You are on page 1of 1443

Command Name: Mode: Syntax:

aaa accounting connection h323 router(config)#

aaa accounting connection h323 {stop-only | start-stop} radius no aaa accounting connection h323 {stop-only | start-stop} radius Syntax Description:
stoponly Sends a stop accounting notice at the end of the requested user process.

startstop

Sends a start accounting notice at the beginning of a process and a stop accounting notice at the end of a process. The start accounting record is sent in the background. The requested user process begins regardless of whether the start accounting notice was received by the accounting server.

radius

Use only the RADIUS security protocol with this command.

Command Description: To define the accounting method list H.323 with RADIUS as a method with either stop-only or start-stop accounting options, use the aaa accounting connection h323 command in global configuration mode. Use the no form of this command to disable the use of this accounting method list. Example: router(config)#aaa accounting connection h323 stop-only radius router(config)#aaa accounting connection h323 start-stop radius Misconceptions: none Related commands: aaa accounting aaa authentication aaa new-model

radius-server host tacacs-server host Sample Configurations: aaa new model gw-accounting h323 aaa accounting connection h323 start-stop radius

Command Name: Mode: Syntax:

aaa accounting delay-start router(config)#

aaa accounting delay-start no aaa accounting delay-start Syntax Description: This command has no arguments or keywords. Command Description: To delay generation of accounting "start" records until the user IP address is established, use the aaa accounting delay-start command in global configuration mode. To disable this functionality, use the no form of this command. Example: router(config)# aaa accounting delay-start Misconceptions: none Related commands: aaa accounting aaa authentication ppp aaa authorization aaa new-model radius-server host tacacs-server host Sample Configurations: aaa new-model aaa authentication ppp default radius aaa accounting network default start-stop radius aaa accounting delay-start radius-server host 172.16.0.0 non-standard radius-server key rad123

Command Name: Mode: Syntax: aaa accounting nested no aaa accounting nested Syntax Description:

aaa accounting nested router(config)#

This command has no arguments or keywords. Command Description: To specify that NETWORK records be generated, or nested, within EXEC start and stop records for PPP users who start EXEC terminal sessions, use the aaa accounting nested command in global configuration mode. Use the no form of this command to allow sending records for users with a NULL username. Example: router(config)#aaa accounting nested Misconceptions: none Related commands: aaa accounting Sample Configurations:

Command Name: Mode: Syntax:

aaa accounting resource start-stop group router(config)#

aaa accounting resource method-list start-stop [broadcast] group groupname no aaa accounting resource method-list start-stop [broadcast] group groupname Syntax Description:
method-list Method used for accounting services. Use one of the following options:

default: Uses the listed accounting methods that follow this argument as the default list of methods for accounting services. string: Character string used to name the list of accounting methods.

broadcast

(Optional) Enables sending accounting records to multiple AAA servers. Simultaneously sends accounting records to the first server in each group. If the first server is unavailable, failover occurs using the backup servers defined within that group.

group groupname

Specifies the server group to be used for accounting services. The following are valid server group names:

string: Character string used to name a server group. radius: Uses list of all RADIUS hosts. tacacs+: Uses list of all TACACS+ hosts.

Command Description: To enable full resource accounting, which will generate both a "start" record at call setup and a "stop" record at call termination, use the aaa accounting resource start-stop group command in global configuration mode. To disable full resource accounting, use the no form of this command. Usage Guidelines Use the aaa accounting resource start-stop group command to send a "start" record at each call setup followed with a corresponding "stop" record at the call disconnect. There is a separate

"call setup-call disconnect "start-stop" accounting record tracking the progress of the resource connection to the device, and a separate "user authentication start-stop accounting" record tracking the user management progress. These two sets of accounting records are interlinked by using a unique session ID for the call. You may want to use this command to manage and monitor wholesale customers from one source of data reporting, such as accounting records. Example: router(config)#aaa accounting resource default start-stop group radius Misconceptions: none Related commands: aaa accounting start-stop failure Sample Configurations: aaa aaa aaa aaa aaa aaa aaa aaa new-model authentication login AOL group radius local authentication ppp default group radius local authorization exec AOL group radius if-authenticated authorization network default group radius if-authenticated accounting exec default start-stop group radius accounting network default start-stop group radius accounting resource default start-stop group radius

Command Name: Mode: Syntax:

aaa accounting resource stop-failure group router(config)#

aaa accounting resource method-list stop-failure [broadcast] group groupname no aaa accounting resource method-list stop-failure [broadcast] group groupname Syntax Description:
method-list Method used for accounting services. Use one of the following options:

default: Uses the listed accounting methods that follow this argument as the default list of methods for accounting services. string: Character string used to name the list of accounting methods.

broadcast

(Optional) Enables sending accounting records to multiple AAA servers. Simultaneously sends accounting records to the first server in each group. If the first server is unavailable, failover occurs using the backup servers defined within that group.

group groupname

Group to be used for accounting services. Use one of the following options:

string: Character string used to name a server group. radius: Uses list of all RADIUS hosts. tacacs+: Uses list of all TACACS+ hosts.

Command Description: To enable resource failure stop accounting support, which will generate a "stop" record at any point prior to user authentication only if a call is terminated, use the aaa accounting resource stop-failure group command in global configuration mode. To disable resource failure stop accounting, use the no form of this command.

Example: router(config)# aaa accounting resource default stop-failure group radius

Misconceptions: none Related commands: aaa accounting resource start-stop group Sample Configurations: aaa aaa aaa aaa aaa aaa aaa aaa new-model authentication login AOL group radius local authentication ppp default group radius local authorization exec AOL group radius if-authenticated authorization network default group radius if-authenticated accounting exec default start-stop group radius accounting network default start-stop group radius accounting resource default stop-failure group radius

Command Name: aaa accounting send stop-record authentication failure Mode: Syntax: aaa accounting send stop-record authentication failure no aaa accounting send stop-record authentication failure Syntax Description: This command has no arguments or keywords. Command Description: To generate accounting stop records for users who fail to authenticate at login or during session negotiation, use the aaa accounting send stop-record authentication failure command in global configuration mode. Use the no form of this command to stop generating records for users who fail to authenticate at login or during session negotiation. Example: router(config)# aaa accounting send stop-record authentication failure Misconceptions: none Related commands: aaa accounting Sample Configurations: router(config)#

Command Name: Mode: Syntax:

aaa accounting suppress null-username router(config)#

aaa accounting suppress null-username no aaa accounting suppress null-username

Syntax Description: This command has no arguments or keywords. Command Description: To prevent the Cisco IOS software from sending accounting records for users whose username string is NULL, use the aaa accounting suppress null-username global configuration command. Use the no form of this command to allow sending records for users with a NULL username.

Example: router(config)#aaa accounting suppress null-username Misconceptions: none Related commands: aaa accounting Sample Configurations:

Command Name: Mode: Syntax:

aaa accounting update router(config)#

aaa accounting update {[newinfo] [periodic number]} no aaa accounting Syntax Description:
newinfo Causes an interim accounting record to be sent to the accounting server whenever there is new accounting information to report relating to the user in question.

periodic

Causes an interim accounting record to be sent to the accounting server periodically, as defined by the argument number.

number

Integer specifying number of minutes.

Command Description: To enable periodic interim accounting records to be sent to the accounting server, use the aaa accounting update command in global configuration mode. Use the no form of this command to disable interim accounting updates. Usage Guidelines When aaa accounting update is activated, the Cisco IOS software issues interim accounting records for all users on the system. If the keyword newinfo is used, interim accounting records will be sent to the accounting server every time there is new accounting information to report. An example of this would be when IPCP completes IP address negotiation with the remote peer. The interim accounting record will include the negotiated IP address used by the remote peer. When used with the keyword periodic, interim accounting records are sent periodically as defined by the argument number. The interim accounting record contains all of the accounting information recorded for that user up to the time the accounting record is sent. Both of these keywords are mutually exclusive, meaning that whichever keyword is configured last takes precedence over the previous configuration. For example, if you configure aaa accounting update periodic, and then configure aaa accounting update newinfo, all users currently logged in will continue to generate periodic interim accounting records. All new users will generate accounting records based on the newinfo algorithm.

Caution Using the aaa accounting update periodic command can cause heavy congestion when many users are logged in to the network. Example: router(config)# aaa accounting update newinfo Misconceptions: none Related commands: aaa accounting accounting aaa accounting update ppp accounting aaa accounting send stop-record authentication failure aaa dnis map accounting network group accounting (gatekeeper) Sample Configurations:

Command Name: Mode: Syntax

aaa accounting router(config)#

aaa accounting {system | network | exec | connection | commands level} {default | list-name} {start-stop | wait-start | stoponly | none} [method1 [method2...] ] no aaa accounting {system | network | exec | commands level} Syntax Description: system Performs accounting for all system-level events not associated with users, such as reloads. Runs accounting for all network-related service requests, including SLIP, PPP, PPP NCPs, and ARA. Runs accounting for EXEC session (user shells). This keyword might return user profile information such as autocommand information. Provides information about all outbound connections made from the network access server, such as Telnet, local-area transport (LAT), TN3270, packet assembler/disassembler (PAD), and rlogin. Runs accounting for all commands at the specified privilege level. Specific command level to track for accounting. Valid entries are 0 through 15. Uses the listed accounting methods that follow this argument as the default list of methods for accounting services. Character string used to name the list of accounting methods. Sends a start accounting notice at the beginning of a process and a stop accounting notice at the end of a process. The start accounting record is sent in the background. The requested user process begins regardless of whether or not the start accounting notice was received by the accounting server. As in start-stop, sends both a start and a stop accounting notice to the accounting server. However, if you use the wait-start keyword, the requested user service does not begin until the start accounting notice is acknowledged. A stop accounting notice is also sent.

network

exec

connection

commands level default list-name start-stop

wait-start

stop-only none method1 [method2...]

Sends a stop accounting notice at the end of the requested user process. Disables accounting services on this line or interface. At least one of the methods. group radius- uses the list of all RADIUS servers for authentication. group tacacs+- Uses the list of all TACACS+ servers for authentication. group group-name- uses a subset of RADIUS of TACACS+ servers for authentication as defined by the aaa group sever radius or aaa group tacacs+ command.

Command Description: To enable AAA accounting of requested services for billing or security purposes when you use RADIUS or TACACS+, use the aaa accounting global configuration command. Use the no form of this command to disable accounting. Example: router(config)#aaa accounting exec start-stop tacacs+ Sets AAA accounting for EXEC processes on the NAS to record the start and stop time of the session against the TACACS+ database. router(config)#aaa accounting network start-stop tacacs+ Sets AAA accounting for all network-related service requests, including SLIP, PPP, PPP NCPs, and ARA protocol to record the start and stop time of the session against the TACACS+ database.

Misconceptions: This command can be used with TACACS or extended TACACS. Related commands: aaa authentication ppp aaa authorization aaa new-model

Sample Configurations: aaa new-model aaa authentication login default tacacs+ aaa authentication login no_tacacs enable aaa authentication ppp default tacacs+ aaa authorization exec tacacs+ aaa authorization network tacacs+ aaa accounting exec start-stop tacacs+ aaa accounting network start-stop tacacs+ enable secret 5 $1$x1EE$33AXd2VTVvhbWL0A37tQ3. enable password 7 15141905172924 ! username admin password 7 094E4F0A1201181D19 ! interface Serial2 ppp authentication pap ! tacacs-server host 10.1.1.4 tacacs-server key ciscosecure ! line con 0 login authentication no_tacacs

Command Name: Mode: Syntax:

aaa dnis map accounting network group router(config)#

aaa dnis map dnis-number accounting network [none | start-stop | stop-only] group server-group-name no aaa dnis map dnis-number accounting network [none | startstop | stop-only] group server-group-name Syntax Description:
dnisnumber Number of the DNIS.

none

(Optional) Indicates that the defined security server group will not send accounting notices.

start-stop

(Optional) Indicates that the defined security server group will send a start-accounting notice at the beginning of a process and a stop-accounting notice at the end of a process. The start-accounting record is sent in the background. (The requested user process begins regardless of whether the start accounting notice was received by the accounting server.)

stop-only

(Optional) Indicates that the defined security server group will send a stop-accounting notice at the end of the requested user process.

servergroupname

Character string used to name a group of security servers associated in a server group.

Command Description: To map a Dialed Number Information Service (DNIS) number to a particular authentication, authorization, and accounting (AAA) server group (this server group will be used for AAA accounting), use the aaa dnis map accounting network group command in global configuration mode. To remove DNIS mapping from the named server group, use the no form of this command.

Example: The following example maps DNIS number 7777 to the RADIUS server group called group1. Server group group1 will use RADIUS server 172.30.0.0 for accounting requests for users dialing in with DNIS 7777. router(config)#aaa dnis map enable router(config)#aaa dnis map 7777 accounting network group group1 Misconceptions: none Related commands: aaa dnis map authentication ppp group aaa dnis map enable aaa group server aaa new-model radius-server host Sample Configurations: aaa group server radius isp server 1.0.0.1 server 1.0.0.2 aaa group server tacacs+ isp_customer server 3.0.0.1 aaa dnis map enable aaa dnis map 7777 accounting network start-stop broadcast group isp group isp_customer radius-server host 1.0.0.1 radius-server host 1.0.0.2 radius-server key key_1 tacacs-server host 3.0.0.1 key key_2

Command Name: Mode: Syntax:

aaa session-mib router(config)#

aaa session-mib disconnect no aaa session-mib disconnect Syntax Description:


disconnect Enables authentication, authorization, and accounting (AAA) session MIB disconnect

Command Description: To enable disconnect by using Simple Network Management Protocol (SNMP), use the aaa session-mib global configuration mode command. To disable this function, use the no form of this command. Usage Guidelines Use the aaa session-mib command to terminate authenticated client connections using SNMP. You must enable the disconnect keyword with this command. Otherwise, the network management station cannot perform set operations and disconnect users; it can only poll the table. Example: router(config)#aaa session-mib disconnect Misconceptions: none Related commands: none Sample Configurations:

aaa aaa aaa aaa aaa

new-model authentication ppp default group radius authorization network default group radius accounting network default start-stop group radius session-mib disconnect

Command Name: Mode: Syntax: accounting no accounting Syntax Description:

accounting (gatekeeper) router(config)#

This command has no arguments or keywords. Command Description: To enable the accounting on the gatekeeper, use the accounting command in gatekeeper configuration mode. To disable accounting, use the no form of this command. Usage Guidelines Specify a RADIUS server before using the accounting command. Example: The following example enables the gateway to report user activity to the RADIUS server in the form of connection accounting records: The following example enables the gateway to report user activity to the RADIUS server in the form of connection accounting records: router(config)#aaa accounting connection start-stop group radius router(config)gatekeeper router(config-gk)accounting Misconceptions: none Related commands: aaa new-model radius-server host radius-server key Sample Configurations:

Command Name: Mode: Syntax:

accounting router(config-line)

accounting {arap | commands level | connection | exec} [default | list-name] no accounting {arap | commands level | connection | exec} [default | list-name] Syntax Description:
arap Enables accounting on lines configured for AppleTalk Remote Access Protocol (ARAP).

commands level

Enables accounting on the selected lines for all commands at the specified privilege level. Valid privilege level entries are 0 through 15.

connection

Enables both CHAP and PAP, and performs PAP authentication before CHAP.

exec

Enables accounting for all system-level events not associated with users, such as reloads on the selected lines.

default

(Optional) The name of the default method list, created with the aaa accounting command.

list-name

(Optional) Specifies the name of a list of accounting methods to use. If no list name is specified, the system uses the default. The list is created with the aaa accounting command.

Command Description: To enable authentication, authorization, and accounting (AAA) accounting services to a specific line or group of lines, use the accounting command in line configuration mode. To disable AAA accounting services, use the no form of this command. Example: The following example enables command accounting services (for level 15) using the accounting method list named charlie on line 10: router(config)#line 10 router(config-line) accounting commands 15 charlie

Misconceptions: none Related commands: aaa accounting Sample Configurations:

Command Name: Mode: Syntax: debug aaa accounting

debug aaa accounting router#

no debug aaa accounting Syntax Description: This command has no arguments or keywords. Command Description: To display information on accountable events as they occur, use the debug aaa accounting privileged EXEC command. To disable debugging output, use the no form of the command. Usage Guidelines The information displayed by the debug aaa accounting command is independent of the accounting protocol used to transfer the accounting information to a server. Use the debug tacacs and debug radius protocol-specific commands to get more detailed information about protocol-level issues. You can also use the show accounting command to step through all active sessions and to print all the accounting records for actively accounted functions. The show accounting command allows you to display the active "accountable events" on the system. It provides systems administrators a quick look at what is happening, and may also be useful for collecting information in the event of a data loss of some kind on the accounting server. The show accounting command displays additional data on the internal state of the authentication, authorization, and accounting (AAA) security system if debug aaa accounting is turned on as well. Example: Router# debug aaa accounting Misconceptions: none Related commands: debug aaa authentication debug aaa authorization debug radius

debug tacacs show accounting Sample Configurations: Router# debug aaa accounting 16:49:21: AAA/ACCT: EXEC acct start, line 10 16:49:32: AAA/ACCT: Connect start, line 10, glare 16:49:47: AAA/ACCT: Connection acct stop: task_id=70 service=exec port=10 protocol=telnet address=172.31.3.78 cmd=glare bytes_in=308 bytes_out=76 paks_in=45 paks_out=54 elapsed_time=14

Command Name: Mode: Syntax:

ppp accounting router(config-if)

ppp accounting default no ppp accounting

Syntax Description:
default The name of the method list is created with the aaa accounting command.

Command Description: To enable authentication, authorization, and accounting (AAA) accounting services on the selected interface, use the ppp accounting command in interface configuration mode. To disable AAA accounting services, use the no form of this command. Usage Guidelines After you enable the aaa accounting command and define a named accounting method list (or use the default method list), you must apply the defined lists to the appropriate interfaces for accounting services to take place. Use the ppp accounting command to apply the specified method lists (or if none is specified, the default method list) to the selected interface. Example: The following example enables accounting on asynchronous interface 4 and uses the accounting method list named charlie: router(config)#interface async 4 router(config-if)#encapsulation ppp router(config-if)#ppp accounting charlie Misconceptions: none Related commands: aaa accounting Sample Configurations:

Command Name: Mode: Syntax: show accounting no show accounting Syntax Description:

show accounting router#

This command has no arguments or keywords. Command Description: To step through all active sessions and to print all the accounting records for actively accounted functions, use the show accounting command in EXEC mode. Use the no form of this command to disable viewing and printing accounting records. Usage Guidelines The show accounting command allows you to display the active accountable events on the network. It provides system administrators with a quick look at what is going on, and it also can help collect information in the event of a data loss on the accounting server. The show accounting command displays additional data on the internal state of authentication, authorization, and accounting (AAA) if debug aaa accounting is activated. Example: router#show accounting Misconceptions: none Related commands: aaa accounting show line show users

Sample Configurations: Router# show accounting Active Accounted actions on Interface Serial0:19, User jdoe Priv 1 Task ID 15, Network Accounting record, 00:00:18 Elapsed task_id=15 timezone=PDT service=ppp mlp-links-max=4 mlp-linkscurrent=4 protocol=ip addr=9.0.0.2 mlp-sess-id=1 Active Accounted actions on Interface Serial0:20, User jdoe Priv 1 Task ID 13, Network Accounting record, 00:00:49 Elapsed task_id=13 timezone=PDT service=ppp mlp-links-max=4 mlp-linkscurrent=4 protocol=ip addr=9.0.0.2 mlp-sess-id=1 Active Accounted actions on Interface Serial0:21, User jdoe Priv 1 Task ID 11, Network Accounting record, 00:01:19 Elapsed task_id=11 timezone=PDT service=ppp mlp-links-max=4 mlp-linkscurrent=4 protocol=ip addr=9.0.0.2 mlp-sess-id=1 Active Accounted actions on Interface Serial0:22, User jdoe Priv 1 Task ID 9, Network Accounting record, 00:01:20 Elapsed task_id=9 timezone=PDT service=ppp mlp-links-max=4 mlp-linkscurrent=4 mlp-sess-id=1 protocol=ip addr=9.0.0.2 Active Accounted actions on , User (not logged in) Priv 0 Task ID 1, Resource-management Accounting record, 06:21:47 Elapsed task_id=1 timezone=PDT rm-protocol-version=1.0 service=resource-management protocol=nas-status event=nas-start reason=reload Overall Accounting Traffic Starts Stops Updates Active Drops Exec 0 0 0 0 0 Network 8 4 0 4 0 Connect 0 0 0 0 0 Command 0 0 0 0 0 R-mgmt 1 0 0 1 0 System 0 0 0 0 0 User creates:21, frees:9, Acctinfo mallocs:15, frees:6 Users freed with accounting unaccounted for:0 Queue length:0

Command Name: Mode: Syntax:

aaa authentication arap router(config)#

aaa authentication arap {default | list-name} method1 [method2...] no aaa authentication arap {default | list-name} method1 [method2...]

Syntax Description:
default Uses the listed methods that follow this argument as the default list of methods when a user logs in.

list-name

Character string used to name the following list of authentication methods tried when a user logs in.

method1 [method2...]

At least one of the keywords described in below.

guest

Allows guest logins. This method must be the first method listed, but it can be followed by other methods if it does not succeed.

auth-guest

Allows guest logins only if the user has already logged in to EXEC. This method must be the first method listed, but can be followed by other methods if it does not succeed.

line

Uses the line password for authentication.

local

Uses the local username database for authentication.

local-case

Uses case-sensitive local username authentication.

group radius

Uses the list of all RADIUS servers for authentication.

group tacacs+

Uses the list of all TACACS+ servers for authentication.

group group-name

Uses a subset of RADIUS or TACACS+ servers for authentication as defined by the aaa group server radius or aaa group server tacacs+ command.

Command Description: To enable an authentication, authorization, and accounting (AAA) authentication method for AppleTalk Remote Access (ARA), use the aaa authentication arap command in global configuration mode. To disable this authentication, use the no form of this command. Usage Guidelines The list names and default that you set with the aaa authentication arap command are used with the arap authentication command. Note that ARAP guest logins are disabled by default when you enable AAA. To allow guest logins, you must use either the guest or auth-guest method listed. You can only use one of these methods; they are mutually exclusive. Create a list by entering the aaa authentication arap list-name method command, where listname is any character string used to name this list (such as MIS-access). The method argument identifies the list of methods the authentication algorithm tries in the given sequence. To create a default list that is used if no list is specified in the arap authentication command, use the default keyword followed by the methods you want to be used in default situations. The additional methods of authentication are used only if the previous method returns an error, not if it fails. Use the more system:running-config command to view currently configured lists of authentication methods. Example: The following example creates a list called MIS-access, which first tries TACACS+ authentication and then none: router(config)#aaa authentication arap MIS-access group tacacs+ none The following example creates the same list, but sets it as the default list that is used for all ARA protocol authentications if no other list is specified: router(config)#aaa authentication arap default group tacacs+ none

Misconceptions: If the default list is not set, only the local user database is checked. This has the same effect as the following command: aaa authentication arap default local

Related commands: aaa new-model Sample Configurations:

Command Name: Mode: Syntax:

aaa authentication banner router(config)#

aaa authentication banner dstringd no aaa authentication banner Syntax Description: d Any delimiting character at the beginning and end of the string that notifies the system that the string is to be displayed as the banner. The delimiting character can be any character in the extended ASCII character set, but once defined as the delimiter, that character cannot be used in the text string making up the banner.

string

Any group of characters, excluding the one used as the delimiter. The maximum number of characters that you can display is 2996.

Command Description: To configure a personalized banner that will be displayed at user login, use the aaa authentication banner command in global configuration mode. To remove the banner, use the no form of this command. Usage Guidelines Use the aaa authentication banner command to create a personalized message that appears when a user logs in to the system. This message or banner will replace the default message for user login. To create a login banner, you need to configure a delimiting character, which notifies the system that the following text string is to be displayed as the banner, and then the text string itself. The delimiting character is repeated at the end of the text string to signify the end of the banner. The delimiting character can be any character in the extended ASCII character set, but once defined as the delimiter, that character cannot be used in the text string making up the banner.

Example: The following example configures a login banner (in this case, the phrase "Unauthorized use is prohibited.") that will be displayed when a user logs in to the system. In this case, the asterisk (*) symbol is used as the delimiter. (RADIUS is specified as the default login authentication method.) router(config)#aaa authentication banner *Unauthorized use is prohibited.* Misconceptions: none Related commands: aaa authentication fail-message Sample Configurations: aaa new-model aaa authentication banner *Unauthorized use is prohibited.* aaa authentication login default group radius

Command Name:

aaa authentication enable default

Mode: Syntax:

Router(config)#

aaa authentication enable default method1 [method2...] no aaa authentication enable default method1 [method2...]

Syntax Description: method At least one of the keywords described in the table below. enable line none Uses the enable password for authentication. Uses the line password for authentication. Uses no authentication.

group tacacs+ Uses the list of all TACACS+ to provide authentication services. group radius Uses the list of all RADIUS to provide authentication services. group | group-name Command Description: To enable AAA authentication to determine if a user can access the privileged command level, use the aaa authentication enable default global configuration command. Use the no form of this command to disable this authorization method. Uses a subset of RADIUS or TACACS+ servers for authentication as defined by the server group group-name.

Usage Guidelines
Use the aaa authentication enable default command to create a series of authentication methods that are used to determine whether a user can access the privileged command level. Method keywords are described in the table below. The additional methods of authentication are used only if the previous method returns an error, not if it fails. To specify that the authentication should succeed even if all methods return an error, specify none as the final method in the command line. If a default authentication routine is not set for a function, the default is none and no authentication is performed. Use the show running-config command to view currently configured lists of authentication methods.

Example:
To enable AAA authentication to determine if a user can access the privileged command level, use the aaa authentication enable default command in global configuration mode as shown in this figure.

router(config)#aaa authentication enable default group tacacs+ Misconceptions: The additional methods of authentication are used if the previous method fails. Related commands: aaa authorization aaa new-model enable password Sample Configurations: aaa new-model ! ! aaa authentication login default enable aaa authentication login console-in local aaa authentication login is-in local aaa authentication login tty-in line aaa authentication ppp dial-in if-needed local aaa session-id common enable secret 5 $1$ptCj$vRErS/tehv53JjaqFMzBT/ enable password 7 06020026144A061E ! username admin password 7 15100A0F0F6A2F2B2721 username isgroup password 7 000B070E01494B02002E5E username remotes password 7 1059060B0E120009090139 memory-size iomem 15 ip subnet-zero Configuration for a line: ! line con 0 password 7 094A5C0617115716040316 login authentication console-in line 1 password 7 0602062040031C0A000501 login authentication tty-in

modem InOut modem autoconfigure type usr_sportster no exec transport input all stopbits 1 speed 115200 flowcontrol hardware line aux 0 password 7 045A0F0B062F014A001809 line vty 0 4 password 7 045E080E0078 login authentication is-in ! ! end

Command Name: Mode: Syntax:

aaa authentication fail-message router(config)#

aaa authentication fail-message dstringd no aaa authentication fail-message Syntax Description:


d The delimiting character at the beginning and end of the string that notifies the system that the string is to be displayed as the banner. The delimiting character can be any character in the extended ASCII character set, but once defined as the delimiter, that character cannot be used in the text string making up the banner.

string

Any group of characters, excluding the one used as the delimiter. The maximum number of characters that you can display is 2996.

Command Description: To configure a personalized banner that will be displayed when a user fails login, use the aaa authentication fail-message command in global configuration mode. To remove the failed login message, use the no form of this command. Usage Guidelines Use the aaa authentication fail-message command to create a personalized message that appears when a user fails login. This message will replace the default message for failed login. To create a failed-login banner, you need to configure a delimiting character, which notifies the system that the following text string is to be displayed as the banner, and then the text string itself. The delimiting character is repeated at the end of the text string to signify the end of the banner. The delimiting character can be any character in the extended ASCII character set, but once defined as the delimiter, that character cannot be used in the text string making up the banner. Example: The failed-login message will display when a user tries to log in to the system and fails. (RADIUS is specified as the default login authentication method.) In this example, the asterisk (*) is used as the delimiting character. router(config)#aaa authentication fail-message *Failed login. Try again.*

Misconceptions: none Related commands: aaa authentication banner Sample Configurations: aaa aaa aaa aaa new-model authentication banner *Unauthorized use is prohibited.* authentication fail-message *Failed login. Try again.* authentication login default group radius

Command Name: Mode: Syntax:

aaa authentication login router(config)#

aaa authentication login {default [method2...]

| list-name} method1

no aaa authentication login {default [method2...] Syntax Description:

| list-name} method1

default listname method

Uses the listed authentication methods that follow this argument as the default list of methods when a user logs in. Character string used to name the following list of authentication methods activated when a user logs in. At least one of the keywords described in the table: aaa authentication login Methods.

Command Description:

To set AAA authentication at login, use the aaa authentication login global configuration command. Use the no form of this command to disable AAA authentication. Usage Guidelines The default and optional list names created with the aaa authentication login command are used with the login authentication command. Create a list by entering the aaa authentication login list-name method command for a particular protocol, where list-name is any character string used to name this list (such as MISaccess). The method argument identifies the list of methods that the authentication algorithm tries, in the given sequence. Method keywords are described in the table. If no list is specified on an interface with the login authentication command, a default list to be used can be specified with the default keyword followed by the methods. The additional methods of authentication are used only if the previous method returns an error, not if it fails. To ensure that the authentication succeeds even if all methods return an error, specify none as the final method in the command line.

If authentication is not specifically set for a line, the default is to deny access and no authentication is performed. Use the show running-config command to display currently configured lists of authentication methods. Table: aaa authentication login Methods Keyword enable krb5 line local none group radius group tacacs+ krb5-telnet group | groupname local-case Description Uses the enable password for authentication. Uses Kerberos 5 for authentication. Uses the line password for authentication. Uses the local username database for authentication. Uses no authentication. Uses the list of all RADIUS to provide authentication services. Uses the list of all TACACS+ to provide authentication services. Uses Kerberos 5 Telnet authentication protocol when using Telnet to connect to the router. Uses a subset of RADIUS or TACACS+ servers for authentication as defined by the server group group-name. Uses case-sensitive local username authentication

Example: Use the aaa authentication login command in global configuration mode as shown below to configure telnet and console lines. router(config)# aaa authentication login default enable router(config)# aaa authentication login console-in local router(config)# aaa authentication login tty-in line Misconceptions: This command cannot be used with TACACS or extended TACACS. Related commands: aaa new-model login authentication

Sample Configurations: aaa new-model !

! aaa authentication login default enable aaa authentication login console-in local aaa authentication login is-in local aaa authentication login tty-in line aaa authentication ppp dial-in if-needed local aaa session-id common enable secret 5 $1$ptCj$vRErS/tehv53JjaqFMzBT/ enable password 7 06020026144A061E ! username admin password 7 15100A0F0F6A2F2B2721 username isgroup password 7 000B070E01494B02002E5E username remotes password 7 1059060B0E120009090139 memory-size iomem 15 ip subnet-zero Configuration for a line: ! line con 0 password 7 094A5C0617115716040316 login authentication console-in line 1 password 7 0602062040031C0A000501 login authentication tty-in modem InOut modem autoconfigure type usr_sportster no exec transport input all stopbits 1 speed 115200 flowcontrol hardware line aux 0 password 7 045A0F0B062F014A001809 line vty 0 4 password 7 045E080E0078 login authentication is-in ! !
end

Command Name: Mode: Syntax:

aaa authentication nasi router(config)#

aaa authentication nasi {default | list-name} method1 [method2...] no aaa authentication nasi {default | list-name} method1 [method2...] Syntax Description:
default Makes the listed authentication methods that follow this argument the default list of methods used when a user logs in.

list-name

Character string used to name the list of authentication methods activated when a user logs in.

method1 [method2...]

At least one of the methods described in below.

Keyword enable

Description Uses the enable password for authentication.

line

Uses the line password for authentication.

local

Uses the local username database for authentication.

local-case

Uses case-sensitive local username authentication.

none

Uses no authentication.

group radius

Uses the list of all RADIUS servers for authentication.

group tacacs+

Uses the list of all TACACS+ servers for authentication.

group groupname

Uses a subset of RADIUS or TACACS+ servers for authentication as defined by the aaa group server radius or aaa group server tacacs+ command.

Command Description: To specify authentication, authorization, and accounting (AAA) authentication for Netware Asynchronous Services Interface (NASI) clients connecting through the access server, use the aaa authentication nasi command in global configuration mode. To disable authentication for NASI clients, use the no form of this command. Usage Guidelines The default and optional list names that you create with the aaa authentication nasi command are used with the nasi authentication command. Create a list by entering the aaa authentication nasi command, where list-name is any character string that names the list (such as MIS-access). The method argument identifies the list of methods the authentication algorithm tries in the given sequence. Method keywords are described above. To create a default list that is used if no list is assigned to a line with the nasi authentication command, use the default argument followed by the methods that you want to use in default situations. The remaining methods of authentication are used only if the previous method returns an error, not if it fails. To ensure that the authentication succeeds even if all methods return an error, specify none as the final method in the command line. If authentication is not specifically set for a line, the default is to deny access and no authentication is performed. Use the more system:running-config command to display currently configured lists of authentication methods. Example: The following example creates an AAA authentication list called list1. This authentication first tries to contact a TACACS+ server. If no server is found, TACACS+ returns an error and AAA tries to use the enable password. If this attempt also returns an error (because no enable password is configured on the server), the user is allowed access with no authentication. router(config)#aaa authentication nasi list1 group tacacs+ enable none

The following example creates the same list, but sets it as the default list that is used for all login authentications if no other list is specified: router(config)#aaa authentication nasi default group tacacs+ enable none Misconceptions: If the default list is not set, only the local user database is selected. This has the same effect as the following command: aaa authentication nasi default local

Related commands: aaa authentication nasi default local Sample Configurations: Sample configuration on the NAS for a DNIS-based exec-VPDN asynchronous call using RADIUS AAA: st-5300-c2#sh run Building configuration... Current configuration: ! version 12.1 no service pad service timestamps debug datetime msec service timestamps log datetime msec no service password-encryption ! hostname st-5300-c2 ! no logging buffered aaa new-model aaa group server radius Exec-VPDN-Login-Servers server 171.69.71.85 auth-port 1645 acct-port 1646 ! aaa authentication login Exec-VPDN-login group Exec-VPDN-LoginServers aaa authentication ppp Exec-VPDN-ppp if-needed group Exec-VPDNLogin-Servers aaa authorization network default group Exec-VPDN-Login-Servers aaa authorization network no_author none aaa dnis map enable

aaa dnis map 56114 authentication login group Exec-VPDN-LoginServers

Command Name: Mode: Syntax:

aaa authentication password-prompt router(config)#

aaa authentication password-prompt text-string no aaa authentication password-prompt text-string Syntax Description:
textstring String of text that will be displayed when the user is prompted to enter a password. If this text-string contains spaces or unusual characters, it must be enclosed in double-quotes (for example, "Enter your password:").

Command Description: To change the text displayed when users are prompted for a password, use the aaa authentication password-prompt command in global configuration mode. To return to the default password prompt text, use the no form of this command. Usage Guidelines Use the aaa authentication password-prompt command to change the default text that the Cisco IOS software displays when prompting a user to enter a password. This command changes the password prompt for the enable password as well as for login passwords that are not supplied by remote security servers. The no form of this command returns the password prompt to the default value: username: The aaa authentication password-prompt command does not change any dialog that is supplied by a remote TACACS+ server. The aaa authentication password-prompt command works when RADIUS is used as the login method. The password prompt that is defined in the command will be shown even when the RADIUS server is unreachable. The aaa authentication password-prompt command does not work with TACACS+. TACACS+ supplies the network access server (NAS) with the password prompt to display to the users. If the TACACS+ server is reachable, the NAS gets the password prompt from the server and uses that prompt instead of the one defined in the aaa authentication password-prompt command. If the TACACS+ server is not reachable, the password prompt that is defined in the aaa authentication password-prompt command may be used. Example: The following example changes the text for the password prompt:

router(config)#aaa authentication password-prompt "Enter your password now:" Misconceptions: There is no user-defined text-string, and the password prompt appears as "Password." Related commands: aaa authentication username-prompt aaa new-model enable password Sample Configurations:

Command Name: Mode: Syntax:

aaa authentication ppp router(config)#

aaa authentication ppp {default | list-name} method1 [method2...] no aaa authentication ppp {default | list-name} method1 [method2...] Syntax Description: default list-name method1 [method2...] Command Description: To specify one or more AAA authentication methods for use on interfaces running Point-to-Point Protocol (PPP), use the aaa authentication ppp global configuration command. Use the no form of this command to disable authentication. Uses the listed authentication methods that follow this argument as the default list of methods when a user logs in. Character string used to name the following list of authentication methods tried when a user logs in. At least one of the keywords described in the table below.

Usage Guidelines
The lists created with the aaa authentication ppp command are used with the ppp authentication command. These lists contain up to four authentication methods that are used when a user tries to log in to the serial interface. Create a list by entering the aaa authentication ppp list-name method command, where listname is any character Character string used to name the list of authentication methods activated when a user logs in.. The method argument identifies the list of methods that the authentication algorithm tries in the given sequence. Up to four methods can be entered. Method keywords are described in table below. The additional methods of authentication are only used if the previous method returns an error, not if it fails. Specify none as the final method in the command line to have authentication succeed even if all methods return an error. If authentication is not specifically set for a function, the default is none and no authentication is performed. Use the show running-config command to display currently configured lists of authentication methods.

Table: aaa authentication ppp Methods Keyword if-needed krb5 local-case local group | groupname none Description Does not authenticate if user has already been authenticated on a TTY line Uses Kerberos 5 for authentication (can only be used for PAP authentication) Uses case-sensitive local username authentication Uses the local username database for authentication Uses a subset of RADIUS or TACACS+ servers for authentication as defined by the server group group-name Uses no authentication

Example: To specify one or more AAA authentication methods for use on serial interfaces running PPP, use the aaa authentication ppp command in global configuration mode as shown below. router(config)#aaa authen ppp default local router(config)#aaa authen ppp dial-in local none Misconceptions: none

Related commands: aaa new-model ppp authentication Sample Configurations: aaa new-model ! ! aaa authentication login default enable aaa authentication login console-in local aaa authentication login is-in local aaa authentication login tty-in line aaa authentication ppp dial-in if-needed local aaa session-id common enable secret 5 $1$ptCj$vRErS/tehv53JjaqFMzBT/ enable password 7 06020026144A061E ! username admin password 7 15100A0F0F6A2F2B2721 username isgroup password 7 000B070E01494B02002E5E username remotes password 7 1059060B0E120009090139

memory-size iomem 15 ip subnet-zero Configuration for a line: ! line con 0 password 7 094A5C0617115716040316 login authentication console-in line 1 password 7 0602062040031C0A000501 login authentication tty-in modem InOut modem autoconfigure type usr_sportster no exec transport input all stopbits 1 speed 115200 flowcontrol hardware line aux 0 password 7 045A0F0B062F014A001809 line vty 0 4 password 7 045E080E0078 login authentication is-in ! !
end

Command Name: Mode: Syntax:

aaa authentication username-prompt router(config)#

aaa authentication username-prompt text-string no aaa authentication username-prompt text-string Syntax Description:
textstring String of text that will be displayed when the user is prompted to enter a username. If this text-string contains spaces or unusual characters, it must be enclosed in double-quotes (for example, "Enter your name:").

Command Description: To change the text displayed when users are prompted to enter a username, use the aaa authentication username-prompt command in global configuration mode. To return to the default username prompt text, use the no form of this command. Use the aaa authentication username-prompt command to change the default text that the Cisco IOS software displays when prompting a user to enter a username. The no form of this command returns the username prompt to the default value: Username: Some protocols (for example, TACACS+) have the ability to override the use of local username prompt information. Using the aaa authentication username-prompt command will not change the username prompt text in these instances. Example: The following example changes the text for the username prompt: router(config)#aaa authentication username-prompt "Enter your name here:" Misconceptions: none Related commands: aaa authentication password-prompt aaa new-model enable password

Sample Configurations:

Command Name: Mode: Syntax:

aaa dnis map authentication login group router(config)#

aaa dnis map dnis-number authentication login group servergroup-name no aaa dnis map dnis-number authentication login group servergroup-name Syntax Description:
dnis-number Number of the DNIS.

server-group-name

Character string used to name a group of security servers associated in a server group.

Command Description: To map a Dialed Number Information Service (DNIS) number to a particular authentication, authorization, and accounting (AAA) server group for the login service (this server group will be used for AAA authentication), use the aaa dnis map authentication login group command in global configuration mode. To unmap this DNIS number from the defined server group, use the no form of this command. Usage Guidelines This command lets you assign a DNIS number to a particular AAA server group; thus, the server group can process the AAA authentication requests for login service for users dialing into the network using that particular DNIS. To use this command, you must first enable AAA, define an AAA server group, and enable DNIS mapping. Example: The following example shows how to map DNIS number 7777 to the RADIUS server group called group1. group1 will use RADIUS server 172.30.0.0 for AAA authentication requests for login service for users dialing in with DNIS 7777. router(config)#aaa dnis map enable router(config)#aaa dnis map 7777 authentication login group group1

Misconceptions: none Related commands: aaa dnis map accounting network group aaa dnis map enable aaa group aaa new-model radius-server host Sample Configurations: aaa new-model radius-server host 172.30.0.0 auth-port 1645 key cisco1 aaa group server radius group1 server 172.30.0.0 exit aaa dnis map enable aaa dnis map 7777 authentication login group group1

Command Name: Mode: Syntax:

aaa dnis map authentication ppp group router(config)#

aaa dnis map dnis-number authentication ppp group server-groupname no aaa dnis map dnis-number authentication ppp group servergroup-name Syntax Description:
dnis-number Number of the DNIS.

server-group-name

Character string used to name a group of security servers associated in a server

Command Description: To map a Dialed Number Information Service (DNIS) number to a particular authentication server group (this server group will be used for authentication, authorization, and accounting (AAA) authentication), use the aaa dnis map authentication ppp group command in global configuration mode. To remove the DNIS number from the defined server group, use the no form of this command. This command lets you assign a DNIS number to a particular AAA server group, so that the server group can process authentication requests for users dialing in to the network using that particular DNIS. To use this command, you must first enable AAA, define an AAA server group, and enable DNIS mapping. Example: The following example maps DNIS number 7777 to the RADIUS server group called group1. Server group group1 will use RADIUS server 172.30.0.0 for authentication requests for users dialing in with DNIS 7777. router(config)#aaa dnis map enable router(config)#aaa dnis map 7777 authentication ppp group group1 Misconceptions: none

Related commands: aaa dnis map accounting network accounting network group aaa dnis map enable aaa group server aaa new-model radius-server host Sample Configurations: aaa new-model radius-server host 172.30.0.0 auth-port 1645 key cisco1 aaa group server radius group1 server 172.30.0.0 aaa dnis map enable aaa dnis map 7777 authentication ppp group group1

Command Name: Mode: Syntax:

aaa pod server router(config)#

aaa pod server [port port number] [auth-type {any | all | session-key}] server-key [encryption-type] string no aaa pod server Syntax Description:
port port number (Optional) Network access server User Datagram Protocol (UDP) port to use for packet of disconnect (POD) requests. Default value is 1700.

auth-type

(Optional) Type of authorization required for disconnecting sessions. If no authentication type is specified, auth-type is the default.

any

(Optional) Session that matches all of the attributes sent in the POD packet is disconnected. The POD packet may contain one or more of four key attributes (user-name, framed-IP-address, session-ID, and session-key).

all

(Optional) Only a session that matches all four key attributes is disconnected. The default is all.

sessionkey

(Optional) Session with a matching session-key attribute is disconnected. All other attributes are ignored.

server-key

Configures the shared-secret text string.

encryptiontype

(Optional) Single-digit number that defines whether the text immediately following is encrypted, and, if so, what type of encryption is used. Currently defined encryption types are 0, which means that the text immediately following is not encrypted, and 7, which means that the text is encrypted using an encryption algorithm defined by Cisco.

string

Shared-secret text string that is shared between the network access server and the client workstation. This shared-secret string must be the same on both systems.

Command Description: To enable inbound user sessions to be disconnected when specific session attributes are presented, use the aaa pod server command in global configuration mode. To disable this feature, use the no form of this command. Usage Guidelines To disconnect a session, the values in one or more of the key fields in the POD request must match the values for a session on one of the network access server ports. Which values must match depends on the auth-type attribute defined in the command. If no auth-type attribute is specified, all three values must match. If no match is found, all connections remain intact and an error response is returned. The key fields are as follows:

An h323-conf-id vendor-specific attribute (VSA) with the same content as received from the gateway for this call. An h323-call-origin VSA with the same content as received from the gateway for the leg of interest. A 16-byte Message Digest 5 (MD5) hash value that is carried in the authentication field of the POD request.

Example:

The following example enables POD and sets the secret key to "xyz123":
router(config)#aaa pod server server-key xyz123 Misconceptions: none Related commands: aaa accounting delay-start aaa accounting debug aaa pod radius-server host Sample Configurations: Router# show running-configuration ! aaa authentication login h323 group radius aaa authorization exec h323 group radius aaa accounting update newinfo aaa accounting connection h323 start-stop group radius aaa pod server server-key cisco

aaa session-id common

Command Name: Mode: Syntax: aaa preauth no aaa preauth Syntax Description:

aaa preauth router(config)#

This command has no arguments or keywords. Command Description: To enter authentication, authorization, and accounting (AAA) preauthentication configuration mode, use the aaa preauth command in global configuration mode. To disable preauthentication, use the no form of this command. Usage Guidelines To enter AAA preauthentication configuration mode, use the aaa preauth command. To configure preauthentication, use a combination of the aaa preauth commands: group, clid, ctype, dnis, and dnis bypass. You must configure the group command. You must also configure one or more of the clid, ctype, dnis, or dnis bypass commands. In addition to using the preauthentication commands to configure preauthentication on the Cisco router, you must set up the preauthentication profiles on the RADIUS server. You can use the clid, ctype, or dnis commands to define the list of the preauthentication elements. For each preauthentication element, you can also define options such as password (for all the elements, the default password is cisco). If you specify multiple elements, the preauthentication process will be performed on each element according to the order of the elements that you configure with the preauthentication commands. In this case, more than one RADIUS preauthentication profile is returned, but only the last preauthentication profile will be applied to the authentication and authorization later on, if applicable. Example: The following sample enables DNIS preauthentication using a RADIUS server and the password Ascend-DNIS: router(config)#aaa preauth

Misconceptions: none

Related commands: dnis (aaa preauthentication) group isdn guard-timer Sample Configurations: The following sample enables DNIS preauthentication using a RADIUS server and the password Ascend-DNIS: aaa preauth dnis password Ascend-DNIS

Command Name: Mode: Syntax:

aaa processes router(config)#

aaa processes number no aaa processes number Syntax Description:


number Specifies the number of background processes allocated for AAA requests for PPP. Valid entries are 1 to 2147483647.

Command Description: To allocate a specific number of background processes to be used to process authentication, authorization, and accounting (AAA) authentication and authorization requests for PPP, use the aaa processes command in global configuration mode. To restore the default value for this command, use the no form of this command. Usage Guidelines Use the aaa processes command to allocate a specific number of background processes to simultaneously handle multiple AAA authentication and authorization requests for PPP. Previously, only one background process handled all AAA requests for PPP, so only one new user could be authenticated or authorized at a time. This command configures the number of processes used to handle AAA requests for PPP, increasing the number of users that can be simultaneously authenticated or authorized. The argument number defines the number of background processes earmarked to process AAA authentication and authorization requests for PPP. This argument also defines the number of new users that can be simultaneously authenticated and can be increased or decreased at any time. Example: Ten background processes have been allocated to handle AAA requests for PPP. router(config)# aaa processes 10 Misconceptions: none Related commands:

show ppp queues

Sample Configurations: The following examples shows the aaa processes command within a standard AAA configuration. The authentication method list "dialins" specifies RADIUS as the method of authentication, then (if the RADIUS server does not respond) local authentication will be used on serial lines using PPP. Ten background processes have been allocated to handle AAA requests for PPP. aaa new-model aaa authentication ppp dialins group radius local aaa processes 10 interface 5 encap ppp ppp authentication pap dialins

Command Name: Mode: Syntax:

access-profile router>

access-profile [merge | replace] [ignore-sanity-checks] Syntax Description:


merge (Optional) Like the default form of the command, this option removes existing ACLs while retaining other existing authorization attributes for the interface. However, using this option also installs per-user authorization attributes in addition to the existing attributes. (The default form of the command installs only new ACLs.) The per-user authorization attributes come from all attribute-value pairs defined in the authentication, authorization, and accounting (AAA) per-user configuration (the user's authorization profile). The resulting authorization attributes of the interface are a combination of the previous and new configurations.

replace

(Optional) This option removes existing ACLs and all other existing authorization attributes for the interface. A complete new authorization configuration is then installed, using all AV pairs defined in the AAA per-user configuration. This option is not normally recommended because it initially deletes all existing configurations, including static routes. This could be detrimental if the new user profile does not reinstall appropriate static routes and other critical information.

ignoresanitychecks

(Optional) Enables you to use any AV pairs, whether or not they are valid.

Command Description: To apply your per-user authorization attributes to an interface during a PPP session, use the access-profile command in privileged EXEC mode. Use the default form of the command (no keywords) to cause existing access control lists (ACLs) to be removed and ACLs defined in your per-user configuration to be installed. Usage Guidelines Remote users can use this command to activate double authentication for a PPP session. Double authentication must be correctly configured for this command to have the desired effect.

You should use this command when remote users establish a PPP link to gain local network access. After you have been authenticated with CHAP (Challenge Handshake Authentication Protocol) or PAP (Password Authentication Protocol), you will have limited authorization. To activate double authentication and gain your appropriate user network authorization, you must open a Telnet session to the network access server and execute the access-profile command. (This command could also be set up as an autocommand, which would eliminate the need to enter the command manually.) This command causes all subsequent network authorizations to be made in your username instead of in the remote host's username. Any changes to the interface caused by this command will stay in effect for as long as the interface stays up. These changes will be removed when the interface goes down. This command does not affect the normal operation of the router or the interface. The default form of the command, access-profile, causes existing ACLs to be unconfigured (removed), and new ACLs to be installed. The new ACLs come from your per-user configuration on an AAA server (such as a TACACS+ server). The ACL replacement constitutes a reauthorization of your network privileges. The default form of the command can fail if your per-user configuration contains statements other than ACL AV pairs. Any protocols with non-ACL statements will be deconfigured, and no traffic for that protocol can pass over the PPP link. The access-profile merge form of the command causes existing ACLs to be unconfigured (removed) and new authorization information (including new ACLs) to be added to the interface. This new authorization information consists of your complete per-user configuration on an AAA server. If any of the new authorization statements conflict with existing statements, the new statements could "override" the old statements or be ignored, depending on the statement and applicable parser rules. The resulting interface configuration is a combination of the original configuration and the newly installed per-user configuration. The access-profile replace form of the command causes the entire existing authorization configuration to be removed from the interface, and the complete per-user authorization configuration to be added. This per-user authorization

Invalid AV pair types


addr addr-pool zonelist tunnel-id ip-addresses x25-addresses frame-relay

source-ip

Example: The following example activates double authentication for a remote user. This example assumes that the access-profile command was not configured as an autocommand. The remote user runs a terminal emulation application to Telnet to the corporate network access server, a Cisco AS5200 universal access server local host named "hqnas." The remote user, named Bob, has the username "BobUser." The following example replaces ACLs on the local host PPP interface. The ACLs previously applied to the interface during PPP authorization are replaced with ACLs defined in the per-user configuration AV pairs. The remote user establishes a Telnet session to the local host and logs in: login: BobUser Password: <welcome> hqnas> access-profile Bob is reauthenticated when he logs in to hqnas, because hqnas is configured for login AAA authentication using the corporate RADIUS server. When Bob enters the access-profile command, he is reauthorized with his per-user configuration privileges. This causes the access lists and filters in his per-user configuration to be applied to the network access server interface. After the reauthorization is complete, Bob is automatically logged out of the Cisco AS5200 local host. Misconceptions: none Related commands: connect telnet Sample Configurations:

Command Name: Mode: Syntax:

arap authentication router(config-line)#

arap authentication {default | list-name} [one-time] no arap authentication {default | list-name}

Syntax Description:
default Default list created with the aaa authentication arap command.

list-name

Indicated list created with the aaa authentication arap command.

one-time

(Optional) Accepts the username and password in the username field.

Command Description: To enable authentication, authorization, and accounting (AAA) authentication for AppleTalk Remote Access Protocol (ARAP) on a line, use the arap authentication command in line configuration mode. To disable authentication for an ARAP line, use the no form of the command Usage Guidelines This command is a per-line command that specifies the name of a list of AAA authentication methods to try at login. If no list is specified, the default list is used (whether or not it is specified in the command line). You create defaults and lists with the aaa authentication arap command. Entering the no version of arap authentication has the same effect as entering the command with the default keyword. Before issuing this command, create a list of authentication processes by using the aaa authentication arap global configuration command. Example: The following example specifies that the TACACS+ authentication list called MIS-access is used on ARAP line 7: router(config)#line 7 router(config-line)#arap authentication MIS-access

Misconceptions: ARAP authentication uses the default set with aaa authentication arap command. If no default is set, the local user database is checked Related commands: aaa authentication arap Sample Configurations:

Command Name: Mode: Syntax:

clear ip trigger-authentication router#

clear ip trigger-authentication Syntax Description: This command has no arguments or keywords. Command Description: To clear the list of remote hosts for which automated double authentication has been attempted, use the clear ip trigger-authentication command in privileged EXEC mode. Example: The following example clears the remote host table: router# clear ip trigger-authentication Misconceptions: none Related commands: show ip trigger authentication Sample Configurations: Router# show ip trigger-authentication Trigger-authentication Host Table: Remote Host Time Stamp 172.21.127.114 2940514234 router# clear ip trigger-authentication router# show ip trigger-authentication router#

Command Name: Mode: Syntax:

dnis (aaa preauthentication) router(config-preauth)#

dnis [if-avail | required] [accept-stop] [password string] no dnis [if-avail | required] [accept-stop] [password string] Syntax Description:
if-avail (Optional) Implies that if the switch provides the data, RADIUS must be reachable and must accept the string in order for preauthentication to pass. If the switch does not provide the data, preauthentication passes.

required

(Optional) Implies that the switch must provide the associated data, that RADIUS must be reachable, and that RADIUS must accept the string in order for preauthentication to pass. If these three conditions are not met, preauthentication fails.

accept-stop

(Optional) Prevents subsequent preauthentication elements from being tried once preauthentication has succeeded for a call element.

password string

(Optional) Password to use in the Access-Request packet. The default is cisco.

Command Description: To preauthenticate calls on the basis of the Dialed Number Identification Service (DNIS) number, use the dnis authentication, authorization, and accounting (AAA) preauthentication configuration command. To remove the dnis command from your configuration, use the no form of this command. You may configure more than one of the AAA preauthentication commands (clid, ctype, dnis) to set conditions for preauthentication. The sequence of the command configuration decides the sequence of the preauthentication conditions. For example, if you configure dnis, then clid, then ctype, then this is the order of the conditions considered in the preauthentication process. In addition to using the preauthentication commands to configure preauthentication on the Cisco router, you must set up the preauthentication profiles on the RADIUS server.

Example: The following example enables DNIS preauthentication using a RADIUS server and the password Ascend-DNIS: router(config)#aaa preauth router(config-preauth)#group radius router(config-preauth)#dnis password Ascend-DNIS Misconceptions: none Related commands: aaa preauth group isdn guard-timer Sample Configurations:

Command Name: Mode: Syntax:

group router(config-preauth)#

group {tacacs+ server-group} no group {tacacs+ server-group} Syntax Description:


tacacs+ Uses a TACACS+ server for authentication.

server-group

Name of the server group to use for authentication.

Command Description: To specify the authentication, authorization, and accounting (AAA) TACACS+ server group to use for preauthentication, use the group command in AAA preauthentication configuration mode. To remove the group command from your configuration, use the no form of this command. You must configure the group command before you configure any other AAA preauthentication command (clid, ctype, dnis, or dnis bypass). Example: The following example enables Dialed Number Identification Service (DNIS) preauthentication using the abc123 server group and the password aaa-DNIS: router(config)#aaa preauth router(config-preauth)#group abc123 router(config-preauth)#dnis password aaa-DNIS Misconceptions: none Related commands: aaa preauth dnis (aaa preauthentication)

Sample Configurations: aaa preauth group abc123 dnis password aaa-DNIS

Command Name: Mode: Syntax:

ip trigger-authentication (interface) router(config-if)#

ip trigger-authentication no ip trigger-authentication Syntax Description: This command has no arguments or keywords. Command Description: To specify automated double authentication at an interface, use the ip trigger-authentication command in interface configuration mode. To turn off automated double authentication at an interface, use the no form of this command. Usage Guidelines Configure this command on the local router or network access server that remote users dial into. Use this command only if the local device has already been configured to provide double authentication and if automated double authentication has been enabled with the ip triggerauthentication (global) command. This command causes double authentication to occur automatically when users dial into the interface. Example: The following example turns on automated double authentication at the ISDN BRI interface BRI0: router(config-if)#ip trigger-authentication Misconceptions: none Related commands: ip trigger-authentication (global) Sample Configurations: interface BRI0

ip trigger-authentication encapsulation ppp ppp authentication chap

Command Name: Mode: Syntax:

ip trigger-authentication (global) router(config)#

ip trigger-authentication [timeout seconds] [port number] no ip trigger-authentication Syntax Description:


timeout seconds (Optional) Specifies how frequently the local device sends a User Datagram Protocol (UDP) packet to the remote host to request the user's username and password (or PIN). The default is 90 seconds. See "The Timeout Keyword" in the Usage Guidelines section for details.

port number

(Optional) Specifies the UDP port to which the local router should send the UPD packet requesting the user's username and password (or PIN). The default is port 7500. See "The Port Keyword" in the Usage Guidelines section for details.

Command Description: To enable the automated part of double authentication at a device, use the ip triggerauthentication command in global configuration mode. To disable the automated part of double authentication, use the no form of this command. Usage Guidelines Configure this command on the local device (router or network access server) that remote users dial in to. Use this command only if the local device has already been configured to provide double authentication; this command enables automation of the second authentication of double authentication. The Timeout Keyword During the second authentication stage of double authenticationwhen the remote user is authenticatedthe remote user must send a username and password (or PIN) to the local device. With automated double authentication, the local device sends a UDP packet to the remote user's host during the second user-authentication stage. This UDP packet triggers the remote host to launch a dialog box requesting a username and password (or PIN). If the local device does not receive a valid response to the UDP packet within a timeout period, the local device will send another UDP packet. The device will continue to send UDP packets at the timeout intervals until it receives a response and can authenticate the user.

By default, the UDP packet timeout interval is 90 seconds. Use the timeout keyword to specify a different interval. (This timeout also applies to how long entries will remain in the remote host table; see the show ip trigger-authentication command for details.) The Port Keyword As described in the previous section, the local device sends a UDP packet to the remote user's host to request the user's username and password (or PIN). This UDP packet is sent to UDP port 7500 by default. (The remote host client software listens to UDP port 7500 by default.) If you need to change the port number because port 7500 is used by another application, you should change the port number using the port keyword. If you change the port number you need to change it in both placesboth on the local device and in the remote host client software. Example: The following example globally enables automated double authentication and sets the timeout to 120 seconds: router(config)#ip trigger-authentication timeout 120 Misconceptions: none Related commands: ip trigger-authentication (interface) show ip trigger-authentication Sample Configurations:

Command Name: Mode: Syntax:

login authentication router(config-line)#

login authentication {default | list-name} no login authentication {default | list-name} Syntax Description:
default Uses the default list created with the aaa authentication login command.

list-name

Uses the indicated list created with the aaa authentication login command.

Command Description: To enable authentication, authorization, and accounting (AAA) authentication for logins, use the login authentication command in line configuration mode. To return to the default specified by the aaa authentication login command, use the no form of this command. Usage Guidelines This command is a per-line command used with AAA that specifies the name of a list of AAA authentication methods to try at login. If no list is specified, the default list is used (whether or not it is specified in the command line). Caution If you use a list-name value that was not configured with the aaa authentication login command, you will disable login on this line. Entering the no version of login authentication has the same effect as entering the command with the default keyword. Before issuing this command, create a list of authentication processes by using the global configuration aaa authentication login command. Example: The following example specifies that the default AAA authentication is to be used on line 4: router(config)#line 4 router(config-line)login authentication default

The following example specifies that the AAA authentication list called list1 is to be used on line 7: router(config)line 7 router(config-line)login authentication list1 Misconceptions: none

Related commands: aaa authentication login Sample Configurations:

Command Name: Mode: Syntax:

nasi authentication router(config-ling)#

nasi authentication {default | list-name} no nasi authentication {default | list-name} Syntax Description:
default Uses the default list created with the aaa authentication nasi command.

list-name

Uses the list created with the aaa authentication nasi command.

Command Description: To enable authentication, authorization, and accounting (AAA) authentication for NetWare Asynchronous Services Interface (NASI) clients connecting to a router, use the nasi authentication command in line configuration mode. To return to the default, as specified by the aaa authentication nasi command, use the no form of the command. Usage Guidelines This command is a per-line command used with AAA authentication that specifies the name of a list of authentication methods to try at login. If no list is specified, the default list is used, even if it is not specified in the command line. (You create defaults and lists with the aaa authentication nasi command.) Entering the no form of this command has the same effect as entering the command with the default argument. Caution If you use a list-name value that was not configured with the aaa authentication nasi command, you will disable login on this line. Before issuing this command, create a list of authentication processes by using the aaa authentication nasi global configuration command. Example: The following example specifies that the default AAA authentication be used on line 4: router(config)#line 4 router(config-line)#nasi authentication default

The following example specifies that the AAA authentication list called list1 be used on line 7: router(config)#line 7 router(config-ling)#nasi authentication list1 Misconceptions: none Related commands: aaa authentication nasi ipx nasi-server enable show ipx nasi connections show ipx spx-protocol Sample Configurations:

Command Name: Mode: Syntax:

ppp authentication router(config-if)#

ppp authentication {protocol1 [protocol2...]} [if-needed] [listname | default] [callin] [one-time] no ppp authentication Syntax Description:
protocol1 [protocol2...] Specify at least one of the keywords described in below.

chap

Enables CHAP on a serial interface.

ms-chap

Enables Microsoft's version of CHAP (MS-CHAP) on a serial interface.

pap

Enables PAP on a serial interface.

if-needed

(Optional) Used with TACACS and extended TACACS. Does not perform CHAP or PAP authentication if the user has already provided authentication. This option is available only on asynchronous interfaces.

list-name

(Optional) Used with AAA. Specifies the name of a list of methods of authentication to use. If no list name is specified, the system uses the default. The list is created with the aaa authentication ppp command.

default

(Optional) The name of the method list is created with the aaa authentication ppp command.

callin

(Optional) Specifies authentication on incoming (received) calls only.

one-time

(Optional) Accepts the username and password in the username field.

Command Description:

To enable Challenge Handshake Authentication Protocol (CHAP) or Password Authentication Protocol (PAP) or both and to specify the order in which CHAP and PAP authentication are selected on the interface, use the ppp authentication command in interface configuration mode. To disable this authentication, use the no form of this command. Usage Guidelines When you enable CHAP or PAP authentication (or both), the local router requires the remote device to prove its identity before allowing data traffic to flow. PAP authentication requires the remote device to send a name and a password, which is checked against a matching entry in the local username database or in the remote security server database. CHAP authentication sends a challenge message to the remote device. The remote device encrypts the challenge value with a shared secret and returns the encrypted value and its name to the local router in a Response message. The local router attempts to match the remote device's name with an associated secret stored in the local username or remote security server database; it uses the stored secret to encrypt the original challenge and verify that the encrypted values match. You can enable CHAP, MS-CHAP, or PAP in any order. If you enable all three methods, the first method specified is requested during link negotiation. If the peer suggests using the second method, or refuses the first method, the second method is tried. Some remote devices support only one method. Base the order in which you specify methods on the remote device's ability to correctly negotiate the appropriate method, and on the level of data line security you require. PAP usernames and passwords are sent as clear text strings, which can be intercepted and reused. Caution If you use a list-name value that was not configured with the aaa authentication ppp command, you will disable PPP on this interface. Example: The following example enables CHAP on asynchronous interface 4 and uses the authentication list MIS-access: router(config)#interface async 4 router(config-if)encapsulation ppp router(config-if)ppp authentication chap MIS-access Misconceptions: none Related commands: aaa authentication ppp aaa new-model autoselect encapsulation username

Sample Configurations: The following example is a sample NAS configuration for AAA and incoming modem calls: interface Serial0:15 no ip address isdn switch-type primary-net5 isdn incoming-voice modem ! interface Async1 ip address 7.0.0.10 255.0.0.0 encapsulation ppp async default routing async mode interactive no peer default ip address ppp authentication chap ! line 1 modem InOu transport preferred none transport input all autoselect ppp
!

Command Name: Mode: Syntax:

ppp chap hostname router(config-if)#

ppp chap hostname hostname no ppp chap hostname hostname Syntax Description:
hostname The name sent in the CHAP challenge.

Command Description: To create a pool of dialup routers that all appear to be the same host when authenticating with Challenge Handshake Authentication Protocol (CHAP), use the ppp chap hostname command in interface configuration mode. To disable this function, use the no form of the command. Usage Guidelines The ppp chap hostname command allows you to specify a common alias for all routers in a rotary group to use so that only one username must be configured on the dialing routers. This command is normally used with local CHAP authentication (when the router authenticates to the peer), but it can also be used for remote CHAP authentication. Example: The following example identifies dialer interface 0 as the dialer rotary group leader and specifies "ppp" as the encapsulation method used by all member interfaces. This example shows that CHAP authentication is used on received calls only and the username ISPCorp will be sent in all CHAP challenges and responses. router(config)#interface dialer 0 router(config-if)#encapsulation ppp router(config-if)#ppp authentication chap callin router(congig-if)#ppp chap hostname ISPCorp Misconceptions: none Related commands:

aaa ppp ppp ppp ppp

authentication ppp authentication chap password chap refuse chap wait

Sample Configurations: The following shows a sample configuration for voice and data on the same B-channel when configuring ISDN. class-map match-all VoIP-RTP match ip dscp ef ! class-map match-all VoIP-SIG match ip dscp af31 ! policy-map voice-and-data class VoIP-RTP priority 40 ! class VoIP-SIG bandwidth 8 ! interface BRI0/0 encapsulation ppp dialer pool-member 1 ppp authentication chap ! interface Dialer1 encapsulation ppp bandwidth 64 ! dialer pool 1 dialer remote-name routerB-dialer1 dialer-group 1 dialer string 12345678 service-policy output voice-and-data ! ppp authentication chap ppp chap hostname routerA-dialer1 ppp chap password cisco ppp multilink ppp multilink fragment-delay 10 ! ppp multilink interleave

! ip rtp header-compression

Command Name: Mode: Syntax:

ppp chap password router(config-if)#

ppp chap password secret no ppp chap password secret Syntax Description:
secret The secret used to compute the response value for any CHAP challenge from an unknown peer.

