypto-profile)

Command History
Release Modification
  Cisco IOS XE Release 3.2S  This command was introduced.
  15.2(1)T                   This command was integrated into Cisco IOS Release 15.2(1)T.

Usage Guidelines
The set security-policy limit command is disabled by default. Any change to the maximum limit is applied to the existing session. If the maximum limit is set to 0, then no new IPsec security associations (SAs) are created.

Note
Beginning in Cisco IOS Release 15.2(1)T, you can modify the maximum limit by using the ipsec flow-limit command.

Examples
The following example shows how to limit the number of flows that can be created for an individual virtual access interface to 5:

crypto ipsec profile ipsec-profile-1
 set security-policy limit 5

Related Commands
Command Description
  crypto ipsec profile        Defines the IPsec parameters that are to be used for IPs
ec encryption between two IPsec routers and enters IPsec profile configuration mode.
  crypto isakmp profile       Defines an ISAKMP profile and IPsec user sessions.
  interface virtual-template  Creates a virtual template interface that can be configured and applied dynamically when virtual access interfaces are created.
  ipsec flow-limit            Specifies the maximum number of IPsec SAs that an IKEv2 DVTI session can have on an IKEv2 responder.

set session-key

To manually specify the IP Security session keys within a crypto map entry, use the set session-key command in crypto map configuration mode. This command is available only for ipsec-manual crypto map entries.
To remove IPSec session keys from a crypto map entry, use the no form of this command.

Authentication Header (AH) Protocol Syntax
set session-key {inbound | outbound} ah spi hex-key-string
no set session-key {inbound | outbound} ah

Encapsulating Security Payload (ESP) Syntax
set session-key {inbound | outbound} esp spi cipher hex-key-string [authenticator hex-key-string]
no set session-key {inbound | outbound} esp

Syntax Description
  inbound   Sets the inbound IPSec session key. (You must set both inbound and outbound keys.)
  outbound  Sets the outbound IPSec session key. (You must set both inbound and outbound keys.)
  ah        Sets the IPSec session key for the AH protocol. Use when the crypto map entry's transform set includes an AH transform.
  esp       Sets the IPSec session key for ESP. Use when the crypto map entry's transform set includes an ESP transform.
  spi       Specifies the security parameter index (SPI), a number that is used to uniquely identify a security association. The SPI is an arbitrary number you assign in the range of 256 to 4,294,967,295 (FFFF FFFF).
            You can assign the same SPI to both directions and both protocols. However, not all peers have the same flexibility in SPI assignment. For a given destination address/protocol combination, unique SPI values must be used.
The destination address is that of the router if inbound, the peer if outbound.
hex-key-string  Specifies the session key; enter in hexadecimal format. This is an arbitrary hexadecimal string of 8, 16, or 20 bytes. If the crypto map’s transform set includes a DES algorithm, specify at least 8 bytes per key. If the crypto map’s transform set includes an MD5 algorithm, specify at least 16 bytes per key. If the crypto map’s transform set includes an SHA algorithm, specify 20 bytes per key. Keys longer than the above sizes are simply truncated.
cipher  Indicates that the key string is to be used with the ESP encryption transform.
authenticator  (Optional) Indicates that the key string is to be used with the ESP authentication transform. This argument is required only when the crypto map entry’s transform set includes an ESP authentication transform.
Command Default
No session keys are defined by default.
Command Modes
Crypto map configuration
Command History
Release  Modification
11.3 T  This command was introduced.
12.2(33)SRA  This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2SX  This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
Usage Guidelines
Use this command to define IPSec keys for security associations via ipsec-manual crypto map entries. (In the case of ipsec-isakmp crypto map entries, the security associations with their corresponding keys are automatically established via the IKE negotiation.)
If the crypto map’s transform set includes an AH protocol, you must define IPSec keys for AH for both inbound and outbound traffic.
If the crypto map’s transform set includes an ESP encryption protocol, you must define IPSec keys for ESP encryption for both inbound and outbound traffic. If your transform set includes an ESP authentication protocol, you must define IPSec keys for ESP authentication for inbound and outbound traffic.
When you define multiple IPSec session keys within a single crypto map, you can assign the same security parameter index (SPI) number to all the keys. The SPI is used to identify the security association used with the crypto map. However, not all peers have the same flexibility in SPI assignment. You should coordinate SPI assignment with your peer’s operator, making certain that the same SPI is not used more than once for the same destination address/protocol combination.
Security associations established via this command do not expire (unlike security associations established via IKE).
Session keys at one peer must match the session keys at the remote peer.
If you change a session key, the security association using the key will be deleted and reinitialized.
Examples
The following example shows a crypto map entry for manually established security associations. The transform set "t_set" includes only an AH protocol.
crypto ipsec transform-set t_set ah-sha-hmac
crypto map mymap 20 ipsec-manual
 match address 102
 set transform-set t_set
 set peer 10.0.0.21
 set session-key inbound ah 300 1111111111111111111111111111111111111111
 set session-key outbound ah 300 2222222222222222222222222222222222222222
The following example shows a crypto map entry for manually established security associations. The transform set "someset" includes both an AH and an ESP protocol, so session keys are configured for both AH and ESP for both inbound and outbound traffic.
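An added consistency check, not from the Cisco reference, that applies the Usage Guidelines rules above to ipsec-manual entries such as the "someset" example: it parses IOS configuration text and reports a missing inbound or outbound key for any transform in the entry's transform set, an SPI outside 256 to 4,294,967,295, a key shorter than the algorithm needs or long enough to be truncated, and an inbound SPI reused for the same protocol (every inbound SA has this router as its destination). The function names, the parser and the second, deliberately broken entry in the embedded sample are assumptions of this example.

```python
# Limits from the set session-key syntax description: SPI range and minimum key
# length in bytes per algorithm (IOS silently truncates longer keys).
SPI_MIN, SPI_MAX = 256, 0xFFFFFFFF
MIN_KEY_BYTES = {"des": 8, "md5": 16, "sha": 20}
HEX_DIGITS = set("0123456789abcdefABCDEF")

def key_role(transform):
    """Which session key a transform keyword needs: ah, esp-cipher or esp-auth."""
    if transform.startswith("ah-"):
        return "ah"
    return "esp-auth" if transform.endswith("-hmac") else "esp-cipher"

def min_bytes(transform):
    """Minimum key length in bytes for a transform keyword, or None if unknown here."""
    parts = transform.split("-")
    return next((n for alg, n in MIN_KEY_BYTES.items() if alg in parts), None)

def parse_manual_config(text):
    """Collect transform sets and ipsec-manual entries; "keys" maps (direction, role) -> (spi, hex)."""
    transform_sets, entries, cur = {}, {}, None
    for raw in text.splitlines():
        toks = raw.split()
        if toks[:3] == ["crypto", "ipsec", "transform-set"]:
            transform_sets[toks[3]] = toks[4:]
            cur = None
        elif toks[:2] == ["crypto", "map"]:
            cur = None  # only ipsec-manual entries carry session keys
            if toks[4:5] == ["ipsec-manual"]:
                cur = entries.setdefault((toks[2], int(toks[3])), {"keys": {}})
        elif cur is not None and toks[:2] == ["set", "transform-set"]:
            cur["transform_set"] = toks[2]
        elif cur is not None and toks[:2] == ["set", "session-key"]:
            direction, proto, spi = toks[2], toks[3], int(toks[4])
            if proto == "ah":
                keys = {"ah": toks[5]}
            else:  # set session-key DIR esp SPI cipher KEY [authenticator KEY]
                kw = dict(zip(toks[5::2], toks[6::2]))
                keys = {"esp-cipher": kw["cipher"]}
                if "authenticator" in kw:
                    keys["esp-auth"] = kw["authenticator"]
            for role, key in keys.items():
                cur["keys"][(direction, role)] = (spi, key)
    return transform_sets, entries

def check_entry(transform_sets, entry):
    """Return findings for one entry; an empty list means it looks consistent."""
    findings = []
    ts = transform_sets.get(entry.get("transform_set"))
    if ts is None:
        return ["entry references no defined transform set"]
    required = {key_role(t): t for t in ts}
    for role, transform in required.items():
        for direction in ("inbound", "outbound"):
            if (direction, role) not in entry["keys"]:
                findings.append(f"missing {direction} {role} key for {transform}")
                continue
            spi, key = entry["keys"][(direction, role)]
            if not SPI_MIN <= spi <= SPI_MAX:
                findings.append(f"{direction} {role}: SPI {spi} out of range")
            if len(key) % 2 or not set(key) <= HEX_DIGITS:
                findings.append(f"{direction} {role}: key is not whole hex bytes")
                continue
            have, need = len(key) // 2, min_bytes(transform)
            if need and have < need:
                findings.append(f"{direction} {role}: {have}-byte key, {transform} needs {need}")
            elif need and have > need:
                findings.append(f"{direction} {role}: {have}-byte key truncated to {need}")
    return findings

def check_config(text):
    """Check every entry, then flag inbound SPI reuse per protocol (all inbound SAs end on this router)."""
    transform_sets, entries = parse_manual_config(text)
    report = {name: check_entry(transform_sets, e) for name, e in entries.items()}
    owner = {}
    for name, e in entries.items():
        inbound = {("ah" if role == "ah" else "esp", spi)
                   for (direction, role), (spi, _) in e["keys"].items()
                   if direction == "inbound"}
        for proto, spi in sorted(inbound):
            first = owner.setdefault((proto, spi), name)
            if first != name:
                report[name].append(f"inbound {proto} SPI {spi} already used by {first[0]} {first[1]}")
    return report

# Constructed sample: the page's "someset" entry (each command on one line) plus a broken entry.
SAMPLE_CONFIG = """\
crypto ipsec transform-set someset ah-sha-hmac esp-des esp-sha-hmac
crypto map mymap 10 ipsec-manual
 set transform-set someset
 set session-key inbound ah 300 9876543210987654321098765432109876543210
 set session-key outbound ah 300 fedcbafedcbafedcbafedcbafedcbafedcbafedc
 set session-key inbound esp 300 cipher 0123456789012345 authenticator 0000111122223333444455556666777788889999
 set session-key outbound esp 300 cipher abcdefabcdefabcd authenticator 9999888877776666555544443333222211110000
crypto map mymap 30 ipsec-manual
 set transform-set someset
 set session-key inbound ah 300 1234
 set session-key outbound ah 301 1234567890123456789012345678901234567890
 set session-key inbound esp 400 cipher 0123456789012345
"""
```

Running check_config(SAMPLE_CONFIG) returns an empty finding list for mymap 10 and five findings for mymap 30, including the inbound AH SPI 300 it shares with mymap 10.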
The transform set includes both encryption and authentication ESP transforms, so session keys are created for both using the cipher and authenticator keywords.
crypto ipsec transform-set someset ah-sha-hmac esp-des esp-sha-hmac
crypto map mymap 10 ipsec-manual
 match address 101
 set transform-set someset
 set peer 10.0.0.1
 set session-key inbound ah 300 9876543210987654321098765432109876543210
 set session-key outbound ah 300 fedcbafedcbafedcbafedcbafedcbafedcbafedc
 set session-key inbound esp 300 cipher 0123456789012345 authenticator 0000111122223333444455556666777788889999
 set session-key outbound esp 300 cipher abcdefabcdefabcd authenticator 9999888877776666555544443333222211110000
Related Commands
Command  Description
crypto map (global IPSec)  Creates or modifies a crypto map entry and enters the crypto map configuration mode.
crypto map (interface IPSec)  Applies a previously defined crypto map set to an interface.
crypto map local-address  Specifies and names an identifying interface to be used by the crypto map for IPSec traffic.
match address (IPSec)  Specifies an extended access list for a crypto map entry.
set peer (IPSec)  Specifies an IPSec peer in a crypto map entry.
set transform-set  Specifies which transform sets can be used with the crypto map entry.
show crypto map (IPSec)  Displays the crypto map configuration.
set transform-set
To specify which transform sets can be used with the crypto map entry, use the set transform-set command in crypto map configuration mode.
To remove all transform sets from a crypto map entry, use the no form of this command.
set transform-set transform-set-name [transform-set2...transform-set6]
no set transform-set
Syntax Description
transform-set-name  Name of the transform set. For an ipsec-manual crypto map entry, you can specify only one transform set. For an ipsec-isakmp or dynamic crypto map entry, you can specify up to six transform sets.
Command Default
No transform sets are included by default.
Command Modes
Crypto map configuration
Command History
Release  Modification
11.3 T  This command was introduced.
12.4(4)T  Support for IPv6 was added.
12.2(33)SRA  This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2SX  This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
Cisco IOS XE Release 2.1  This command was introduced on Cisco ASR 1000 Series Routers.
15.4(2)S  This command was implemented on the Cisco ASR 901 Series Aggregation Services Router.
Usage Guidelines
This command is required for all static and dynamic crypto map entries.
Use this command to specify which transform sets to include in a crypto map entry.
For an ipsec-isakmp crypto map entry, you can list multiple transform sets with this command. List the higher priority transform sets first.
If the local router initiates the negotiation, the transform sets are presented to the peer in the order specified in the crypto map entry.
If the peer initiates the negotiation, the local router accepts the first transform set that matches one of the transform sets specified in the crypto map entry.
The first matching transform set that is found at both peers is used for the security association. If no match is found, IPSec will not establish a security association. The traffic will be dropped because there is no security association to protect the traffic.
For an ipsec-manual crypto map entry, you can specify only one transform set. If the transform set does not match the transform set at the remote peer’s crypto map, the two peers will fail to correctly communicate because the peers are using different rules to process the traffic.
If you want to change the list of transform sets, re-specify the new list of transform sets to replace the old list. This change is only applied to crypto map entries that reference this transform set. The change will not be applied to existing security associations, but will be used in subsequent negotiations to establish new security associations. If you want the new settings to take effect sooner, you can clear all or part of the security association database by using the clear crypto sa command.
Any transform sets included in a crypto map must previously have been defined using the crypto ipsec transform-set command.
Examples
The following example defines two transform sets and specifies that they can both be used within a crypto map entry. (This example applies only when IKE is used to establish security associations.
With crypto maps used for manually established security associations, only one transform set can be included in a given crypto map entry.)
crypto ipsec transform-set my_t_set1 esp-des esp-sha-hmac
crypto ipsec transform-set my_t_set2 ah-sha-hmac esp-des esp-sha-hmac
crypto map mymap 10 ipsec-isakmp
 match address 101
 set transform-set my_t_set1 my_t_set2
 set peer 10.0.0.1
 set peer 10.0.0.2
In this example, when traffic matches access list 101, the security association can use either transform set "my_t_set1" (first priority) or "my_t_set2" (second priority) depending on which transform set matches the remote peer’s transform sets.
sgbp aaa authentication
To enable a Stack Group Bidding Protocol (SGBP) authentication list, use the sgbp aaa authentication command in global configuration mode. To disable the SGBP authentication list, use the no form of this command.
sgbp aaa authentication list list-name
no sgbp aaa authentication list list-name
Syntax Description
list list-name  Name of a list of methods of authentication to use.
Command Default
An SGBP authentication list is not enabled.
You must use the same authentication, authorization and accounting (AAA) method list as PPP users.
Command Modes
Global configuration
Command History
Release  Modification
12.3(2)T  This command was introduced.
Usage Guidelines
Use the sgbp aaa authentication command to create a list different from the AAA list that is used by PPP users.
Examples
The following example shows how to create the AAA list "SGBP" that is to be used by SGBP users:
Router(config)# sgbp aaa authentication list SGBP
Related Commands
Command  Description
aaa authentication ppp  Specifies one or more AAA authentication methods for use on serial interfaces that are running PPP.
aaa authentication sgbp  Specifies one or more AAA authentication methods for SGBP.
ppp authentication  Enables at least one PPP authentication protocol and specifies the order in which the protocols are selected on the interface.
show (cs-server)
To display the public key infrastructure (PKI) certificate server configuration, use the show command in certificate server configuration mode.
show
Syntax Description
This command has no arguments or keywords.
Command Modes
Certificate server configuration (cs-server)
Command History
Release  Modification
12.3(4)T  This command was introduced.
Usage Guidelines
You must configure the crypto pki server command with the name of the certificate server in order to enter certificate server configuration mode and configure this command.
Related Commands
Command  Description
auto-rollover  Enables the automated CA certificate rollover functionality.
cdp-url  Specifies a CDP to be used in certificates that are issued by the
certificate server.
crl (cs-server)  Specifies the CRL PKI CS.
crypto pki server  Enables a CS and enters certificate server configuration mode, or immediately generates shadow CA credentials.
database archive  Specifies the CA certificate and CA key archive format--and the password--to encrypt this CA certificate and CA key archive file.
database level  Controls what type of data is stored in the certificate enrollment database.
database url  Specifies the location where database entries for the CS are stored or published.
database username  Specifies the requirement of a username or password to be issued when accessing the primary database location.
default (cs-server)  Resets the value of the CS configuration command to its default.
grant auto rollover  Enables automatic granting of certificate reenrollment requests for a Cisco IOS subordinate CA server or RA mode CA.
grant auto trustpoint  Specifies the CA trustpoint of another vendor from which the Cisco IOS certificate server automatically grants certificate enrollment requests.
grant none  Specifies all certificate requests to be rejected.
grant ra-auto  Specifies that all enrollment requests from an RA be granted automatically.
hash (cs-server)  Specifies the cryptographic hash function the Cisco IOS certificate server uses to sign certificates issued by the CA.
issuer-name  Specifies the DN as the CA issuer name for the CS.
lifetime (cs-server)  Specifies the lifetime of the CA or a certificate.
mode ra  Enters the PKI server into RA certificate server mode.
mode sub-cs  Enters the PKI server into sub-certificate server mode.
redundancy (cs-server)  Specifies that the active CS is synchronized to the standby CS.
serial-number (cs-server)  Specifies whether the router serial number
should be included in the certificate request.
shutdown (cs-server)  Allows a CS to be disabled without removing the configuration.
show (ca-trustpool)
To display the public key infrastructure (PKI) trustpool policy of the router, use the show command in ca-trustpool configuration mode.
show
Syntax Description
This command has no arguments or keywords.
Command Modes
Ca-trustpool configuration (ca-trustpool)
Command History
Release  Modification
15.2(2)T  This command was introduced.
15.1(1)SY  This command was integrated into Cisco IOS 15.1(1)SY.
Usage Guidelines
Before you can use this command, you must enable the crypto pki trustpool policy command, which enters ca-trustpool configuration mode.
Examples
Router(config)# crypto pki trustpool policy
Router(ca-trustpool)# show
 Chain validation will stop at the first CA certificate in the pool
 Trustpool CA certificates will expire 12:58:31 PST Apr 5 2012
 Trustpool policy revocation order: crl
 Certficate matching is disabled
 Policy Overrides:
Related Commands
Command  Description
cabundle url  Configures the URL from which the PKI trustpool CA bundle is downloaded.
chain-validation  Enables chain validation from the peer's certificate to the root CA certificate in the PKI trustpool.
crl  Specifies the CRL query and cache options for the PKI trustpool.
crypto pki trustpool import  Manually imports (downloads) the CA bundle into the PKI trustpool to update or replace the existing CA bundle.
crypto pki trustpool policy  Configures PKI trustpool policy parameters.
default  Resets the value of a ca-trustpool configuration command to its
default.
match  Enables the use of certificate maps for the PKI trustpool.
ocsp  Specifies OCSP settings for the PKI trustpool.
revocation-check  Disables revocation checking when the PKI trustpool policy is being used.
show crypto pki trustpool  Displays the PKI trustpool certificates of the router and optionally shows the PKI trustpool policy.
source interface  Specifies the source interface to be used for CRL retrieval, OCSP status, or the downloading of a CA certificate bundle for the PKI trustpool.
storage  Specifies a file system location where PKI trustpool certificates are stored on the router.
vrf  Specifies the VRF instance to be used for CRL retrieval.
show aaa attributes
To display the mapping between an authentication, authorization, and accounting (AAA) attribute number and the corresponding AAA attribute name, use the show aaa attributes command in EXEC mode.
show aaa attributes [protocol radius]
Syntax Description
protocol radius  (Optional) Displays the mapping between a RADIUS attribute and an AAA attribute name and number.
Command Modes
EXEC
Command History
Release  Modification
12.2(4)T  This command was introduced.
12.2(11)T  The protocol radius keyword was added.
12.3(14)T  T.38 fax relay call statistics were made available to Call Detail Records (CDRs) through Vendor-Specific Attributes (VSAs) and added to the call log.
Examples
The following example is sample output for the show aaa attributes command.
In this example, all RADIUS attributes that have been enabled are displayed.
Router# show aaa attributes protocol radius
AAA ATTRIBUTE LIST:
 Type=1 Name=disc-cause-ext Format=Enum
 Protocol:RADIUS
 Non-Standard Type=195 Name=Ascend-Disconnect-Cau Format=Enum
 Cisco VSA Type=1 Name=Cisco AVpair Format=String
 Type=2 Name=Acct-Status-Type Format=Enum
 Protocol:RADIUS
 IETF Type=40 Name=Acct-Status-Type Format=Enum
 Type=3 Name=acl Format=Ulong
 Protocol:RADIUS
 IETF Type=11 Name=Filter-Id Format=Binary
 Type=4 Name=addr Format=IPv4 Address
 Protocol:RADIUS
 IETF Type=8 Name=Framed-IP-Address Format=IPv4 Addre
 Type=5 Name=addr-pool Format=String
 Protocol:RADIUS
 Non-Standard Type=218 Name=Ascend-IP-Pool Format=Ulong
 Type=6 Name=asyncmap Format=Ulong
 Protocol:RADIUS
 Non-Standard Type=212 Name=Ascend-Asyncmap Format=Ulong
 Type=7 Name=Authentic Format=Enum
 Protocol:RADIUS
 IETF Type=45 Name=Authentic Format=Enum
 Type=8 Name=autocmd Format=String
The following example is sample output for the show aaa attributes command.
In this example, all the T.38 fax relay statistics are displayed.
Router# show aaa attributes
!
Type=485 Name=originating-line-info Format=Ulong
 Type=486 Name=charge-number Format=String
 Type=487 Name=transmission-medium-req Format=Ulong
 Type=488 Name=redirecting-number Format=String
 Type=489 Name=backward-call-indicators Format=String
 Type=490 Name=remote-media-udp-port Format=Ulong
 Type=491 Name=remote-media-id Format=String
 Type=492 Name=supp-svc-xfer-by Format=String
 Type=493 Name=faxrelay-start-time Format=String
 Type=494 Name=faxrelay-max-jit-buf-depth Format=String
 Type=495 Name=faxrelay-jit-buf-ovflow Format=String
 Type=496 Name=faxrelay-mr-hs-mod Format=String
 Type=497 Name=faxrelay-init-hs-mod Format=String
 Type=498 Name=faxrelay-num-pages Format=String
 Type=499 Name=faxrelay-direction Format=String
 Type=500 Name=faxrelay-ecm-in-use Format=String
 Type=501 Name=faxrelay-encap-prot Format=String
 Type=502 Name=faxrelay-nsf-country-code Format=String
 Type=503 Name=faxrelay-nsf-manuf-code Format=String
 Type=504 Name=faxrelay-fax-success Format=String
 Type=505 Name=faxrelay-tx-packets Format=String
 Type=506 Name=faxrelay-rx-packets Format=String
The table below provides an alphabetical listing of the fields displayed in the output of the show aaa attributes command displaying T.38 statistics and a description of each field.
Table 1.
show aaa attributes Field Descriptions
Field  Description
Format=Ulong  Format type is ULong.
Format=String  Format type is string.
Name=backward-call-indicators  Backward call indicator.
Name=charge-number  Charge number.
Name=faxrelay-direction  Direction of fax relay.
Name=faxrelay-ecm-in-use  Error correction mode in use for the fax relay.
Name=faxrelay-encap-prot  Encapsulation protocol for fax relay.
Name=faxrelay-fax-success  Fax relay success.
Name=faxrelay-init-hs-mod  Fax relay initial high-speed modulation.
Name=faxrelay-jit-buf-ovflow  Fax relay jitter buffer overflow.
Name=faxrelay-max-jit-buf-depth  Fax relay maximum jitter buffer depth.
Name=faxrelay-mr-hs-mod  Fax relay most recent high-speed modulation.
Name=faxrelay-num-pages  Fax relay number of fax pages.
Name=faxrelay-nsf-country-code  Fax relay Nonstandard Facilities (NSF) country code.
Name=faxrelay-nsf-manuf-code  Fax relay NSF manufacturer code.
Name=faxrelay-rx-packets  Fax relay received packets.
Name=faxrelay-start-time  Fax relay start time.
Name=faxrelay-tx-packets  Fax relay transmitted packets.
Name=originating-line-info  Originating line information.
Name=redirecting-number  Redirecting number.
Name=remote-media-id  Remote media ID.
Name=remote-media-udp-port  Remote media UDP port.
Name=supp-svc-xfer-by  Supplementary service transfer.
Name=transmission-medium-req  Transmission medium requirement.
Type=  Type of fax relay string.
Related Commands
Command  Description
debug voip aaa  Enables debugging messages for gateway authentication, authorization, and accounting (AAA) to be sent to the system console.
show aaa cache
filterserver
To display the cache status, use the show aaa cache filterserver command in user EXEC or privileged EXEC mode.
show aaa cache filterserver {acl | pending}
Syntax Description
acl  Shows the contents of the access control cache at the last refresh.
pending  Shows the contents of the pending call cache, which references filters that have not received a response from the RADIUS server.
Command Modes
User EXEC (>)
Privileged EXEC (#)
Command History
Release  Modification
12.2(13)T  This command was introduced.
12.2(28)SB  This command was integrated into Cisco IOS Release 12.2(28)SB.
12.4T  The acl and pending keywords were added.
12.2(33)SRC  This command was integrated into Cisco IOS Release 12.2(33)SRC.
Usage Guidelines
The show aaa cache filterserver command shows how many times a particular filter has been referenced or refreshed.
This function may be used in administration to determine which filters are actually being used.
Examples
The following is sample output for the show aaa cache filterserver command using the acl keyword:
Router# show aaa cache filterserver acl
Filter Server Age Expires Refresh Access-Control-Lists
--------------------------------------------------------------------------------
aol 10.2.3.4 0 1440 100 ip in icmp drop
 ip out icmp drop
 ip out forward tcp dstip 10.2.3.4
msn 10.2.3.4 N/A Never 2 ip in tcp drop
msn2 10.2.3.4 N/A Never 2 ip in tcp drop
vone 10.2.3.4 N/A Never 0 ip in tcp drop
The following is sample output for the show aaa cache filterserver command using the pending keyword:
Router# show aaa cache filterserver pending

AAA pending cache:
Filter Age Expires Refresh
--------------------------------------------------------------------------------
myfilter N/A Never N/A call 0x501802D8 (00000085)
The table below describes the significant fields shown in the display.
Table 2.
show aaa cache filterserver Field Descriptions
Field  Description
Filter  Filter name.
Server  RADIUS server IP address.
Age  When to expire a cache entry (in minutes).
Expires  Number of minutes in which a cache entry will expire.
Refresh  Number of times a cache has been refreshed.
Access-Control-Lists  Access control list (ACL) of the server.
Related Commands
Command  Description
aaa authorization cache filterserver  Enables AAA authorization caches and the downloading of ACL configurations from a RADIUS filter server.
show aaa cache group
To display all the cache entries stored by the authentication, authorization, and accounting (AAA) cache, use the show aaa cache group command in privileged EXEC mode.
show aaa cache group name {all | profile name}
Syntax Description
name  Text string representing a cache server group.
all  Displays all server group profile details.
profile name  Displays the specified individual server group profile details.
Command Modes
Privileged EXEC (#)
Command History
Release  Modification
12.2(28)SB  This command was introduced.
12.2(33)SRA  This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2(33)SXI  This command was integrated into Cisco IOS Release 12.2(33)SXI.
12.4(20)T  This command was integrated into Cisco IOS Release 12.4(20)T.
15.0(1)M  This command was integrated into Cisco IOS Release 15.0(1)M.
Cisco IOS XE Release 2.3  This command was integrated into Cisco IOS XE Release 2.3.
Usage Guidelines
Use the show aaa cache group command to display all cache entries for a specific group.
Examples
The following example shows how to display all cache entries for a group.
The fields are self-explanatory.
Router# show aaa cache group sg1
----------------------------------------------------------
 Entries in Profile dB SG1 for exact match
----------------------------------------------------------
Profile: .*user*
Updated: 00:00:33
Parse User: Y
Authen User: Y
 6462F2F0 0 00000001 service-type(253) 4 2
 6462F304 0 00000001 Framed-Protocol(66) 4 1
 6462F318 0 00000009 policy-directive(339) 29 apply service internet_bronze
Profile: .*internet*
Updated: 00:00:33
Parse User: Y
Authen User: Y
 64630088 0 00000001 service-type(253) 4 5
 6463009C 0 00000009 ssg-service-info(350) 16 IBronze Internet
 646300B0 0 00000001 timeout(313) 4 90(5A)
----------------------------------------------------------
 Entries in Profile dB SG1 for regexp match
----------------------------------------------------------
Profile: .*internet*,
Updated: 00:00:33
Parse User: Y
Authen User: Y
 64630088 0 00000001 service-type(253) 4 5
 6463009C 0 00000009 ssg-service-info(350) 16 IBronze Internet
 646300B0 0 00000001 timeout(313) 4 90(5A)
Profile: .*user*,
Updated: 00:00:34
Parse User: Y
Authen User: Y
 6462F2F0 0 00000001 service-type(253) 4 2
 6462F304 0 00000001 Framed-Protocol(66) 4 1
 6462F318 0 00000009 policy-directive(339) 29 apply service internet_bronze
Related Commands
Command  Description
clear aaa cache group  Clears individual entries or all entries in the cache.
debug aaa cache group  Debugs the caching mechanism and ensures that entries are being cached from AAA server responses and are being found when queried.
show aaa common-criteria policy
To
display the common criteria security policy details, use the show aaa common-criteria policy command in privileged EXEC mode.
show aaa common-criteria policy {name policy-name | all}
Syntax Description
name policy-name  Specifies the password security details for a specific policy.
all  Specifies the password security details for all configured policies.
Command Modes
Privileged EXEC (#)
Command History
Release  Modification
15.0(2)SE  This command was introduced.
Usage Guidelines
Use the show aaa common-criteria policy command to display the security policy details for a specific policy or for all configured policies.
Examples
The following is sample output from the show aaa common-criteria policy command:
Device# show aaa common-criteria policy name policy1
Policy name: policy1
Minimum length: 1
Maximum length: 64
Upper Count: 20
Lower Count: 20
Numeric Count: 5
Special Count: 2
Number of character changes 4
Valid forever. User tied to this policy will not expire.

The following is sample output from the show aaa common-criteria policy all command:
Device# show aaa common-criteria policy all
==========================================================
Policy name: policy1
Minimum length: 1
Maximum length: 64
Upper Count: 20
Lower Count: 20
Numeric Count: 5
Special Count: 2
Number of character changes 4
Valid forever. User tied to this policy will not expire.
==========================================================
Policy name: policy2
Minimum length: 1
Maximum length: 34
Upper Count: 10
Lower Count: 5
Numeric Count: 4
Special Count: 2
Number of character changes 4
Valid forever.
User tied to this policy will not expire.
===========================================================

The following table describes the significant fields shown in the display.
Table 3. show aaa common-criteria policy all Field Descriptions
Field  Description
Policy name  Name of the configured security policy.
Minimum length  Minimum length of the password.
Maximum length  Maximum length of the password.
Upper Count  Number of uppercase characters.
Lower Count  Number of lowercase characters.
Numeric Count  Number of numeric characters.
Special Count  Number of special characters.
Number of character changes  Number of changed characters between old and new passwords.
Related Commands
Command  Description
aaa common-criteria policy  Configures an authentication, authorization, and accounting (AAA) common criteria security policy.
debug aaa common-criteria  Enables debugging for AAA common criteria password security policies.
show aaa dead-criteria
To display dead-criteria detection information for an authentication, authorization, and accounting (AAA) server, use the show aaa dead-criteria command in privileged EXEC mode.
show aaa dead-criteria {security-protocol ip-address} [auth-port port-number] [acct-port port-number] [server-group-name]
Syntax Description
security-protocol  Security protocol of the specified AAA server. Currently, the only protocol that is supported is RADIUS.
ip-address  IP address of the specified AAA server.
auth-port  (Optional) Authentication port for the RADIUS server that was specified.
port-number  (Optional) Number of the authentication port.
The default is 1645 (for a RADIUS server).\r\nacct-port (Optional) Accounting port for the RADIUS server that was specified.\r\nport-number (Optional) Number of the accounting port. The default is 1646 (for a RADIUS server).\r\nserver-group-name (Optional) Server group with which the specified server is associated. The default is\r\n\"radius\" (for a RADIUS server).\r\nCommand Default\r\nCurrently, the port-number argument for the auth-port keyword and the port-number argument for the acct-port\r\nkeyword default to 1645 and 1646, respectively. The default for the server-group-name argument is radius.\r\nCommand Modes\r\nPrivileged EXEC\r\nCommand History\r\nRelease Modification\r\n12.3(6) This command was introduced.\r\n12.3(7)T This command was integrated into Cisco IOS Release 12.3(7)T.\r\nUsage Guidelines\r\nMultiple RADIUS servers having the same IP address can be configured on a router. The auth-port and acct-port\r\nkeywords are used to differentiate the servers. The dead-detect interval of a server that is associated with a\r\nspecified server group can be obtained by using the server-group-name keyword. (The dead-detect interval and\r\nretransmit values of a RADIUS server are set on the basis of the server group to which the server belongs. 
The\r\nsame server can be part of multiple server groups.)\r\nExamples\r\nThe following example shows that dead-criteria-detection information has been requested for a RADIUS server at\r\nthe IP address 172.19.192.80:\r\nRouter# show aaa dead-criteria radius 172.19.192.80 radius\r\nRADIUS Server Dead Critieria:\r\n=============================\r\nServer Details:\r\n Address : 172.19.192.80\r\n Auth Port : 1645\r\n Acct Port : 1646\r\nServer Group : radius\r\nDead Criteria Details:\r\n Configured Retransmits : 62\r\n Configured Timeout : 27\r\n Estimated Outstanding Transactions: 5\r\n Dead Detect Time : 25s\r\n Computed Retransmit Tries: 22\r\n Statistics Gathered Since Last Successful Transaction\r\n=====================================================\r\nMax Computed Outstanding Transactions: 5\r\nMax Computed Dead Detect Time: 25s\r\nMax Computed Retransmits : 22\r\nThe \"Max Computed Dead Detect Time\" is displayed in seconds. 
The other fields shown in the display are self-explanatory.\r\nRelated Commands\r\nCommand Description\r\ndebug aaa dead-criteria transactions Displays AAA dead-criteria transaction values.\r\nradius-server dead-criteria Forces one or both of the criteria--used to mark a RADIUS server as dead--to be the indicated constant.\r\nshow aaa server-private Displays the status of all private RADIUS servers.\r\nshow aaa servers Displays information about the number of packets sent to and received from AAA servers.\r\nshow aaa local user lockout\r\nTo display a list of all locked-out users, use the show aaa local user lockout command in privileged EXEC mode.\r\nshow aaa local user lockout\r\nSyntax Description\r\nThis command has no arguments or keywords.\r\nCommand Default\r\nNames of locked-out users are not displayed.\r\nCommand Modes\r\nPrivileged EXEC\r\nCommand History\r\nRelease Modification\r\n12.3(14)T This command was introduced.\r\nUsage Guidelines\r\nThis command can be used only by users having root privilege.\r\nExamples\r\nThe following output of the show aaa local user lockout command illustrates that user1 is locked out:\r\nRouter# show aaa local user lockout\r\n Local-user Lock time\r\n user1 04:28:49 UTC Sat Jun 19 2004\r\nThe fields in the output example are self-explanatory.\r\nRelated Commands\r\nCommand Description\r\naaa local authentication attempts max-fail Specifies the maximum number of unsuccessful authentication attempts before a user is locked out.\r\nclear aaa local user fail-attempts Clears the unsuccessful login attempts of a user.\r\nclear aaa local user lockout Unlocks the locked-out user.\r\nshow aaa memory\r\nTo display AAA data-structure memory tracing information, use the show aaa memory command\r\nin user EXEC or privileged EXEC 
mode.\r\nNote\r\nThe command may cause high load on the device.\r\nshow aaa memory [detailed [component [line]] | stats {all | attr_list | cursor | event | request | summary}]\r\nSyntax Description\r\ndetailed (Optional) Displays information about the status of various AAA data structures actively used\r\nby AAA clients and statistics of data structure usage.\r\ncomponent (Optional) Displays information about a specified component.\r\nline (Optional) Substring to match in the component name.\r\nstats (Optional) Displays data-structure memory statistics.\r\nall (Optional) Displays all data-structure memory statistics.\r\nattr_list (Optional) Displays the attribute list usage statistics.\r\ncursor (Optional) Displays the cursor usage statistics.\r\nevent (Optional) Displays the event usage statistics.\r\nrequest (Optional) Displays the request usage statistics.\r\nsummary (Optional) Displays the data-structure usage summary.\r\nCommand Modes\r\nUser EXEC (\u003e)\r\nPrivileged EXEC (#)\r\nCommand History\r\nRelease Modification\r\n12.4(24)T This command was introduced in a release earlier than IOS Release 12.4(24)T.\r\n12.2(33)SXI This command was integrated into a release earlier than Cisco IOS Release\r\n12.2(33)SXI. The stats keyword is not supported in this release.\r\n12.2(33)SRC This command was integrated into a release earlier than Cisco IOS Release\r\n12.2(33)SRC. 
The stats keyword is not supported in this release.\r\nCisco IOS XE Release 2.1 This command was integrated into Cisco IOS XE Release 2.1.\r\nUsage Guidelines\r\nUse the show aaa memory command to display the status of various AAA data structures actively used by AAA clients and\r\nstatistics of data structure usage.\r\nExamples\r\nThe following is sample output from the show aaa memory detailed command:\r\nRouter# show aaa memory detailed\r\nAAA (accounting) In-use Asked-For/Allocated Count Size Cfg/Max\r\n ----------------------------------------------------------------------------\r\n aaa_acct_rec : -- --/-- -- 72 --/--\r\n aaa_acct_rec_node : -- --/-- -- 24 --/--\r\n AAA (attribute) In-use Asked-For/Allocated Count Size Cfg/Max\r\n ----------------------------------------------------------------------------\r\n aaa_attr : -- --/-- -- 16 --/--\r\n aaa_attr_list : -- --/-- -- 20 --/--\r\n AAA (database) In-use Asked-For/Allocated Count Size Cfg/Max\r\n ----------------------------------------------------------------------------\r\n hash_elt : -- --/-- -- 64 --/--\r\n aaa_acct_db : -- --/-- -- 160 --/--\r\n aaa_db_elt_chunk : 128 61568/912 2 64 2048/0\r\n aaa_uid_hash_table_str : 4096 4096/4148 1 4096 --/--\r\n Total : 4224 65664/5060 3 -- --/--\r\n AAA (misc) In-use Asked-For/Allocated Count Size Cfg/Max\r\n ----------------------------------------------------------------------------\r\n aaa_interface : -- --/-- -- 280 --/--\r\n aaa_idb_name : -- --/-- -- 232 --/--\r\n aaa_general_db : -- --/-- -- 644 --/--\r\n aaa_chunks : -- 0/0 -- 28 200/0\r\n aaa_interface_struct : 560 560/664 2 280 --/--\r\n Total : 560 560/664 2 -- --/--\r\n RADIUS In-use Asked-For/Allocated Count Size Cfg/Max\r\n ----------------------------------------------------------------------------\r\n Total allocated: 0.004 Mb, 5 Kb, 5724 bytes\r\nAAA Low Memory 
Statistics:\r\n__________________________\r\n Authentication low-memory threshold : 3%\r\n Accounting low-memory threshold : 2%\r\n AAA Unique ID Failure : 0\r\n Local server Packet dropped : 0\r\n CoA Packet dropped : 0\r\n PoD Packet dropped : 0\r\nThe following is sample output from the show aaa memory stats all command:\r\nRouter# show aaa memory stats all\r\nAAA Memory trace summary:\r\n--------------------------------------------------------------------------------\r\nTYPE mallocs frees failures active max-usage\r\n--------------------------------------------------------------------------------\r\nAAA_ATTR_L 41 40 0 1 6\r\nAAA_CURSOR 88 88 0 0 2\r\nAAA_EVENT 5 5 0 0 1\r\nAAA_REQUES 2 2 0 0 1\r\n--------------------------------------------------------------------------------\r\nAAA_ATTR_LIST data-structure active allocations trace:\r\n-----------------------------------------------------------------\r\n Allocator-PC AAA API Active Mallocs\r\n-----------------------------------------------------------------\r\n 0x01956360 aaa_attr_list_alloc 1\r\n-----------------------------------------------------------------\r\nAAA_CURSOR data-structure active allocations trace:\r\n-----------------------------------------------------------------\r\n Allocator-PC AAA API Active Mallocs\r\n-----------------------------------------------------------------\r\n-----------------------------------------------------------------\r\nAAA_EVENT data-structure active allocations trace:\r\n-----------------------------------------------------------------\r\n Allocator-PC AAA API Active Mallocs\r\n-----------------------------------------------------------------\r\n-----------------------------------------------------------------\r\nAAA_REQUEST data-structure active allocations trace:\r\n-----------------------------------------------------------------\r\n 
Allocator-PC AAA API Active Mallocs\r\n-----------------------------------------------------------------\r\n-----------------------------------------------------------------\r\nThe table below describes the significant fields in the display.\r\nTable 4. show aaa memory stats all Field Descriptions\r\nField Description\r\nTYPE AAA data structure type.\r\nmallocs Total number of data structures allocated.\r\nfrees Total number of data structures freed.\r\nfailures Total number of data structure allocations that failed.\r\nactive Total number of actively used data structures.\r\nmax-usage Maximum number of active allocations of the data structure at any point.\r\nThe following is sample output from the show aaa memory stats command with the attr_list keyword:\r\nRouter# show aaa memory stats attr_list\r\nAAA_ATTR_LIST data-structure active allocations trace:\r\n-----------------------------------------------------------------\r\n Allocator-PC AAA API Active Mallocs\r\n-----------------------------------------------------------------\r\n 0x01956360 aaa_attr_list_alloc 1\r\n-----------------------------------------------------------------\r\nThe table below describes the significant fields in the display.\r\nTable 5. 
show aaa memory stats attr_list Field Descriptions\r\nField Description\r\nAllocator-PC AAA client that allocated an active data structure.\r\nAAA API AAA API called by the client for an actively allocated data structure.\r\nActive Mallocs Number of active allocations from a client PC.\r\nThe following is sample output from the show aaa memory stats cursor command:\r\nRouter# show aaa memory stats cursor\r\nAAA_CURSOR data-structure active allocations trace:\r\n-----------------------------------------------------------------\r\n Allocator-PC AAA API Active Mallocs\r\n-----------------------------------------------------------------\r\nThe following is sample output from the show aaa memory stats event command:\r\nRouter# show aaa memory stats event\r\nAAA_EVENT data-structure active allocations trace:\r\n-----------------------------------------------------------------\r\n Allocator-PC AAA API Active Mallocs\r\n-----------------------------------------------------------------\r\n-----------------------------------------------------------------\r\nThe following is sample output from the show aaa memory stats request command:\r\nRouter# show aaa memory stats request\r\nAAA_REQUEST data-structure active allocations trace:\r\n-----------------------------------------------------------------\r\n Allocator-PC AAA API Active Mallocs\r\n-----------------------------------------------------------------\r\n-----------------------------------------------------------------\r\nshow aaa method-lists\r\nTo display all the named method lists defined in the authentication, authorization, and accounting (AAA)\r\nsubsystem, use the show aaa method-lists command in user EXEC or privileged EXEC mode.\r\nshow aaa method-lists {accounting | all | authentication | authorization}\r\nSyntax Description\r\naccounting Displays method lists defined for accounting 
services.\r\nall Displays method lists defined for all services.\r\nauthentication Displays method lists defined for authentication services.\r\nauthorization Displays method lists defined for authorization services.\r\nCommand Modes\r\nUser EXEC (\u003e)\r\nPrivileged EXEC (#)\r\nCommand History\r\nRelease Modification\r\n12.2(8)T This command was introduced.\r\n12.2(33)SRA This command was integrated into Cisco IOS Release 12.2(33)SRA.\r\n12.2(33)SXH This command was integrated into Cisco IOS Release 12.2(33)SXH.\r\nCisco IOS XE Release 2.1 This command was integrated into Cisco IOS XE Release 2.1.\r\nExamples\r\nThe following example shows how to display method lists for the accounting services:\r\nRouter# show aaa method-lists accounting\r\nacct queue=AAA_ML_ACCT_SHELL\r\nname=Permanent None valid=TRUE id=0 Action=NOT_SET :state=ALIVE\r\nacct queue=AAA_ML_ACCT_AUTH_PROXY\r\n name=default valid=TRUE id=0 Action=START STOP :state=DEAD : SERVER_GROUP tac+\r\nacct queue=AAA_ML_ACCT_NET\r\n name=methodtest valid=TRUE id=BA000002 Action=START STOP :state=DEAD :\r\n name=tunnel valid=TRUE id=48000003 Action=START STOP :state=DEAD : SERVER_GROs\r\n name=session valid=TRUE id=5C000004 Action=START STOP :state=DEAD : SERVER_GRs\r\nacct queue=AAA_ML_ACCT_CONN\r\nacct queue=AAA_ML_ACCT_SYSTEM\r\n name= valid=TRUE id=82000005 Action=START STOP :state=DEAD : SERVER_GROUP rads\r\nacct queue=AAA_ML_ACCT_RESOURCE\r\nacct queue=AAA_ML_ACCT_RM\r\npermanent lists\r\nThe table below describes the significant fields shown in the display.\r\nTable 6. 
show aaa method-lists accounting Field Descriptions\r\nField Description\r\nacct queue Specifies the type of service for which the method lists are defined.\r\nname Name of the method list for the specified AAA service.\r\nvalid Identifies the validity of the method list.\r\nid A unique identifier for the specified AAA method list.\r\nAction Specifies the type of action to be performed on accounting records. One of the\r\nfollowing types of actions is displayed: Start-stop, Stop-only or None.\r\nstate Describes the current state of the AAA server. There are two possible states:\r\nDEAD--Indicates that the server is currently presumed dead and, in the case of\r\nfailovers, this server will be skipped unless it is the last server in the group.\r\nALIVE--Indicates that the server is currently considered alive and attempts will\r\nbe made to communicate with it.\r\nSERVER_GROUP Name of the server group, RADIUS hosts or TACACS+ hosts.\r\nThe following example shows how to display method lists for authentication services.\r\nThe fields shown in the display are described in the table above.\r\nRouter# show aaa method-lists authentication\r\nauthen queue=AAA_ML_AUTHEN_LOGIN\r\n name=default valid=TRUE id=0 :state=DEAD : SERVER_GROUP radius\r\nauthen queue=AAA_ML_AUTHEN_ENABLE\r\n name=default valid=TRUE id=0 :state=ALIVE : SERVER_GROUP tacacs+ ENABLE NONE\r\nauthen queue=AAA_ML_AUTHEN_PPP\r\nauthen queue=AAA_ML_AUTHEN_SGBP\r\nauthen queue=AAA_ML_AUTHEN_ARAP\r\n name=default valid=TRUE id=0 :state=DEAD : SERVER_GROUP tacacs+\r\n name=MIS-access valid=TRUE id=FF000006 :state=DEAD : SERVER_GROUP tacacs+\r\nauthen queue=AAA_ML_AUTHEN_DOT1X\r\n name=default valid=TRUE id=0 :state=DEAD : SERVER_GROUP radius\r\nauthen queue=AAA_ML_AUTHEN_EAPOUDP\r\n name=default valid=TRUE id=0 :state=ALIVE : ENABLE SERVER_GROUP 
radius\r\nauthen queue=AAA_ML_AUTHEN_8021X\r\npermanent lists\r\n name=Permanent Enable None valid=TRUE id=0 :state=ALIVE : ENABLE NONE\r\n name=Permanent Enable valid=TRUE id=0 :state=ALIVE : ENABLE\r\n name=Permanent None valid=TRUE id=0 :state=ALIVE : NONE\r\n name=Permanent Local valid=TRUE id=0 :state=ALIVE : LOCAL\r\nThe following example shows how to display method lists for authorization services. The fields shown in the display are described in the table above.\r\nRouter# show aaa method-lists authorization\r\nauthor queue=AAA_ML_AUTHOR_SHELL\r\nauthor queue=AAA_ML_AUTHOR_NET\r\n name=method1 valid=TRUE id=12000001 :state=ALIVE : NONE\r\n name=mygroup valid=TRUE id=6D000007 :state=ALIVE : SERVER_GROUP radius LOCAL\r\n name=list11 valid=TRUE id=6C000009 :state=DEAD : SERVER_GROUP radius\r\nauthor queue=AAA_ML_AUTHOR_CONN\r\n name=default valid=TRUE id=0 :state=ALIVE : SERVER_GROUP tacacs+\r\nauthor queue=AAA_ML_AUTHOR_IPMOBILE\r\nauthor queue=AAA_ML_AUTHOR_RM\r\nauthor queue=AAA_ML_AUTHOR_CONFIG\r\nauthor queue=AAA_ML_AUTHOR_AUTH_PROXY\r\n name=default valid=TRUE id=0 :state=ALIVE : SERVER_GROUP tacacs+\r\nauthor queue=AAA_ML_AUTHOR_PREAUTH\r\nauthor queue=AAA_ML_AUTHOR_FLTSV\r\n name=default valid=TRUE id=0 :state=DEAD : SERVER_GROUP grp1\r\n name=group valid=TRUE id=48000008 :state=ALIVE : SERVER_GROUP tacacs+ NONE\r\npermanent lists\r\n name=local-list valid=TRUE id=0 :state=ALIVE : LOCAL\r\nThe following example shows how to display method lists for all the services. 
The fields shown in the display are described in the table above.\r\nRouter# show aaa method-lists all\r\nauthen queue=AAA_ML_AUTHEN_LOGIN\r\n name=default valid=TRUE id=0 :state=ALIVE : SERVER_GROUP tacacs+\r\nauthen queue=AAA_ML_AUTHEN_ENABLE\r\n name=default valid=TRUE id=0 :state=ALIVE : SERVER_GROUP tacacs+ ENABLE NONE\r\nauthen queue=AAA_ML_AUTHEN_PPP\r\nauthen queue=AAA_ML_AUTHEN_SGBP\r\nauthen queue=AAA_ML_AUTHEN_ARAP\r\n name=default valid=TRUE id=0 :state=ALIVE : SERVER_GROUP tacacs+\r\n name=MIS-access valid=TRUE id=FF000006 :state=ALIVE : SERVER_GROUP tacacs+\r\nauthen queue=AAA_ML_AUTHEN_DOT1X\r\n name=default valid=TRUE id=0 :state=DEAD : SERVER_GROUP radius\r\nauthen queue=AAA_ML_AUTHEN_EAPOUDP\r\n name=default valid=TRUE id=0 :state=ALIVE : ENABLE SERVER_GROUP radius\r\nauthen queue=AAA_ML_AUTHEN_8021X\r\npermanent lists\r\n name=Permanent Enable None valid=TRUE id=0 :state=ALIVE : ENABLE NONE\r\n name=Permanent Enable valid=TRUE id=0 :state=ALIVE : ENABLE\r\n name=Permanent None valid=TRUE id=0 :state=ALIVE : NONE\r\n name=Permanent Local valid=TRUE id=0 :state=ALIVE : LOCAL\r\nauthor queue=AAA_ML_AUTHOR_SHELL\r\nauthor queue=AAA_ML_AUTHOR_NET\r\n name=method1 valid=TRUE id=12000001 :state=ALIVE : NONE\r\n name=mygroup valid=TRUE id=6D000007 :state=ALIVE : SERVER_GROUP radius LOCAL\r\n name=list11 valid=TRUE id=6C000009 :state=DEAD : SERVER_GROUP radius\r\nauthor queue=AAA_ML_AUTHOR_CONN\r\n name=default valid=TRUE id=0 :state=ALIVE : SERVER_GROUP tacacs+\r\nauthor queue=AAA_ML_AUTHOR_IPMOBILE\r\nauthor queue=AAA_ML_AUTHOR_RM\r\nauthor queue=AAA_ML_AUTHOR_CONFIG\r\nauthor queue=AAA_ML_AUTHOR_AUTH_PROXY\r\n name=default valid=TRUE id=0 :state=ALIVE : SERVER_GROUP tacacs+\r\nauthor queue=AAA_ML_AUTHOR_PREAUTH\r\nauthor queue=AAA_ML_AUTHOR_FLTSV\r\n name=default valid=TRUE id=0 :state=DEAD : SERVER_GROUP 
grp1\r\n name=group valid=TRUE id=48000008 :state=ALIVE : SERVER_GROUP tacacs+ NONE\r\npermanent lists\r\n name=local-list valid=TRUE id=0 :state=ALIVE : LOCAL\r\nacct queue=AAA_ML_ACCT_SHELL\r\nacct queue=AAA_ML_ACCT_AUTH_PROXY\r\n name=default valid=TRUE id=0 Action=START STOP :state=ALIVE : SERVER_GROUP ta+\r\nacct queue=AAA_ML_ACCT_NET\r\n name=methodtest valid=TRUE id=BA000002 Action=START STOP :state=DEAD :\r\n name=tunnel valid=TRUE id=48000003 Action=START STOP :state=DEAD : SERVER_GROs\r\n name=session valid=TRUE id=5C000004 Action=START STOP :state=DEAD : SERVER_GRs\r\nacct queue=AAA_ML_ACCT_CONN\r\nacct queue=AAA_ML_ACCT_SYSTEM\r\n name= valid=TRUE id=82000005 Action=START STOP :state=DEAD : SERVER_GROUP rads\r\nacct queue=AAA_ML_ACCT_RESOURCE\r\nacct queue=AAA_ML_ACCT_RM\r\npermanent lists\r\n name=Permanent None valid=TRUE id=0 Action=NOT_SET :state=ALIVE\r\nRelated Commands\r\nCommand Description\r\naaa accounting Enables AAA accounting of requested services for billing or security purposes when you use RADIUS or TACACS+.\r\naaa authentication arap Enables an AAA authentication method for ARA.\r\naaa authorization Sets parameters that restrict user access to a network.\r\nshow aaa service-profiles\r\nTo display the service profiles downloaded and stored by an authentication, authorization, and accounting (AAA)\r\nsession, use the show aaa service-profiles command in user EXEC or privileged EXEC mode.\r\nshow aaa service-profiles\r\nSyntax Description\r\nThis command has no arguments or keywords.\r\nCommand Modes\r\nUser EXEC (\u003e)\r\nPrivileged EXEC (#)\r\nCommand History\r\nRelease Modification\r\n15.0(1)S This command was introduced.\r\nExamples\r\nThe following is sample output from the show aaa service-profiles command. 
The field description is self-explanatory.\r\nRouter# show aaa service-profiles\r\nService Name: example.com\r\nRelated Commands\r\nCommand Description\r\naaa service-profiles Configures the service profile parameters for an AAA session.\r\nshow aaa servers\r\nTo display the status and number of packets that are sent to and received from all public and private\r\nauthentication, authorization, and accounting (AAA) RADIUS servers as interpreted by the AAA Server MIB, use\r\nthe show aaa servers command in user EXEC or privileged EXEC mode.\r\nshow aaa servers [private | public]\r\nSyntax Description\r\nprivate (Optional) Displays private AAA servers only, which are also displayed by the AAA Server MIB.\r\npublic (Optional) Displays public AAA servers only, which are also displayed by the AAA Server MIB.\r\nCommand Modes\r\nUser EXEC (\u003e)\r\nPrivileged EXEC (#)\r\nCommand History\r\nRelease Modification\r\n12.2(6)T This command was introduced.\r\n12.3(7)T This command was integrated into Cisco IOS Release 12.3(7)T.\r\n12.2(33)SRE This command was integrated into Cisco IOS Release 12.2(33)SRE.\r\n15.1(1)S This command was modified. Support for private RADIUS servers in CISCO-AAA-SERVER-MIB was added.\r\n15.1(4)M This command was modified. Support for private RADIUS servers in CISCO-AAA-SERVER-MIB was added.\r\n15.2(4)S1 This command was modified. 
Support for displaying the estimated outstanding and throttled\r\ntransactions (access and accounting) in the command output was added.\r\nUsage Guidelines\r\nOnly RADIUS servers are supported by the show aaa servers command.\r\nThe command displays information about packets sent and received for all AAA transaction types--authentication,\r\nauthorization, and accounting.\r\nExamples\r\nThe following is sample output from the show aaa servers private command. Only the first four lines of the\r\ndisplay pertain to the status of private RADIUS servers, and the output fields in this part of the display are\r\ndescribed in the table below.\r\nRouter# show aaa servers private\r\nRADIUS: id 24, priority 1, host 172.31.164.120, auth-port 1645, acct-port 1646\r\n State: current UP, duration 375742s, previous duration 0s\r\n Dead: total time 0s, count 0\r\n Quarantined: No\r\n Authen: request 5, timeouts 1, failover 0, retransmission 1\r\n Response: accept 4, reject 0, challenge 0\r\n Response: unexpected 0, server error 0, incorrect 0, time 14ms\r\n Transaction: success 4, failure 0\r\n Throttled: transaction 0, timeout 0, failure 0\r\n Author: request 0, timeouts 0, failover 0, retransmission 0\r\n Response: accept 0, reject 0, challenge 0\r\n Response: unexpected 0, server error 0, incorrect 0, time 0ms\r\n Transaction: success 0, failure 0\r\n Throttled: transaction 0, timeout 0, failure 0\r\n Account: request 5, timeouts 0, failover 0, retransmission 0\r\n Request: start 3, interim 0, stop 2\r\n Response: start 3, interim 0, stop 2\r\n Response: unexpected 0, server error 0, incorrect 0, time 12ms\r\n Transaction: success 5, failure 0\r\n Throttled: transaction 0, timeout 0, failure 0\r\n Elapsed time since counters last cleared: 4d8h22m\r\n Estimated Outstanding Access Transactions: 0\r\n Estimated Outstanding Accounting Transactions: 0\r\n 
Estimated Throttled Access Transactions: 0\r\n Estimated Throttled Accounting Transactions: 0\r\n Maximum Throttled Transactions: access 0, accounting 0\r\n Requests per minute past 24 hours:\r\n high - 8 hours, 22 minutes ago: 0\r\n low - 8 hours, 22 minutes ago: 0\r\n average: 0\r\nThe table below describes the significant fields in the display.\r\nTable 7. show aaa servers Field Descriptions\r\nField Description\r\nid A unique identifier for all AAA servers defined on the router.\r\npriority Order of use for servers within a group.\r\nhost IP address of the private RADIUS server host.\r\nauth-port UDP destination port on the AAA server that is used for authentication and authorization\r\nrequests. The default value is 1645.\r\nacct-port UDP destination port on the AAA server that is used for accounting requests. The default value\r\nis 1646.\r\nState Describes the current state of the AAA server; the duration, in seconds, that the server has been\r\nin that state; and the duration, in seconds, that the server was in the previous state.\r\nThe following states are possible:\r\nDEAD--Indicates that the server is currently down and, in the case of failovers, this\r\nserver will be omitted unless it is the last server in the group.\r\nduration--Indicates the amount of time the server is assumed to be in the current state,\r\neither UP or DEAD.\r\nprevious duration--Indicates the amount of time the server was considered to be in the\r\nprevious state.\r\nUP--Indicates that the server is currently considered alive and attempts will be made to\r\ncommunicate with it.\r\nDead Indicates the number of times that this server has been marked dead, and the cumulative\r\namount of time, in seconds, that it spent in that state.\r\nAuthen Provides information about authentication packets that were sent to and received 
from the\r\nserver, and authentication transactions that were successful or that failed. The following\r\ninformation may be reported in this field:\r\nrequest--Number of authentication requests that were sent to the AAA server.\r\ntimeouts--Number of timeouts (no responses) that were observed when a transmission\r\nwas sent to this server.\r\nResponse--Provides statistics about responses that were observed from this server and\r\nincludes the following reports:\r\nunexpected--Number of unexpected responses. A response is considered\r\nunexpected when it is received after the timeout period for the packet has\r\nexpired. This may happen if the link to the server is severely congested, for\r\nexample. An unexpected response can also be produced when a server generates\r\na response for no apparent reason.\r\nserver error--Number of server errors. This category is a “catchall” for error\r\npackets that do not fall into one of the previous categories.\r\nincorrect--Number of incorrect responses. A response is considered incorrect if it\r\nis in a format other than the one expected by the protocol. This frequently\r\nhappens when an incorrect server key is configured on the router.\r\ntime--Time (in milliseconds) taken to respond to an authentication packet.\r\nTransaction: These fields provide information about authentication, authorization, and\r\naccounting transactions related to the server. A transaction is defined as a request for\r\nauthentication, authorization, or accounting information that is sent by the AAA\r\nmodule, or by an AAA client (such as PPP) to an AAA protocol (RADIUS or\r\nTACACS+), which may involve multiple packet transmissions and retransmissions.\r\nTransactions may require packet retransmissions to one or more servers in a single\r\nserver group, to verify success or failure. 
Success or failure is reported to AAA by the\r\nRADIUS and TACACS+ protocols as follows:\r\nsuccess--Incremented when a transaction is successful.\r\nfailure--Incremented when a transaction fails; for example, packet\r\nretransmissions to another server in the server group failed or did not succeed. A\r\nnegative response to an Access-Request, such as Access-Reject, is considered to\r\nbe a successful transaction.\r\nAuthor The fields in this category are similar to those in the Authen: fields. An important difference,\r\nhowever, is that because authorization information is carried in authentication packets for the\r\nRADIUS protocol, these fields are not incremented when using RADIUS.\r\nAccount The fields in this category are similar to those in the Authen: fields, but provide accounting\r\ntransaction and packet statistics.\r\nElapsed time since counters last cleared Displays the time in days, hours, and minutes that have passed since the counters were last\r\ncleared.\r\nNote\r\nIn case of Intelligent Services Gateway (ISG), the estimated outstanding accounting transactions will\r\ntake some time to become zero. This is because there is a constant churn in the interim accounting\r\nrequests.\r\nThe fields in the output of the show aaa servers command are mapped to Simple Network Management Protocol\r\n(SNMP) objects in the Cisco AAA-SERVER-MIB and are used in SNMP reporting. 
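The field-to-MIB mapping described here, as an added example that is not from the Cisco documentation: a Python parser that turns the show aaa servers output above into a dictionary keyed by the CISCO-AAA-SERVER-MIB object names listed on this page (casIndex, casAuthenRequestTimeouts, and so on) and applies three defender-side checks drawn from the field descriptions (DEAD state, incorrect responses as a sign of a wrong shared key, excessive timeouts). The second server entry in the sample and the 20% timeout threshold are constructed assumptions.

```python
import re

# Constructed sample input: the first entry is the `show aaa servers private`
# output from this page (trimmed); the second entry is constructed to
# exercise the checks and is not from the Cisco documentation.
SAMPLE_OUTPUT = """\
RADIUS: id 24, priority 1, host 172.31.164.120, auth-port 1645, acct-port 1646
     State: current UP, duration 375742s, previous duration 0s
     Dead: total time 0s, count 0
     Quarantined: No
     Authen: request 5, timeouts 1, failover 0, retransmission 1
          Response: accept 4, reject 0, challenge 0
          Response: unexpected 0, server error 0, incorrect 0, time 14ms
          Transaction: success 4, failure 0
          Throttled: transaction 0, timeout 0, failure 0
     Account: request 5, timeouts 0, failover 0, retransmission 0
          Request: start 3, interim 0, stop 2
          Response: start 3, interim 0, stop 2
          Response: unexpected 0, server error 0, incorrect 0, time 12ms
          Transaction: success 5, failure 0
     Elapsed time since counters last cleared: 4d8h22m
RADIUS: id 25, priority 2, host 192.0.2.10, auth-port 1645, acct-port 1646
     State: current DEAD, duration 120s, previous duration 3600s
     Dead: total time 900s, count 3
     Authen: request 40, timeouts 12, failover 2, retransmission 12
          Response: accept 20, reject 0, challenge 0
          Response: unexpected 0, server error 0, incorrect 8, time 30ms
          Transaction: success 20, failure 8
"""

# Output block name -> MIB object prefix, following the mapping on this page.
SECTION_PREFIX = {"Authen": "casAuthen", "Author": "casAuthor", "Account": "casAcct"}
_HEADER = re.compile(r"RADIUS: id (\d+), priority (\d+), host (\S+), "
                     r"auth-port (\d+), acct-port (\d+)")


def _counters(text):
    """Parse 'key value, key value' into {key: int}; units (s, ms) are dropped
    and non-numeric chunks such as 'current UP' are skipped."""
    out = {}
    for chunk in text.split(","):
        m = re.match(r"\s*([A-Za-z ]+?)\s+(\d+)(?:ms|s)?\s*$", chunk)
        if m:
            out[m.group(1).strip()] = int(m.group(2))
    return out


def parse_aaa_servers(output):
    """Return one dict per RADIUS server, keyed by casXxx object names."""
    servers, cur, prefix = [], None, None
    for raw in output.splitlines():
        line = raw.strip()
        m = _HEADER.match(line)
        if m:  # first line of a server entry: id, priority, host, ports
            cur = {"casIndex": int(m.group(1)), "casPriority": int(m.group(2)),
                   "casAddress": m.group(3), "casAuthenPort": int(m.group(4)),
                   "casAcctPort": int(m.group(5))}
            servers.append(cur)
            prefix = None
            continue
        if cur is None:
            continue
        head, _, rest = line.partition(":")
        kv = _counters(rest)
        if head == "State":
            cur["casState"] = re.search(r"current (\w+)", rest).group(1)
            cur["casCurrentStateDuration"] = kv["duration"]
            cur["casPreviousStateDuration"] = kv["previous duration"]
        elif head == "Dead":
            cur["casTotalDeadTime"] = kv["total time"]
            cur["casDeadCount"] = kv["count"]
        elif head in SECTION_PREFIX:  # Authen / Author / Account block starts
            prefix = SECTION_PREFIX[head]
            cur[prefix + "Requests"] = kv["request"]
            cur[prefix + "RequestTimeouts"] = kv["timeouts"]
        elif prefix and head == "Response" and "unexpected" in kv:
            # the second Response: line of a block carries the error counters
            cur[prefix + "UnexpectedResponses"] = kv["unexpected"]
            cur[prefix + "ServerErrorResponses"] = kv["server error"]
            cur[prefix + "IncorrectResponses"] = kv["incorrect"]
            cur[prefix + "ResponseTime"] = kv["time"]
        elif prefix and head == "Transaction":
            cur[prefix + "TransactionSuccesses"] = kv["success"]
            cur[prefix + "TransactionFailures"] = kv["failure"]
    return servers


def assess(server, timeout_ratio=0.2):
    """Checks drawn from the field descriptions on this page; the 20% timeout
    threshold is an assumption, not a Cisco recommendation."""
    findings = []
    if server.get("casState") != "UP":
        findings.append("state %s: skipped on failover unless last in group"
                        % server.get("casState"))
    if server.get("casAuthenIncorrectResponses", 0) > 0:
        findings.append("incorrect responses: verify the shared key on the router")
    reqs = server.get("casAuthenRequests", 0)
    if reqs and server.get("casAuthenRequestTimeouts", 0) / reqs > timeout_ratio:
        findings.append("authentication timeouts above %d%% of requests"
                        % (timeout_ratio * 100))
    return findings
```

Run `parse_aaa_servers` on captured output and feed each entry to `assess`; an empty list means the server passed all three checks.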
The first line of the sample\r\noutput of the show aaa servers command (RADIUS: id 24, priority 1, host 172.31.164.120, auth-port 1645, acct-port 1646) is mapped to the Cisco AAA-SERVER-MIB as follows:\r\nid maps to casIndex\r\npriority maps to casPriority\r\nhost maps to casAddress\r\nauth-port maps to casAuthenPort\r\nacct-port maps to casAcctPort\r\nThe following objects listed in the Cisco AAA-SERVER-MIB map more directly to fields displayed by the show\r\naaa servers command. For example, the casAuthenRequests object corresponds to the\r\nAuthen: request portion of the report, casAuthenRequestTimeouts corresponds to the Authen: timeouts portion of\r\nthe report, and so on.\r\ncasAuthenRequests\r\ncasAuthenRequestTimeouts\r\ncasAuthenUnexpectedResponses\r\ncasAuthenServerErrorResponses\r\ncasAuthenIncorrectResponses\r\ncasAuthenResponseTime\r\ncasAuthenTransactionSuccesses\r\ncasAuthenTransactionFailures\r\ncasAuthorRequests\r\ncasAuthorRequestTimeouts\r\ncasAuthorUnexpectedResponses\r\ncasAuthorServerErrorResponses\r\ncasAuthorIncorrectResponses\r\ncasAuthorResponseTime\r\ncasAuthorTransactionSuccesses\r\ncasAuthorTransactionFailures\r\ncasAcctRequests\r\ncasAcctRequestTimeouts\r\ncasAcctUnexpectedResponses\r\ncasAcctServerErrorResponses\r\ncasAcctIncorrectResponses\r\ncasAcctResponseTime\r\ncasAcctTransactionSuccesses\r\ncasAcctTransactionFailures\r\ncasState\r\ncasCurrentStateDuration\r\ncasPreviousStateDuration\r\ncasTotalDeadTime\r\ncasDeadCount\r\nTo locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator\r\nfound at the following URL: http://www.cisco.com/go/mibs.\r\nRelated Commands\r\nCommand Description\r\nradius-server dead-criteria Forces one or both of the criteria--used to mark a RADIUS server as dead--to be\r\nthe indicated 
constant.\r\nserver-private Associates a particular private RADIUS server with a defined server group.\r\nshow aaa subscriber profile\r\nTo display all the subscriber profiles under the specified namestring in the authentication, authorization, and\r\naccounting (AAA) subsystem, use the show aaa subscriber profile command in user EXEC or privileged EXEC\r\nmode.\r\nshow aaa subscriber profile profile-name\r\nSyntax Description\r\nprofile-name The AAA subscriber profile name.\r\nCommand Modes\r\nUser EXEC (\u003e)\r\nPrivileged EXEC (#)\r\nCommand History\r\nRelease Modification\r\n12.2(8)T This command was introduced.\r\n12.2(31)SB1 This command was integrated into Cisco IOS Release 12.2(31)SB1.\r\n12.2(33)SXH This command was integrated into Cisco IOS Release 12.2(33)SXH.\r\nUsage Guidelines\r\nThis command displays all the subscriber profile CLIs under the specified namestring. 
If no namestring is\r\nspecified, all the subscriber profiles in the subscriber profile database will be displayed.\r\nExamples\r\nThe following example shows how to display subscriber profile information:\r\nRouter# show aaa subscriber profile db\r\n----------------------------------------------------------\r\n Entries in Profile dB subscribers for exact match\r\n----------------------------------------------------------\r\nProfile: prof1\r\nUpdated: 00:00:55\r\nParse User: N\r\nAuthen User: N\r\nQuery Count: 4\r\n 6897DBDC 0 0000000A service-name(381) 8 service1, service none, protocol ne\r\n----------------------------------------------------------\r\n Entries in Profile dB subscribers for regexp match\r\n----------------------------------------------------------\r\nNo entries found for regexp match\r\nThe table below describes the significant fields shown in the display.\r\nTable 8. show aaa subscriber profile Descriptions\r\nField Description\r\nProfile Indicates the subscriber profile specified.\r\nUpdated Time elapsed since the profile was last updated.\r\nParse User Identifies this entry as a regexp.\r\nAuthen User Identifies whether matches on this entry require authentication.\r\nQuery Count Usage counters. 
Indicates the number of times Profile dB successfully found an entry when\r\nqueried.\r\nRelated Commands\r\nCommand Description\r\naaa authorization subscriber-service Configures local subscriber profiles which are used after the existing\r\nmethods are exhausted.\r\nsubscriber profile Configures service-related information under a particular subscriber profile.\r\nshow aaa user\r\nTo display attributes related to an authentication, authorization, and accounting (AAA) session, use the show aaa\r\nuser command in privileged EXEC mode.\r\nshow aaa user {all | unique-id}\r\nSyntax Description\r\nall Displays information about all users of which AAA currently has knowledge.\r\nunique-id Displays information about this user only.\r\nCommand Modes\r\nPrivileged EXEC (#)\r\nCommand History\r\nRelease Modification\r\n12.2(4)T This command was introduced.\r\n12.2(31)ZV1\r\nThis command was modified to display the user name first and then the accounting\r\ndata and was implemented on the Cisco 10000 series router for the PRE3.\r\nCisco IOS XE Release 2.4 This command was integrated into Cisco IOS XE Release 2.4.\r\nUsage Guidelines\r\nWhen a user logs into a Cisco router and uses AAA, a unique ID is assigned to the session. Throughout the life of\r\nthe session, various attributes that are related to the session are collected and stored internally within a AAA\r\ndatabase. 
These attributes can include the IP address of the user, the protocol being used to access the router (such\r\nas PPP or Serial Line Internet Protocol [SLIP]), the speed of the connection, and the number of packets or bytes\r\nthat are received or transmitted.\r\nThe output of this command:\r\nProvides a snapshot of various subdatabases that are associated with a AAA unique ID. Some of the more\r\nimportant ones are listed in the table below.\r\nShows various AAA call events that are associated with a particular session. For example, when a session\r\ncomes up, the events generally recorded are CALL START, NET UP, and IP Control Protocol UP (IPCP\r\nUP).\r\nProvides a snapshot of the dynamic attributes that are associated with a particular session. (Dynamic\r\nattributes are those that keep changing values throughout the life of the session.) Some of the more\r\nimportant ones are listed in the table below.\r\nThe unique ID of a session can be obtained from the output of the show aaa sessions command.\r\nNote\r\nThis command does not provide information for all users who are logged into a device, but only for\r\nthose who have been authenticated or authorized using AAA or only for those whose sessions are\r\nbeing accounted for by the AAA module.\r\nNote\r\nWhen you use the all keyword, a large amount of output may be produced, depending on the number\r\nof users who are logged into the device at any time.\r\nExamples\r\nThe following example shows that information is requested for all users:\r\nRouter# show aaa user all\r\nThe following example shows that information is requested for user 5:\r\nRouter# show aaa user 5\r\nThe following is sample output from the show aaa user command. 
The session information displayed is for a PPP\r\nover Ethernet over Ethernet (PPPoEoE) session.\r\nRouter# show aaa user 3\r\nLoad for five secs: 0%/0%; one minute: 0%; five minutes: 0%\r\nTime source is hardware calendar, *20:32:49.199 PST Wed Dec 17\r\n2003\r\n Unique id 3 is currently in use.\r\n Accounting:\r\n log=0x20C201\r\n Events recorded :\r\n CALL START\r\n NET UP\r\n IPCP_PASS\r\n INTERIM START\r\n VPDN NET UP\r\n update method(s) :\r\n NONE\r\n update interval = 0\r\n Outstanding Stop Records : 0\r\n Dynamic attribute list:\r\n 63CCF138 0 00000001 connect-progress(30) 4 LAN Ses Up\r\n 63CCF14C 0 00000001 pre-session-time(239) 4 3(3)\r\n 63CCF160 0 00000001 nas-tx-speed(337) 4 102400000(61A8000)\r\n 63CCF174 0 00000001 nas-rx-speed(33) 4 102400000(61A8000)\r\n 63CCF188 0 00000001 elapsed_time(296) 4 2205(89D)\r\n 63CCF19C 0 00000001 bytes_in(97) 4 6072(17B8)\r\n 63CCF1B0 0 00000001 bytes_out(223) 4 6072(17B8)\r\n 63CCF1C4 0 00000001 pre-bytes-in(235) 4 86(56)\r\n 63CCF1D8 0 00000001 pre-bytes-out(236) 4 90(5A)\r\n 63CCF1EC 0 00000001 paks_in(98) 4 434(1B2)\r\n 63CCF244 0 00000001 paks_out(224) 4 434(1B2)\r\n 63CCF258 0 00000001 pre-paks-in(237) 4 7(7)\r\n 63CCF26C 0 00000001 pre-paks-out(238) 4 9(9)\r\n No data for type EXEC\r\n No data for type CONN\r\nNET: Username=peer1\r\n Session Id=00000003 Unique Id=00000003\r\n Start Sent=1 Stop Only=N\r\n stop_has_been_sent=N\r\n Method List=63B4A10C : Name = default\r\n Attribute list:\r\n 63CCF138 0 00000001 session-id(293) 4 3(3)\r\n 63CCF14C 0 00000001 Framed-Protocol(62) 4 PPP\r\n 63CCF160 0 00000001 protocol(241) 4 ip\r\n 63CCF174 0 00000001 addr(5) 4 70.0.0.1\r\n No data for type CMD\r\n No data for type SYSTEM\r\n No data for type RM CALL\r\n No data for type RM VPDN\r\n No data for type AUTH PROXY\r\n No data for type IPSEC-TUNNEL\r\n No data for type RESOURCE\r\n No data for 
type 10\r\n No data for type CALL\r\nDebg: No data available\r\nRadi: 641AACAC\r\nInterface:\r\n TTY Num = -1\r\n Stop Received = 0\r\n Byte/Packet Counts till Call Start:\r\n Start Bytes In = 106 Start Bytes Out = 168\r\n Start Paks In = 3 Start Paks Out = 4\r\n Byte/Packet Counts till Service Up:\r\n Pre Bytes In = 192 Pre Bytes Out = 258\r\n Pre Paks In = 10 Pre Paks Out = 13\r\n Cumulative Byte/Packet Counts :\r\n Bytes In = 6264 Bytes Out = 6330\r\n Paks In = 444 Paks Out = 447\r\n StartTime = 19:56:01 PST Dec 17 2003\r\n AuthenTime = 19:56:04 PST Dec 17 2003\r\n Component = PPoE\r\nAuthen: service=PPP type=CHAP method=RADIUS\r\nKerb: No data available\r\nMeth: No data available\r\nPreauth: No Preauth data.\r\nGeneral:\r\n Unique Id = 00000003\r\n Session Id = 00000003\r\n Attribute List:\r\n 63CCF180 0 00000001 port-type(156) 4 PPP over Ethernet\r\n 63CCF194 0 00000009 interface(152) 7 0/0/0/0\r\nPerU: No data available\r\nThe table below lists the significant fields shown in the display.\r\nTable 9. 
show aaa user Field Descriptions\r\nField Description\r\nEXEC Exec-Accounting database.\r\nNET Network Accounting database.\r\nCMD Command Accounting database.\r\nPre Bytes In Bytes that were received before the call was authenticated.\r\nPre Bytes Out Bytes that were transmitted before the call was authenticated.\r\nPre Paks In Packets that were received before the call was authenticated.\r\nPre Paks Out Packets that were transmitted before the call was authenticated.\r\nBytes In Bytes that were received after the call was authenticated.\r\nBytes Out Bytes that were transmitted after the call was authenticated.\r\nPaks In Packets that were received after the call was authenticated.\r\nPaks Out Packets that were transmitted after the call was authenticated.\r\nAuthen Authentication database.\r\nGeneral General database.\r\nPerU Per-User database.\r\nRelated Commands\r\nCommand Description\r\nshow aaa sessions Displays information about AAA sessions as seen in the AAA Session MIB.\r\nshow access-group mode interface\r\nTo display the Access Control List (ACL) configuration on a Layer 2 interface, use the show access-group mode\r\ninterface command in privileged EXEC mode.\r\nshow access-group mode interface [interface interface-number]\r\nSyntax Description\r\ntype\r\n(Optional) Interface type; valid values are fastethernet, gigabitethernet, tengigabitethernet, and\r\nport-channel.\r\nnumber (Optional) Interface number.\r\nCommand Default\r\nThis command has no default settings.\r\nCommand Modes\r\nPrivileged EXEC (#)\r\nCommand History\r\nRelease Modification\r\n12.2(33)SXH This command was introduced.\r\nUsage Guidelines\r\nThe valid values for the port number depend on the chassis 
used.\r\nExamples\r\nThis example shows how to display the ACL configuration mode on Fast Ethernet interface 6/1:\r\nRouter# show access-group mode interface fastethernet 6/1\r\nInterface FastEthernet6/1:\r\n Access group mode is: merge\r\nRouter#\r\nRelated Commands\r\nCommand Description\r\naccess-group mode Specifies the override modes and the nonoverride modes.\r\nshow access-lists compiled\r\nTo display a table showing Turbo Access Control Lists (ACLs), use the show access-lists compiled command in\r\nuser EXEC or privileged EXEC mode.\r\nshow access-lists compiled\r\nSyntax Description\r\nThis command has no arguments or keywords.\r\nCommand Modes\r\nUser EXEC\r\nPrivileged EXEC\r\nCommand History\r\nRelease Modification\r\n12.0(6)S This command was introduced.\r\n12.1(1)E This command was introduced for Cisco 7200 series routers.\r\n12.1(5)T This command was integrated into Cisco IOS Release 12.1(5)T.\r\n12.1(4)E This command was implemented on the Cisco 7100 series routers.\r\n12.2(14)S This command was integrated into Cisco IOS Release 12.2(14)S.\r\n12.2(33)SRA This command was integrated into Cisco IOS Release 12.2(33)SRA.\r\n12.2SX\r\nThis command is supported in the Cisco IOS Release 12.2SX train. Support in a\r\nspecific 12.2SX release of this train depends on your feature set, platform, and platform\r\nhardware.\r\nCisco IOS XE Release 2.2 This command was integrated into Cisco IOS XE Release 2.2.\r\nUsage Guidelines\r\nThis command is used to display the status and condition of the Turbo ACL tables associated with each access list.\r\nThe Turbo ACL feature processes access lists more expediently, providing faster functionality for routers equipped\r\nwith the feature. The Turbo ACL feature compiles the ACLs into a set of lookup tables, while maintaining the first\r\nmatch requirements. 
Packet headers are used to access these tables in a small, fixed number of lookups,\r\nindependent of the number of ACL entries. The memory usage is displayed for each table; large and\r\ncomplex access lists may require substantial amounts of memory. If the memory usage is greater than the memory\r\navailable, you can disable the Turbo ACL feature so that memory exhaustion does not occur, but the acceleration\r\nof the access lists is then not enabled.\r\nExamples\r\nThe following is partial sample output from the show access-lists compiled command:\r\nRouter# show access-lists compiled\r\nCompiled ACL statistics:\r\n12 ACLs loaded, 12 compiled tables\r\n ACL State Tables Entries Config Fragment Redundant Memory\r\n1 Operational 1 2 1 0 0 1Kb\r\n2 Operational 1 3 2 0 0 1Kb\r\n3 Operational 1 4 3 0 0 1Kb\r\n4 Operational 1 3 2 0 0 1Kb\r\n5 Operational 1 5 4 0 0 1Kb\r\n9 Operational 1 3 2 0 0 1Kb\r\n20 Operational 1 9 8 0 0 1Kb\r\n21 Operational 1 5 4 0 0 1Kb\r\n101 Operational 1 15 9 7 2 1Kb\r\n102 Operational 1 13 6 6 0 1Kb\r\n120 Operational 1 2 1 0 0 1Kb\r\n199 Operational 1 4 3 0 0 1Kb\r\nFirst level lookup tables:\r\nBlock Use Rows Columns Memory used\r\n 0 TOS/Protocol 6/16 12/16 66048\r\n 1 IP Source (MS) 10/16 12/16 66048\r\n 2 IP Source (LS) 27/32 12/16 132096\r\n 3 IP Dest (MS) 3/16 12/16 66048\r\n 4 IP Dest (LS) 9/16 12/16 66048\r\n 5 TCP/UDP Src Port 1/16 12/16 66048\r\n 6 TCP/UDP Dest Port 3/16 12/16 66048\r\n 7 TCP Flags/Fragment 3/16 12/16 66048\r\nThe table below describes the significant fields shown in the display.\r\nTable 10. 
show access-lists compiled Field Descriptions\r\nField Description\r\nState Describes the state of each Turbo ACL table.\r\nOperational--The access list has been compiled by the Turbo ACL feature, and matching to this\r\naccess list is performed through the Turbo ACL tables at high speed.\r\nOther possible values in the State field are as follows:\r\nUnsuitable--The access list is not suitable for compiling, perhaps because it has time-range enabled entries, evaluate references, or dynamic entries.\r\nDeleted--No entries are in this access list.\r\nBuilding--The access list is being compiled. Depending on the size and complexity of\r\nthe list, and the load on the router, the building process may take a few seconds.\r\nOut of memory--An access list cannot be compiled because the router has exhausted its\r\nmemory.\r\nEntries\r\nNumber of ACL entries being used for the compilation. This number is effectively (Config +\r\nFragment - Redundant).\r\nConfig Number of ACL lines from the configuration itself.\r\nFragment\r\nIn order to handle IP fragments for entries that have Layer 4 information in them (for example,\r\nTCP port numbers), TurboACL generates extra ACL entries that match only IP fragments.\r\nThese are used in the compilation, but do not appear in the configuration.\r\nRedundant\r\nNumber of entries that are covered by an earlier entry, and therefore are redundant. These\r\nentries are not used in the compilation. Redundant entries come mainly from two sources: the\r\nconfig itself might contain redundant entries, often as a result of a poorly maintained, large\r\nACL. 
More typically, when TurboACL adds extra entries for IP fragments, these entries\r\nare often redundant because other added fragment entries cover them.\r\nRelated Commands\r\nCommand Description\r\naccess-list compiled Enables the Turbo ACL feature.\r\naccess-list (extended) Provides extended access lists that allow more detailed access lists.\r\naccess-list (standard) Creates a standard access list.\r\nclear access-list counters Clears the counters of an access list.\r\nclear access-template Manually clears a temporary access list entry from a dynamic access list.\r\nip access-list Defines an IP access list by name.\r\nshow ip access-lists Displays the contents of all current IP access lists.\r\nshow access-lists\r\nTo display the contents of current access lists, use the show access-lists command in user EXEC or privileged\r\nEXEC mode.\r\nshow access-lists [access-list-number | access-list-name]\r\nSyntax Description\r\naccess-list-number (Optional) Number of the access list to display. 
The system displays all access lists by\r\ndefault.\r\naccess-list-name (Optional) Name of the IP access list to display.\r\nCommand Default\r\nThe system displays all access lists.\r\nCommand Modes\r\nUser EXEC\r\nPrivileged EXEC\r\nCommand History\r\nRelease Modification\r\n10.0 This command was introduced.\r\n12.0(6)S The output was modified to identify the compiled ACLs.\r\n12.1(1)E This command was implemented on the Cisco 7200 series.\r\n12.1(5)T The command output was modified to identify compiled ACLs.\r\n12.1(4)E This command was implemented on the Cisco 7100 series.\r\n12.2(2)T The command output was modified to show information for IPv6 access lists.\r\n12.2(14)S This command was integrated into Cisco IOS Release 12.2(14)S.\r\n12.2(33)SRA This command was integrated into Cisco IOS Release 12.2(33)SRA.\r\n12.2SX\r\nThis command is supported in the Cisco IOS Release 12.2SX train. Support in a specific\r\n12.2SX release of this train depends on your feature set, platform, and platform hardware.\r\nUsage Guidelines\r\nThe show access-lists command is used to display the current ACLs operating in the router. Each access list is\r\nflagged using the Compiled indication if it is operating as an accelerated ACL.\r\nThe display also shows how many packets have been matched against each entry in the ACLs, enabling the user to\r\nmonitor the particular packets that have been permitted or denied. 
This command also indicates whether the\r\naccess list is running as a compiled access list.\r\nExamples\r\nThe following is sample output from the show access-lists command when access list 101 is specified:\r\nRouter# show access-lists 101\r\nExtended IP access list 101\r\n permit tcp host 198.92.32.130 any established (4304 matches) check=5\r\n permit udp host 198.92.32.130 any eq domain (129 matches)\r\n permit icmp host 198.92.32.130 any\r\n permit tcp host 198.92.32.130 host 171.69.2.141 gt 1023\r\n permit tcp host 198.92.32.130 host 171.69.2.135 eq smtp (2 matches)\r\n permit tcp host 198.92.32.130 host 198.92.30.32 eq smtp\r\n permit tcp host 198.92.32.130 host 171.69.108.33 eq smtp\r\n permit udp host 198.92.32.130 host 171.68.225.190 eq syslog\r\n permit udp host 198.92.32.130 host 171.68.225.126 eq syslog\r\n deny ip 150.136.0.0 0.0.255.255 224.0.0.0 15.255.255.255\r\n deny ip 171.68.0.0 0.1.255.255 224.0.0.0 15.255.255.255 (2 matches) check=1\r\n deny ip 172.24.24.0 0.0.1.255 224.0.0.0 15.255.255.255\r\n deny ip 192.82.152.0 0.0.0.255 224.0.0.0 15.255.255.255\r\n deny ip 192.122.173.0 0.0.0.255 224.0.0.0 15.255.255.255\r\n deny ip 192.122.174.0 0.0.0.255 224.0.0.0 15.255.255.255\r\n deny ip 192.135.239.0 0.0.0.255 224.0.0.0 15.255.255.255\r\n deny ip 192.135.240.0 0.0.7.255 224.0.0.0 15.255.255.255\r\n deny ip 192.135.248.0 0.0.3.255 224.0.0.0 15.255.255.255\r\nAn access list counter counts how many packets are allowed by each line of the access list. This number is\r\ndisplayed as the number of matches. 
Check denotes how many times a packet was compared to the access list but\r\ndid not match.\r\nThe following is sample output from the show access-lists command when the Turbo Access Control List (ACL)\r\nfeature is configured on all of the following access lists.\r\nNote\r\nThe permit and deny information displayed by the show access-lists command may not be in the\r\nsame order as that entered using the access-list command.\r\nRouter# show access-lists\r\nStandard IP access list 1 (Compiled)\r\n deny any\r\nStandard IP access list 2 (Compiled)\r\n deny 192.168.0.0, wildcard bits 0.0.0.255\r\n permit any\r\nStandard IP access list 3 (Compiled)\r\n deny 0.0.0.0\r\n deny 192.168.0.1, wildcard bits 0.0.0.255\r\n permit any\r\nStandard IP access list 4 (Compiled)\r\n permit 0.0.0.0\r\n permit 192.168.0.2, wildcard bits 0.0.0.255\r\nThe following is sample output from the show access-lists command that shows information for IPv6 access lists\r\nwhen IPv6 is configured on the network:\r\nRouter# show access-lists\r\nIPv6 access list list2\r\n deny ipv6 FEC0:0:0:2::/64 any sequence 10\r\n permit ipv6 any any sequence 20\r\nRelated Commands\r\nCommand Description\r\naccess-list (IP extended) Defines an extended IP access list.\r\naccess-list (IP standard) Defines a standard IP access list.\r\nclear access-list counters Clears the counters of an access list.\r\nclear access-template Clears a temporary access list entry from a dynamic access list manually.\r\nip access-list Defines an IP access list by name.\r\nshow ip access-lists Displays the contents of all current IP access lists.\r\nshow ipv6 access-list Displays the contents of all current IPv6 access lists.\r\nshow access-session fqdn\r\nTo display the FQDN configurations, use the show access-session fqdn command in EXEC 
mode.\r\nshow access-session fqdn { passthru-domain-list | list-domain list-domain | fqdn-maps}\r\nSyntax Description\r\npassthru-domain-list Displays the lists of domains for the access session.\r\nlist-domain list-domain Displays all the domains in the list.\r\nfqdn-maps Displays mapping of FQDN ACL to the domain name list.\r\nCommand Default\r\nNone\r\nCommand Modes\r\nUser EXEC\r\nPrivileged EXEC\r\nCommand History\r\nRelease Modification\r\nThis command was introduced.\r\nExamples\r\nThis example shows how to display the lists of domains for the access session:\r\n# sh access-sess fqdn passthru-domain-list\r\nDomain-name-lists\r\n----------------------------\r\nabc\r\nThis example shows how to display the domains in the list for the access session:\r\n# sh access-sess fqdn list-domain abc\r\nDomain's associated with the list\r\n-----------------------------------------\r\nabc\r\ngoogle\r\nshow accounting\r\nThe show accounting command is replaced by the show aaa user command. 
See the show aaa user command for\r\nmore information.\r\nshow appfw\r\nTo display application firewall policy information, use the show appfw command in user EXEC or privileged\r\nEXEC mode.\r\nshow appfw {configuration | dns [cache [policy policy-name]] | name appfw-name}\r\nSyntax Description\r\nconfiguration Displays configuration information for configured policies.\r\ndns\r\nDisplays IP addresses resolved by the Domain Name System (DNS) server of the applicable\r\ninstant messenger application.\r\ncache (Optional) Displays IP addresses related to the DNS server.\r\npolicy (Optional) Displays information for the specified policy.\r\npolicy-name Name of the policy.\r\nname Displays information about the specified application firewall.\r\nappfw-name Name of an application firewall.\r\nCommand Default\r\nIf no policies are specified, information for all policies is displayed.\r\nCommand Modes\r\nUser EXEC (\u003e)\r\nPrivileged EXEC (#)\r\nCommand History\r\nRelease Modification\r\n12.3(14)T This command was introduced.\r\n12.4(4)T\r\nThis command was modified. The dns and cache keywords were added to support instant\r\nmessenger traffic inspection.\r\n12.4(24)T\r\nThis command was modified in a release earlier than Cisco IOS Release 12.4(24)T. 
The name\r\nkeyword and appfw-name argument were added.\r\nUsage Guidelines\r\nUse this command to display information regarding the application firewall policy configuration or the IP\r\naddresses of the DNS cache.\r\nUse the show appfw command in conjunction with the show ip inspect config command to display the complete\r\nfirewall configuration.\r\nIf you do not specify a policy using the policy policy-name option, the IP addresses gathered for all DNS names\r\nand policies are displayed.\r\nExamples\r\nThe following output for the show appfw configuration command displays the configuration for the inspection\r\nrule \"mypolicy,\" which is applied to all incoming HTTP traffic on FastEthernet interface 0/0. In this example, all\r\navailable HTTP inspection parameters have been defined.\r\nRouter# show appfw configuration\r\n \r\nApplication Firewall Rule configuration\r\n Application Policy name mypolicy\r\n Application http\r\n strict-http action allow alarm\r\n content-length minimum 0 maximum 1 action allow alarm\r\n content-type-verification match-req-rsp action allow alarm\r\n max-header-length request length 1 response length 1 action allow alarm\r\n max-uri-length 1 action allow alarm\r\n port-misuse default action allow alarm\r\n request-method rfc default action allow alarm\r\n request-method extension default action allow alarm\r\n transfer-encoding default action allow alarm\r\nThe table below describes the significant fields shown in the display.\r\nTable 11. 
show appfw configuration Field Descriptions\r\nField Description\r\nApplication Policy name Name of the application policy.\r\nstrict-http action allow alarm Allows HTTP messages to pass through the firewall.\r\ncontent-length minimum 0 maximum 1\r\naction allow alarm\r\nAllows HTTP traffic having the maximum message size of 1 to\r\npass through the firewall.\r\ncontent-type-verification match-req-rsp\r\naction allow alarm\r\nAllows HTTP traffic after verifying the content type of the\r\nHTTP response against the accept field of the HTTP request.\r\nmax-header-length request length 1\r\nresponse length 1 action allow alarm\r\nAllows HTTP traffic through the firewall if both the\r\nmaximum request header length and the maximum response header length are 1.\r\nmax-uri-length 1 action allow alarm\r\nAllows HTTP traffic if the uniform resource identifier (URI)\r\nlength in the request message is 1.\r\nport-misuse default action allow alarm\r\nAllows HTTP traffic through the firewall for all the default\r\napplications in the HTTP message.\r\nrequest-method rfc default action allow\r\nalarm\r\nAllows HTTP traffic for RFC 2616 supported methods.\r\nrequest-method extension default action\r\nallow alarm\r\nAllows HTTP traffic for all the extension methods.\r\ntransfer-encoding default action allow\r\nalarm\r\nAllows HTTP traffic for all types of transfer encoded messages.\r\nRelated Commands\r\nCommand Description\r\nshow ip inspect config Displays firewall configuration and session information.\r\nshow ase\r\nNote\r\nEffective with Cisco IOS Release 12.4(24), the show ase command is not available in Cisco IOS\r\nsoftware.\r\nTo display the Automatic Signature Extraction (ASE) run-time status or detected signatures, use the show ase\r\ncommand in privileged EXEC mode.\r\nshow ase [dispersion-table num-entries-to-display | prevalence-table 
num-entries-to-display | signatures |\r\nspecial-case-table num-entries-to-display | statistics]\r\nSyntax Description\r\ndispersion-table (Optional) Displays the dispersion table.\r\nnum-entries-to-display\r\n(Optional) The number of table entries to be displayed. The range is from 0 to\r\n4294967295.\r\nprevalence-table (Optional) Displays the prevalence table.\r\nsignatures (Optional) Displays the detected ASE signatures.\r\nspecial-case-table (Optional) Displays the special case table.\r\nstatistics (Optional) Displays the address description table statistics.\r\nCommand Modes\r\nPrivileged EXEC (#)\r\nCommand History\r\nRelease Modification\r\n12.4(15)T This command was introduced.\r\n12.4(24) This command was removed.\r\nUsage Guidelines\r\nUse the show ase command without any keywords to display the run-time status. Use the show ase command with\r\nthe signatures keyword to display the detected ASE signatures.\r\nThis command is used on the Cisco 1800, 2800, and 7200 series routers, Cisco 7301 router, and Integrated\r\nServices Routers (ISRs) as ASE sensors.\r\nExamples\r\nThe following example output displays the ASE run-time status:\r\nNote\r\nThe ASE collector must be started in order for the ASE run-time status information to be displayed.\r\nRouter# show ase\r\nASE Information:\r\nCollector IP: 10.10.10.3\r\nTIDP Group : 10\r\nStatus : Online\r\nPackets inspected: 1105071\r\nAddress Dispersion Threshold: 20\r\nPrevalence Threshold: 10\r\nSampling set to: 1 in 64\r\nAddress Dispersion Inactivity Timer: 3600s\r\nPrevalence Table Refresh Time: 60s\r\nThe table below describes the significant fields shown in the display.\r\nTable 12. 
show ase Field Descriptions\r\nField Description\r\nCollector IP The IP address of the ASE collector.\r\nTIDP Group\r\nThreat Information Distribution Protocol (TIDP) group used for exchange between the\r\nASE sensor and ASE collector.\r\nStatus\r\nThe four states are:\r\nConnected --The ASE sensor has connected with the ASE collector, but it has\r\nnot completed initialization.\r\nEnabled --The ASE feature is enabled in global configuration mode, but the\r\nASE sensor has not connected with the ASE collector.\r\nNot Enabled --The ASE feature is not enabled in global configuration mode.\r\nOnline --The ASE is ready for inspecting traffic.\r\nPackets inspected Total number of packets inspected on this ASE collector.\r\nAddress Dispersion\r\nThreshold\r\nNumber of IP address occurrences that are permitted by the ASE sensor before this\r\nsignature is considered an anomaly.\r\nNote\r\nThe Address Dispersion Threshold is configured on the ASE collector.\r\nThis information is shown on the ASE sensor (this router) for\r\ninformational purposes.\r\nPrevalence\r\nThreshold\r\nThe number of signature occurrences that are permitted before this signature is\r\nconsidered an anomaly. The default threshold is 10 seconds.\r\nSampling set to\r\nA sampling value that sets the chance for which a signature is being inspected. For\r\nexample, 1 in 64 is less than 1 in 32 chances.\r\nAddress Dispersion\r\nInactivity Timer\r\nNumber of seconds that a signature does not occur. After this interval elapses, the\r\nsignature is purged from the Address Dispersion table.\r\nPrevalence Table\r\nRefresh Time\r\nNumber of seconds that the ASE sensor has before it clears the occurrence table. 
If a\r\nsignature does not occur for the Prevalence Threshold during a refresh, then the\r\nPrevalence Threshold is not considered.\r\nThe following example output displays the detected ASE signatures:\r\nRouter# show ase signature\r\nAutomatic Signature Extraction Detected Signatures\r\n==================================================\r\nSignature Hash: 0x1E4A2076AAEA19B1, Offset: 54, Dest Port: TCP 135,\r\nSignature: 05 00 00 03 10 00 00 00 F0 00 10 00 01 00 00 00 B8 00 00 00 00 00 03 00 01 00 00 00 00 00 00 00 00 00\r\nSignature Hash: 0x24EC60FB1CF9A800, Offset: 72, Dest Port: TCP 445,\r\nSignature: 00 00 00 00 00 00 00 00 00 00 00 00 FF FE 00 00 00 00 00 62 00 02 50 43 20 4E 45 54 57 4F 52 4B 20 50\r\nSignature Hash: 0x0B0275535FFF480C, Offset: 54, Dest Port: TCP 445,\r\nSignature: 00 00 00 85 FF 53 4D 42 72 00 00 00 00 18 53 C8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 FF FE 00 00\r\nRelated Commands\r\nCommand Description\r\nase collector\r\nEnters the ASE collector server IP address so that the ASE sensor has IP connectivity\r\nto the ASE collector.\r\nase group Identifies the TIDP group number for the ASE feature.\r\nase enable Enables the ASE feature on a specified interface.\r\nase signature\r\nextraction\r\nEnables the ASE feature globally on the router.\r\nclear ase signature Clears ASE signatures that were detected on the router.\r\ndebug ase Provides error, log, messaging, reporting, status, and timer information.\r\nshow audit\r\nTo display the contents of an audit file, use the show audit command in privileged EXEC mode.\r\nshow audit [filestat]\r\nSyntax Description\r\nfilestat\r\n(Optional) Displays the rollover counter for the circular buffer and the number of messages that are\r\nreceived.\r\nThe rollover counter, which indicates the number of times circular buffer has been overwritten, is\r\nreset when the audit 
filesize is changed (via the audit filesize command).\r\nCommand Modes\r\nPrivileged EXEC\r\nCommand History\r\nRelease Modification\r\n12.2(18)S This command was introduced.\r\n12.0(27)S This feature was integrated into Cisco IOS Release 12.0(27)S.\r\n12.2(25)S The filestat keyword was added.\r\n12.2(27)SBC This command was integrated into Cisco IOS Release 12.2(27)SBC.\r\n12.2SX\r\nThis command is supported in the Cisco IOS Release 12.2SX train. Support in a specific\r\n12.2SX release of this train depends on your feature set, platform, and platform hardware.\r\nUsage Guidelines\r\nThe audit file is a fixed file size in the disk file system. The audit file contains syslog messages (also known as\r\nhashes), which monitor changes that are made to your router. A separate hash is maintained for each of the\r\nfollowing areas: running version, running configuration, startup configuration, file system, and hardware\r\nconfiguration. 
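The practical use of these per-area hashes is change detection: capture show audit from a known-good state, capture it again later, and report which of the five areas no longer match. The script below is an added example, not Cisco code; it assumes the %AUDIT-1-AREA:Hash: ... User: record layout shown in the Examples for this command, and the "current" capture is constructed for illustration.

```python
"""Added example (not Cisco's code): parse 'show audit' output and diff the five
per-area hashes against a baseline captured from a known-good state."""
import re

# The five audited areas named in the Usage Guidelines, in the order show audit reports them.
AUDIT_AREAS = ("RUN_VERSION", "RUN_CONFIG", "STARTUP_CONFIG", "FILESYSTEM", "HARDWARE_CONFIG")

# One record: "*<timestamp>:%AUDIT-1-<AREA>:Hash:<hex> User:<name>". In the documented
# sample the hash is wrapped onto the next line, so lines are joined before matching.
# The user field is empty for scheduled hashes, so it must not swallow the "*Mon dd ..."
# timestamp of the following record (hence [^\s*]* rather than \S*).
_RECORD_RE = re.compile(
    r"\*(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+[\d:.]+):%AUDIT-1-(?P<area>[A-Z_]+):Hash:\s*"
    r"(?P<hash>[0-9A-Fa-f]+)\s*User:\s*(?P<user>[^\s*]*)"
)


def parse_show_audit(text):
    """Return {area: {"hash": ..., "user": ..., "time": ...}} for each audit record."""
    flat = " ".join(line.strip() for line in text.splitlines() if line.strip())
    records = {}
    for m in _RECORD_RE.finditer(flat):
        records[m.group("area")] = {
            "hash": m.group("hash").upper(),
            "user": m.group("user"),
            "time": m.group("ts"),
        }
    return records


def diff_audit(baseline, current):
    """Compare two parsed captures and return {area: (baseline_hash, current_hash)}
    for every audited area whose hash differs or is missing on either side."""
    changes = {}
    for area in AUDIT_AREAS:
        old = baseline.get(area, {}).get("hash")
        new = current.get(area, {}).get("hash")
        if old != new:
            changes[area] = (old, new)
    return changes


# Baseline: the sample output documented for show audit.
BASELINE_OUTPUT = """\
*Sep 14 18:37:31.535:%AUDIT-1-RUN_VERSION:Hash:
24D98B13B87D106E7E6A7E5D1B3CE0AD User:
*Sep 14 18:37:31.583:%AUDIT-1-RUN_CONFIG:Hash:
4AC2D776AA6FCA8FD7653CEB8969B695 User:
*Sep 14 18:37:31.595:%AUDIT-1-STARTUP_CONFIG:Hash:
95DD497B1BB61AB33A629124CBFEC0FC User:
*Sep 14 18:37:32.107:%AUDIT-1-FILESYSTEM:Hash:
330E7111F2B526F0B850C24ED5774EDE User:
*Sep 14 18:37:32.107:%AUDIT-1-HARDWARE_CONFIG:Hash:
32F66463DDA802CC9171AF6386663D20 User:
"""

# Later capture, constructed for this example: the running configuration was edited
# (new placeholder hash, attributed to user "admin"); the other four areas are unchanged.
CURRENT_OUTPUT = """\
*Sep 15 09:02:10.001:%AUDIT-1-RUN_VERSION:Hash:
24D98B13B87D106E7E6A7E5D1B3CE0AD User:
*Sep 15 09:02:10.040:%AUDIT-1-RUN_CONFIG:Hash:
00112233445566778899AABBCCDDEEFF User: admin
*Sep 15 09:02:10.052:%AUDIT-1-STARTUP_CONFIG:Hash:
95DD497B1BB61AB33A629124CBFEC0FC User:
*Sep 15 09:02:10.500:%AUDIT-1-FILESYSTEM:Hash:
330E7111F2B526F0B850C24ED5774EDE User:
*Sep 15 09:02:10.500:%AUDIT-1-HARDWARE_CONFIG:Hash:
32F66463DDA802CC9171AF6386663D20 User:
"""


def changed_areas(baseline_text=BASELINE_OUTPUT, current_text=CURRENT_OUTPUT):
    """Parse both captures and return the per-area differences."""
    return diff_audit(parse_show_audit(baseline_text), parse_show_audit(current_text))


if __name__ == "__main__":
    changes = changed_areas()
    if not changes:
        print("all audited areas match the baseline")
    for area, (old, new) in changes.items():
        print(f"{area}: baseline {old} -> current {new}")
```

Because the audit file is a fixed-size circular buffer, keep the baseline capture off-box; the rollover counter from show audit filestat tells you whether older records have already been overwritten.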
The show audit command will display any changes that are made to any of these areas.\r\nNote\r\nAudit logs are enabled by default and cannot be disabled.\r\nExamples\r\nThe following example is sample output from the show audit command:\r\nRouter# show audit\r\n*Sep 14 18:37:31.535:%AUDIT-1-RUN_VERSION:Hash:\r\n24D98B13B87D106E7E6A7E5D1B3CE0AD User:\r\n*Sep 14 18:37:31.583:%AUDIT-1-RUN_CONFIG:Hash:\r\n4AC2D776AA6FCA8FD7653CEB8969B695 User:\r\n*Sep 14 18:37:31.595:%AUDIT-1-STARTUP_CONFIG:Hash:\r\n95DD497B1BB61AB33A629124CBFEC0FC User:\r\n*Sep 14 18:37:32.107:%AUDIT-1-FILESYSTEM:Hash:\r\n330E7111F2B526F0B850C24ED5774EDE User:\r\n*Sep 14 18:37:32.107:%AUDIT-1-HARDWARE_CONFIG:Hash:\r\n32F66463DDA802CC9171AF6386663D20 User:\r\nThe table below describes the significant fields shown in the display.\r\nTable 13. show audit Field Descriptions\r\nField Description\r\nAUDIT-1-RUN_VERSION:Hash:\r\n24D98B13B87D106E7E6A7E5D1B3CE0AD User:\r\nRunning version, which is a hash\r\nof the information that is\r\nprovided in the output of the\r\nshow version command: running\r\nversion, ROM information,\r\nBOOTLDR information, system\r\nimage file, system and processor\r\ninformation, and configuration\r\nregister contents.\r\nAUDIT-1-RUN_CONFIG:Hash:\r\n4AC2D776AA6FCA8FD7653CEB8969B695 User:\r\nRunning configuration, which is\r\na hash of the running\r\nconfiguration.\r\nAUDIT-1-STARTUP_CONFIG:Hash:\r\n95DD497B1BB61AB33A629124CBFEC0FC User:\r\nStartup configuration, which is a\r\nhash of the contents of the files\r\non NVRAM, which includes the\r\nstartup-config, private-config,\r\nunderlying-config, and persistent-data.\r\nAUDIT-1-FILESYSTEM:Hash:\r\n330E7111F2B526F0B850C24ED5774EDE User:\r\nFile system, which is a 
hash of\r\nthe dir information on all of the\r\nflash file systems, which includes\r\nbootflash and any other flash file\r\nsystems on the router.\r\nAUDIT-1-HARDWARE_CONFIG:Hash:32F66463DDA802CC9171AF6386663D20 User:\r\nHardware configuration, which is\r\na hash of platform-specific\r\ninformation that is generally\r\nprovided in the output of the\r\nshow diag command.\r\nRelated Commands\r\nCommand Description\r\naudit filesize Changes the size of the audit file.\r\naudit interval Changes the time interval that is used for calculating hashes.\r\nshow authentication interface\r\nTo display information about the Auth Manager for a given interface, use the show authentication interface\r\ncommand in privileged EXEC mode.\r\nshow authentication interface type number\r\nSyntax Description\r\ntype Interface type. For more information, use the question mark (?) online help function.\r\nnumber\r\nInterface number. For more information about the numbering syntax for your networking device,\r\nuse the question mark (?) online help function.\r\nCommand Modes\r\nPrivileged EXEC (#)\r\nCommand History\r\nRelease Modification\r\n12.2(33)SXI This command was introduced.\r\n15.2(2)T This command was integrated into Cisco IOS Release 15.2(2)T.\r\nUsage Guidelines\r\nUse the show authentication interface command to display information about the Auth Manager for a given\r\ninterface.\r\nExamples\r\nThe following is sample output from the show authentication interface command:\r\nSwitch# show authentication interface g1/0/23\r\nClient list:\r\n MAC Address Domain Status Handle Interface\r\n 000e.84af.59bd DATA Authz Success 0xE0000000 GigabitEthernet1/0/23\r\nAvailable methods list:\r\n Handle Priority Name\r\n 3 0 dot1x\r\nRunnable methods list:\r\n Handle Priority Name\r\n 3 0 dot1x\r\nThe table below describes the significant fields shown in the display. 
Other fields are self-explanatory.\r\nTable 14. show authentication interface Field Descriptions\r\nField Description\r\nMAC Address The MAC address of the client.\r\nDomain The domain of the client--either DATA or voice.\r\nStatus\r\nThe status of the authentication session. The possible values are:\r\nAuthc Failed--an authentication method has run for this session and\r\nauthentication failed.\r\nAuthc Success--an authentication method has run for this session and\r\nauthentication was successful.\r\nAuthz Failed--a feature has failed and the session has terminated.\r\nAuthz Success--all features have been applied to the session and the session is\r\nactive.\r\nIdle--this session has been initialized but no authentication methods have run.\r\nThis is an intermediate state.\r\nNo methods--no authentication method has provided a result for this session.\r\nRunning--an authentication method is running for this session.\r\nInterface The type and number of the authentication interface.\r\nAvailable methods\r\nlist\r\nSummary information for the authentication methods available on the interface.\r\nRunnable methods\r\nlist\r\nSummary information for the authentication methods that can run on the interface.\r\nRelated Commands\r\nCommand Description\r\nshow authentication\r\nregistrations\r\nDisplays information about the authentication methods that are registered\r\nwith the Auth Manager.\r\nshow authentication\r\nsessions\r\nDisplays information about the current Auth Manager sessions.\r\nshow authentication registrations\r\nTo display information about the authentication methods that are registered with the Auth Manager, use the show\r\nauthentication registrations command in privileged EXEC 
mode.\r\nshow authentication registrations\r\nSyntax Description\r\nThis command has no arguments or keywords.\r\nCommand Modes\r\nPrivileged EXEC (#)\r\nCommand History\r\nRelease Modification\r\n12.2(33)SXI This command was introduced.\r\n15.2(2)T This command was integrated into Cisco IOS Release 15.2(2)T.\r\nUsage Guidelines\r\nUse the show authentication registrations command to display information about all methods registered with the\r\nAuth Manager.\r\nExamples\r\nThe following is sample output for the show authentication registrations command:\r\nSwitch# show authentication registrations\r\nAuth Methods registered with the Auth Manager:\r\n Handle Priority Name\r\n 3 0 dot1x\r\n 2 1 mab\r\n 1 2 webauth\r\nThe table below describes the significant fields shown in the display.\r\nTable 15. show authentication registrations Field Descriptions\r\nField Description\r\nPriority\r\nThe priority of the method. If the priority for authentication methods has not been configured with\r\nthe authentication priority command, then the default priority is displayed. The default from\r\nhighest to lowest is dot1x, mab, and webauth.\r\nName The name of the authentication method. 
The values can be dot1x, mab, or webauth.\r\nRelated Commands\r\nCommand Description\r\nshow authentication interface Displays information about the Auth Manager for a given interface.\r\nshow authentication sessions Displays information about current Auth Manager sessions.\r\nshow authentication sessions\r\nTo display information about current Auth Manager sessions, use the show authentication sessions command in\r\nprivileged EXEC mode.\r\nNote\r\nEffective with Cisco IOS Release 12.2(33)SXI, the show dot1x command is supplemented by the\r\nshow authentication sessions command. The show dot1x command is reserved for displaying output\r\nspecific to the use of the 802.1X authentication method. The show authentication sessions command\r\ndisplays information for all authentication methods and authorization features.\r\nCisco IOS XE Release 3SE and Later Releases\r\nshow authentication sessions [ [database] | [handle handle-number | interface type number | mac mac-address |\r\nmethod method-name [interface type number] | session-id session-id]] [details]\r\nAll Other Releases\r\nshow authentication sessions [handle handle-number | interface type number | mac mac-address | method\r\nmethod-name interface type number | session-id session-id]\r\nSyntax Description\r\ndatabase\r\n(Optional) Displays session data stored in the session database. This keyword allows you to\r\nsee information like the VLAN ID, which is not cached internally. A warning message\r\ndisplays if data stored in the session database does not match the internally cached data.\r\nhandle\r\nhandle-id\r\n(Optional) Specifies the particular handle for which to display Auth Manager information.\r\ninterface\r\ntype number\r\n(Optional) Specifies a particular interface type and number for which Auth Manager\r\ninformation is to be displayed. 
To display the valid keywords and arguments for interfaces,\r\nuse the question mark (?) online help function.\r\nmac mac-address\r\n(Optional) Specifies the particular MAC address for which you want to display information.\r\nmethod\r\nmethod-name\r\n(Optional) Specifies the particular authentication method for which to display Auth Manager\r\ninformation. Valid methods are one of the following:\r\ndot1x —IEEE 802.1X authentication method.\r\nmab —MAC authentication bypass (MAB) method.\r\nwebauth —Web authentication method.\r\nIf you specify a method, you can also specify an interface.\r\nsession-id\r\nsession-id\r\n(Optional) Specifies the particular session for which to display Auth Manager information.\r\ndetails\r\n(Optional) Displays detailed information for each session instead of displaying a single-line\r\nsummary for sessions.\r\nCommand Modes\r\nPrivileged EXEC (#)\r\nCommand History\r\nRelease Modification\r\n12.2(33)SXH Support for this command was introduced.\r\n12.2(33)SXI\r\nThis command was changed to add the handle handle keyword and argument and\r\nadd information to the output.\r\n15.2(2)T This command was integrated into Cisco IOS Release 15.2(2)T.\r\nCisco IOS XE Release\r\n3.2SE\r\nThis command was modified. 
The database and details keywords were added.\r\nUsage Guidelines\r\nUse the show authentication sessions command to display information about all current Auth Manager sessions.\r\nTo display information about specific Auth Manager sessions, use one or more of the keywords.\r\nExamples\r\nThe following example shows how to display all authentication sessions on the switch:\r\nDevice# show authentication sessions\r\nInterface MAC Address Method Domain Status Session ID\r\nGi1/48 0015.63b0.f676 dot1x DATA Authz Success 0A3462B1000000102983C05C\r\nGi1/5 000f.23c4.a401 mab DATA Authz Success 0A3462B10000000D24F80B58\r\nGi1/5 0014.bf5d.d26d dot1x DATA Authz Success 0A3462B10000000E29811B94\r\nThe following example shows how to display all authentication sessions on an interface:\r\nDevice# show authentication sessions interface GigabitEthernet3/0/2 details\r\n Interface: GigabitEthernet3/0/2\r\n IIF-ID: 0x1055240000001F6\r\n MAC Address: 0010.0010.0001\r\n IPv6 Address: Unknown\r\n IPv4 Address: 192.0.2.1\r\n User-Name: auto601\r\n Status: Authorized\r\n Domain: DATA\r\n Oper host mode: single-host\r\n Oper control dir: both\r\n Session timeout: N/A\r\n Common Session ID: AC14FC0A0000101200E28D62\r\n Acct Session ID: Unknown\r\n Handle: 0xDB003227\r\n Current Policy: dot1x_dvlan_reauth_hm\r\nLocal Policies:\r\n Template: CRITICAL_VLAN (priority 150)\r\n Vlan Group: Vlan: 130\r\nMethod status list:\r\n Method State\r\n dot1x Authc Failed\r\nThe following example shows how to display the authentication session for a specified session ID:\r\nDevice# show authentication sessions session-id 0B0101C70000004F2ED55218\r\n Interface: GigabitEthernet9/2\r\n MAC Address: 0000.0000.0011\r\n IP Address: 192.0.2.254\r\n Username: 
johndoe\r\n Status: Authz Success\r\n Domain: DATA\r\n Oper host mode: multi-host\r\n Oper control dir: both\r\n Authorized By: Critical Auth\r\n Vlan policy: N/A\r\n Session timeout: N/A\r\n Idle timeout: N/A\r\n Common Session ID: 0B0101C70000004F2ED55218\r\n Acct Session ID: 0x00000003\r\n Handle: 0x91000001\r\nRunnable methods list:\r\n Method State\r\n mab Authc Success\r\n dot1x Not run\r\nThe following examples show how to display all clients authorized by the specified authentication method:\r\nDevice# show authentication sessions method mab\r\nNo Auth Manager contexts match supplied criteria\r\nDevice# show authentication sessions method dot1x\r\nInterface MAC Address Domain Status Session ID\r\nGi9/2 0000.0000.0011 DATA Authz Success 0B0101C70000004F2ED55218\r\nThe table below describes the significant fields shown in the displays.\r\nTable 16. show authentication sessions Field Descriptions\r\nField Description\r\nInterface The type and number of the authentication interface.\r\nMAC\r\nAddress\r\nThe MAC address of the client.\r\nDomain The name of the domain, either DATA or VOICE.\r\nStatus\r\nThe status of the authentication session. The possible values are:\r\nAuthc Failed—An authentication method has run for this session and authentication\r\nfailed.\r\nAuthc Success—An authentication method has run for this session and authentication\r\nwas successful.\r\nAuthz Failed—A feature has failed and the session has terminated.\r\nAuthz Success—All features have been applied to the session and the session is\r\nactive.\r\nIdle—This session has been initialized but no authentication methods have run. 
This is\r\nan intermediate state.\r\nNo methods—No authentication method has provided a result for this session.\r\nRunning—An authentication method is running for this session.\r\nHandle The context handle.\r\nState\r\nThe operating states for the reported authentication sessions. The possible values are:\r\nNot run—The method has not run for this session.\r\nRunning—The method is running for this session.\r\nFailed over—The method has failed and the next method is expected to provide a\r\nresult.\r\nSuccess—The method has provided a successful authentication result for the session.\r\nAuthc Failed—The method has provided a failed authentication result for the session.\r\nRelated Commands\r\nCommand Description\r\nshow access-sessions Displays information about session aware networking sessions.\r\nshow authentication\r\nregistrations\r\nDisplays information about the authentication methods that are registered\r\nwith the Auth Manager.\r\nshow authentication\r\nstatistics\r\nDisplays statistics for Auth Manager sessions.\r\nshow dot1x\r\nDisplays details for an identity profile specific to the use of the 802.1X\r\nauthentication method.\r\nshow auto secure config\r\nTo display AutoSecure configurations, use the show auto secure config command in privileged EXEC mode.\r\nshow auto secure config\r\nSyntax Description\r\nThis command has no arguments or keywords.\r\nCommand Modes\r\nPrivileged EXEC\r\nCommand History\r\nRelease Modification\r\n12.3(1) This command was introduced.\r\n12.3(15)\r\nAutosecure disables the configuration of the autosec_iana_reserved_block,\r\nautosec_private_block, or autosec_complete_bogon access control lists (acls), and application-to-edge 
interfaces. Output for these acls is no longer shown in the show output.\r\n12.2(28)SB This command was integrated into Cisco IOS Release 12.2(28)SB.\r\nExamples\r\nThe following sample output from the show auto secure config command shows what has been enabled and\r\ndisabled via the auto secure command:\r\nRouter# show auto secure config\r\nno service finger\r\nno service pad\r\nno service udp-small-servers\r\nno service tcp-small-servers\r\nservice password-encryption\r\nservice tcp-keepalives-in\r\nservice tcp-keepalives-out\r\nno cdp run\r\nno ip bootp server\r\nno ip http server\r\nno ip finger\r\nno ip source-route\r\nno ip gratuitous-arps\r\nno ip identd\r\nsecurity passwords min-length 6\r\nsecurity authentication failure rate 10 log\r\nenable secret 5 $1$CZ6G$GkGOnHdNJCO3CjNHHyTUA.\r\naaa new-model\r\naaa authentication login local_auth local\r\nline console 0\r\n login authentication local_auth\r\n exec-timeout 5 0\r\n transport output telnet\r\nline aux 0\r\n login authentication local_auth\r\n exec-timeout 10 0\r\n transport output telnet\r\nline vty 0 4\r\n login authentication local_auth\r\n transport input telnet\r\nip domain-name cisco.com\r\ncrypto key generate rsa general-keys modulus 1024\r\nip ssh time-out 60\r\nip ssh authentication-retries 2\r\nline vty 0 4\r\n transport input ssh telnet\r\nservice timestamps debug datetime localtime show-timezone msec\r\nservice timestamps log datetime localtime show-timezone msec\r\nlogging facility local2\r\nlogging trap debugging\r\nservice sequence-numbers\r\nlogging console critical\r\nlogging buffered\r\ninterface FastEthernet0/1\r\n no ip redirects\r\n no ip proxy-arp\r\n no ip unreachables\r\n no ip directed-broadcast\r\n no ip mask-reply\r\n no mop enabled\r\n!\r\ninterface FastEthernet1/0\r\n no ip redirects\r\n no ip proxy-arp\r\n no ip unreachables\r\n no ip 
directed-broadcast\r\n no ip mask-reply\r\n no mop enabled\r\n!\r\ninterface FastEthernet1/1\r\n no ip redirects\r\n no ip proxy-arp\r\n no ip unreachables\r\n no ip directed-broadcast\r\n no ip mask-reply\r\n no mop enabled\r\n!\r\ninterface FastEthernet0/0\r\n no ip redirects\r\n no ip proxy-arp\r\n no ip unreachables\r\n no ip directed-broadcast\r\n no ip mask-reply\r\n no mop enabled\r\n!\r\nip cef\r\ninterface FastEthernet0/0\r\n ip verify unicast reverse-path\r\nip inspect audit-trail\r\nip inspect dns-timeout 7\r\nip inspect tcp idle-time 14400\r\nip inspect udp idle-time 1800\r\nip inspect name autosec_inspect cuseeme timeout 3600\r\nip inspect name autosec_inspect ftp timeout 3600\r\nip inspect name autosec_inspect http timeout 3600\r\nip inspect name autosec_inspect rcmd timeout 3600\r\nip inspect name autosec_inspect realaudio timeout 3600\r\nip inspect name autosec_inspect smtp timeout 3600\r\nip inspect name autosec_inspect tftp timeout 30\r\nip inspect name autosec_inspect udp timeout 15\r\nip inspect name autosec_inspect tcp timeout 3600\r\naccess-list 100 deny ip any any\r\ninterface FastEthernet0/0\r\n ip inspect autosec_inspect out\r\n ip access-group 100 in\r\nRelated Commands\r\nCommand Description\r\nauto secure Secures the management and forwarding planes of the router.\r\nshow call admission statistics\r\nTo monitor the global Call Admission Control (CAC) configuration parameters and the behavior of CAC, use the\r\nshow call admission statistics command in user EXEC or privileged EXEC mode.\r\nshow call admission statistics\r\nSyntax Description\r\nThis command has no arguments or keywords.\r\nCommand Modes\r\nUser EXEC\r\nPrivileged EXEC\r\nCommand History\r\nRelease Modification\r\n12.3(8)T 
This command was introduced.\r\n12.2(18)SXD1 This command was integrated into Cisco IOS Release 12.2(18)SXD1.\r\n12.2(33)SRA This command was integrated into Cisco IOS Release 12.2(33)SRA.\r\n12.2(33)SXH This command was integrated into Cisco IOS Release 12.2(33)SXH.\r\nExamples\r\nThe following is sample output from the show call admission statistics command:\r\nRouter# show call admission statistics\r\n \r\nTotal Call admission charges: 0, limit 25\r\nTotal calls rejected 12, accepted 51\r\nLoad metric: charge 0, unscaled 0\r\nThe table below describes the significant fields shown in the display.\r\nTable 17. show call admission statistics Field Descriptions\r\nField Description\r\nTotal call\r\nadmission charges\r\nPercentage of system resources being charged to the system. If you configured a\r\nresource limit, SA requests are dropped when this field is equal to that limit.\r\nlimit\r\nMaximum allowed number of total call admission charges. Valid values are 0 to\r\n100000.\r\nTotal calls rejected Number of SA requests that were not accepted.\r\naccepted Number of SA requests that were accepted.\r\nunscaled Not related to IKE. 
This value always is 0.\r\nRelated Commands\r\nCommand Description\r\ncall admission limit\r\nInstructs IKE to drop calls when a specified percentage of system resources are\r\nbeing consumed.\r\ncrypto call admission\r\nlimit\r\nSpecifies the maximum number of IKE SA requests allowed before IKE begins\r\nrejecting new IKE SA requests.\r\nshow class-map type inspect\r\nTo display Layer 3 and Layer 4 or Layer 7 (application-specific) inspect type class maps and their matching\r\ncriteria, use the show class-map type inspect command in privileged EXEC mode.\r\nshow class-map type inspect [protocol-name] [class-map-name]\r\nSyntax Description\r\nprotocol-name (Optional) Layer 7 application-specific class map. The supported protocols are as follows:\r\naol --America Online Instant Messenger (IM)\r\nedonkey --eDonkey peer-to-peer (P2P)\r\nfasttrack --FastTrack traffic P2P\r\ngnutella --Gnutella Version 2 traffic P2P\r\nh323 --H323 protocol\r\nhttp --HTTP\r\nicq --I Seek You (ICQ) IM\r\nimap --Internet Message Access Protocol (IMAP)\r\nkazaa2 --Kazaa Version 2 P2P\r\nmsnmsgr --MSN Messenger IM protocol\r\npop3 --Post Office Protocol, Version 3 (POP 3)\r\nsip --SMDS Interface Protocol (SIP)\r\nsmtp --Simple Mail Transfer Protocol (SMTP)\r\nsunrpc --SUN Remote Procedure Call (SUNRPC)\r\nwinmsgr --Windows IM\r\nymsgr --Yahoo IM\r\nclass-map-name (Optional) Name of the inspect type class map. The name can be a maximum of 40\r\nalphanumeric characters.\r\nCommand Default\r\nInformation for all inspect type class maps is displayed.\r\nCommand Modes\r\nPrivileged EXEC (#)\r\nCommand History\r\nRelease Modification\r\n12.4(6)T This command was introduced.\r\n12.4(9)T\r\nThis command was modified. 
The following keywords were added: edonkey,\r\nfasttrack, gnutella, kazaa2, aol, msnmsgr, ymsgr.\r\n12.4(20)T This command was modified. The following keywords were added: icq and winmsgr.\r\nCisco IOS XE\r\nRelease 2.1\r\nThis command was modified. It was integrated into Cisco IOS XE Release 2.1. The\r\nprotocol-name argument is not supported.\r\nUsage Guidelines\r\nUse the show class-map type inspect command to display class maps for a particular inspect type class map.\r\nExamples\r\nThe following is sample output from the show class-map type inspect command with all class maps:\r\nRouter# show class-map type inspect\r\nClass Map type inspect match-all classe0 (id 7)\r\n Match access-group 34\r\n Class Map type inspect match-all c1 (id 5)\r\n Match access-group 101\r\n Match protocol http\r\n Class Map type inspect match-all class1 (id 1)\r\n Match none\r\nThe following is sample output from the show class-map type inspect with the class map classe0 specified:\r\nRouter# show class-map type inspect classe0\r\n Class Map type inspect match-all classe0 (id 7)\r\n Match access-group 34\r\nThe table below describes the significant fields shown in the display.\r\nTable 18. show class-map type inspect Field Descriptions\r\nField Description\r\nClass\r\nMap\r\nInspect type class maps being displayed. Output is displayed for each configured class map. 
The\r\nchoice for implementing class matches (for example, match-all) appears next to the traffic class.\r\nMatch\r\nMatch criteria specified for the class map.\r\nFor inspect type class maps without any protocols specified, the criteria are access-group, class-map, protocol, and user-group.\r\nFor inspect type class maps with protocols specified, the criteria are no and service.\r\nRelated Commands\r\nCommand Description\r\nshow class-map type port-filter Displays port-filter class maps and their matching criteria.\r\nshow class-map type urlfilter\r\nTo display URL filter class maps and their matching criteria, use the show class-map type urlfilter command in\r\nprivileged EXEC mode.\r\nshow class-map type urlfilter [trend | n2h2 | websense] [class-map-name]\r\nSyntax Description\r\ntrend (Optional) Specifies Trend Micro class maps.\r\nn2h2 (Optional) Specifies SmartFilter class maps.\r\nwebsense (Optional) Specifies Websense class maps.\r\nclass-map-name (Optional) Name of the URL filter class map.\r\nCommand Default\r\nInformation for all local URL filter class maps is displayed.\r\nCommand Modes\r\nPrivileged EXEC (#)\r\nCommand History\r\nRelease Modification\r\n12.4(15)XZ This command was introduced.\r\n12.4(20)T This command was integrated into Cisco IOS Release 12.4(20)T.\r\nUsage Guidelines\r\nUse the show class-map type urlfilter command to display all local URL filter class maps and their matching\r\ncriteria. To display class maps for a particular URL filtering server type--Trend Micro, SmartFilter or Websense--\r\ninclude the appropriate keyword. 
To display the matching criteria for a particular class map, specify the class map\r\nname.\r\nExamples\r\nThe following is sample output from the show class-map type urlfilter command when three local URL filtering\r\nclass maps have been configured:\r\nRouter# show class-map type urlfilter\r\n \r\n Class Map type urlfilter match-any untrusted-domain-class (id 1)\r\n Match server-domain urlf-glob untrusted-domain-param\r\n \r\n Class Map type urlfilter match-any trusted-domain-class (id 2)\r\n Match server-domain urlf-glob trusted-domain-param\r\n \r\n Class Map type urlfilter match-any keyword-class (id 4)\r\n Match url-keyword urlf-glob keyword-param\r\nThe following is sample output from the show class-map type urlfilter trend command when one Trend Micro\r\nURL filtering class map has been configured:\r\nRouter# show class-map type urlfilter trend\r\n Class Map type urlfilter trend match-any drop-category (id 3)\r\n Match url category Adult-Mature-Content\r\n Match url category Gambling\r\n Match url category Personals-Dating\r\nThe following is sample output from the show class-map type urlfilter websense command:\r\nRouter# show class-map type urlfilter websense\r\n Class Map type urlfilter websense match-any websense-map (id 5)\r\n Match server-response any\r\nThe table below describes the significant fields shown in the display.\r\nTable 19. show class-map type urlfilter Field Descriptions\r\nField Description\r\nClass\r\nMap\r\nURL filtering class map being displayed. Output is displayed for each configured class map of the\r\ntype of URL filtering specified--trend, n2h2, or websense. The default URL filtering type is local. 
The choice for implementing class matches (for example, match-any) appears next to the traffic\r\nclass.\r\nMatch\r\nMatch criteria specified for the class map.\r\nFor local URL filtering class maps, the criteria are server-domain urlf-glob parameter maps and the\r\nurl-keyword urlf-glob parameter map.\r\nFor Trend-Micro URL filtering class maps, the criteria are url-category and url-reputation.\r\nFor SmartFilter and Websense class maps, the match criterion is server-response any.\r\nshow clock detail\r\nTo display the clock details for Cisco IOS public key infrastructure (PKI), use the show clock detail command in\r\nEXEC mode.\r\nshow clock detail\r\nSyntax Description\r\nThis command has no arguments or keywords.\r\nCommand Modes\r\nEXEC\r\nCommand History\r\nRelease Modification\r\nCisco IOS XE Fuji 16.9.1 This command was introduced.\r\nExamples\r\nThe following example is sample output for the show clock detail command:\r\nRouter# show clock detail\r\n07:07:35.514 IST Sun Jun 3 2018\r\nTime source is user configuration\r\nshow content-scan\r\nNote\r\nEffective with Cisco IOS Release 15.4(2)T, the show content-scan command is replaced by the show\r\ncws command. 
See the show cws command for more information.\r\nTo display content scan information, use the show content-scan command in user EXEC or privileged EXEC\r\nmode.\r\nshow content-scan {session {active [detail | egress-vrf vrf-number | ingress-vrf vrf-number | ip-addr ip-address\r\n[all]] | history sessions} | statistics [all | detailed | failures | memory-usage] | summary}\r\nSyntax Description\r\nsession Displays content-scan session information.\r\nactive Displays active sessions.\r\ndetail (Optional) Displays content-scan session details.\r\negress-vrf (Optional) Displays information about the virtual routing and forwarding (VRF) instance\r\nat the egress interface.\r\nvrf-number (Optional) Egress or ingress VRF ID. Valid values are from 0 to 1024.\r\ningress-vrf (Optional) Displays information about the VRF instance at the ingress interface.\r\nip-addr ip-address (Optional) Displays information about the specified IP address.\r\nall (Optional) Displays information about all sessions.\r\nhistory Displays information about terminated sessions.\r\nsessions Number of sessions. Valid values are from 1 to 512.\r\nstatistics Displays statistics of the content scanned.\r\ndetailed (Optional) Displays detailed statistics of the content scanned.\r\nfailures (Optional) Displays content-scan failure statistics.\r\nmemory-usage (Optional) Displays content-scan memory usage statistics.\r\nsummary Displays a summary of the content scan information.\r\nCommand Modes\r\nUser EXEC (\u003e)\r\nPrivileged EXEC (#)\r\nCommand History\r\nRelease Modification\r\n15.2(1)T1 This command was introduced.\r\n15.2(4)M This command was modified. 
The detailed, failures, and memory-usage keywords were added.\r\n15.4(1)T This command was modified. The detail, egress-vrf, ingress-vrf, ip-addr, and all keywords and\r\nthe vrf-number and ip-address arguments were added.\r\n15.4(2)T This command was replaced by the show cws command.\r\nUsage Guidelines\r\nCloud Web Security provides content scanning of HTTP and secure HTTP (HTTPS) traffic and malware\r\nprotection services to web traffic. The content-scanning process redirects client web traffic to the cloud web\r\nsecurity servers. These servers scan the web traffic content and allow or block traffic based on compliance with\r\nthe configured policies and thus protect clients from malware. Content scanning is enabled on an Internet-facing\r\nWAN interface to protect the web traffic that goes out. Use the show content-scan command to view content-scan\r\ninformation.\r\nThe show content-scan session history command displays information about a maximum of 512 terminated\r\nsessions.\r\nExamples\r\nThe following is sample output from the show content-scan session history command:\r\nDevice# show content-scan session history 6\r\nProtocol Source\r\nHTTP 192.168.100.2:1347 209.165.201.104:80 (102:45)\r\nHTTP 192.168.100.2:1326 209.165.201.106:80 (206:11431) www\r\nHTTP 192.168.100.2:1324 209.165.201.105:80 (206:11449) www\r\nHTTP 192.168.100.2:1318 209.165.201.105:80 (206:11449) www\r\nHTTP 192.168.100.2:1316 209.165.201.104:80 (206:11449) www\r\nHTTP 192.168.100.2:1315 10.254.145.107:80 (575:1547) al\r\n \r\nThe following table describes the significant fields shown in the display.\r\nTable 20. 
show content-scan session history Field Descriptions\r\nField Description\r\nProtocol Protocol used for content scanning.\r\nSource IP address of the source with the port number.\r\nDestination IP address of the destination with the port number.\r\nURI Uniform Resource Identifier (URI) that identifies a name or a resource on the Internet.\r\nTime Duration of time when a session was terminated.\r\nThe following is sample output from the show content-scan statistics command:\r\nDevice# show content-scan statistics\r\nCurrent HTTP sessions: 3\r\nCurrent HTTPS sessions: 0\r\nTotal HTTP sessions: 11\r\nTotal HTTPS sessions: 0\r\nWhite-listed sessions: 0\r\nTime of last reset: 00:01:58\r\nThe following table describes the fields shown in the display.\r\nTable 21. show content-scan statistics Field Descriptions\r\nField Description\r\nCurrent HTTP sessions\r\nNumber of current HTTP sessions.\r\nCurrent HTTPS sessions\r\nNumber of current secure HTTP (HTTPS) sessions.\r\nTotal HTTP sessions\r\nTotal number of HTTP sessions.\r\nTotal HTTPS sessions\r\nTotal number of HTTPS sessions.\r\nWhite-listed sessions\r\nNumber of sessions that are on the allowed list. 
An allowed list is an approved list of\r\nentities that are provided a particular privilege, service, mobility, access, or recognition.\r\nAllowed listing means to grant access.\r\nTime of last reset\r\nDuration of time since sessions were last reset.\r\nThe following is sample output from the show content-scan statistics failures command:\r\nDevice# show content-scan statistics failures\r\nReset during proxy Mode: 0\r\nHTTPS reconnect failures: 0\r\nBuffer enqueue failures: 0\r\nBuffer length exceeded: 0\r\nParticle coalesce failures: 0\r\nL4F failures: 0\r\nLookup failures: 0\r\nMemory failures: 0\r\nTower unreachable: 0\r\nResets sent: 0\r\nThe following table describes the significant fields shown in the display.\r\nTable 22. show content-scan statistics failures Field Descriptions\r\nField Description\r\nReset during proxy Mode\r\nReset messages that are received when content scan is in proxy mode.\r\nHTTPS reconnect failures\r\nConnection failures while reconnecting to HTTPS.\r\nBuffer enqueue failures\r\nBuffering queue failures. When a packet fails to reach its destination, the packet is\r\nbuffered in a queue for a retry. This queue to which packets are buffered can fail, and this\r\nfailure is added to the statistics.\r\nBuffer length exceeded\r\nPackets that exceed the buffer length.\r\nParticle coalesce failures\r\nPacket defragmentation failures. When content scan receives packet fragments, these\r\nfragments are joined together or coalesced, and any failures during the coalescing are\r\nadded to the statistics.\r\nL4F failures\r\nNote\r\nWe recommend that you inform TAC if this counter increments rapidly.\r\nLookup failures\r\nContent-scan entry lookup failures. During normal packet flows, content scan entries are\r\nchecked at certain points. 
When such a lookup fails (when it was not expected to fail), it\r\nis added to the statistics.\r\nMemory failures\r\nMemory failures in the content scan subsystem (can be malloc, chunk_malloc, list, and so\r\non).\r\nTower unreachable\r\nContent-scan tower unreachable during packet flows.\r\nResets sent\r\nPacket processing errors. During packet processing, if errors are encountered, reset\r\nmessages are sent to end hosts.\r\nThe following is sample output from the show content-scan session active egress-vrf command:\r\nDevice# show content-scan session active egress-vrf 1\r\nProtocol Source Destination Bytes Time\r\nHTTP [0]: 10.1.1.1:25176 10.2.2.1:80 (262:10495) 00:00:00\r\n URI: 10.2.2.1\r\n Username/usergroup(s): /\r\nRelated Commands\r\nCommand Description\r\ncontent-scan out Enables content scanning on an egress interface.\r\ndebug content-scan Enables content-scan debugging.\r\nSource: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/s1/sec-s1-cr-book/sec-cr-s2.html#wp1896741674",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/s1/sec-s1-cr-book/sec-cr-s2.html#wp1896741674"
	],
	"report_names": [
		"sec-cr-s2.html#wp1896741674"
	],
	"threat_actors": [
		{
			"id": "9aa9b489-a297-4dbd-8601-8fc0370201a6",
			"created_at": "2022-10-25T16:07:23.696796Z",
			"updated_at": "2026-04-10T02:00:04.71508Z",
			"deleted_at": null,
			"main_name": "Group5",
			"aliases": [
				"G0043"
			],
			"source_name": "ETDA:Group5",
			"tools": [
				"Atros2.CKPN",
				"Bladabindi",
				"DroidJack",
				"Jorik",
				"Nancrat",
				"NanoCore",
				"NanoCore RAT",
				"Zurten",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "cf0704ab-99e4-44d7-96d9-3cba91339229",
			"created_at": "2022-10-25T15:50:23.485375Z",
			"updated_at": "2026-04-10T02:00:05.332806Z",
			"deleted_at": null,
			"main_name": "Group5",
			"aliases": [
				"Group5"
			],
			"source_name": "MITRE:Group5",
			"tools": [
				"njRAT",
				"NanoCore"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "094d8210-4c64-4457-ad97-a94fc7af7630",
			"created_at": "2023-01-06T13:46:38.98103Z",
			"updated_at": "2026-04-10T02:00:03.170376Z",
			"deleted_at": null,
			"main_name": "Group5",
			"aliases": [
				"G0043"
			],
			"source_name": "MISPGALAXY:Group5",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2864e40a-f233-4618-ac61-b03760a41cbb",
			"created_at": "2023-12-01T02:02:34.272108Z",
			"updated_at": "2026-04-10T02:00:04.97558Z",
			"deleted_at": null,
			"main_name": "WildCard",
			"aliases": [],
			"source_name": "ETDA:WildCard",
			"tools": [
				"RustDown",
				"SysJoker"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "256a6a2d-e8a2-4497-b399-628a7fad4b3e",
			"created_at": "2023-11-30T02:00:07.299845Z",
			"updated_at": "2026-04-10T02:00:03.484788Z",
			"deleted_at": null,
			"main_name": "WildCard",
			"aliases": [],
			"source_name": "MISPGALAXY:WildCard",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "47a8f6c7-5b29-4892-8f47-1d46be71714f",
			"created_at": "2025-08-07T02:03:24.599925Z",
			"updated_at": "2026-04-10T02:00:03.720795Z",
			"deleted_at": null,
			"main_name": "BRONZE FLEETWOOD",
			"aliases": [
				"APT5 ",
				"DPD ",
				"Keyhole Panda ",
				"Mulberry Typhoon ",
				"Poisoned Flight ",
				"TG-2754 "
			],
			"source_name": "Secureworks:BRONZE FLEETWOOD",
			"tools": [
				"Binanen",
				"Comfoo",
				"Gh0st RAT",
				"Isastart",
				"Leouncia",
				"Marade",
				"OrcaRAT",
				"PCShare",
				"Protux",
				"Skeleton Key",
				"SlyPidgin",
				"VinSelf"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434474,
	"ts_updated_at": 1775792252,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/afd48999ebf13c8fd373213e65ef93bd383d7392.pdf",
		"text": "https://archive.orkl.eu/afd48999ebf13c8fd373213e65ef93bd383d7392.txt",
		"img": "https://archive.orkl.eu/afd48999ebf13c8fd373213e65ef93bd383d7392.jpg"
	}
}