Command Description: To enable a router calling a collection of routers that do not support this command (such as routers running older Cisco IOS software images) to configure a common Challenge Handshake Authentication Protocol (CHAP) secret password to use in response to challenges from an unknown peer, use the ppp chap password command in interface configuration mode. To disable the PPP CHAP password, use the no form of this command. Usage Guidelines This command allows you to replace several username and password configuration commands with a single copy of this command on any dialer interface or asynchronous group interface. This command is used for remote CHAP authentication only (when routers authenticate to the peer) and does not affect local CHAP authentication. Example: The commands in the following example specify ISDN BRI number 0. The method of encapsulation on the interface is PPP. If a CHAP challenge is received from a peer whose name is not found in the global list of usernames, the encrypted secret 7 1267234591 is decrypted and used to create a CHAP response value. router(config)#interface bri 0 router(config-if)#encapsulation ppp router(config-if)#ppp chap password 7 1234567891 Misconceptions: none Related commands:

aaa ppp ppp ppp ppp

authentication ppp authentication chap hostname chap refuse chap wait

Sample Configurations: The following shows a sample configuration for voice and data on the same B-channel when configuring ISDN. class-map match-all VoIP-RTP match ip dscp ef ! class-map match-all VoIP-SIG match ip dscp af31 ! policy-map voice-and-data class VoIP-RTP priority 40 ! class VoIP-SIG bandwidth 8 ! interface BRI0/0 encapsulation ppp dialer pool-member 1 ppp authentication chap ! interface Dialer1 encapsulation ppp bandwidth 64 ! dialer pool 1 dialer remote-name routerB-dialer1 dialer-group 1 dialer string 12345678 service-policy output voice-and-data ! ppp authentication chap ppp chap hostname routerA-dialer1 ppp chap password cisco ppp multilink ppp multilink fragment-delay 10 ! ppp multilink interleave

Command Name: Mode: Syntax:

ppp chap refuse router(config-if)#

ppp chap refuse [callin] no ppp chap refuse [callin] Syntax Description:
callin (Optional) This keyword specifies that the router will refuse to answer CHAP authentication challenges received from the peer, but will still require the peer to answer any CHAP challenges the router sends.

Command Description: To refuse Challenge Handshake Authentication Protocol (CHAP) authentication from peers requesting it, use the ppp chap refuse command in interface configuration mode. To allow CHAP authentication, use the no form of this command. Usage Guidelines This command specifies that CHAP authentication is disabled for all calls, meaning that all attempts by the peer to force the user to authenticate using CHAP will be refused. If the callin keyword is used, CHAP authentication is disabled for incoming calls from the peer, but will still be performed on outgoing calls to the peer. If outbound Password Authentication Protocol (PAP) has been enabled (using the ppp pap sentusername command), PAP will be suggested as the authentication method in the refusal packet. Example: The following example specifies ISDN BRI number 0. The method of encapsulation on the interface is PPP. This example disables CHAP authentication from occurring if a peer calls in requesting CHAP authentication. router(config)#interface bri 0 router(config-if)#encapsulation ppp router(config-if)#ppp chap refuse Misconceptions: none

Related commands: aaa authentication ppp ppp authentication ppp chap hostname ppp chap password ppp chap wait Sample Configurations:

Command Name: Mode: Syntax:

ppp chap wait router(config-if)#

ppp chap wait secret no ppp chap wait secret Syntax Description:
secret The secret used to compute the response value for any CHAP challenge from an unknown peer.

Command Description: To specify that the router will not authenticate to a peer requesting Challenge Handshake Authentication Protocol (CHAP) authentication until after the peer has authenticated itself to the router, use the ppp chap wait command in interface configuration mode. To allow the router to respond immediately to an authentication challenge, use the no form of this command. Usage Guidelines This command (which is enabled by default) specifies that the router will not authenticate to a peer requesting CHAP authentication until the peer has authenticated itself to the router. The no form of this command specifies that the router will respond immediately to an authentication challenge. Example: The following example specifies ISDN BRI number 0. The method of encapsulation on the interface is PPP. This example disables the default, meaning that users do not have to wait for peers to complete CHAP authentication before authenticating themselves. router(config)#interface bri 0 router(config-if)#encapsulation ppp router(config-if)#no ppp chap wait Misconceptions: none Related commands: aaa authentication ppp ppp authentication

ppp chap hostname ppp chap password ppp chap refuse Sample Configurations:

Command Name: Mode: Syntax: ppp pap refuse no ppp pap refuse Syntax Description:

ppp pap refuse router(config-if)#

This command has no arguments or keywords. Command Description: To refuse a peer request to authenticate remotely with PPP using Password Authentication Protocol, use the ppp pap refuse interface configuration command. To disable the refusal, use the no form of this command. This is a per-interface command. Example: The following example shows how to enable the ppp pap command to refuse a peer request for remote authentication: router(config)#interface dialer 0 router(config-if)encapsulation ppp router(config-if)ppp pap refuse Misconceptions: none Related commands: aaa authentication ppp encapsulation ppp ppp authentication ppp pap sent-username Sample Configurations:

Command Name: Mode: Syntax:

ppp pap sent-username router(config-if)#

pap sent-username username password password no ppp pap sent-username Syntax Description:
username Username sent in the PAP authentication request.

password

Password sent in the PAP authentication request.

password

Must contain from 1 to 25 uppercase and lowercase alphanumeric characters.

Command Description: To reenable remote Password Authentication Protocol (PAP) support for an interface and use the sent-username and password in the PAP authentication request packet to the peer, use the ppp pap sent-username command in interface configuration mode. To disable remote PAP support, use the no form of this command. Usage Guidelines Use this command to reenable remote PAP support (for example, to respond to the peer's request to authenticate with PAP) and to specify the parameters to be used when sending the PAP authentication request. This is a per-interface command. You must configure this command for each interface. Example: The following example identifies dialer interface 0 as the dialer rotary group leader and specify PPP as the method of encapsulation used by the interface. Authentication is by CHAP or PAP on received calls only. ISPCorp is the username sent to the peer if the peer requires the router to authenticate with PAP. router(config)#interface dialer0 router(config-if)#encapsulation ppp router(config-if)#ppp authentication chap pap callin router(config-if)#ppp chap hostname ISPCorp

router(config-if)#ppp pap sent username ISPCorp password 7 fjhfeu

Misconceptions: none Related commands: aaa ppp ppp ppp authentication ppp authentication chap hostname chap password

Sample Configurations: crypto isakmp policy 10 authentication pre-share ! crypto isakmp key pre-shared address 10.1.1.5 ! crypto ipsec transform-set strong esp-des esp-sha-hmac ! crypto map vpn 10 ipsec-isakmp set peer 10.1.1.5 set transform-set strong match address 102 ! interface ATM0/0 no ip address atm vc-per-vp 256 no atm ilmi-keepalive pvc 0/35 oam-pvc 0 encapsulation aal5mux ppp Virtual-Template1 ! dsl operating-mode auto no fair-queue crypto map vpn ! interface FastEthernet0/1 ip address 1.1.1.1 255.255.255.0 duplex 100 speed full ! interface Virtual-Template1

ip address 10.1.100.101 255.255.255.0 ppp pap sent-username 2621a password 7 045802150C2E crypto map vpn ! ip classless ! ip route 2.2.2.0 255.255.255.0 10.1.1.5 ip route 10.1.1.0 255.255.255.0 10.1.100.1 ! access-list 102 permit ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255 ! end

Command Name: Mode: Syntax:

show ip trigger-authentication router#

show ip trigger-authentication Syntax Description: This command has no arguments or keywords. Command Description: To view the list of remote hosts for which automated double authentication has been attempted, use the show ip trigger-authentication command in privileged EXEC mode. Usage Guidelines Whenever a remote user needs to be user-authenticated in the second stage of automated double authentication, the local device sends a User Datagram Protocol (UDP) packet to the remote user's host. When the UDP packet is sent, the user's host IP address is added to a table. If additional UDP packets are sent to the same remote host, a new table entry is not created; instead, the existing entry is updated with a new time stamp. This remote host table contains a cumulative list of host entries; entries are deleted after a timeout period or after you manually clear the table using the clear ip trigger-authentication command. You can change the timeout period with the ip trigger-authentication (global) command. Use this command to view the list of remote hosts for which automated double authentication has been attempted. Example: Router# show ip trigger-authentication Misconceptions: none Related commands: clear ip trigger-authentication Sample Configurations: Router# show ip trigger-authentication Trigger-authentication Host Table:

Remote Host 172.21.127.114

Time Stamp 2940514234

Command Name: Mode: Syntax: show ppp queues Syntax Description:

show ppp queues router#

This command has no arguments or keywords. Command Description: To monitor the number of requests processed by each authentication, authorization, and accounting (AAA) background process, use the show ppp queues command in privileged EXEC mode. The fields and description are listed below for the command show ppp queues.
Field Description

Proc #

Identifies the background process allocated by the aaa processes command to handle AAA requests for PPP. All of the data in this row relates to this process.

pid=

Identification number of the background process.

authens=

Number of authentication requests the process has performed.

avg. rtt=

Average delay (in seconds) until the authentication request was completed.

authors=

Number of authorization requests the process has performed.

queue len=

Current queue length.

max len=

Maximum length the queue ever reached.

Usage Guidelines

Use the show ppp queues command to display the number of requests handled by each AAA background process, the average amount of time it takes to complete each request, and the requests still pending in the work queue. This information can help you balance the data load between the network access server and the AAA server. This command displays information about the background processes configured by the aaa processes global configuration command. Each line in the display contains information about one of the background processes. If there are AAA requests in the queue when you enter this command, the requests will be printed as well as the background process data. Example: Router# show ppp queues Misconceptions: none Related commands: aaa processes Sample Configurations: Router# show ppp queues Proc #0 pid=73 authens=59 avg. rtt=118s. authors=160 avg. rtt=94s. Proc #1 pid=74 authens=52 avg. rtt=119s. authors=127 avg. rtt=115s. Proc #2 pid=75 authens=69 avg. rtt=130s. authors=80 avg. rtt=122s. Proc #3 pid=76 authens=44 avg. rtt=114s. authors=55 avg. rtt=106s. Proc #4 pid=77 authens=70 avg. rtt=141s. authors=76 avg. rtt=118s. Proc #5 pid=78 authens=64 avg. rtt=131s. authors=97 avg. rtt=113s. Proc #6 pid=79 authens=56 avg. rtt=121s. authors=57 avg. rtt=117s. Proc #7 pid=80 authens=43 avg. rtt=126s. authors=54 avg. rtt=105s. Proc #8 pid=81 authens=139 avg. rtt=141s. authors=120 avg. rtt=122s. Proc #9 pid=82 authens=63 avg. rtt=128s. authors=199 avg. rtt=80s. queue len=0 max len=499

Command Name: Mode: Syntax:

timeout login response router(config-line)#

timeout login response seconds no timeout login response seconds Syntax Description:
seconds Integer that determines the number of seconds the system will wait for login input before timing out. Available settings are from 1 to 300 seconds.

Command Description: To specify how long the system will wait for login input (such as username and password) before timing out, use the timeout login response command in line configuration mode. To set the timeout value to 0 seconds, use the no form of this command. Example: The following example changes the login timeout value to 60 seconds: router(config)#line 10 router(config-line)#timeout login response 60 Misconceptions: none Related commands: none Sample Configurations:

Command Name: Mode: Syntax:

aaa authorization config-commands router(config)#

aaa authorization config-commands no aaa authorization config-commands Syntax Description: This command has no arguments or keywords. Command Description: To reestablish the default created when the aaa authorization commands command was issued, use the aaa authorization config-commands command in global configuration mode. To disable authentication, authorization, and accounting (AAA) configuration command authorization, use the no form of this command. Usage Guidelines If aaa authorization commands level method command is enabled, all commands, including configuration commands, are authorized by AAA using the method specified. Because there are configuration commands that are identical to some EXEC-level commands, there can be some confusion in the authorization process. Using the no aaa authorization config-commands command stops the network access server from attempting configuration command authorization. After the no form of this command has been entered, AAA authorization of configuration commands is completely disabled. Care should be taken before entering the no form of this command because it potentially reduces the amount of administrative control on configuration commands. Use the aaa authorization config-commands command if, after using the no form of this command, you need to reestablish the default set by the aaa authorization commands level method command. Example: The following example specifies that TACACS+ authorization is run for level 15 commands and that AAA authorization of configuration commands is disabled: router(config)#aaa new-model router(config)#aaa authorization command 15 group tacacs+ none router(config)#no aaa authorization config-commands Misconceptions:

none Related commands: aaa authorization Sample Configurations: aaa authentication login default none aaa authentication enable default none aaa authentication ppp default group radius aaa authorization config-commands aaa authorization network default local aaa session-id common enable password cisco !

Command Name: Mode: Syntax:

aaa authorization reverse-access router(config)#

aaa authorization reverse-access {group radius | group tacacs+} no aaa authorization reverse-access {group radius | group tacacs+} Syntax Description:
group radius Specifies that the network access server will request authorization from a RADIUS security server before allowing a user to establish a reverse Telnet session.

group tacacs+

Specifies that the network access server will request authorization from a TACACS+ security server before allowing a user to establish a reverse Telnet session.

Command Description: To configure a network access server to request authorization information from a security server before allowing a user to establish a reverse Telnet session, use the aaa authorization reverseaccess command in global configuration mode. To restore the default value for this command, use the no form of this command. Usage Guidelines Telnet is a standard terminal emulation protocol used for remote terminal connection. Normally, you log in to a network access server (typically through a dialup connection) and then use Telnet to access other network devices from that network access server. There are times, however, when it is necessary to establish a reverse Telnet session. In reverse Telnet sessions, the Telnet connection is established in the opposite directionfrom inside a network to a network access server on the network periphery to gain access to modems or other devices connected to that network access server. Reverse Telnet is used to provide users with dialout capability by allowing them to open Telnet sessions to modem ports attached to a network access server. It is important to control access to ports accessible through reverse Telnet. Failure to do so could, for example, allow unauthorized users free access to modems where they can trap and divert incoming calls or make outgoing calls to unauthorized destinations. Authentication during reverse Telnet is performed through the standard AAA login procedure for Telnet. Typically the user has to provide a username and password to establish either a Telnet or

reverse Telnet session. This command provides an additional (optional) level of security by requiring authorization in addition to authentication. When this command is enabled, reverse Telnet authorization can use RADIUS or TACACS+ to authorize whether or not this user is allowed reverse Telnet access to specific asynchronous ports, after the user successfully authenticates through the standard Telnet login procedure. Example: router(config)# aaa authorization reverse-access default group tacacs+ Misconceptions: none Related commands: aaa authorization Sample Configurations: The following example causes the network access server to request authorization information from a TACACS+ security server before allowing a user to establish a reverse Telnet session: aaa new-model aaa authentication login default group tacacs+ aaa authorization reverse-access default group tacacs+ ! tacacs-server host 172.31.255.0 tacacs-server timeout 90 tacacs-server key goaway

Command Name: Mode: Syntax:

aaa authorization router(config)#

aaa authorization {network | exec | commands level | reverseaccess | configuration} {default | list-name} method1 [method2...] no aaa authorization {network | exec | commands level | reverseaccess | configuration} {default | list-name} method1 [method2...]

Syntax Description:
network Runs authorization for all network-related service requests, including SLIP, PPP, PPP NCPs, and ARA.

exec

Runs authorization to determine if the user is allowed to run an EXEC shell. This facility might return user profile information such as autocommand information.

commands

Runs authorization for all commands at the specified privilege level.

level

Specific command level that should be authorized. Valid entries are 0 through 15.

reverseaccess

Runs authorization for reverse access connections, such as reverse Telnet.

configuration

Downloads the configuration from the AAA server.

default

Uses the listed authorization methods that follow this argument as the default list of methods for authorization.

list-name

Character string used to name the list of authorization methods.

method1

One of the keywords listed below.

[method2...]

Keyword group groupname ifauthenticated None Local krb5-instance

Description Uses a subset of RADIUS or TACACS+ servers for authentication as defined by the aaa group server radius or aaa group server tacacs+ commands. Allows the user to access the requested function if the user is authenticated. No authorization is performed. Uses the local database for authorization. Uses the instance defined by the kerberos instance map command.

Command Description: Use the aaa authorization commands to restrict access to a network. Cisco NAS are configured to perform authorization using the aaa authorization commands. You can configure Cisco Secure ACS to perform authorization tasks with NAS. The per-user security policy determines how authorization is configured. Method lists are specific to the type of authorization being requested. Example:
To set parameters that restrict user access to a network, use the aaa authorization command in global configuration mode as shown below. AAA authorization commands 1 alpha localUses local user name database to authorize the use of all level 1 commands. AAA authorization commands 15 bravo localUses the local database to authorize the use of all level 15 commands. AAA authorization network charlie local noneUses the local database to authorize the use of all network services such as Serial Line Interface Protocol (SLIP), PPP, and ARAP. If the local server is not available, this command performs no authorization, and the user can use all network services. AAA author exec delta ifauthenticatedLets the user run the exec process if the user is already authenticated.

router(config)# aaa authorization commands 1 alpha local router(config)# aaa authorization commands 15 bravo local router(config)# aaa authorization network charlie local none Misconceptions: This command can be used with TACACS or extended TACACS. Related commands:

aaa accounting aaa new-model Sample Configurations:

aaa new-model aaa authentication login default tacacs+ aaa authentication login no_tacacs enable aaa authentication ppp default tacacs+ aaa authorization exec tacacs+ aaa authorization network tacacs+ aaa accounting exec start-stop tacacs+ aaa accounting network start-stop tacacs+ enable secret 5 $1$x1EE$33AXd2VTVvhbWL0A37tQ3. enable password 7 15141905172924 ! username admin password 7 094E4F0A1201181D19 ! interface Serial2 ppp authentication pap ! tacacs-server host 10.1.1.4 tacacs-server key ciscosecure ! line con 0 login authentication no_tacacs

Command Name: Mode: Syntax:

aaa dnis map authorization network group router(config)#

aaa dnis map dnis-number authorization network group servergroup-name no aaa dnis map dnis-number authorization network group servergroup-name

Syntax Description:
dnis-number Number of the DNIS.

server-group-name

Character string used to name a group of security servers functioning within a server group.

Command Description: To map a Dialed Number Identification Service (DNIS) number to a particular authentication, authorization, and accounting (AAA) server group (the server group that will be used for AAA authorization), use the aaa dnis map authorization network group global configuration command. To unmap this DNIS number from the defined server group, use the no form of this command. Usage Guidelines This command lets you assign a DNIS number to a particular AAA server group so that the server group can process authorization requests for users dialing in to the network using that particular DNIS number. To use this command, you must first enable AAA, define a AAA server group, and enable DNIS mapping. Example: router(config)# aaa dnis map 7777 authorization network group Misconceptions: none Related commands: aaa new-model

aaa dnis map accounting network group aaa dnis map authentication ppp group aaa dnis map enable aaa group server radius-server host Sample Configurations: The following example maps DNIS number 7777 to the RADIUS server group called group1. Server group group1 will use RADIUS server 172.30.0.0 for authorization requests for users dialing in with DNIS 7777: ! aaa new-model radius-server host 172.30.0.0 auth-port 1645 key cisco1 aaa group server radius group1 server 172.30.0.0 aaa dnis map enable aaa dnis map 7777 authorization network group group1 !

Command Name: Mode: Syntax:

authorization router(config-line)#

authorization {arap | commands level | exec | reverse-access} [default | list-name] no authorization {arap | commands level | exec | reverse-access} [default | list-name] Syntax Description:
arap Enables authorization for lines configured for AppleTalk Remote Access (ARA) protocol.

commands

Enables authorization on the selected lines for all commands at the specified privilege level.

level

Specific command level to be authorized. Valid entries are 0 through 15.

exec

Enables authorization to determine if the user is allowed to run an EXEC shell on the selected lines.

reverseaccess

Enables authorization to determine if the user is allowed reverse access privileges.

default

(Optional) The name of the default method list, created with the aaa authorization command.

list-name

(Optional) Specifies the name of a list of authorization methods to use. If no list name is specified, the system uses the default. The list is created with the aaa authorization command.

Command Description: To enable authentication, authorization, and accounting (AAA) authorization for a specific line or group of lines, use the authorization command in line configuration mode. To disable authorization, use the no form of this command. Usage Guidelines After you enable the aaa authorization command and define a named authorization method list (or use the default method list) for a particular type of authorization, you must apply the defined

lists to the appropriate lines for authorization to take place. Use the authorization command to apply the specified method lists (or if none is specified, the default method list) to the selected line or group of lines. Example: The following example enables command authorization (for level 15) using the method list named charlie on line 10: router(config)#line 10 router(config-line)#authorization commands 15 charlie Misconceptions: none Related commands: aaa authorization Sample Configurations:

Command Name: Mode: Syntax:

ppp authorization router(config-if)

ppp authorization [default | list-name] no ppp authorization

Syntax Description:
default (Optional) The name of the method list is created with the aaa authorization command.

listname

(Optional) Specifies the name of a list of authorization methods to use. If no list name is specified, the system uses the default. The list is created with the aaa authorization command.

Command Description: To enable authentication, authorization, and accounting (AAA) authorization on the selected interface, use the ppp authorization command in interface configuration mode. To disable authorization, use the no form of this command. Usage Guidelines After you enable the aaa authorization command and define a named authorization method list (or use the default method list), you must apply the defined lists to the appropriate interfaces for authorization to take place. Use the ppp authorization command to apply the specified method lists (or if none is specified, the default method list) to the selected interface. Example: The following example enables authorization on asynchronous interface 4 and uses the method list named charlie: router(config)#interface async 4 router(config-if)encapsulation ppp router(config-if)#ppp authorization charlie Misconceptions: none Related commands:

aaa authorization

Sample Configurations: Named Method List Configuration Example aaa new-model aaa authentication login admins local aaa authentication ppp dialins group radius local aaa authorization network scoobee group radius local aaa accounting network charley start-stop group radius username root password ALongPassword radius-server host Alcatraz radius-server key myRaDiUSpassWoRd interface group-async 1 group-range 1 16 encapsulation ppp ppp authentication chap dialins ppp authorization scoobee ppp accounting charley

Command Name: Mode: Syntax:

username router(config)#

username name {nopassword | password password | password encryption-type encrypted-password} username name password secret username name [access-class number] username name [autocommand command] username name [callback-dialstring telephone-number] username name [callback-rotary rotary-group-number] username name [callback-line [tty] line-number [ending-linenumber]] username name dnis username name [nocallback-verify] username name [noescape] [nohangup] username name [privilege level] username name user-maxlinks number Syntax Description:
name Host name, server name, user ID, or command name. The name argument can be only one word. Blank spaces and quotation marks are not allowed.

nopassword

No password is required for this user to log in. This is usually most useful in combination with the autocommand keyword.

password

Specifies a possibly encrypted password for this username.

password

Password a user enters.

encryption-type

Single-digit number that defines whether the text immediately following is encrypted, and, if so, what type of encryption is used. Currently defined encryption types are 0, which means that the text immediately following is not encrypted, and 7, which means that the text is encrypted using a Cisco-defined encryption algorithm.

encryptedpassword

Encrypted password a user enters.

password

Password to access the name argument. A password must be from 1 to 25 characters, can contain embedded spaces, and must be the last option specified in the username command.

secret

For CHAP authentication: specifies the secret for the local router or the remote device. The secret is encrypted when it is stored on the local router. The secret can consist of any string of up to 11 ASCII characters. There is no limit to the number of username and password combinations that can be specified, allowing any number of remote devices to be authenticated.

access-class

(Optional) Specifies an outgoing access list that overrides the access list specified in the access-class line configuration command. It is used for the duration of the user's session.

number

(Optional) Access list number.

autocommand

(Optional) Causes the specified command to be issued automatically after the user logs in. When the command is complete, the session is terminated. Because the command can be any length and contain embedded spaces, commands using the autocommand keyword must be the last option on the line.

command

(Optional) The command string. Because the command can be any length and contain embedded spaces, commands using the autocommand keyword must be the last option on the line.

callbackdialstring

(Optional) For asynchronous callback only: permits you to specify a telephone number to pass to the DCE device.

telephonenumber

(Optional) For asynchronous callback only: telephone number to pass to the DCE device.

callback-rotary

(Optional) For asynchronous callback only: permits you to specify a rotary group number. The next available line in the rotary group is selected.

rotary-groupnumber

(Optional) For asynchronous callback only: integer between 1 and 100 that identifies the group of lines on which you want to enable a specific username for callback.

callback-line

(Optional) For asynchronous callback only: specific line on which you enable a specific username for callback.

tty

(Optional) For asynchronous callback only: standard asynchronous line.

line-number

(Optional) For asynchronous callback only: relative number of the terminal line (or the first line in a contiguous group) on which you want to enable a specific username for callback. Numbering begins with zero.

ending-linenumber

(Optional) Relative number of the last line in a contiguous group on which you want to enable a specific username for callback. If you omit the keyword (such as tty), then line-number and ending-line-number are absolute rather than relative line numbers.

dnis

Do not require password when obtained via DNIS.

nocallbackverify

(Optional) Authentication not required for EXEC callback on the specified line.

noescape

(Optional) Prevents a user from using an escape character on the host to which that user is connected.

nohangup

(Optional) Prevents Cisco IOS software from disconnecting the user after an automatic command (set up with the autocommand keyword) has completed. Instead, the user gets another EXEC prompt.

privilege

(Optional) Sets the privilege level for the user.

level

(Optional) Number between 0 and 15 that specifies the privilege level for the user.

user-maxlinks

Limit the user's number of inbound links.

number

User-maxlinks limit for inbound links.

Command Description: To establish a username-based authentication system, use the username command in global configuration mode. Example: router(config)#username admin password 7 15100A0F0F6A2F2B2721 router(config)#username isgroup password 7 000B070E01494B02002E5E router(config)#username remotes password 7 1059060B0E120009090139 Misconceptions: none Related commands: aaa accounting suppress null-username aaa authentication username-prompt ppp pap sent-username Sample Configurations: aaa new-model ! ! aaa authentication login default enable aaa authentication login console-in local aaa authentication login is-in local aaa authentication login tty-in line aaa authentication ppp dial-in if-needed local aaa session-id common enable secret 5 $1$ptCj$vRErS/tehv53JjaqFMzBT/ enable password 7 06020026144A061E ! username admin password 7 15100A0F0F6A2F2B2721 username isgroup password 7 000B070E01494B02002E5E username remotes password 7 1059060B0E120009090139

Command Name:

aaa authentication enable default

Mode: Syntax:

Router(config)#

aaa authentication enable default method1 [method2...] no aaa authentication enable default method1 [method2...]

Syntax Description: method At least one of the keywords described in the table below.

Command Description: To enable AAA authentication to determine if a user can access the privileged command level, use the aaa authentication enable default global configuration command. Use the no form of this command to disable this authorization method.

Usage Guidelines
Use the aaa authentication enable default command to create a series of authentication methods that are used to determine whether a user can access the privileged command level. Method keywords are described in the table below. The additional methods of authentication are used only if the previous method returns an error, not if it fails. To specify that the authentication should succeed even if all methods return an error, specify none as the final method in the command line. If a default authentication routine is not set for a function, the default is none and no authentication is performed. Use the show running-config command to view currently configured lists of authentication methods. Table: aaa authentication enable Default Methods Keyword enable line none group tacacs+ group radius Description Uses the enable password for authentication. Uses the line password for authentication. Uses no authentication. Uses the list of all TACACS+ to provide authentication services. Uses the list of all RADIUS to provide authentication services.

group | groupname Example:

Uses a subset of RADIUS or TACACS+ servers for authentication as defined by the server group group-name.

To enable AAA authentication to determine if a user can access the privileged command level, use the aaa authentication enable default command in global configuration mode as shown in this figure.

router(config)#aaa authentication enable default group tacacs+ Misconceptions: The additional methods of authentication are used if the previous method fails. Related commands: aaa authorization aaa new-model enable password Sample Configurations: aaa new-model ! ! aaa authentication login default enable aaa authentication login console-in local aaa authentication login is-in local aaa authentication login tty-in line aaa authentication ppp dial-in if-needed local aaa session-id common enable secret 5 $1$ptCj$vRErS/tehv53JjaqFMzBT/ enable password 7 06020026144A061E ! username admin password 7 15100A0F0F6A2F2B2721 username isgroup password 7 000B070E01494B02002E5E username remotes password 7 1059060B0E120009090139 memory-size iomem 15 ip subnet-zero Configuration for a line: ! line con 0 password 7 094A5C0617115716040316 login authentication console-in line 1 password 7 0602062040031C0A000501

login authentication tty-in modem InOut modem autoconfigure type usr_sportster no exec transport input all stopbits 1 speed 115200 flowcontrol hardware line aux 0 password 7 045A0F0B062F014A001809 line vty 0 4 password 7 045E080E0078 login authentication is-in ! ! end

Command Name: Mode: Syntax:

aaa authentication login router(config)#

aaa authentication login {default [method2...]

| list-name} method1

no aaa authentication login {default [method2...] Syntax Description:

| list-name} method1

default listname method

Uses the listed authentication methods that follow this argument as the default list of methods when a user logs in. Character string used to name the following list of authentication methods activated when a user logs in. At least one of the keywords described in the table: aaa authentication login Methods.

Command Description:

To set AAA authentication at login, use the aaa authentication login global configuration command. Use the no form of this command to disable AAA authentication. Usage Guidelines The default and optional list names created with the aaa authentication login command are used with the login authentication command. Create a list by entering the aaa authentication login list-name method command for a particular protocol, where list-name is any character string used to name this list (such as MISaccess). The method argument identifies the list of methods that the authentication algorithm tries, in the given sequence. Method keywords are described in the table. If no list is specified on an interface with the login authentication command, a default list to be used can be specified with the default keyword followed by the methods. The additional methods of authentication are used only if the previous method returns an error, not if it fails. To ensure that the authentication succeeds even if all methods return an error, specify none as the final method in the command line.

If authentication is not specifically set for a line, the default is to deny access and no authentication is performed. Use the show running-config command to display currently configured lists of authentication methods. Table: aaa authentication login Methods Keyword enable krb5 line local none group radius group tacacs+ krb5-telnet group | groupname local-case Description Uses the enable password for authentication. Uses Kerberos 5 for authentication. Uses the line password for authentication. Uses the local username database for authentication. Uses no authentication. Uses the list of all RADIUS to provide authentication services. Uses the list of all TACACS+ to provide authentication services. Uses Kerberos 5 Telnet authentication protocol when using Telnet to connect to the router. Uses a subset of RADIUS or TACACS+ servers for authentication as defined by the server group group-name. Uses case-sensitive local username authentication

Example: Use the aaa authentication login command in global configuration mode as shown below to configure telnet and console lines. router(config)# aaa authentication login default enable router(config)# aaa authentication login console-in local router(config)# aaa authentication login tty-in line Misconceptions: This command cannot be used with TACACS or extended TACACS. Related commands: aaa new-model login authentication

Sample Configurations: aaa new-model !

! aaa authentication login default enable aaa authentication login console-in local aaa authentication login is-in local aaa authentication login tty-in line aaa authentication ppp dial-in if-needed local aaa session-id common enable secret 5 $1$ptCj$vRErS/tehv53JjaqFMzBT/ enable password 7 06020026144A061E ! username admin password 7 15100A0F0F6A2F2B2721 username isgroup password 7 000B070E01494B02002E5E username remotes password 7 1059060B0E120009090139 memory-size iomem 15 ip subnet-zero Configuration for a line: ! line con 0 password 7 094A5C0617115716040316 login authentication console-in line 1 password 7 0602062040031C0A000501 login authentication tty-in modem InOut modem autoconfigure type usr_sportster no exec transport input all stopbits 1 speed 115200 flowcontrol hardware line aux 0 password 7 045A0F0B062F014A001809 line vty 0 4 password 7 045E080E0078 login authentication is-in ! !
end

Command Name: Mode: Syntax:

aaa authentication ppp router(config)#

aaa authentication ppp {default | list-name} method1 [method2...] no aaa authentication ppp {default | list-name} method1 [method2...] Syntax Description: default list-name method1 [method2...] Command Description: To specify one or more AAA authentication methods for use on interfaces running Point-to-Point Protocol (PPP), use the aaa authentication ppp global configuration command. Use the no form of this command to disable authentication. Uses the listed authentication methods that follow this argument as the default list of methods when a user logs in. Character string used to name the following list of authentication methods tried when a user logs in. At least one of the keywords described in the table below.

Usage Guidelines
The lists created with the aaa authentication ppp command are used with the ppp authentication command. These lists contain up to four authentication methods that are used when a user tries to log in to the serial interface. Create a list by entering the aaa authentication ppp list-name method command, where listname is any character Character string used to name the list of authentication methods activated when a user logs in.. The method argument identifies the list of methods that the authentication algorithm tries in the given sequence. Up to four methods can be entered. Method keywords are described in table below. The additional methods of authentication are only used if the previous method returns an error, not if it fails. Specify none as the final method in the command line to have authentication succeed even if all methods return an error. If authentication is not specifically set for a function, the default is none and no authentication is performed. Use the show running-config command to display currently configured lists of authentication methods.

Table: aaa authentication ppp Methods Keyword if-needed krb5 local-case local group | groupname none Description Does not authenticate if user has already been authenticated on a TTY line Uses Kerberos 5 for authentication (can only be used for PAP authentication) Uses case-sensitive local username authentication Uses the local username database for authentication Uses a subset of RADIUS or TACACS+ servers for authentication as defined by the server group group-name Uses no authentication

Example: To specify one or more AAA authentication methods for use on serial interfaces running PPP, use the aaa authentication ppp command in global configuration mode as shown below. router(config)#aaa authen ppp default local router(config)#aaa authen ppp dial-in local none Misconceptions: none

Related commands: aaa new-model ppp authentication Sample Configurations: aaa new-model ! ! aaa authentication login default enable aaa authentication login console-in local aaa authentication login is-in local aaa authentication login tty-in line aaa authentication ppp dial-in if-needed local aaa session-id common enable secret 5 $1$ptCj$vRErS/tehv53JjaqFMzBT/ enable password 7 06020026144A061E ! username admin password 7 15100A0F0F6A2F2B2721 username isgroup password 7 000B070E01494B02002E5E username remotes password 7 1059060B0E120009090139

memory-size iomem 15 ip subnet-zero Configuration for a line: ! line con 0 password 7 094A5C0617115716040316 login authentication console-in line 1 password 7 0602062040031C0A000501 login authentication tty-in modem InOut modem autoconfigure type usr_sportster no exec transport input all stopbits 1 speed 115200 flowcontrol hardware line aux 0 password 7 045A0F0B062F014A001809 line vty 0 4 password 7 045E080E0078 login authentication is-in ! !
end

Command Name: Mode: Syntax:

aaa authorization router(config)#

aaa authorization {network | exec | commands level | reverse-access | configuration} {default | list-name} method1 [method2...] no aaa authorization {network | exec | commands level | reverse-access | configuration} {default | list-name} method1 [method2...]

Syntax Description: auth-proxy network exec commands config-commands configuration ipmobile level reverse-access default list-name method1 [method2...] Command Description: Use the aaa authorization commands to restrict access to a network. Cisco NAS are configured to perform authorization using the aaa authorization commands. You can configure Cisco Secure ACS to perform authorization tasks with NAS. The per-user security policy determines how authorization is configured. Method keywords are described in the table below. For Authentication Proxy Services. Runs authorization for all network-related service requests, including SLIP, PPP, PPP NCPs, and ARAP. Runs authorization to determine if the user is allowed to run an EXEC shell. Runs authorization for all commands at the specified privilege level. For configuration mode commands. Downloads the configuration from the AAA server. For Mobile IP services. Specific command level that should be authorized. Valid entries are 0 through 15. Runs authorization for reverse access connections, such as reverse Telnet. Uses the listed authorization methods that follow this argument as the default list of methods for authorization. Character string used to name the list of authorization methods. One of the keywords listed in the table below.

Table: AAA Authorization Methods Keyword group groupname Description Uses a subset of RADIUS or TACACS+ servers forauthentication as defined by the aaa group server radiusor aaa group server tacacs+ commands.

if-authenticated Allows the user to access the requested function if the user is authenticated. No authorization is performed. None Local krb5-instance Uses the local database for authorization. Uses the instance defined by the kerberos instance map command.

Method lists are specific to the type of authorization being requested. AAA supports four different types of authorization: Example:
To set parameters that restrict user access to a network, use the aaa authorization command in global configuration mode as shown below. AAA authorization commands 1 alpha localUses local user name database to authorize the use of all level 1 commands. AAA authorization commands 15 bravo localUses the local database to authorize the use of all level 15 commands. AAA authorization network charlie local noneUses the local database to authorize the use of all network services such as Serial Line Interface Protocol (SLIP), PPP, and ARAP. If the local server is not available, this command performs no authorization, and the user can use all network services. AAA author exec delta ifauthenticatedLets the user run the exec process if the user is already authenticated.

router(config)# aaa authorization commands 1 alpha local router(config)# aaa authorization commands 15 bravo local router(config)# aaa authorization network charlie local none Misconceptions: This command can be used with TACACS or extended TACACS. Related commands: aaa accounting aaa new-model Sample Configurations:

Command name: Mode: Syntax:

aaa new-model router(config)# aaa new-model no aaa new-model

Syntax Description: This command has no arguments or keywords Command Description: To enable the AAA access control model, issue the aaa new-model global configuration command. Use the no form of this command to disable the AAA access control model. Example: The following example initializes AAA: router (config) #aaa new-model Misconceptions: None

Related Commands: aaa accounting aaa aunthentication arap aaa authentication enable default aaa authentication login aaa authentication ppp aaa authorization Sample Configuration: aaa new-model ! ! aaa authentication login default enable aaa authentication login console-in local aaa authentication login is-in local aaa authentication login tty-in line aaa authentication ppp dial-in if-needed local aaa session-id common enable secret 5 $1$ptCj$vRErS/tehv53JjaqFMzBT/ enable password 7 06020026144A061E ! username admin password 7 15100A0F0F6A2F2B2721 username isgroup password 7 000B070E01494B02002E5E username remotes password 7 1059060B0E120009090139

Command Name: Mode: Syntax: debug aaa accounting no debug aaa accounting Syntax Description:

debug aaa accounting router#

This command has no arguments or keywords. Command Description: Use this command to trouble shoot problems and to display information on accountable events as they occur, use the debug aaa accounting privileged exec command as shown in the figure. Use the no debug aaa accounting form of the command to disable this debug mode. The sample configuration shows output from the debug aaa accounting command. The information displayed by the debug aaa accounting command is independent of the accounting protocol used to transfer the accounting information to a server. Use the debug tacacs and debug radius protocol-specific commands to get more detailed information about protocol-level issues. You can also use the show accounting command to step through all active sessions and to print all the accounting records for actively accounted functions. The show accounting command enables you to display the active accountable events on the system. It provides systems administrators a quick look at what is happening, and may also be useful for collecting information in the event of a data loss on the accounting server. The show accounting command displays additional data on the internal state of the AAA security system if debug aaa accounting active as well. Example: router# debug aaa accounting Misconceptions: none Related commands: debug aaa authentication debug aaa authorization debug aaa accounting

Sample Configurations:

Actual debug output

router# debug aaa accounting 16:49:21: AAA/ACCT: EXEC acct start, line 10 16:49:32: AAA/ACCT: Connect start, line 10, glare 16:49:47: AAA/ACCT: Connection acct stop: task_id=70 service=exec port=10 protocol=telnet address=172.31.3.78 cmd=glare bytes_in=308 bytes_out=76 paks_in=45 paks_out=54 elapsed_time=14

Command Name: Mode: Syntax:

debug aaa authentication router# debug aaa authentication no debug aaa authentication

Syntax Description: This command has no arguments or keywords. Command Description:


Use this command to troubleshoot problems and to display information on AAA/TACACS+ authentication, use the debug aaa authentication privileged exec command as shown in the figure. Use the no debug aaa authentication form of the command to disable this debug mode.

Example: router# debug aaa authentication Misconceptions: none Related commands: debug aaa authentication debug aaa authorization debug aaa accounting Sample Configurations: Actual debug output

router# debug aaa authentication 113123: Feb 4 10:11:19.305 CST: AAA/MEMORY: create_user (0x619C4940) user='' ruser='' port='tty1' rem_addr='async/81560' authen_type=ASCII service=LOGIN priv=1 113124: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): port='tty1' list='' action=LOGIN service=LOGIN 113125: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): using "default" list 113126: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): Method=LOCAL 113127: Feb 4 10:11:19.305 CST: AAA/AUTHEN (2784097690): status = GETUSER 113128: Feb 4 10:11:26.305 CST: AAA/AUTHEN/CONT (2784097690): continue_login

(user='(undef)') 113129: Feb 4 10:11:26.305 CST: AAA/AUTHEN (2784097690): status = GETUSER 113130: Feb 4 10:11:26.305 CST: AAA/AUTHEN/CONT (2784097690): Method=LOCAL 113131: Feb 4 10:11:26.305 CST: AAA/AUTHEN (2784097690): status = GETPASS 113132: Feb 4 10:11:28.145 CST: AAA/AUTHEN/CONT (2784097690): continue_login (user='diallocal') 113133: Feb 4 10:11:28.145 CST: AAA/AUTHEN (2784097690): status = GETPASS 113134: Feb 4 10:11:28.145 CST: AAA/AUTHEN/CONT (2784097690): Method=LOCAL 113135: Feb 4 10:11:28.145 CST: AAA/AUTHEN (2784097690): status = PASS

Command Name: Mode: Syntax: debug aaa authorization no debug aaa authorization Syntax Description:

debug aaa authorization router#

This command has no arguments or keywords. Command Description: Use this command to troubleshoot problems and to display information on AAA/TACACS+ authorization, use the debug aaa authorization privileged exec command. Use the no debug aaa authorization form of the command to disable this debug mode. The sample configuration shows the output from the debug aaa authorization command where an exec authorization for user carrel is performed: On the first line, the username carrel is authorized. On the second and third lines, the attribute value (AV) pairs are authorized. The debug output displays a line for each AV pair that is authenticated. The display indicates the authorization method used. The final line in the display indicates the status of the authorization process, which, in this case, has failed.

The aaa authorization command causes a request packet containing a series of AV pairs to be sent to the TACACS daemon as part of the authorization process. The daemon responds in one of the following three ways: Accepts the request as is. Makes changes to the request. Refuses the request, thereby refusing authorization.

The AV pairs associated with the debug aaa authorization command that may appear in the debug output are described as follows: service=arapAuthorization for the ARA protocol is being requested. service=shellAuthorization for exec startup and command authorization is being requested. service=pppAuthorization for PPP is being requested. service=slipAuthorization for SLIP is being requested. protocol=lcpAuthorization for LCP is being requested (lower layer of PPP).

protocol=ipUsed with service=slip and service=slip to indicate which protocol layer is being authorized. protocol=ipxUsed with service=ppp to indicate which protocol layer is being authorized. protocol=atalkUsed with service=ppp or service=arap to indicate which protocol layer is being authorized. protocol=vinesUsed with service=ppp for VINES over PPP. protocol=unknownUsed for undefined or unsupported conditions. cmd=xUsed with service=shell, if cmd=NULL, this is an authorization request to start an exec. If cmd is not NULL, this is a command authorization request and will contain the name of the command being authorized. For example, cmd=telnet. cmd-arg=xUsed with service=shell. When performing command authorization, the name of the command is given by a cmd=x pair for each argument listed. For example, cmd-arg=archie.sura.net. acl=xUsed with service=shell and service=arap. For ARA, this pair contains an access list number. For service=shell, this pair contains an access class number. For example, acl=2. inacl=xUsed with service=ppp and protocol=ip. Contains an IP input access list for SLIP or PPP/IP. For example, inacl=2. outacl=xUsed with service=ppp and protocol=ip. Contains an IP output access list for SLIP or PPP/IP. For example, outacl=4. addr=xUsed with service=slip, service=ppp, and protocol=ip. Contains the IP address that the remote host should use when connecting via SLIP or PPP/IP. For example, addr=172.30.23.11. routing=xUsed with service=slip, service=ppp, and protocol=ip. Equivalent in function to the /routing flag in SLIP and PPP commands. Can either be true or false. For example, routing=true. timeout=xUsed with service=arap. The number of minutes before an ARA session disconnects. For example, timeout=60. autocmd=xUsed with service=shell and cmd=NULL. Specifies an autocommand to be executed at exec startup. For example, autocmd=telnet yxz.com. noescape=xUsed with service=shell and cmd=NULL. Specifies a noescape option to the username configuration command. Can be either true or false. For example, noescape=true. nohangup=xUsed with service=shell and cmd=NULL. Specifies a nohangup option to the username configuration command. Can be either true or false. For example, nohangup=false. priv-lvl=xUsed with service=shell and cmd=NULL. Specifies the current privilege level for command authorization as a number from 0 to 15. For example, priv-lvl=15. zonelist=xUsed with service=arap. Specifies an AppleTalk zonelist for ARA. For example, zonelist=5. addr-pool=xUsed with service=ppp and protocol=ip. Specifies the name of a local pool from which to get the address of the remote host.

Example: router# debug aaa authorization Misconceptions: Related commands: debug aaa authentication debug aaa authorization debug aaa accounting Sample Configurations: Actual debug output none

router# debug aaa authorization 2:23:21: AAA/AUTHOR (0): user='carrel' 2:23:21: AAA/AUTHOR (0): send AV service=shell 2:23:21: AAA/AUTHOR (0): send AV cmd* 2:23:21: AAA/AUTHOR (342885561): Method=TACACS+ 2:23:21: AAA/AUTHOR/TAC+ (342885561): user=carrel 2:23:21: AAA/AUTHOR/TAC+ (342885561): send AV service=shell 2:23:21: AAA/AUTHOR/TAC+ (342885561): send AV cmd* 2:23:21: AAA/AUTHOR (342885561): Post authorization status = FAIL

Command Name: Mode: Syntax:

aaa dnis map authorization network group router(config)#

aaa dnis map dnis-number authorization network group servergroup-name no aaa dnis map dnis-number authorization network group servergroup-name Syntax Description:
dnis-number Number of the DNIS.

server-group-name

Character string used to name a group of security servers functioning within a server group.

Command Description: To map a Dialed Number Identification Service (DNIS) number to a particular authentication, authorization, and accounting (AAA) server group (the server group that will be used for AAA authorization), use the aaa dnis map authorization network group global configuration command. To unmap this DNIS number from the defined server group, use the no form of this command. Usage Guidelines This command lets you assign a DNIS number to a particular AAA server group so that the server group can process authorization requests for users dialing in to the network using that particular DNIS number. To use this command, you must first enable AAA, define a AAA server group, and enable DNIS mapping. Example: router(config)#aaa dnis map 7777 authorization network group group1 Misconceptions: none

Related commands:

aaa new-model aaa dnis map accounting network group aaa dnis map authentication ppp group aaa dnis map enable aaa group server radius-server host

Sample Configurations: The following sample configuration maps DNIS number 7777 to the RADIUS server group called group1. Server group group1 will use RADIUS server 172.30.0.0 for authorization requests for users dialing in with DNIS 7777: aaa new-model radius-server host 172.30.0.0 auth-port 1645 key cisco1 aaa group server radius group1 server 172.30.0.0 aaa dnis map enable aaa dnis map 7777 authorization network group group1

Command Name: Mode: Syntax:

authorization router(config-line)#

authorization {arap | commands level | exec | reverse-access} [default | list-name] no authorization {arap | commands level | exec | reverse-access} [default | list-name] Syntax Description:
arap Enables authorization for lines configured for AppleTalk Remote Access (ARA) protocol.

commands

Enables authorization on the selected lines for all commands at the specified privilege level.

level

Specific command level to be authorized. Valid entries are 0 through 15.

exec

Enables authorization to determine if the user is allowed to run an EXEC shell on the selected lines.

reverseaccess

Enables authorization to determine if the user is allowed reverse access privileges.

default

(Optional) The name of the default method list, created with the aaa authorization command.

list-name

(Optional) Specifies the name of a list of authorization methods to use. If no list name is specified, the system uses the default. The list is created with the aaa authorization command.

Command Description: To enable authentication, authorization, and accounting (AAA) authorization for a specific line or group of lines, use the authorization command in line configuration mode. To disable authorization, use the no form of this command. Usage Guidelines After you enable the aaa authorization command and define a named authorization method list (or use the default method list) for a particular type of authorization, you must apply the defined

lists to the appropriate lines for authorization to take place. Use the authorization command to apply the specified method lists (or if none is specified, the default method list) to the selected line or group of lines. Example: The following example enables command authorization (for level 15) using the method list named charlie on line 10: router(config)#line 10 router(config-line)#authorization commands 15 charlie Misconceptions: none Related commands: aaa authorization Sample Configurations:

Command Name: Mode: Syntax: clear kerberos creds Syntax Description:

clear kerberos creds router#

This command has no arguments or keywords. Command Description: To delete the contents of the credentials cache, use the clear kerberos creds command in privileged EXEC mode. Example: router#clear kerberos creds Misconceptions: none Related commands: show kerberos creds Sample Configurations: router# show kerberos creds Default Principal: chet@cisco.com Valid Starting Expires Service Principal 18-Dec-1995 16:21:07 19-Dec-1995 00:22:24 krbtgt/CISCO.COM@CISCO.COM router# clear kerberos creds router# show kerberos creds No Kerberos credentials. router#

Command Name: Mode: Syntax:

kerberos clients mandatory router(config)#

kerberos clients mandatory no kerberos clients mandatory Syntax Description: This command has no arguments or keywords. Command Description: To cause the rsh, rcp, rlogin, and telnet commands to fail if they cannot negotiate the Kerberos protocol with the remote server, use the kerberos clients mandatory command in global configuration mode. To make Kerberos optional, use the no form of this command. Example: The following example causes the rsh, rcp, rlogin, and telnet commands to fail if they cannot negotiate the Kerberos protocol with the remote server: router(config)#kerberos clients mandatory Misconceptions: none Related commands: kerberos credentials forward Sample Configurations:

Command Name: Mode: Syntax:

kerberos credentials forward router(config)#

kerberos credentials forward no kerberos credentials forward Syntax Description: This command has no arguments or keywords. Command Description: To force all network application clients on the router to forward users' Kerberos credentials upon successful Kerberos authentication, use the kerberos credentials forward command in global configuration mode. To turn off forwarding of Kerberos credentials, use the no form of this command. Example: The following example forces all network application clients on the router to forward users' Kerberos credentials upon successful Kerberos authentication: router(config)#kerberos credentials forward Misconceptions: none

Related commands: connect rlogin rsh telnet Sample Configurations: ! clock timezone PST -8 clock summer-time PDT recurring aaa new-model aaa authentication login default krb5 aaa authentication login console none

aaa authentication ppp local local enable password sMudgKin ! username chet-2500 password 7 sMudgkin username chet-3000 password 7 sMudgkin username chetin password 7 sMudgkin kerberos local-realm CISCO.COM kerberos server CISCO.COM 172.71.54.14 kerberos credentials forward !

Command Name: Mode: Syntax:

kerberos instance map router(config)#

kerberos instance map instance privilege-level no kerberos instance map instance Syntax Description:
instance Name of a Kerberos instance.

privilegelevel

The privilege level at which a user is set if the user's Kerberos principal contains the matching Kerberos instance. You can specify up to 16 privilege levels, using numbers 0 through 15. Level 1 is normal EXEC-mode user privileges.

Command Description: To map Kerberos instances to Cisco IOS privilege levels, use the kerberos instance map command in global configuration mode. To remove a Kerberos instance map, use the no form of this command. Use this command to create user instances with access to administrative commands. Example: The following example sets the privilege level to 15 for authenticated Kerberos users with the admin instance in Kerberos realm: router(config)#kerberos instance map admin 15 Misconceptions: none Related commands: aaa authorization Sample Configurations: aaa new-model aaa authentication login default krb5-telnet krb5 aaa authentication login console none

aaa authentication ppp default krb5 local aaa authorization exec default krb5-instance enable password sMudgKin ! username chet-2500 password 7 sMudgkin username chet-3000 password 7 sMudgkin username chetin password 7 sMudgkin ip domain-name cisco.com ip name-server 192.168.0.0 kerberos local-realm CISCO.COM kerberos srvtab entry host/chet-2500.cisco.com@CISCO.COM 0 832015393 1 1 8 7 sMudgkin kerberos server CISCO.COM 172.71.54.14 kerberos instance map admin 15 kerberos instance map restricted 3 kerberos credentials forward clock timezone PST -8 clock summer-time PDT recurring

Command Name: Mode: Syntax:

kerberos local-realm router(config)#

kerberos local-realm kerberos-realm no kerberos local-realm Syntax Description:


kerberosrealm The name of the default Kerberos realm. A Kerberos realm consists of users, hosts, and network services that are registered to a Kerberos server. The Kerberos realm must be in uppercase characters.

Command Description: To specify the Kerberos realm in which the router is located, use the kerberos local-realm command in global configuration mode. To remove the specified Kerberos realm from this router, use the no form of this command. Usage Guidelines The router can be located in more than one realm at a time. However, there can only be one instance of Kerberos local-realm. The realm specified with this command is the default realm. Example: The following example specify the Kerberos realm in which the router is located as EXAMPLE.COM: router(config)#kerberos local-realm EXAMPLE.COM Misconceptions: none Related commands: kerberos kerberos kerberos kerberos kerberos preauth realm server srvtab entty srvtab remote

Sample Configurations:

aaa new-model aaa authentication login default krb5-telnet krb5 aaa authentication login console none aaa authentication ppp default krb5 local aaa authorization exec default krb5-instance enable password sMudgKin ! username chet-2500 password 7 sMudgkin username chet-3000 password 7 sMudgkin username chetin password 7 sMudgkin ip domain-name cisco.com ip name-server 192.168.0.0 kerberos local-realm CISCO.COM kerberos srvtab entry host/chet-2500.cisco.com@CISCO.COM 0 832015393 1 1 8 7 sMudgkin kerberos server CISCO.COM 172.71.54.14 kerberos instance map admin 15 kerberos instance map restricted 3 kerberos credentials forward clock timezone PST -8 clock summer-time PDT recurring

Command Name: Mode: Syntax:

kerberos preauth router(config)#

kerberos preauth [encrypted-unix-timestamp | encrypted-kerberostimestamp | none] no kerberos preauth Syntax Description:


encrypted-unixtimestamp (Optional) Use an encrypted UNIX timestamp as a quick authentication method when communicating with the KDC.

encrypted-kerberostimestamp

(Optional) Use the RFC1510 kerberos timestamp as a quick authentication method when communicating with the KDC.

none

(Optional) Do not use Kerberos preauthentication.

Command Description: To specify a preauthentication method to use to communicate with the key distribution center (KDC), use the kerberos preauth command in global configuration mode. To disable Kerberos preauthentication, use the no form of this command. Usage Guidelines It is more secure to use a preauthentication for communications with the KDC. However, communication with the KDC will fail if the KDC does not support this particular version of kerberos preauth. If that happens, turn off the preauthentication with the none option. The no form of this command is equivalent to using the none keyword. Example: The following example enables Kerberos preauthentication: router(config)#kerberos preauth encrypted-unix-timestamp Misconceptions: none

Related commands: kerberos kerberos kerberos kerberos local-realm server srvtab entry srvtab remote

Sample Configurations:

Command Name: Mode: Syntax:

kerberos realm router(config)#

kerberos realm {dns-domain | host} kerberos-realm no kerberos realm {dns-domain | host} kerberos-realm Syntax Description:
dns-domain Name of a DNS domain or host.

host

Name of a DNS host.

kerberos-realm

Name of the Kerberos realm to which the specified domain or host belongs

Command Description: To map a host name or Domain Name System (DNS) domain to a Kerberos realm, use the kerberos realm command in global configuration mode. To remove a Kerberos realm map, use the no form of this command. Usage Guidelines DNS domains are specified with a leading dot (.) character; host names cannot begin with a dot (.) character. There can be multiple entries of this line. A Kerberos realm consists of users, hosts, and network services that are registered to a Kerberos server. The Kerberos realm must be in uppercase characters. The router can be located in more than one realm at a time. Kerberos realm names must be in all uppercase characters. Example: The following example maps the domain name "example.com" to the Kerberos realm, EXAMPLE.COM: router(config)#kerberos realm .example.com EXAMPLE.COM Misconceptions: none

Related commands: kerberos kerberos kerberos kerberos local-realm server srvtab entry srvtab remote

Sample Configurations:

Command Name: Mode:

kerberos server router(config)#

Syntax: kerberos server kerberos-realm {hostname | ip-address} [portnumber] no kerberos server kerberos-realm {hostname | ip-address} Syntax Description:
kerberosrealm Name of the Kerberos realm. A Kerberos realm consists of users, hosts, and network services that are registered to a Kerberos server. The Kerberos realm must be in uppercase letters.

hostname

Name of the host functioning as a Kerberos server for the specified Kerberos realm (translated into an IP address at the time of entry).

ip-address

IP address of the host functioning as the Kerberos server for the specified Kerberos realm.

port-number

(Optional) Port that the key distribution center (KDC) monitors (defaults to 88).

Command Description: To specify the location of the Kerberos server for a given Kerberos realm, use the kerberos server command in global configuration mode. To remove a Kerberos server for a specified Kerberos realm, use the no form of this command. Example: The following example specifies 192.168.47.66 as the Kerberos server for the Kerberos realm EXAMPLE.COM: router(config)#kerberos server EXAMPLE.COM 192.168.47.66 Misconceptions: none Related commands: kerberos local-realm

kerberos server kerberos srvtab entry kerberos srvtab remote

Sample Configurations: ! clock timezone PST -8 clock summer-time PDT recurring aaa new-model aaa authentication login default krb5 aaa authentication login console none aaa authentication ppp local local enable password sMudgKin ! username chet-2500 password 7 sMudgkin username chet-3000 password 7 sMudgkin username chetin password 7 sMudgkin kerberos local-realm CISCO.COM kerberos server CISCO.COM 172.71.54.14 kerberos credentials forward

Command Name: Mode: Syntax:

kerberos srvtab entry router(config)#

kerberos srvtab entry kerberos-principal principal-type timestamp key-version number key-type key-length encryptedkeytab no kerberos srvtab entry kerberos-principal principal-type Syntax Description:
principal A service on the router.

principal-type

Version of the Kerberos SRVTAB.

timestamp

Number representing the date and time the SRVTAB entry was created.

key-version number

Version of the encryption key format.

key-type

Type of encryption used.

key-length

Length, in bytes, of the encryption key.

encryptedkeytab

Secret key the router shares with the key distribution center (KDC). It is encrypted with the private Data Encryption Standard (DES) key (if available) when you write out your configuration.

Command Description: To retrieve a SRVTAB file from a remote host and automatically generate a Kerberos SRVTAB entry configuration, use the kerberos srvtab entry command in global configuration mode. To remove a SRVTAB entry from the router's configuration, use the no form of this command. Usage Guidelines When you use the kerberos srvtab remote command to copy the SRVTAB file from a remote host (generally the KDC), it parses the information in this file and stores it in the router's running

configuration in the kerberos srvtab entry format. The key for each SRVTAB entry is encrypted with a private DES key if one is defined on the router. To ensure that the SRVTAB is available (that is, that it does not need to be acquired from the KDC) when you reboot the router, use the write memory router configuration command to write the router's running configuration to NVRAM. If you reload a configuration, with a SRVTAB encrypted with a private DES key, on to a router that does not have a private DES key defined, the router displays a message informing you that the SRVTAB entry has been corrupted, and discards the entryp. Password = "goaway" User-Service-Type = Shell-User cisco-avpair = "raccess:port#1=site1/tty2" An empty "raccess:port#1=nasname1/tty2" clause permits a user to have unconditional access to network access server ports for reverse Telnet. If no "raccess:port#1=nasname1/tty2" clause exists, the user is denied access to any port for reverse Telnet. For more information about configuring RADIUS, refer to the chapter "Configuring RADIUS" in the Cisco IOS Security Configuration Guide. Example: router(config)Tkerberos srvtab entry host/chet2500.cisco.com@CISCO.COM 0 832015393 1 1 8 7 sMudgkin Misconceptions: none Related commands: none Sample Configurations: ! clock timezone PST -8 clock summer-time PDT recurring aaa new-model aaa authentication login default krb5-telnet krb5 aaa authentication login console none aaa authentication ppp local local enable password sMudgKin ! username chet-2500 password 7 sMudgkin username chet-3000 password 7 sMudgkin username chetin password 7 sMudgkin

kerberos local-realm CISCO.COM kerberos srvtab entry host/chet-2500.cisco.com@CISCO.COM 0 832015393 1 1 8 7 sMudgkin kerberos server CISCO.COM 172.71.54.14 kerberos credentials forward

Command Name: Mode: Syntax:

ppp authorization router(config-if)

ppp authorization [default | list-name] no ppp authorization

Syntax Description:
default (Optional) The name of the method list is created with the aaa authorization command.

listname

(Optional) Specifies the name of a list of authorization methods to use. If no list name is specified, the system uses the default. The list is created with the aaa authorization command.

Command Description: To enable authentication, authorization, and accounting (AAA) authorization on the selected interface, use the ppp authorization command in interface configuration mode. To disable authorization, use the no form of this command. Usage Guidelines After you enable the aaa authorization command and define a named authorization method list (or use the default method list), you must apply the defined lists to the appropriate interfaces for authorization to take place. Use the ppp authorization command to apply the specified method lists (or if none is specified, the default method list) to the selected interface. Example: The following example enables authorization on asynchronous interface 4 and uses the method list named charlie: router(config)#interface async 4 router(config-if)encapsulation ppp router(config-if)#ppp authorization charlie Misconceptions: none Related commands:

aaa authorization

Sample Configurations: Named Method List Configuration Example aaa new-model aaa authentication login admins local aaa authentication ppp dialins group radius local aaa authorization network scoobee group radius local aaa accounting network charley start-stop group radius username root password ALongPassword radius-server host Alcatraz radius-server key myRaDiUSpassWoRd interface group-async 1 group-range 1 16 encapsulation ppp ppp authentication chap dialins ppp authorization scoobee ppp accounting charley

Command Name: Mode: Syntax:

aaa attribute router(config-aaa-user)#

aaa attribute {clid | dnis} attribute-value no aaa attribute {clid | dnis} attribute-value Syntax Description:
clid Adds CLID attribute values to the user profile.

dnis

Adds DNIS attribute values to the user profile.

attribute-value

Specifies a name for CLID or DNIS attribute values.

Command Description: To add calling line identification (CLID) and dialed number identification service (DNIS) attribute values to a user profile, use the aaa attribute command in AAA-user configuration mode. To remove this command from your configuration, use the no form of this command. Usage Guidlines Use the aaa attribute command to add CLID or DNIS attribute values to a named user profile, which is created by using the aaa user profile command. The CLID or DNIS attribute values can be associated with the record that is going out with the user profile (via the test aaa group command), thereby providing the RADIUS server with access to CLID or DNIS information when the server receives a RADIUS record. Example: The following example shows how to add CLID and DNIS attribute values to the user profile "cat": router(config)#aaa user profile cat router(config-aaa-user)#aaa attribute clid clidval router(config-aaa-user)#aaa attribute dnis dnisval Misconceptions:

none Related commands: aaa user profile test aaa group Sample Configurations:

Command Name: Mode: Syntax:

aaa group server radius router(config)#

aaa group server radius group-name no aaa group server radius group-name Syntax Description:
group-name Character string used to name the group of servers.

Command Description: To group different RADIUS server hosts into distinct lists and distinct methods, enter the aaa group server radius command in global configuration mode. To remove a group server from the configuration list, enter the no form of this command. Usage Guidelines The authentication, authorization, and accounting (AAA) server-group feature introduces a way to group existing server hosts. The feature enables you to select a subset of the configured server hosts and use them for a particular service. A group server is a list of server hosts of a particular type. Currently supported server host types are RADIUS server hosts and TACACS+ server hosts. A group server is used in conjunction with a global server host list. The group server lists the IP addresses of the selected server hosts. Example: router(config)#aaa group server radius radgroup1 Misconceptions: none Related commands: aaa accounting aaa authentication login aaa authorization aaa new-model radius-server host Sample Configurations:

The following example shows the configuration of an AAA group server named radgroup1 that comprises three member servers: aaa group server radius radgroup1 server 1.1.1.1 auth-port 1700 acct-port 1701 server 2.2.2.2 auth-port 1702 acct-port 1703 server 3.3.3.3 auth-port 1705 acct-port 1706

Command Name: Mode: Syntax:

aaa nas port extended router(config)#

aaa nas port extended no aaa nas port extended Syntax Description: This command has no arguments or keywords. Command Description: To replace the NAS-Port attribute with RADIUS IETF attribute 26 and to display extended field information, use the aaa nas port extended command in global configuration mode. To display no extended field information, use the no form of this command. Usage Guidelines On platforms with multiple interfaces (ports) per slot, the Cisco RADIUS implementation will not provide a unique NAS-Port attribute that permits distinguishing between the interfaces. For example, if a dual PRI interface is in slot 1, calls on both Serial1/0:1 and Serial1/1:1 will appear as NAS-Port = 20101 due to the 16-bit field size limitation associated with RADIUS IETF NASPort attribute. In this case, the solution is to replace the NAS-Port attribute with a vendor-specific attribute (RADIUS IETF Attribute 26). Cisco's vendor ID is 9, and the Cisco-NAS-Port attribute is subtype 2. Vendor-specific attributes (VSAs) can be turned on by entering the radius-server vsa send command. The port information in this attribute is provided and configured using the aaa nas port extended command. The standard NAS-Port attribute (RADIUS IETF attribute 5) will continue to be sent. If you do not want this information to be sent, you can suppress it by using the no radius-server attribute nas-port command. When this command is configured, the standard NAS-Port attribute will no longer be sent. Example: router(config)#aaa nas port extended Misconceptions: none Related commands:

radius-server extended-portnames radius-server vsa send Sample Configurations: aaa new-model aaa authentication login CONSOLE none aaa authentication login RADIUS_LIST group radius aaa authentication login TAC_PLUS group tacacs+ enable aaa authentication login V.120 none aaa authentication enable default enable group tacacs+ aaa authentication ppp RADIUS_LIST if-needed group radius aaa authorization exec RADIUS_LIST group radius if-authenticated aaa authorization exec V.120 none aaa authorization network default group radius if-authenticated aaa authorization network RADIUS_LIST if-authenticated group radius aaa authorization network V.120 group radius if-authenticated aaa accounting suppress null-username aaa accounting exec default start-stop group radius aaa accounting commands 0 default start-stop group radius aaa accounting network default start-stop group radius aaa accounting connection default start-stop group radius aaa accounting system default start-stop group radius aaa preauth dnis password Cisco-DNIS aaa nas port extended

Command Name: Mode: Syntax:

aaa user profile router(config)#

aaa user profile profile-name no aaa user profile profile-name Syntax Description:
profile-name Character string used to name the user profile.

Command Description: To create an authentication, authorization, and accounting (AAA) named user profile, use the aaa user profile command in global configuration mode. To remove a user profile from the configuration, use the no form of this command. Usage Guidelines Use the aaa user profile command to create a AAA user profile. Used in conjunction with the aaa attribute command, which adds calling line identification (CLID) and dialed number identification service (DNIS) attribute values, the user profile can be associated with the record that is sent to the RADIUS server (via the test aaa group command), which provides the RADIUS server with access to CLID or DNIS attribute information when the server receives a RADIUS record. Example: router(config)#aaa user profile prfl1 Misconceptions: none Related commands: aaa attribute test aaa group Sample Configurations: The following example shows how to configure a dnis = dnisvalue user profile named "prfl1":

aaa user profile prfl1 aaa attribute dnis aaa attribute dnis dnisvalue no aaa attribute clid

Command Name: Mode: Syntax:

accounting (server-group) router(config-sg radius)#

accounting [accept | reject] listname Syntax Description:


accept (Optional) Indicates that all attributes will be rejected except for required attributes and the attributes specified in the listname.

reject

(Optional) Indicates that all attributes will be accepted except for the attributes specified in the listname.

listname

Defines the given name for the accept or reject list.

Command Description: To specify an accept or reject list for attributes that are to be sent to the RADIUS server in an accounting request, use the accounting command in server-group configuration mode. Usage Guidelines An accept or reject list (also known as a filter) for RADIUS accounting allows users to send only the accounting attributes their business requires, thereby reducing unnecessary traffic and allowing users to customize their own accounting data. Only one filter per server group may be used for RADIUS accounting. Note The listname argument must be the same as the listname argument defined in the radiusserver attribute list, which is used with the radius-server attribute 11 direction default command to add to an accept or reject list. Example: Router(config-sg radius)#accounting accept usage-only Misconceptions: none

Related commands:

aaa group server radius aaa new-model aaa authentication aaa authorization authorization (server-group) radius-server attribute 11 direction default radius-server attribute list Sample Configurations: The following example shows how to specify the accept list "usage-only" for RADIUS accounting: aaa new-model aaa authentication ppp default group radius-sg aaa authorization network default group radius-sg aaa group server radius radius-sg server 1.1.1.1 accounting accept usage-only ! radius-server host 1.1.1.1 key mykey1 radius-server attribute list usage-only attribute 1,40,42-43,46

Command Name: Mode:

attribute (server-group) router(config-sg radius)#

Syntax: attribute value1 [value2 [value3]...] no attribute value1 [value2 [value3]...] Syntax Description:
value1 [value2 [value3]...] Specifies which attributes to include in an accept or reject list. The value can be a single integer, such as 7, or a range of numbers, such as 56 to 59. At least one attribute

Command Description: To add attributes to an accept or reject list, use the attribute command in server-group configuration mode. To remove attributes from the list, use the no form of this command. Usage Guidelines Used in conjunction with the radius-server attribute list command (which defines the list name), the attribute command can be used to add attributes to an accept or reject list (also known as a filter). Filters are used to prevent the NAS from receiving and processing unwanted attributes for authorization or accounting. The attribute command can be used multiple times to add attributes to a filter. However, if a required attribute is specified in a reject list, the NAS will override the command and accept the attribute. Required attributes are as follows:

For authorization: 6 (Service-Type) 7 (Framed-Protocol) For accounting:


o o o o o o

4 (NAS-IP-Address) 40 (Acct-Status-Type) 41 (Acct-Delay-Time) 44 (Acct-Session-ID)

Example: router(config-sg radius)#attribute


12,217,6-10,13

router(config-sg radius)#attribute

64-69,218

Misconceptions: none

Related commands: accounting (server-group) authorication (server-group) radius-server attribute list Sample Configurations: The following example shows how to add attributes 12, 217, 6 to 10, 13, 64 to 69, and 218 to the list name "standard": radius-server attribute list standard attribute 12,217,6-10,13 attribute 64-69,218

Command Name: Mode:

authorization (server-group) router(config-sg radius)#

Syntax: authorization [accept | reject] listname Syntax Description:


accept (Optional) Indicates that all attributes will be rejected except for required attributes and the attributes specified in the listname.

reject

(Optional) Indicates that all attributes will be accepted except for the attributes specified in the listname.

listname

Defines the given name for the accept or reject list.

Command Description: To specify an accept or reject list for attributes that are returned in an Access-Accept packet from the RADIUS server, use the authorization command in server-group configuration mode. Usage Guidelines An accept or reject list (also known as a filter) for RADIUS authorization allows users to configure the network access server (NAS) to restrict the use of specific attributes, thereby preventing the NAS from processing unwanted attributes. Only one filter per server group may be used for RADIUS authorization. Note The listname argument must be the same as the listname argument defined in the radiusserver attribute list, which is used with the radius-server attribute 11 direction default command to add to an accept or reject list. Example: router(config-sg radius)# Misconceptions: none Related commands:
authorization accept min-author

aaa group server radius aaa new-model aaa authentication ppp aaa authorization accounting (server-group) radius-server attribute 11 direction default radius-server attribute list Sample Configurations: aaa new-model aaa authentication ppp default group radius-sg aaa authorization network default group radius-sg aaa group server radius radius-sg server 1.1.1.1 authorization accept min-author ! radius-server host 1.1.1.1 key mykey1 radius-server attribute list min-author attribute 6-7

Command Name: Mode: Syntax:

call guard-timer router(config-controller)#

call guard-timer milliseconds [on-expiry {accept | reject}] no call guard-timer milliseconds [on-expiry {accept | reject}] Syntax Description:
milliseconds Specifies the number of milliseconds to wait for a response from the RADIUS server.

on-expiry accept

(Optional) Accepts the call if a response is not received from the RADIUS server within the specified time.

on-expiry reject

(Optional) Rejects the call if a response is not received from the RADIUS server within the specified time.

Command Description: To set a guard timer to accept or reject a call in the event that the RADIUS server fails to respond to a preauthentication request, use the call guard-timer controller configuration command. To remove the call guard-timer command from your configuration file, use the no form of this command. Example: router(config-controller)# call guard-timer 20000 on-expiry accept Misconceptions: none Related commands: aaa preauth Sample Configurations:

The following example shows a guard timer that is set at 20000 milliseconds. A call will be accepted if the RADIUS server has not responded to a preauthentication request when the timer expires. controller T1 0 framing esf clock source line primary linecode b8zs ds0-group 0 timeslots 1-24 type e&m-fgb dtmf dnis cas-custom 0 call guard-timer 20000 on-expiry accept aaa preauth group radius dnis required

Command Name: Mode: Syntax:

clid router(config-preauth)#

clid [if-avail | required] [accept-stop] [password password] no clid [if-avail | required] [accept-stop] [password password] Syntax Description:
if-avail (Optional) Implies that if the switch provides the data, RADIUS must be reachable and must accept the string in order for preauthentication to pass. If the switch does not provide the data, preauthentication passes.

required

(Optional) Implies that the switch must provide the associated data, that RADIUS must be reachable, and that RADIUS must accept the string in order for preauthentication to pass. If these three conditions are not met, preauthentication fails.

accept-stop

(Optional) Prevents subsequent preauthentication elements such as ctype or dnis from being tried once preauthentication has succeeded for a call element.

password password

(Optional) Defines the password for the preauthentication element.

Command Description: To preauthenticate calls on the basis of the Calling Line Identification (CLID) number, use the clid authentication, authorization, and accounting (AAA) preauthentication configuration command. To remove the clid command from your configuration, use the no form of this command.\ Usage Guidelines You may configure more than one of the AAA preauthentication commands (clid, ctype, dnis) to set conditions for preauthentication. The sequence of the command configuration decides the sequence of the preauthentication conditions. For example, if you configure dnis, then clid, then ctype, in this order, then this is the order of the conditions considered in the preauthentication process. In addition to using the preauthentication commands to configure preauthentication on the Cisco router, you must set up the preauthentication profiles on the RADIUS server. Example:

The following example specifies that incoming calls be preauthenticated on the basis of the CLID number: router(config-preauth)#aaa preauth router(config-preauth)#group radius router(config-preauth)#clid required Misconceptions: none Related commands: ctype dnis (AAA preauthentication configuration) dnis bypass (AAA preauthentication configuration) group (AAA preauthentication configuration) Sample Configurations:

Command Name: Mode: Syntax:

ctype router(config-preauth)#

ctype [if-avail | required] [accept-stop] [password password] [digital | speech | v.110 | v.120] no ctype [if-avail | required] [accept-stop] [password password] [digital | speech | v.110 | v.120] Syntax Description:
if-avail (Optional) Implies that if the switch provides the data, RADIUS must be reachable and must accept the string in order for preauthentication to pass. If the switch does not provide the data, preauthentication passes.

required

(Optional) Implies that the switch must provide the associated data, that RADIUS must be reachable, and that RADIUS must accept the string in order for preauthentication to pass. If these three conditions are not met, preauthentication fails.

accept-stop

(Optional) Prevents subsequent preauthentication elements such as clid or dnis from being tried once preauthentication has succeeded for a call element.

password password

(Optional) Defines the password for the preauthentication element.

digital

(Optional) Specifies "digital" as the call type for preauthentication.

speech

(Optional) Specifies "speech" as the call type for preauthentication.

v.110

(Optional) Specifies "v.110" as the call type for preauthentication.

v.120

(Optional) Specifies "v.120" as the call type for preauthentication.

Command Description: To preauthenticate calls on the basis of the call type, use the ctype authentication, authorization, and accounting (AAA) preauthentication configuration command. To remove the ctype command from your configuration, use the no form of this command.

Usage Guidelines You may configure more than one of the AAA preauthentication commands (clid, ctype, dnis) to set conditions for preauthentication. The sequence of the command configuration decides the sequence of the preauthentication conditions. For example, if you configure dnis, then clid, then ctype, in this order, then this is the order of the conditions considered in the preauthentication process. In addition to using the preauthentication commands to configure preauthentication on the Cisco router, you must set up the preauthentication profiles on the RADIUS server. Set up the RADIUS preauthentication profile with the call type string as the username and with the password that is defined in the ctype command as the password. Table 13 shows the call types that you may use in the preauthentication profile. Table 13 Preauthentication Call Types Call Type String ISDN Bearer Capabilities Unrestricted digital, restricted digital. digital speech v.110 v.120 Example: The following example specifies that incoming calls be preauthenticated on the basis of the call type: router(config-preauth)#aaa preauth router(config-preauth)#group radius router(config-preauth)#ctype required Misconceptions: none Related commands: clid dnis (AAA preauthentication configuration) dnis bypass (AAA preauthentication configuration) group (AAA preauthentication configuration) Sample Configurations: Speech, 3.1 kHz audio, 7 kHz audio. Anything with V.110 user information layer. Anything with V.120 user information layer.

Command Name: Mode: Syntax: deadtime minutes no deadtime Syntax Description:


minutes

deadtime router(config-sg radius)#

Length of time, in minutes, for which a RADIUS server is skipped over by transaction requests, up to a maximum of 1440 minutes (24 hours).

Command Description: To configure deadtime within the context of RADIUS server groups, use the deadtime server group configuration command. To set deadtime to 0, use the no form of this command. Usage Guidelines Use this command to configure the deadtime value of any RADIUS server group. The value of deadtime set in the server groups will override the server that is configured globally. If deadtime is omitted from the server group configuration, the value will be inherited from the master list. If the server group is not configured, the default value (0) will apply to all servers in the group. Example: router(config-sg radius)#deadtime Misconceptions: none Related commands: radius-server deadtime Sample Configurations: aaa group server radius group1 server 1.1.1.1 auth-port 1645 acct-port 1646 server 2.2.2.2 auth-port 2000 acct-port 2001 deadtime 1
1

Command Name: Mode: Syntax:

dialer aaa router(config-line)

dialer aaa suffix string password string no dialer aaa password suffix string password string Syntax Description:
suffix string Defines a suffix for authentication.

password string

Defines a nondefault password for authentication.

Command Description: To allow a dialer to access the authentication, authorization, and accounting (AAA) server for dialing information, use the dialer aaa command in interface configuration mode. To disable this function, use the no form of this command. Usage Guidelines This command is required for large scale dial-out and Layer 2 Tunneling Protocol (L2TP) dialout functionality. With this command, you can specify suffix, password, or both. If you do not specify a password, the default password will be "cisco." Example: This example shows a user sending out packets from interface Dialer1 with a destination IP address of 1.1.1.1. The username in the access-request message is "1.1.1.1@ciscoDoD" and the password is "cisco." interface dialer1 dialer aaa dialer aaa suffix @ciscoDoD password cisco Misconceptions: none Related commands: accept dialout dialer congestion-threshold

dial vpdn Sample Configurations:

Command Name: Mode: Syntax:

dnis (aaa preauthentication) router(config-preauth)#

dnis [if-avail | required] [accept-stop] [password string] no dnis [if-avail | required] [accept-stop] [password string] Syntax Description:
if-avail (Optional) Implies that if the switch provides the data, RADIUS must be reachable and must accept the string in order for preauthentication to pass. If the switch does not provide the data, preauthentication passes.

required

(Optional) Implies that the switch must provide the associated data, that RADIUS must be reachable, and that RADIUS must accept the string in order for preauthentication to pass. If these three conditions are not met, preauthentication fails.

accept-stop

(Optional) Prevents subsequent preauthentication elements from being tried once preauthentication has succeeded for a call element.

password string

(Optional) Password to use in the Access-Request packet. The default is cisco.

Command Description: To preauthenticate calls on the basis of the Dialed Number Identification Service (DNIS) number, use the dnis authentication, authorization, and accounting (AAA) preauthentication configuration command. To remove the dnis command from your configuration, use the no form of this command. You may configure more than one of the AAA preauthentication commands (clid, ctype, dnis) to set conditions for preauthentication. The sequence of the command configuration decides the sequence of the preauthentication conditions. For example, if you configure dnis, then clid, then ctype, then this is the order of the conditions considered in the preauthentication process. In addition to using the preauthentication commands to configure preauthentication on the Cisco router, you must set up the preauthentication profiles on the RADIUS server.

Example: The following example enables DNIS preauthentication using a RADIUS server and the password Ascend-DNIS: router(config)#aaa preauth router(config-preauth)#group radius router(config-preauth)#dnis password Ascend-DNIS Misconceptions: none Related commands: clid ctype dnis bypass (AAA preauthentication configuration) group (AAA preauthentication configuration) Sample Configurations:

Command Name: Mode: Syntax Description:

dnis bypass (aaa preauthentication) router(config-preauth)#

dnis bypass {dnis-group-name} no dnis bypass {dnis-group-name} Syntax Description


dnis-group-name Name of the defined DNIS group.

Command Description: To specify a group of DNIS (Dialed Number Identification Service) numbers that will be bypassed for preauthentication, use the dnis bypass AAA preauthentication configuration command. To remove the dnis bypass command from your configuration, use the no form of this command. Usage Guidelines Before using this command, you must first create a DNIS group with the dialer dnis group command. Example: router(config-preauth)#dnis bypass hawaii Misconceptions: none Related Commands: dialer dnis group dnis (AAA preauthentication configuration) Sample Configuration: The following example specifies that preauthentication be performed on all DNIS numbers except for two DNIS numbers (12345 and 12346), which have been defined in the DNIS group called hawaii: aaa preauth group radius

dnis required dnis bypass hawaii dialer dnis group hawaii number 12345 number 12346

Command Name: Mode: Syntax:


group server-group no group server-group

group (AAA preauthentication configuration) router(config-preauth)#

Syntax Description:
server-group Specifies a AAA RADIUS server group.

Command Description:

To specify the authentication, authorization, and accounting (AAA) RADIUS server group to use for preauthentication, use the group AAA preauthentication configuration command. To remove the group command from your configuration, use the no form of this command. Usage Guidelines You must configure a RADIUS server group with the aaa group server radius command in global configuration mode before using the group command in AAA preauthentication configuration mode. You must configure the group command before you configure any other AAA preauthentication command (clid, ctype, dnis, or dnis bypass). Example: router(config-preauth)#group maestro Misconceptions: none Related commands: aaa group server radius clid ctype dnis (aaa preauthentication configuration) dnis bypass (aaa preauthentication configuration)

Sample Configurations: aaa group server radius maestro server 1.1.1.1 server 2.2.2.2 server 3.3.3.3 ! aaa preauth group maestro dnis required

Command Name: Mode: Syntax:

ip radius source-interface router(config)#

ip radius source-interface subinterface-name no ip radius source-interface

Syntax Description:
subinterface-name Name of the interface that RADIUS uses for all of its outgoing packets.

Command Description: To force RADIUS to use the IP address of a specified interface for all outgoing RADIUS packets, use the ip radius source-interface command in global configuration mode. To prevent RADIUS from using the IP address of a specified interface for all outgoing RADIUS packets, use the no form of this command. Usage Guidelines Use this command to set a subinterface's IP address to be used as the source address for all outgoing RADIUS packets. This address is used as long as the interface is in the up state. In this way, the RADIUS server can use one IP address entry for every network access client instead of maintaining a list of IP addresses. This command is especially useful in cases where the router has many interfaces and you want to ensure that all RADIUS packets from a particular router have the same IP address. The specified interface must have an IP address associated with it. If the specified subinterface does not have an IP address or is in the down state, then RADIUS reverts to the default. To avoid this, add an IP address to the subinterface or bring the interface to the up state. Example: The following example makes RADIUS use the IP address of subinterface s2 for all outgoing RADIUS packets:
ip radius source-interface s2

Misconceptions: none

Related commands: ip tacacs source-interface ip telnet source-interface ip tftp source-interface Sample Configurations:

Command Name: Mode: Syntax:

radius-server attribute 188 format non-standard router(config)#

radius-server attribute 188 format non-standard no radius-server attribute 188 format non-standard Syntax Description: This command has no arguments or keywords. Command Description: To send the number of remaining links in the multilink bundle in the accounting-request packet, use the radius-server attribute 188 format non-standard global configuration command. To disable the sending of the number of links in the multilink bundle in the accounting-request packet, use the no form of this command. Use this command to send attribute 188 in accounting "start" and "stop" records. Example: The following example shows a configuration that sends RADIUS attribute 188 in accountingrequest packets: router(config)#radius-server attribute 188 format non-standard Misconceptions: RADIUS attribute 188 is not sent in accounting "start" and "stop" records. Related commands: none Sample Configurations:

Command Name: Mode: Syntax:

radius-server attribute 32 include-in-access-req router(config)#

radius-server attribute 32 include-in-access-req [format] no radius-server attribute 32 include-in-access-req Syntax Description:


format (Optional) A string sent in attribute 32 containing an IP address (%i), a hostname (%h), or a domain name (%d).

Command Description: To send RADIUS attribute 32 (NAS-Identifier) in an access-request or accounting-request, use the radius-server attribute 32 include-in-access-req global configuration command. To disable sending RADIUS attribute 32, use the no form of this command. Usage Guidelines Using the radius-server attribute 32 include-in-access-req makes it possible to identify the network access server (NAS) manufacturer to the RADIUS server by sending RADIUS attribute 32 (NAS-Identifier) in an access-request or accounting-request. If you configure the format argument, the string sent in attribute 32 will include an IP address, a hostname, or a domain name; otherwise, the Fully Qualified Domain Name (FQDN) is sent by default. Example: The following example shows a configuration that sends RADIUS attribute 32 in the accessrequest with the format configured to identify a Cisco NAS: router(config)#radius-server attribute 32 include-in-access-req format cisco %h.%d %i ! The following string will be sent in attribute 32 (NASIdentifier). "cisco router.nlab.cisco.com 10.0.1.67" Misconceptions: none Related commands:

none Sample Configurations:

Command Name: Mode: Syntax:

radius-server attribute 44 extend-with-addr router(config)#

radius-server attribute 44 extend-with-addr no radius-server attribute 44 extend-with-addr Syntax Description: This command has no arguments or keywords. Command Description: To add the accounting IP address before the existing session ID, use the radius-server attribute 44 extend-with-addr command in global configuration mode. To remove this command from your configuration, use the no form of this command. Usage Guidelines The radius-server attribute 44 extend-with-addr command adds Acct-Session-Id (attribute 44) before the existing session ID (NAS-IP-Address). When multiple network access servers (NAS) are being processed by one offload server, enable this command on all NASs and the offload server to ensure a common and unique session ID. Note This command should be enabled only when offload servers are used. Example: router(config)# radius-server attribute 44 extend-with-addr Misconceptions: none Related commands: radius-server attribute 44 include-in-access-req radius-server attribute 44 sync-with-client Sample Configurations:
The following example shows how to configure unique session IDs among NASs:

aaa new-model aaa authentication ppp default group radius

radius-server host 10.100.1.34 radius-server attribute 44 extend-with-addr

Command Name: Mode: Syntax:

radius-server attribute 44 include-in-access-req router(config)#

radius-server attribute 44 include-in-access-req no radius-server attribute 44 include-in-access-req Syntax Description: This command has no arguments or keywords. Command Description: To send RADIUS attribute 44 (Accounting Session ID) in access request packets before user authentication (including requests for preauthentication), use the radius-server attribute 44 include-in-access-req global configuration command. To remove this command from your configuration, use the no form of this command. Usage Guidelines There is no guarantee that the Accounting Session IDs will increment uniformly and consistently. In other words, between two calls, the Accounting Session ID can increase by more than one. Example: router(config)#radius-server attribute 44 include-in-access-req Misconceptions: none Related commands: none Sample Configurations: The following example shows a configuration that sends RADIUS attribute 44 in access-request packets: aaa new-model aaa authentication ppp default group radius radius-server host 10.100.1.34 radius-server attribute 44 include-in-access-req

Command Name: Mode: Syntax:

radius-server attribute 44 sync-with-client router(config)#

radius-server attribute 44 sync-with-client no radius-server attribute 44 sync-with-client Syntax Description: This command has no arguments or keywords. Command Description: To configure the offload server to synchronize accounting session information with the network access server (NAS) clients, use the radius-server attribute 44 sync-with-client command in global configuration mode. To disable this functionality, use the no form of this command. Usage Guidelines Use the radius-server attribute 44 sync-with-client command to allow the offload server to synchronize accounting session information with the NAS clients. The NAS-IP-Address, the Acct-Session-Id, and the Class attribute are transmitted from the client to the offload server via Layer 2 Forwarding (L2F) options. Example: The following example shows how to configure the offload server to synchronize accounting session information with the NAS clients: router(config)#radius-server attribute 44 sync-with-client Misconceptions: none Related commands: radius-server attribute 44 extend-with-addr radius-server attribute 44 include-in-access-req Sample Configurations:

Command Name: Mode: Syntax:

radius-server attribute 55 include-in-acct-req router(config)#

radius-server attribute 55 include-in-acct-req no radius-server attribute 55 include-in-acct-req Syntax Description: This command has no arguments or keywords. Command Description: To send the RADIUS attribute 55 (Event-Timestamp) in accounting packets, use the radiusserver attribute 55 include-in-acct-req command in global configuration mode. To remove this command from your configuration, use the no form of this command. Usage Guidelines Use the radius-server attribute 55 include-in-acct-req command to send RADIUS attribute 55 (Event-Timestamp) in accounting packets. The Event-Timestamp attribute records the time that the event occurred on the NAS; the timestamp sent in attribute 55 is in seconds since January 1, 1970 00:00 UTC. Note Before the Event-Timestamp attribute can be sent in accounting packets, you must configure the clock on the router. (For information on setting the clock on your router, refer to section "Performing Basic System Management" in the chapter "System Management " of the Cisco IOS Configuration Fundamentals Configuration Guide.) To avoid configuring the clock on the router every time the router is reloaded, you can enable the clock calendar-valid command. (For information on this command, refer to the chapter "Basic System Management Commands" in the Cisco IOS Configuration Fundamentals Command Reference. Example: The following example shows how to enable your router to send the Event-Timestamp attribute in accounting packets. (To see whether the Event-Timestamp was successfully enabled, use the debug radius command.) router(config)#radius-server attribute 55 include-in-acct-req Misconceptions: none

Related commands: clock calendar-valid clock set Sample Configurations: radius-server host 192.168.254.100 auth-port 1645 acct-port 1646 timeout 10 retransmit 3 key cisco radius-server retransmit 3 radius-server attribute 44 include-in-access-req radius-server attribute 55 include-in-acct-req call rsvp-sync ! mgcp profile default ! dial-peer cor custom !! gatekeeper shutdown ! line con 0 exec-timeout 0 0 line aux 0 line vty 0 4 exec-timeout 0 0 password cisco !
end

Command Name: Mode: Syntax:

radius-server attribute 69 clear router(config)#

radius-server attribute 69 clear no radius-server attribute 69 clear Syntax Description: This command has no arguments or keywords. Command Description: To receive none encrypted tunnel passwords in attribute 69 (Tunnel-Password), use the radiusserver attribute 69 clear global configuration command. To disable this feature and receive encrypted tunnel passwords, use the no form of this command. Usage Guidelines Use the radius-server attribute 69 clear command to receive nonencrypted tunnel passwords, which are sent in RADIUS attribute 69 (Tunnel-Password). This command allows tunnel passwords to be sent in a "string" encapsulated format, rather than the standard tag/salt/string format, which enables the encrypted tunnel password. Some RADIUS servers do not encrypt Tunnel-Password; however the current NAS (network access server) implementation will decrypt a non-encrypted password that causes authorization failures. Because nonencrypted tunnel passwords can be sent in attribute 69, the NAS will no longer decrypt tunnel passwords. Note Once this command is enabled, all tunnel passwords received will be nonencrypted until the command is manually disabled. Example: The following example shows how to enable attribute 69 to receive nonencrypted tunnel passwords. (To see whether the Tunnel-Password process is successful, use the debug radius command.) router(config)#radius-server attribute 69 clear Misconceptions: RADIUS attribute 69 is not sent and encrypted tunnel passwords are sent. Related commands:

none Sample Configurations:

Command Name: Mode: Syntax:

radius-server attribute 8 include-in-access-req router(config)#

radius-server attribute 8 include-in-access-req no radius-server attribute 8 include-in-access-req Syntax Description: This command has no arguments or keywords. Command Description: To send the IP address of a user to the RADIUS server in the access request, use the radiusserver attribute 8 include-in-access-req global configuration command. To disable sending of the user IP address to the RADIUS server during authentication, use the no form of this command. Usage Guidelines Using the radius-server attribute 8 include-in-access-req command makes it possible for a network access server (NAS) to provide the RADIUS server with a hint of the user IP address in advance of user authentication. An application can be run on the RADIUS server to use this hint and build a table (map) of user names and addresses. Using the mapping information, service applications can begin preparing user login information to have available upon successful user authentication. When a network device dials in to a NAS that is configured for RADIUS authentication, the NAS begins the process of contacting the RADIUS server in preparation for user authentication. Typically, the IP address of the dial-in host is not communicated to the RADIUS server until after successful user authentication. Communicating the device IP address to the server in the RADIUS access request allows other applications to begin to take advantage of that information. As the NAS is setting up communication with the RADIUS server, the NAS assigns an IP address to the dial-in host from a pool of IP addresses configured at the specific interface. The NAS sends the IP address of the dial-in host to the RADIUS server as attribute 8. At that time, the NAS sends other user information, such as the username, to the RADIUS server. After the RADIUS server receives the user information from the NAS, it has two options:

If the user profile on the RADIUS server already includes attribute 8, the RADIUS server can override the IP address sent by the NAS with the IP address defined as attribute 8 in the user profile. The address defined in the user profile is returned to the NAS.

If the user profile does not include attribute 8, the RADIUS server can accept attribute 8 from the NAS, and the same address is returned to the NAS.

The address returned by the RADIUS server is saved in memory on the NAS for the life of the session. If the NAS is configured for RADIUS accounting, the accounting start packet sent to the RADIUS server includes the same IP address as in attribute 8. All subsequent accounting packets, updates (if configured), and "stop" packets will also include the same IP address as in attribute 8. Note Configuring the NAS to send the host IP address in the RADIUS access request assumes that the login host is configured to request an IP address from the NAS server. It also assumes that the login host is configured to accept an IP address from the NAS. In addition, the NAS must be configured with a pool of network addresses at the interface supporting the login hosts.

Example: router(config)# radius-server attribute 8 include-in-access-req Misconceptions: none Related commands: none Sample Configurations: aaa new-model aaa authentication login default group radius aaa authentication ppp default group radius aaa authorization network default group radius aaa accounting network default start-stop group radius ! ip address-pool local ! interface Async1 peer default ip address pool async1-pool ! ip local pool async1-pool 209.165.200.225 209.165.200.229 ! radius-server host 172.31.71.146 auth-port 1645 acct-port 1646 radius-server retransmit 3 radius-server attribute 8 include-in-access-req radius-server key radhost

Command Name: Mode: Syntax:

radius-server attribute list router(config)#

radius-server attribute list listname Syntax Description:


listname Specifies a name for an accept or reject list.

Command Description: To define an accept or reject list name, use the radius-server attribute list command in global configuration mode. Usage Guidelines A user may configure an accept or reject list with a selection of attributes on the network access server (NAS) for authorization or accounting so that unwanted attributes are not accepted and processed. The radius-server attribute list command allows users to specify a name for an accept or reject list. This command is used in conjunction with the radius-server attribute 11 direction default command, which adds attributes to an accept or reject list. Note The listname argument must be the same as the listname argument defined in the accounting or authorization configuration command. Example: router(config)#radius-server attribute list bad-author Misconceptions: none Related commands: aaa group server radius accounting (server-group) radius-server attribute 11 direction default authorization (server-group) radius-server host

Sample Configurations: The following example shows how to configure the reject list "bad-author" for RADIUS authorization and accept list "usage-only" for RADIUS accounting: aaa new-model aaa authentication ppp default group radius-sg aaa authorization network default group radius-sg aaa group server radius radius-sg server 1.1.1.1 authorization reject bad-author accounting accept usage-only ! radius-server host 1.1.1.1 key mykey1 radius-server attribute list usage-only attribute 1,40,42-43,46 ! radius-server attribute list bad-author attribute 22,27-28,56-59

Command Name: Mode: Syntax: Syntax Description:

radius-server attribute nas-port extended router(config)#

Command Description: The radius-server attribute nas-port extended command is replaced by the radius-server attribute nas-port format command. See the description of the radius-server attribute nasport format command in this chapter for more information.

Example:

Misconceptions:

Related commands:

Sample Configurations:

Command Name: Mode: Syntax:

radius-server attribute nas-port format router(config)#

radius-server attribute nas-port format format no radius-server attribute nas-port format format Syntax Description:
format NAS-Port format. Possible values for the format argument are as follows: aStandard NAS-Port format bExtended NAS-Port format cShelf-slot NAS-Port format dPPP extended NAS-Port format

Command Description: To select the NAS-Port format used for RADIUS accounting features, and to restore the default NAS-Port format, use the radius-server attribute nas-port format global configuration command. If the no form of this command is used, attribute 5 (NAS-Port) will no longer be sent to the RADIUS server. Usage Guidelines The radius-server attribute nas-port format command configures RADIUS to change the size and format of the NAS-Port attribute field (RADIUS IETF attribute 5). The following NAS-Port formats are supported:

Standard NAS-Port formatThis 16-bit NAS-Port format indicates the type, port, and channel of the controlling interface. This is the default format used by Cisco IOS software. Extended NAS-Port formatThe standard NAS-Port attribute field is expanded to 32 bits. The upper 16 bits of the NAS-Port attribute display the type and number of the controlling interface; the lower 16 bits indicate the interface that is undergoing authentication. Shelf-slot NAS-Port formatThis 16-bit NAS-Port format supports expanded hardware models requiring shelf and slot entries.

PPP extended NAS-Port formatThis NAS-Port format uses 32 bits to indicate the interface, VPI, and VCI for PPP over ATM and PPPoE over ATM, and the interface and VLAN ID for PPPoE over IEEE 802.1Q VLANs.

Example: In the following example, a RADIUS server is identified, and the NAS-Port field is set to the PPP extended format: router(config)#radius-server host 172.31.5.96 auth-port 1645 acct-port 1646 router(config)#radius-server attribute nas-port format d Misconceptions: none Related commands: vpdn aaa attribute nas-port vpdn-nas Sample Configurations: ip radius source-interface Ethernet0/0/0 #! #radius-server configure-nas #radius-server host 192.168.2.50 auth-port 1812 acct-port 1813 #radius-server retransmit 3 #radius-server timeout 60 #radius-server deadtime 2 #radius-server attribute 25 nas-port format d #radius-server attribute nas-port format d #radius-server key cisco #radius-server vsa send accounting #radius-server vsa send authentication

Command Name: Mode: Syntax:

radius-server challenge-noecho router(config)#

radius-server challenge-noecho no radius-server challenge-noecho Syntax Description: This command has no arguments or keywords. Command Description: To prevent user responses to Access-Challenge packets from being displayed on the screen, use the radius-server challenge-noecho global configuration command. To return to the default condition, use the no form of this command. Usage Guidelines This command applies to all users. When the radius-server challenge-noecho command is configured, user responses to Access-Challenge packets are not displayed unless the Prompt attribute in the user profile is set to echo on the RADIUS server. The Prompt attribute in a user profile overrides the radius-server challenge-noecho command for the individual user Example: The following example stops all user responses from displaying on the screen: router(config)#radius-server challenge-noecho Misconceptions: none Related commands: none Sample Configurations:

Command Name: Mode: Syntax:

radius-server configure-nas router(config)#

radius-server configure-nas no radius-server configure-nas Syntax Description: This command has no arguments or keywords. Command Description: To have the Cisco router or access server query the vendor-proprietary RADIUS server for the static routes and IP pool definitions used throughout its domain when the device starts up, use the radius-server configure-nas command in global configuration mode. To discontinue the query of the RADIUS server, use the no form of this command. Usage Guidelines Use the radius-server configure-nas command to have the Cisco router query the vendorproprietary RADIUS server for static routes and IP pool definitions when the router first starts up. Some vendor-proprietary implementations of RADIUS let the user define static routes and IP pool definitions on the RADIUS server instead of on each individual network access server in the network. As each network access server starts up, it queries the RADIUS server for static route and IP pool information. This command enables the Cisco router to obtain static routes and IP pool definition information from the RADIUS server. Note Because the radius-server configure-nas command is performed when the Cisco router starts up, it will not take effect until you issue a copy system:running-config nvram:startupconfig command. Example: The following example shows how to tell the Cisco router or access server to query the vendorproprietary RADIUS server for already-defined static routes and IP pool definitions when the device first starts up: router(config)#radius-server configure-nas Misconceptions: none

Related commands: radius-server host non-standard Sample Configurations: #ip radius source-interface Ethernet0/0/0 #! #radius-server configure-nas #radius-server host 192.168.2.50 auth-port 1812 acct-port 1813 #radius-server retransmit 3 #radius-server timeout 60 #radius-server deadtime 2 #radius-server attribute 25 nas-port format d #radius-server attribute nas-port format d #radius-server key cisco #radius-server vsa send accounting #radius-server vsa send authentication

Command Name: Mode: Syntax:

radius-server deadtime router(config)#

radius-server deadtime minutes no radius-server deadtime Syntax Description:


minutes Length of time, in minutes, for which a RADIUS server is skipped over by transaction requests, up to a maximum of 1440 minutes (24 hours).

Command Description: To improve RADIUS response times when some servers might be unavailable, use the radiusserver deadtime command in global configuration mode to cause the unavailable servers to be skipped immediately. To set dead-time to 0, use the no form of this command. Usage Guidelines Use this command to cause the Cisco IOS software to mark as "dead" any RADIUS servers that fail to respond to authentication requests, thus avoiding the wait for the request to time out before trying the next configured server. A RADIUS server marked as "dead" is skipped by additional requests for the duration of minutes or unless there are no servers not marked "dead." Example: The following example specifies five minutes deadtime for RADIUS servers that fail to respond to authentication requests: router(config)#radius-server deadtime 5 Misconceptions: none Related commands: deadtime (server-group configuration) radius-server host radius-server retransmit radius-server timeout

Sample Configurations: ip radius source-interface Ethernet0/0/0 #! #radius-server configure-nas #radius-server host 192.168.2.50 auth-port 1812 acct-port 1813 #radius-server retransmit 3 #radius-server timeout 60 #radius-server deadtime 2 #radius-server attribute 25 nas-port format d #radius-server attribute nas-port format d #radius-server key cisco #radius-server vsa send accounting #radius-server vsa send authentication

Command Name: Mode: Syntax:

radius-server directed-request router(config)#

radius-server directed-request [restricted] no radius-server directed-request [restricted]

Syntax Description:
restricted (Optional) Prevents the user from being sent to a secondary server if the specified server is not available.

Command Description: To allow users logging into a Cisco netword access server (NAS) to select a RADIUS server for authentication, use the radius-server directed-request global configuration command. To disable the directed-request feature, use the no form of this command. Usage Guidelines The radius-server directed-request command sends only the portion of the username before the "@" symbol to the host specified after the "@" symbol. In other words, with this command enabled, you can direct a request to any of the configured servers, and only the username is sent to the specified server. Disabling the radius-server directed-request command causes the whole string, both before and after the "@" symbol, to be sent to the default RADIUS server. The router queries the list of servers, starting with the first one in the list. It sends the whole string, and accepts the first response that it gets from the server. Use the radius-server directed-request restricted command to limit the user to the RADIUS server identified as part of the username. The no radius-server directed-request command causes the entire username string to be passed to the default RADIUS server. Example: router(config)#radius-server directed-request Misconceptions:

none Related commands: none Sample Configurations: The following example verifies that the RADIUS server is selected based on the directed request: aaa new-model aaa authentication login default radius radius-server host 192.168.1.1 radius-server host 172.16.56.103 radius-server host 172.31.40.1 radius-server directed-request

Command Name: Mode: Syntax:

radius-server extended-portnames router(config)#

Syntax Description:

Command Description: The radius-server extended-portnames command is replaced by the radius-server attribute nas-port format command. See the description of the radius-server attribute nas-port format command. Example:

Misconceptions:

Related commands:

Sample Configurations:

Command Name: Mode: Syntax:

radius-server host non-standard router(config)#

radius-server host {hostname | ip-address} non-standard no radius-server host {hostname | ip-address} non-standard Syntax Description:
hostname DNS name of the RADIUS server host.

ip-address

IP address of the RADIUS server host.

Command Description: To identify that the security server is using a vendor-proprietary implementation of RADIUS, use the radius-server host non-standard command in global configuration mode. This command tells the Cisco IOS software to support nonstandard RADIUS attributes. To delete the specified vendor-proprietary RADIUS host, use the no form of this command. Usage Guidelines The radius-server host non-standard command enables you to identify that the RADIUS server is using a vendor-proprietary implementation of RADIUS. Although an IETF draft standard for RADIUS specifies a method for communicating information between the network access server and the RADIUS server, some vendors have extended the RADIUS attribute set in a unique way. This command enables the Cisco IOS software to support the most common vendor-proprietary RADIUS attributes. Vendor-proprietary attributes will not be supported unless you use the radius-server host non-standard command. Example: The following example specifies a vendor-proprietary RADIUS server host named alcatraz: router(config)#radius-server host alcatraz non-standard Misconceptions: none Related commands: radius-server configure-nas

radius-server host Sample Configurations:

Command Name: Mode: Syntax:

radius-server host router(config)#

radius-server host {hostname | ip-address} [auth-port portnumber] [acct-port port-number] [timeout seconds] [retransmit retries] [key string] [alias{hostname | ip-address}] no radius-server host {hostname | ip-address}

Syntax Description:
hostname Domain Name System (DNS) name of the RADIUS server host.

ip-address

IP address of the RADIUS server host.

auth-port

(Optional) Specifies the UDP destination port for authentication requests.

portnumber

(Optional) Port number for authentication requests; the host is not used for authentication if set to 0. If unspecified, the port number defaults to 1645.

acct-port

(Optional) Specifies the UDP destination port for accounting requests.

portnumber

(Optional) Port number for accounting requests; the host is not used for accounting if set to 0. If unspecified, the port number defaults to 1646.

timeout

(Optional) The time interval (in seconds) that the router waits for the RADIUS server to reply before retransmitting. This setting overrides the global value of the radius-server timeout command. If no timeout value is specified, the global value is used. Enter a value in the range 1 to 1000.

seconds

(Optional) Specifies the timeout value. Enter a value in the range 1 to 1000. If no timeout value is specified, the global value is used.

retransmit

(Optional) The number of times a RADIUS request is re-sent to a server, if that server is not responding or responding slowly. This setting overrides the global setting of the

radius-server retransmit command.

retries

(Optional) Specifies the retransmit value. Enter a value in the range 1 to 100. If no retransmit value is specified, the global value is used.

key

(Optional) Specifies the authentication and encryption key used between the router and the RADIUS daemon running on this RADIUS server. This key overrides the global setting of the radius-server key command. If no key string is specified, the global value is used. The key is a text string that must match the encryption key used on the RADIUS server. Always configure the key as the last item in the radius-server host command syntax. This is because the leading spaces are ignored, but spaces within and at the end of the key are used. If you use spaces in the key, do not enclose the key in quotation marks unless the quotation marks themselves are part of the key.

string

(Optional) Specifies the authentication and encryption key for all RADIUS communications between the router and the RADIUS server. This key must match the encryption used on the RADIUS daemon. All leading spaces are ignored, but spaces within and at the end of the key are used. If you use spaces in your key, do not enclose the key in quotation marks unless the quotation marks themselves are part of the key.

alias

(Optional) Allows up to eight aliases per line for any given RADIUS server.

Command Description: To specify a RADIUS server host, use the radius-server host command in global configuration mode. To delete the specified RADIUS host, use the no form of this command. Usage Guidelines You can use multiple radius-server host commands to specify multiple hosts. The software searches for hosts in the order in which you specify them. If no host-specific timeout, retransmit, or key values are specified, the global values apply to each host. Example: The following example specifies host1 as the RADIUS server and uses default ports for both accounting and authentication: router(config)#radius-server host host1

The following example specifies port 1612 as the destination port for authentication requests and port 1616 as the destination port for accounting requests on the RADIUS host named host1: router(config)#radius-server host host1 auth-port 1612 acct-port 1616 Because entering a line resets all the port numbers, you must specify a host and configure accounting and authentication ports on a single line. The following example specifies the host with IP address 172.29.39.46 as the RADIUS server, uses ports 1612 and 1616 as the authorization and accounting ports, sets the timeout value to 6, sets the retransmit value to 5, and sets "rad123" as the encryption key, matching the key on the RADIUS server: router(config)#radius-server host 172.29.39.46 auth-port 1612 acct-port 1616 timeout 6 retransmit 5 key rad123 To use separate servers for accounting and authentication, use the zero port value as appropriate. The following example specifies that RADIUS server host1 be used for accounting but not for authentication, and that RADIUS server host2 be used for authentication but not for accounting: router(config)#radius-server host host1.example.com auth-port 0 router(config)#radius-server host host2.example.com acct-port 0 The following example specifies four aliases on the RADIUS server with IP address 172.1.1.1: router(config)#radius-server host 172.1.1.1 acct-port 1645 authport 1646 router(config)#radius-server host 172.1.1.1 alias 172.16.2.1 172.17.3.1 172.16.4.1 Misconceptions: none Related commands: aaa accounting aaa authentication ppp aaa authorization ppp ppp authentication radius-server key radius-server retransmit radius-server timeout username

Sample Configurations: The following example shows how to configure the NAS to send static route download requests to the servers specified by the method list named "foo": aaa new-model aaa group server radius rad1 server 2.2.2.2 auth-port 1645 acct-port 1646 ! aaa group server tacacs+ tac1 server 3.3.3.3 ! aaa authorization configuration default group radius aaa authorization configuration foo group rad1 group tac1 aaa route download 1 authorization foo tacacs-server host 3.3.3.3 tacacs-server key cisco tacacs-server administration ! radius-server host 2.2.2.2 auth-port 1645 acct-port 1646 radius-server key cisco

Command Name: Mode: Syntax:

radius-server key router(config)#

radius-server key {0 string | 7 string | string} no radius-server key Syntax Description:


0 string Specifies that an unencrypted key will follow. The unencrypted (cleartext) shared key.

7 string

Specifies that a hidden key will follow. The hidden shared key.

string

The unencrypted (cleartext) shared key.

Command Description: To set the authentication and encryption key for all RADIUS communications between the router and the RADIUS daemon, use the radius-server key command in global configuration mode. To disable the key, use the no form of this command. Usage Guidlines After enabling authentication, authorization, and accounting (AAA) authentication with the aaa new-model command, you must set the authentication and encryption key using the radiusserver key command. Note Specify a RADIUS key after you issue the aaa new-model command. The key entered must match the key used on the RADIUS daemon. All leading spaces are ignored, but spaces within and at the end of the key are used. If you use spaces in your key, do not enclose the key in quotation marks unless the quotation marks themselves are part of the key. Example: The following example sets the authentication and encryption key to "dare to go":

router(config)#radius-server key dare to go The following example sets the authentication and encryption key to "anykey." The 7 specifies that a hidden key will follow. router(config)#service password-encryption router(config)#radius-server key 7 anykey After you save your configuration and use the show-running config command, an encrypted key will be displayed as follows: show running-config ! ! radius-server key 7 19283103834782sda !The leading 7 indicates that the following text is encrypted. Misconceptions: none Related commands: aaa accounting aaa authentication ppp ppp ppp authentication radius-server host service password-encryption username Sample Configurations: The following example shows how to configure the NAS to send static route download requests to the servers specified by the method list named "foo": aaa new-model aaa group server radius rad1 server 2.2.2.2 auth-port 1645 acct-port 1646 ! aaa group server tacacs+ tac1 server 3.3.3.3 ! aaa authorization configuration default group radius aaa authorization configuration foo group rad1 group tac1 aaa route download 1 authorization foo tacacs-server host 3.3.3.3 tacacs-server key cisco

tacacs-server administration ! radius-server host 2.2.2.2 auth-port 1645 acct-port 1646 radius-server key cisco

Command Name: Mode: Syntax:

radius-server optional-passwords router(config)#

radius-server optional-passwords no radius-server optional-passwords Syntax Description: This command has no arguments or keywords. Command Description: To specify that the first RADIUS request to a RADIUS server be made without password verification, use the radius-server optional-passwords command in global configuration mode. To restore the default, use the no form of this command. Usage Guidelines When the user enters the login name, the login request is transmitted with the name and a zerolength password. If accepted, the login procedure completes. If the RADIUS server refuses this request, the server software prompts for a password and tries again when the user supplies a password. The RADIUS server must support authentication for users without passwords to make use of this feature. Example: The following example configures the first login to not require RADIUS verification: router(config)#radius-server optional-passwords Misconceptions: none Related commands: none Sample Configurations:

Command Name: Mode: Syntax:

radius-server retransmit router(config)#

radius-server retransmit retries no radius-server retransmit Syntax Description:


retries Maximum number of retransmission attempts. The default is 3 attempts.

Command Description: To specify the number of times the Cisco IOS software searches the list of RADIUS server hosts before giving up, use the radius-server retransmit command in global configuration mode. To disable retransmission, use the no form of this command. The Cisco IOS software tries all servers, allowing each one to time out before increasing the retransmit count. Example: The following example specifies a retransmit counter value of five times: router(config)#radius-server retransmit 5 Misconceptions: none Related commands: none Sample Configurations: The following example shows a NAS configuration that sends the IP address of the dial-in host to the RADIUS server in the RADIUS access request. The NAS is configured for RADIUS authentication, authorization, and accounting (AAA). A pool of IP addresses (async1-pool) has been configured and applied at interface Async1. aaa new-model aaa authentication login default group radius

aaa authentication ppp default group radius aaa authorization network default group radius aaa accounting network default start-stop group radius ! ip address-pool local ! interface Async1 peer default ip address pool async1-pool ! ip local pool async1-pool 209.165.200.225 209.165.200.229 ! radius-server host 172.31.71.146 auth-port 1645 acct-port 1646 radius-server retransmit 3 radius-server attribute 8 include-in-access-req radius-server key radhost

Command Name: Mode: Syntax:

radius-server timeout router(config)#

radius-server timeout seconds no radius-server timeout Syntax Description:


seconds Number that specifies the timeout interval, in seconds. The default is 5 seconds.

Command Description: To set the interval for which a router waits for a server host to reply, use the radius-server timeout command in global configuration mode. To restore the default, use the no form of this command. Example: The following example changes the interval timer to 10 seconds: router(config)#radius-server timeout 10 Misconceptions: none Related commands: radius-server host radius-server key Sample Configurations:

Command Name: Mode: Syntax:

radius-server unique-ident router(config)#

radius-server unique-ident number no radius-server unique-ident number+1 Syntax Description:


number Acct-Session-Id string

Command Description: To assign a unique accounting session identification (Acct-Session-Id), use the radius-server unique-ident command in global configuration mode. To disable this command, use the no form of this command. Usage Guidlines Use the radius-server unique-ident command to ensure that RADIUS Acct-Session-IDs are unique across Cisco IOS boots. After the router parses this command, radius-server uniqueident n+1 is written to RAM; thereafter, the Acct-Session-ID attribute will have its higher order eight bits set to n+1 in all accounting records. After the router is reloaded, it will parse the radius-server unique-ident n+1 command, and the radius-server unique-ident n+2 will be written to NVRAM. Thus, the Cisco IOS configuration is automatically written to NVRAM after the router reboots. Note radius-server unique-ident 255 has the same functionality as radius-server unique-ident 0; thus, radius-server unique-ident 1 is written to NVRAM when either number (255 or 0) is used. Example: The following example shows how to define the Acct-Session-Id to 1. In this example, the AcctSession-ID begins as "acct-session-id = 01000008," but after enabling this command and rebooting the router, the Acct-Session-ID becomes "acct-session-id = 02000008" because the value increments by one and is updated in the system configuration. router(config)#radius-server unique-ident 1 Misconceptions: none

Related commands: none Sample Configurations:

Command Name: Mode: Syntax:

radius-server vsa send router(config)#

radius-server vsa send [accounting | authentication] no radius-server vsa send [accounting | authentication] Syntax Description:
accounting (Optional) Limits the set of recognized vendor-specific attributes to only accounting attributes.

authentication

(Optional) Limits the set of recognized vendor-specific attributes to only authentication attributes.

Command Description: To configure the network access server to recognize and use vendor-specific attributes, use the radius-server vsa send command in global configuration mode. To restore the default, use the no form of this command. Usage Guidelines The Internet Engineering Task Force (IETF) draft standard specifies a method for communicating vendor-specific information between the network access server and the RADIUS server by using the vendor-specific attribute (attribute 26). Vendor-specific attributes (VSAs) allow vendors to support their own extended attributes not suitable for general use. The radiusserver vsa send command enables the network access server to recognize and use both accounting and authentication vendor-specific attributes. Use the accounting keyword with the radius-server vsa send command to limit the set of recognized vendor-specific attributes to just accounting attributes. Use the authentication keyword with the radius-server vsa send command to limit the set of recognized vendor-specific attributes to just authentication attributes. The Cisco RADIUS implementation supports one vendor-specific option using the format recommended in the specification. Cisco's vendor-ID is 9, and the supported option has vendortype 1, which is named "cisco-avpair." The value is a string with the following format: protocol : attribute sep value *
"Protocol" is a value of the Cisco "protocol" attribute for a particular type of authorization. "Attribute" and "value" are an appropriate attribute-value (AV) pair defined in the Cisco TACACS+ specification, and "sep" is "=" for mandatory attributes and "*" for optional

attributes. This allows the full set of features available for TACACS+ authorization to also be used for RADIUS. For example, the following AV pair causes Cisco's "multiple named ip address pools" feature to be activated during IP authorization (during PPP's IPCP address assignment): cisco-avpair= "ip:addr-pool=first" The following example causes a "NAS Prompt" user to have immediate access to EXEC commands. cisco-avpair= "shell:priv-lvl=15" Other vendors have their own unique vendor-IDs, options, and associated VSAs. For more information about vendor-IDs and VSAs, refer to RFC 2138, Remote Authentication Dial-In User Service (RADIUS). Example: The following example configures the network access server to recognize and use vendorspecific accounting attributes: router(config)#radius-server vsa send accounting Misconceptions: none Related commands: aaa nas port extended Sample Configurations: radius-server radius-server radius-server radius-server radius-server radius-server radius-server radius-server radius-server host 10.6.20.60 auth-port 1708 acct-port 1709 host 10.6.20.60 auth-port 1704 acct-port 1705 host 10.6.20.60 auth-port 1698 acct-port 1699 host 10.6.43.255 auth-port 1645 acct-port 1646 host 10.6.37.10 auth-port 1645 acct-port 1646 retransmit 3 key cisco vsa send accounting vsa send authentication

Command Name: Mode: Syntax:

server (radius) router(config-sg-radius)#

server ip-address [auth-port port-number] [acct-port portnumber] no server ip-address [auth-port port-number] [acct-port portnumber] Syntax Description:
ip-address IP address of the RADIUS server host.

auth-port port-number

(Optional) Specifies the User Datagram Protocol (UDP) destination port for authentication requests. The port-number argument specifies the port number for authentication requests. The host is not used for authentication if this value is set to 0.

acct-port port-number

(Optional) Specifies the UDP destination port for accounting requests. The port number argument specifies the port number for accounting requests. The host is not used for accounting services if this value is set to 0.

Command Description: To configure the IP address of the RADIUS server for the group server, use the server command in server-group configuration mode. To remove the associated server from the authentication, authorization, and accounting (AAA) group server, use the no form of this command. Usage Guidelines Use the server command to associate a particular server with a defined group server. There are two different ways in which you can identify a server, depending on the way you want to offer AAA services. You can identify the server simply by using its IP address, or you can identify multiple host instances or entries using the optional auth-port and acct-port keywords. When you use the optional keywords, the network access server identifies RADIUS security servers and host instances associated with a group server on the basis of their IP address and specific UDP port numbers. The combination of the IP address and UDP port number creates a unique identifier, allowing different ports to be individually defined as RADIUS host entries providing a specific AAA service. If two different host entries on the same RADIUS server are configured for the same servicefor example, accountingthe second host entry configured acts as failover backup to the first one. Using this example, if the first host entry fails to provide

accounting services, the network access server will try the second host entry configured on the same device for accounting services. (The RADIUS host entries will be tried in the order they are configured.) Example: router(config-sg-radius)#server 172.20.0.1 auth-port 2000 acctport 2001 Misconceptions: none Related commands: aaa group server aaa new-model radius-server host Sample Configurations: aaa new-model aaa authentication ppp default group group1 aaa group server radius group1 server 172.20.0.1 auth-port 1000 acct-port aaa group server radius group2 server 172.20.0.1 auth-port 2000 acct-port 2001 radius-server host 172.20.0.1 auth-port 1000 acct-port 1001 radius-server host 172.20.0.1 auth-port 1000 acct-port 1001 radius-server host 172.10.0.1 auth-port 1645 acct-port 1646

Command Name: Mode: Syntax:

show aaa attributes router>

show aaa attributes [protocol radius] Syntax Description:


protocol radius (Optional) Displays the mapping between a RADIUS attribute and a AAA attribute name and number.

Command Description: To display the mapping between an authentication, authorization, and accounting (AAA) attribute number and the corresponding AAA attribute name, use the show aaa attributes command in EXEC configuration mode. Example: router>show aaa attributes Misconceptions: none Related commands: none Sample Configurations: The following example is sample output for the show aaa attributes command. In this example, all RADIUS attributes that have been enabled are displayed. router# show aaa attributes protocol radius AAA ATTRIBUTE LIST: Type=1 Name=disc-cause-ext Format=Enum Protocol:RADIUS Non-Standard Type=195 Name=Ascend-Disconnect-Cau Format=Enum Cisco VSA Type=1 Name=Cisco AVpair Format=String Type=2 Name=Acct-Status-Type Format=Enum Protocol:RADIUS IETF Type=40 Name=Acct-Status-Type Format=Enum

Type=3 Name=acl Format=Ulong Protocol:RADIUS IETF Type=11 Name=Filter-Id Format=Binary Type=4 Name=addr Format=IPv4 Address Protocol:RADIUS IETF Type=8 Name=Framed-IP-Address Format=IPv4 Addre Type=5 Name=addr-pool Format=String Protocol:RADIUS Non-Standard Type=218 Name=Ascend-IP-Pool Format=Ulong Type=6 Name=asyncmap Format=Ulong Protocol:RADIUS Non-Standard Type=212 Name=Ascend-Asyncmap Format=Ulong Type=7 Name=Authentic Format=Enum Protocol:RADIUS IETF Type=45 Name=Authentic Format=Enum Type=8 Name=autocmd Format=String

Command Name: Mode: Syntax:

show radius statistics router>

show radius statistics Syntax Description: This command has no arguments or keywords. Command Description: To display the RADIUS statistics for accounting and authentication packets, use the show radius statistics EXEC command. The show radius statistics Field Descriptions are listed below.
Auth. Acct. Both Statistics for authentication packets. Statistics for accounting packets. Combined statistics for authentication and accounting packets.

Maximum inQ Maximum number of entries allowed in the queue, that holds the RADIUS messages not length yet sent. Maximum waitQ length Maximum number of entries allowed in the queue, that holds the RADIUS messages that have been sent and are waiting for a response.

Maximum Maximum number of entries allowed in the queue, that holds the messages that have doneQ length received a response and will be forwarded to the code that is waiting for the messages. Total responses seen Packets with responses Packets without responses Average response delay Number of RADIUS responses seen from the server. In addition to the expected packets, this includes repeated packets and packets that do not have a matching message in the waitQ. Number of packets that received a response from the RADIUS server.

Number of packets that never received a response from any RADIUS server.

Average time from when the packet was first transmitted to when it received a response. If the response timed out and the packet was sent again, this value includes the timeout. If the packet never received a response, this is not included in the average.

Maximum response delay Number of RADIUS timeouts Duplicate ID detects

Maximum delay observed while gathering average response delay information.

Number of times a server did not respond, and the RADIUS server re-sent the packet.

RADIUS has a maximum of 255 unique IDs. In some instances there can be more than 255 outstanding packets. When a packet is received, the doneQ is searched from the oldest entry to the youngest. If the IDs are the same, further techniques are used to see if this response matches this entry. If it is determined that this does not match, the duplicate ID detect counter is increased.

Example: router# show radius statistics Misconceptions: none Related commands: radius-server host radius-server retransmit radius-server timeout Sample Configurations: The following example is sample output for the show radius statistics command: router# show radius statistics Auth. Acct. Both Maximum inQ length: NA NA 1 Maximum waitQ length: NA NA 1 Maximum doneQ length: NA NA 1 Total responses seen: 3 0 3 Packets with responses: 3 0 3 Packets without responses: 0 0 0 Average response delay(ms): 5006 0 5006 Maximum response delay(ms): 15008 0 15008 Number of Radius timeouts: 3 0 3
Duplicate ID detects: 0 0 0

Command Name: Mode: Syntax:

test aaa group router#

test aaa group {group-name | radius} username password new-code [profile profile-name] Syntax Description:
group-name Subset of RADIUS servers that are used as defined by the server group group-name.

radius

Uses RADIUS servers for authentication.

username

Specifies a name for the user.

password

Character string that specifies the password.

new-code

The code path through the new code, which supports a CLID or DNIS user profile association with a RADIUS server.

profile profilename

(Optional) Identifies the user profile specified in the aaa user profile command. To associate a user profile with the RADIUS server, the user profile name must be identified.

Command Description: To associate a dialed number identification service (DNIS) or calling line identification (CLID) user profile with the record that is sent to the RADIUS server, use the test aaa group command in privileged EXEC mode. Example: router# test aaa group radius user1 pass new-code profile prfl1 Misconceptions: none

Related commands: aaa attribute aaa user profile Sample Configurations: The following sample shows how to configure a dnis = dnisvalue user profile named "prfl1" and associate it with a test aaa group command: aaa user profile prfl1 aaa attribute dnis aaa attribute dnis dnisvalue no aaa attribute clid ! Attribute not found. aaa attribute clid clidvalue no aaa attribute clid exit ! test aaa group radius user1 pass new-code profile prfl1

Command Name: Mode: Syntax:

vpdn aaa attribute nas-port vpdn-nas router(config)#

vpdn aaa attribute nas-port vpdn-nas no vpdn aaa attribute nas-port vpdn-nas Syntax Description: This command has no arguments or keywords. Command Description: To enable the L2TP network server (LNS) to send PPP extended NAS-Port format values from the L2TP access concentrator (LAC) to the RADIUS server for accounting, use the vpdn aaa attribute nas-port vpdn-nas global configuration command. To prevent the LNS from sending PPP extended NAS-Port format values, use the no form of this command. Usage Guidelines The PPP extended NAS-Port format enables the NAS-Port and NAS-Port-Type attributes to provide port details to the RADIUS server when PPP over ATM, PPP over Ethernet (PPPoE) over ATM, or PPPoE over 802.1Q VLANs is used. The vpdn aaa attribute nas-port vpdn-nas command should be configured on the LNS only. The radius-server attribute nas-port format command with the d keyword must also be configured on the LNS and the L2TP access concentrator (LAC), and the LAC and LNS must both be Cisco routers. Example: router(config)# vpdn aaa attribute nas-port vpdn-nas Misconceptions: The LNS will not send PPP extended NAS-Port format values to the RADIUS server by default. Related commands: radius-server attribute nas-port format Sample Configurations:

In the following example, the LNS is configured to recognize and forward PPP extended NASPort format values to the RADIUS server. PPP extended NAS-Port format must also be configured on the LAC for this configuration to be effective. vpdn enable no vpdn logging ! vpdn-group L2TP-tunnel accept-dialin protocol l2tp virtual-template 1 terminate-from hostname lac1 local name lns1 ! aaa new-model aaa authentication ppp default local group radius aaa authorization network default local group radius aaa accounting network default start-stop group radius radius-server host 171.79.79.76 auth-port 1645 acct-port 1646 radius-server retransmit 3 radius-server attribute nas-port format d radius-server key lns123 ! vpdn aaa attribute nas-port vpdn-nas

aaa group server tacacs+


To group different server hosts into distinct lists and distinct methods, use the aaa group server tacacs+ command in global configuration mode. To remove a server group from the configuration list, use the no form of this command. aaa group server tacacs+ group-name no aaa group server tacacs+ group-name

Syntax Description
tacacs+ Uses only the TACACS+ server hosts.

group-name

Character string used to name the group of servers.

Defaults
No default behavior or values.

Command Modes
Global configuration

Command History
Release 12.0(5)T Modification This command was introduced.

Usage Guidelines
The authentication, authorization, and accounting (AAA) server-group feature introduces a way to group existing server hosts. The feature enables you to select a subset of the configured server hosts and use them for a particular service. A server group is a list of server hosts of a particular type. Currently supported server host types are RADIUS server hosts and TACACS+ server hosts. A server group is used in conjunction

with a global server host list. The server group lists the IP addresses of the selected server hosts.

Examples
The following example shows the configuration of an AAA group server named tacgroup1 that comprises three member servers: aaa group server tacacs+ tacgroup1 server 1.1.1.1 server 2.2.2.2 server 3.3.3.3

Related Commands
Command aaa accounting Description Enables AAA accounting of requested services for billing or security.

aaa authentication login

Enables AAA accounting of requested services for billing or security purposes.

aaa authorization

Sets parameters that restrict user access to a network.

aaa new-model

Enables the AAA access control model.

tacacs-server host

Specifies a TACACS+ host.

ip tacacs source-interface
To use the IP address of a specified interface for all outgoing TACACS+ packets, use the ip tacacs source-interface command in global configuration mode. To disable use of the specified interface IP address, use the no form of this command. ip tacacs source-interface subinterface-name no ip tacacs source-interface

Syntax Description
subinterface-name Name of the interface that TACACS+ uses for all of its outgoing packets.

Defaults
No default behavior or values.

Command Modes
Global configuration

Command History
Release 10.0 Modification This command was introduced.

Usage Guidelines
Use this command to set a subinterface's IP address for all outgoing TACACS+ packets. This address is used as long as the interface is in the up state. In this way, the TACACS+ server can use one IP address entry associated with the network access client instead of maintaining a list of all IP addresses. This command is especially useful in cases where the router has many interfaces and you want to ensure that all TACACS+ packets from a particular router have the same IP address. The specified interface must have an IP address associated with it. If the specified subinterface does not have an IP address or is in a down state, TACACS+ reverts to the default. To avoid this, add an IP address to the subinterface or bring the interface to the up state.

Examples
The following example makes TACACS+ use the IP address of subinterface s2 for all outgoing TACACS+ packets: ip tacacs source-interface s2

Related Commands
Command ip radius sourceinterface Description Forces RADIUS to use the IP address of a specified interface for all outgoing RADIUS packets.

ip telnet sourceinterface

Allows a user to select an address of an interface as the source address for Telnet connections.

ip tftp sourceinterface

Allows a user to select the interface whose address will be used as the source address for TFTP connections.

server (TACACS+)
To configure the IP address of the TACACS+ server for the group server, use the server command in TACACS+ group server configuration mode. To remove the IP address of the RADIUS server, use the no form of this command. server ip-address no server ip-address

Syntax Description
ip-address IP address of the selected server.

Defaults
No default behavior or values.

Command Modes
TACACS+ group server configuration

Command History
Release 12.0(5)T Modification This command was introduced.

Usage Guidelines
You must configure the aaa group server tacacs command before configuring this command. Enter the server command to specify the IP address of the TACACS+ server. Also configure a matching tacacs-server host entry in the global list. If there is no response from the first host entry, the next host entry is tried.

Examples
The following example shows server host entries configured for the RADIUS server: aaa new-model

aaa authentication ppp default group g1 aaa group server tacacs+ g1 server 1.0.0.1 server 2.0.0.1 tacacs-server host 1.0.0.1 tacacs-server host 2.0.0.1

Related Commands
Command aaa new-model Description Enables the AAA access control model.

aaa server group

Groups different server hosts into distinct lists and distinct methods.

tacacs-server host

Specifies a RADIUS server host.

show tacacs
To display statistics for a TACACS+ server, use the show tacacs command in EXEC configuration mode. show tacacs

Syntax Description
This command has no arguments or keywords.

Defaults
No default behavior or values.

Command Modes
EXEC

Command History
Release 11.2 Modification This command was introduced.

Examples
The following example is sample output for the show tacacs command:
Router# show tacacs Tacacs+ Server : 172.19.192.80/49 Socket opens: 3 Socket closes: 3 Socket aborts: 0 Socket errors: 0 Socket Timeouts: 0 Failed Connect Attempts: 0 Total Packets Sent: 7 Total Packets Recv: 7 Expected Replies: 0 No current connection

Table 18 describes the significant fields shown in the display.

Table 18: show tacacs Field Descriptions

Field Tacacs+ Server

Description IP address of the TACACS+ server.

Socket opens

Number of successful TCP socket connections to the TACACS+ server.

Socket closes

Number of successfully closed TCP socket attempts.

Socket aborts

Number of premature TCP socket closures to the TACACS+ server; that is, the peer did not wait for a reply from the server after a the peer sent its request.

Socket errors

Any other socket read or write errors, such as incorrect packet format and length.

Failed Connect Attempts

Number of failed TCP socket connections to the TACACS+ server.

Total Packets Sent

Number of packets sent to the TACACS+ server.

Total Packets Recv

Number of packets received from the TACACS+ server.

Expected replies

Number of outstanding replies from the TACACS+ server.

Related Commands
Command tacacs-server host Description Specifies a TACACS+ host.

tacacs-server directed-request
To send only a username to a specified server when a direct request is issued, use the tacacs-server directed-request command in global configuration mode. To send the entire string to the TACACS+ server, use the no form of this command. tacacs-server directed-request [restricted] [no-truncate] no tacacs-server directed-request

Syntax Description
restricted (Optional) Restrict queries to directed request servers only.

no-truncate

(Optional) Do not truncate the @hostname from the username.

Defaults
Enabled

Command Modes
Global configuration

Command History
Release 11.1 Modification This command was introduced.

Usage Guidelines

This command sends only the portion of the username before the "@" symbol to the host specified after the "@" symbol. In other words, with the directed-request feature enabled, you can direct a request to any of the configured servers, and only the username is sent to the specified server. Disabling tacacs-server directed-request causes the whole string, both before and after the "@" symbol, to be sent to the default TACACS+ server. When the directed-request feature is disabled, the router queries the list of servers, starting with the first one in the list, sending the whole string, and accepting the first response that it gets from the server. The tacacs-server directed-request command is useful for sites that have developed their own TACACS+ server software that parses the whole string and makes decisions based on it. With tacacs-server directed-request enabled, only configured TACACS+ servers can be specified by the user after the "@" symbol. If the host name specified by the user does not match the IP address of a TACACS+ server configured by the administrator, the user input is rejected. Use no tacacs-server directed-request to disable the ability of the user to choose between configured TACACS+ servers and to cause the entire string to be passed to the default server.

Examples
The following example enables tacacs-server directed-request so that the entire user input is passed to the default TACACS+ server:
no tacacs-server directed-request

tacacs-server host
To specify a TACACS+ host, use the tacacs-server host command in global configuration mode. To delete the specified name or address, use the no form of this command. tacacs-server host hostname [port integer] [timeout integer] [key string] no tacacs-server host hostname

Syntax Description
hostname Name or IP address of the host.

port

(Optional) Specify a server port number. This option overrides the default, which is port 49.

integer

(Optional) Port number of the server. Valid port numbers range from 1 to 65535.

timeout

(Optional) Specify a timeout value. This overrides the global timeout value set with the tacacs-server timeout command for this server only.

integer

(Optional) Integer value, in seconds, of the timeout interval.

key

(Optional) Specify an authentication and encryption key. This must match the key used by the TACACS+ daemon. Specifying this key overrides the key set by the global command tacacs-server key for this server only.

string

(Optional) Character string specifying authentication and encryption key.

Defaults
No TACACS+ host is specified.

Command Modes
Global configuration

Command History
Release 10.0 Modification This command was introduced.

Usage Guidelines
You can use multiple tacacs-server host commands to specify additional hosts. The Cisco IOS software searches for hosts in the order in which you specify them. Use the port, timeout, and key options only when running a AAA/TACACS+ server. Because some of the parameters of the tacacs-server host command override global settings made by the tacacs-server timeout and tacacs-server key commands, you can use this command to enhance security on your network by uniquely configuring individual routers.

Examples
The following example specifies a TACACS+ host named Sea_Change:
tacacs-server host Sea_Change

The following example specifies that, for authentication, authorization, and accounting (AAA) confirmation, the router consults the TACACS+ server host named Sea_Cure on port number 51. The timeout value for requests on this connection is three seconds; the encryption key is a_secret.
tacacs-server host Sea_Cure port 51 timeout 3 key a_secret

Related Commands

Command aaa authentication

Description Specify or enable AAA authentication.

aaa authorization

Sets parameters that restrict user access to a network.

aaa accounting

Enables AAA accounting of requested services for billing or security.

ppp

Starts an asynchronous connection using PPP.

slip

Starts a serial connection to a remote host using SLIP.

tacacs-server key

Sets the authentication encryption key used for all TACACS+ communications between the access server and the TACACS+ daemon.

tacacs-server key
To set the authentication encryption key used for all TACACS+ communications between the access server and the TACACS+ daemon, use the tacacs-server key command in global configuration mode. To disable the key, use the no form of this command. tacacs-server key key no tacacs-server key [key]

Syntax Description
key Key used to set authentication and encryption. This key must match the key used on the TACACS+ daemon.

Defaults
No default behavior or values.

Command Modes
Global configuration

Command History
Release 11.1 Modification This command was introduced.

Usage Guidelines

After enabling authentication, authorization, and accounting (AAA) with the aaa new-model command, you must set the authentication and encryption key using the tacacs-server key command. The key entered must match the key used on the TACACS+ daemon. All leading spaces are ignored; spaces within and at the end of the key are not. If you use spaces in your key, do not enclose the key in quotation marks unless the quotation marks themselves are part of the key.

Examples
The following example sets the authentication and encryption key to "dare to go":
tacacs-server key dare to go

Related Commands
Command aaa new-model Description Enables the AAA access control model.

tacacs-server host

Specifies a TACACS+ host.

Command Name: Mode: Syntax:

access-enable router>

access-enable [host] [timeout minutes] Syntax Description:


host (Optional) Tells the software to enable access only for the host from which the Telnet session originated. If not specified, the software allows all hosts on the defined network to gain access. The dynamic access list contains the network mask to use for enabling the new network.

timeout minutes

(Optional) Specifies an idle timeout for the temporary access list entry. If the access list entry is not accessed within this period, it is automatically deleted and requires the user to authenticate again. The default is for the entries to remain permanently. We recommend that this value equal the idle timeout set for the WAN connection.

Command Description: To enable the router to create a temporary access list entry in a dynamic access list, use the access-enable EXEC command. Usage Guidelines This command enables the lock-and-key access feature. You should always define either an idle timeout (with the timeout keyword in this command) or an absolute timeout (with the timeout keyword in the access-list command). Otherwise, the temporary access list entry will remain, even after the user terminates the session. Use the autocommand command with the access-enable command to cause the access-enable command to execute when a user opens a Telnet session into the router. Example: The following example causes the software to create a temporary access list entry and tells the software to enable access only for the host from which the Telnet session originated. If the access list entry is not accessed within 2 minutes, it is deleted. router(config)#autocommand access-enable host timeout 2 Misconceptions:

none Related commands: access-list (IP extended) autocommand show ip accounting Sample Configurations: This example shows how to configure lock-and-key access, with authentication occurring locally at the router. Lock-and-key is configured on the Ethernet 0 interface. interface ethernet0 ip address 172.18.23.9 255.255.255.0 ip access-group 101 in access-list 101 permit tcp any host 172.18.21.2 eq telnet access-list 101 dynamic mytestlist timeout 120 permit ip any any line vty 0 login local autocommand access-enable timeout 5

Command Name: Mode: Syntax:

access-list dynamic-extend router(config)#

access-list dynamic-extend no access-list dynamic-extend Syntax Description: This command has no arguments or keywords. Command Description: To allow the absolute timer of the dynamic access control list (ACL) to be extended an additional six minutes, use the access-list dynamic-extend command in global configuration mode. To disable this functionality, use the no form of this command. Usage Guidelines When you try to create a Telnet session to the router to re-authenticate yourself by using the lock-and-key function, use the access-list dynamic-extend command to extend the absolute timer of the dynamic ACL by six minutes. The router must already be configured with the lock-and-key feature, and you must configure the extension before the ACL expires. Example: router(config)# access-list dynamic-extend Misconceptions: none Related commands: none Sample Configurations:

Command Name: Mode: Syntax:

access-template router#

access-template [access-list-number | name] [dynamic-name] [source] [destination] [timeout minutes] Syntax Description:
access-listnumber (Optional) Number of the dynamic access list.

name

(Optional) Name of an IP access list. The name cannot contain a space or quotation mark, and must begin with an alphabetic character to avoid ambiguity with numbered access lists.

dynamicname

(Optional) Name of a dynamic access list.

source

(Optional) Source address in a dynamic access list. The keywords host and any are allowed. All other attributes are inherited from the original access-list entry.

destination

(Optional) Destination address in a dynamic access list. The keywords host and any are allowed. All other attributes are inherited from the original access-list entry.

timeout minutes

(Optional) Specifies a maximum time limit for each entry within this dynamic list. This is an absolute time, from creation, that an entry can reside in the list. The default is an infinite time limit and allows an entry to remain permanently.

Command Description: To manually place a temporary access list entry on a router to which you are connected, use the access-template privileged EXEC command. Usage Guidlines This command provides a way to enable the lock-and-key access feature.

You should always define either an idle timeout (with the timeout keyword in this command) or an absolute timeout (with the timeout keyword in the access-list command). Otherwise, the dynamic access list will remain, even after the user has terminated the session. Example: The following example enables IP access on incoming packets in which the source address is 172.29.1.129 and the destination address is 192.168.52.12. All other source and destination pairs are discarded. router#access-template 101 payroll host 172.29.1.129 host 192.168.52.12 timeout 2 Misconceptions: none Related commands: access-list (IP extended) autocommand clear access-template show ip accounting Sample Configurations:

Command Name: Mode: Syntax:

clear access-template router#

clear access-template [access-list-number | name] [dynamic-name] [source] [destination] Syntax Description:


access-listnumber (Optional) Number of the dynamic access list from which the entry is to be deleted.

name

(Optional) Name of an IP access list from which the entry is to be deleted. The name cannot contain a space or quotation mark, and must begin with an alphabetic character to avoid ambiguity with numbered access lists.

dynamicname

(Optional) Name of the dynamic access list from which the entry is to be deleted.

source

(Optional) Source address in a temporary access list entry to be deleted.

destination

(Optional) Destination address in a temporary access list entry to be deleted.

Command Description: To manually clear a temporary access list entry from a dynamic access list, use the clear accesstemplate privileged EXEC command. Example: The following example clears any temporary access list entries with a source of 172.20.1.12 from the dynamic access list named vendor: router#clear access-template vendor 172.20.1.12 Misconceptions: none

Related commands: access-list (IP extended) access-template show ip accounting Sample Configurations:

Command Name: Mode: Syntax: evaluate name no evaluate name Syntax Description:
name

evaluate router(config-ext-nacl)#

The name of the reflexive access list that you want evaluated for IP traffic entering your internal network. This is the name defined in the permit (reflexive) command.

Command Description: To nest a reflexive access list within an access list, use the evaluate command in access-list configuration mode. To remove a nested reflexive access list from the access list, use the no form of this command. Usage Guidlines This command is used to achieve reflexive filtering, a form of session filtering. Before this command will work, you must define the reflexive access list using the permit (reflexive) command. This command nests a reflexive access list within an extended named IP access list. If you are configuring reflexive access lists for an external interface, the extended named IP access list should be one which is applied to inbound traffic. If you are configuring reflexive access lists for an internal interface, the extended named IP access list should be one which is applied to outbound traffic. (In other words, use the access list opposite of the one used to define the reflexive access list.) This command allows IP traffic entering your internal network to be evaluated against the reflexive access list. Use this command as an entry (condition statement) in the IP access list; the entry "points" to the reflexive access list to be evaluated. As with all access list entries, the order of entries is important. Normally, when a packet is evaluated against entries in an access list, the entries are evaluated in sequential order, and when a match occurs, no more entries are evaluated. With a reflexive access list nested in an extended access list, the extended access list entries are evaluated sequentially up to the nested entry, then the reflexive access list entries are evaluated sequentially, and then the remaining entries in the

extended access list are evaluated sequentially. As usual, after a packet matches any of these entries, no more entries will be evaluated. Example: router(config-ext-nacl)#evaluate tcptraffic Misconceptions: none Related commands: ip access-list ip reflexive-list timeout permit (reflexive) Sample Configurations: The following ample shows reflexive filtering at an external interface. This example defines an extended named IP access list inboundfilters, and applies it to inbound traffic at the interface. The access list definition permits all Border Gateway Protocol and Enhanced Interior Gateway Routing Protocol traffic, denies all Internet Control Message Protocol traffic, and causes all Transmission Control Protocol traffic to be evaluated against the reflexive access list tcptraffic. If the reflexive access list tcptraffic has an entry that matches an inbound packet, the packet will be permitted into the network. tcptraffic only has entries that permit inbound traffic for existing TCP sessions. interface Serial 1 description Access to the Internet via this interface ip access-group inboundfilters in ! ip access-list extended inboundfilters permit bgp any any permit eigrp any any deny icmp any any evaluate tcptraffic

Command Name: Mode: Syntax:

ip reflexive-list timeout router(config)#

ip reflexive-list timeout seconds no ip reflexive-list timeout Syntax Description:


seconds Specifies the number of seconds to wait (when no session traffic is being detected) before temporary access list entries expire. Use a positive integer from 0 to 2,147,483. The default is 300 seconds.

Command Description: To specify the length of time that reflexive access list entries will continue to exist when no packets in the session are detected, use the ip reflexive-list timeout command in global configuration mode. To reset the timeout period to the default timeout, use the no form of this command. Usage Guidelines This command is used with reflexive filtering, a form of session filtering. This command specifies when a reflexive access list entry will be removed after a period of no traffic for the session (the timeout period). With reflexive filtering, when an IP upper-layer session begins from within your network, a temporary entry is created within the reflexive access list, and a timer is set. Whenever a packet belonging to this session is forwarded (inbound or outbound) the timer is reset. When this timer counts down to zero without being reset, the temporary reflexive access list entry is removed. The timer is set to the timeout period. Individual timeout periods can be defined for specific reflexive access lists, but for reflexive access lists that do not have individually defined timeout periods, the global timeout period is used. The global timeout value is 300 seconds by default; however, you can change the global timeout to a different value at any time using this command. This command does not take effect for reflexive access list entries that were already created when the command is entered; this command only changes the timeout period for entries created after the command is entered. Example:

The following example sets the global timeout period for reflexive access list entries to 120 seconds: ip reflexive-list timeout 120 Misconceptions: none Related commands: evaluate ip access-list permit (reflexive) Sample Configurations: interface Serial 1 description Access to the Internet via this interface ip access-group inboundfilters in ip access-group outboundfilters out ! ip reflexive-list timeout 120 ! ip access-list extended outboundfilters permit tcp any any reflect tcptraffic ! ip access-list extended inboundfilters permit bgp any any permit eigrp any any deny icmp any any evaluate tcptraffic

Command Name: Mode: Syntax:

permit (reflexive) router(config-ext-nacl)#

permit protocol source source-wildcard destination destinationwildcard reflect name [timeout seconds] no permit protocol source-wildcard destination destinationwildcard reflect name

Syntax Description:
protocol Name or number of an IP protocol. It can be one of the keywords gre, icmp, ip, ipinip, nos, tcp, or udp, or an integer in the range 0 to 255 representing an IP protocol number. To match any Internet protocol (including Internet Control Message Protocol, Transmission Control Protocol, and User Datagram Protocol), use the keyword ip.

source

Number of the network or host from which the packet is being sent. There are three other ways to specify the source: Use a 32-bit quantity in four-part, dotted-decimal format. Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255. This keyword is normally not recommended (see the section "Usage Guidelines"). Use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.

sourcewildcard

Wildcard bits (mask) to be applied to source. There are three other ways to specify the source wildcard: Use a 32-bit quantity in four-part, dotted-decimal format. Place ones in the bit positions you want to ignore. Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255. This keyword is normally not recommended (see the section "Usage Guidelines"). Use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.

destination

Number of the network or host to which the packet is being sent. There are three other ways to specify the destination: Use a 32-bit quantity in four-part, dotted-decimal format. Use the keyword any as an abbreviation for the destination and destination-

wildcard of 0.0.0.0 255.255.255.255. This keyword is normally not recommended (see the section "Usage Guidelines"). Use host destination as an abbreviation for a destination and destinationwildcard of destination 0.0.0.0.

destinationwildcard

Wildcard bits to be applied to the destination. There are three other ways to specify the destination wildcard: Use a 32-bit quantity in four-part, dotted-decimal format. Place ones in the bit positions you want to ignore. Use the keyword any as an abbreviation for a destination and destinationwildcard of 0.0.0.0 255.255.255.255. This keyword is normally not recommended (see the section "Usage Guidelines"). Use host destination as an abbreviation for a destination and destinationwildcard of destination 0.0.0.0.

reflect

Identifies this access list as a reflexive access list.

name

Specifies the name of the reflexive access list. Names cannot contain a space or quotation mark, and must begin with an alphabetic character to prevent ambiguity with numbered access lists. The name can be up to 64 characters long.

timeout seconds

(Optional) Specifies the number of seconds to wait (when no session traffic is being detected) before entries expire in this reflexive access list. Use a positive integer from 0 32 to 2 -1. If not specified, the number of seconds defaults to the global timeout value.

Command Description: To create a reflexive access list and to enable its temporary entries to be automatically generated, use the permit command in access-list configuration mode. To delete the reflexive access list (if only one protocol was defined) or to delete protocol entries from the reflexive access list (if multiple protocols are defined), use the no form of this command. Usage Guidelines This command is used to achieve reflexive filtering, a form of session filtering. For this command to work, you must also nest the reflexive access list using the evaluate command. This command creates a reflexive access list and triggers the creation of entries in the same reflexive access list. This command must be an entry (condition statement) in an extended named IP access list.

If you are configuring reflexive access lists for an external interface, the extended named IP access list should be one which is applied to outbound traffic. If you are configuring reflexive access lists for an internal interface, the extended named IP access list should be one which is applied to inbound traffic. IP sessions that originate from within your network are initiated with a packet exiting your network. When such a packet is evaluated against the statements in the extended named IP access list, the packet is also evaluated against this reflexive permit entry. As with all access list entries, the order of entries is important, because they are evaluated in sequential order. When an IP packet reaches the interface, it will be evaluated sequentially by each entry in the access list until a match occurs. If the packet matches an entry prior to the reflexive permit entry, the packet will not be evaluated by the reflexive permit entry, and no temporary entry will be created for the reflexive access list (session filtering will not be triggered). The packet will be evaluated by the reflexive permit entry if no other match occurs first. Then, if the packet matches the protocol specified in the reflexive permit entry, the packet is forwarded and a corresponding temporary entry is created in the reflexive access list (unless the corresponding entry already exists, indicating the packet belongs to a session in progress). The temporary entry specifies criteria that permits traffic into your network only for the same session. Characteristics of Reflexive Access List Entries This command enables the creation of temporary entries in the same reflexive access list that was defined by this command. The temporary entries are created when a packet exiting your network matches the protocol specified in this command. (The packet "triggers" the creation of a temporary entry.) These entries have the following characteristics:

The entry is a permit entry. The entry specifies the same IP upper-layer protocol as the original triggering packet. The entry specifies the same source and destination addresses as the original triggering packet, except the addresses are swapped. If the original triggering packet is TCP or UDP, the entry specifies the same source and destination port numbers as the original packet, except the port numbers are swapped. If the original triggering packet is a protocol other than TCP or UDP, port numbers do not apply, and other criteria are specified. For example, for ICMP, type numbers are used: the temporary entry specifies the same type number as the original packet (with only one exception: if the original ICMP packet is type 8, the returning ICMP packet must be type 0 to be matched).

The entry inherits all the values of the original triggering packet, with exceptions only as noted in the previous four bullets.

IP traffic entering your internal network will be evaluated against the entry, until the entry expires. If an IP packet matches the entry, the packet will be forwarded into your network. The entry will expire (be removed) after the last packet of the session is matched. If no packets belonging to the session are detected for a configurable length of time (the timeout period), the entry will expire. Example: The following example defines a reflexive access list tcptraffic, in an outbound access list that permits all Border Gateway Protocol and Enhanced Interior Gateway Routing Protocol traffic and denies all ICMP traffic. This example is for an external interface (an interface connecting to an external network). First, the interface is defined and the access list is applied to the interface for outbound traffic. router(config)#interface Serial 1 router(config-if)#ip access-group outboundfilters out Next, the outbound access list is defined and the reflexive access list tcptraffic is created with a reflexive permit entry. router(config)ip access-list extended outboundfilters router(config-ext-nacl)# permit tcp any any reflect tcptraffic Misconceptions: If this command is not configured, no reflexive access lists will exist, and no session filtering will occur. If this command is configured without specifying a timeout value, entries in this reflexive access list will expire after the global timeout period. Related commands: evaluate ip access-list ip reflexive-list timeout Sample Configurations: interface Serial 1 description Access to the Internet via this interface ip access-group inboundfilters in ip access-group outboundfilters out ! ip reflexive-list timeout 120 !

ip access-list extended outboundfilters permit tcp any any reflect tcptraffic ! ip access-list extended inboundfilters permit bgp any any permit eigrp any any deny icmp any any evaluate tcptraffic

Command Name: Mode: Syntax:

absolute router(config-time-range)#

absolute [start time date] [end time date] no absolute Syntax Description:
start time date (Optional) Absolute time and date that the permit or deny statement of the associated access list starts going into effect. The time is expressed in 24-hour notation, in the form of hours:minutes. For example, 8:00 is 8:00 a.m. and 20:00 is 8:00 p.m. The date is expressed in the format day month year. The minimum start is 00:00 1 January 1993. If no start time and date are specified, the permit or deny statement is in effect immediately.

end time date

(Optional) Absolute time and date that the permit or deny statement of the associated access list is no longer in effect. Same time and date format as described for the start keyword. The end time and date must be after the start time and date. The maximum end time is 23:59 31 December 2035. If no end time and date are specified, the associated permit or deny statement is in effect indefinitely.

Command Description: To specify an absolute time when a time range is in effect, use the absolute time-range configuration command. To remove the time limitation, use the no form of this command. Usage Guidelines Time ranges are used by IP and IPX extended access lists. Time ranges are applied to the permit or deny statements found in these access lists. The absolute command is one way to specify when a time range is in effect. Another way is to specify a periodic length of time with the periodic command. Use either of these commands after the time-range command, which enables time-range configuration mode and specifies a name for the time range. Only one absolute entry is allowed per time-range command. If a time-range command has both absolute and periodic values specified, then the periodic items are evaluated only after the absolute start time is reached, and are not further evaluated after the absolute end time is reached. Note All time specifications are interpreted as local time. To ensure that the time range entries take effect at the desired times, the software clock should be synchronized using the Network Time Protocol (NTP), or some other authoritative time source.

Example: The following example configures an access list named northeast, which references a time range named xyz. The access list and time range together permit traffic on Ethernet interface 0 starting at noon on January 1, 2001 and going forever. time-range xyz absolute start 12:00 1 January 2001 ! ip access-list extended northeast permit ip any any time-range xyz ! interface ethernet 0 ip access-group northeast in The following example permits UDP traffic until noon on December 31, 2000. After that time, UDP traffic is no longer allowed out Ethernet interface 0. time-range abc absolute end 12:00 31 December 2000 ! ip access-list extended northeast permit udp any any time-range abc ! interface ethernet 0 ip access-group northeast out The following example permits UDP traffic out Ethernet interface 0 on weekends only, from 8:00 a.m. on January 1, 1999 to 6:00 p.m. on December 31, 2001: time-range test absolute start 8:00 1 January 1999 end 18:00 31 December 2001 periodic weekends 00:00 to 23:59 ! ip access-list extended northeast permit udp any any time-range test ! interface ethernet 0 ip access-group northeast out Misconceptions: none Related commands: deny

periodic permit time-range Sample Configurations:

Command Name: Mode: Syntax:

periodic router(config-time-range)#

periodic days-of-the-week hh:mm to [days-of-the-week] hh:mm no periodic days-of-the-week hh:mm to [days-of-the-week] hh:mm Syntax Description:
days-ofthe-week The first occurrence of this argument is the starting day or day of the week that the associated time range is in effect. The second occurrence is the ending day or day of the week the associated statement is in effect. This argument can be any single day or combinations of days: Monday, Tuesday, Wednesday, Thursday, Friday, Saturday, and Sunday. Other possible values are: dailyMonday through Sunday weekdaysMonday through Friday weekendSaturday and Sunday

If the ending days of the week are the same as the starting days of the week, they can be omitted.

hh:mm

The first occurrence of this argument is the starting hours:minutes that the associated time range is in effect. The second occurrence is the ending hours:minutes the associated statement is in effect. The hours:minutes are expressed in a 24-hour clock. For example, 8:00 is 8:00 a.m. and 20:00 is 8:00 p.m.

to

Entry of the to keyword is required to complete the range "from start-time to end-time."

Command Description: To specify a recurring (weekly) time range for functions that support the time-range feature, use the periodic time-range configuration command. To remove the time limitation, use the no form of this command. Usage Guidelines For Cisco IOS Release 12.2, IP and Internetwork Packet Exchange (IPX) extended access lists are the only functions that can use time ranges. For further information on using these functions,

refer to the Release 12.2 Cisco IOS IP Configuration Guide and the Release 12.2 Cisco IOS AppleTalk and Novell IPX Configuration Guide. The periodic command is one way to specify when a time range is in effect. Another way is to specify an absolute time period with the absolute command. Use either of these commands after the time-range global configuration command, which specifies the name of the time range. Multiple periodic entries are allowed per time-range command. If the end days-of-the-week value is the same as the start value, they can be omitted. If a time-range command has both absolute and periodic values specified, then the periodic items are evaluated only after the absolute start time is reached, and are not further evaluated after the absolute end time is reached. Note All time specifications are taken as local time. To ensure that the time range entries take effect at the desired times, you should synchronize the system software clock using Network Time Protocol (NTP). Example: The following example denies HTTP traffic on Monday through Friday from 8:00 a.m. to 6:00 p.m.: time-range no-http periodic weekdays 8:00 to 18:00 ! ip access-list extended strict deny tcp any any eq http time-range no-http ! interface ethernet 0 ip access-group strict in The following example permits Telnet traffic on Mondays, Tuesdays, and Fridays from 9:00 a.m. to 5:00 p.m.: time-range testing periodic Monday Tuesday Friday 9:00 to 17:00 ! ip access-list extended legal permit tcp any any eq telnet time-range testing ! interface ethernet 0 ip access-group legal in Misconceptions: none

Related commands: absolute access-list (extended deny (IP) permit (IP) time-range Sample Configurations:

Command Name: Mode: Syntax:

time-range router(config)#

time-range time-range-name no time-range time-range-name Syntax Description:


time-rangename Desired name for the time range. The name cannot contain a space or quotation mark, and must begin with a letter.

Command Description: To enable time-range configuration mode and define time ranges for functions (such as extended access lists), use the time-range global configuration command. To remove the time limitation, use the no form of this command. Usage Guidelines The time-range entries are identified by a name, which is referred to by one or more other configuration commands. Multiple time ranges can occur in a single access list or other feature. Note For Cisco IOS Release 12.2, IP and Internetwork Packet Exchange (IPX) extended access lists are the only functions that can use time-ranges. For further information on using these functions, see the Release 12.2 Cisco IOS IP Configuration Guide and the Release 12.2 Cisco IOS AppleTalk and Novell IPX Configuration Guide. After the time-range command, use the periodic time-range configuration command, the absolute time-range configuration command, or some combination of them to define when the feature is in effect. Multiple periodic commands are allowed in a time range; only one absolute command is allowed. Example: router(config)# time-range no-http router(config-time-range)#periodic weekdays 8:00 to 18:00 Misconceptions: none

Related commands: absolute ip access-list periodic permit ip Sample Configurations: The following example denies HTTP traffic on Monday through Friday from 8:00 a.m. to 6:00 p.m. The example allows UDP traffic on Saturday and Sunday from noon to midnight only. time-range no-http periodic weekdays 8:00 to 18:00 ! time-range udp-yes periodic weekend 12:00 to 24:00 ! ip access-list extended strict deny tcp any any eq http time-range no-http permit udp any any time-range udp-yes ! interface ethernet 0 ip access-group strict in

Command Name: Mode: Syntax:

access-list compiled router(config)#

access-list compiled no access-list compiled Syntax Description: This command has no arguments or keywords. Command Description: To enable the Turbo Access Control Lists (Turbo ACL) feature, use the access-list compiled command in global configuration mode. To disable the Turbo ACL feature, use the no form of this command. Usage Guidelines By default, the Turbo ACL feature is disabled. When Turbo ACL is disabled, normal ACL processing is enabled, and no ACL acceleration occurs. When the Turbo ACL feature is enabled using the access-list compiled command, the ACLs in the configuration are scanned and, if suitable, compiled for Turbo ACL acceleration. This scanning and compilation may take a few seconds when the system is processing large and complex ACLs, or when the system is processing a configuration that contains a large number of ACLs. Any configuration change to an ACL that is being accelerated, such as the addition of new ACL entries or the deletion of the ACL, triggers a recompilation of that ACL. When Turbo ACL tables are being built (or rebuilt) for a particular ACL, the normal sequential ACL search is used until the new tables are ready for installation. Example: The following example enables the Turbo ACL feature: router(config)#access-list compiled Misconceptions: none Related commands:

none Sample Configurations:

Command Name: Mode: Syntax:

show access-list compiled router#

show access-list compiled Syntax Description: This command has no arguments or keywords. Command Description: To display a table showing Turbo Access Control Lists (ACLs), use the show access-list compiled privileged EXEC command. Example: router# show access-list compiled Misconceptions: none Related commands: access-list compiled access-list (extended) access-list (standard) clear access-list counters clear access-temp ip access-list show ip access-list Sample Configurations: Router# show access-list compiled Compiled ACL statistics: 12 ACLs loaded, 12 compiled tables ACL State Tables Entries Config Fragment Redundant Memory 1 Operational 1 2 1 0 0 1Kb 2 Operational 1 3 2 0 0 1Kb 3 Operational 1 4 3 0 0 1Kb 4 Operational 1 3 2 0 0 1Kb 5 Operational 1 5 4 0 0 1Kb 9 Operational 1 3 2 0 0 1Kb

20 Operational 1 9 8 0 0 1Kb 21 Operational 1 5 4 0 0 1Kb 101 Operational 1 15 9 7 2 1Kb 102 Operational 1 13 6 6 0 1Kb 120 Operational 1 2 1 0 0 1Kb 199 Operational 1 4 3 0 0 1Kb First level lookup tables: Block Use Rows Columns Memory used 0 TOS/Protocol 6/16 12/16 66048 1 IP Source (MS) 10/16 12/16 66048 2 IP Source (LS) 27/32 12/16 132096 3 IP Dest (MS) 3/16 12/16 66048 4 IP Dest (LS) 9/16 12/16 66048 5 TCP/UDP Port 1/16 12/16 66048 6 TCP/UDP Dest Port 3/16 12/16 66048 7 TCP Flags/Fragment 3/16 12/16 66048

Command Name: Mode: Syntax:

access-class router(config-line)#

access-class access-list-number {in | out} no access-class access-list-number {in | out} Syntax Description:
access-listnumber Number of an IP access list. This is a decimal number from 1 to 199 or from 1300 to 2699.

in

Restricts incoming connections between a particular Cisco device and the addresses in the access list.

out

Restricts outgoing connections between a particular Cisco device and the addresses in the access list.

Command Description: To restrict incoming and outgoing connections between a particular vty (into a Cisco device) and the addresses in an access list, use the access-class command in line configuration mode. To remove access restrictions, use the no form of this command. Usage Guidelines Remember to set identical restrictions on all the virtual terminal lines because a user can connect to any of them. To display the access lists for a particular terminal line, use the show line EXEC command and specify the line number. Example: The following example defines an access list that permits only hosts on network 192.89.55.0 to connect to the virtual terminal ports on the router: router(config)#access-list 12 permit 192.89.55.0 0.0.0.255 router(config-line)#line 1 5 router(config-line)#access-class 12 in

The following example defines an access list that denies connections to networks other than network 36.0.0.0 on terminal lines 1 through 5: router(config)#access-list 10 permit 36.0.0.0 0.255.255.255 router(config-line)#line 1 5 router(config-line)#access-class 10 out Misconceptions: none Related commands: show line Sample Configurations: access-list access-list access-list access-list access-list access-list access-list access-list access-list access-list access-list access-list access-list access-list access-list access-list access-list echo access-list access-list nntp access-list ntp access-list access-list access-list access-list access-list access-list access-list no cdp run ! line con 0 1 permit 192.168.1.10 101 deny ip 127.0.0.0 0.255.255.255 any log 101 deny ip 255.0.0.0 0.255.255.255 any log 101 deny ip 224.0.0.0 7.255.255.255 any log 101 deny ip host 0.0.0.0 any log 101 deny ip 192.168.1.0 0.0.0.255 any log 101 deny ip 10.0.0.0 0.255.255.255 any log 101 deny udp any any eq snmp 101 permit tcp any 192.168.1.0 0.0.0.255 established 101 permit tcp any host 192.168.1.3 eq smtp 101 permit tcp any host 192.168.1.3 eq www 101 permit tcp any host 192.168.1.3 eq 443 101 permit tcp any host 192.168.1.3 eq ftp 101 permit tcp any host 192.168.1.3 gt 1023 101 permit icmp any 192.168.1.0 0.0.0.255 echo-reply 101 permit icmp any host 172.16.1.1 echo-reply 101 permit icmp host 192.168.255.2 host 172.16.1.1 101 permit udp any host 192.168.1.3 eq domain 101 permit tcp host 192.168.255.2 host 192.168.1.3 eq 101 permit udp host 192.168.255.2 host 192.168.1.3 eq 101 101 101 101 101 102 102 deny icmp any host 192.168.1.1 echo log deny tcp any host 192.168.1.1 eq telnet log deny tcp any host 172.16.1.1 eq telnet log deny tcp any host 192.168.1.2 eq telnet log deny ip any any log permit ip 192.168.1.0 0.0.0.255 any deny ip any any log

exec-timeout 0 0 logging synchronous login local transport input none line aux 0 no exec login local line vty 0 4 access-class 1 in login local ! end

Command Name: Mode: Syntax:

access-list router(config)#

access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} protocol source sourcewildcard destination destination-wildcard [precedence precedence] [tos tos] [log | log-input] [time-range timerange-name] [fragments] no access-list access-list-number
Internet Control Message Protocol (ICMP)

access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} icmp source sourcewildcard destination destination-wildcard [icmp-type [icmpcode] | icmp-message] [precedence precedence] [tos tos] [log | log-input] [time-range time-range-name] [fragments] Internet Group Management Protocol (IGMP) access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} igmp source sourcewildcard destination destination-wildcard [igmp-type] [precedence precedence] [tos tos] [log | log-input] [timerange time-range-name] [fragments] Transmission Control Protocol (TCP) access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} tcp source sourcewildcard [operator [port]] destination destination-wildcard [operator [port]] [established] [precedence precedence] [tos tos] [log | log-input] [time-range time-range-name] [fragments] User Datagram Protocol (UDP) access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} udp source sourcewildcard [operator [port]] destination destination-wildcard [operator [port]] [precedence precedence] [tos tos] [log | log-input] [time-range time-range-name] [fragments]

Syntax Description:

access-listnumber

Number of an access list. This is a decimal number from 100 to 199 or from 2000 to 2699.

dynamic dynamic-name

(Optional) Identifies this access list as a dynamic access list. Refer to lock-and-key access documented in the "Configuring Lock-and-Key Security (Dynamic Access Lists)" chapter in the Cisco IOS Security Configuration Guide.

timeout minutes

(Optional) Specifies the absolute length of time, in minutes, that a temporary access list entry can remain in a dynamic access list. The default is an infinite length of time and allows an entry to remain permanently. Refer to lock-and-key access documented in the "Configuring Lock-and-Key Security (Dynamic Access Lists)" chapter in the Cisco IOS Security Configuration Guide.

deny

Denies access if the conditions are matched.

permit

Permits access if the conditions are matched.

protocol

Name or number of an Internet protocol. It can be one of the keywords eigrp, gre, icmp, igmp, igrp, ip, ipinip, nos, ospf, pim, tcp, or udp, or an integer in the range from 0 to 255 representing an Internet protocol number. To match any Internet protocol (including ICMP, TCP, and UDP) use the ip keyword. Some protocols allow further qualifiers described below.

source

Number of the network or host from which the packet is being sent. There are three alternative ways to specify the source: Use a 32-bit quantity in four-part, dotted-decimal format. Use the any keyword as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255. Use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.

source-wildcard

Wildcard bits to be applied to source. Each wildcard bit 0 indicates the corresponding bit position in the source. Each wildcard bit set to 1 indicates that both a 0 bit and a 1 bit in the corresponding position of the IP address of the packet will be considered a match to this access list entry. There are three alternative ways to specify the source wildcard:

Use a 32-bit quantity in four-part, dotted-decimal format. Place1s in the bit positions you want to ignore. Use the any keyword as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255. Use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.

Wildcard bits set to 1 need not be contiguous in the source wildcard. For example, a source wildcard of 0.255.0.64 would be valid.

destination

Number of the network or host to which the packet is being sent. There are three alternative ways to specify the destination: Use a 32-bit quantity in four-part, dotted-decimal format. Use the any keyword as an abbreviation for the destination and destinationwildcard of 0.0.0.0 255.255.255.255. Use host destination as an abbreviation for a destination and destinationwildcard of destination 0.0.0.0.

destinationwildcard

Wildcard bits to be applied to the destination. There are three alternative ways to specify the destination wildcard: Use a 32-bit quantity in four-part, dotted-decimal format. Place 1s in the bit positions you want to ignore. Use the any keyword as an abbreviation for a destination and destinationwildcard of 0.0.0.0 255.255.255.255. Use host destination as an abbreviation for a destination and destinationwildcard of destination 0.0.0.0.

precedence precedence

(Optional) Packets can be filtered by precedence level, as specified by a number from 0 to 7, or by name as listed in the section "Usage Guidelines."

tos tos

(Optional) Packets can be filtered by type of service level, as specified by a number from 0 to 15, or by name as listed in the section "Usage Guidelines."

log

(Optional) Causes an informational logging message about the packet that matches the entry to be sent to the console. (The level of messages logged to the console is controlled by the logging console command.) The message includes the access list number, whether the packet was permitted or denied; the protocol, whether it was TCP, UDP, ICMP, or a number; and, if appropriate, the source and destination addresses and source and destination port numbers. By default, the message is generated for the first packet that matches, and then at 5-minute intervals, including the number of packets permitted or denied in the

prior 5-minute interval. Use the ip access-list log-update command to generate logging messages when the number of matches reaches a configurable threshold (rather than waiting for a 5minute interval). See the ip access-list log-update command for more information. The logging facility might drop some logging message packets if there are too many to be handled or if there is more than one logging message to be handled in 1 second. This behavior prevents the router from crashing due to too many logging packets. Therefore, the logging facility should not be used as a billing tool or an accurate source of the number of matches to an access list. If you enable CEF and then create an access list that uses the log keyword, the packets that match the access list are not CEF switched. They are fast switched. Logging disables CEF.

log-input

(Optional) Includes the input interface and source MAC address or VC in the logging output.

time-range time-rangename

(Optional) Name of the time range that applies to this statement. The name of the time range and its restrictions are specified by the time-range command.

icmp-type

(Optional) ICMP packets can be filtered by ICMP message type. The type is a number from 0 to 255.

icmp-code

(Optional) ICMP packets that are filtered by ICMP message type can also be filtered by the ICMP message code. The code is a number from 0 to 255.

icmp-message

(Optional) ICMP packets can be filtered by an ICMP message type name or ICMP message type and code name. The possible names are listed in the section "Usage Guidelines."

igmp-type

(Optional) IGMP packets can be filtered by IGMP message type or message name. A message type is a number from 0 to 15. IGMP message names are listed in the section "Usage Guidelines."

operator

(Optional) Compares source or destination ports. Possible operands include lt (less than), gt (greater than), eq (equal), neq (not equal), and range (inclusive range). If the operator is positioned after the source and source-wildcard, it must match the source port.

If the operator is positioned after the destination and destination-wildcard, it must match the destination port. The range operator requires two port numbers. All other operators require one port number.

port

(Optional) The decimal number or name of a TCP or UDP port. A port number is a number from 0 to 65535. TCP and UDP port names are listed in the section "Usage Guidelines." TCP port names can only be used when filtering TCP. UDP port names can only be used when filtering UDP. TCP port names can only be used when filtering TCP. UDP port names can only be used when filtering UDP.

established

(Optional) For the TCP protocol only: Indicates an established connection. A match occurs if the TCP datagram has the ACK, FIN, PSH, RST, SYN or URG control bits set. The nonmatching case is that of the initial TCP datagram to form a connection.

fragments

(Optional) The access list entry applies to noninitial fragments of packets; the fragment is either permitted or denied accordingly.

Command Description: To define an extended IP access list, use the extended version of the access-list command in global configuration mode. To remove the access list, use the no form of this command. Usage Guidelines You can use access lists to control the transmission of packets on an interface, control vty access, and restrict the contents of routing updates. The Cisco IOS software stops checking the extended access list after a match occurs. Fragmented IP packets, other than the initial fragment, are immediately accepted by any extended IP access list. Extended access lists used to control vty access or restrict the contents of routing updates must not match against the TCP source port, the type of service (ToS) value, or the precedence of the packet. Note After a numbered access list is created, any subsequent additions (possibly entered from the terminal) are placed at the end of the list. In other words, you cannot selectively add or remove access list command lines from a specific numbered access list. The following is a list of precedence names:

critical flash flash-override immediate internet network priority routine

The following is a list of ToS names:


max-reliability max-throughput min-delay min-monetary-cost normal

The following is a list of ICMP message type names and ICMP message type and code names:

administratively-prohibited alternate-address conversion-error dod-host-prohibited dod-net-prohibited echo echo-reply general-parameter-problem host-isolated host-precedence-unreachable host-redirect host-tos-redirect host-tos-unreachable host-unknown host-unreachable information-reply information-request mask-reply mask-request mobile-redirect net-redirect net-tos-redirect net-tos-unreachable net-unreachable network-unknown no-room-for-option option-missing packet-too-big

parameter-problem port-unreachable precedence-unreachable protocol-unreachable reassembly-timeout redirect router-advertisement router-solicitation source-quench source-route-failed time-exceeded timestamp-reply timestamp-request traceroute ttl-exceeded unreachable

The following is a list of IGMP message names:


dvmrp host-query host-report pim trace

The following is a list of TCP port names that can be used instead of port numbers. Refer to the current assigned numbers RFC to find a reference to these protocols. Port numbers corresponding to these protocols can also be found if you type a ? in the place of a port number.

bgp chargen daytime discard domain echo finger ftp ftp-data gopher hostname irc klogin kshell lpd nntp pop2 pop3

smtp sunrpc syslog tacacs-ds talk telnet time uucp whois www

The following is a list of UDP port names that can be used instead of port numbers. Refer to the current assigned numbers RFC to find a reference to these protocols. Port numbers corresponding to these protocols can also be found if you type a ? in the place of a port number.

biff bootpc bootps discard dnsix domain echo mobile-ip nameserver netbios-dgm netbios-ns ntp rip snmp snmptrap sunrpc syslog tacacs-ds talk tftp time who xdmcp

Access List Processing of Fragments The behavior of access-list entries regarding the use or lack of the fragments keyword can be summarized as follows:
If the Access-List Entry has... Then..

...no fragments keyword (the default behavior), and assuming all of the access-list entry information matches,

For an access-list entry containing only Layer 3 information: The entry is applied to nonfragmented packets, initial fragments and noninitial fragments.

For an access list entry containing Layer 3 and Layer 4 information: The entry is applied to nonfragmented packets and initial fragments. o If the entry is a permit statement, the packet or fragment is permitted. o If the entry is a deny statement, the packet or fragment is denied. The entry is also applied to noninitial fragments in the following manner. Because noninitial fragments contain only Layer 3 information, only the Layer 3 portion of an access-list entry can be applied. If the Layer 3 portion of the access-list entry matches, and o If the entry is a permit statement, the noninitial fragment is permitted. o If the entry is a deny statement, the next access-list entry is processed.

Note The deny statements are handled differently for noninitial fragments versus nonfragmented or initial fragments.

...the fragments keyword, and assuming all of the access-list entry information matches,

The access-list entry is applied only to noninitial fragments.

Note The fragments keyword cannot be configured for an access-list entry that contains any Layer 4 information.

Be aware that you should not simply add the fragments keyword to every access list entry because the first fragment of the IP packet is considered a nonfragment and is treated independently of the subsequent fragments. An initial fragment will not match an access list permit or deny entry that contains the fragments keyword, the packet is compared to the next access list entry, and so on, until it is either permitted or denied by an access list entry that does not contain the fragments keyword. Therefore, you may need two access list entries for every deny entry. The first deny entry of the pair will not include the fragments keyword, and applies to the initial fragment. The second deny entry of the pair will include the fragments keyword and applies to the subsequent fragments. In the cases where there are multiple deny access list entries for the same host but with different Layer 4 ports, a single deny access-list entry with the fragments keyword for that host is all that needs to be added. Thus all the fragments of a packet are handled in the same manner by the access list.

Packet fragments of IP datagrams are considered individual packets and each counts individually as a packet in access list accounting and access list violation counts.
Note The fragments keyword cannot solve all cases involving access lists and IP fragments.

Fragments and Policy Routing Fragmentation and the fragment control feature affect policy routing if the policy routing is based on the match ip address command and the access list had entries that match on Layer 4 through 7 information. It is possible that noninitial fragments pass the access list and are policy routed, even if the first fragment was not policy routed or the reverse. By using the fragments keyword in access list entries as described earlier, a better match between the action taken for initial and noninitial fragments can be made and it is more likely policy routing will occur as intended. Example: In the following example, serial interface 0 is part of a Class B network with the address 128.88.0.0, and the address of the mail host is 128.88.1.2. The established keyword is used only for the TCP protocol to indicate an established connection. A match occurs if the TCP datagram has the ACK or RST bits set, which indicates that the packet belongs to an existing connection. access-list 102 permit tcp 0.0.0.0 255.255.255.255 128.88.0.0 0.0.255.255 established access-list 102 permit tcp 0.0.0.0 255.255.255.255 128.88.1.2 0.0.0.0 eq 25 interface serial 0 ip access-group 102 in The following example permits Domain Naming System (DNS) packets and ICMP echo and echo reply packets: access-list established access-list access-list access-list access-list access-list 102 permit tcp any 128.88.0.0 0.0.255.255 102 102 102 102 102 permit permit permit permit permit tcp any host 128.88.1.2 eq smtp tcp any any eq domain udp any any eq domain icmp any any echo icmp any any echo-reply

The following examples show how wildcard bits are used to indicate the bits of the prefix or mask that are relevant. Wildcard bits are similar to the bitmasks that are used with normal access lists. Prefix or mask bits corresponding to wildcard bits set to 1 are ignored during comparisons and prefix or mask bits corresponding to wildcard bits set to 0 are used in comparison.

The following example permits 192.108.0.0 255.255.0.0 but denies any more specific routes of 192.108.0.0 (including 192.108.0.0 255.255.255.0): access-list 101 permit ip 192.108.0.0 0.0.0.0 255.255.0.0 0.0.0.0 access-list 101 deny ip 192.108.0.0 0.0.255.255 255.255.0.0 0.0.255.255
The following example permits 131.108.0/24 but denies 131.108/16 and all other subnets of 131.108.0.0:

access-list 101 permit ip 131.108.0.0 0.0.0.0 255.255.255.0 0.0.0.0 access-list 101 deny ip 131.108.0.0 0.0.255.255 255.255.0.0 0.0.255.255 The following example uses a time range to deny HTTP traffic on Monday through Friday from 8:00 a.m. to 6:00 p.m.: time-range no-http periodic weekdays 8:00 to 18:00 ! access-list 101 deny tcp any any eq http time-range no-http ! interface ethernet 0 ip access-group 101 in

Misconceptions: An extended access list defaults to a list that denies everything. An extended access list is terminated by an implicit deny statement.

Related commands: access-class access-list remark clear access-template deny

distribute-list in distribute-list out ip access-group ip accesrs-list ip access-list log-update ip accounting logging console permit remark show access-lists show ip access-list time-range Sample Configurations:

Command Name: Mode: Syntax:

access-list (IP standard) router(config)#

access-list access-list-number {deny | permit} source [sourcewildcard] [log] no access-list access-list-number Syntax Description:
accesslistnumber Number of an access list. This is a decimal number from 1 to 99 or from 1300 to 1999.

deny

Denies access if the conditions are matched.

permit

Permits access if the conditions are matched.

source

Number of the network or host from which the packet is being sent. There are two alternative ways to specify the source: Use a 32-bit quantity in four-part, dotted-decimal format. Use the any keyword as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255.

sourcewildcard

(Optional) Wildcard bits to be applied to the source. There are two alternative ways to specify the source wildcard: Use a 32-bit quantity in four-part, dotted-decimal format. Place 1s in the bit positions you want to ignore. Use the any keyword as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255.

log

(Optional) Causes an informational logging message about the packet that matches the entry to be sent to the console. (The level of messages logged to the console is controlled by the logging console command.) The message includes the access list number, whether the packet was permitted or denied, the source address, and the number of packets. The message is generated for the first packet that matches, and then at 5-minute intervals, including the number of packets permitted or denied in the prior 5-minute interval.

Use the ip access-list log-update command to generate the logging messages to appear when the number of matches reaches a configurable threshold (rather than waiting for a 5minute interval). See the ip access-list log-update command for more information. The logging facility might drop some logging message packets if there are too many to be handled or if there is more than one logging message to be handled in 1 second. This behavior prevents the router from crashing due to too many logging packets. Therefore, the logging facility should not be used as a billing tool or an accurate source of the number of matches to an access list. If you enable CEF and then create an access list that uses the log keyword, the packets that match the access list are not CEF switched. They are fast switched. Logging disables CEF.

Command Description: To define a standard IP access list, use the standard version of the access-list command in global configuration mode. To remove a standard access list, use the no form of this command. Usage Guidelines Plan your access conditions carefully and be aware of the implicit deny statement at the end of the access list. You can use access lists to control the transmission of packets on an interface, control vty access, and restrict the contents of routing updates. Use the show access-lists EXEC command to display the contents of all access lists. Use the show ip access-list EXEC command to display the contents of one access list. Example: The following example of a standard access list allows access for only those hosts on the three specified networks. The wildcard bits apply to the host portions of the network addresses. Any host with a source address that does not match the access list statements will be rejected. router(config)#access-list 1 permit 192.5.34.0 0.0.0.255 router(config)#access-list 1 permit 128.88.0.0 0.0.255.255 router(config)#access-list 1 permit 36.0.0.0 0.255.255.255 ! (Note: all other access implicitly denied) The following example of a standard access list allows access for devices with IP addresses in the range from 10.29.2.64 to 10.29.2.127. All packets with a source address not in this range will be rejected. router(config)#access-list 1 permit 10.29.2.64 0.0.0.63 ! (Note: all other access implicitly denied)

To specify a large number of individual addresses more easily, you can omit the wildcard if it is all zeros. Thus, the following two configuration commands are identical in effect: router(config)#access-list 2 permit 36.48.0.3 router(config)#access-list 2 permit 36.48.0.3 0.0.0.0 Misconceptions: The access list defaults to an implicit deny statement for everything. The access list is always terminated by an implicit deny statement for everything. Related commands:

access-class access-list (IP extended) access-list remark deny (IP) distribute-list in (IP) distribute-list out (IP) ip access-group ip access-list log-update logging console permit (IP) remark (IP) show access-lists show ip access-list Sample Configurations:

Command Name: Mode: Syntax:

access-list remark router(config)#

access-list access-list-number remark remark no access-list access-list-number remark remark Syntax Description:
access-list-number Number of an IP access list.

remark

Comment that describes the access list entry, up to 100 characters long.

Command Description: To write a helpful comment (remark) for an entry in a numbered IP access list, use the access-list remark command in global configuration mode. To remove the remark, use the no form of this command. Usage Guidelines The remark can be up to 100 characters long; anything longer is truncated. If you want to write a comment about an entry in a named access list, use the remark command. Example: router(config)#access-list 1 remark Permit only Jones workstation through router(config)#access-list 1 remark Do not allow Smith workstation through Misconceptions: none Related commands: access-list (IP extended) access-list (IP standrard) ip access-list remark

Sample Configurations: In the following example, the workstation belonging to Jones is allowed access, and the workstation belonging to Smith is not allowed access: access-list access-list access-list access-list 1 1 1 1 remark Permit only Jones workstation through permit 171.69.2.88 remark Do not allow Smith workstation through deny 171.69.3.13

Command Name: Mode: Syntax:

clear access-list counters router#

clear access-list counters {access-list-number | access-listname} Syntax Description:


access-listnumber Access list number of the access list for which to clear the counters.

access-listname

Name of an IP access list. The name cannot contain a space or quotation mark, and must begin with an alphabetic character to avoid ambiguity with numbered access lists.

Command Description: To clear the counters of an access list, use the clear access-list counters command in privileged EXEC mode. Usage Guidelines Some access lists keep counters that count the number of packets that pass each line of an access list. The show access-lists command displays the counters as a number of matches. Use the clear access-list counters command to restart the counters for a particular access list to 0. Example: The following example clears the counters for access list 101: router# clear access-list counters 101 Misconceptions: none Related commands: show access-lists Sample Configurations:

Command Name: Mode: Syntax:

deny (ip) router(config-ext-nacl)#

deny source [source-wildcard] no deny source [source-wildcard] deny protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments] no deny protocol source source-wildcard destination destination-wildcard
Internet Control Message Protocol (ICMP)

deny icmp source source-wildcard destination destinationwildcard [icmp-type [icmp-code] | icmp-message] [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]
Internet Group Management Protocol (IGMP)

deny igmp source source-wildcard destination destinationwildcard [igmp-type] [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]
Transmission Control Protocol (TCP)

deny tcp source source-wildcard [operator port [port]] destination destination-wildcard [operator [port]] [established] [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]
User Datagram Protocol (UDP)

deny udp source source-wildcard [operator port [port]] destination destination-wildcard [operator [port]] [precedence precedence] [tos tos] [log] [time-range timerange-name] [fragments] Syntax Description:
source Number of the network or host from which the packet is being sent. There are three alternative ways to specify the source:

Use a 32-bit quantity in four-part, dotted-decimal format. Use the any keyword as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255. Use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.

source-wildcard

Wildcard bits to be applied to the source. There are three alternative ways to specify the source wildcard: Use a 32-bit quantity in four-part, dotted decimal format. Place 1s in the bit positions you want to ignore. Use the any keyword as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255. Use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.

protocol

Name or number of an Internet protocol. It can be one of the keywords eigrp, gre, icmp, igmp, igrp, ip, ipinip, nos, ospf, tcp, or udp, or an integer in the range from 0 to 255 representing an Internet protocol number. To match any Internet protocol (including ICMP, TCP, and UDP), use the ip keyword. Some protocols allow further qualifiers described later.

destination

Number of the network or host to which the packet is being sent. There are three alternative ways to specify the destination: Use a 32-bit quantity in four-part, dotted-decimal format. Use the any keyword as an abbreviation for the destination and destinationwildcard of 0.0.0.0 255.255.255.255. Use host destination as an abbreviation for a destination and destinationwildcard of destination 0.0.0.0.

destinationwildcard

Wildcard bits to be applied to the destination. There are three alternative ways to specify the destination wildcard: Use a 32-bit quantity in four-part, dotted decimal format. Place 1s in the bit positions you want to ignore. Use the any keyword as an abbreviation for a destination and destinationwildcard of 0.0.0.0 255.255.255.255. Use host destination as an abbreviation for a destination and destinationwildcard of destination 0.0.0.0.

precedence precedence

(Optional) Packets can be filtered by precedence level, as specified by a number from 0 to 7 or by name as listed in the section "Usage Guidelines."

tos tos

(Optional) Packets can be filtered by type of service (ToS) level, as specified by a number from 0 to 15, or by name as listed in the section "Usage Guidelines" of the access-list (IP extended) command.

log

(Optional) Causes an informational logging message about the packet that matches the entry to be sent to the console. (The level of messages logged to the console is controlled by the logging console command.) The message includes the access list number, whether the packet was permitted or denied; the protocol, whether it was TCP, UDP, ICMP, or a number; and, if appropriate, the source and destination addresses and source and destination port numbers. The message is generated for the first packet that matches, and then at 5minute intervals, including the number of packets permitted or denied in the prior 5minute interval. Use the ip access-list log-update command to generate logging messages when the number of matches reaches a configurable threshold (rather than waiting for a 5minute interval). See the ip access-list log-update command for more information. The logging facility might drop some logging message packets if there are too many to be handled or if there is more than one logging message to be handled in 1 second. This behavior prevents the router from crashing due to too many logging packets. Therefore, the logging facility should not be used as a billing tool or an accurate source of the number of matches to an access list. If you enable CEF and then create an access list that uses the log keyword, the packets that match the access list are not CEF switched. They are fast switched. Logging disables CEF.

time-range time-rangename

(Optional) Name of the time range that applies to this deny statement. The name of the time range and its restrictions are specified by the time-range and absolute or periodic commands, respectively.

icmp-type

(Optional) ICMP packets can be filtered by ICMP message type. The type is a number from 0 to 255.

icmp-code

(Optional) ICMP packets that are filtered by ICMP message type can also be filtered by the ICMP message code. The code is a number from 0 to 255.

icmp-message

(Optional) ICMP packets can be filtered by an ICMP message type name or ICMP message type and code name. The possible names are listed in the section "Usage Guidelines" of the access-list (IP extended) command.

igmp-type

(Optional) IGMP packets can be filtered by IGMP message type or message name. A message type is a number from 0 to 15. IGMP message names are listed in the

section "Usage Guidelines" of the access-list (IP extended) command.

operator

(Optional) Compares source or destination ports. Possible operands include lt (less than), gt (greater than), eq (equal), neq (not equal), and range (inclusive range). If the operator is positioned after the source and source-wildcard, it must match the source port. If the operator is positioned after the destination and destination-wildcard, it must match the destination port. The range operator requires two port numbers. All other operators require one port number.

port

(Optional) The decimal number or name of a TCP or UDP port. A port number is a number from 0 to 65535. TCP and UDP port names are listed in the section "Usage Guidelines" of the access-list (IP extended) command. TCP port names can only be used when filtering TCP. UDP port names can only be used when filtering UDP.

established

(Optional) For the TCP protocol only: Indicates an established connection. A match occurs if the TCP datagram has the ACK or RST bits set. The nonmatching case is that of the initial TCP datagram to form a connection.

fragments

(Optional) The access list entry applies to noninitial fragments of packets; the fragment is either permitted or denied accordingly. For more details about the fragments keyword, see the "Access List Processing of Fragments" and "Fragments and Policy Routing" sections in the "Usage Guidelines" section.

Command Description: To set conditions for a named IP access list, use the deny command in access-list configuration mode.To remove a deny condition from an access list, use the no form of this command. Usage Guidelines Use this command following the ip access-list command to specify conditions under which a packet cannot pass the named access list. The time-range option allows you to identify a time range by name. The time-range, absolute, and periodic commands specify when this deny statement is in effect. Access List Processing of Fragments

The behavior of access-list entries regarding the use or lack of the fragments keyword can be summarized as follows:
If the Access-List Entry has... ...no fragments keyword (the default behavior), and assuming all of the access-list entry information matches, Then.. For an access-list entry containing only Layer 3 information: The entry is applied to nonfragmented packets, initial fragments and noninitial fragments.

For an access list entry containing Layer 3 and Layer 4 information: The entry is applied to nonfragmented packets and initial fragments. o If the entry is a permit statement, the packet or fragment is permitted. o If the entry is a deny statement, the packet or fragment is denied. The entry is also applied to noninitial fragments in the following manner. Because noninitial fragments contain only Layer 3 information, only the Layer 3 portion of an access-list entry can be applied. If the Layer 3 portion of the access-list entry matches, and o If the entry is a permit statement, the noninitial fragment is permitted. o If the entry is a deny statement, the next access-list entry is processed.

Note The deny statements are handled differently for noninitial fragments versus nonfragmented or initial fragments.

...the fragments keyword, and assuming all of the access-list entry information matches,

Note The access-list entry is applied only to noninitial fragments.The fragments keyword cannot be configured for an access-list entry that contains any Layer 4 information.

Be aware that you should not simply add the fragments keyword to every access list entry because the first fragment of the IP packet is considered a nonfragment and is treated independently of the subsequent fragments. An initial fragment will not match an access list permit or deny entry that contains the fragments keyword, the packet is compared to the next access list entry, and so on, until it is either permitted or denied by an access list entry that does not contain the fragments keyword. Therefore, you may need two access list entries for every deny entry. The first deny entry of the pair will not include the fragments keyword, and applies to the initial fragment. The second deny entry of the pair will include the fragments keyword and applies to the subsequent fragments. In the cases where there are multiple deny access list

entries for the same host but with different Layer 4 ports, a single deny access-list entry with the fragments keyword for that host is all that needs to be added. Thus all the fragments of a packet are handled in the same manner by the access list. Packet fragments of IP datagrams are considered individual packets and each counts individually as a packet in access list accounting and access list violation counts. Note The fragments keyword cannot solve all cases involving access lists and IP fragments. Fragments and Policy Routing Fragmentation and the fragment control feature affect policy routing if the policy routing is based on the match ip address command and the access list had entries that match on Layer 4 through 7 information. It is possible that noninitial fragments pass the access list and are policy routed, even if the first fragment was not policy routed or the reverse. By using the fragments keyword in access list entries as described earlier, a better match between the action taken for initial and noninitial fragments can be made and it is more likely policy
routing will occur as intended.

Example: router(config-ext-nacl)#deny 192.5.34.0 0.0.0.255 Misconceptions: none Related commands: access-list (IP extended) access-list (IP standard) ip access-group ip access-list ip access-list log-update permit (IP) remark show ip access-list time-range Sample Configurations: The following example sets a deny condition for a standard access list named Internetfilter: ip access-list standard Internetfilter deny 192.5.34.0 0.0.0.255

permit 128.88.0.0 0.0.255.255 permit 36.0.0.0 0.255.255.255 ! (Note: all other access implicitly denied)

Command Name: Mode:

distribute-list in router(config)# router(config-router-af)#

Syntax: distribute-list {access-list-number | prefix prefix-list-name} in [interface-type interface-number] no distribute-list {access-list-number | prefix prefix-listname} in [interface-type interface-number] Syntax Description:
access-listnumber Standard IP access list number. The list defines which networks are to be received and which are to be suppressed in routing updates.

prefix prefixlist-name

Name of a prefix list. The list defines which networks are to be received and which are to be suppressed in routing updates, based upon matching the network prefix to the prefixes in the list.

in

Applies the access list to incoming routing updates.

interface-type

(Optional) Interface type.

interfacenumber

(Optional) Interface number on which the access list should be applied to incoming updates. If no interface is specified, the access list will be applied to all incoming updates.

Command Description: To filter networks received in updates, use the distribute-list in command in address family or router configuration mode. To disable this function, use the no form of this command. Usage Guidelines This command is not supported in Intermediate Sytem-to-Intermediate System (IS-IS) or Open Shortest Path First (OSPF). Using a prefix list allows filtering based upon the prefix length, making it possible to filter either on the prefix list, the gateway, or both for incoming updates.

Do not use both the access-list-number and prefix-list-name arguments with the distribute-list in command. Note To suppress networks from being advertised in updates, use the distribute-list out command. Example: router(config)# distribute-list 1 in router(config-router-af)#distribute-list 1 in Misconceptions: none Related commands: access-list (IP extended) address-family ipv4 address-family vpnv4 clear ip prefix-list distribute-list out ip prefix-list ip prefix-list description ip prefix-list sequence-number redistribute (IP) show ip bgp regexp Sample Configurations: In the following router configuration mode example, the BGP routing process accepts only two networksnetwork 0.0.0.0 and network 10.108.0.0: access-list 1 permit 0.0.0.0 access-list 1 permit 10.108.0.0 access-list 1 deny 0.0.0.0 255.255.255.255 router bgp network 10.108.0.0 distribute-list 1 in

In the following address family configuration mode example, the process accepts only two networksnetwork 0.0.0.0 and network 10.108.0.0: access-list 1 permit 0.0.0.0 access-list 1 permit 10.108.0.0 access-list 1 deny 0.0.0.0 255.255.255.255 router bgp

address-family ipv4 multicast network 10.108.0.0 distribute-list 1 in In the following example, the BGP routing process accepts only networks with prefixes that match those in the prefix list named firstlist on the Ethernet interface 0: router bgp distribute-list prefix firstlist in ethernet 0

Command Name: Mode:

distribute-list out router(config)# router(config-router-af)#

Syntax: distribute-list {access-list-number | prefix prefix-list-name} out [interface-name | routing-process | as-number] no distribute-list {access-list-number | prefix prefix-listname} out [interface-name | routing-process | as-number] Syntax Description:
access-listnumber Standard IP access list number. The list defines which networks are to be received and which are to be suppressed in routing updates.

prefix prefixlist-name

Name of a prefix list. The list defines which networks are to be received and which are to be suppressed in routing updates, based upon matching the network prefix to the prefixes in the list.

out

Applies the access list to outgoing routing updates.

interfacename

(Optional) Name of a particular interface.

routingprocess

(Optional) Name of a particular routing process, or the keyword static or connected.

as-number

(Optional) Autonomous system number.

Command Description: To suppress networks from being advertised in updates, use the distribute-list out command in address family or router configuration mode. To disable this function, use the no form of this command. Usage Guidelines

When redistributing networks, a routing process name can be specified as an optional trailing argument to the distribute-list command. Specifying an argument causes the access list to be applied to only those routes derived from the specified routing process. After the process-specific access list is applied, any access list specified by a distribute-list command without a process name argument will be applied. Addresses not specified in the distribute-list command will not be advertised in outgoing routing updates. Do not use both the prefix-list and access-list-name arguments with the distribute-list out command. Note To filter networks received in updates, use the distribute-list in command. Example: router(config)#distribute-list 1 out router(config-router-af)# distribute-list 1 out Misconceptions: none Related commands: access-list (IP extended) address-family ipv4 address-family vpnv4 clear ip prefix-list distribute-list in ip prefix-list ip prefix-list description ip prefix-list sequence-number redistribute (IP) show ip bgp regexp Sample Configurations: The following router configuration mode sample causes only one network (network 10.108.0.0) to be advertised by a RIP routing process: access-list 1 permit 10.108.0.0 access-list 1 deny 0.0.0.0 255.255.255.255 router rip network 10.108.0.0 distribute-list 1 out The following address family configuration mode sample causes only one network (network 10.108.0.0) to be advertised by a process:

access-list 1 permit 10.108.0.0 access-list 1 deny 0.0.0.0 255.255.255.255 router rip address-family ipv4 unicast network 10.108.0.0 distribute-list 1 out In the following sample, access list 1 is applied to outgoing routing updates, and Intermediate Sytem-to-Intermediate System (IS-IS) is enabled on Ethernet interface 0. Only network 10.131.101.0 will be advertised in outgoing IS-IS routing updates. router isis redistribute ospf 109 distribute-list 1 out interface Ethernet 0 ip router isis access-list 1 permit 10.131.101.0 0.0.0.255 In the following sample, the BGP routing process advertises only networks with prefixes that match those in the prefix list named firstlist on the Ethernet interface 0: router bgp distribute-list prefix firstlist out ethernet 0

Command Name: Mode: Syntax:

dynamic router(config-ext-nacl)#

dynamic dynamic-name [timeout minutes] {deny | permit} protocol source source-wildcard destination destinationwildcard [precedence precedence] [tos tos] [log] [fragments] no dynamic dynamic-name Internet Control Message Protocol (ICMP) dynamic dynamic-name [timeout minutes] {deny | permit} icmp source source-wildcard destination destination-wildcard [icmp-type [icmp-code] | icmp-message] [precedence precedence] [tos tos] [log] [fragments] Internet Group Management Protocol (IGMP) dynamic dynamic-name [timeout minutes] {deny | permit} igmp source source-wildcard destination destination-wildcard [igmp-type] [precedence precedence] [tos tos] [log] [fragments] Transmission Control Protocol (TCP) dynamic dynamic-name [timeout minutes] {deny | permit} tcp source source-wildcard [operator [port]] destination destination-wildcard [operator [port]] [established] [precedence precedence] [tos tos] [log] [fragments] User Datagram Protocol (UDP) dynamic dynamic-name [timeout minutes] {deny | permit} udp source source-wildcard [operator [port]] destination destination-wildcard [operator [port]] [precedence precedence] [tos tos] [log] [fragments] Syntax Description:
dynamic-name Identifies this access list as a dynamic access list.

timeout minutes

(Optional) Specifies the absolute length of time (in minutes) that a temporary access list entry can remain in a dynamic access list. The default is an infinite length of time and allows an entry to remain permanently.

deny

Denies access if the conditions are matched.

permit

Permits access if the conditions are matched.

protocol

Name or number of an Internet protocol. It can be one of the keywords eigrp, gre, icmp, igmp, igrp, ip, ipinip, nos, ospf, tcp, or udp, or an integer in the range from 0 to 255 representing an Internet protocol number. To match any Internet protocol (including ICMP, TCP, and UDP), use the ip keyword. Some protocols allow further qualifiers described later.

source

Number of the network or host from which the packet is being sent. There are three alternative ways to specify the source: Use a 32-bit quantity in four-part, dotted decimal format. Use the any keyword as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255. Use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.

sourcewildcard

Wildcard bits to be applied to source. There are three alternative ways to specify the source wildcard: Use a 32-bit quantity in four-part, dotted decimal format. Place 1s in the bit positions you want to ignore. Use the any keyword as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255. Use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.

destination

Number of the network or host to which the packet is being sent. There are three alternative ways to specify the destination: Use a 32-bit quantity in four-part, dotted decimal format. Use the any keyword as an abbreviation for the destination and destinationwildcard of 0.0.0.0 255.255.255.255. Use host destination as an abbreviation for a destination and destinationwildcard of destination 0.0.0.0.

destinationwildcard

Wildcard bits to be applied to the destination. There are three alternative ways to specify the destination wildcard: Use a 32-bit quantity in four-part, dotted-decimal format. Place 1s in the bit positions you want to ignore. Use the any keyword as an abbreviation for a destination and destinationwildcard of 0.0.0.0 255.255.255.255. Use host destination as an abbreviation for a destination and destinationwildcard of destination 0.0.0.0.

precedence precedence

(Optional) Packets can be filtered by precedence level, as specified by a number from 0 to 7, or by name as listed in the section "Usage Guidelines."

tos tos

(Optional) Packets can be filtered by type of service (ToS) level, as specified by a number from 0 to 15, or by name as listed in the section "Usage Guidelines."

log

(Optional) Causes an informational logging message about the packet that matches the entry to be sent to the console. (The level of messages logged to the console is controlled by the logging console command.) The message includes the access list number, whether the packet was permitted or denied; the protocol, whether it was TCP, UDP, ICMP, or a number; and, if appropriate, the source and destination addresses and source and destination port numbers. The message is generated for the first packet that matches, and then at 5minute intervals, including the number of packets permitted or denied in the prior 5minute interval. Use the ip access-list log-update command to generate logging messages when the number of matches reaches a configurable threshold (rather than waiting for a 5minute interval). See the ip access-list log-update command for more information. The logging facility might drop some logging message packets if there are too many to be handled or if there is more than one logging message to be handled in 1 second. This behavior prevents the router from crashing due to too many logging packets. Therefore, the logging facility should not be used as a billing tool or an accurate source of the number of matches to an access list.

icmp-type

(Optional) ICMP packets can be filtered by ICMP message type. The type is a number from 0 to 255.

icmp-code

(Optional) ICMP packets that are filtered by ICMP message type can also be filtered by the ICMP message code. The code is a number from 0 to 255.

icmp-message

(Optional) ICMP packets can be filtered by an ICMP message type name or ICMP message type and code name. The possible names are found in the section "Usage Guidelines."

igmp-type

(Optional) IGMP packets can be filtered by IGMP message type or message name. A message type is a number from 0 to 15. IGMP message names are listed in the section "Usage Guidelines."

operator

(Optional) Compares source or destination ports. Possible operands include lt (less than), gt (greater than), eq (equal), neq (not equal), and range (inclusive range). If the operator is positioned after the source and source-wildcard, it must match the source port. If the operator is positioned after the destination and destination-wildcard, it must match the destination port. The range operator requires two port numbers. All other operators require one port number.

port

(Optional) The decimal number or name of a TCP or UDP port. A port number is a number from 0 to 65535. TCP and UDP port names are listed in the section "Usage Guidelines" of the access-list (IP extended) command. TCP port names can only be used when filtering TCP. UDP port names can only be used when filtering UDP.

established

(Optional) For the TCP protocol only: Indicates an established connection. A match occurs if the TCP datagram has the ACK or RST bits set. The nonmatching case is that of the initial TCP datagram to form a connection.

fragments

(Optional) The access list entry applies to noninitial fragments of packets; the fragment is either permitted or denied accordingly. For more details about the fragments keyword, see the "Access List Processing of Fragments" and "Fragments and Policy Routing" sections in the "Usage Guidelines" section.

Command Description: To define a named dynamic IP access list, use the dynamic access-list configuration command. To remove the access lists, use the no form of this command. Usage Guidelines

You can use named access lists to control the transmission of packets on an interface and restrict contents of routing updates. The Cisco IOS software stops checking the extended access list after a match occurs. Fragmented IP packets, other than the initial fragment, are immediately accepted by any extended IP access list. Extended access lists used to control vty access or restrict the contents of routing updates must not match against the TCP source port, the ToS value, or the precedence of the packet. Note After an access list is created initially, any subsequent additions (possibly entered from the terminal) are placed at the end of the list. In other words, you cannot selectively add or remove access list command lines from a specific access list. The following is a list of precedence names:

critical flash flash-override immediate internet network priority routine

The following is a list of ToS names:


max-reliability max-throughput min-delay min-monetary-cost normal

The following is a list of ICMP message type names and ICMP message type and code names:

administratively-prohibited alternate-address conversion-error dod-host-prohibited dod-net-prohibited echo echo-reply general-parameter-problem host-isolated host-precedence-unreachable host-redirect host-tos-redirect host-tos-unreachable

host-unknown host-unreachable information-reply information-request mask-reply mask-request mobile-redirect net-redirect net-tos-redirect net-tos-unreachable net-unreachable network-unknown no-room-for-option option-missing packet-too-big parameter-problem port-unreachable precedence-unreachable protocol-unreachable reassembly-timeout redirect router-advertisement router-solicitation source-quench source-route-failed time-exceeded timestamp-reply timestamp-request traceroute ttl-exceeded unreachable

The following is a list of IGMP message names:


dvmrp host-query host-report pim trace

The following is a list of TCP port names that can be used instead of port numbers. Refer to the current assigned numbers RFC to find a reference to these protocols. Port numbers corresponding to these protocols can also be found if you type a ? in the place of a port number.

bgp chargen

daytime discard domain echo finger ftp ftp-data gopher hostname irc klogin kshell lpd nntp pop2 pop3 smtp sunrpc syslog tacacs-ds talk telnet time uucp whois www

The following is a list of UDP port names that can be used instead of port numbers. Refer to the current assigned numbers RFC to find a reference to these protocols. Port numbers corresponding to these protocols can also be found if you type a ? in the place of a port number.

biff bootpc bootps discard dns dnsix echo mobile-ip nameserver netbios-dgm netbios-ns ntp rip snmp snmptrap

sunrpc syslog tacacs-ds talk tftp time who xdmcp

Access List Processing of Fragments The behavior of access-list entries regarding the use or lack of the fragments keyword can be summarized as follows:
If the Access-List Entry has... ...no fragments keyword (the default behavior), and assuming all of the access-list entry information matches, Then.. For an access-list entry containing only Layer 3 information: The entry is applied to nonfragmented packets, initial fragments and noninitial fragments.

For an access list entry containing Layer 3 and Layer 4 information: The entry is applied to nonfragmented packets and initial fragments. o If the entry is a permit statement, the packet or fragment is permitted. o If the entry is a deny statement, the packet or fragment is denied. The entry is also applied to noninitial fragments in the following manner. Because noninitial fragments contain only Layer 3 information, only the Layer 3 portion of an access-list entry can be applied. If the Layer 3 portion of the access-list entry matches, and o If the entry is a permit statement, the noninitial fragment is permitted. o If the entry is a deny statement, the next access-list entry is processed.

Note The deny statements are handled differently for noninitial fragments versus nonfragmented or initial fragments.

...the fragments keyword, and assuming all of the access-list

Note

The access-list entry is applied only to noninitial

entry information matches,

fragments.The fragments keyword cannot be configured for an access-list entry that contains any Layer 4 information.

Be aware that you should not simply add the fragments keyword to every access list entry because the first fragment of the IP packet is considered a nonfragment and is treated independently of the subsequent fragments. An initial fragment will not match an access list permit or deny entry that contains the fragments keyword, the packet is compared to the next access list entry, and so on, until it is either permitted or denied by an access list entry that does not contain the fragments keyword. Therefore, you may need two access list entries for every deny entry. The first deny entry of the pair will not include the fragments keyword, and applies to the initial fragment. The second deny entry of the pair will include the fragments keyword and applies to the subsequent fragments. In the cases where there are multiple deny access list entries for the same host but with different Layer 4 ports, a single deny access-list entry with the fragments keyword for that host is all that needs to be added. Thus all the fragments of a packet are handled in the same manner by the access list. Packet fragments of IP datagrams are considered individual packets and each counts individually as a packet in access list accounting and access list violation counts. Note The fragments keyword cannot solve all cases involving access lists and IP fragments.

Fragments and Policy Routing Fragmentation and the fragment control feature affect policy routing if the policy routing is based on the match ip address command and the access list had entries that match on Layer 4 through 7 information. It is possible that noninitial fragments pass the access list and are policy routed, even if the first fragment was not policy routed or the reverse. By using the fragments keyword in access list entries as described earlier, a better match between the action taken for initial and noninitial fragments can be made and it is more likely policy routing will occur as intended. Example: router(config-ext-nacl)#dynamic testlist timeout 5 Misconceptions: An extended access list defaults to a list that denies everything. An extended access list is terminated by an implicit deny statement. Related commands: clear access-template distribute-list in (IP)

distribute-list out (IP) ip access-group ip access-list ip access-list log-update logging console show access-lists show ip access-list Sample Configurations: The following sample defines a dynamic access list named washington: ip access-group washington in ! ip access-list extended washington dynamic testlist timeout 5 permit ip any any permit tcp any host 185.302.21.2 eq 23

Command Name: Mode: Syntax:

ip access-group router(config-if)#

ip access-group {access-list-number | access-list-name}{in | out} no ip access-group {access-list-number | access-list-name}{in | out}

Syntax Description:
access-listnumber Number of an access list. This is a decimal number from 1 to 199 or from 1300 to 2699.

access-list-name

Name of an IP access list as specified by an ip access-list command.

in

Filters on inbound packets.

out

Filters on outbound packets.

Command Description: To control access to an interface, use the ip access-group command in interface configuration mode. To remove the specified access group, use the no form of this command. Usage Guidelines Access lists are applied on either outbound or inbound interfaces. For standard inbound access lists, after receiving a packet, the Cisco IOS software checks the source address of the packet against the access list. For extended access lists, the router also checks the destination access list. If the access list permits the address, the software continues to process the packet. If the access list rejects the address, the software discards the packet and returns an ICMP host unreachable message. For standard outbound access lists, after receiving and routing a packet to a controlled interface, the software checks the source address of the packet against the access list. For extended access lists, the router also checks the destination access list. If the access list permits the address, the software sends the packet. If the access list rejects the address, the software discards the packet and returns an ICMP host unreachable message.

If the specified access list does not exist, all packets are passed. When you enable outbound access lists, you automatically disable autonomous switching for that interface. When you enable input access lists on any CBus or CxBus interface, you automatically disable autonomous switching for all interfaces (with one exceptionan SSE configured with simple access lists can still switch packets, on output only). Example: The following example applies list 101 on packets outbound from Ethernet interface 0: router(config)#interface ethernet 0 router(config-if)#ip access-group 101 out Misconceptions: none Related commands: access-list (IP extended) access-list (IP standard) ip access-list show access-lists Sample Configurations: interface Serial 1 description Access to the Internet via this interface ip access-group inboundfilters in ip access-group outboundfilters out ! ip reflexive-list timeout 120 ! ip access-list extended outboundfilters permit tcp any any reflect tcptraffic ! ip access-list extended inboundfilters permit bgp any any permit eigrp any any deny icmp any any evaluate tcptraffic

Command Name: Mode: Syntax:

ip access-list log-update router(config)#

ip access-list log-update threshold number-of-matches no ip access-list log-update Syntax Description:


number-ofmatches Threshold number of packets necessary to match an access list before a log message is generated. The range is 0 to 2147483647. There is no default number of matches.

Command Description: To set the threshold number of packets that generate a log message if they match an access list, use the ip access-list log-update command in global configuration mode. To remove the threshold, use the no form of this command. Usage Guidelines Log messages are generated if you have specified the log keyword in the access-list (IP standard), access-list (IP extended), deny (IP), dynamic, or permit command. Log messages provide information about the packets that are permitted or denied by an access list. By default, log messages appear at the console. (The level of messages logged to the console is controlled by the logging console command.) The log message includes the access list number, whether the packet was permitted or denied, and other information. By default, the log messages are sent at the first matching packet and after that, identical messages are accumulated for 5-minute intervals, with a single message being sent with the number of packets permitted and denied during that interval. However, you can use the ip access-list log-update command to set the number of packets that, when match an access list (and are permitted or denied), cause the system to generate a log message. You might want to do this to receive log messages more frequently than at 5-minute intervals. Caution If you set the number-of-matches argument to 1, a log message is sent right away, rather than caching it; every packet that matches an access list causes a log message. A setting of 1 is not recommended because the volume of log messages could overwhelm the system. Even if you use the ip access-list log-update command, the 5-minute timer remains in effect, so the cache is emptied at the end of 5 minutes, regardless of the count of messages in the cache.

Regardless of when the log message is sent, the cache is flushed and the count reset to 0 for that message the same way it is when a threshold is not specified. If the syslog server is not directly connected to a LAN that the router shares, any intermediate router might drop the log messages because they are UDP (unreliable) messages. Example: The following example enables logging whenever the 1000th packet matches an access list entry: router(config)#ip access-list log-update threshold 1000 Misconceptions: none Related commands: access-list (IP extended) access-list (IP standard) deny (IP) dynamic logging console permit Sample Configurations:

Command Name: Mode: Syntax:

ip access-list router(config)#

ip access-list {standard | extended} access-list-name no ip access-list {standard | extended} access-list-name

Syntax Description:
standard Specifies a standard IP access list.

extended

Specifies an extended IP access list.

access-listname

Name of the access list. Names cannot contain a space or quotation mark, and must begin with an alphabetic character to prevent ambiguity with numbered access lists.

Command Description: To define an IP access list by name, use the ip access-list command in global configuration mode. To remove a named IP access list, use the no form of this command. Usage Guidelines Use this command to configure a named IP access list as opposed to a numbered IP access list. This command will take you into access-list configuration mode, where you must define the denied or permitted access conditions with the deny and permit commands. Specifying the standard or extended keyword with the ip access-list command determines the prompt you get when you enter access-list configuration mode. Use the ip access-group command to apply the access list to an interface. Named access lists are not compatible with Cisco IOS releases prior to Release 11.2. Example: router(config)# ip access-list standard Internetfilter Misconceptions:

none Related commands: access list (IP extended) access list (IP standard) access-list remark deny (IP) ip access-group permit (IP) remark show ip access-list Sample Configurations: ip access-list standard Internetfilter permit 192.5.34.0 0.0.0.255 permit 128.88.0.0 0.0.255.255 permit 36.0.0.0 0.255.255.255 ! (Note: all other access implicitly denied)

Command Name: Mode: Syntax:

ip accounting router(config-if)

ip accounting [access-violations] no ip accounting [access-violations] Syntax Description:


accessviolations (Optional) Enables IP accounting with the ability to identify IP traffic that fails IP access lists.

Command Description: To enable IP accounting on an interface, use the ip accounting command in interface configuration mode. To disable IP accounting, use the no form of this command. Usage Guidelines The ip accounting command records the number of bytes (IP header and data) and packets switched through the system on a source and destination IP address basis. Only transit IP traffic is measured and only on an outbound basis; traffic generated by the router access server or terminating in this device is not included in the accounting statistics. If you specify the access-violations keyword, the ip accounting command provides information identifying IP traffic that fails IP access lists. Identifying IP source addresses that violate IP access lists alerts you to possible attempts to breach security. The data might also indicate that you should verify IP access list configurations. To receive a logging message on the console when an extended access list entry denies a packet access (to log violations), you must include the log keyword in the access-list (IP extended) or access-list (IP standard) command. Statistics are accurate even if IP fast switching or IP access lists are being used on the interface. IP accounting disables autonomous switching and SSE switching on the interface. Example: The following example enables IP accounting on Ethernet interface 0: router(config)#interface ethernet 0 router(config-if)#ip accounting

Misconceptions: none Related commands: access-list (IP extended) access-list (IP standard) Sample Configurations:

Command Name: Mode: Syntax:

permit router(config-ext-nacl)#

permit source [source-wildcard] no permit source [source-wildcard] permit protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments] no permit protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments] Internet Control Message Protocol (ICMP) permit icmp source source-wildcard destination destinationwildcard [icmp-type [icmp-code] | icmp-message] [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments] Internet Group Management Protocol (IGMP) permit igmp source source-wildcard destination destinationwildcard [igmp-type] [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments] Transmission Control Protocol (TCP) permit tcp source source-wildcard [operator [port]] destination destination-wildcard [operator [port]] [established] [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments] User Datagram Protocol UDP) permit udp source source-wildcard [operator [port]] destination destination-wildcard [operator [port]] [precedence precedence] [tos tos] [log] [time-range timerange-name] [fragments] Syntax Description:

source

Number of the network or host from which the packet is being sent. There are three alternative ways to specify the source: Use a 32-bit quantity in four-part, dotted decimal format. Use the any keyword as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255. Use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.

source-wildcard

Wildcard bits to be applied to source. There are three alternative ways to specify the source wildcard: Use a 32-bit quantity in four-part, dotted decimal format. Place 1s in the bit positions you want to ignore. Use the any keyword as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255. Use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.

protocol

Name or number of an Internet protocol. It can be one of the keywords eigrp, gre, icmp, igmp, igrp, ip, ipinip, nos, ospf, tcp, or udp, or an integer in the range from 0 to 255 representing an Internet protocol number. To match any Internet protocol (including ICMP, TCP, and UDP), use the ip keyword. Some protocols allow further qualifiers described later.

destination

Number of the network or host to which the packet is being sent. There are three alternative ways to specify the destination: Use a 32-bit quantity in four-part, dotted-decimal format. Use the any keyword as an abbreviation for the destination and destinationwildcard of 0.0.0.0 255.255.255.255. Use host destination as an abbreviation for a destination and destinationwildcard of destination 0.0.0.0.

destinationwildcard

Wildcard bits to be applied to the destination. There are three alternative ways to specify the destination wildcard: Use a 32-bit quantity in four-part, dotted decimal format. Place 1s in the bit positions you want to ignore. Use the any keyword as an abbreviation for a destination and destinationwildcard of 0.0.0.0 255.255.255.255. Use host destination as an abbreviation for a destination and destinationwildcard of destination 0.0.0.0.

precedence precedence

(Optional) Packets can be filtered by precedence level, as specified by a number from 0 to 7 or by name as listed in the section "Usage Guidelines."

tos tos

(Optional) Packets can be filtered by type of service (ToS) level, as specified by a number from 0 to 15, or by name as listed in the section "Usage Guidelines" of the access-list (IP extended) command.

log

(Optional) Causes an informational logging message about the packet that matches the entry to be sent to the console. (The level of messages logged to the console is controlled by the logging console command.) The message includes the access list number, whether the packet was permitted or denied; the protocol, whether it was TCP, UDP, ICMP or a number; and, if appropriate, the source and destination addresses and source and destination port numbers. The message is generated for the first packet that matches, and then at 5minute intervals, including the number of packets permitted or denied in the prior 5minute interval. Use the ip access-list log-update command to generate logging messages when the number of matches reaches a configurable threshold (rather than waiting for a 5minute interval). See the ip access-list log-update command for more information. The logging facility might drop some logging message packets if there are too many to be handled or if there is more than one logging message to be handled in 1 second. This behavior prevents the router from crashing due to too many logging packets. Therefore, the logging facility should not be used as a billing tool or an accurate source of the number of matches to an access list. If you enable CEF and then create an access list that uses the log keyword, the packets that match the access list are not CEF switched. They are fast switched. Logging disables CEF.

time-range time-rangename

(Optional) Name of the time range that applies to this permit statement. The name of the time range and its restrictions are specified by the time-range and absolute or periodic commands, respectively.

icmp-type

(Optional) ICMP packets can be filtered by ICMP message type. The type is a number from 0 to 255.

icmp-code

(Optional) ICMP packets that are filtered by ICMP message type can also be filtered by the ICMP message code. The code is a number from 0 to 255.

icmp-message

(Optional) ICMP packets can be filtered by an ICMP message type name or ICMP message type and code name. The possible names are found in the section "Usage

Guidelines" of the access-list (IP extended) command.

igmp-type

(Optional) IGMP packets can be filtered by IGMP message type or message name. A message type is a number from 0 to 15. IGMP message names are listed in the section "Usage Guidelines" of the access-list (IP extended) command.

operator

(Optional) Compares source or destination ports. Possible operands include lt (less than), gt (greater than), eq (equal), neq (not equal), and range (inclusive range). If the operator is positioned after the source and source-wildcard, it must match the source port. If the operator is positioned after the destination and destination-wildcard, it must match the destination port. The range operator requires two port numbers. All other operators require one port number.

port

(Optional) The decimal number or name of a TCP or UDP port. A port number is a number from 0 to 65535. TCP and UDP port names are listed in the section "Usage Guidelines" of the access-list (IP extended) command. TCP port names can only be used when filtering TCP. UDP port names can only be used when filtering UDP.

established

(Optional) For the TCP protocol only: Indicates an established connection. A match occurs if the TCP datagram has the ACK or RST bits set. The nonmatching case is that of the initial TCP datagram to form a connection.

fragments

(Optional) The access list entry applies to noninitial fragments of packets; the fragment is either permitted or denied accordingly. For more details about the fragments keyword, see the "Access List Processing of Fragments" and "Fragments and Policy Routing" sections in the "Usage Guidelines" section.

Command Description: To set conditions for a named IP access list, use the permit access-list configuration command. To remove a condition from an access list, use the no form of this command. Usage Guidelines Use this command following the ip access-list command to define the conditions under which a packet passes the access list.

The time-range option allows you to identify a time range by name. The time-range, absolute, and periodic commands specify when this permit statement is in effect. Access List Processing of Fragments The behavior of access-list entries regarding the use or lack of the fragments keyword can be summarized as follows:
If the Access-List Entry has... ...no fragments keyword (the default behavior), and assuming all of the access-list entry information matches, Then.. For an access-list entry containing only Layer 3 information: The entry is applied to nonfragmented packets, initial fragments and noninitial fragments.

For an access list entry containing Layer 3 and Layer 4 information: The entry is applied to nonfragmented packets and initial fragments. o If the entry is a permit statement, the packet or fragment is permitted. o If the entry is a deny statement, the packet or fragment is denied. The entry is also applied to noninitial fragments in the following manner. Because noninitial fragments contain only Layer 3 information, only the Layer 3 portion of an access-list entry can be applied. If the Layer 3 portion of the access-list entry matches, and o If the entry is a permit statement, the noninitial fragment is permitted. o If the entry is a deny statement, the next access-list entry is processed.

Note The deny statements are handled differently for noninitial fragments versus nonfragmented or initial fragments.

...the fragments keyword, and assuming all of the access-list entry information matches,

The access-list entry is applied only to noninitial fragments.

Note The fragments keyword cannot be configured for an access-list entry that contains any Layer 4 information.

Be aware that you should not simply add the fragments keyword to every access list entry because the first fragment of the IP packet is considered a nonfragment and is treated independently of the subsequent fragments. An initial fragment will not match an access list permit or deny entry that contains the fragments keyword, the packet is compared to the next

access list entry, and so on, until it is either permitted or denied by an access list entry that does not contain the fragments keyword. Therefore, you may need two access list entries for every deny entry. The first deny entry of the pair will not include the fragments keyword, and applies to the initial fragment. The second deny entry of the pair will include the fragments keyword and applies to the subsequent fragments. In the cases where there are multiple deny access list entries for the same host but with different Layer 4 ports, a single deny access-list entry with the fragments keyword for that host is all that needs to be added. Thus all the fragments of a packet are handled in the same manner by the access list. Packet fragments of IP datagrams are considered individual packets and each counts individually as a packet in access list accounting and access list violation counts. Note The fragments keyword cannot solve all cases involving access lists and IP fragments. Fragments and Policy Routing Fragmentation and the fragment control feature affect policy routing if the policy routing is based on the match ip address command and the access list had entries that match on Layer 4 through 7 information. It is possible that noninitial fragments pass the access list and are policy routed, even if the first fragment was not policy routed or the reverse. By using the fragments keyword in access list entries as described earlier, a better match between the action taken for initial and noninitial fragments can be made and it is more likely policy routing will occur as intended. Example: The following example sets conditions for a standard access list named Internetfilter: router(config-ext-nacl)# permit 128.88.0.0 0.0.255.255 router(config-ext-nacl)# permit 36.0.0.0 0.255.255.255 Misconceptions: none Related commands: deny (IP) ip access-group ip access-list ip access-list log-update show ip access-list time-range Sample Configurations:

ip access-list standard Internetfilter deny 192.5.34.0 0.0.0.255 permit 128.88.0.0 0.0.255.255 permit 36.0.0.0 0.255.255.255

Command Name: Mode:

remark router(config)# router(config-ext-nacl)#

Syntax: remark remark no remark remark Syntax Description:


remark Comment that describes the access list entry, up to 100 characters long.

Command Description: To write a helpful comment (remark) for an entry in a named IP access list, use the remark access-list configuration command. To remove the remark, use the no form of this command. Usage Guidelines The remark can be up to 100 characters long; anything longer is truncated. If you want to write a comment about an entry in a numbered IP access list, use the access-list remark command. Example: In the following example, the Jones subnet is not allowed to use outbound Telnet: router(config)#ip access-list extended telnetting router(config-ext-nacl)#remark Do not allow Jones subnet to telnet out router(config-ext-nacl)#deny tcp host 171.69.2.88 any eq telnet Misconceptions: none Related commands: access-list remark deny (IP) ip access-list permit (IP)

Sample Configurations:

Command Name: Mode: Syntax:

show access-lists router#

show access-lists [access-list-number | access-list-name] Syntax Description:


access-listnumber (Optional) Number of the access list to display. The system displays all access lists by default.

access-list-name

(Optional) Name of the IP access list to display.

Command Description: To display the contents of current access lists, use the show access-lists privileged EXEC command. Example: router# show access-lists router# show access-lists 101 Misconceptions: none Related commands: access-list (IP extended) access-list (IP standard) clear access-list counters clear access-template ip access-list show access-lists Sample Configurations: The following is sample output from the show access-lists command when access list 101 is specified: Router# show access-lists 101

Extended IP access list 101 permit tcp host 198.92.32.130 any established (4304 matches) check=5 permit udp host 198.92.32.130 any eq domain (129 matches) permit icmp host 198.92.32.130 any permit tcp host 198.92.32.130 host 171.69.2.141 gt 1023 permit tcp host 198.92.32.130 host 171.69.2.135 eq smtp (2 matches) permit tcp host 198.92.32.130 host 198.92.30.32 eq smtp permit tcp host 198.92.32.130 host 171.69.108.33 eq smtp permit udp host 198.92.32.130 host 171.68.225.190 eq syslog permit udp host 198.92.32.130 host 171.68.225.126 eq syslog deny ip 150.136.0.0 0.0.255.255 224.0.0.0 15.255.255.255 deny ip 171.68.0.0 0.1.255.255 224.0.0.0 15.255.255.255 (2 matches) check=1 deny ip 172.24.24.0 0.0.1.255 224.0.0.0 15.255.255.255 deny ip 192.82.152.0 0.0.0.255 224.0.0.0 15.255.255.255 deny ip 192.122.173.0 0.0.0.255 224.0.0.0 15.255.255.255 deny ip 192.122.174.0 0.0.0.255 224.0.0.0 15.255.255.255 deny ip 192.135.239.0 0.0.0.255 224.0.0.0 15.255.255.255 deny ip 192.135.240.0 0.0.7.255 224.0.0.0 15.255.255.255 deny ip 192.135.248.0 0.0.3.255 224.0.0.0 15.255.255.255 The following is sample output from the show access-lists command when the Turbo Access Control List (ACL) feature is configured on all of the following access lists. router# show access-lists Standard IP access list 1 (Compiled) deny any Standard IP access list 2 (Compiled) deny 192.168.0.0, wildcard bits 0.0.0.255 permit any Standard IP access list 3 (Compiled) deny 0.0.0.0 deny 192.168.0.1, wildcard bits 0.0.0.255 permit any Standard IP access list 4 (Compiled) permit 0.0.0.0 permit 192.168.0.2, wildcard bits 0.0.0.255

Command Name: Mode: Syntax:

show ip access-list router#

show ip access-list [access-list-number | access-list-name] Syntax Description:


access-list-number (Optional) Number of the IP access list to display.

access-list-name

(Optional) Name of the IP access list to display.

Command Description: To display the contents of all current IP access lists, use the show ip access-list privileged EXEC command. Usage Guidelines The show ip access-list command provides output identical to the show access-lists command, except that it is IP-specific and allows you to specify a particular access list. Example: router# show ip access-list router# show ip access-list Internetfilter Misconceptions: none Related commands: access-list (IP extended) access-list (IP standard) clear access-list counters clear access-template ip access-list show access-lists Sample Configurations:

The following is sample output from the show ip access-list command when all access lists are requested: router# show ip access-list Extended IP access list 101 deny udp any any eq ntp permit tcp any any permit udp any any eq tftp permit icmp any any permit udp any any eq domain The following is sample output from the show ip access-list command when the name of a specific access list is requested: router# show ip access-list Internetfilter Extended IP access list Internetfilter permit tcp any 171.69.0.0 0.0.255.255 eq telnet deny tcp any any deny udp any 171.69.0.0 0.0.255.255 lt 1024 deny ip any any log

Command Name: Mode: Syntax:

clear ip auth-proxy cache router#

clear ip auth-proxy cache {* | host-ip-address} Syntax Description:


* Clears all authentication proxy entries, including user profiles and dynamic access lists.

host-ipaddress

Clears the authentication proxy entry, including user profiles and dynamic access lists, for the specified host.

Command Description: To clear authentication proxy entries from the router, use the clear ip auth-proxy cache command in privileged EXEC mode. Example: The following example deletes all authentication proxy entries: router#clear ip auth-proxy cache * The following example deletes the authentication proxy entry for the host with IP address 192.168.4.5: router#clear ip auth-proxy cache 192.168.4.5 Misconceptions: none Related commands: show ip auth-proxy Sample Configurations:

Command Name: Mode: Syntax:

debug ip auth-proxy router#

debug ip auth-proxy {ftp | function-trace | http | objectcreation | object-deletion | tcp | telnet | timer} Syntax Description:
ftp Displays FTP events related to the authentication proxy.

function-trace

Displays the authentication proxy functions.

http

Displays HTTP events related to the authentication proxy.

object-creation

Displays additional entries to the authentication proxy cache.

object-deletion

Displays deletion of cache entries for the authentication proxy.

tcp

Displays TCP events related to the authentication proxy.

telnet

Displays Telnet-related authentication proxy events.

timer

Displays authentication proxy timer-related events.

Command Description: To display the authentication proxy configuration information on the router, use the debug ip auth-proxy command in privileged EXEC mode. Example: The following examples illustrates the output of the debug ip auth-proxy command. In these examples, debugging is on for object creations, object deletions, HTTP, and TCP.

In this example, the client host at 192.168.201.1 is attempting to make an HTTP connection to the web server located at 192.168.21.1. The HTTP debugging information is on for the authentication proxy. The output shows that the router is setting up an authentication proxy entry for the login request: 00:11:10: AUTH-PROXY creates info: cliaddr - 192.168.21.1, cliport - 36583 seraddr - 192.168.201.1, serport - 80 ip-addr 192.168.21.1 pak-addr 0.0.0.0 Following a successful login attempt, the debugging information shows the authentication proxy entries created for the client. In this example, the client is authorized for SMTP (port 25), FTP data (port 20), FTP control (port 21), and Telnet (port 23) traffic. The dynamic ACL entries are included in the display. 00:11:25:AUTH_PROXY 00:11:25:AUTH-PROXY acl item 61AD60CC 00:11:25:AUTH-PROXY 00:11:25:AUTH-PROXY 00:11:25:AUTH_PROXY 00:11:25:AUTH-PROXY acl item 6151C908 00:11:25:AUTH-PROXY 00:11:25:AUTH-PROXY 00:11:25:AUTH_PROXY 00:11:25:AUTH-PROXY acl item 61A40B88 00:11:25:AUTH-PROXY 00:11:25:AUTH-PROXY 00:11:25:AUTH_PROXY 00:11:25:AUTH-PROXY acl item 61879550 00:11:25:AUTH-PROXY 00:11:25:AUTH-PROXY OBJ_CREATE:acl item 61AD60CC OBJ_CREATE:create acl wrapper 6151C7C8 -192.168.162.216 Port [0] Dst 192.168.162.220 Port [25] OBJ_CREATE:acl item 6151C908 OBJ_CREATE:create acl wrapper 6187A060 -192.168.162.216 Port [0] Dst 192.168.162.220 Port [20] OBJ_CREATE:acl item 61A40B88 OBJ_CREATE:create acl wrapper 6187A0D4 -192.168.162.216 Port [0] Dst 192.168.162.220 Port [21] OBJ_CREATE:acl item 61879550 OBJ_CREATE:create acl wrapper 61879644 -192.168.162.216 Port [0] Dst 192.168.162.220 Port [23]

The next example shows the debug output following a clear ip auth-proxy cache command to clear the authentication entries from the router. The dynamic ACL entries are removed from the router. 00:12:36:AUTH-PROXY OBJ_DELETE:delete 00:12:36:AUTH-PROXY OBJ_DELETE:delete 6151C7C8 -- acl item 61AD60CC 00:12:36:AUTH-PROXY OBJ_DELETE:delete 6187A060 -- acl item 6151C908 00:12:36:AUTH-PROXY OBJ_DELETE:delete 6187A0D4 -- acl item 61A40B88 auth_proxy cache 61AD6298 create acl wrapper create acl wrapper create acl wrapper

00:12:36:AUTH-PROXY OBJ_DELETE:delete create acl wrapper 61879644 -- acl item 61879550 The following example shows the timer information for a dynamic ACL entry. All times are expressed in milliseconds. The first laststart is the time that the ACL entry is created relative to the startup time of the router. The lastref is the time of the last packet to hit the dynamic ACL relative to the startup time of the router. The exptime is the next expected expiration time for the dynamic ACL. The delta indicates the remaining time before the dynamic ACL expires. After the timer expires, the debugging information includes a message indicating that the ACL and associated authentication proxy information for the client have been removed. 00:19:51:first laststart 1191112 00:20:51:AUTH-PROXY:delta 54220 lastref 1245332 exptime 1251112 00:21:45:AUTH-PROXY:ACL and cache are removed Misconceptions: none Related commands: none Sample Configurations:

Command Name: Mode: Syntax:

ip auth-proxy (interface configuration) router(config-if)#

ip auth-proxy auth-proxy-name no ip auth-proxy auth-proxy-name Syntax Description:


authproxyname Specifies the name of the authentication proxy rule to apply to the interface configuration. The authentication proxy rule is established with the ip auth-proxy name command.

Command Description: To apply an authentication proxy rule at a firewall interface, use the ip auth-proxy command in interface configuration mode. To remove the authentication proxy rules, use the no form of this command. Usage Guidelines Use the ip auth-proxy command to enable the named authentication proxy rule at the firewall interface. Traffic passing through the interface from hosts with an IP address matching the standard access list and protocol type (HTTP) is intercepted for authentication if no corresponding authentication cache entry exists. If no access list is defined, the authentication proxy intercepts traffic from all hosts whose connection initiating packets are received at the configured interface. Use the no form of this command with a rule name to disable the authentication proxy for a given rule on a specific interface. If a rule is not specified, the no form of this command disables the authentication proxy on the interface. Example: router(config-if)#ip auth-proxy HQ_users Misconceptions: none Related commands: ip auth-proxy name

Sample Configurations: The following example configures interface Ethernet0 with the HQ_users rule: interface e0 ip address 172.21.127.210 255.255.255.0 ip access-group 111 in ip auth-proxy HQ_users ip nat inside

Command Name: Mode: Syntax:

ip auth-proxy auth-proxy-banner router(config)#

ip auth-proxy auth-proxy-banner [banner-text] no ip auth-proxy auth-proxy-banner [banner-text] Syntax Description:


bannertext (Optional) Specifies a text string to replace the default banner, which is the name of the router. The text string should be written in the following format: "C banner-text C," where "C" is a delimiting character.

Command Description: To display a banner, such as the router name, in the authentication proxy login page, use the ip auth-proxy auth-proxy-banner command in global configuration mode. To disable display of the banner, use the no form of this command. Usage Guidelines The ip auth-proxy auth-proxy-banner command allows users to configure one of two possible options:

The ip auth-proxy auth-proxy-banner command is enabled. In this scenario, the administrator has not supplied any text. Thus, a default banner that states the following: "Cisco Systems, <router's hostname> Authentication" will be displayed in the authentication proxy login page. This scenario is most commonly used.

The ip auth-proxy auth-proxy-banner command with the banner-text argument is enabled. In this scenario, the administrator can supply multiline text that will be converted to HTML by the auth-proxy parser code. Thus, only the multiline text will displayed in the authentication proxy login page. You will not see the default banner, "Cisco Systems, <router's hostname> Authentication."

Example: The following example causes the router name to be displayed in the authentication proxy login page:

router(config)#ip auth-proxy auth-proxy-banner The following example shows how to specify the custom banner "whozat" to be displayed in the authentication proxy login page: router(config)#ip auth-proxy auth-proxy-banner ^Cwhozat^C Misconceptions: none Related commands: ip auth-proxy name Sample Configurations:

Command Name: Mode: Syntax:

ip auth-proxy name router(config)#

ip auth-proxy name auth-proxy-name http [list {acl | acl-name}] [auth-cache-time min] no ip auth-proxy name auth-proxy-name Syntax Description:
authproxyname Associates a name with an authentication proxy rule. Enter a name of up to 16 alphanumeric characters.

http

Specifies the protocol that triggers the authentication proxy. The only supported protocol is HTTP.

list {acl | acl-name}

(Optional) Specifies a standard (1-99), extended (1-199), or named access list to use with the authentication proxy. With this option, the authentication proxy is applied only to those hosts in the access list. If no list is specified, all connections initiating HTTP traffic arriving at the interface are subject to authentication.

authcachetime min

(Optional) Overrides the global authentication proxy cache timer for a specific authentication proxy name, offering more control over timeout values. Enter a value in the range 1 to 2,147,483,647. The default value is equal to the value set with the ip authproxy auth-cache-time command.

Command Description: To create an authentication proxy rule, use the ip auth-proxy name command in global configuration mode. To remove the authentication proxy rules, use the no form of this command. Usage Guidelines This command creates a named authentication proxy rule, and it allows you to associate that rule with an access control list (ACL), providing control over which hosts use the authentication proxy. The rule is applied to an interface on a router using the ip auth-proxy command. Use the auth-cache-time option to override the global the authentication proxy cache timer. This option provides control over timeout values for specific authentication proxy rules. The authentication proxy cache timer monitors the length of time (in minutes) that an authentication

cache entry, along with its associated dynamic user access control list, is managed after a period of inactivity. When that period of inactivity (idle time) expires, the authentication entry and the associated dynamic access lists are deleted. Use the list option to associate a set of specific IP addresses or a named ACL with the ip authproxy name command. Use the no form of this command with a rule name to remove the authentication proxy rules. If no rule is specified, the no form of this command removes all the authentication rules on the router, and disables the proxy at all interfaces. Note You must use the aaa authorization auth-proxy command together with the ip authproxy name command. Together these commands set up the authorization policy to be retrieved by the firewall. Refer to the aaa authorization auth-proxy command for more information. Example: The following example creates the HQ_users authentication proxy rule. Because an access list is not specified in the rule, all connection-initiating HTTP traffic is subjected to authentication. router(config)#ip auth-proxy name HQ_users http The following example creates the Mfg_users authentication proxy rule and applies it to hosts specified in ACL 10: router(config)#access-list 10 192.168.7.0 0.0.0.255 router(config)#ip auth-proxy name Mfg_users http list 10 The following example sets the timeout value for Mfg_users to 30 minutes: router(config)#access-list 15 any router(config)#ip auth-proxy name Mfg_users http auth-cache-time 30 list 15 The following example disables the Mfg_users rule: router(config)#no ip auth-proxy name Mfg_users The following example disables the authentication proxy at all interfaces and removes all the rules from the router configuration: router(config)#no ip auth-proxy Misconceptions:

none Related commands: aaa authorization ip auth-proxy ip auth-proxy (interface configuration) show ip auth-proxy

Sample Configurations:

Command Name: Mode: Syntax:

ip auth-proxy router(config)#

ip auth-proxy auth-cache-time min no ip auth-proxy auth-cache-time Syntax Description:


authcache-time min Specifies the length of time in minutes that an authentication cache entry, along with its associated dynamic user ACL, is managed after a period of inactivity. Enter a value in the range 1 to 2,147,483,647. The default value is 60 minutes.

Command Description: To set the authentication proxy idle timeout value (the length of time an authentication cache entry, along with its associated dynamic user access control list, is managed after a period of inactivity), use the ip auth-proxy command in global configuration mode. To set the default value, use the no form of this command. Usage Guidelines Use this command to set the global idle timeout value for the authentication proxy. You must set the auth-cache-time timeout min option to a higher value than the idle timeout of any Contextbased Access Control (CBAC) protocols. Otherwise, when the authentication proxy removes the user profile along associated dynamic user ACLs, there might be some idle connections monitored by CBAC. Removing these user-specific ACLs could cause those idle connections to hang. If the CBAC idle timeout value is shorter, CBAC resets these connections when the CBAC idle timeout expires, which is before the authentication proxy removes the user profile. Example: The following example sets the authorization cache timeout to 30 minutes: router(config)#ip auth-proxy auth-cache-time 30 Misconceptions: none Related commands: ip auth-proxy name

show ip auth-proxy Sample Configurations:

Command Name: Mode: Syntax:

show ip auth-proxy router(config)#

show ip auth-proxy {cache | configuration} Syntax Description:


cache Display the current list of the authentication proxy entries.

configuration

Display the running authentication proxy configuration.

Command Description: To display the authentication proxy entries or the running authentication proxy configuration, use the show ip auth-proxy command in privileged EXEC mode. Usage Guidelines Use the show ip auth-proxy to display either the authentication proxy entries or the running authentication proxy configuration. Use the cache keyword to list the host IP address, the source port number, the timeout value for the authentication proxy, and the state for connections using authentication proxy. If authentication proxy state is HTTP_ESTAB, the user authentication was successful. Use the configuration keyword to display all authentication proxy rules configured on the router. Example: The following example shows sample output from the show ip auth-proxy cache command after one user authentication using the authentication proxy: router# show ip auth-proxy cache Authentication Proxy Cache Client IP 192.168.25.215 Port 57882, timeout 1, state HTTP_ESTAB\ The following example shows how the show ip auth-proxy configuration command displays the information about the authentication proxy rule pxy. The global idle timeout value is 60 minutes. The idle timeouts value for this named rule is 30 minutes. No host list is specified in the

rule, meaning that all connection initiating HTTP traffic at the interface is subject to the authentication proxy rule. router# show ip auth-proxy configuration Authentication cache time is 60 minutes Authentication Proxy Rule Configuration Auth-proxy name pxy http list not specified auth-cache-time 30 minutes

Misconceptions: none Related commands: clear ip auth-proxy cache ip auth-proxy ip auth-proxy (interface configuration) ip auth-proxy name Sample Configurations:

Command Name: Mode: Syntax:

debug ip inspect router#

debug ip inspect {function-trace | object-creation | objectdeletion | events | timers | protocol | detailed} no debug ip inspect detailed Syntax Description:
functiontrace Displays messages about software functions called by CBAC.

objectcreation

Display messages about software objects being created by CBAC. Object creation corresponds to the beginning of CBAC-inspected sessions.

objectdeletion

Displays messages about software objects being deleted by CBAC. Object deletion corresponds to the closing of CBAC-inspected sessions.

events

Displays messages about CBAC software events, including information about CBAC packet processing.

timers

Displays messages about CBAC timer events such as when a CBAC idle timeout is reached.

protocol

Displays messages about CBAC-inspected protocol events, including details about the packets of the protocol. Below is a list of protocol keywords. Transport-layer protocols TCP UDP Application-layer protocols CU-SeeMe FTP commands and responses cuseeme ftp-cmd tcp udp

FTP tokens (enables tracing of the FTP tokens parsed) ftp-tokens H.323 (version 1 and version 2) HTTP Microsoft NetShow UNIX r-commands (rlogin, rexec, rsh) RealAudio RPC RTSP SMTP SQL*Net StreamWorks TFTP VDOLive h323 http netshow rcmd realaudio rpc rtsp smtp sqlnet streamworks tftp vdolive

detailed

Causes detailed information to be displayed for all the other enabled CBAC debugging. Use this form of the command in conjunction with other CBAC debugging commands.

Command Description: To display messages about Context-Based Access Control (CBAC) events, use the debug ip inspect command in privileged EXEC mode. The no form of this command disables debugging output. Example: debug ip inspect function-trace debug ip inspect object-creation debug ip inspect object-deletion debug ip inspect events

debug ip inspect timers debug ip inspect tcp debug ip inspect detailed Misconceptions: none Related commands: none Sample Configurations: The following is sample output from the debug ip inspect function-trace command:
*Mar *Mar *Mar *Mar *Mar *Mar *Mar *Mar *Mar *Mar *Mar *Mar *Mar *Mar *Mar *Mar *Mar *Mar *Mar *Mar *Mar *Mar *Mar *Mar *Mar *Mar *Mar *Mar *Mar *Mar *Mar *Mar *Mar *Mar *Mar 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 01:16:16: 01:16:16: 01:16:16: 01:16:16: 01:16:16: 01:16:16: 01:16:16: 01:16:16: 01:16:16: 01:16:16: 01:16:16: 01:16:16: 01:16:16: 01:16:16: 01:16:16: 01:16:16: 01:16:16: 01:16:16: 01:16:16: 01:16:16: 01:16:16: 01:16:16: 01:16:16: 01:16:16: 01:16:16: 01:16:16: 01:16:16: 01:16:16: 01:16:16: 01:16:16: 01:16:16: 01:16:16: 01:16:16: 01:16:16: 01:16:16: CBAC FUNC: insp_inspection CBAC FUNC: insp_pre_process_sync CBAC FUNC: insp_find_tcp_host_entry addr 40.0.0.1 bucket 41 CBAC FUNC: insp_find_pregen_session CBAC FUNC: insp_get_idbsb CBAC FUNC: insp_get_idbsb CBAC FUNC: insp_get_irc_of_idb CBAC FUNC: insp_get_idbsb CBAC FUNC: insp_create_sis CBAC FUNC: insp_inc_halfopen_sis CBAC FUNC: insp_link_session_to_hash_table CBAC FUNC: insp_inspect_pak CBAC FUNC: insp_l4_inspection CBAC FUNC: insp_process_tcp_seg CBAC FUNC: insp_listen_state CBAC FUNC: insp_ensure_return_traffic CBAC FUNC: insp_add_acl_item CBAC FUNC: insp_ensure_return_traffic CBAC FUNC: insp_add_acl_item CBAC FUNC: insp_process_syn_packet CBAC FUNC: insp_find_tcp_host_entry addr 40.0.0.1 bucket 41 CBAC FUNC: insp_create_tcp_host_entry CBAC* FUNC: insp_fast_inspection CBAC* FUNC: insp_inspect_pak CBAC* FUNC: insp_l4_inspection CBAC* FUNC: insp_process_tcp_seg CBAC* FUNC: insp_synrcvd_state CBAC* FUNC: insp_fast_inspection CBAC* FUNC: insp_inspect_pak CBAC* FUNC: insp_l4_inspection CBAC* FUNC: insp_process_tcp_seg CBAC* FUNC: insp_synrcvd_state CBAC FUNC: insp_dec_halfopen_sis CBAC FUNC: insp_remove_sis_from_host_entry CBAC FUNC: insp_find_tcp_host_entry addr 40.0.0.1 bucket 41

This output shows the functions called by CBAC as a session is inspected. Entries with an asterisk (*) after the word "CBAC" are entries when the fast path is used; otherwise, the process path is used. The following is sample output from the debug ip inspect object-creation and debug ip inspect object-deletion command: *Mar 2 01:18:30: CBAC OBJ_CREATE: *Mar 2 01:18:30: CBAC OBJ_CREATE: acl item 25A3634 *Mar 2 01:18:30: CBAC OBJ_CREATE: *Mar 2 01:18:30: CBAC OBJ_DELETE: *Mar 2 01:18:30: CBAC OBJ_CREATE: 10.0.0.1 bucket 31 *Mar 2 01:18:30: CBAC OBJ_DELETE: *Mar 2 01:18:30: CBAC OBJ_DELETE: 25A36FC -- acl item 25A3634 *Mar 2 01:18:31: CBAC OBJ_DELETE: 10.0.0.1 create pre-gen sis 25A3574 create acl wrapper 25A36FC -create sis 25C1CC4 delete pre-gen sis 25A3574 create host entry 25A3574 addr delete sis 25C1CC4 delete create acl wrapper delete host entry 25A3574 addr

The following is sample output from the debug ip inspect object-creation, debug ip inspect object-deletion, and debug ip inspect events commands: *Mar 2 01:18:51: CBAC OBJ_CREATE: create pre-gen sis 25A3574 *Mar 2 01:18:51: CBAC OBJ_CREATE: create acl wrapper 25A36FC -acl item 25A3634 *Mar 2 01:18:51: CBAC 10.1.0.1 Port [1:65535] *Mar 2 01:18:51: CBAC Dst 10.0.0.1 Port [46406:46406] *Mar 2 01:18:51: CBAC Pre-gen sis 25A3574 created: 10.1.0.1[1:65535] 30.0.0.1[46406:46406] *Mar 2 01:18:51: CBAC OBJ_CREATE: create sis 25C1CC4 *Mar 2 01:18:51: CBAC sis 25C1CC4 initiator_addr (10.1.0.1:20) responder_addr (30.0.0.1:46406) initiator_alt_addr (40.0.0.1:20) responder_alt_addr (10.0.0.1:46406) *Mar 2 01:18:51: CBAC OBJ_DELETE: delete pre-gen sis 25A3574 *Mar 2 01:18:51: CBAC OBJ_CREATE: create host entry 25A3574 addr 10.0.0.1 bucket 31 *Mar 2 01:18:51: CBAC OBJ_DELETE: delete sis 25C1CC4 *Mar 2 01:18:51: CBAC OBJ_DELETE: delete create acl wrapper 25A36FC -- acl item 25A3634 *Mar 2 01:18:51: CBAC OBJ_DELETE: delete host entry 25A3574 addr 10.0.0.1 The following is sample output from the debug ip inspect timers command: *Mar 2 01:19:15: CBAC Timer Init Leaf: Pre-gen sis 25A3574 *Mar 2 01:19:15: CBAC Timer Start: Pre-gen sis 25A3574 Timer: 25A35D8 Time: 30000 milisecs

*Mar 2 01:19:15: CBAC Timer *Mar 2 01:19:15: CBAC Timer 25A35D8 *Mar 2 01:19:15: CBAC Timer Time: 30000 milisecs *Mar 2 01:19:15: CBAC Timer Time: 3600000 milisecs *Mar 2 01:19:15: CBAC Timer Time: 5000 milisecs *Mar 2 01:19:15: CBAC Timer

Init Leaf: sis 25C1CC4 Stop: Pre-gen sis 25A3574 Timer: Start: sis 25C1CC4 Timer: 25C1D5C Start: sis 25C1CC4 Timer: 25C1D5C Start: sis 25C1CC4 Timer: 25C1D5C Stop: sis 25C1CC4 Timer: 25C1D5C

The following is sample output from the debug ip inspect tcp command: *Mar 2 01:20:43: CBAC* sis 25A3604 pak 2541C58 TCP P ack 4223720032 seq 4200176225(22) (10.0.0.1:46409) => (10.1.0.1:21) *Mar 2 01:20:43: CBAC* sis 25A3604 ftp L7 inspect result: PROCESS-SWITCH packet *Mar 2 01:20:43: CBAC sis 25A3604 pak 2541C58 TCP P ack 4223720032 seq 4200176225(22) (10.0.0.1:46409) => (10.1.0.1:21) *Mar 2 01:20:43: CBAC sis 25A3604 ftp L7 inspect result: PASS packet *Mar 2 01:20:43: CBAC* sis 25A3604 pak 2544374 TCP P ack 4200176247 seq 4223720032(30) (10.0.0. 1:46409) <= (10.1.0.1:21) *Mar 2 01:20:43: CBAC* sis 25A3604 ftp L7 inspect result: PASS packet *Mar 2 01:20:43: CBAC* sis 25A3604 pak 25412F8 TCP P ack 4223720062 seq 4200176247(15) (10.0.0. 1:46409) => (10.1.0.1:21) *Mar 2 01:20:43: CBAC* sis 25A3604 ftp L7 inspect result: PASS packet *Mar 2 01:20:43: CBAC sis 25C1CC4 pak 2544734 TCP S seq 4226992037(0) (10.1.0.1:20) => (10.0.0.1:46411) *Mar 2 01:20:43: CBAC* sis 25C1CC4 pak 2541E38 TCP S ack 4226992038 seq 4203405054(0) (10.1.0.1:20) <= (10.0.0.1:46411) This sample shows TCP packets being processed, and lists the corresponding acknowledge (ACK) packet numbers and sequence (SEQ) numbers. The number of data bytes in the TCP packet is shown in parenthesesfor example, (22). For each packet shown, the addresses and port numbers are shown separated by a colon. For example, (10.1.0.1:21) indicates an IP address of 10.1.0.1 and a TCP port number of 21. Entries with an asterisk (*) after the word "CBAC" are entries when the fast path is used; otherwise, the process path is used. The following is sample output from the debug ip inspect tcp and debug ip inspect detailed commands: *Mar 2 01:20:58: CBAC* Pak 2541E38 Find session for (30.0.0.1:46409) (40.0.0.1:21) tcp

*Mar 2 01:20:58: P ack 4223720160 seq 4200176262(22) *Mar 2 01:20:58: CBAC* Pak 2541E38 Addr:port pairs to match: (30.0.0.1:46409) (40.0.0.1:21) *Mar 2 01:20:58: CBAC* sis 25A3604 SIS_OPEN *Mar 2 01:20:58: CBAC* Pak 2541E38 IP: s=30.0.0.1 (Ethernet0), d=40.0.0.1 (Ethernet1), len 76,proto=6 *Mar 2 01:20:58: CBAC sis 25A3604 Saving State: SIS_OPEN/ESTAB iisn 4200176160 i_rcvnxt 4223720160 i_sndnxt 4200176262 i_rcvwnd 8760 risn 4223719771 r_rcvnxt 4200176262 r_sndnxt 4223720160 r_rcvwnd 8760 *Mar 2 01:20:58: CBAC* sis 25A3604 pak 2541E38 TCP P ack 4223720160 seq 4200176262(22) (30.0.0.1:46409) => (40.0.0.1:21) *Mar 2 01:20:58: CBAC* sis 25A3604 pak 2541E38 SIS_OPEN/ESTAB TCP seq 4200176262(22) Flags: ACK 4223720160 PSH *Mar 2 01:20:58: CBAC* sis 25A3604 pak 2541E38 --> SIS_OPEN/ESTAB iisn 4200176160 i_rcvnxt 4223720160 i_sndnxt 4200176284 i_rcvwnd 8760 risn 4223719771 r_rcvnxt 4200176262 r_sndnxt 4223720160 r_rcvwnd 8760 *Mar 2 01:20:58: CBAC* sis 25A3604 L4 inspect result: PASS packet 2541E38 (30.0.0.1:46409) (40.0.0.1:21) bytes 22 ftp *Mar 2 01:20:58: CBAC sis 25A3604 Restoring State: SIS_OPEN/ESTAB iisn 4200176160 i_rcvnxt 4223 720160 i_sndnxt 4200176262 i_rcvwnd 8760 risn 4223719771 r_rcvnxt 4200176262 r_sndnxt 4223720160 r_rcvwnd 8760 *Mar 2 01:20:58: CBAC* sis 25A3604 ftp L7 inspect result: PROCESS-SWITCH packet *Mar 2 01:20:58: CBAC* sis 25A3604 ftp L7 inspect result: PROCESS-SWITCH packet *Mar 2 01:20:58: CBAC* Bump up: inspection requires the packet in the process path(30.0.0.1) (40.0.0.1) *Mar 2 01:20:58: CBAC Pak 2541E38 Find session for (30.0.0.1:46409) (40.0.0.1:21) tcp *Mar 2 01:20:58: P ack 4223720160 seq 4200176262(22) *Mar 2 01:20:58: CBAC Pak 2541E38 Addr:port pairs to match: (30.0.0.1:46409) (40.0.0.1:21) *Mar 2 01:20:58: CBAC sis 25A3604 SIS_OPEN *Mar 2 01:20:58: CBAC Pak 2541E38 IP: s=30.0.0.1 (Ethernet0), d=40.0.0.1 (Ethernet1), len 76, proto=6

Command Name: Mode: Syntax:

ip inspect alert off router(config)#

ip inspect alert-off no ip inspect alert-off Syntax Description: This command has no arguments or keywords. Command Description: To disable Context-based Access Control (CBAC) alert messages, which are displayed on the console, use the ip inspect alert off command in global configuration mode. To enable CBAC alert messages, use the no form of this command. Example: router(config)#ip inspect alert-off Misconceptions: By default alert messages are displayed. Related commands: none Sample Configurations:

Command Name: Mode: Syntax:

ip inspect audit trail router(config)#

ip inspect audit trail no ip inspect audit trail Syntax Description: This command has no arguments or keywords. Command Description: To turn on Context-based Access Control (CBAC) audit trail messages, which will be displayed on the console after each CBAC session closes, use the ip inspect audit trail command in global configuration mode. To turn off CBAC audit trail message, use the no form of this command. Example: The following example turns on CBAC audit trail messages: router(config)#ip inspect audit trail Afterward, audit trail messages such as the following are displayed: %FW-6-SESS_AUDIT_TRAIL: tcp session initiator (192.168.1.13:33192) sent 22 bytes -- responder (192.168.129.11:25) sent 208 bytes %FW-6-SESS_AUDIT_TRAIL: ftp session initiator 192.168.1.13:33194) sent 336 bytes -- responder (192.168.129.11:21) sent 325 bytes These messages are examples of audit trail messages. To determine which protocol was inspected, refer to the responder's port number. The port number follows the responder's IP address. Misconceptions: none Related commands: none Sample Configurations:

Command Name:` Mode: Syntax:

ip inspect dns-timeout router(config)#

ip inspect dns-timeout seconds no ip inspect dns-timeout Syntax Description:


seconds Specifies the length of time in seconds, for which a DNS name lookup session will still be managed while there is no activity. The default is 5 seconds.

Command Description: To specify the Domain Name System (DNS) idle timeout (the length of time during which a DNS name lookup session will still be managed while there is no activity), use the ip inspect dns-timeout command in global configuration mode. To reset the timeout to the default of 5 seconds, use the no form of this command. Usage Guidelines When the software detects a valid User Datagram Protocol packet for a new DNS name lookup session, if Context-based Access Control (CBAC) inspection is configured for UDP, the software establishes state information for the new DNS session. If the software detects no packets for the DNS session for a time period defined by the DNS idle timeout, the software will not continue to manage state information for the session. The DNS idle timeout applies to all DNS name lookup sessions inspected by CBAC. The DNS idle timeout value overrides the global UDP timeout. The DNS idle timeout value also enters aggressive mode and overrides any timeouts specified for specific interfaces when you define a set of inspection rules with the ip inspect name command. Example: The following example sets the DNS idle timeout to 30 seconds: router(config)#ip inspect dns-timeout 30 The following example sets the DNS idle timeout back to the default (5 seconds): router(config)#no ip inspect dns-timeout

Misconceptions: none Related commands: none Sample Configurations:

Command Name: Mode: Syntax:

ip inspect hashtable router(config)#

ip inspect hashtable number no ip inspect hashtable number Syntax Description:


number Size of the hash table in terms of buckets. Possible values for the hash table are 1024, 2048, 4096, and 8192; the default value is 1024.

Command Description: To change the size of the session hash table, use the ip inspect hashtable command in global configuration mode. To restore the size of the session hash table to the default, use the no form of this command. Usage Guidelines Use the ip inspect hashtable command to increase the size of the hash table when the number of concurrent sessions increases or to reduce the search time for the session. Collisions in a hash table result in poor hash function distribution because many entries are hashed into the same bucket for certain patterns of addresses. Even if a hash function distribution evenly dispenses the input across all of the buckets, a small hash table size will not scale well if there are a large number of sessions. As the number of sessions increase, the collisions increase, which increases the length of the linked lists, thereby, deteriorating the throughput performance. Note You should increase the hash table size when the total number of sessions running through the context-based access control (CBAC) router is approximately twice the current hash size; decrease the hash table size when the total number of sessions is reduced to approximately half the current hash size. Essentially, try to maintain a 1:1 ratio between the number of sessions and the size of the hash table. Example: The following example shows how to change the size of the session hash table to 2048 buckets: router(config)#ip inspect hashtable 2048 Misconceptions: none

Related commands: none Sample Configurations:

Command Name: Mode: Syntax:

ip inspect max-incomplete high router(config)#

ip inspect max-incomplete high number no ip inspect max-incomplete high Syntax Description:


number Specifies the number of existing half-open sessions that will cause the software to start deleting half-open sessions. The default is 500 half-open sessions

Command Description: To define the number of existing half-open sessions that will cause the software to start deleting half-open sessions, use the ip inspect max-incomplete high command in global configuration mode. To reset the threshold to the default of 500 half-open sessions, use the no form of this command. Usage Guidelines An unusually high number of half-open sessions (either absolute or measured as the arrival rate) could indicate that a denial-of-service attack is occurring. For TCP, "half-open" means that the session has not reached the established state. For User Datagram Protocol, "half-open" means that the firewall has detected traffic from one direction only. Context-based Access Control (CBAC) measures both the total number of existing half-open sessions and the rate of session establishment attempts. Both TCP and UDP half-open sessions are counted in the total number and rate measurements. Measurements are made once a minute. When the number of existing half-open sessions rises above a threshold (the max-incomplete high number), the software will delete half-open sessions as required to accommodate new connection requests. The software will continue to delete half-open requests as necessary, until the number of existing half-open sessions drops below another threshold (the max-incomplete low number). The global value specified for this threshold applies to all TCP and UDP connections inspected by CBAC. Example:

The following example causes the software to start deleting half-open sessions when the number of existing half-open sessions rises above 900, and to stop deleting half-open sessions when the number drops below 800: router(config)#ip inspect max-incomplete high 900 router(config)#ip inspect max-incomplete low 800 Misconceptions: none Related commands: ip ip ip ip inspect inspect inspect inspect max-incomplete low one-minute high one-minute low tcp max-incomplete host

Sample Configurations:

Command Name: Mode: Syntax:

ip inspect max-incomplete low router(config)#

ip inspect max-incomplete low number no ip inspect max-incomplete low Syntax Description:


number Specifies the number of existing half-open sessions that will cause the software to stop deleting half-open sessions. The default is 400 half-open sessions.

Command Description: To define the number of existing half-open sessions that will cause the software to stop deleting half-open sessions, use the ip inspect max-incomplete low command in global configuration mode. To reset the threshold to the default of 400 half-open sessions, use the no form of this command. Usage Guidelines An unusually high number of half-open sessions (either absolute or measured as the arrival rate) could indicate that a denial-of-service attack is occurring. For TCP, "half-open" means that the session has not reached the established state. For User Datagram Protocol, "half-open" means that the firewall has detected traffic from one direction only. Context-based Access Control (CBAC) measures both the total number of existing half-open sessions and the rate of session establishment attempts. Both TCP and UDP half-open sessions are counted in the total number and rate measurements. Measurements are made once a minute. When the number of existing half-open sessions rises above a threshold (the max-incomplete high number), the software will delete half-open sessions as required to accommodate new connection requests. The software will continue to delete half-open requests as necessary, until the number of existing half-open sessions drops below another threshold (the max-incomplete low number). The global value specified for this threshold applies to all TCP and UDP connections inspected by CBAC. Example:

The following example causes the software to start deleting half-open sessions when the number of existing half-open sessions rises above 900, and to stop deleting half-open sessions when the number drops below 800: router(config)#ip inspect max-incomplete high 900 router(config)#ip inspect max-incomplete low 800 Misconceptions: none Related commands: ip ip ip ip inspect inspect inspect inspect max-incomplete high one-minute high one-minute low tcp max-incomplete host

Sample Configurations:

Command Name: Mode: Syntax:

ip inspect name router(config)#

ip inspect name inspection-name protocol [alert {on | off}] [audit-trail {on | off}] [timeout seconds] no ip inspect name [inspection-name protocol] HTTP Inspection Syntax ip inspect name inspection-name http [java-list access-list] [alert {on | off}] [audit-trail {on | off}] [timeout seconds] (Java protocol only) no ip inspect name inspection-name protocol (removes the inspection rule for a protocol) RPC Inspection Syntax ip inspect name inspection-name rpc program-number number [waittime minutes] [alert {on | off}] [audit-trail {on | off}] [timeout seconds] (RPC protocol only) no ip inspect name inspection-name protocol (removes the inspection rule for a protocol) Fragment Inspection Syntax ip inspect name inspection-name fragment [max number timeout seconds] no ip inspect name inspection-name fragment (removes fragment inspection for a rule) Syntax Description:
inspection-name Names the set of inspection rules. If you want to add a protocol to an existing set of rules, use the same inspection-name as the existing set of rules. Note The inspection-name cannot exceed 16 characters; otherwise, the name will be truncated to the 16 character limit.

protocol

Protocol keywords are listed below. TCP tcp

UDP udp Application-Layer Protocols keywords Protocol CU-SeeMe FTP Java H.323 Microsoft NetShow Keyword cuseeme ftp http h323 netshow

UNIX R commands (rlogin, rexec, rsh) rcmd RealAudio RPC SMTP SQL*Net StreamWorks TFTP VDOLive realaudio rpc smtp sqlnet streamworks tftp vdolive

alert {on | off}

(Optional) For each inspected protocol, the generation of alert messages can be set be on or off. If no option is selected, alerts are generated based on the setting of the ip inspect alert-off command.

audit-trail {on | off}

(Optional) For each inspected protocol, audit trail can be set on or off. If no option is selected, audit trail message are generated based on the setting of the ip inspect audit-trail command.

http

(Optional) Specifies the HTTP protocol for Java applet blocking. This command is used only to enable Java inspection. If you do not configure a numbered standard access list, but use a "placeholder" access list in the ip inspect name inspectionname http command, all Java applets will be blocked.

timeout seconds

(Optional) To override the global TCP or User Datagram Protocol idle timeouts for the specified protocol, specify the number of seconds for a different idle timeout. This timeout overrides the global TCP and UPD timeouts but will not override the global Domain Name System timeout.

java-list accesslist

(Optional) Specifies the numbered standard access list to use to determine "friendly" sites. This keyword is available only for the HTTP protocol, for Java applet blocking. Java blocking only works with numbered standard access lists.

rpc programnumber number

Specifies the program number to permit. This keyword is available only for the remote-procedure call protocol.

wait-time minutes

(Optional) Specifies the number of minutes to keep a small hole in the firewall to allow subsequent connections from the same source address and to the same destination address and port. The default wait-time is zero minutes. This keyword is available only for the RPC protocol.

fragment

Specifies fragment inspection for the named rule.

max number

(Optional) Specifies the maximum number of unassembled packets for which state information (structures) is allocated by Cisco IOS software. Unassembled packets are packets that arrive at the router interface before the initial packet for a session. The acceptable range is 50 through 10000. The default is 256 state entries. Memory is allocated for the state structures, and setting this value to a larger number may cause memory resources to be exhausted.

timeout seconds (fragmentation)

(Optional) Configures the number of seconds that a packet state structure remains active. When the timeout value expires, the router drops the unassembled packet, freeing that structure for use by another packet. The default timeout value is one second. If this number is set to a value greater that one second, it will be automatically adjusted by the Cisco IOS software when the number of free state structures goes below certain thresholds: when the number of free states is less than 32, the timeout will be divided by 2. When the number of free states is less than 16, the timeout will be set to 1 second.

Command Description:

To define a set of inspection rules, use the ip inspect name command in global configuration mode. To remove the inspection rule for a protocol or to remove the entire set of inspection rules, use the no form of this command. Usage Guidelines To define a set of inspection rules, enter this command for each protocol that you want Contextbased Access Control (CBAC) to inspect, using the same inspection-name. Give each set of inspection rules a unique inspection-name, which should not exceed the 16 charatcer limit. Define either one or two sets of rules per interfaceyou can define one set to examine both inbound and outbound traffic; or you can define two sets: one for outbound traffic and one for inbound traffic. To define a single set of inspection rules, configure inspection for all the desired applicationlayer protocols, and for TCP or UDP as desired. This combination of TCP, UDP, and application-layer protocols join together to form a single set of inspection rules with a unique name. To remove the inspection rule for a protocol, use the no form of this command with the specified inspection name and protocol; to remove the entire set of inspection rules, use the no form of this command only; that is, do not list any inspection names or protocols. In general, when inspection is configured for a protocol, return traffic entering the internal network will be permitted only if the packets are part of a valid, existing session for which state information is being maintained. TCP and UDP Inspection You can configure TCP and UDP inspection to permit TCP and UDP packets to enter the internal network through the firewall, even if the application-layer protocol is not configured to be inspected. However, TCP and UDP inspection do not recognize application-specific commands, and therefore might not permit all return packets for an application, particularly if the return packets have a different port number than the previous exiting packet. Any application-layer protocol that is inspected will take precedence over the TCP or UDP packet inspection. For example, if inspection is configured for File Transfer Protocol, all control channel information will be recorded in the state table, and all FTP traffic will be permitted back through the firewall if the control channel information is valid for the state of the FTP session. The fact that TCP inspection is configured is irrelevant. With TCP and UDP inspection, packets entering the network must exactly match an existing session: the entering packets must have the same source/destination addresses and source/destination port numbers as the exiting packet (but reversed). Otherwise, the entering packets will be blocked at the interface. Application-Layer Protocol Inspection

In general, if you configure inspection for an application-layer protocol, packets for that protocol should be permitted to exit the firewall (by configuring the correct access control list), and packets for that protocol will only be allowed back in through the firewall if they belong to a valid existing session. Each protocol packet is inspected to maintain information about the session state. Java, H.323, RPC, and SMTP, and SQL*Net inspection have additional information, described in the next four sections. Java Inspection Java inspection enables Java applet filtering at the firewall. Java applet filtering distinguishes between trusted and untrusted applets by relying on a list of external sites that you designate as "friendly." If an applet is from a friendly site, the firewall allows the applet through. If the applet is not from a friendly site, the applet will be blocked. Alternately, you could permit applets from all sites except sites specifically designated as "hostile." Note Before you configure Java inspection, you must configure a numbered standard access list that defines "friendly" and "hostile" external sites. You configure this numbered standard access list to permit traffic from friendly sites, and to deny traffic from hostile sites. If you do not configure a numbered standard access list, but use a "placeholder" access list in the ip inspect name inspection-name http command, all Java applets will be blocked. Caution CBAC does not detect or block encapsulated Java applets. Therefore, Java applets that are wrapped or encapsulated, such as applets in .zip or .jar format, are not blocked at the firewall. CBAC also does not detect or block applets loaded via FTP, gopher, or HTTP on a nonstandard port.

H.323 Inspection If you want CBAC inspection to work with NetMeeting 2.0 traffic (an H.323 application-layer protocol), you must also configure inspection for TCP, as described in the chapter "Configuring Context-Based Access Control" in the Cisco IOS Security Configuration Guide. This requirement exists because NetMeeting 2.0 uses an additional TCP channel not defined in the H.323 specification. RPC Inspection RPC inspection allows the specification of various program numbers. You can define multiple program numbers by creating multiple entries for RPC inspection, each with a different program number. If a program number is specified, all traffic for that program number will be permitted. If a program number is not specified, all traffic for that program number will be blocked. For example, if you created an RPC entry with the NFS program number, all NFS traffic will be allowed through the firewall. SMTP Inspection

SMTP inspection causes SMTP commands to be inspected for illegal commands. Any packets with illegal commands are dropped, and the SMTP session will hang and eventually time out. An illegal command is any command except for the following legal commands:

DATA EXPN HELO HELP MAIL NOOP QUIT RCPT RSET SAML SEND SOML VRFY

Use of the timeout Keyword If you specify a timeout for any of the transport-layer or application-layer protocols, the timeout will override the global idle timeout for the interface that the set of inspection rules is applied to. If the protocol is TCP or a TCP application-layer protocol, the timeout will override the global TCP idle timeout. If the protocol is UDP or a UDP application-layer protocol, the timeout will override the global UDP idle timeout. If you do not specify a timeout for a protocol, the timeout value applied to a new session of that protocol will be taken from the corresponding TCP or UDP global timeout value valid at the time of session creation. IP Fragmentation Inspection CBAC inspection rules can help protect hosts against certain denial-of-service attacks involving fragmented IP packets. Even though the firewall keeps an attacker from making actual connections to a given host, the attacker may still be able to disrupt services provided by that host. This is done by sending many non-initial IP fragments or by sending complete fragmented packets through a router with an ACL that filters the first fragment of a fragmented packet. These fragments can tie up resources on the target host as it tries to reassemble the incomplete packets. Using fragmentation inspection, the firewall maintains an interfragment state (structure) for IP traffic. Non-initial fragments are discarded unless the corresponding initial fragment was permitted to pass through the firewall. Non-initial fragments received before the corresponding initial fragments are discarded.

Note Fragmentation inspection can have undesirable effects in certain cases, because it can result in the firewall discarding any packet whose fragments arrive out of order. There are many circumstances that can cause out-of-order delivery of legitimate fragments. Apply fragmentation inspection in situations where legitimate fragments, which are likely to arrive out of order, might have a severe performance impact. Because routers running Cisco IOS software are used in a very large variety of networks, and because the CBAC feature is often used to isolate parts of internal networks from one another, the fragmentation inspection feature is not enabled by default. Fragmentation detection must be explicitly enabled for an inspection rule using the ip inspect name command. Unfragmented traffic is never discarded because it lacks a fragment state. Even when the system is under heavy attack with fragmented packets, legitimate fragmented traffic, if any, will still get some fraction of the firewall's fragment state resources, and legitimate, unfragmented traffic can flow through the firewall unimpeded. Example: The following example causes the software to inspect TCP sessions and UDP sessions, and to specifically allow CU-SeeMe, FTP, and RPC traffic back through the firewall for existing sessions only. For UDP traffic, audit-trail is on. For FTP traffic, the idle timeout is set to override the global TCP idle timeout. For RPC traffic, program numbers 100003, 100005, and 100021 are permitted. router(config)#ip router(config)#ip router(config)#ip router(config)#ip router(config)#ip router(config)#ip router(config)#ip inspect inspect inspect inspect inspect inspect inspect name name name name name name name myrules myrules myrules myrules myrules myrules myrules tcp udp audit-trail on cuseeme ftp timeout 120 rpc program-number 100003 rpc program-number 100005 rpc program-number 100021

The following example adds fragment checking to software inspection of TCP and UDP sessions for the rule named myname. In this example, the firewall software will allocate 100 state structures, and the timeout value for dropping unassembled packets is set to 4 seconds. If 100 initial fragments for 100 different packets are sent through the router, all of the state structures will be used up. The initial fragment for packet 101 will be dropped. Additionally, if the number of free state structures (structures available for use by unassembled packets) drops below the threshold values, 32 or 16, the timeout value is automatically reduced to 2 or 1, respectively. Changing the timeout value frees up packet state structures more quickly. router(config)#ip router(config)#ip router(config)#ip router(config)#ip router(config)#ip router(config)#ip inspect inspect inspect inspect inspect inspect name name name name name name myrules myrules myrules myrules myrules myrules tcp udp audit-trail on cuseeme ftp timeout 120 rpc program-number 100003 rpc program-number 100005

router(config)#ip inspect name myrules rpc program-number 100021 router(config)#ip inspect name myrules fragment max 100 timeout 4 Misconceptions: No inspection rules are defined until you define them using this command. Related commands: ip inspect ip inspect audit trail ip inspect alert-off Sample Configurations:

Command Name: Mode: Syntax:

ip inspect one-minute high router(config)#

ip inspect one-minute high number no ip inspect one-minute high Syntax Description:


number Specifies the rate of new unestablished TCP sessions that will cause the software to start deleting half-open sessions. The default is 500 half-open sessions.

Command Description: To define the rate of new unestablished sessions that will cause the software to start deleting half-open sessions, use the ip inspect one-minute high command in global configuration mode. To reset the threshold to the default of 500 half-open sessions, use the no form of this command. Usage Guidelines An unusually high number of half-open sessions (either absolute or measured as the arrival rate) could indicate that a denial-of-service attack is occurring. For TCP, "half-open" means that the session has not reached the established state. For User Datagram Protocol, "half-open" means that the firewall has detected traffic from one direction only. Context-based Access Control (CBAC) measures both the total number of existing half-open sessions and the rate of session establishment attempts. Both TCP and UDP half-open sessions are included in the total number and rate measurements. Measurements are made once a minute. When the rate of new connection attempts rises above a threshold (the one-minute high number), the software will delete half-open sessions as required to accommodate new connection attempts. The software will continue to delete half-open sessions as necessary, until the rate of new connection attempts drops below another threshold (the one-minute low number). The rate thresholds are measured as the number of new session connection attempts detected in the last one-minute sample period. (The rate is calculated as an exponentially-decayed rate.) The global value specified for this threshold applies to all TCP and UDP connections inspected by CBAC. Example: The following example causes the software to start deleting half-open sessions when more than 1000 session establishment attempts have been detected in the last minute, and to stop deleting

half-open sessions when fewer than 950 session establishment attempts have been detected in the last minute: router(config)#ip inspect one-minute high 1000 router(config)#ip inspect one-minute low 950 Misconceptions: none Related commands: ip ip ip ip inspect inspect inspect inspect one-minute low max-incomplete high max-incomplete low tcp max-incomplete host

Sample Configurations:

Command Name: Mode: Syntax:

ip inspect one-minute low router(config)#

ip inspect one-minute low number no ip inspect one-minute low Syntax Description:


number Specifies the rate of new unestablished TCP sessions that will cause the software to stop deleting half-open sessions. The default is 400 half-open sessions.

Command Description: To define the rate of new unestablished TCP sessions that will cause the software to stop deleting half-open sessions, use the ip inspect one-minute low command in global configuration mode. To reset the threshold to the default of 400 half-open sessions, use the no form of this command Usage Guidelines An unusually high number of half-open sessions (either absolute or measured as the arrival rate) could indicate that a denial-of-service attack is occurring. For TCP, "half-open" means that the session has not reached the established state. For User Datagram Protocol, "half-open" means that the firewall has detected traffic from one direction only. Context-based Access Control (CBAC) measures both the total number of existing half-open sessions and the rate of session establishment attempts. Both TCP and UDP half-open sessions are included in the total number and rate measurements. Measurements are made once a minute. When the rate of new connection attempts rises above a threshold (the one-minute high number), the software will delete half-open sessions as required to accommodate new connection attempts. The software will continue to delete half-open sessions as necessary, until the rate of new connection attempts drops below another threshold (the one-minute low number). The rate thresholds are measured as the number of new session connection attempts detected in the last one-minute sample period. (The rate is calculated as an exponentially decayed rate.) The global value specified for this threshold applies to all TCP and UDP connections inspected by CBAC. Example: The following example causes the software to start deleting half-open sessions when more than 1000 session establishment attempts have been detected in the last minute, and to stop deleting

half-open sessions when fewer than 950 session establishment attempts have been detected in the last minute: router(config)#ip inspect one-minute high 1000 router(config)#ip inspect one-minute low 950 Misconceptions: none Related commands: ip ip ip ip inspect inspect inspect inspect max-incomplete high max-incomplete low one-minute high tcp max-incomplete host

Sample Configurations:

Command Name: Mode: Syntax:

ip inspect tcp finwait-time router(config)#

ip inspect tcp finwait-time seconds no ip inspect tcp finwait-time Syntax Description:


seconds Specifies how long a TCP session will be managed after the firewall detects a FIN-exchange. The default is 5 seconds.

Command Description: To define how long a TCP session will still be managed after the firewall detects a FINexchange, use the ip inspect tcp finwait-time command in global configuration mode. To reset the timeout to the default of 5 seconds, use the no form of this command. Usage Guidelines When the software detects a valid TCP packet that is the first in a session, and if Context-based Access Control (CBAC) inspection is configured for the packet's protocol, the software establishes state information for the new session. Use this command to define how long TCP session state information will be maintained after the firewall detects a FIN-exchange for the session. The FIN-exchange occurs when the TCP session is ready to close. The global value specified for this timeout applies to all TCP sessions inspected by CBAC. The timeout set with this command is referred to as the "finwait" timeout. Note If the -n option is used with rsh, and the commands being executed do not produce output before the "finwait" timeout, the session will be dropped and no further output will be seen. Example: The following example changes the "finwait" timeout to 10 seconds: router(config)#ip inspect tcp finwait-time 10 The following example changes the "finwait" timeout back to the default (5 seconds): router(config)#no ip inspect tcp finwait-time

Misconceptions: none Related commands: none Sample Configurations:

Command Name: Mode: Syntax:

ip inspect tcp idle-time router(config)#

ip inspect tcp idle-time seconds no ip inspect tcp idle-time Syntax Description:


seconds Specifies the length of time, in seconds, for which a TCP session will still be managed while there is no activity. The default is 3600 seconds (1 hour).

Command Description: To specify the TCP idle timeout (the length of time a TCP session will still be managed while there is no activity), use the ip inspect tcp idle-time command in global configuration mode. To reset the timeout to the default of 3600 seconds (1 hour), use the no form of this command. Usage Guidelines When the software detects a valid TCP packet that is the first in a session, and if Context-based Access Control (CBAC) inspection is configured for the packet's protocol, the software establishes state information for the new session. If the software detects no packets for the session for a time period defined by the TCP idle timeout, the software will not continue to manage state information for the session. The global value specified for this timeout applies to all TCP sessions inspected by CBAC. This global value can be overridden for specific interfaces when you define a set of inspection rules with the ip inspect name (global configuration) command. Note This command does not affect any of the currently defined inspection rules that have explicitly defined timeouts. Sessions created based on these rules still inherit the explicitly defined timeout value. If you change the TCP idle timeout with this command, the new timeout will apply to any new inspection rules you define or to any existing inspection rules that do not have an explicitly defined timeout. That is, new sessions based on these rules (having no explicitly defined timeout) will inherit the global timeout value. Example: The following example sets the global TCP idle timeout to 1800 seconds (30 minutes): router(config)#ip inspect tcp idle-time 1800

The following example sets the global TCP idle timeout back to the default of 3600 seconds (one hour): router(config)#no ip inspect tcp idle-time Misconceptions: none Related commands: none Sample Configurations:

Command Name: Mode: Syntax:

ip inspect tcp max-incomplete host router(config)#

ip inspect tcp max-incomplete host number block-time minutes no ip inspect tcp max-incomplete host Syntax Description:
number Specifies how many half-open TCP sessions with the same host destination address can exist at a time, before the software starts deleting half-open sessions to the host. Use a number from 1 to 250. The default is 50 half-open sessions.

blocktime

Specifies blocking of connection initiation to a host.

minutes

Specifies how long the software will continue to delete new connection requests to the host. The default is 0 minutes.

Command Description: To specify threshold and blocking time values for TCP host-specific denial-of-service detection and prevention, use the ip inspect tcp max-incomplete host command in global configuration mode. To reset the threshold and blocking time to the default values, use the no form of this command. Usage Guidelines An unusually high number of half-open sessions with the same destination host address could indicate that a denial-of-service attack is being launched against the host. For TCP, "half-open" means that the session has not reached the established state. Whenever the number of half-open sessions with the same destination host address rises above a threshold (the max-incomplete host number), the software will delete half-open sessions according to one of the following methods:

If the block-time minutes timeout is 0 (the default): The software will delete the oldest existing half-open session for the host for every new connection request to the host. This ensures that the number of half-open sessions to a given host will never exceed the threshold.

If the block-time minutes timeout is greater than 0: The software will delete all existing half-open sessions for the host, and then block all new connection requests to the host. The software will continue to block all new connection requests until the block-time expires.

The software also sends syslog messages whenever the max-incomplete host number is exceeded and when blocking of connection initiations to a host starts or ends. The global values specified for the threshold and blocking time apply to all TCP connections inspected by Context-based Access Control (CBAC). Example: The following example changes the max-incomplete host number to 40 half-open sessions, and changes the block-time timeout to 2 minutes (120 seconds): router(config)#ip inspect tcp max-incomplete host 40 block-time 120 The following example resets the defaults (50 half-open sessions and 0 seconds): router(config)#no ip inspect tcp max-incomplete host Misconceptions: none Related commands: ip ip ip ip inspect inspect inspect inspect max-incomplete high max-incomplete low one-minute high one-minute low

Sample Configurations:

Command Name: Mode: Syntax:

ip inspect tcp synwait-time router(config)#

ip inspect tcp synwait-time seconds no ip inspect tcp synwait-time Syntax Description:


seconds Specifies how long, in seconds, the software will wait for a TCP session to reach the established state before dropping the session. The default is 30 seconds.

Command Description: To define how long the software will wait for a TCP session to reach the established state before dropping the session, use the ip inspect tcp synwait-time command in global configuration mode. To reset the timeout to the default of 30 seconds, use the no form of this command. Usage Guidelines Use this command to define how long Cisco IOS software will wait for a TCP session to reach the established state before dropping the session. The session is considered to have reached the established state after the session's first SYN bit is detected. The global value specified for this timeout applies to all TCP sessions inspected by Contextbased Access Control (CBAC). Example: The following example changes the "synwait" timeout to 20 seconds: router(config)#ip inspect tcp synwait-time 20 The following example changes the "synwait" timeout back to the default (30 seconds): router(config)#no ip inspect tcp synwait-time Misconceptions: none Related commands:

none Sample Configurations:

Command Name: Mode: Syntax:

ip inspect udp idle-time router(config)#

ip inspect udp idle-time seconds no ip inspect udp idle-time Syntax Description:


seconds Specifies the length of time a UDP "session" will still be managed while there is no activity. The default is 30 seconds.

Command Description: To specify the User Datagram Protocol idle timeout (the length of time for which a UDP "session" will still be managed while there is no activity), use the ip inspect udp idle-time command in global configuration model. To reset the timeout to the default of 30 seconds, use the no form of this command. Usage Guidelines When the software detects a valid UDP packet, if Context-based Access Control (CBAC) inspection is configured for the packet's protocol, the software establishes state information for a new UDP "session." Because UDP is a connectionless service, there are no actual sessions, so the software approximates sessions by examining the information in the packet and determining if the packet is similar to other UDP packets (for example, it has similar source or destination addresses) and if the packet was detected soon after another similar UDP packet. If the software detects no UDP packets for the UDP session for the a period of time defined by the UDP idle timeout, the software will not continue to manage state information for the session. The global value specified for this timeout applies to all UDP sessions inspected by CBAC. This global value can be overridden for specific interfaces when you define a set of inspection rules with the ip inspect name command. Note This command does not affect any of the currently defined inspection rules that have explicitly defined timeouts. Sessions created based on these rules still inherit the explicitly defined timeout value. If you change the UDP idle timeout with this command, the new timeout will apply to any new inspection rules you define or to any existing inspection rules that do not have an explicitly defined timeout. That is, new sessions based on these rules (having no explicitly defined timeout) will inherit the global timeout value. Example:

The following example sets the global UDP idle timeout to 120 seconds (2 minutes): router(config)#ip inspect udp idle-time 120 The following example sets the global UDP idle timeout back to the default of 30 seconds: router(config)#no ip inspect udp idle-time Misconceptions: none Related commands: none Sample Configurations:

Command Name: Mode: Syntax:

ip inspect router(config-if)#

ip inspect inspection-name {in | out} no ip inspect inspection-name {in | out} Syntax Description:
inspection-name Identifies which set of inspection rules to apply.

in

Applies the inspection rules to inbound traffic.

out

Applies the inspection rules to outbound traffic.

Command Description: To apply a set of inspection rules to an interface, use the ip inspect command in interface configuration mode. To remove the set of rules from the interface, use the no form of this command. Usage Guidelines Use this command to apply a set of inspection rules to an interface. Typically, if the interface connects to the external network, you apply the inspection rules to outbound traffic; alternately, if the interface connects to the internal network, you apply the inspection rules to inbound traffic. If you apply the rules to outbound traffic, then return inbound packets will be permitted if they belong to a valid connection with existing state information. This connection must be initiated with an outbound packet. If you apply the rules to inbound traffic, then return outbound packets will be permitted if they belong to a valid connection with existing state information. This connection must be initiated with an inbound packet. Example:

The following example applies a set of inspection rules named "outboundrules" to an external interface's outbound traffic. This causes inbound IP traffic to be permitted only if the traffic is part of an existing session, and to be denied if the traffic is not part of an existing session. router(config)#interface serial0 router(config-if)#ip inspect outboundrules out Misconceptions: If no set of inspection rules is applied to an interface, no traffic will be inspected by CBAC. Related commands: ip inspect name Sample Configurations: ip inspect name myfw ftp timeout 3600 ip inspect name myfw http timeout 3600 ip inspect name myfw tcp timeout 3600 ip inspect name myfw udp timeout 3600 ip inspect name myfw tftp timeout 3600 ! interface Ethernet0/1 ip address 172.16.1.2 255.255.255.0 ip access-group 111 in ip inspect myfw out ! access-list 111 deny icmp any 10.1.1.0 0.0.0.255 echo access-list 111 permit icmp any 10.1.1.0 0.0.0.255

Command Name: Mode: Syntax: no ip inspect Syntax Description:

no ip inspect router(config)#

This command has no arguments or keywords. Command Description: To turn off Context-based Access Control (CBAC) completely at a firewall, use the no ip inspect command in global configuration mode. Note The no in inspect command removes all CBAC configuration entries and resets all CBAC global timeouts and thresholds to the defaults. All existing sessions are deleted and their associated access lists are removed. Example: The following example turns off CBAC at a firewall: router(config)#no ip inspect Misconceptions: none Related commands: none Sample Configurations:

Command Name: Mode: Syntax:

show ip inspect router#

show ip inspect {name inspection-name | config | interfaces | session [detail] | all} Syntax Description:
name inspectionname Displays the configured inspection rule with the name inspection-name.

config

Displays the complete CBAC inspection configuration.

interfaces

Displays interface configuration with respect to applied inspection rules and access lists.

session [detail]

Displays existing sessions that are currently being tracked and inspected by CBAC. The optional detail keyword causes additional details about these sessions to be shown.

all

Displays all CBAC configuration and all existing sessions that are currently being tracked and inspected by CBAC.

Command Description: To view Context-based Access Control (CBAC) configuration and session information, use the show ip inspect command in privileged EXEC mode. Example: router# show ip inspect name myinspectionrule router# show ip inspect config router# show ip inspect interfaces

router# show ip inspect sessions router# show ip inspect sessions detail router# show ip inspect all Misconceptions: none Related commands: none Sample Configurations: The following example shows sample output for the show ip inspect name myinspectionrule command, where the inspection rule "myinspectionrule" is configured: Inspection Rule Configuration Inspection name myinspectionrule tcp timeout 3600 udp timeout 30 ftp timeout 3600 The output shows the protocols that should be inspected by CBAC and the corresponding idle timeouts for each protocol. The following is sample output for the show ip inspect config command: Session audit trail is disabled one-minute (sampling period) thresholds are [400:500] connections max-incomplete sessions thresholds are [400:500] max-incomplete tcp connections per host is 50. Block-time 0 minute. tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec tcp idle-time is 3600 sec -- udp idle-time is 30 sec dns-timeout is 5 sec Inspection Rule Configuration Inspection name myinspectionrule tcp timeout 3600 udp timeout 30 ftp timeout 3600 The output shows CBAC configuration, including global timeouts, thresholds, and inspection rules.

The following is sample output for the show ip inspect interfaces command: Interface Configuration Interface Ethernet0 Inbound inspection rule is myinspectionrule tcp timeout 3600 udp timeout 30 ftp timeout 3600 Outgoing inspection rule is not set Inbound access list is not set Outgoing access list is not set The following is sample output for the show ip inspect sessions command: Established Sessions Session 25A3318 (10.0.0.1:20)=>(10.1.0.1:46068) ftp-data SIS_OPEN Session 25A6E1C (10.1.0.1:46065)=>(10.0.0.1:21) ftp SIS_OPEN The output shows the source and destination addresses and port numbers (separated by colons), and it indicates that the session is an FTP session. The following is sample output for the show ip inspect sessions detail command: Established Sessions Session 25A335C (40.0.0.1:20)=>(30.0.0.1:46069) ftp-data SIS_OPEN Created 00:00:07, Last heard 00:00:00 Bytes sent (initiator:responder) [0:3416064] acl created 1 Inbound access-list 111 applied to interface Ethernet1 Session 25A6E1C (30.0.0.1:46065)=>(40.0.0.1:21) ftp SIS_OPEN Created 00:01:34, Last heard 00:00:07 Bytes sent (initiator:responder) [196:616] acl created 1 Inbound access-list 111 applied to interface Ethernet1 The output includes times, number of bytes sent, and which access list is applied. The following is sample output for the show ip inspect all command: Session audit trail is disabled one-minute (sampling period) thresholds are [400:500] connections max-incomplete sessions thresholds are [400:500] max-incomplete tcp connections per host is 50. Block-time 0 minute. tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec tcp idle-time is 3600 sec -- udp idle-time is 30 sec

dns-timeout is 5 sec Inspection Rule Configuration Inspection name all tcp timeout 3600 udp timeout 30 ftp timeout 3600 Interface Configuration Interface Ethernet0 Inbound inspection rule is all tcp timeout 3600 udp timeout 30 ftp timeout 3600 Outgoing inspection rule is not set Inbound access list is not set Outgoing access list is not set Established Sessions Session 25A6E1C (30.0.0.1:46065)=>(40.0.0.1:21) ftp SIS_OPEN Session 25A34A0 (40.0.0.1:20)=>(30.0.0.1:46072) ftp-data SIS_OPEN

Command Name: Mode: Syntax:

banner exec router(config)#

banner exec d message d no banner exec Syntax Description:


d Delimiting character of your choicea pound sign (#), for example. You cannot use the delimiting character in the banner message.

message

Message text. You can include tokens in the form $(token) in the message text. Tokens will be replaced with the corresponding configuration variable. Tokens are described below.

Command Description: To specify and enable a message to be displayed when an EXEC process is created (an EXEC banner), use the banner exec global configuration command. To delete the existing EXEC banner, use the no form of this command. Usage Guidelines This command specifies a message to be displayed when an EXEC process is created (a line is activated, or an incoming connection is made to a vty). Follow this command with one or more blank spaces and a delimiting character of your choice. Then enter one or more lines of text, terminating the message with the second occurrence of the delimiting character. When a user connects to a router, the message-of-the-day (MOTD) banner appears first, followed by the login banner and prompts. After the user logs in to the router, the EXEC banner or incoming banner will be displayed, depending on the type of connection. For a reverse Telnet login, the incoming banner will be displayed. For all other connections, the router will display the EXEC banner. To disable the EXEC banner on a particular line or lines, use the no exec-banner line configuration command. To customize the banner, use tokens in the form $(token) in the message text. Tokens will display current Cisco IOS configuration variables, such as the router's host name and IP address. The tokens are described below. Banner exec Tokens

Token Information Displayed in the Banner $(hostname) Displays the host name for the router. $(domain) $(line) Displays the domain name for the router. Displays the vty or tty (asynchronous) line number.

$(line-desc) Displays the description attached to the line.

Example: The following example sets an EXEC banner that uses tokens. The percent sign (%) is used as a delimiting character. Notice that the $(token) syntax is replaced by the corresponding configuration variable. Router(config)# banner exec % Enter TEXT message. End with the character '%'. Session activated on line $(line), $(line-desc). Enter commands at the prompt. % When a user logs on to the system, the following output is displayed: User Access Verification Username: joeuser Password: <password> Session activated on line 50, vty default line. Enter commands at the prompt. Router> Misconceptions: none Related commands: banner incoming banner login banner motd banner slip-ppp exec-banner Sample Configurations:

Command Name: Mode: Syntax:

banner incoming router(config)#

banner incoming d message d no banner incoming Syntax Description:


d Delimiting character of your choicea pound sign (#), for example. You cannot use the delimiting character in the banner message.

message

Message text. You can include tokens in the form $(token) in the message text. Tokens will be replaced with the corresponding configuration variable. Tokens are described below.

Command Description: To define and enable a banner to be displayed when there is an incoming connection to a terminal line from a host on the network, use the banner incoming global configuration command. To delete the incoming connection banner, use the no form of this command. Usage Guidelines Follow the banner incoming command with one or more blank spaces and a delimiting character of your choice. Then enter one or more lines of text, terminating the message with the second occurrence of the delimiting character. An incoming connection is one initiated from the network side of the router. Incoming connections are also called reverse Telnet sessions. These sessions can display MOTD banners and incoming banners, but they do not display EXEC banners. Use the no motd-banner line configuration command to disable the MOTD banner for reverse Telnet sessions on asynchronous lines. When a user connects to the router, the message-of-the-day (MOTD) banner (if configured) appears first, before the login prompt. After the user successfully logs in to the router, the EXEC banner or incoming banner will be displayed, depending on the type of connection. For a reverse Telnet login, the incoming banner will be displayed. For all other connections, the router will display the EXEC banner. Incoming banners cannot be suppressed. If you do not want the incoming banner to appear, you must delete it with the no banner incoming command.

To customize the banner, use tokens in the form $(token) in the message text. Tokens will display current Cisco IOS configuration variables, such as the router's host name and IP address. The tokens are described below. Banner incoming Tokens
Token Information Displayed in the Banner $(hostname) Displays the host name for the router. $(domain) $(line) Displays the domain name for the router. Displays the vty or tty (asynchronous) line number.

$(line-desc) Displays the description attached to the line.

Example: The following example sets an incoming connection banner. The pound sign (#) is used as a delimiting character. Router# banner incoming # This is the Reuses router. # The following example sets an incoming connection banner that uses several tokens. The percent sign (%) is used as a delimiting character. banner incoming % Enter TEXT message. End with the character '%'. You have entered $(hostname).$(domain) on line $(line) ($(linedesc)) % When the incoming connection banner is executed, the user will see the following banner. Notice that the $(token) syntax is replaced by the corresponding configuration variable. You have entered darkstar.ourdomain.com on line 5 (Dialin Modem) Misconceptions: none Related commands: banner banner banner banner exec login motd slip-ppp
darkstar(config)#

Sample Configurations:

Command Name: Mode: Syntax:

banner login router(config)#

banner login d message d no banner login Syntax Description:


d Delimiting character of your choicea pound sign (#), for example. You cannot use the delimiting character in the banner message.

message

Message text. You can include tokens in the form $(token) in the message text. Tokens will be replaced with the corresponding configuration variable. Tokens are described below.

Command Description: To define and enable a customized banner to be displayed before the username and password login prompts, use the banner login global configuration command. To disable the login banner, use no form of this command. Usage Guidelines Follow the banner login command with one or more blank spaces and a delimiting character of your choice. Then enter one or more lines of text, terminating the message with the second occurrence of the delimiting character. When a user connects to the router, the message-of-the-day (MOTD) banner (if configured) appears first, followed by the login banner and prompts. After the user successfully logs in to the router, the EXEC banner or incoming banner will be displayed, depending on the type of connection. For a reverse Telnet login, the incoming banner will be displayed. For all other connections, the router will display the EXEC banner. To customize the banner, use tokens in the form $(token) in the message text. Tokens will display current Cisco IOS configuration variables, such as the router's host name and IP address. The tokens are described below. Banner login Tokens
Token Information Displayed in the Banner $(hostname) Displays the host name for the router.

$(domain) $(line)

Displays the domain name for the router. Displays the vty or tty (asynchronous) line number.

$(line-desc) Displays the description attached to the line.

Example: The following example sets a login banner. Double quotes (") are used as the delimiting character. Router# banner login " Access for authorized users only. Please enter your username and password. " The following example sets a login banner that uses several tokens. The percent sign (%) is used as the delimiting character. darkstar(config)# banner login % Enter TEXT message. End with the character '%'. You have entered $(hostname).$(domain) on line $(line) ($(linedesc)) % When the login banner is executed, the user will see the following banner. Notice that the $(token) syntax is replaced by the corresponding configuration variable. You have entered darkstar.ourdomain.com on line 5 (Dialin Modem) Misconceptions: none Related commands: banner banner banner banner exec incoming motd slip-ppp

Sample Configurations:

Command Name: Mode: Syntax:

banner motd router(config)#

banner motd d message d no banner motd Syntax Description:


d Delimiting character of your choicea pound sign (#), for example. You cannot use the delimiting character in the banner message.

message

Message text. You can include tokens in the form $(token) in the message text. Tokens will be replaced with the corresponding configuration variable.

Command Description: To define and enable a message-of-the-day (MOTD) banner, use the banner motd global configuration command. To delete the MOTD banner, use the no form of this command. Usage Guidelines Follow this command with one or more blank spaces and a delimiting character of your choice. Then enter one or more lines of text, terminating the message with the second occurrence of the delimiting character. This MOTD banner is displayed to all terminals connected and is useful for sending messages that affect all users (such as impending system shutdowns). Use the no exec-banner or no motdbanner command to disable the MOTD banner on a line. The no exec-banner command also disables the EXEC banner on the line. When a user connects to the router, the MOTD banner appears before the login prompt. After the user logs in to the router, the EXEC banner or incoming banner will be displayed, depending on the type of connection. For a reverse Telnet login, the incoming banner will be displayed. For all other connections, the router will display the EXEC banner. To customize the banner, use tokens in the form $(token) in the message text. Tokens will display current Cisco IOS configuration variables, such as the router's host name and IP address. The tokens are described below. Banner motd Tokens

Token Information Displayed in the Banner $(hostname) Displays the host name for the router. $(domain) $(line) Displays the domain name for the router. Displays the vty or tty (asynchronous) line number.

$(line-desc) Displays the description attached to the line.

Example: The following example configures an MOTD banner. The pound sign (#) is used as a delimiting character. Router# banner motd # Building power will be off from 7:00 AM until 9:00 AM this coming Tuesday. # The following example configures an MOTD banner with a token. The percent sign (%) is used as a delimiting character. darkstar(config)# banner motd % Enter TEXT message. End with the character '%'. Notice: all routers in $(domain) will be upgraded beginning April 20 % When the MOTD banner is executed, the user will see the following. Notice that the $(token) syntax is replaced by the corresponding configuration variable. Notice: all routers in ourdomain.com will be upgraded beginning April 20 Misconceptions: none Related commands: banner exec banner incoming banner login banner slip-ppp motd-banner Sample Configurations:

Command Name: Mode: Syntax:

banner slip-ppp router(config)#

banner slip-ppp d message d no banner slip-ppp Syntax Description:


d Delimiting character of your choicea pound sign (#), for example. You cannot use the delimiting character in the banner message.

message

Message text. You can include tokens in the form $(token) in the message text. Tokens will be replaced with the corresponding configuration variable.

Command Description: To customize the banner that is displayed when a SLIP or PPP connection is made, use the banner slip-ppp global configuration command. To restore the default SLIP or PPP banner, use the no form of this command. Usage Guidelines Follow this command with one or more blank spaces and a delimiting character of your choice. Then enter one or more lines of text, terminating the message with the second occurrence of the delimiting character. Use this command to define a custom SLIP or PPP connection message. This is useful when legacy client applications require a specialized connection string. To customize the banner, use tokens in the form $(token) in the message text. Tokens will display current Cisco IOS configuration variables, such as the routers host name, IP address, encapsulation type, and MTU size. The banner tokens are described below. Banner slip-ppp Tokens
Token Information Displayed in the Banner $(hostname) Displays the host name of the router. $(domain) $(peer-ip) Displays the domain name of the router. Displays the IP address of the peer machine.

$(gate-ip) $(encap)

Displays the IP address of the gateway machine. Displays the encapsulation type (SLIP, PPP, and so on).

$(encap-alt) Displays the encapsulation type as SL/IP instead of SLIP. $(mtu) Displays the Maximum Transmission Unit (MTU) size.

Example: The following example sets the SLIP/PPP banner using several tokens and the percent sign (%) as the delimiting character: Router(config)# banner slip-ppp % Enter TEXT message. End with the character '%'. Starting $(encap) connection from $(gate-ip) to $(peer-ip) using a maximum packet size of $(mtu) bytes... % The new SLIP/PPP banner will now be displayed when the slip EXEC command is used. Notice that the $(token) syntax is replaced by the corresponding configuration variable. Router# slip Starting SLIP connection from 172.16.69.96 to 192.168.1.200 using a maximum packet size of 1500 bytes... Misconceptions: none Related commands: banner exec banner incoming banner motd slip ppp Sample Configurations:

Command Name: Mode: Syntax:

clear tcp router#

clear tcp {line line-number | local hostname port remote hostname port | tcb address} Syntax Description:
line line-number Line number of the TCP connection to clear.

local hostname port remote hostname port

Host name of the local router and port and host name of the remote router and port of the TCP connection to clear.

tcb address

Transmission Control Block (TCB) address of the TCP connection to clear. The TCB address is an internal identifier for the endpoint.

Command Description: To clear a TCP connection, use the clear tcp privileged EXEC command. Usage Guidelines The clear tcp command is particularly useful for clearing hung TCP connections. The clear tcp line line-number command terminates the TCP connection on the specified tty line. Additionally, all TCP sessions initiated from that tty line are terminated. The clear tcp local hostname port remote hostname port command terminates the specific TCP connection identified by the host name and port pair of the local and remote router. The clear tcp tcb address command terminates the specific TCP connection identified by the TCB address. Example: The following example clears a TCP connection using its tty line number. The show tcp command displays the line number (tty2) that is used in the clear tcp command. Router# show tcp

tty2, virtual tty from host router20.cisco.com Connection state is ESTAB, I/O status: 1, unread input bytes: 0 Local host: 171.69.233.7, Local port: 23 Foreign host: 171.69.61.75, Foreign port: 1058 Enqueued packets for retransmit: 0, input: 0, saved: 0 Event Timers (current time is 0x36144): Timer Starts Wakeups Next Retrans 4 0 0x0 TimeWait 0 0 0x0 AckHold 7 4 0x0 SendWnd 0 0 0x0 KeepAlive 0 0 0x0 GiveUp 0 0 0x0 PmtuAger 0 0 0x0 iss: 4151109680 snduna: 4151109752 sndnxt: 4151109752 sndwnd: 24576 irs: 1249472001 rcvnxt: 1249472032 rcvwnd: 4258 delrcvwnd: 30 SRTT: 710 ms, RTTO: 4442 ms, RTV: 1511 ms, KRTT: 0 ms minRTT: 0 ms, maxRTT: 300 ms, ACK hold: 300 ms Router# clear tcp line 2 [confirm] [OK] The following example clears a TCP connection by specifying its local router host name and port and its remote router host name and port. The show tcp brief command displays the local (Local Address) and remote (Foreign Address) host names and ports to use in the clear tcp command. Router# show tcp brief TCB Local Address Foreign Address (state) 60A34E9C router1.cisco.com.23 router20.cisco.1055 ESTAB Router# clear tcp local router1 23 remote router20 1055 [confirm] [OK] The following example clears a TCP connection using its TCB address. The show tcp brief command displays the TCB address to use in the clear tcp command. Router# show tcp brief TCB Local Address Foreign Address (state) 60B75E48 router1.cisco.com.23 router20.cisco.1054 ESTAB Router# clear tcp tcb 60B75E48 [confirm] [OK] Misconceptions: none Related commands:

show tcp show tcp brief Sample Configurations:

Command Name: Mode: Syntax: exec no exec Syntax Description:

exec router(config-line)#

This command has no arguments or keywords. Command Description: To allow an EXEC process on a line, use the exec line configuration command. To turn off the EXEC process for the specified line, use the no form of this command. Usage Guidelines When you want to allow an outgoing connection only for a line, use the no exec command. When a user tries to Telnet to a line with the no exec command configured, the user will get no response when pressing the Return key at the login screen. Example: The following example turns off the EXEC process on line 7. You might want to do this on the auxiliary port if the attached device (for example, the control port of a rack of modems) sends unsolicited data. If this happens, an EXEC process starts, which makes the line unavailable. router(config)#line 7 router(config-line)#no exec Misconceptions: none Related commands: none Sample Configurations:

Command Name: Mode: Syntax: exec-banner no exec-banner Syntax Description:

exec-banner router(config-line)#

This command has no arguments or keywords. Command Description: To reenable the display of EXEC and message-of-the-day (MOTD) banners on the specified line or lines, use the exec-banner line configuration command. To suppress the banners on the specified line or lines, use the no form of this command. Usage Guidelines This command determines whether the router will display the EXEC banner and the message-ofthe-day (MOTD) banner when an EXEC session is created. These banners are defined with the banner exec and banner motd global configuration commands. By default, these banner are enabled on all lines. Disable the EXEC and MOTD banners using the no exec-banner command. This command has no effect on the incoming banner, which is controlled by the banner incoming command.
The MOTD banners can also be disabled by the no motd-banner line configuration command, which disables MOTD banners on a line. If the no exec-banner command is configured on a line, the MOTD banner will be disabled regardless of whether the motd-banner command is enabled or disabled.

For reverse Telnet connections, the EXEC banner is never displayed. Instead, the incoming banner is displayed. The MOTD banner is displayed by default, but it is disabled if either the no exec-banner command or no motd-banner command is configured. Example: The following example suppresses the EXEC and MOTD banners on virtual terminal lines 0 to 4: router(config)#line vty 0 4 router(config-line)#no exec-banner Misconceptions: none

Related commands: banner exec banner incoming banner motd motd-banner Sample Configurations:

Command Name: Mode: Syntax:

exec-timeout router(config-line)#

exec-timeout minutes [seconds] no exec-timeout Syntax Description:


minutes Integer that specifies the number of minutes.

seconds

(Optional) Additional time intervals in seconds.

Command Description: To set the interval that the EXEC command interpreter waits until user input is detected, use the exec-timeout line configuration command. To remove the timeout definition, use the no form of this command. Usage Guidelines If no input is detected during the interval, the EXEC facility resumes the current connection. If no connections exist, the EXEC facility returns the terminal to the idle state and disconnects the incoming session. To specify no timeout, enter the exec-timeout 0 0 command. Example: The following example sets a time interval of 2 minutes, 30 seconds: router(config)#line console router(config-line)#exec-timeout 2 30 The following example sets a time interval of 10 seconds: router(config)#line console router(config-line)#exec-timeout 0 10 Misconceptions:

none

Related commands: none Sample Configurations:

Command Name: Mode: Syntax: lock Syntax Description:

lock router>

This command has no arguments or keywords. Command Description: To configure a temporary password on a line, use the lock EXEC command. Usage Guidelines You can prevent access to your session while keeping your connection open by setting up a temporary password. To lock access to the terminal, perform the following steps: Step 1 Enter the lock command. The system prompts you for a password. Step 2 Enter a password, which can be any arbitrary string. The system will prompt you to confirm the password. The screen then clears and displays the message "Locked." Step 3 To regain access to your sessions, reenter the password. The Cisco IOS software honors session timeouts on a locked lines. You must clear the line to remove this feature. The system administrator must set the line up to allow use of the temporary locking feature by using the lockable line configuration command. Example: Router(config-line)# lockable Router(config-line)# ^Z Router# copy system:running-config nvram:startup-config Building configuration... OK Router# lock Password: <password> Again: <password> Locked Password: <password> Router# Misconceptions:

none Related commands: lockable login (EXEC) Sample Configurations:

Command Name: Mode: Syntax:

menu clear-screen router(config)#

menu menu-name clear-screen Syntax Description:


menu-name Name of the menu this command should be applied to.

Command Description: To clear the terminal screen before displaying a menu, use the menu clear-screen global configuration command. Usage Guidelines This command uses a terminal-independent mechanism based on termcap entries defined in the router and the configured terminal type for the user. This command allows the same menu to be used on multiple types of terminals instead of having terminal-specific strings embedded within menu titles. If the termcap entry does not contain a clear string, the menu system enters 24 new lines, causing all existing text to scroll off the top of the terminal screen. Example: In the following example, the terminal screen is cleared before displaying the menu named Access1: router(config)#menu Access1 clear-screen Misconceptions: none

Related commands: menu menu menu menu menu menu (EXEC) command default line-mode options prompt

menu single-space menu status-line menu text menu title no menu Sample Configurations:

Command Name: Mode: Syntax:

menu command router(config)#

menu menu-name command menu-item {command | menu-exit} Syntax Description:


menuname Name of the menu. You can specify a maximum of 20 characters.

menuitem

Number, character, or string used as the key for the item. The key is displayed to the left of the menu item text. You can specify a maximum of 18 menu entries. When the tenth item is added to the menu, the line-mode and single-space options are activated automatically.

command

Command to issue when the user selects an item.

menuexit

Provides a way for menu users to return to a higher-level menu or exit the menu system.

Command Description: To specify underlying commands for user menus, use the menu command global configuration command. Usage Guidelines Use this command to assign actions to items in a menu. Use the menu text global configuration command to assign text to items. These commands must use the same menu name and menu selection key. The menu command command has a special keyword for the command argument, menu-exit, that is available only within menus. It is used to exit a submenu and return to the previous menu level, or to exit the menu altogether and return to the EXEC command prompt. You can create submenus that are opened by selecting entries in another menu. Use the menu EXEC command as the command for the submenu item. Note If you nest too many levels of menus, the system prints an error message on the terminal and returns to the previous menu level.

When a menu allows connections (their normal use), the command for an entry activating the connection should contain a resume command, or the line should be configured to prevent users from escaping their sessions with the escape-char none command. Otherwise, when they escape from a connection and return to the menu, there will be no way to resume the session and it will sit idle until the user logs out. Specifying the resume command as the action that is performed for a selected menu entry permits a user to resume a named connection or connect using the specified name, if there is no active connection by that name. As an option, you can also supply the connect string needed to connect initially. When you do not supply this connect string, the command uses the specified connection name. You can also use the resume/next command, which resumes the next connection in the user's list of connections. This function allows you to create a single menu entry that steps through all of the user's connections. Note A menu should not contain any exit paths that leave users in an unfamiliar interface environment. When a particular line should always display a menu, that line can be configured with an autocommand line configuration command. Menus can be run on a per-user basis by defining a similar autocommand command for that local username. Example: In the following example, the commands to be issued when the menu user selects option 1, 2, or 3 are specified for the menu named Access1: router(config)#menu Access1 command 1 tn3270 vms.cisco.com router(config)#menu Access1 command 2 rlogin unix.cisco.com router(config)#menu Access1 command 3 menu-exit The following example allows a menu user to exit a menu by entering Exit at the menu prompt: router(config)#menu Access1 text Exit Exit menu Access1 command Exit menu-exit Misconceptions: none Related commands: autocommand menu (EXEC) menu clear-screen menu default

menu menu menu menu menu menu menu

line-mode options prompt single-space status-line text title

Sample Configurations:

Command Name: Mode: Syntax:

menu default router(config)#

menu menu-name default menu-item Syntax Description:


menu-name Name of the menu. You can specify a maximum of 20 characters.

menu-item

Number, character, or string key of the item to use as the default.

Command Description: To specify the menu item to use as the default, use the menu default global configuration command. Usage Guidelines Use this command to specify which menu entry is used when the user presses Enter without specifying an item. The menu entries are defined by the menu command and menu text global configuration commands. Example: In the following example, the menu user exits the menu when pressing Enter without selecting an item: router(config)#menu Access1 9 text Exit the menu router(cofnig)#menu Access1 9 command menu-exit router(config)#menu Access1 default 9 Misconceptions: none Related commands: menu menu menu menu (EXEC) command prompt text

menu title Sample Configurations:

Command Name: Mode: Syntax:

menu line-mode router(config)#

menu menu-name line-mode Syntax Description:


menu-name Name of the menu this command should be applied to.

Command Description: To require the user to press Enter after specifying an item, use the menu line-mode global configuration command. Usage Guidelines In a menu of nine or fewer items, you ordinarily select a menu item by entering the item number. In line mode, you select a menu entry by entering the item number and pressing Enter. Line mode allows you to backspace over the selected number and enter another number before pressing Enter to issue the command. This option is activated automatically when more than nine menu items are defined but also can be configured explicitly for menus of nine or fewer items. In order to use strings as keys for items, the menu line-mode command must be configured. Example: In the following example, the line-mode option is enabled for the menu named Access1: router(config)#menu Access1 line-mode Misconceptions: none Related commands: menu menu menu menu (EXEC) clear-screen command default

menu menu menu menu menu

options prompt single-space status-line text

Sample Configurations:

Command Name: Mode: Syntax:

menu options router(config)#

menu menu-name options menu-item {login | pause} Syntax Description:


menu-name The name of the menu. You can specify a maximum of 20 characters.

menu-item

Number, character, or string key of the item affected by the option.

login

Requires a login before issuing the command.

pause

Pauses after the command is entered before redrawing the menu.

Command Description: To set options for items in user menus, use the menu options global configuration command. Usage Guidelines Use the menu command and menu text global configuration commands to define a menu entry. Example: In the following example, a login is required before issuing the command specified by menu entry 3 of the menu named Access1: router(config)#menu Access1 options 3 login Misconceptions: none Related commands: menu (EXEC) menu clear-screen menu command

menu menu menu menu menu menu menu

default line-mode prompt single-space status-line text title

Sample Configurations:

Command Name: Mode: Syntax:

menu prompt router(config)#

menu menu-name prompt d prompt d Syntax Description:


menuname Name of the menu. You can specify a maximum of 20 characters.

A delimiting character that marks the beginning and end of a title. Text delimiters are characters that do not ordinarily appear within the text of a title, such as slash ( / ), double quote ("), and tilde (~). ^C is reserved for special use and should not be used in the text of the title.

prompt

Prompt string for the menu.

Command Description: To specify the prompt for a user menu, use the menu prompt global configuration command. Usage Guidelines Press Enter after entering the first delimiter. The router will prompt you for the text of the prompt. Enter the text followed by the delimiter, and press Enter. Use the menu command and menu text commands to define the menu selections. Example: In the following example, the prompt for the menu named Access1 is configured as "Select an item.": Router(config)# menu Access1 prompt / Enter TEXT message. End with the character '/'. Select an item. / Router(config)# Misconceptions: none

Related commands: menu menu menu menu menu (EXEC) command default text title

Sample Configurations:

Command Name: Mode: Syntax:

menu single-space router(config)#

menu menu-name single-space Syntax Description:


menu-name Name of the menu this command should be applied to.

Command Description: To display menu items single-spaced rather than double-spaced, use the menu single-space global configuration command. Usage Guidelines When more than nine menu items are defined, the menu is displayed single-spaced. To configure the menus with nine or fewer items to display single-spaced, use this command. Example: In the following example, single-spaced menu items are displayed for the menu named Access1: router(config)#menu Access1 single-space Misconceptions: none Related commands: menu menu menu menu menu menu menu menu menu menu (EXEC) clear-screen command default line-mode options prompt status-line text title

Sample Configurations:

Command Name: Mode: Syntax:

menu status-line router(config)#

menu menu-name status-line Syntax Description:

menu-name

Name of the menu this command should be applied to.

Command Description: To display a line of status information about the current user at the top of a menu, use the menu status-line global configuration command. Usage Guidelines This command displays the status information at the top of the screen before the menu title is displayed. This status line includes the router's host name, the user's line number, and the current terminal type and keymap type (if any). Example: In the following example, status information is enabled for the menu named Access1: router(config)#menu Access1 status-line Misconceptions: none Related commands: menu menu menu menu menu menu menu menu menu (EXEC) clear-screen command default line-mode options prompt single-space text

menu title Sample Configurations:

Command Name: Mode: Syntax:

menu text router(config)#

menu menu-name text menu-item menu-text Syntax Description:


menuname Name of the menu. You can specify a maximum of 20 characters.

menuitem

Number, character, or string used as the key for the item. The key is displayed to the left of the menu item text. You can specify a maximum of 18 menu items. When the tenth item is added to the menu, the menu line-mode and menu single-space commands are activated automatically.

menutext

Text of the menu item.

Command Description: To specify the text of a menu item in a user menu, use the menu text global configuration command. Usage Guidelines Use this command to assign text to items in a menu. Use the menu command command to assign actions to items. These commands must use the same menu name and menu selection key. You can specify a maximum of 18 items in a menu. Example: In the following example, the descriptive text for the three entries is specified for options 1, 2, and 3 in the menu named Access1: router(config)#menu Access1 text 1 IBM Information Systems router(config)#menu Access1 text 2 UNIX Internet Access router(config)#menu Access1 text 3 Exit menu system Misconceptions:

none Related commands: menu menu menu menu menu menu menu menu menu menu (EXEC) clear-screen command default line-mode options prompt single-space status-line title

Sample Configurations:

Command Name: Mode: Syntax:

menu title router(config)#

menu menu-name title d menu-title d Syntax Description:


menuname Name of the menu. You can specify a maximum of 20 characters.

A delimiting character that marks the beginning and end of a title. Text delimiters are characters that do not ordinarily appear within the text of a title, such as slash ( / ), double quote ("), and tilde (~). ^C is reserved for special use and should not be used in the text of the title.

menutitle

Lines of text to appear at the top of the menu.

Command Description: To create a title (banner) for a user menu, use the menu title global configuration command. Usage Guidelines The menu title command must use the same menu name used with the menu text and menu command commands used to create a menu. You can position the title of the menu horizontally by preceding the title text with blank characters. You can also add lines of space above and below the title by pressing Enter. Follow the title keyword with one or more blank characters and a delimiting character of your choice. Then enter one or more lines of text, ending the title with the same delimiting character. You cannot use the delimiting character within the text of the message. When you are configuring from a terminal and are attempting to include special control characters, such as a screen-clearing string, you must use Ctrl-V before the special control characters so that they are accepted as part of the title string. The string ^[[H^[[J is an escape string used by many VT100-compatible terminals to clear the screen. To use a special string, you must enter Ctrl-V before each escape character.

You also can use the menu clear-screen global configuration command to clear the screen before displaying menus and submenus, instead of embedding a terminal-specific string in the menu title. The menu clear-screen command allows the same menu to be used on different types of terminals. Example: In the following example, the title that will be displayed is specified when the menu named Access1 is invoked. Press Enter after the second slash (/) to display the prompt. Router(config)# menu Access1 title Enter TEXT message. End with the character '/'. Welcome to Access1 Internet Services. Type a number to select an option; Type 9 to exit the menu. / Router(config)# Misconceptions: none Related commands: menu menu menu menu menu menu menu menu menu (EXEC) clear-screen command line-mode options prompt single-space status-line text

Sample Configurations:

Command Name: Mode: Syntax: motd-banner no motd-banner Syntax Description:

motd-banner router(config)#

This command has no arguments or keywords. Command Description: To enable the display of message-of-the-day (MOTD) banners on the specified line or lines, use the motd-banner line configuration command. To suppress the MOTD banners on the specified line or lines, use the no form of this command. Usage Guidelines This command determines whether the router will display the MOTD banner when an EXEC session is created on the specified line or lines. The MOTD banner is defined with the banner motd global configuration command. By default, the MOTD banner is enabled on all lines. Disable the MOTD banner on specific lines using the no motd-banner line configuration command. The MOTD banners can also be disabled by the no exec-banner line configuration command, which disables both MOTD banners and EXEC banners on a line. If the no exec-banner command is configured on a line, the MOTD banner will be disabled regardless of whether the motd-banner command is enabled or disabled. For reverse Telnet connections, the EXEC banner is never displayed. Instead, the incoming banner is displayed. The MOTD banner is displayed by default, but it is disabled if either the no exec-banner command or no motd-banner command is configured. Example: The following example suppresses the MOTD banner on vty lines 0 through 4: router(config)#line vty 0 4 router(config-line)#no motd-banner Misconceptions: none

Related commands: banner exec banner incoming banner motd motd-banner Sample Configurations:

Command Name: Mode: Syntax: name-connection Syntax Description:

name-connection router>

This command has no arguments or keywords. Command Description: To assign a logical name to a connection, use the name-connection user EXEC command. Usage Guidelines This command can be useful for keeping track of multiple connections. You are prompted for the connection number and name to assign. The where command displays a list of the assigned logical connection names. Example: The following example assigns the logical name blue to the connection: Router> where Conn Host Address Byte Idle Conn Name * 1 doc-2509 172.30.162.131 0 0 doc-2509 Router> name-connection Connection number: 1 Enter logical name: blue Connection 1 to doc-2509 will be named "BLUE" [confirm] Misconceptions: none Related commands: where Sample Configurations:

Command Name: Mode: Syntax: no menu menu-name Syntax Description:


menu-name

no menu router(config)#

Name of the menu to delete from the configuration file.

Command Description: To delete a user menu from the configuration file, use the no menu global configuration command. Usage Guidelines Use this command to remove any menu commands for a particular menu from the configuration file. As with all global configuration commands, this command will only effect the startup configuration file when you save the running configuration using the copy running-config startup-config EXEC command. Example: The following example deletes the menu named Access1: router(config)#no menu Access1 Misconceptions: none Related commands: menu menu menu menu menu (EXEC) command prompt text title

Sample Configurations:

Command Name: Mode Syntax:

refuse-message router(config-line)#

refuse-message d message d no refuse-message Syntax Description:


d Delimiting character of your choicea pound sign (#), for example. You cannot use the delimiting character in the message.

message

Message text.

Command Description: To define and enable a line-in-use message, use the refuse-message line configuration command. To disable the message, use the no form of this command. Usage Guidelines Follow this command with one or more blank spaces and a delimiting character of your choice. Then enter one or more lines of text, terminating the message with the second occurrence of the delimiting character. You cannot use the delimiting character within the text of the message. When you define a message using this command, the Cisco IOS software performs the following steps: 1. Accepts the connection. 2. Prints the custom message. 3. Clears the connection. Example: In the following example, line 5 is configured with a line-in-use message, and the user is instructed to try again later: router(config)#line 5 router(config-line)#refuse-message /The dial-out modem is currently in use.

Please try again later./ Misconceptions: none Related commands: none Sample Configurations:

Command Name: Mode: Syntax:

send router#

send {line-number | * | aux number | console number | tty number | vty number} Syntax Description:
line-number Line number to which the message will be sent.

Sends a message to all lines.

aux number

Sends a message to the specified AUX port.

console number

Sends a message to the specified console port.

tty number

Sends a message to the specified asynchronous line.

vty number

Sends a message to the specified virtual asynchronous line.

Command Description: To send messages to one or all terminal lines, use the send privileged EXEC command. Usage Guidelines After entering this command, the system prompts for the message to be sent, which can be up to 500 characters long. Enter Ctrl-Z to end the message. Enter Ctrl-C to abort this command. Example: The following example sends a message to all lines: 2509# send * Enter message, end with CTRL/Z; abort with CTRL/C: The system 2509 will be shut down in 10 minutes for repairs.^Z Send message? [confirm]

2509# *** *** *** Message from tty0 to all terminals: *** The system 2509 will be shut down in 10 minutes for repairs. 2509# Misconceptions: none Related commands: none Sample Configurations:

Command Name: Mode: Syntax:

service linenumber router(config)#

service linenumber no service linenumber Syntax Description: This command has no arguments or keywords. Command Description: To configure the Cisco IOS software to display line number information after the EXEC or incoming banner, use the service linenumber global configuration command. To disable this function, use the no form of this command. Usage Guidelines With the service linenumber command, you can have the Cisco IOS software display the host name, line number, and location each time an EXEC process is started, or an incoming connection is made. The line number banner appears immediately after the EXEC banner or incoming banner. This feature is useful for tracking problems with modems, because the host and line for the modem connection are listed. Modem type information can also be included. Example: In the following example, a user Telnets to Router2 before and after the service linenumber command is enabled. The second time, information about the line is displayed after the banner. Router1> telnet Router2 Trying Router2 (172.30.162.131)... Open Welcome to Router2. User Access Verification Password: Router2> enable Password: Router2# configure terminal Enter configuration commands, one per line. End with CNTL/Z. Router2(config)# service linenumber Router2(config)# end Router2# logout [Connection to Router2 closed by foreign host] Router1> telnet Router2 Trying Router2 (172.30.162.131)... Open

Welcome to Router2. Router2 line 10 User Access Verification Password: Router2> Misconceptions: none Related commands: show users Sample Configurations:

Command Name: Mode: Syntax:

vacant-message router(config-line)#

vacant-message [d message d] no vacant-message Syntax Description:


d (Optional) Delimiting character that marks the beginning and end of the vacant-message. Text delimiters are characters that do not ordinarily appear within the text of a title, such as slash ( / ), double quote ("), or tilde (~). ^C is reserved for special use and should not be used in the message.

message

(Optional) Vacant terminal message.

Command Description: To display an idle terminal message, use the vacant-message line configuration command. To remove the default vacant message or any other vacant message that may have been set, use the no form of this command. Usage Guidelines This command enables the banner to be displayed on the screen of an idle terminal. The vacantmessage command without any arguments restores the default message. Follow this command with one or more blank spaces and a delimiting character of your choice. Then enter one or more lines of text, terminating the message with the second occurrence of the delimiting character. Note For a rotary group, you need to define only the message for the first line in the group. Example: The following example turns on the system banner and displays this message: router(config)#line 0 router(config-line)#vacant-message # Welcome to Cisco Systems, Inc. Press Return to get started.

Misconceptions: none Related commands: none Sample Configurations:

Command Name: Mode: Syntax: clear crypto sa

clear crypto sa router#

clear crypto sa peer {ip-address | peer-name} clear crypto sa map map-name clear crypto sa entry destination-address protocol spi clear crypto sa counters Syntax Description:
peer Deletes any IPSec security associations for the specified peer.

ip-address

Specifies a remote peer's IP address.

peer-name

Specifies a remote peer's name as the fully qualified domain name, for example remotepeer.example.com.

map

Deletes any IPSec security associations for the named crypto map set.

map-name

Specifies the name of a crypto map set.

entry

Deletes the IPSec security association with the specified address, protocol, and SPI.

destinationaddress

Specifies the IP address of your peer or the remote peer.

protocol

Specifies either the Encapsulation Security Protocol or Authentication Header.

spi

Specifies an SPI (found by displaying the security association database).

Command Name: Mode: Syntax:

crypto dynamic-map router(config)#

crypto dynamic-map dynamic-map-name dynamic-seq-num no crypto dynamic-map dynamic-map-name [dynamic-seq-num] Syntax Description:
dynamic-map-name Specifies the name of the dynamic crypto map set.

dynamic-seq-num

Specifies the number of the dynamic crypto map entry

Command Description: To create a dynamic crypto map entry and enter the crypto map configuration command mode, use the crypto dynamic-map global configuration command. To delete a dynamic crypto map set or entry, use the no form of this command. Usage Guidelines Use dynamic crypto maps to create policy templates that can be used when processing negotiation requests for new security associations from a remote IP Security peer, even if you do not know all of the crypto map parameters required to communicate with the remote peer (such as the peer's IP address). For example, if you do not know about all the IPSec remote peers in your network, a dynamic crypto map allows you to accept requests for new security associations from previously unknown peers. (However, these requests are not processed until the Internet Key Exchange authentication has completed successfully.) When a router receives a negotiation request via IKE from another IPSec peer, the request is examined to see if it matches a crypto map entry. If the negotiation does not match any explicit crypto map entry, it will be rejected unless the crypto map set includes a reference to a dynamic crypto map. The dynamic crypto map is a policy template; it will accept "wildcard" parameters for any parameters not explicitly stated in the dynamic crypto map entry. This allows you to set up IPSec security associations with a previously unknown IPSec peer. (The peer still must specify matching values for the "non-wildcard" IPSec security association negotiation parameters.) If the router accepts the peer's request, at the point that it installs the new IPSec security associations it also installs a temporary crypto map entry. This entry is filled in with the results

of the negotiation. At this point, the router performs normal processing, using this temporary crypto map entry as a normal entry, even requesting new security associations if the current ones are expiring (based upon the policy specified in the temporary crypto map entry). Once the flow expires (that is, all of the corresponding security associations expire), the temporary crypto map entry is removed. Dynamic crypto map sets are not used for initiating IPSec security associations. However, they are used for determining whether or not traffic should be protected. The only configuration required in a dynamic crypto map is the set transform-set command. All other configuration is optional. Dynamic crypto map entries, like regular static crypto map entries, are grouped into sets. After you define a dynamic crypto map set (which commonly contains only one map entry) using this command, you include the dynamic crypto map set in an entry of the "parent" crypto map set using the crypto map (IPSec global configuration) command. The parent crypto map set is then applied to an interface. You should make crypto map entries referencing dynamic maps the lowest priority map entries, so that negotiations for security associations will try to match the static crypto map entries first. Only after the negotiation request does not match any of the static map entries do you want it to be evaluated against the dynamic map. To make a dynamic crypto map the lowest priority map entry, give the map entry referencing the dynamic crypto map the highest seq-num of all the map entries in a crypto map set. For both static and dynamic crypto maps, if unprotected inbound traffic matches a permit statement in an access list, and the corresponding crypto map entry is tagged as "IPSec," then the traffic is dropped because it is not IPSec-protected. (This is because the security policy as specified by the crypto map entry states that this traffic must be IPSec-protected.) For static crypto map entries, if outbound traffic matches a permit statement in an access list and the corresponding security association (SA) is not yet established, the router will initiate new SAs with the remote peer. In the case of dynamic crypto map entries, if no SA existed, the traffic would simply be dropped (because dynamic crypto maps are not used for initiating new SAs). Note Use care when using the any keyword in permit entries in dynamic crypto maps. If it is possible for the traffic covered by such a permit entry to include multicast or broadcast traffic, the access list should include deny entries for the appropriate address range. Access lists should also include deny entries for network and subnet broadcast traffic, and for any other traffic that should not be IPSec protected. Example: router(config)#crypto map mymap 10 ipsec-isakmp router(config)#crypto map mymap 20 ipsec-isakmp

router(config)#crypto map mymap 30 ipsec-isakmp dynamic mydynamicmap router(config)#crypto dynamic-map mydynamicmap 10 Misconceptions: none Related commands: crypto map (global IPSec) crypto map (interface IPSec) crypto map local-address match address (IPSec) set peer (IPSec) set pfs set security-association lifetime set transform-set show crypto dynamic-map show crypto map (IPSec) Sample Configurations: crypto map mymap 10 ipsec-isakmp match address 101 set transform-set my_t_set1 set peer 10.0.0.1 set peer 10.0.0.2 crypto map mymap 20 ipsec-isakmp match address 102 set transform-set my_t_set1 my_t_set2 set peer 10.0.0.3 crypto map mymap 30 ipsec-isakmp dynamic mydynamicmap ! crypto dynamic-map mydynamicmap 10 match address 103 set transform-set my_t_set1 my_t_set2 my_t_set3

Command Name: Mode: Syntax:

crypto ipsec security-association lifetime router(config)#

crypto ipsec security-association lifetime {seconds seconds | kilobytes kilobytes} no crypto ipsec security-association lifetime {seconds | kilobytes} Syntax Description:
seconds seconds Specifies the number of seconds a security association will live before expiring. The default is 3600 seconds (one hour).

kilobytes kilobytes

Specifies the volume of traffic (in kilobytes) that can pass between IPSec peers using a given security association before that security association expires. The default is 4,608,000 kilobytes.

Command Description: To change global lifetime values used when negotiating IPSec security associations, use the crypto ipsec security-association lifetime global configuration command. To reset a lifetime to the default value, use the no form of this command. Usage Guidelines IPSec security associations use shared secret keys. These keys and their security associations time out together. Assuming that the particular crypto map entry does not have lifetime values configured, when the router requests new security associations during security association negotiation, it will specify its global lifetime value in the request to the peer; it will use this value as the lirfetime of the new security associations. When the router receives a negotiation request from the peer, it will use the smaller of the lifetime value proposed by the peer or the locally configured lifetime value as the lifetime of the new security associations. There are two lifetimes: a "timed" lifetime and a "traffic-volume" lifetime. The security association expires after the first of these lifetimes is reached. If you change a global lifetime, the change is only applied when the crypto map entry does not have a lifetime value specified. The change will not be applied to existing security associations,

but will be used in subsequent negotiations to establish new security associations. If you want the new settings to take effect sooner, you can clear all or part of the security association database by using the clear crypto sa command. Refer to the clear crypto sa command for more details. To change the global timed lifetime, use the crypto ipsec security-association lifetime seconds form of the command. The timed lifetime causes the security association to time out after the specified number of seconds have passed. To change the global traffic-volume lifetime, use the crypto ipsec security-association lifetime kilobytes form of the command. The traffic-volume lifetime causes the security association to time out after the specified amount of traffic (in kilobytes) has been protected by the security associations' key. Shorter lifetimes can make it harder to mount a successful key recovery attack, since the attacker has less data encrypted under the same key to work with. However, shorter lifetimes require more CPU processing time for establishing new security associations. The lifetime values are ignored for manually established security associations (security associations installed using an ipsec-manual crypto map entry). How These Lifetimes Work The security association (and corresponding keys) will expire according to whichever occurs sooner, either after the number of seconds has passed (specified by the seconds keyword) or after the amount of traffic in kilobytes has passed (specified by the kilobytes keyword). A new security association is negotiated before the lifetime threshold of the existing security association is reached, to ensure that a new security association is ready for use when the old one expires. The new security association is negotiated either 30 seconds before the seconds lifetime expires or when the volume of traffic through the tunnel reaches 256 kilobytes less than the kilobytes lifetime (whichever occurs first). If no traffic has passed through the tunnel during the entire life of the security association, a new security association is not negotiated when the lifetime expires. Instead, a new security association will be negotiated only when IPSec sees another packet that should be protected. Example: The following example shortens both lifetimes, because the administrator feels there is a higher risk that the keys could be compromised. The timed lifetime is shortened to 2,700 seconds (45 minutes), and the traffic-volume lifetime is shortened to 2,304,000 kilobytes (10 megabytes per second for one half hour). router#crypto ipsec security-association lifetime seconds 2700 router#crypto ipsec security-association lifetime kilobytes 2304000 Misconceptions:

none Related commands: set security-association lifetime show crypto ipsec security-association lifetime Sample Configurations:

Command Name: Mode: Syntax:

crypto ipsec transform-set router(config)#

crypto ipsec transform-set transform-set-name transform1 [transform2 [transform3]] no crypto ipsec transform-set transform-set-name Syntax Description:
transform-setname Specifies the name of the transform set to create (or modify).

transform1 transform2 transform3

Specifies up to three "transforms." These transforms define the IPSec security protocols and algorithms. Accepted transform values are described in the "Usage Guidelines" section.

Command Description: To define a transform setan acceptable combination of security protocols and algorithmsuse the crypto ipsec transform-set global configuration command. To delete a transform set, use the no form of the command. Usage Guidelines A transform set is an acceptable combination of security protocols, algorithms and other settings to apply to IP Security protected traffic. During the IPSec security association negotiation, the peers agree to use a particular transform set when protecting a particular data flow. You can configure multiple transform sets, and then specify one or more of these transform sets in a crypto map entry. The transform set defined in the crypto map entry is used in the IPSec security association negotiation to protect the data flows specified by that crypto map entry's access list. During the negotiation, the peers search for a transform set that is the same at both peers. When such a transform set is found, it is selected and will be applied to the protected traffic as part of both peer's IPSec security associations. When IKE is not used to establish security associations, a single transform set must be used. The transform set is not negotiated. Before a transform set can be included in a crypto map entry it must be defined using this command.

A transform set specifies one or two IPSec security protocols (either Encapsulation Security Protocol or Authentication Header or both) and specifies which algorithms to use with the selected security protocol. To define a transform set, you specify one to three "transforms"each transform represents an IPSec security protocol (ESP or AH) plus the algorithm you want to use. When the particular transform set is used during negotiations for IPSec security associations, the entire transform set (the combination of protocols, algorithms, and other settings) must match a transform set at the remote peer. In a transform set you could specify the AH protocol, the ESP protocol, or both. If you specify an ESP protocol in a transform set, you can specify just an ESP encryption transform or both an ESP encryption transform and an ESP authentication transform. The table below lists the acceptable transform combination selections for the AH and ESP protocols. Table 22: Allowed Transform Combinations
Transform type AH Transform (Pick up to one.) Transform ah-md5-hmac ah-sha-hmac ah-sha-hmac AH with the SHA (HMAC variant) authentication algorithm AH with the SHA (HMAC variant) authentication algorithm Description AH with the MD5 (HMAC variant) authentication algorithm

ESP Encryption Transform (Pick up to one.)

esp-des esp-3des esp-null

ESP with the 56-bit DES encryption algorithm ESP with the 168-bit DES encryption algorithm (3DES or Triple DES) Null encryption algorithm

ESP Authentication Transform (Pick up to one.)

esp-md5hmac esp-shahmac

ESP with the MD5 (HMAC variant) authentication algorithm ESP with the SHA (HMAC variant) authentication algorithm

IP Compression Transform (Pick

comp-lzs

IP compression with the LZS algorithm.

up to one.)

Examples of acceptable transform combinations are:


ah-md5-hmac esp-des esp-3des and esp-md5-hmac ah-sha-hmac and esp-des and esp-sha-hmac comp-lzs

The parser will prevent you from entering invalid combinations; for example, once you specify an AH transform it will not allow you to specify another AH transform for the current transform set. IPSec Protocols: Encapsulation Security Protocol and Authentication Header Both the Encapsulation Security Protocol (ESP) and Authentication Header (AH) protocols implement security services for IPSec. ESP provides packet encryption and optional data authentication and anti-replay services. AH provides data authentication and anti-replay services. ESP encapsulates the protected dataeither a full IP datagram r(or only the payload)with an ESP header and an ESP trailer. AH is embedded in the protected data; it inserts an AH header immediately after the outer IP header and before the inner IP datagram or payload. Traffic that originates and terminates at the IPSec peers can be sent in either tunnel or transport mode; all other traffic is sent in tunnel mode. Tunnel mode encapsulates and protects a full IP datagram, while transport mode encapsulates/protects the payload of an IP datagram. For more information about modes, see the mode (IPSec) command description. Selecting Appropriate Transforms The following tips may help you select transforms that are appropriate for your situation:

If you want to provide data confidentiality, include an ESP encryption transform. If you want to ensure data authentication for the outer IP header as well as the data, include an AH transform. (Some consider the benefits of outer IP header data integrity to be debatable.)

If you use an ESP encryption transform, also consider including an ESP authentication transform or an AH transform to provide authentication services for the transform set. If you want data authentication (either using ESP or AH) you can choose from the MD5 or SHA (HMAC keyed hash variants) authentication algorithms. The SHA algorithm is generally considered stronger than MD5, but is slower. Note that some transforms might not be supported by the IPSec peer. In cases where you need to specify an encryption transform but do not actually encrypt packets, you can use the esp-null transform.

Suggested transform combinations:


esp-des and esp-sha-hmac ah-sha-hmac and esp-des and esp-sha-hmac

The Crypto Transform Configuration Mode After you issue the crypto ipsec transform-set command, you are put into the crypto transform configuration mode. While in this mode, you can change the mode to tunnel or transport. (These are optional changes.) After you have made these changes, type exit to return to global configuration mode. For more information about these optional changes, see the match address (IPSec) and mode (IPSec) command descriptions. Changing Existing Transforms If one or more transforms are specified in the crypto ipsec transform-set command for an existing transform set, the specified transforms will replace the existing transforms for that transform set. If you change a transform set definition, the change is only applied to crypto map entries that reference the transform set. The change will not be applied to existing security associations, but will be used in subsequent negotiations to establish new security associations. If you want the new settings to take effect sooner, you can clear all or part of the security association database by using the clear crypto sa command. Example: The following example defines two transform sets. The first transform set will be used with an IPSec peer that supports the newer ESP and AH protocols. The second transform set will be used with an IPSec peer that only supports the older transforms. router(config)#crypto ipsec transform-set newer esp-3des espsha-hmac router(config)#crypto ipsec transform-set older ah-rfc-1828 esprfc1829

Misconceptions: none Related commands: mode (IPSec) set transform-set show crypto ipsec transform-set Sample Configurations:

crypto isakmp policy 10 hash md5 authentication pre-share crypto isakmp key mysecretkey address 0.0.0.0 0.0.0.0 ! ! crypto ipsec transform-set mypolicy esp-des esp-md5-hmac ! crypto dynamic-map dyna 10 set transform-set mypolicy ! crypto map test 10 ipsec-isakmp dynamic dyna

Command Name: Mode: Syntax: crypto map map-name

crypto map (interface IPSec) router(config-if)#

no crypto map [map-name] Syntax Description:


mapname Name that identifies the crypto map set. This is the name assigned when the crypto map was created. When the no form of the command is used, this argument is optional. Any value supplied for the argument is ignored.

Command Description: To apply a previously defined crypto map set to an interface, use the crypto map interface configuration command. To remove the crypto map set from the interface, use the no form of this command. Usage Guidelines Use this command to assign a crypto map set to an interface. You must assign a crypto map set to an interface before that interface can provide IPSec services. Only one crypto map set can be assigned to an interface. If multiple crypto map entries have the same map-name but a different seq-num, they are considered to be part of the same set and will all be applied to the interface. The crypto map entry with the lowest seq-num is considered the highest priority and will be evaluated first. A single crypto map set can contain a combination of cisco, ipsec-isakmp, and ipsec-manual crypto map entries. Example: The following example assigns crypto map set "mymap" to the S0 interface. When traffic passes through S0, the traffic will be evaluated against all the crypto map entries in the "mymap" set. When outbound traffic matches an access list in one of the "mymap" crypto map entries, a security association will be established per that crypto map entry's configuration (if no security association or connection already exists). router(config)#interface S0 router(config-if)#crypto map mymap

Misconceptions: none Related commands: crypto map (global IPSec) crypto map local-address show crypto map (IPSec) Sample Configurations: ! interface FastEthernet0/1 ip address 10.1.1.2 255.255.255.0 no ip directed-broadcast duplex auto speed auto crypto map mymap !

Command Name: Mode: Syntax:

crypto map local-address router(config)#

crypto map map-name local-address interface-id no crypto map map-name local-address Syntax Description:
mapname Name that identifies the crypto map set. This is the name assigned when the crypto map was created.

interfaceid

The identifying interface that should be used by the router to identify itself to remote peers. If Internet Key Exchange is enabled and you are using a certification authority (CA) to obtain certificates, this should be the interface with the address specified in the CA certificates.

Command Description: To specify and name an identifying interface to be used by the crypto map for IPSec traffic, use the crypto map local-address global configuration command. To remove this command from the configuration, use the no form of this command. Usage Guidelines If you apply the same crypto map to two interfaces and do not use this command, two separate security associations (with different local IP addresses) could be established to the same peer for similar traffic. If you are using the second interface as redundant to the first interface, it could be preferable to have a single security association (with a single local IP address) created for traffic sharing the two interfaces. Having a single security association decreases overhead and makes administration simpler. This command allows a peer to establish a single security association (and use a single local IP address) that is shared by the two redundant interfaces. If applying the same crypto map set to more than one interface, the default behavior is as follows:

Each interface will have its own security association database.

The IP address of the local interface will be used as the local address for IPSec traffic originating from/destined to that interface.

However, if you use a local-address for that crypto map set, it has multiple effects:

Only one IPSec security association database will be established and shared for traffic through both interfaces. The IP address of the specified interface will be used as the local address for IPSec (and IKE) traffic originating from or destined to that interface.

One suggestion is to use a loopback interface as the referenced local address interface, because the loopback interface never goes down. Example: The following example assigns crypto map set "mymap" to the S0 interface and to the S1 interface. When traffic passes through either S0 or S1, the traffic will be evaluated against the all the crypto maps in the "mymap" set. When traffic through either interface matches an access list in one of the "mymap" crypto maps, a security association will be established. This same security association will then apply to both S0 and S1 traffic that matches the originally matched IPSec access list. The local address that IPSec will use on both interfaces will be the IP address of interface loopback0. router(config)#interface S0 router(config-if)#crypto map mymap router(config)#interface S1 router(config-if)#crypto map mymap router(config)#crypto map mymap local-address loopback0 Misconceptions: none Related commands: crypto map (interface IPSec) Sample Configurations:

Command Name: Mode: Syntax:

crypto map (global IPSec) router(config)#

crypto map map-name seq-num ipsec-manual crypto map map-name seq-num ipsec-isakmp [dynamic dynamic-mapname] [discover] no crypto map map-name [seq-num] Syntax Description:
map-name The name that identifies the crypto map set. This is the name assigned when the crypto map was created.

seq-num

The number you assign to the crypto map entry. See additional explanation for using this argument in the "Usage Guidelines" section.

ipsecmanual

Indicates that Internet Key Exchange will not be used to establish the IP Security security associations for protecting the traffic specified by this crypto map entry.

ipsecisakmp

Indicates that IKE will be used to establish the IPSec security associations for protecting the traffic specified by this crypto map entry.

dynamic

(Optional) Specifies that this crypto map entry is to reference a preexisting dynamic crypto map. Dynamic crypto maps are policy templates used in processing negotiation requests from a peer IPSec device. If you use this keyword, none of the crypto map configuration commands will be available.

dynamicmap-name

(Optional) Specifies the name of the dynamic crypto map set that should be used as the policy template.

discover

(Optional) Enables peer discovery. By default, peer discovery is not enabled.

Command Description:

To create or modify a crypto map entry and enter the crypto map configuration mode, use the crypto map global configuration command. To delete a crypto map entry or set, use the no form of this command. Usage Guidelines Use this command to create a new crypto map entry or to modify an existing crypto map entry. Once a crypto map entry has been created, you cannot change the parameters specified at the global configuration level because these parameters determine which of the configuration commands are valid at the crypto map level. For example, once a map entry has been created as ipsec-isakmp, you cannot change it to ipsec-manual or cisco; you must delete and reenter the map entry. After you define crypto map entries, you can assign the crypto map set to interfaces using the crypto map (interface IPSec) command. What Crypto Maps Are For Crypto maps provide two functions: (1) filtering and classifying traffic to be protected and (2) defining the policy to be applied to that traffic. The first use affects the flow of traffic on an interface; the second affects the negotiation performed (via IKE) on behalf of that traffic. IPSec crypto maps link together definitions of the following:

What traffic should be protected Which IPSec peers the protected traffic can be forwarded tothese are the peers with which a security association can be established Which transform sets are acceptable for use with the protected traffic How keys and security associations should be used or managed (or what the keys are, if IKE is not used)

Multiple Crypto Map Entries with the Same map-name Form a Crypto Map Set A crypto map set is a collection of crypto map entries, each with a different seq-num but the same map-name. Therefore, for a given interface, you could have certain traffic forwarded to one IPSec peer with specified security applied to that traffic, and other traffic forwarded to the same or a different IPSec peer with different IPSec security applied. To accomplish this you would create two crypto maps, each with the same map-name, but each with a different seq-num. The seq-num Argument The number you assign to the seq-num argument should not be arbitrary. This number is used to rank multiple crypto map entries within a crypto map set. Within a crypto map set, a crypto map

entry with a lower seq-num is evaluated before a map entry with a higher seq-num; that is, the map entry with the lower number has a higher priority. For example, imagine that there is a crypto map set that contains three crypto map entries: mymap 10, mymap 20, and mymap 30. The crypto map set named mymap is applied to interface Serial 0. When traffic passes through the Serial 0 interface, the traffic is evaluated first for mymap 10. If the traffic matches a permit entry in the extended access list in mymap 10, the traffic will be processed according to the information defined in mymap 10 (including establishing IPSec security associations when necessary). If the traffic does not match the mymap 10 access list, the traffic will be evaluated for mymap 20, and then mymap 30, until the traffic matches a permit entry in a map entry. (If the traffic does not match a permit entry in any crypto map entry, it will be forwarded without any IPSec security.) Dynamic Crypto Maps Refer to the "Usage Guidelines" section of the crypto dynamic-map command for a discussion on dynamic crypto maps. You should make crypto map entries which reference dynamic map sets the lowest priority map entries, so that inbound security association negotiations requests will try to match the static maps first. Only after the request does not match any of the static maps do you want it to be evaluated against the dynamic map set. To make a crypto map entry referencing a dynamic crypto map set the lowest priority map entry, give the map entry the highest seq-num of all the map entries in a crypto map set. Create dynamic crypto map entries using the crypto dynamic-map command. After you create a dynamic crypto map set, add the dynamic crypto map set to a static crypto map set with the crypto map (IPSec global configuration) command using the dynamic keyword. Tunnel Endpoint Discovery Tunnel Endpoint Discovery is an enhancement to the IP Security Protocol (IPSec) feature. Defining a dynamic crypto map allows you to be able to dynamically determine an IPSec peer; however, only the receiving router has this ability. With Tunnel Endpoint Discovery, the initiating router can dynamically determine an IPSec peer for secure IPSec communications. Dynamic Tunnel Endpoint Discovery allows IPSec to scale to large networks by reducing multiple encryptions, reducing the setup time, and allowing for simple configurations on participating peer routers. Each node has a simple configuration that defines the local network that the router is protecting and the IPSec transforms that are required. Example: The following example shows the minimum required crypto map configuration when IKE will be used to establish the security associations: crypto map mymap 10 ipsec-isakmp

match address 101 set transform-set my_t_set1 set peer 10.0.0.1 The following example shows the minimum required crypto map configuration when the security associations are manually established: crypto transform-set someset ah-md5-hmac esp-des crypto map mymap 10 ipsec-manual match address 102 set transform-set someset set peer 10.0.0.5 set session-key inbound ah 256 98765432109876549876543210987654 set session-key outbound ah 256 fedcbafedcbafedcfedcbafedcbafedc set session-key inbound esp 256 cipher 0123456789012345 set session-key outbound esp 256 cipher abcdefabcdefabcd The following example configures an IPSec crypto map set that includes a reference to a dynamic crypto map set. Crypto map "mymap 10" allows security associations to be established between the router and either (or both) of two remote IPSec peers for traffic matching access list 101. Crypto map "mymap 20" allows either of two transform sets to be negotiated with the remote peer for traffic matching access list 102. Crypto map entry "mymap 30" references the dynamic crypto map set "mydynamicmap," which can be used to process inbound security association negotiation requests that do not match "mymap" entries 10 or 20. In this case, if the peer specifies a transform set that matches one of the transform sets specified in "mydynamicmap," for a flow "permitted" by the access list 103, IPSec will accept the request and set up security associations with the remote peer without previously knowing about the remote peer. If accepted, the resulting security associations (and temporary crypto map entry) are established according to the settings specified by the remote peer. The access list associated with "mydynamicmap 10" is also used as a filter. Inbound packets that match a permit statement in this list are dropped for not being IPSec protected. (The same is true for access lists associated with static crypto maps entries.) Outbound packets that match a permit statement without an existing corresponding IPSec SA are also dropped. crypto map mymap 10 ipsec-isakmp match address 101 set transform-set my_t_set1 set peer 10.0.0.1 set peer 10.0.0.2 crypto map mymap 20 ipsec-isakmp match address 102 set transform-set my_t_set1 my_t_set2

set peer 10.0.0.3 crypto map mymap 30 ipsec-isakmp dynamic mydynamicmap ! crypto dynamic-map mydynamicmap 10 match address 103 set transform-set my_t_set1 my_t_set2 my_t_set3 The following example configures Tunnel Endpoint Discovery on a Cisco router: crypto map testtag 10 ipsec-isakmp dynamic dmap discover Misconceptions: none Related commands: crypto dynamic-map crypto map (interface IPSec) crypto map local-address match address (IPSec) set peer (IPSec) set pfs set security-association level per-host set security-association lifetime set session-key set transform-set show crypto map (IPSec) Sample Configurations:

Command Name: Mode: Syntax:

match address (IPSec) router(config-crypto-map)#

match address [access-list-id | name] no match address [access-list-id | name] Syntax Description:
accesslist-id (Optional) Identifies the extended access list by its name or number. This value should match the access-list-number or name argument of the extended access list being matched.

name

(Optional) Identifies the named encryption access list. This name should match the name argument of the named encryption access list being matched.

Command Description: To specify an extended access list for a crypto map entry, use the match address crypto map configuration command. To remove the extended access list from a crypto map entry, use the no form of this command. Usage Guidelines This command is required for all static crypto map entries. If you are defining a dynamic crypto map entry (with the crypto dynamic-map command), this command is not required but is strongly recommended. Use this command to assign an extended access list to a crypto map entry. You also need to define this access list using the access-list or ip access-list extended commands. The extended access list specified with this command will be used by IPSec to determine which traffic should be protected by crypto and which traffic does not need crypto protection. (Traffic that is permitted by the access list will be protected. Traffic that is denied by the access list will not be protected in the context of the corresponding crypto map entry.) Note that the crypto access list is not used to determine whether to permit or deny traffic through the interface. An access list applied directly to the interface makes that determination. The crypto access list specified by this command is used when evaluating both inbound and outbound traffic. Outbound traffic is evaluated against the crypto access lists specified by the interface's crypto map entries to determine if it should be protected by crypto and if so (if traffic

matches a permit entry) which crypto policy applies. (If necessary, in the case of static IPSec crypto maps, new security associations are established using the data flow identity as specified in the permit entry; in the case of dynamic crypto map entries, if no SA exists, the packet is dropped.) After passing the regular access lists at the interface, inbound traffic is evaluated against the crypto access lists specified by the entries of the interface's crypto map set to determine if it should be protected by crypto and, if so, which crypto policy applies. (In the case of IPSec, unprotected traffic is discarded because it should have been protected by IPSec.) In the case of IPSec, the access list is also used to identify the flow for which the IPSec security associations are established. In the outbound case, the permit entry is used as the data flow identity (in general), while in the inbound case the data flow identity specified by the peer must be "permitted" by the crypto access list. Example: The following example shows the minimum required crypto map configuration when IKE will be used to establish the security associations. (This example is for a static crypto map.) router(config)#crypto map mymap 10 ipsec-isakmp router(config-crypto-map)#match address 101 router(config-crypto-map)#set transform-set my_t_set1 router(config-crypto-map)#set peer 10.0.0.1 Misconceptions: none Related commands: crypto dynamic-map crypto map (global IPSec) crypto map (interface IPSec) crypto map local-address set peer (IPSec) set pfs set security-association level per-host set security-association lifetime set session-key set transform-set show crypto map (IPSec) Sample Configurations: crypto isakmp policy 1 hash md5 authentication pre-share crypto isakmp key Delaware address 192.168.10.66

crypto isakmp key Key-What-Key address 192.168.11.19 ! ! crypto ipsec transform-set BearMama ah-md5-hmac esp-des crypto ipsec df-bit clear ! ! crypto map armadillo 1 ipsec-isakmp set peer 192.168.10.66 set transform-set BearMama match address 101 ! crypto map basilisk 1 ipsec-isakmp set peer 192.168.11.19 set transform-set BearMama match address 102 ! ! interface Ethernet0 ip address 192.168.10.38 255.255.255.0 ip broadcast-address 0.0.0.0 media-type 10BaseT crypto map armadillo crypto ipsec df-bit copy ! interface Ethernet1 ip address 192.168.11.75 255.255.255.0 ip broadcast-address 0.0.0.0 media-type 10BaseT crypto map basilisk ! interface Serial0 no ip address ip broadcast-address 0.0.0.0 no ip route-cache no ip mroute-cache

Command Name: Mode: Syntax:

mode (IPSec) router(cfg-crypto-tran)#

mode [tunnel | transport] no mode Syntax Description:


tunnel | transport (Optional) Specifies the mode for a transform set: either tunnel or transport mode. If neither tunnel nor transport is specified, the default (tunnel mode) is assigned.

Command Description: To change the mode for a transform set, use the mode crypto transform configuration command. To reset the mode to the default value of tunnel mode, use the no form of the command. Usage Guidelines Use this command to change the mode specified for the transform. This setting is only used when the traffic to be protected has the same IP addresses as the IPSec peers (this traffic can be encapsulated either in tunnel or transport mode). This setting is ignored for all other traffic (all other traffic is encapsulated in tunnel mode). If the traffic to be protected has the same IP address as the IP Security peers and transport mode is specified, during negotiation the router will request transport mode but will accept either transport or tunnel mode. If tunnel mode is specified, the router will request tunnel mode and will accept only tunnel mode. After you define a transform set, you are put into the crypto transform configuration mode. While in this mode you can change the mode to either tunnel or transport. This change applies only to the transform set just defined. If you do not change the mode when you first define the transform set, but later decide you want to change the mode for the transform set, you must re-enter the transform set (specifying the transform name and all its transforms) and then change the mode. If you use this command to change the mode, the change will only affect the negotiation of subsequent IPSec security associations via crypto map entries which specify this transform set. (If you want the new settings to take effect sooner, you can clear all or part of the security association database. See the clear crypto sa command for more details.

Tunnel Mode With tunnel mode, the entire original IP packet is protected (encrypted, authenticated, or both) and is encapsulated by the IPSec headers and trailers (an Encapsulation Security Protocol header and trailer, an Authentication Header, or both). Then a new IP header is prefixed to the packet, specifying the IPSec endpoints as the source and destination. Tunnel mode can be used with any IP traffic. Tunnel mode must be used if IPSec is protecting traffic from hosts behind the IPSec peers. For example, tunnel mode is used with Virtual Private Networks (VPNs) where hosts on one protected network send packets to hosts on a different protected network via a pair of IPSec peers. With VPNs, the IPSec peers "tunnel" the protected traffic between the peers while the hosts on their protected networks are the session endpoints. Transport Mode With transport mode, only the payload (data) of the original IP packet is protected (encrypted, authenticated, or both). The payload is encapsulated by the IPSec headers and trailers (an ESP header and trailer, an AH header, or both). The original IP headers remain intact and are not protected by IPSec. Use transport mode only when the IP traffic to be protected has IPSec peers as both the source and destination. For example, you could use transport mode to protect router management traffic. Specifying transport mode allows the router to negotiate with the remote peer whether to use transport or tunnel mode. Example: The following example defines a transform set and changes the mode to transport mode. The mode value only applies to IP traffic with the source and destination addresses at the local and remote IPSec peers. router(config)#crypto ipsec transform-set newer esp-des esp-shahmac router(cfg-crypto-tran)#mode transport router(cfg-crypto-tran)#exit Misconceptions: none Related commands: rcrypto ipsec transform-set Sample Configurations:

Command Name: Mode:

set peer (IPSec) router(config-crypto-map)#

Syntax: set peer {hostname | ip-address} no set peer {hostname | ip-address} Syntax Description:
hostname Specifies the IPSec peer by its host name. This is the peer's host name concatenated with its domain name (for example, myhost.example.com).

ipaddress

Specifies the IPSec peer by its IP address.

Command Description: To specify an IP Security peer in a crypto map entry, use the set peer crypto map configuration command. To remove an IPSec peer from a crypto map entry, use the no form of this command. Usage Guidelines Use this command to specify an IPSec peer for a crypto map. This command is required for all static crypto maps. If you are defining a dynamic crypto map (with the crypto dynamic-map command), this command is not required, and in most cases is not used (because, in general, the peer is unknown). For ipsec-isakmp crypto map entries, you can specify multiple peers by repeating this command. The peer that packets are actually sent to is determined by the last peer that the router heard from (received either traffic or a negotiation request from) for a given data flow. If the attempt fails with the first peer, Internet Key Exchange tries the next peer on the crypto map list. For ipsec-manual crypto entries, you can specify only one IPSec peer per crypto map. If you want to change the peer, you must first delete the old peer and then specify the new peer. You can specify the remote IPSec peer by its host name only if the host name is mapped to the peer's IP address in a Domain Name Server or if you manually map the host name to the IP address with the ip host command. Example:

router(config-crypto-map)#set peer 10.0.0.1 router(config-crypto-map)#set peer 10.0.0.2 Misconceptions: none Related commands: crypto dynramic-map crypto map (global IPSec) crypto map (interface IPSec) crypto map local-address match address (IPSec) set pfs set security-association level per-host set security-association lifetime set session-key set transform-set show crypto map (IPSec) Sample Configurations: crypto map mymap 10 ipsec-isakmp match address 101 set transform-set my_t_set1 set peer 10.0.0.1 set peer 10.0.0.2

Command Name: Mode:

set pfs router(config-crypto-map)#

Syntax: set pfs [group1 | group2] no set pfs Syntax Description:


group1 (Optional) Specifies that IPSec should use the 768-bit Diffie-Hellman prime modulus group when performing the new Diffie-Hellman exchange.

group2

(Optional) Specifies that IPSec should use the 1024-bit Diffie-Hellman prime modulus group when performing the new Diffie-Hellman exchange.

Command Description: To specify that IP Security should ask for perfect forward secrecy (PFS) when requesting new security associations for this crypto map entry, or that IPSec requires PFS when receiving requests for new security associations, use the set pfs crypto map configuration command. To specify that IPSec should not request PFS, use the no form of the command. Usage Guidelines This command is only available for ipsec-isakmp crypto map entries and dynamic crypto map entries. During negotiation, this command causes IPSec to request PFS when requesting new security associations for the crypto map entry. The default (group1) is sent if the set pfs statement does not specify a group. If the peer initiates the negotiation and the local configuration specifies PFS, the remote peer must perform a PFS exchange or the negotiation will fail. If the local configuration does not specify a group, a default of group1 will be assumed, and an offer of either group1 or group2 will be accepted. If the local configuration specifies group2, that group must be part of the peer's offer or the negotiation will fail. If the local configuration does not specify PFS it will accept any offer of PFS from the peer. PFS adds another level of security because if one key is ever cracked by an attacker then only the data sent with that key will be compromised. Without PFS, data sent with other keys could be also compromised.

With PFS, every time a new security association is negotiated, a new Diffie-Hellman exchange occurs. (This exchange requires additional processing time.) The 1024-bit Diffie-Hellman prime modulus group, group2, provides more security than group1, but requires more processing time than group1. Example: The following example specifies that PFS should be used whenever a new security association is negotiated for the crypto map "mymap 10": router(config)#crypto map mymap 10 ipsec-isakmp router(config-crypto-map)#set pfs group2 Misconceptions: none Related commands: crypto dynamic-map crypto map (global IPSec) crypto map (interface IPSec) crypto map local-address match address (IPSec) set peer (IPSec) set security-association level per-host set security-association lifetime set transform-set show crypto map (IPSec) Sample Configurations: ! crypto ipsec profile foo-profile set transform-set foo-transforms set pfs group2 !

Command Name: Mode: Syntax:

set security-association level per-host router(config-crypto-map)#

set security-association level per-host no set security-association level per-host Syntax Description: This command has no arguments or keywords. Command Description: To specify that separate IP Security security associations should be requested for each source/destination host pair, use the set security-association level per-host crypto map configuration command. To specify that one security association should be requested for each crypto map access list permit entry, use the no form of this command. Usage Guidelines This command is only available for ipsec-isakmp crypto map entries and is not supported for dynamic crypto map entries. When you use this command, you need to specify that a separate security association should be used for each source/destination host pair. Normally, within a given crypto map, IPSec will attempt to request security associations at the granularity specified by the access list entry. For example, if the access list entry permits IP protocol traffic between subnet A and subnet B, IPSec will attempt to request security associations between subnet A and subnet B (for any IP protocol), and unless finer-grained security associations are established (by a peer request), all IPSec-protected traffic between these two subnets would use the same security association. This command causes IPSec to request separate security associations for each source/destination host pair. In this case, each host pairing (where one host was in subnet A and the other host was in subnet B) would cause IPSec to request a separate security association. With this command, one security association would be requested to protect traffic between host A and host B, and a different security association would be requested to protect traffic between host A and host C. The access list entry can specify local and remote subnets, or it can specify a host-and-subnet combination. If the access list entry specifies protocols and ports, these values are applied when establishing the unique security associations.

Use this command with care, as multiple streams between given subnets can rapidly consume system resources. Example: The following example shows what happens with an access list entry of permit ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255 and a per-host level:

A packet from 1.1.1.1 to 2.2.2.1 will initiate a security association request, which would look like it originated via permit ip host 1.1.1.1 host 2.2.2.1. A packet from 1.1.1.1 to 2.2.2.2 will initiate a security association request, which would look like it originated via permit ip host 1.1.1.1 host 2.2.2.2. A packet from 1.1.1.2 to 2.2.2.1 will initiate a security association request, which would look like it originated via permit ip host 1.1.1.2 host 2.2.2.1.

Without the per-host level, any of the above packets will initiate a single security association request originated via permit ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255. Misconceptions: none Related commands: crypto dynamic-map crypto map (global IPSec) crypto map (interface IPSec) crypto map local-address match address (IPSec) set peer (IPSec) set pfs set security-association lifetime set transform-set show crypto map (IPSec) Sample Configurations:

Command Name: Mode: Syntax:

set security-association lifetime router(config-crypto-map)#

set security-association lifetime {seconds seconds | kilobytes kilobytes} no set security-association lifetime {seconds | kilobytes} Syntax Description:
seconds seconds Specifies the number of seconds a security association will live before expiring.

kilobytes kilobytes

Specifies the volume of traffic (in kilobytes) that can pass between IPSec peers using a given security association before that security association expires.

Command Description: To override (for a particular crypto map entry) the global lifetime value, which is used when negotiating IP Security security associations, use the set security-association lifetime crypto map configuration command. To reset a crypto map entry's lifetime value to the global value, use the no form of this command. Usage Guidelines This command is available only for ipsec-isakmp crypto map entries and dynamic crypto map entries. IPSec security associations use shared secret keys. These keys and their security associations time out together. Assuming that the particular crypto map entry has lifetime values configured, when the router requests new security associations during security association negotiation, it will specify its crypto map lifetime value in the request to the peer; it will use this value as the lifetime of the new security associations. When the router receives a negotiation request from the peer, it will use the smaller of the lifetime value proposed by the peer or the locally configured lifetime value as the lifetime of the new security associations. There are two lifetimes: a "timed" lifetime and a "traffic-volume" lifetime. The session keys/security association expires after the first of these lifetimes is reached.

If you change a lifetime, the change will not be applied to existing security associations, but will be used in subsequent negotiations to establish security associations for data flows supported by this crypto map entry. If you want the new settings to take effect sooner, you can clear all or part of the security association database by using the clear crypto sa command. Refer to the clear crypto sa command for more detail. To change the timed lifetime, use the set security-association lifetime seconds form of the command. The timed lifetime causes the keys and security association to time out after the specified number of seconds have passed. To change the traffic-volume lifetime, use the set security-association lifetime kilobytes form of the command. The traffic-volume lifetime causes the key and security association to time out after the specified amount of traffic (in kilobytes) has been protected by the security association's key. Shorter lifetimes can make it harder to mount a successful key recovery attack, because the attacker has less data encrypted under the same key to work with. However, shorter lifetimes need more CPU processing time. The lifetime values are ignored for manually established security associations (security associations installed via an ipsec-manual crypto map entry). How These Lifetimes Work Assuming that the particular crypto map entry does not have lifetime values configured, when the router requests new security associations it will specify its global lifetime values in the request to the peer; it will use this value as the lifetime of the new security associations. When the router receives a negotiation request from the peer, it will use the smaller of either the lifetime value proposed by the peer or the locally configured lifetime value as the lifetime of the new security associations. The security association (and corresponding keys) will expire according to whichever occurs sooner, either after the seconds time out or after the kilobytes amount of traffic is passed. A new security association is negotiated before the lifetime threshold of the existing security association is reached, to ensure that a new security association is ready for use when the old one expires. The new security association is negotiated either 30 seconds before the seconds lifetime expires or when the volume of traffic through the tunnel reaches 256 kilobytes less than the kilobytes lifetime (whichever occurs first). If no traffic has passed through the tunnel during the entire life of the security association, a new security association is not negotiated when the lifetime expires. Instead, a new security association will be negotiated only when IPSec sees another packet that should be protected. Example: The following example shortens the timed lifetime for a particular crypto map entry, because there is a higher risk that the keys could be compromised for security associations belonging to

the crypto map entry. The traffic-volume lifetime is not changed because there is not a high volume of traffic anticipated for these security associations. The timed lifetime is shortened to 2700 seconds (45 minutes). router(config)#crypto map mymap 10 ipsec-isakmp router(config-crypto-map)#set security-association lifetime seconds 2700 Misconceptions: none Related commands: crypto dynamic-map crypto ipsec security-association lifetime crypto map (global IPSec) crypto map (interface IPSec) crypto map local-address match address (IPSec) set peer (IPSec) set pfs set security-association level per-host set transform-set show crypto map (IPSec) Sample Configurations:

Command Name: Mode: Syntax:

set session-key router(config-crypto-map)#

set session-key {inbound | outbound} ah spi hex-key-string set session-key {inbound | outbound} esp spi cipher hex-keystring [authenticator hex-key-string] no set session-key {inbound | outbound} ah no set session-key {inbound | outbound} esp Syntax Description:
inbound Sets the inbound IPSec session key. (You must set both inbound and outbound keys.)

outbound

Sets the outbound IPSec session key. (You must set both inbound and outbound keys.)

ah

Sets the IPSec session key for the Authentication Header protocol. Use when the crypto map entry's transform set includes an AH transform.

esp

Sets the IPSec session key for the Encapsulation Security Protocol. Use when the crypto map entry's transform set includes an ESP transform.

spi

Specifies the security parameter index (SPI), a number that is used to uniquely identify a security association. The SPI is an arbitrary number you assign in the range of 256 to 4,294,967,295 (FFFF FFFF). You can assign the same SPI to both directions and both protocols. However, not all peers have the same flexibility in SPI assignment. For a given destination address/protocol combination, unique SPI values must be used. The destination address is that of the router if inbound, the peer if outbound.

hex-key-string

Specifies the session key; enter in hexadecimal format. This is an arbitrary hexadecimal string of 8, 16, or 20 bytes. If the crypto map's transform set includes a DES algorithm, specify at least 8 bytes per

key. If the crypto map's transform set includes an MD5 algorithm, specify at least 16 bytes per key. If the crypto map's transform set includes an SHA algorithm, specify 20 bytes per key. Keys longer than the above sizes are simply truncated.

cipher

Indicates that the key string is to be used with the ESP encryption transform.

authenticator

(Optional) Indicates that the key string is to be used with the ESP authentication transform. This argument is required only when the crypto map entry's transform set includes an ESP authentication transform.

Command Description: To manually specify the IP Security session keys within a crypto map entry, use the set sessionkey crypto map configuration command. This command is only available for ipsec-manual crypto map entries. To remove IPSec session keys from a crypto map entry, use the no form of this command. Usage Guidelines Use this command to define IPSec keys for security associations via ipsec-manual crypto map entries. (In the case of ipsec-isakmp crypto map entries, the security associations with their corresponding keys are automatically established via the IKE negotiation.) If the crypto map's transform set includes an AH protocol, you must define IPSec keys for AH for both inbound and outbound traffic. If the crypto map's transform set includes an ESP encryption protocol, you must define IPSec keys for ESP encryption for both inbound and outbound traffic. If your transform set includes an ESP authentication protocol, you must define IPSec keys for ESP authentication for inbound and outbound traffic. When you define multiple IPSec session keys within a single crypto map, you can assign the same security parameter index (SPI) number to all the keys. The SPI is used to identify the security association used with the crypto map. However, not all peers have the same flexibility in SPI assignment. You should coordinate SPI assignment with your peer's operator, making certain that the same SPI is not used more than once for the same destination address/protocol combination. Security associations established via this command do not expire (unlike security associations established via IKE). Session keys at one peer must match the session keys at the remote peer.

If you change a session key, the security association using the key will be deleted and reinitialized. Example: The following example shows a crypto map entry for manually established security associations. The transform set "t_set" includes only an AH protocol. crypto ipsec transform-set t_set ah-sha-hmac ! crypto map mymap 20 ipsec-manual match address 102 set transform-set t_set set peer 10.0.0.21 set session-key inbound ah 300 1111111111111111111111111111111111111111 set session-key outbound ah 300 2222222222222222222222222222222222222222 The following example shows a crypto map entry for manually established security associations. The transform set "someset" includes both an AH and an ESP protocol, so session keys are configured for both AH and ESP for both inbound and outbound traffic. The transform set includes both encryption and authentication ESP transforms, so session keys are created for both using the cipher and authenticator keywords. crypto ipsec transform-set someset ah-sha-hmac esp-des esp-shahmac ! crypto map mymap 10 ipsec-manual match address 101 set transform-set someset set peer 10.0.0.1 set session-key inbound ah 300 9876543210987654321098765432109876543210 set session-key outbound ah 300 fedcbafedcbafedcbafedcbafedcbafedcbafedc set session-key inbound esp 300 cipher 0123456789012345 authenticator 0000111122223333444455556666777788889999 set session-key outbound esp 300 cipher abcdefabcdefabcd authenticator 9999888877776666555544443333222211110000 Misconceptions: none Related commands:

crypto map (global IPSec) crypto map (interface IPSec) crypto map local-address match address (IPSec) set peer (IPSec) set transform-set show crypto map (IPSec) Sample Configurations:

Command Name: Mode: Syntax:

set transform-set router(config-crypto-map)#

set transform-set transform-set-name [transform-setname2...transform-set-name6] no set transform-set Syntax Description:


transform-setname Name of the transform set. For an ipsec-manual crypto map entry, you can specify only one transform set. For an ipsec-isakmp or dynamic crypto map entry, you can specify up to 6 transform sets.

Command Description: To specify which transform sets can be used with the crypto map entry, use the set transformset crypto map configuration command. To remove all transform sets from a crypto map entry, use the no form of this command. Usage Guidelines This command is required for all static and dynamic crypto map entries. Use this command to specify which transform sets to include in a crypto map entry. For an ipsec-isakmp crypto map entry, you can list multiple transform sets with this command. List the higher priority transform sets first. If the local router initiates the negotiation, the transform sets are presented to the peer in the order specified in the crypto map entry. If the peer initiates the negotiation, the local router accepts the first transform set that matches one of the transform sets specified in the crypto map entry. The first matching transform set that is found at both peers is used for the security association. If no match is found, IPSec will not establish a security association. The traffic will be dropped because there is no security association to protect the traffic.

For an ipsec-manual crypto map entry, you can specify only one transform set. If the transform set does not match the transform set at the remote peer's crypto map, the two peers will fail to correctly communicate because the peers are using different rules to process the traffic. If you want to change the list of transform sets, re-specify the new list of transform sets to replace the old list. This change is only applied to crypto map entries that reference this transform set. The change will not be applied to existing security associations, but will be used in subsequent negotiations to establish new security associations. If you want the new settings to take effect sooner, you can clear all or part of the security association database by using the clear crypto sa command. Any transform sets included in a crypto map must previously have been defined using the crypto ipsec transform-set command. Example: The following example defines two transform sets and specifies that they can both be used within a crypto map entry. (This example applies only when IKE is used to establish security associations. With crypto maps used for manually established security associations, only one transform set can be included in a given crypto map entry.) router(config)#crypto ipsec transform-set my_t_set1 esp-des espsha-hmac router(config)#crypto ipsec transform-set my_t_set2 ah-sha-hmac esp-des esp-sha-hmac ! router(config)#crypto map mymap 10 ipsec-isakmp router(config-crypto-map)#match address 101 router(config-crypto-map)#set transform-set my_t_set1 my_t_set2 router(config-crypto-map)#set peer 10.0.0.1 router(config-crypto-map)#set peer 10.0.0.2 In this example, when traffic matches access list 101, the security association can use either transform set "my_t_set1" (first priority) or "my_t_set2" (second priority) depending on which transform set matches the remote peer's transform sets. Misconceptions: none Related commands: none Sample Configurations: crypto isakmp policy 1

hash md5 authentication pre-share crypto isakmp key Delaware address 192.168.10.66 crypto isakmp key Key-What-Key address 192.168.11.19 ! ! crypto ipsec transform-set BearMama ah-md5-hmac esp-des crypto ipsec df-bit clear ! ! crypto map armadillo 1 ipsec-isakmp set peer 192.168.10.66 set transform-set BearMama match address 101 ! crypto map basilisk 1 ipsec-isakmp set peer 192.168.11.19 set transform-set BearMama match address 102 ! ! interface Ethernet0 ip address 192.168.10.38 255.255.255.0 ip broadcast-address 0.0.0.0 media-type 10BaseT crypto map armadillo crypto ipsec df-bit copy ! interface Ethernet1 ip address 192.168.11.75 255.255.255.0 ip broadcast-address 0.0.0.0 media-type 10BaseT crypto map basilisk ! interface Serial0 no ip address ip broadcast-address 0.0.0.0 no ip route-cache no ip mroute-cache

Command Name: Mode: Syntax:

show crypto dynamic-map router#

show crypto dynamic-map [tag map-name] Syntax Description:


tag map-name (Optional) Displays only the crypto dynamic map set with the specified map-name.

Command Description: To view a dynamic crypto map set, use the show crypto dynamic-map privileged EXEC command. Example: router# show crypto dynamic-map Misconceptions: none Related commands: none Sample Configurations: Router# show crypto dynamic-map

Crypto Map Template"dyn1" 10 Extended IP access list 152 access-list 152 permit ip source: addr = 172.21.114.67/0.0.0.0 dest: addr = 0.0.0.0/255.255.255.255 Current peer: 0.0.0.0 Security association lifetime: 4608000 kilobytes/120 seconds PFS (Y/N): N Transform sets={ tauth, t1, }

Command Name: Mode: Syntax:

show crypto ipsec sa router#

show crypto ipsec sa [map map-name | address | identity] [detail] Syntax Description:
map mapname (Optional) Displays any existing security associations created for the crypto map set named map-name.

address

(Optional) Displays the all existing security associations, sorted by the destination address (either the local address or the address of the IP Security remote peer) and then by protocol (Authentication Header or Encapsulation Security Protocol).

identity

(Optional) Displays only the flow information. It does not show the security association information.

detail

(Optional) Displays detailed error counters. (The default is the high level send/receive error counters.)

Command Description: To view the settings used by current security associations, use the show crypto ipsec sa privileged EXEC command. Usage Guidelines If no keyword is used, all security associations are displayed. They are sorted first by interface, and then by traffic flow (for example, source/destination address, mask, protocol, port). Within a flow, the security associations are listed by protocol (ESP/AH) and direction (inbound/outbound). Example:
router# show crypto ipsec sa

Misconceptions: none

Related commands: none Sample Configurations: router# show crypto ipsec sa interface: Ethernet0 Crypto map tag: router-alice, local addr. 172.21.114.123 local ident (addr/mask/prot/port): (172.21.114.123/255.255.255.255/0/0) remote ident (addr/mask/prot/port): (172.21.114.67/255.255.255.255/0/0) current_peer: 172.21.114.67 PERMIT, flags={origin_is_acl,} #pkts encaps: 10, #pkts encrypt: 10, #pkts digest 10 #pkts decaps: 10, #pkts decrypt: 10, #pkts verify 10 #send errors 10, #recv errors 0 local crypto endpt.: 172.21.114.123, remote crypto endpt.: 172.21.114.67 path mtu 1500, media mtu 1500 current outbound spi: 20890A6F inbound esp sas: spi: 0x257A1039(628756537) transform: esp-des esp-md5-hmac , in use settings ={Tunnel, } slot: 0, conn id: 26, crypto map: router-alice sa timing: remaining key lifetime (k/sec): (4607999/90) IV size: 8 bytes replay detection support: Y inbound ah sas: outbound esp sas: spi: 0x20890A6F(545852015) transform: esp-des esp-md5-hmac , in use settings ={Tunnel, } slot: 0, conn id: 27, crypto map: router-alice sa timing: remaining key lifetime (k/sec): (4607999/90) IV size: 8 bytes replay detection support: Y

outbound ah sas: interface: Tunnel0 Crypto map tag: router-alice, local addr. 172.21.114.123 local ident (addr/mask/prot/port): (172.21.114.123/255.255.255.255/0/0) remote ident (addr/mask/prot/port): (172.21.114.67/255.255.255.255/0/0) current_peer: 172.21.114.67 PERMIT, flags={origin_is_acl,} #pkts encaps: 10, #pkts encrypt: 10, #pkts digest 10 #pkts decaps: 10, #pkts decrypt: 10, #pkts verify 10 #send errors 10, #recv errors 0 local crypto endpt.: 172.21.114.123, remote crypto endpt.: 172.21.114.67 path mtu 1500, media mtu 1500 current outbound spi: 20890A6F inbound esp sas: spi: 0x257A1039(628756537) transform: esp-des esp-md5-hmac , in use settings ={Tunnel, } slot: 0, conn id: 26, crypto map: router-alice sa timing: remaining key lifetime (k/sec): (4607999/90) IV size: 8 bytes replay detection support: Y inbound ah sas: outbound esp sas: spi: 0x20890A6F(545852015) transform: esp-des esp-md5-hmac , in use settings ={Tunnel, } slot: 0, conn id: 27, crypto map: router-alice sa timing: remaining key lifetime (k/sec): (4607999/90) IV size: 8 bytes replay detection support: Y outbound ah sas:

Command Name: lifetime Mode: Syntax:

show crypto ipsec security-association

router#

show crypto ipsec security-association lifetime Syntax Description: This command has no arguments or keywords. Command Description: To view the security-association lifetime value configured for a particular crypto map entry, use the show crypto ipsec security-association lifetime privileged EXEC command. Example: router# show crypto ipsec security-association lifetime Misconceptions: none Related commands: none Sample Configurations: router# show crypto ipsec security-association lifetime Security-association lifetime: 4608000 kilobytes/120 seconds

Command Name: Mode: Syntax:

show crypto ipsec transform-set router#

show crypto ipsec transform-set [tag transform-set-name] Syntax Description:


tag transform-setname (Optional) Displays only the transform sets with the specified transform-setname.

Command Description: To view the configured transform sets, use the show crypto ipsec transform-set privileged EXEC command. Example: router# show crypto ipsec transform-set Misconceptions: none Related commands: none Sample Configurations: router# show crypto ipsec transform-set Transform set combined-des-sha: { esp-des esp-sha-hmac will negotiate = { Tunnel, }, Transform set combined-des-md5: { esp-des esp-md5-hmac will negotiate = { Tunnel, }, Transform set t1: { esp-des esp-md5-hmac will negotiate = { Tunnel, }, Transform set t100: { ah-sha-hmac } will negotiate = { Transport, }, } }

Transform set t2: { ah-sha-hmac } will negotiate = { Tunnel, }, { esp-des } will negotiate = { Tunnel, },

Command Name: Mode: Syntax:

show crypto map router#

show crypto map [interface interface | tag map-name] Syntax Description:


interface interface (Optional) Displays only the crypto map set applied to the specified interface.

tag map-name

(Optional) Displays only the crypto map set with the specified map-name.

Command Description: To view the crypto map configuration, use the show crypto map privileged EXEC command. Example: router# show crypto map Misconceptions: none Related commands: none Sample Configurations: router# show crypto map

Crypto Map: "router-alice" idb: Ethernet0 local address: 172.21.114.123 Crypto Map "router-alice" 10 ipsec-isakmp Peer = 172.21.114.67 Extended IP access list 141 access-list 141 permit ip source: addr = 172.21.114.123/0.0.0.0

dest: addr = 172.21.114.67/0.0.0.0 Current peer: 172.21.114.67 Security-association lifetime: 4608000 kilobytes/120 seconds PFS (Y/N): N Transform sets={ t1, }

debug aaa accounting


To display information on accountable events as they occur, use the debug aaa accounting privileged EXEC command. To disable debugging output, use the no form of the command. debug aaa accounting no debug aaa accounting

Syntax Description
This command has no arguments or keywords.

Usage Guidelines
The information displayed by the debug aaa accounting command is independent of the accounting protocol used to transfer the accounting information to a server. Use the debug tacacs and debug radius protocolspecific commands to get more detailed information about protocol-level issues. You can also use the show accounting command to step through all active sessions and to print all the accounting records for actively accounted functions. The show accounting command allows you to display the active "accountable events" on the system. It provides systems administrators a quick look at what is happening, and may also be useful for collecting information in the event of a data loss of some kind on the accounting server. The show accounting command displays additional data on the internal state of the authentication, authorization, and accounting (AAA) security system if debug aaa accounting is turned on as well.

Examples
The following is sample output from the debug aaa accounting command:
Router# debug aaa accounting 16:49:21: AAA/ACCT: EXEC acct start, line 10 16:49:32: AAA/ACCT: Connect start, line 10, glare 16:49:47: AAA/ACCT: Connection acct stop: task_id=70 service=exec port=10 protocol=telnet address=172.31.3.78 cmd=glare bytes_in=308 bytes_out=76 paks_in=45 paks_out=54 elapsed_time=14

Related Commands
Command debug aaa Description Displays information on accountable events as

authentication

they occur.

debug aaa authorization

Displays information on AAA/TACACS+ authorization.

debug radius

Displays information associated with the RADIUS.

debug tacacs

Displays information associated with the TACACS.

debug aaa authentication


To display information on AAA/Terminal Access Controller Access Control System Plus (TACACS+) authentication, use the debug aaa authentication privileged EXEC command. To disable debugging command, use the no form of the command. debug aaa authentication no debug aaa authentication

Syntax Description
This command has no arguments or keywords.

Usage Guidelines
Use this command to learn the methods of authentication being used and the results of these methods.

Examples
The following is sample output from the debug aaa authentication command. A single EXEC login that uses the "default" method list and the first method, TACACS+, is displayed. The TACACS+ server sends a GETUSER request to prompt for the username and then a GETPASS request to prompt for the password, and finally a PASS response to indicate a successful login. The number 50996740 is the session ID, which is unique for each authentication. Use this ID number to distinguish between different authentications if several are occurring concurrently.
Router# debug aaa authentication 6:50:12: AAA/AUTHEN: create_user user='' ruser='' port='tty19' rem_addr='172.31.60.15' authen_type=1 service=1 priv=1 6:50:12: AAA/AUTHEN/START (0): port='tty19' list='' action=LOGIN service=LOGIN 6:50:12: AAA/AUTHEN/START (0): using "default" list 6:50:12: AAA/AUTHEN/START (50996740): Method=TACACS+ 6:50:12: TAC+ (50996740): received authen response status = GETUSER 6:50:12: AAA/AUTHEN (50996740): status = GETUSER 6:50:15: AAA/AUTHEN/CONT (50996740): continue_login 6:50:15: AAA/AUTHEN (50996740): status = GETUSER 6:50:15: AAA/AUTHEN (50996740): Method=TACACS+ 6:50:15: TAC+: send AUTHEN/CONT packet 6:50:15: TAC+ (50996740): received authen response status = GETPASS 6:50:15: AAA/AUTHEN (50996740): status = GETPASS 6:50:20: AAA/AUTHEN/CONT (50996740): continue_login 6:50:20: AAA/AUTHEN (50996740): status = GETPASS 6:50:20: AAA/AUTHEN (50996740): Method=TACACS+ 6:50:20: TAC+: send AUTHEN/CONT packet 6:50:20: TAC+ (50996740): received authen response status = PASS 6:50:20: AAA/AUTHEN (50996740): status = PASS

debug aaa authorization


To display information on AAA/TACACS+ authorization, use the debug aaa authorization privileged EXEC command. To disable debugging output, use the no form of the command. debug aaa authorization no debug aaa authorization

Syntax Description
This command has no arguments or keywords.

Usage Guidelines
Use this command to learn the methods of authorization being used and the results of these methods.

Examples
The following is sample output from the debug aaa authorization command. In this display, an EXEC authorization for user "carrel" is performed. On the first line, the username is authorized. On the second and third lines, the attribute value (AV) pairs are authorized. The debug output displays a line for each AV pair that is authenticated. Next, the display indicates the authorization method used. The final line in the display indicates the status of the authorization process, which, in this case, has failed.
Router# debug aaa authorization 2:23:21: AAA/AUTHOR (0): user='carrel' 2:23:21: AAA/AUTHOR (0): send AV service=shell 2:23:21: AAA/AUTHOR (0): send AV cmd* 2:23:21: AAA/AUTHOR (342885561): Method=TACACS+ 2:23:21: AAA/AUTHOR/TAC+ (342885561): user=carrel 2:23:21: AAA/AUTHOR/TAC+ (342885561): send AV service=shell 2:23:21: AAA/AUTHOR/TAC+ (342885561): send AV cmd* 2:23:21: AAA/AUTHOR (342885561): Post authorization status = FAIL

The aaa authorization command causes a request packet containing a series of AV pairs to be sent to the TACACS daemon as part of the authorization process. The daemon responds in one of the following three ways:

Accepts the request as is Makes changes to the request Refuses the request, thereby refusing authorization

Table 4 describes AV pairs associated with the debug aaa authorization command that may show up in the debug output. Table 4 Attribute Value Pairs for Authorization

Attribute Value Description service=arap Authorization for the ARA protocol is being requested. service=shell Authorization for EXEC startup and command authorization is being requested. Authorization for PPP is being requested. Authorization for SLIP is being requested. Authorization for LCP is being requested (lower layer of PPP). Used with service=slip and service=slip to indicate which protocol layer is being authorized. Used with service=ppp to indicate which protocol layer is being authorized. Used with service=ppp or service=arap to indicate which protocol layer is being authorized. Used with service=ppp for VINES over PPP.

service=ppp service=slip protocol=lcp

protocol=ip

protocol=ipx

protocol=atalk

protocol=vines

protocol=unknown Used for undefined or unsupported conditions. cmd=x Used with service=shell, if cmd=NULL, this is an authorization request to start an EXEC. If cmd is not NULL, this is a command authorization request and will contain the name of the command being authorized. For example, cmd=telnet. Used with service=shell. When performing command authorization, the name of the command is given by a cmd=x pair for each argument listed. For example, cmdarg=archie.sura.net. Used with service=shell and service=arap. For ARA, this pair contains an access list number. For service=shell, this pair contains an access class number. For example, acl=2. Used with service=ppp and protocol=ip. Contains an IP input

cmd-arg=x

acl=x

inacl=x

access list for SLIP or PPP/IP. For example, inacl=2. outacl=x Used with service=ppp and protocol=ip. Contains an IP output access list for SLIP or PPP/IP. For example, outacl=4. Used with service=slip, service=ppp, and protocol=ip. Contains the IP address that the remote host should use when connecting via SLIP or PPP/IP. For example, addr=172.30.23.11. Used with service=slip, service=ppp, and protocol=ip. Equivalent in function to the /routing flag in SLIP and PPP commands. Can either be true or false. For example, routing=true. Used with service=arap. The number of minutes before an ARA session disconnects. For example, timeout=60. Used with service=shell and cmd=NULL. Specifies an autocommand to be executed at EXEC startup. For example, autocmd=telnet yxz.com. Used with service=shell and cmd=NULL. Specifies a noescape option to the username configuration command. Can be either true or false. For example, noescape=true. Used with service=shell and cmd=NULL. Specifies a nohangup option to the username configuration command. Can be either true or false. For example, nohangup=false. Used with service=shell and cmd=NULL. Specifies the current privilege level for command authorization as a number from 0 to 15. For example, priv-lvl=15. Used with service=arap. Specifies an AppleTalk zonelist for ARA. For example, zonelist=5. Used with service=ppp and protocol=ip. Specifies the name of a local pool from which to get the address of the remote host.

addr=x

routing=x

timeout=x

autocmd=x

noescape=x

nohangup=x

priv-lvl=x

zonelist=x

addr-pool=x

debug aaa pod


To display debug messages related to POD packets, use the debug aaa pod privileged EXEC command. To disable debugging output, use the no form of this command. debug aaa pod no debug aaa pod

Syntax Description
This command has no keywords or arguments.

Defaults
Debugging for POD packets is not enabled.

Command History
Release 12.1(3)T Modification This command was introduced.

Examples
The following example shows output from a successful POD request when the show debug command is used.
Router# debug aaa pod AAA POD packet processing debugging is on Router# show debug General OS: AAA POD packet processing debugging is on Router# *Jul 9 16:04:32.271:POD:10.100.1.34 request queued *Jul 9 16:04:32.271:POD:10.100.1.34 user 0.0.0.0 sessid 0x0 key 0xA5AFA004 *Jul 9 16:04:32.271:POD: Line User IDB Session Id Key *Jul 9 16:04:32.271:POD:Skip Se0:21 meklund 0.0.0.0 0x0 0x0 *Jul 9 16:04:32.271:POD:KILL Se0:22 meklund 0.0.0.0 0x60000020 0xA5AFA004 *Jul 9 16:04:32.271:POD:Sending ACK to 10.100.1.34/1812 --Interface Se0:22 was killed because the pod request contained a key of 0xA5AFA004 and pod was configured with the command aaa pod server port 1812 auth-type any server-key mykey

Related Commands
Command Description

aaa pod server

Enables the POD feature.

debug arp
To display information on Address Resolution Protocol (ARP) transactions, use the debug arp privileged EXEC command. The no form of this command disables debugging output. debug arp no debug arp

Syntax Description
This command has no arguments or keywords.

Usage Guidelines
Use this command when some nodes on a TCP/IP network are responding, but others are not. It shows whether the router is sending ARP packets and whether it is receiving ARP packets.

Examples
The following is sample output from the debug arp command:
Router# debug arp IP ARP: sent req 172.16.22.7 0000.0c01.e117, dst 172.16.22.96 0000.0000.0000 IP ARP: rcvd rep 172.16.22.96 0800.2010.b908, dst 172.16.22.7 IP ARP: rcvd req 172.16.6.10 0000.0c00.6fa2, dst 172.16.6.62 IP ARP: rep filtered 172.16.22.7 aa92.1b36.a456, dst 255.255.255.255 ffff.ffff.ffff IP ARP: rep filtered 172.16.9.7 0000.0c00.6b31, dst 172.16.22.7 0800.2010.b908

In the output, each line of output represents an ARP packet that the router sent or received. Explanations for the individual lines of output follow. The first line indicates that the router at IP address 172.16.22.7 and MAC address 0000.0c01.e117 sent an ARP request for the MAC address of the host at 172.16.22.96. The series of zeros (0000.0000.0000) following this address indicate that the router is currently unaware of the MAC address.
IP ARP: sent req 172.16.22.7 0000.0c01.e117, dst 172.16.22.96 0000.0000.0000

The second line indicates that the router at IP address 172.16.22.7 receives a reply from the host at 172.16.22.96 indicating that its MAC address is 0800.2010.b908:
IP ARP: rcvd rep 172.16.22.96 0800.2010.b908, dst 172.16.22.7

The third line indicates that the router receives an ARP request from the host at 172.16.6.10 requesting the MAC address for the host at 172.16.6.62:

IP ARP: rcvd req 172.16.6.10 0000.0c00.6fa2, dst 172.16.6.62

The fourth line indicates that another host on the network attempted to send the router an ARP reply for its own address. The router ignores meaningless replies. Usually, meaningless replies happen if a bridge is being run in parallel with the router and is allowing ARP to be bridged. This condition indicates a network misconfiguration.
IP ARP: rep filtered 172.16.22.7 aa92.1b36.a456, dst 255.255.255.255 ffff.ffff.ffff

The fifth line indicates that another host on the network attempted to inform the router that it is on network 172.16.9.7, but the router does not know that the network is attached to a different router interface. The remote host (probably a PC or an X terminal) is misconfigured. If the router were to install this entry, it would deny service to the real machine on the proper cable.
IP ARP: rep filtered 172.16.9.7 0000.0c00.6b31, dst 172.16.22.7 0800.2010.b908

debug cdp ip
To enable debug output for the IP routing information that is carried and processed by the Cisco Discovery Protocol (CDP), use the debug cdp ip privileged EXEC command. The no form of this command disables debugging output. debug cdp ip no debug cdp ip

Syntax Description
This command has no arguments or keywords.

Usage Guidelines
CDP is a media- and protocol-independent device-discovery protocol that runs on all Cisco routers. You can use the debug cdp ip command to determine the IP network prefixes CDP is advertising and whether CDP is correctly receiving this information from neighboring routers. Use the debug cdp ip command with the debug ip routing command to debug problems that occur when on-demand routing (ODR) routes are not installed in the routing table at a hub router. You can also use the debug cdp ip command with the debug cdp packet and debug cdp adjacency commands along with encapsulation-specific debug commands to debug problems that occur in the receipt of CDP IP information.

Examples
The following is sample output from the debug cdp ip command. This example shows the transmission of IP-specific information in a CDP update. In this case, three network prefixes are being sent, each with a different network mask.
Router# CDP-IP: CDP-IP: CDP-IP: debug cdp ip Writing prefix 172.1.69.232.112/28 Writing prefix 172.19.89.0/24 Writing prefix 11.0.0.0/8

In addition to these messages, you might see the following messages:

This message indicates that CDP is attempting to install the prefix 172.16.1.0/24 into the IP routing table:
CDP-IP: Updating prefix 172.16.1.0/24 in routing table

This message indicates a protocol error occurred during an attempt to decode an incoming CDP packet:
CDP-IP: IP TLV length (3) invalid

This message indicates the receipt of the IP prefix 172.16.1.0/24 from a CDP neighbor connected via Ethernet interface 0/0. The neighbor IP address is 10.0.01.
CDP-IP: Reading prefix 172.16.1.0/24 source 10.0.0.1 via Ethernet0/0

Related Commands
Command debug ip routing Description Displays information on RIP routing table updates and route cache updates.

debug crypto engine accelerator logs


To enable logging of commands and associated parameters sent from the VPN module driver to the VPN module hardware using a debug flag, use the debug crypto engine accelerator logs privileged EXEC command. debug crypto engine accelerator logs no debug crypto engine accelerator logs

Syntax Description
This command has no arguments or keywords.

Defaults
The logging of commands sent from the VPN module driver to the VPN module hardware is disabled.

Command History
Release 12.1(1)XC Modification This command was introduced on the Cisco 1720 and Cisco 1750 routers.

Usage Guidelines
Use the debug crypto engine accelerator logs command when encryption traffic is sent to the router and a problem with the encryption module is suspected. This command is intended only for Cisco TAC personnel to collect debugging information.

Examples
The command debug crypto engine accelerator logs uses a debug flag to log commands and associated parameters sent from the VPN module driver to the VPN module hardware as follows:
Router# debug crypto engine accelerator logs encryption module logs debugging is on

Related Commands

Command crypto engine accelerator

Description Enables or disables the crypto engine accelerator if it exists.

show crypto engine accelerator logs

Prints information about the last 32 CGX Library packet processing commands, and associated parameters sent from the VPN module driver to the VPN module hardware.

show crypto engine accelerator sadatabase

Prints active (in-use) entries in the platform-specific VPN module database.

show crypto engine configuration

Displays the Cisco IOS crypto engine of your router.

debug crypto engine


To display debug messages about crypto engines, which perform encryption and decryption, use the debug crypto engine privileged EXEC command. To disable debugging output, use the no form of this command. debug crypto engine no debug crypto engine

Syntax Description
This command has no arguments or keywords.

Command History
Release 12.0 Modification This command was introduced.

Usage Guidelines
Use the debug crypto engine command to display information pertaining to the crypto engine, such as when Cisco IOS software is performing encryption or decryption operations. The crypto engine is the actual mechanism that performs encryption and decryption. A crypto engine can be software or a hardware accelerator. Some platforms can have multiple crypto engines; therefore, the router will have multiple hardware accelerators.

Examples
The following is sample output from the debug crypto engine command. The first sample output shows messages from a router that successfully generates RSA keys. The second sample output shows messages from a router that decrypts the RSA key during Internet Key Exchange (IKE) negotiation.
Router# debug crypto engine 00:25:13:CryptoEngine0:generate key pair 00:25:13:CryptoEngine0:CRYPTO_GEN_KEY_PAIR 00:25:13:CRYPTO_ENGINE:key process suspended and continued 00:25:14:CRYPTO_ENGINE:key process suspended and continuedcr Router# debug crypto engine 00:27:45:%SYS-5-CONFIG_I:Configured from console by console 00:27:51:CryptoEngine0:generate alg parameter 00:27:51:CRYPTO_ENGINE:Dh phase 1 status:0 00:27:51:CRYPTO_ENGINE:Dh phase 1 status:0

00:27:51:CryptoEngine0:generate alg parameter 00:27:52:CryptoEngine0:calculate pkey hmac for conn id 0 00:27:52:CryptoEngine0:create ISAKMP SKEYID for conn id 1 00:27:52:Crypto engine 0:RSA decrypt with public key 00:27:52:CryptoEngine0:CRYPTO_RSA_PUB_DECRYPT 00:27:52:CryptoEngine0:generate hmac context for conn id 1 00:27:52:CryptoEngine0:generate hmac context for conn id 1 00:27:52:Crypto engine 0:RSA encrypt with private key 00:27:52:CryptoEngine0:CRYPTO_RSA_PRIV_ENCRYPT 00:27:53:CryptoEngine0:clear dh number for conn id 1 00:27:53:CryptoEngine0:generate hmac context for conn id 1 00:27:53:validate proposal 0 00:27:53:validate proposal request 0 00:27:54:CryptoEngine0:generate hmac context for conn id 1 00:27:54:CryptoEngine0:generate hmac context for conn id 1 00:27:54:ipsec allocate flow 0 00:27:54:ipsec allocate flow 0

Related Commands
Command crypto key generate rsa Description Generates RSA key pairs.

debug crypto ipsec


To display IPSec events, use the debug crypto ipsec privileged EXEC command. The no form of this command disables debugging output. debug crypto ipsec no debug crypto ipsec

Syntax Description
This command has no arguments or keywords.

Examples
The following is sample output from the debug crypto ipsec command. In this example, security associations (SAs) have been successfully established.
Router# debug crypto ipsec

IPSec requests SAs between 172.21.114.123 and 172.21.114.67, on behalf of the permit ip host 172.21.114.123 host 172.21.114.67 command. It prefers to use the transform set esp-des w/esp-md5-hmac, but it will also consider ah-shahmac.
00:24:30: IPSEC(sa_request): , (key eng. msg.) src=http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122sup /122debug/ 172.21.114.123, dest= 172.21.114.67, _proxy= 172.21.114.123/255.255.255.255/0/0 (type=1), dest_proxy= 172.21.114.67/255.255.255.255/0/0 (type=1), protocol= ESP, transform= esp-des esp-md5-hmac , lifedur= 120s and 4608000kb, spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4 00:24:30: IPSEC(sa_request): , (key eng. msg.) src=http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122sup /122debug/ 172.21.114.123, dest= 172.21.114.67, _proxy= 172.21.114.123/255.255.255.255/0/0 (type=1), dest_proxy= 172.21.114.67/255.255.255.255/0/0 (type=1)., protocol= AH, transform= ah-sha-hmac , lifedur= 120s and 4608000kb, spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0.

IKE asks for SPIs from IPSec. For inbound security associations, IPSec controls its own SPI space.
00:24:34: IPSEC(key_engine): got a queue event... 00:24:34: IPSEC(spi_response): getting spi 302974012ld for SA from 172.21.114.67 to 172.21.114.123 for prot 3 00:24:34: IPSEC(spi_response): getting spi 525075940ld for SA from 172.21.114.67 to 172.21.114.123 for prot 2

IKE will ask IPSec if it accepts the SA proposal. In this case, it will be the one sent by the local IPSec in the first place:

00:24:34: IPSEC(validate_proposal_request): proposal part #1, (key eng. msg.) dest= 172.21.114.67, src=http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122sup /122debug/ 172.21.114.123, dest_proxy= 172.21.114.67/255.255.255.255/0/0 (type=1), _proxy= 172.21.114.123/255.255.255.255/0/0 (type=1), protocol= ESP, transform= esp-des esp-md5-hmac , lifedur= 0s and 0kb, spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4

After the proposal is accepted, IKE finishes the negotiations, generates the keying material, and then notifies IPSec of the new security associations (one security association for each direction).
00:24:35: IPSEC(key_engine): got a queue event...

The following output pertains to the inbound SA. The conn_id value references an entry in the crypto engine connection table.
00:24:35: IPSEC(initialize_sas): , (key eng. msg.) dest= 172.21.114.123, src=http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122sup /122debug/ 172.21.114.67, dest_proxy= 172.21.114.123/255.255.255.255/0/0 (type=1), _proxy= 172.21.114.67/255.255.255.255/0/0 (type=1), protocol= ESP, transform= esp-des esp-md5-hmac , lifedur= 120s and 4608000 kb, spi= 0x120F043C(302974012), conn_id= 29, keysize= 0, flags= 0x4

The following output pertains to the outbound SA:


00:24:35: IPSEC(initialize_sas): , (key eng. msg.) src=http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122sup /122debug/ 172.21.114.123, dest= 172.21.114.67, _proxy= 172.21.114.123/255.255.255.255/0/0 (type=1), dest_proxy= 172.21.114.67/255.255.255.255/0/0 (type=1), protocol= ESP, transform= esp-des esp-md5-hmac , lifedur= 120s and 4608000kb, spi= 0x38914A4(59315364), conn_id= 30, keysize= 0, flags= 0x4

IPSec now installs the SA information into its SA database.


00:24:35: IPSEC(create_sa): sa created, (sa) sa_dest= 172.21.114.123, sa_prot= 50, sa_spi= 0x120F043C(302974012), sa_trans= esp-des esp-md5-hmac , sa_conn_id= 29 00:24:35: IPSEC(create_sa): sa created, (sa) sa_dest= 172.21.114.67, sa_prot= 50, sa_spi= 0x38914A4(59315364), sa_trans= esp-des esp-md5-hmac , sa_conn_id= 30

The following is sample output for the debug crypto ipsec command as seen on the peer router. In this example, IKE asks IPSec if it will accept an SA proposal. Although the peer sent two proposals, IPSec accepted the first proposal.
00:26:15: IPSEC(validate_proposal_request): proposal part #1,

(key eng. msg.) dest= 172.21.114.67, src=http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122sup /122debug/ 172.21.114.123, dest_proxy= 172.21.114.67/255.255.255.255/0/0 (type=1), _proxy= 172.21.114.123/255.255.255.255/0/0 (type=1), protocol= ESP, transform= esp-des esp-md5-hmac , lifedur= 0s and 0kb, spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4

IKE asks for SPIs.


00:26:15: IPSEC(key_engine): got a queue event... 00:26:15: IPSEC(spi_response): getting spi 59315364ld for SA from 172.21.114.123 to 172.21.114.67 for prot 3

IKE does the remaining processing, completing the negotiation and generating keys. It then tells IPSec about the new SAs.
00:26:15: IPSEC(key_engine): got a queue event...

The following output pertains to the inbound SA:


00:26:15: IPSEC(initialize_sas): , (key eng. msg.) dest= 172.21.114.67, src=http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122sup /122debug/ 172.21.114.123, dest_proxy= 172.21.114.67/0.0.0.0/0/0 (type=1), _proxy= 172.21.114.123/0.0.0.0/0/0 (type=1), protocol= ESP, transform= esp-des esp-md5-hmac , lifedur= 120s and 4608000kb, spi= 0x38914A4(59315364), conn_id= 25, keysize= 0, flags= 0x4

The following output pertains to the outbound SA:


00:26:15: IPSEC(initialize_sas): , (key eng. msg.) src=http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122sup /122debug/ 172.21.114.67, dest= 172.21.114.123, _proxy= 172.21.114.67/0.0.0.0/0/0 (type=1), dest_proxy= 172.21.114.123/0.0.0.0/0/0 (type=1), protocol= ESP, transform= esp-des esp-md5-hmac , lifedur= 120s and 4608000kb, spi= 0x120F043C(302974012), conn_id= 26, keysize= 0, flags= 0x4

IPSec now installs the SA information into its SA database:


00:26:15: IPSEC(create_sa): sa created, (sa) sa_dest= 172.21.114.67, sa_prot= 50, sa_spi= 0x38914A4(59315364), sa_trans= esp-des esp-md5-hmac , sa_conn_id= 25 00:26:15: IPSEC(create_sa): sa created, (sa) sa_dest= 172.21.114.123, sa_prot= 50, sa_spi= 0x120F043C(302974012), sa_trans= esp-des esp-md5-hmac , sa_conn_id= 26

debug crypto isakmp


To display messages about IKE events, use the debug crypto isakmp privileged EXEC command. The no form of this command disables debugging output. debug crypto isakmp no debug crypto isakmp

Syntax Description
This command has no arguments or keywords.

Examples
The following is sample output from the debug crypto isakmp command for an IKE peer that initiates an IKE negotiation. First, IKE negotiates its own security association (SA), checking for a matching IKE policy:
Router# debug crypto isakmp 20:26:58: ISAKMP (8): beginning Main Mode exchange 20:26:58: ISAKMP (8): processing SA payload. message ID = 0 20:26:58: ISAKMP (8): Checking ISAKMP transform 1 against priority 10 policy 20:26:58: ISAKMP: encryption DES-CBC 20:26:58: ISAKMP: hash SHA 20:26:58: ISAKMP: default group 1 20:26:58: ISAKMP: auth pre-share 20:26:58: ISAKMP (8): atts are acceptable. Next payload is 0

IKE has found a matching policy. Next, the IKE SA is used by each peer to authenticate the other peer:
20:26:58: 20:26:59: 20:26:59: 20:26:59: 20:26:59: 20:26:59: 20:26:59: ISAKMP ISAKMP ISAKMP ISAKMP ISAKMP ISAKMP ISAKMP (8): (8): (8): (8): (8): (8): (8): SA is doing pre-shared key authentication processing KE payload. message ID = 0 processing NONCE payload. message ID = 0 SKEYID state generated processing ID payload. message ID = 0 processing HASH payload. message ID = 0 SA has been authenticated

Next, IKE negotiates to set up the IPSec SA by searching for a matching transform set:
20:26:59: 20:26:59: 20:26:59: 20:26:59: 20:26:59: 20:26:59: 20:26:59: 20:26:59: 20:26:59: ISAKMP (8): beginning Quick Mode exchange, M-ID of 767162845 ISAKMP (8): processing SA payload. message ID = 767162845 ISAKMP (8): Checking IPSec proposal 1 ISAKMP: transform 1, ESP_DES ISAKMP: attributes in transform: ISAKMP: encaps is 1 ISAKMP: SA life type in seconds ISAKMP: SA life duration (basic) of 600 ISAKMP: SA life type in kilobytes

20:26:59: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0 20:26:59: ISAKMP: authenticator is HMAC-MD5 20:26:59: ISAKMP (8): atts are acceptable.

A matching IPSec transform set has been found at the two peers. Now the IPSec SA can be created (one SA is created for each direction):
20:26:59: 20:26:59: 20:26:59: 20:26:59: 20:26:59: 155.0.0.1 20:26:59: 20:26:59: 20:26:59: 20:26:59: 155.0.0.2 20:26:59: 20:26:59: 20:26:59: ISAKMP (8): processing NONCE payload. message ID = 767162845 ISAKMP (8): processing ID payload. message ID = 767162845 ISAKMP (8): processing ID payload. message ID = 767162845 ISAKMP (8): Creating IPSec SAs inbound SA from 155.0.0.2 to 155.0.0.1 (proxy 155.0.0.2 to ) has spi 454886490 and conn_id 9 and flags 4 lifetime of 600 seconds lifetime of 4608000 kilobytes outbound SA from 155.0.0.1 to 155.0.0.2 (proxy 155.0.0.1 to ) has spi 75506225 and conn_id 10 and flags 4 lifetime of 600 seconds lifetime of 4608000 kilobytes

debug crypto key-exchange


To show Digital Signature Standard (DSS) public key exchange messages, use the debug crypto key-exchange privileged EXEC command. The no form of this command disables debugging output. debug crypto key-exchange no debug crypto key-exchange

Syntax Description
This command has no arguments or keywords.

Usage Guidelines
Encryption and authentication are provided by a software service on the router called a crypto engine. The crypto engine performs authentication through DSS public and private keys when a connection is set up. DSS is a means of sending a "signature" at the end of a message that positively identifies the author of the message. The signature cannot be forged or duplicated by others, so whoever received a message with a DSS signature knows exactly who sent the message. If the process of exchanging DSS public keys with a peer router by means of the config crypto key-exchange command is not successful, try to exchange DSS public keys again after enabling the debug crypto key-exchange command to help you diagnose the problem.

Examples
The following is sample output from the debug crypto key-exchange command. The first shows output from the initiating router in a key exchange. The second shows output from the passive router in a key exchange. The number of bytes received should match the number of bytes sent from the initiating side, although the number of messages can be different.
Router# debug crypto key-exchange CRYPTO-KE: Sent 4 bytes. CRYPTO-KE: Sent 2 bytes. CRYPTO-KE: Sent 2 bytes. CRYPTO-KE: Sent 2 bytes. CRYPTO-KE: Sent 64 bytes. Router# debug crypto key-exchange CRYPTO-KE: Received 4 bytes. CRYPTO-KE: Received 2 bytes. CRYPTO-KE: Received 2 bytes. CRYPTO-KE: Received 2 bytes. CRYPTO-KE: Received 49 bytes. CRYPTO-KE: Received 15 bytes.

Related Commands

Command debug crypto sesmgmt

Description Displays connection setup messages and their flow through the router.

debug crypto pki messages


To display debug messages for the details of the interaction (message dump) between the certification authority (CA) and the router, use the debug crypto pki messages privileged EXEC command. To disable debugging output, use the no form of this command. debug crypto pki messages no debug crypto pki messages

Syntax Description
This command has no arguments or keywords.

Defaults
Disabled

Command History
Release 12.0 Modification This command was introduced.

Usage Guidelines
Use the debug crypto pki messages command to display messages about the actual data being sent and received during public key infrastructure (PKI) transactions. You can also use the show crypto ca certificates command to display information about your certificate.

Examples
The following example is sample output for the debug crypto pki messages command:
Router# debug crypto pki messages Fingerprint: 2CFC6265 77BA6496 3AEFCB50 29BC2BF2 00:48:23:Write out pkcs#10 content:274 00:48:23:30 82 01 0E 30 81 B9 02 01 00 30 22 31 20 00:48:23:48 86 F7 0D 01 09 02 16 11 70 6B 69 2D 33 00:48:23:63 6F 2E 63 6F 6D 30 5C 30 0D 06 09 2A 86 00:48:23:01 05 00 03 4B 00 30 48 02 41 00 DD 2C C6 00:48:23:11 E2 81 95 01 6A 80 34 25 10 C4 5F 3D 8B 00:48:23:6C 2D 65 4C B6 A6 B0 02 1C B2 84 C1 C8 AC

30 36 48 35 33 A4

1E 61 86 A5 1C 28

06 2E F7 3F 19 6E

09 63 0D 0F 50 EF

2A 69 01 97 FD 9D

86 73 01 6C 91 3B

00:48:23:30 98 CB 36 A2 47 4E 7E 6F C9 3E 00:48:23:A0 32 30 10 06 09 2A 86 48 86 F7 00:48:23:30 1E 06 09 2A 86 48 86 F7 0D 01 00:48:23:0B 06 03 55 1D 0F 04 04 03 02 05 00:48:23:F7 0D 01 01 04 05 00 03 41 00 2C 00:48:23:5C FD AE 52 8F 2C 13 95 9E 9D 8B 00:48:23:63 27 A3 AC 6D 74 EB 69 E3 06 E9 00:48:23:BE 90 57 02 F2 75 8E 0F 16 60 10 00:48:23:Enveloped Data ... 00:48:23:30 80 06 09 2A 86 48 86 F7 0D 01 00:48:23:31 80 30 82 01 0F 02 01 00 30 78 00:48:23:04 06 13 02 55 53 31 0B 30 09 06 00:48:23:13 30 11 06 03 55 04 07 13 0A 53 00:48:23:31 15 30 13 06 03 55 04 0A 13 0C 00:48:23:74 65 6D 31 0E 30 0C 06 03 55 04 00:48:23:Signed Data 1382 bytes 00:48:23:30 80 06 09 2A 86 48 86 F7 0D 01 00:48:23:31 0E 30 0C 06 08 2A 86 48 86 F7 00:48:23:2A 86 48 86 F7 0D 01 07 01 A0 80 00:48:23:02 55 53 31 0B 30 09 06 03 55 04 00:48:23:33 34 5A 17 0D 31 30 31 31 31 35 00:48:23:31 20 30 1E 06 09 2A 86 48 86 F7 00:48:23:2D 33 36 61 2E 63 69 73 63 6F 2E 00:48:23:2A 86 48 86 F7 0D 01 01 01 05 00 00:48:23:2C C6 35 A5 3F 0F 97 6C 11 E2 81 00:48:23:3D 8B 33 1C 19 50 FD 91 6C 2D 65 00:48:23:86 F7 0D 01 01 01 05 00 04 40 C6 00:48:23:15 F7 3E 15 6D 71 E1 D0 13 2B 14 00:48:23:EF C2 D6 CB 91 39 19 F8 44 68 0E 00:48:23:3F EC C6 04 A5 D9 7C B1 56 47 3F 00:48:23:00 00 00:48:24:Received pki message:1778 types 00:48:24:30 82 06 EE 06 09 2A 86 48 86 F7 00:48:24:82 06 DB 02 01 01 31 0E 30 0C 06 00:48:24:05 00 30 82 04 C5 06 09 2A 86 48 00:48:24:B6 04 82 04 B2 30 82 04 AE 06 09 00:48:24:0E 61 85 48 B1 DA 3D 73 F1 4B D8 00:48:24:17 3D 03 19 B3 8F 06 8B FE FB B1 00:48:24:78 DD 27 BA 28 2F 85 09 F0 61 74 00:48:24:71 AF 87 D2 72 75 B7 F7 89 6F E4 00:48:24:05 54 6F 06 75 72 8A AF 54 A6 EF 00:48:24:CB 26 80 8D DC 89 77 57 1E D5 7A 00:48:24:Verified signed data 1202 bytes: 00:48:24:30 82 04 AE 06 09 2A 86 48 86 F7 00:48:24:82 04 9B 02 01 00 31 81 9F 30 81 00:48:24:20 30 1E 06 09 2A 86 48 86 F7 0D 00:48:24:33 36 61 2E 63 69 73 63 6F 2E 63 00:48:24:E2 55 65 DE DB 23 91 D7 60 53 96 00:48:24:2E EB 9B 0D 75 EC 8E AF C0 9C 62 00:48:24:AB 83 32 89 3E 5B A9 9F A9 9A 6D 00:48:24:FA 5A FC F3 31 98 2B 8E 55 71 C4 00:48:24:19 E3 1A C3 F5 ED 4D 81 1F 6F 34 00:48:24:EA 2B A8 D4 32 53 A7 86 50 71 5E 00:48:24:AB 7A 2A 07 C0 7E C1 A7 12 31 33 00:48:24:57 70 2D 0B F5 C8 A7 FC FE 40 74 00:48:24:FF 6F 7B E6 74 E2 F5 A1 9A C8 3C 00:48:24:ED F3 00:48:24:Decrypted enveloped content: 00:48:24:30 82 03 C8 06 09 2A 86 48 86 F7 00:48:24:82 03 B5 02 01 01 31 00 30 0B 06

B8 0D 09 A0 FD A4 E4 6F 07 30 03 61 43 0B 07 0D 24 08 31 0D 63 03 95 4C 24 64 C5 5B

26 01 0E 30 88 C9 9F BE 03 6A 55 6E 69 13 02 02 80 13 38 01 6F 4B 01 B6 36 1B B5 D4

BE 09 31 0D 2C 48 0A 2B A0 31 04 74 73 05 A0 05 04 02 35 09 6D 00 6A A6 D6 0C 84 93

15 07 11 06 8A 32 A8

02 31 14 09 13 84 FB

03 03 0F 2A B6 BF 20

01 13 30 86 81 05 F0

00 01 0D 48 88 03 02

01 63 30 86 EA 49 03

80 0B 08 61 63 49 80 05 82 43 34 02 30 30 80 B0 D5 0F 18 00

30 30 13 20 6F 50 30 00 02 41 33 16 5C 48 34 02 A6 96 8B 00

80 09 02 43 20 49 80 30 75 31 34 11 30 02 25 1C 92 BF 2D 00

02 06 43 72 53 53 02 80 30 13 5A 70 0D 41 10 B2 80 F9 A4 00

01 03 41 75 79 55 01 06 80 30 30 6B 06 00 C4 84 5D 2E B1 00

00 55 31 7A 73 31 01 09 06 11 22 69 09 DD 5F C1 E5 05 CD 00

0D 08 86 2A 5E CE 0F E7 70 37 0D 9C 01 6F 64 78 3A F6 35 2A AB E8 23

01 2A F7 86 03 D4 0F 57 2D 86 01 02 09 6D BE 29 87 BF E2 64 94 EB DB

07 86 0D 48 6E 4C 92 84 15 BE 07 01 02 02 F2 E0 E2 CE 00 BE E0 9C 4A

02 48 01 86 F3 4D F0 76 6C 44 03 00 16 20 30 97 71 45 B3 4B 3B 82 90

A0 86 07 F7 E5 1B C8 53 B7 F8 A0 30 11 34 A7 00 16 CA 93 B1 A2 77 BE

82 F7 01 0D 72 81 C7 0B 30 66 82 46 70 45 8B EA C9 A5 DD 72 68 DE 4A

06 0D A0 01 5D CF 5B 50 91 60 04 30 6B 45 1B 84 C1 47 A0 AB 17 A4 94

DF 02 82 07 D7 59 96 8A 1C

30 05 04 03 17 B7 E7 B9 00

9F 22 69 41 D9 80 E4 40 6A 8C DE FA EB

30 31 2D 44 EB DD DB 9B 74 DA CE 75 8B

0D 01 07 02 A0 82 03 B9 30 09 2A 86 48 86 F7 0D 01 07

00:48:24:01 A0 82 03 9D 30 82 03 99 30 82 03 43 A0 03 02 01 02 02 0A 00:48:24:70 45 B3 F6 00 00 00 00 01 23 30 0D 06 09 2A 86 48 86 F7 0D 000:48:24:35 35 32 32 5A 30 22 31 20 30 1E 06 09 2A 86 48 86 F7 0D 01 00:48:24:09 02 13 11 70 6B 69 2D 33 36 61 2E 63 69 73 63 6F 2E 63 6F 00:48:24:6D 30 5C 30 0D 06 09 2A 86 48 86 F7 0D 01 01 01 05 00 03 4B 00:48:24:00 30 48 02 41 00 DD 2C C6 35 A5 3F 0F 97 6C 11 E2 81 95 01 00:48:24:6A 80 34 25 10 C4 5F 3D 8B 33 1C 19 50 FD 91 6C 2D 65 4C B6 00:48:24:63 6F 2E 63 6F 6D 2F 43 65 72 74 45 6E 72 6F 6C 6C 2F 6D 73 00:48:24:63 61 2D 72 6F 6F 74 5F 6D 73 63 61 2D 72 6F 6F 74 2E 63 72 00:48:24:74 30 41 06 08 2B 06 01 05 05 07 30 02 86 35 66 69 6C 65 3A 00:48:24:2F 2F 5C 5C 6D 73 63 61 2D 72 6F 6F 74 5C 43 65 72 74 45 6E 00:48:24:72 6F 6C 6C 5C 6D 73 63 61 2D 72 6F 6F 74 5F 6D 73 63 61 2D 00:48:24:72 6F 6F 74 2E 63 72 74 30 0D 06 09 2A 86 48 86 F7 0D 01 01 00:48:24:05 05 00 03 41 00 56 30 AD 99 1F FA 0D 1A C3 3D 71 2A DB A0 00:48:24:48 C5 EB C8 D4 FE 62 49 9C 69 5D E4 80 77 19 3E 07 B8 2B 4F 00:48:24:9A D7 72 A7 26 25 61 AE 5B 1C B5 7B 4C 18 CA 17 C3 D0 76 84 00:48:24:75 41 92 74 5E A4 E8 9E 09 60 31 00 00:48:24:%CRYPTO-6-CERTRET:Certificate received from Certificate Authority

Related Commands
Command crypto ca enroll Description Obtains the certificate of your router from the CA.

debug crypto pki transactions

Displays debug messages for the trace of interaction (message type) between the CA and the router.

show crypto ca certificates

Displays information about your certificate, the certificate of the CA, and any RA certificates.

debug crypto pki transactions


To display debug messages for the trace of interaction (message type) between the certification authority (CA) and the router, use the debug crypto pki transactions privileged EXEC command. To disable debugging output, use the no form of this command. debug crypto pki transactions no debug crypto pki transactions

Syntax Description
This command has no arguments or keywords.

Defaults
Disabled

Command History
Release 12.0 Modification This command was introduced.

Usage Guidelines
Use the debug crypto pki transactions command to display debug messages pertaining to public key infrastructure (PKI) certificates. The messages will show status information during certificate enrollment and verification. You can also use the show crypto ca certificates command to display information about your certificate.

Examples
The following example, which authenticates and enrolls a CA, contains sample output for the debug crypto pki transactions command:
Router(config)# crypto ca authenticate msca Certificate has the following attributes: Fingerprint:A5DE3C51 AD8B0207 B60BED6D 9356FB00 % Do you accept this certificate? [yes/no]:y Router# debug crypto pki transactions 00:44:00:CRYPTO_PKI:Sending CA Certificate Request: GET /certsrv/mscep/mscep.dll/pkiclient.exe?operation=GetCACert&message=msca HTTP/1.0

00:44:00:CRYPTO_PKI:http connection opened 00:44:01:CRYPTO_PKI:HTTP response header: HTTP/1.1 200 OK Server:Microsoft-IIS/5.0 Date:Fri, 17 Nov 2000 18:50:59 GMT Content-Length:2693 Content-Type:application/x-x509-ca-ra-cert Content-Type indicates we have received CA and RA certificates. 00:44:01:CRYPTO_PKI:WARNING:A certificate chain could not be constructed while selecting certificate status 00:44:01:CRYPTO_PKI:WARNING:A certificate chain could not be constructed while selecting certificate status 00:44:01:CRYPTO_PKI:Name:CN = msca-rootRA, O = Cisco System, C = US 00:44:01:CRYPTO_PKI:Name:CN = msca-rootRA, O = Cisco System, C = US 00:44:01:CRYPTO_PKI:transaction GetCACert completed 00:44:01:CRYPTO_PKI:CA certificate received. 00:44:01:CRYPTO_PKI:CA certificate received. Router(config)# crypto ca enroll msca % % Start certificate enrollment .. % Create a challenge password. You will need to verbally provide this password to the CA Administrator in order to revoke your certificate. For security reasons your password will not be saved in the configuration. Please make a note of it. Password: Re-enter password: % The subject name in the certificate will be:Router.cisco.com % Include the router serial number in the subject name? [yes/no]:n % Include an IP address in the subject name? [yes/no]:n Request certificate from CA? [yes/no]:y % Certificate request sent to Certificate Authority % The certificate request fingerprint will be displayed. % The 'show crypto ca certificate' command will also show the fingerprint. Router(config)# Fingerprint: 2CFC6265 77BA6496 3AEFCB50 29BC2BF2 00:44:29:CRYPTO_PKI:transaction PKCSReq completed 00:44:29:CRYPTO_PKI:status: 00:44:29:CRYPTO_PKI:http connection opened 00:44:29:CRYPTO_PKI: received msg of 1924 bytes 00:44:29:CRYPTO_PKI:HTTP response header: HTTP/1.1 200 OK Server:Microsoft-IIS/5.0 Date:Fri, 17 Nov 2000 18:51:28 GMT Content-Length:1778 Content-Type:application/x-pki-message 00:44:29:CRYPTO_PKI:signed attr:pki-message-type: 00:44:29:13 01 33 00:44:29:CRYPTO_PKI:signed attr:pki-status: 00:44:29:13 01 30 00:44:29:CRYPTO_PKI:signed attr:pki-recipient-nonce: 00:44:29:04 10 B4 C8 2A 12 9C 8A 2A 4A E1 E5 15 DE 22 C2 B4 FD 00:44:29:CRYPTO_PKI:signed attr:pki-transaction-id: 00:44:29:13 20 34 45 45 41 44 42 36 33 38 43 33 42 42 45 44 45 39 46 00:44:29:34 38 44 33 45 36 39 33 45 33 43 37 45 39 00:44:29:CRYPTO_PKI:status = 100:certificate is granted 00:44:29:CRYPTO__PKI:All enrollment requests completed. 00:44:29:%CRYPTO-6-CERTRET:Certificate received from Certificate Authority

Related Commands

Command crypto ca authenticate

Description Authenticates the CA (by getting the certificate of the CA).

crypto ca enroll

Obtains the certificate of your router from the CA.

debug crypto pki messages

Displays debug messages for details of the interaction (message dump) between the CA and the router.

show crypto ca certificates

Displays information about your certificate, the certificate of the CA, and any RA certificates.

debug crypto sesmgmt


To show connection setup messages and their flow through the router, use the debug crypto sesmgmt privileged EXEC command. The no form of this command disables debugging output. debug crypto sesmgmt no debug crypto sesmgmt

Syntax Description
This command has no arguments or keywords.

Usage Guidelines
Encryption and authentication are provided by a software service on the router called a crypto engine. The crypto engine performs authentication through DSS public and private keys when a connection is set up. DSS is a means of sending a "signature" at the end of a message that positively identifies the author of the message. The signature cannot be forged or duplicated by others, so whoever receives a message with a DSS signature knows exactly who sent the message. When connections are not completing, use the debug crypto sesmgmt command to follow the progress of connection messages as a first step in diagnosing the problem. You see a record of each connection message as the router discovers it, and can track its progress through the necessary signing, verifying, and encryption session setup operations. Other significant connection setup events, such as the pregeneration of Diffie-Hellman public numbers, are also shown. For information on Diffie-Hellman public numbers, refer to the Security Configuration Guide. Also use the show crypto connections command to display additional information on connections.

Examples
The following is sample output from the debug crypto sesmgmt command. The first shows messages from a router that initiates a successful connection. The second shows messages from a router that receives a connection.
Router# debug crypto sesmgmt CRYPTO: Dequeued a message: Inititate_Connection CRYPTO: DH gen phase 1 status for conn_id 2 slot 0:OK CRYPTO: Signing done. Status:OK CRYPTO: ICMP message sent: s=172.21.114.163, d=172.21.114.162 CRYPTO-SDU: send_nnc_req: NNC Echo Request sent CRYPTO: Dequeued a message: CRM CRYPTO: DH gen phase 2 status for conn_id 2 slot 0:OK

CRYPTO: Verify done. Status=OK CRYPTO: Signing done. Status:OK CRYPTO: ICMP message sent: s=172.21.114.163, d=172.21.114.162 CRYPTO-SDU: recv_nnc_rpy: NNC Echo Confirm sent CRYPTO: Create encryption key for conn_id 2 slot 0:OK CRYPTO: Replacing -2 in crypto maps with 2 (slot 0) Router# debug crypto sesmgmt CRYPTO: Dequeued a message: CIM CRYPTO: Verify done. Status=OK CRYPTO: DH gen phase 1 status for conn_id 1 slot 0:OK CRYPTO: DH gen phase 2 status for conn_id 1 slot 0:OK CRYPTO: Signing done. Status:OK CRYPTO: ICMP message sent: s=172.21.114.162, d=172.21.114.163 CRYPTO-SDU: act_on_nnc_req: NNC Echo Reply sent CRYPTO: Create encryption key for conn_id 1 slot 0:OK CRYPTO: Replacing -2 in crypto maps with 1 (slot 0) CRYPTO: Dequeued a message: CCM CRYPTO: Verify done. Status=OK

Related Commands
Command debug crypto key-exchange Description Displays DSS public key exchange messages.

debug dhcp
To display debugging information about the Dynamic Host Configuration Protocol (DHCP) client activities and to monitor the status of DHCP packets, use the debug dhcp command in privileged EXEC mode. The no form of this command disables debugging output. debug dhcp [detail] no debug dhcp [detail]

Syntax Description
detail (Optional) Displays additional debug information.

Usage Guidelines
You can also use the debug dhcp command to monitor the subnet allocation and releasing for on-demand address pools. For debugging purposes, the debug dhcp detail command provides the most useful information such as the lease entry structure of the client and the state transitions of the lease entry. The debug output shows the scanned option values from received DHCP messages that are replies to a router request. The values of the op, htype, hlen, hops, server identifier option, xid, secs, flags, ciaddr, yiaddr, siaddr, and giaddr fields of the DHCP packet are shown in addition to the length of the options field.

Examples
The following examples show and explain some of the typical debug messages you might see when using the debug dhcp detail command. The following example shows the debug output when a DHCP client sends out a DHCPDISCOVER broadcast message to find its local DHCP server:
Router# debug dhcp detail 00:07:16:DHCP:DHCP client process started:10 00:07:16:RAC:Starting DHCP discover on Ethernet2 00:07:16:DHCP:Try 1 to acquire address for Ethernet2 00:07:16:%SYS-5-CONFIG_I:Configured from console by console 00:07:19:DHCP:Shutting down from get_netinfo() 00:07:19:DHCP:Attempting to shutdown DHCP Client 00:07:21:DHCP:allocate request 00:07:21:DHCP:new entry. add to queue 00:07:21:DHCP:SDiscover attempt # 1 for entry:

The first seven lines of the following output show the current values stored in the lease entry structure for the client:

00:07:21:Temp IP addr:0.0.0.0 for peer on Interface:Ethernet2 00:07:21:Temp sub net mask:0.0.0.0 00:07:21: DHCP Lease server:0.0.0.0, state:1 Selecting 00:07:21: DHCP transaction id:582 00:07:21: Lease:0 secs, Renewal:0 secs, Rebind:0 secs 00:07:21: Next timer fires after:00:00:03 00:07:21: Retry count:1 Client-ID:cisco-0010.7b6e.afd8-Et2 00:07:21:DHCP:SDiscover:sending 308 byte length DHCP packet 00:07:21:DHCP:SDiscover 308 bytes 00:07:21: B'cast on Ethernet2 interface from 0.0.0.0

The following example shows the offered addresses and parameters sent to the DHCP client by the DHCP server via a DHCPOFFER message. The messages containing the field "Scan" indicate the options that were scanned from the received BOOTP packet and the corresponding values.
00:07:23:DHCP:Received a BOOTREP pkt 00:07:23:DHCP:Scan:Message type:DHCP Offer 00:07:23:DHCP:Scan:Server ID Option:10.1.1.1 = A010101 00:07:23:DHCP:Scan:Lease Time:180 00:07:23:DHCP:Scan:Renewal time:90 00:07:23:DHCP:Scan:Rebind time:157 00:07:23:DHCP:Scan:Subnet Address Option:255.255.255.0

The following debug output shows selected fields in the received BOOTP packet:
00:07:23:DHCP:rcvd pkt source:10.1.1.1, destination: 255.255.255.255 00:07:23: UDP sport:43, dport:44, length:308 00:07:23: DHCP op:2, htype:1, hlen:6, hops:0 00:07:23: DHCP server identifier:10.1.1.1 00:07:23: xid:582, secs:0, flags:8000 00:07:23: client:0.0.0.0, your:10.1.1.2 00:07:23: srvr: 0.0.0.0, gw:0.0.0.0 00:07:23: options block length:60 00:07:23:DHCP Offer Message Offered Address:10.1.1.2 00:07:23:DHCP:Lease Seconds:180 Renewal secs: 90 Rebind secs:157 00:07:23:DHCP:Server ID Option:10.1.1.1 00:07:23:DHCP:offer received from 10.1.1.1

The following example shows the debug output when the DHCP client sends out a DHCPREQUEST broadcast message to the DHCP server to accept the offered parameters:
00:07:23:DHCP:SRequest attempt # 1 for entry: 00:07:23:Temp IP addr:10.1.1.2 for peer on Interface:Ethernet2 00:07:23:Temp sub net mask:255.255.255.0 00:07:23: DHCP Lease server:10.1.1.1, state:2 Requesting 00:07:23: DHCP transaction id:582 00:07:23: Lease:180 secs, Renewal:0 secs, Rebind:0 secs 00:07:23: Next timer fires after:00:00:02 00:07:23: Retry count:1 Client-ID:cisco-0010.7b6e.afd8-Et2 00:07:23:DHCP:SRequest- Server ID option:10.1.1.1 00:07:23:DHCP:SRequest- Requested IP addr option:10.1.1.2 00:07:23:DHCP:SRequest placed lease len option:180 00:07:23:DHCP:SRequest:326 bytes 00:07:23:DHCP:SRequest:326 bytes 00:07:23: B'cast on Ethernet2 interface from 0.0.0.0

The following example shows the debug output when the DHCP server sends a DHCPACK message to the client with the full set of configuration parameters:
00:07:23:DHCP:Received a BOOTREP pkt 00:07:23:DHCP:Scan:Message type:DHCP Ack 00:07:23:DHCP:Scan:Server ID Option:10.1.1.1 = A010101 00:07:23:DHCP:Scan:Lease Time:180 00:07:23:DHCP:Scan:Renewal time:90 00:07:23:DHCP:Scan:Rebind time:157 00:07:23:DHCP:Scan:Subnet Address Option:255.255.255.0 00:07:23:DHCP:rcvd pkt source:10.1.1.1, destination: 255.255.255.255 00:07:23: UDP sport:43, dport:44, length:308 00:07:23: DHCP op:2, htype:1, hlen:6, hops:0 00:07:23: DHCP server identifier:10.1.1.1 00:07:23: xid:582, secs:0, flags:8000 00:07:23: client:0.0.0.0, your:10.1.1.2 00:07:23: srvr: 0.0.0.0, gw:0.0.0.0 00:07:23: options block length:60 00:07:23:DHCP Ack Messag 00:07:23:DHCP:Lease Seconds:180 Renewal secs: 90 Rebind secs:157 00:07:23:DHCP:Server ID Option:10.1.1.1Interface Ethernet2 assigned DHCP address 10.1.1.2, mask 255.255.255.0 00:07:26:DHCP Client Pooling:***Allocated IP address:10.1.1.2 00:07:26:Allocated IP address = 10.1.1.2 255.255.255.0

Most fields are self-explanatory; however, fields that may need further explanation are described in Table 37. Table 37 debug dhcp Command Field Descriptions Fields DHCP:Scan:Subnet Address Option:255.255.255.0 Description Subnet mask option (option 1).

DHCP server identifier:1.1.1.1 Value of the DHCP server id option (option 54). Note that this is not the same as the siaddr field, which is the server IP address. srvr:0.0.0.0, gw:0.0.0.0 srvr is the value of the siaddr field. gw is the value of the giaddr field.

Related Commands
Command debug ip dhcp server Description Enables DHCP server debugging.

show dhcp lease

Displays DHCP addresses leased from a server.

debug eigrp packet


To display general debugging information, use the debug eigrp packet privileged EXEC command. The no form of this command disables debugging output. debug eigrp packet no debug eigrp packet

Syntax Description
This command has no arguments or keywords.

Usage Guidelines
If a communication session is closing when it should not be, an end-to-end connection problem can be the cause. The debug eigrp packet command is useful for analyzing the messages traveling between the local and remote hosts.

Examples
The following is sample output from the debug eigrp packet command:
Router# debug eigrp packet EIGRP: Sending HELLO on Ethernet0/1 AS 109, Flags 0x0, Seq 0, Ack 0 EIGRP: Sending HELLO on Ethernet0/1 AS 109, Flags 0x0, Seq 0, Ack 0 EIGRP: Sending HELLO on Ethernet0/1 AS 109, Flags 0x0, Seq 0, Ack 0 EIGRP: Received UPDATE on Ethernet0/1 from AS 109, Flags 0x1, Seq 1, Ack 0 EIGRP: Sending HELLO/ACK on Ethernet0/1 to AS 109, Flags 0x0, Seq 0, Ack 1 EIGRP: Sending HELLO/ACK on Ethernet0/1 to AS 109, Flags 0x0, Seq 0, Ack 1 EIGRP: Received UPDATE on Ethernet0/1 from AS 109, Flags 0x0, Seq 2, Ack 0

192.195.78.24, 192.195.78.24, 192.195.78.24, 192.195.78.24,

The output shows transmission and receipt of Enhanced IGRP packets. These packet types may be hello, update, request, query, or reply packets. The sequence and acknowledgment numbers used by the Enhanced IGRP reliable transport algorithm are shown in the output. Where applicable, the networklayer address of the neighboring router is also included. Table 44 describes the significant fields shown in the display.
Table 44 debug eigrp packet Field Descriptions

Field

Description

EIGRP: Enhanced IGRP packet. AS n Flags nxn Autonomous system number. A flag of 1 means the sending router is indicating to the receiving router that this is the first packet it has sent to the receiver. A flag of 2 is a multicast that should be conditionally received by routers that have the conditionally receive (CR) bit set. This bit gets set when the sender of the multicast has previously sent a sequence packet explicitly telling it to set the CR bit. HELLO Hello packets are the neighbor discovery packets. They are used to determine whether neighbors are still alive. As long as neighbors receive the hello packets the router is sending, the neighbors validate the router and any routing information sent. If neighbors lose the hello packets, the receiving neighbors invalidate any routing information previously sent. Neighbors also send hello packets.

debug errors
To display errors, use the debug errors privileged EXEC command. The no form of this command disables debugging output. debug errors no debug errors

Syntax Description
This command has no arguments or keywords.

Examples
The following is sample output from the debug errors command:
Router# debug errors (2/0): Encapsulation error, link=7, host=836CA86D. (4/0): VCD#7 failed to echo OAM. 4 tries

The first line of output indicates that a packet was routed to the interface, but no static map was set up to route that packet to the proper virtual circuit. The second line of output shows that an OAM F5 (virtual circuit) cell error occurred.

debug events
To display events, use the debug events privileged EXEC command. The no form of this command disables debugging output. debug events no debug events

Syntax Description
This command has no arguments or keywords.

Usage Guidelines
This command displays events that occur on the interface processor and is useful for diagnosing problems in an network. It provides an overall picture of the stability of the network. In a stable network, the debug events command does not return any information. If the command generates numerous messages, the messages can indicate the possible source of problems. When configuring or making changes to a router or interface for, enable the debug events command. Doing so alerts you to the progress of the changes or to any errors that might result. Also use this command periodically when you suspect network problems.

Examples
The following is sample output from the debug events command:
Router# debug events RESET(4/0): PLIM type is 1, Rate is 100Mbps aip_disable(4/0): state=1 config(4/0) aip_love_note(4/0): asr=0x201 aip_enable(4/0) aip_love_note(4/0): asr=0x4000 aip_enable(4/0): restarting VCs: 7 aip_setup_vc(4/0): vc:1 vpi:1 vci:1 aip_love_note(4/0): asr=0x200 aip_setup_vc(4/0): vc:2 vpi:2 vci:2 aip_love_note(4/0): asr=0x200 aip_setup_vc(4/0): vc:3 vpi:3 vci:3 aip_love_note(4/0): asr=0x200 aip_setup_vc(4/0): vc:4 vpi:4 vci:4 aip_love_note(4/0): asr=0x200 aip_setup_vc(4/0): vc:6 vpi:6 vci:6 aip_love_note(4/0): asr=0x200 aip_setup_vc(4/0): vc:7 vpi:7 vci:7 aip_love_note(4/0): asr=0x200 aip_setup_vc(4/0): vc:11 vpi:11 vci:11 aip_love_note(4/0): asr=0x200

Table 45 describes the significant fields in the display.

Table 45

debug events Field Descriptions

Field PLIM type

Description Indicates the interface rate in Mbps. Possible values are:


1 = TAXI(4B5B) 100 Mbps 2 = SONET 155 Mbps 3 = E3 34 Mbps

state

Indicates current state of the AIP. Possible values are:


1 = An ENABLE will be issued soon. 0 = The AIP will remain shut down.

asr

Defines a bitmask, which indicates actions or completions to commands. Valid bitmask values are:

0x0800 = AIP crashed, reload may be required. 0x0400 = AIP detected a carrier state change. 0x0n00 = Command completion status. Command completion status codes are:
o o o o o

n = 8 Invalid PLIM detected n = 4 Command failed n = 2 Command completed successfully n = 1 CONFIG request failed n = 0 Invalid value

The following line indicates that the AIP was reset. The PLIM detected was 1, so the maximum rate is set to 100 Mbps.
RESET(4/0): PLIM type is 1, Rate is 100Mbps

The following line indicates that the AIP was given a shutdown command, but the current configuration indicates that the AIP should be up:
aip_disable(4/0): state=1

The following line indicates that a configuration command has been completed by the AIP:
aip_love_note(4/0): asr=0x201

The following line indicates that the AIP was given a no shutdown command to take it out of the shutdown state:
aip_enable(4/0)

The following line indicates that the AIP detected a carrier state change. It does not indicate that the carrier is down or up, only that it has changed.

aip_love_note(4/0): asr=0x4000

The following line of output indicates that the AIP enable function is restarting all PVCs automatically:
aip_enable(4/0): restarting VCs: 7

The following lines of output indicate that PVC 1 was set up and a successful completion code was returned:
aip_setup_vc(4/0): vc:1 vpi:1 vci:1 aip_love_note(4/0): asr=0x200

debug ip auth-proxy
To display the authentication proxy configuration information on the router, use the debug ip auth-proxy command in privileged EXEC mode. debug ip auth-proxy {ftp | function-trace | http | object-creation | object-deletion | tcp | telnet | timer}

Syntax Description
ftp Displays FTP events related to the authentication proxy.

function-trace

Displays the authentication proxy functions.

http

Displays HTTP events related to the authentication proxy.

objectcreation

Displays additional entries to the authentication proxy cache.

objectdeletion

Displays deletion of cache entries for the authentication proxy.

tcp

Displays TCP events related to the authentication proxy.

telnet

Displays Telnet-related authentication proxy events.

timer

Displays authentication proxy timer-related events.

Command History
Release 12.0(5)T Modification This command was introduced.

Usage Guidelines
Use the debug ip auth-proxy command to display authentication proxy activity. See the "Examples" section for more information about the debug options. Note The function-trace debugging information provides low-level software information for Cisco technical support representatives. No output examples are provided for this keyword option.

Examples
The following examples illustrates the output of the debug ip auth-proxy command. In these examples, debugging is on for object creations, object deletions, HTTP, and TCP. In this example, the client host at 192.168.201.1 is attempting to make an HTTP connection to the web server located at 192.168.21.1. The HTTP debugging information is on for the authentication proxy. The output shows that the router is setting up an authentication proxy entry for the login request:
00:11:10: AUTH-PROXY creates info: cliaddr - 192.168.21.1, cliport - 36583 seraddr - 192.168.201.1, serport - 80 ip-addr 192.168.21.1 pak-addr 0.0.0.0

Following a successful login attempt, the debugging information shows the authentication proxy entries created for the client. In this example, the client is authorized for SMTP (port 25), FTP data (port 20), FTP control (port 21), and Telnet (port 23) traffic. The dynamic ACL entries are included in the display.
00:11:25:AUTH_PROXY 00:11:25:AUTH-PROXY 61AD60CC 00:11:25:AUTH-PROXY 00:11:25:AUTH-PROXY 00:11:25:AUTH_PROXY 00:11:25:AUTH-PROXY 6151C908 00:11:25:AUTH-PROXY 00:11:25:AUTH-PROXY 00:11:25:AUTH_PROXY 00:11:25:AUTH-PROXY 61A40B88 00:11:25:AUTH-PROXY 00:11:25:AUTH-PROXY 00:11:25:AUTH_PROXY 00:11:25:AUTH-PROXY 61879550 00:11:25:AUTH-PROXY 00:11:25:AUTH-PROXY OBJ_CREATE:acl item 61AD60CC OBJ_CREATE:create acl wrapper 6151C7C8 -- acl item 192.168.162.216 Port [0] Dst 192.168.162.220 Port [25] OBJ_CREATE:acl item 6151C908 OBJ_CREATE:create acl wrapper 6187A060 -- acl item 192.168.162.216 Port [0] Dst 192.168.162.220 Port [20] OBJ_CREATE:acl item 61A40B88 OBJ_CREATE:create acl wrapper 6187A0D4 -- acl item 192.168.162.216 Port [0] Dst 192.168.162.220 Port [21] OBJ_CREATE:acl item 61879550 OBJ_CREATE:create acl wrapper 61879644 -- acl item 192.168.162.216 Port [0] Dst 192.168.162.220 Port [23]

The next example shows the debug output following a clear ip auth-proxy cache command to clear the authentication entries from the router. The dynamic ACL entries are removed from the router.
00:12:36:AUTH-PROXY 00:12:36:AUTH-PROXY item 61AD60CC 00:12:36:AUTH-PROXY item 6151C908 00:12:36:AUTH-PROXY item 61A40B88 00:12:36:AUTH-PROXY item 61879550 OBJ_DELETE:delete auth_proxy cache 61AD6298 OBJ_DELETE:delete create acl wrapper 6151C7C8 -- acl OBJ_DELETE:delete create acl wrapper 6187A060 -- acl OBJ_DELETE:delete create acl wrapper 6187A0D4 -- acl OBJ_DELETE:delete create acl wrapper 61879644 -- acl

The following example shows the timer information for a dynamic ACL entry. All times are expressed in milliseconds. The first laststart is the time that the ACL entry is created relative to the startup time of the router. The lastref is the time of the last packet to hit the dynamic ACL relative to the startup time of the router. The exptime is the next expected expiration time for the dynamic ACL. The delta indicates the remaining time before the dynamic ACL expires. After the timer expires, the debugging information includes a message indicating that the ACL and associated authentication proxy information for the client have been removed.
00:19:51:first laststart 1191112 00:20:51:AUTH-PROXY:delta 54220 lastref 1245332 exptime 1251112 00:21:45:AUTH-PROXY:ACL and cache are removed

Related Commands
Command show debug Description Displays the debug options set on the router.

debug ip dhcp server


To enable DHCP Server debugging, use the debug ip dhcp server privileged EXEC command. debug ip dhcp server {events | packets | linkage}

Syntax Description
events Reports server events, like address assignments and database updates.

packets

Decodes DHCP receptions and transmissions.

linkage

Displays database linkage information (such as parent-child relationships in a radix tree).

Defaults
Disabled by default

Command History
Release 12.0(1)T Modification This command was introduced.

debug ip eigrp
To display information on Enhanced IGRP protocol packets, use the debug ip eigrp privileged EXEC command. The no form of this command disables debugging output. debug ip eigrp no debug ip eigrp

Syntax Description
This command has no arguments or keywords.

Usage Guidelines
This command helps you analyze the packets that are sent and received on an interface. Because the debug ip eigrp command generates a substantial amount of output, only use it when traffic on the network is light.

Examples
The following is sample output from the debug ip eigrp command:
Router# debug ip eigrp IP-EIGRP: Processing incoming UPDATE packet IP-EIGRP: Ext 192.168.3.0 255.255.255.0 M 386560 - 256000 130560 SM 360960 - 256000 104960 IP-EIGRP: Ext 192.168.0.0 255.255.255.0 M 386560 - 256000 130560 SM 360960 - 256000 104960 IP-EIGRP: Ext 192.168.3.0 255.255.255.0 M 386560 - 256000 130560 SM 360960 - 256000 104960 IP-EIGRP: 172.69.43.0 255.255.255.0, - do advertise out Ethernet0/1 IP-EIGRP: Ext 172.69.43.0 255.255.255.0 metric 371200 - 256000 115200 IP-EIGRP: 192.135.246.0 255.255.255.0, - do advertise out Ethernet0/1 IP-EIGRP: Ext 192.135.246.0 255.255.255.0 metric 46310656 - 45714176 596480 IP-EIGRP: 172.69.40.0 255.255.255.0, - do advertise out Ethernet0/1 IP-EIGRP: Ext 172.69.40.0 255.255.255.0 metric 2272256 - 1657856 614400 IP-EIGRP: 192.135.245.0 255.255.255.0, - do advertise out Ethernet0/1 IP-EIGRP: Ext 192.135.245.0 255.255.255.0 metric 40622080 - 40000000 622080 IP-EIGRP: 192.135.244.0 255.255.255.0, - do advertise out Ethernet0/1

Table 70 describes the significant fields shown in the display. Table 70 debug ip eigrp Field Descriptions Field Description

IPEIGRP:

Indicates that this is an IP Enhanced IGRP packet.

Ext

Indicates that the following address is an external destination rather than an internal destination, which would be labeled as Int.

Displays the computed metric, which includes SM and the cost between this router and the neighbor. The first number is the composite metric. The next two numbers are the inverse bandwidth and the delay, respectively.

SM

Displays the metric as reported by the neighbor.

debug ip ftp
To activate the debugging option to track the transactions submitted during an FTP session, use the debug ip ftp privileged EXEC command. To disable debugging output, use the no form of this command. debug ip ftp no debug ip ftp

Syntax Description
This command has no arguments or keywords.

Usage Guidelines
The debug ip ftp command is useful for debugging problems associated with FTP.

Examples
The following is an example of the debug ip ftp command:
Router# debug ip ftp FTP transactions debugging is on

The following is sample output from the debug ip ftp command:


FTP: 220 ProFTPD 1.2.0pre8 Server (DFW Nostrum FTP Server) [defiant.dfw.nostrum.com] Dec 27 22:12:09.133: FTP: ---> USER router Dec 27 22:12:09.133: FTP: 331 Password required for router. Dec 27 22:12:09.137: FTP: ---> PASS WQHK5JY2 Dec 27 22:12:09.153: FTP: 230 Anonymous access granted, restrictions apply. Dec 27 22:12:09.153: FTP: ---> TYPE I Dec 27 22:12:09.157: FTP: 200 Type set to I. Dec 27 22:12:09.157: FTP: ---> PASV . . . . . . . . . . . . . . Dec 27 22:12:09.173: FTP: ---> QUIT

Dec 27 22:12:09.181: FTP: 221 Goodbye.

debug ip http authentication


To troubleshoot HTTP authentication problems, use privileged EXEC command. The no form of this command disables debugging output. debug ip http authentication no debug ip http authentication

Syntax Description
This command has no arguments or keywords.

Usage Guidelines
The debug ip http authentication command displays the authentication method the router attempted and authentication-specific status messages.

Examples
The following is sample output from the debug ip http authentication command:
Router# debug ip http authentication Authentication for url `/' `/' level 15 privless `/' Authentication username = `local15' priv-level = 15 auth-type = local

Table 71 describes the significant fields shown in the display. Table 71 debug ip http authentication Command Descriptions Field Authentication for url Description Provides information about the URL in different forms.

Authentication username

Identifies the user.

priv-level

Indicates the user privilege level.

auth-type

Indicates the authentication method.

debug ip http transaction


To display HTTP server transaction processing, use the debug ip http transaction privileged EXEC command. The no form of this command disables debugging output. debug ip http transaction no debug ip http transaction

Syntax Description
This command has no arguments or keywords.

Usage Guidelines
Use the debug ip http transaction command to display what the HTTP server is parsing at a high level. To display what the HTTP server is parsing at a low level, use the debug ip http token command.

Examples
The following is sample output from the debug ip http transaction command. In this example, the browser accessed the router's home page http:/ /routername/.
Router# debug ip http transaction HTTP: parsed uri '/' HTTP: client version 1.0 HTTP: parsed extension Referer HTTP: parsed line http://www.company.com/ HTTP: parsed extension Connection HTTP: parsed line Keep-Alive HTTP: parsed extension User-Agent HTTP: parsed line Mozilla/2.01 (X11; I; FreeBSD 2.1.0-RELEASE i386) HTTP: parsed extension Host HTTP: parsed line router-name HTTP: parsed extension Accept HTTP: parsed line image/gif, image/x-xbitmap, image/jpeg, image/ HTTP: parsed extension Authorization HTTP: parsed authorization type Basic HTTP: received GET ''

Table 72 lists describes some of the fields in the output. Table 72 debug ip http transaction Field Descriptions Field HTTP: parsed uri '/' Description Uniform resource identifier that is

requested.

HTTP: client version 1.0

Client HTTP version.

HTTP: parsed extension Referer

HTTP extension.

HTTP: parsed line http://www.company.com/

Value of HTTP extension.

HTTP: received GET ''

HTTP request method.

Related Commands
Command debug ip http ezsetup Description Displays the configuration changes that occur during the EZ Setup process.

debug ip http token

Displays individual tokens parsed by the HTTP server.

debug ip http url

Shows the URLs accessed from the router.

debug ip http url


To show the URLs accessed from the router, use the debug ip http url privileged EXEC command. The no form of this command disables debugging output. debug ip http url no debug ip http url

Syntax Description
This command has no arguments or keywords.

Usage Guidelines
Use the debug ip http url command to keep track of the URLs that are accessed and to determine from which hosts the URLs are accessed.

Examples
The following output is from the debug ip http url command. In this example, the HTTP server accessed the URLs and /exec. The output shows the URL being requested and the IP address of the host requesting the URL.
Router# debug ip http url HTTP: processing URL '/' from host 172.31.2.141 HTTP: processing URL '/exec' from host 172.31.2.141

Related Commands
Command debug ip http ezsetup Description Displays the configuration changes that occur during the EZ Setup process.

debug ip http token

Displays individual tokens parsed by the HTTP server.

debug ip http transaction

Displays HTTP server transaction processing.

debug ip icmp
To display information on Internal Control Message Protocol (ICMP) transactions, use the debug ip icmp privileged EXEC command. The no form of this command disables debugging output. debug ip icmp no debug ip icmp

Syntax Description
This command has no arguments or keywords.

Usage Guidelines
This command helps you determine whether the router is sending or receiving ICMP messages. Use it, for example, when you are troubleshooting an end-toend connection problem.

Note For more information about the fields in debug ip icmp command output, refer to RFC-792, Internet Control Message Protocol; Appendix I of RFC-950, Internet Standard Subnetting Procedure; and RFC-1256, ICMP Router Discovery Messages.

Examples
The following is sample output from the debug ip icmp command:
Router# debug ip icmp ICMP: rcvd type 3, code 1, from 10.95.192.4 ICMP: 10.56.0.202, dst 172.69.16.1, echo reply ICMP: dst (10.120.1.0) port unreachable rcv from ICMP: 172.69.12.35, dst 172.69.20.7, echo reply ICMP: dst (255.255.255.255) protocol unreachable ICMP: dst (10.120.1.0) port unreachable rcv from ICMP: dst (255.255.255.255) protocol unreachable ICMP: dst (10.120.1.0) port unreachable rcv from ICMP: 10.56.0.202, dst 172.69.16.1, echo reply ICMP: dst (10.120.1.0) port unreachable rcv from ICMP: dst (255.255.255.255) protocol unreachable ICMP: dst (10.120.1.0) port unreachable rcv from

10.120.1.15 rcv from 10.31.7.21 10.120.1.15 rcv from 10.31.7.21 10.120.1.15 10.120.1.15 rcv from 10.31.7.21 10.120.1.15

Table 73 describes the significant fields shown in the display. Table 73 debug ip icmp Field Descriptions Field Description

ICMP:

Indication that this message describes an ICMP packet.

rcvd type 3

The type field can be one of the following:


0Echo Reply 3Destination Unreachable 4Source Quench 5Redirect 8Echo 9Router Discovery Protocol Advertisement 10Router Discovery Protocol Solicitations 11Time Exceeded 12Parameter Problem 13Timestamp 14Timestamp Reply 15Information Request 16Information Reply 17Mask Request 18Mask Reply

code 1

This field is a code. The meaning of the code depends upon the type field value, as follows:

Echo and Echo ReplyThe code field is always zero. Destination UnreachableThe code field can have the following values: 0Network unreachable 1Host unreachable 2Protocol unreachable 3Port unreachable 4Fragmentation needed and DF bit set 5Source route failed

Source QuenchThe code field is always 0. RedirectThe code field can have the following

values: 0Redirect datagrams for the network 1Redirect datagrams for the host 2Redirect datagrams for the command mode of service and network 3Redirect datagrams for the command mode of service and host

Router Discovery Protocol Advertisements and SolicitationsThe code field is always zero.

Time ExceededThe code field can have the following values: 0Time to live exceeded in transit 1Fragment reassembly time exceeded

Parameter ProblemThe code field can have the following values: 0General problem 1Option is missing 2Option missing, no room to add

Timestamp and Timestamp ReplyThe code field is always zero. Information Request and Information ReplyThe code field is always zero. Mask Request and Mask ReplyThe code field is always zero.

from 10.95.192.4

Source address of the ICMP packet.

Table 74 describes the significant fields in the second line of the display.

Table 74 debug ip icmp Field Descriptions Field ICMP: Description Indicates that this message describes an ICMP packet.

10.56.10.202

Address of the sender of the echo.

dst 172.69.16.1

Address of the receiving router.

echo reply

Indicates that the router received an echo reply.

Other messages that the debug ip icmp command can generate follow. When an IP router or host sends out an ICMP mask request, the following message is generated when the router sends a mask reply:
ICMP: sending mask reply (255.255.255.0) to 172.69.80.23 via Ethernet0

The following two lines are examples of the two forms of this message. The first form is generated when a mask reply comes in after the router sends out a mask request. The second form occurs when the router receives a mask reply with a nonmatching sequence and ID. Refer to Appendix I of RFC 950, Internet Standard Subnetting Procedures, for details.
ICMP: mask reply 255.255.255.0 from 172.69.80.31 ICMP: unexpected mask reply 255.255.255.0 from 172.69.80.32

The following output indicates that the router sent a redirect packet to the host at address 172.69.80.31, instructing that host to use the gateway at address 172.69.80.23 in order to reach the host at destination address 172.69.1.111:
ICMP: redirect sent to 172.69.80.31 for dest 172.69.1.111 use gw 172.69.80.23

The following message indicates that the router received a redirect packet from the host at address 172.69.80.23, instructing the router to use the gateway at address 172.69.80.28 in order to reach the host at destination address 172.69.81.34:
ICMP: redirect rcvd from 172.69.80.23 -- for 172.69.81.34 use gw 172.69.80.28

The following message is displayed when the router sends an ICMP packet to the source address (172.69.94.31 in this case), indicating that the destination address (172.69.13.33 in this case) is unreachable:

ICMP: dst (172.69.13.33) host unreachable sent to 172.69.94.31

The following message is displayed when the router receives an ICMP packet from an intermediate address (172.69.98.32 in this case), indicating that the destination address (172.69.13.33 in this case) is unreachable:
ICMP: dst (172.69.13.33) host unreachable rcv from 172.69.98.32

Depending on the code received (as Table 73 describes), any of the unreachable messages can have any of the following "strings" instead of the "host" string in the message:
net protocol port frag. needed and DF set source route failed prohibited

The following message is displayed when the TTL in the IP header reaches zero and a time exceed ICMP message is sent. The fields are self-explanatory.
ICMP: time exceeded (time to live) send to 10.95.1.4 (dest was 172.69.1.111)

The following message is generated when parameters in the IP header are corrupted in some way and the parameter problem ICMP message is sent. The fields are self-explanatory.
ICMP: parameter problem sent to 128.121.1.50 (dest was 172.69.1.111)

Based on the preceding information, the remaining output can be easily understood:
ICMP: ICMP: ICMP: ICMP: ICMP: ICMP: ICMP: parameter problem rcvd 172.69.80.32 source quench rcvd 172.69.80.32 source quench sent to 128.121.1.50 (dest was 172.69.1.111) sending time stamp reply to 172.69.80.45 sending info reply to 172.69.80.12 rdp advert rcvd type 9, code 0, from 172.69.80.23 rdp solicit rcvd type 10, code 0, from 172.69.80.43

debug ip inspect
To display messages about Context-Based Access Control (CBAC) events, use the debug ip inspect privileged EXEC command. The no form of this command disables debugging output. debug ip inspect {function-trace | object-creation | object-deletion | events | timers | protocol | detailed} no debug ip inspect detailed

Syntax Description
functiontrace Displays messages about software functions called by CBAC.

objectcreation

Display messages about software objects being created by CBAC. Object creation corresponds to the beginning of CBACinspected sessions.

objectdeletion

Displays messages about software objects being deleted by CBAC. Object deletion corresponds to the closing of CBACinspected sessions.

events

Displays messages about CBAC software events, including information about CBAC packet processing.

timers

Displays messages about CBAC timer events such as when a CBAC idle timeout is reached.

protocol

Displays messages about CBAC-inspected protocol events, including details about the packets of the protocol. Table 3 provides a list of protocol keywords.

detailed

Causes detailed information to be displayed for all the other enabled CBAC debugging. Use this form of the command in conjunction with other CBAC debugging commands.

Table 75 Protocol Keywords for the debug ip inspect Command

Application Protocol Transport-layer protocols

protocol keyword

TCP

tcp

UDP

udp

Application-layer protocols

CU-SeeMe

cuseeme

FTP commands and responses

ftp-cmd

FTP tokens (enables tracing of the FTP tokens parsed)

ftp-tokens

H.323 (version 1 and version 2)

h323

HTTP

http

Microsoft NetShow

netshow

UNIX r-commands (rlogin, rexec, rsh)

rcmd

RealAudio

realaudio

RPC

rpc

RTSP

rtsp

SMTP

smtp

SQL*Net

sqlnet

StreamWorks

streamworks

TFTP

tftp

VDOLive

vdolive

Command History
Release 11.2P Modification This command was introduced.

12.0(5)T

NetShow support was introduced.

12.0(7)T

H.323 V2 and RTSP protocol support was introduced

Examples
The following is sample output from the debug ip inspect function-trace command:
*Mar *Mar *Mar 41 *Mar *Mar *Mar *Mar *Mar 2 01:16:16: CBAC FUNC: insp_inspection 2 01:16:16: CBAC FUNC: insp_pre_process_sync 2 01:16:16: CBAC FUNC: insp_find_tcp_host_entry addr 40.0.0.1 bucket 2 2 2 2 2 01:16:16: 01:16:16: 01:16:16: 01:16:16: 01:16:16: CBAC CBAC CBAC CBAC CBAC FUNC: FUNC: FUNC: FUNC: FUNC: insp_find_pregen_session insp_get_idbsb insp_get_idbsb insp_get_irc_of_idb insp_get_idbsb

*Mar *Mar *Mar *Mar *Mar *Mar *Mar *Mar *Mar *Mar *Mar *Mar *Mar 41 *Mar *Mar *Mar *Mar *Mar *Mar *Mar *Mar *Mar *Mar *Mar *Mar *Mar *Mar 41

2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2

01:16:16: 01:16:16: 01:16:16: 01:16:16: 01:16:16: 01:16:16: 01:16:16: 01:16:16: 01:16:16: 01:16:16: 01:16:16: 01:16:16: 01:16:16: 01:16:16: 01:16:16: 01:16:16: 01:16:16: 01:16:16: 01:16:16: 01:16:16: 01:16:16: 01:16:16: 01:16:16: 01:16:16: 01:16:16: 01:16:16: 01:16:16:

CBAC CBAC CBAC CBAC CBAC CBAC CBAC CBAC CBAC CBAC CBAC CBAC CBAC

FUNC: FUNC: FUNC: FUNC: FUNC: FUNC: FUNC: FUNC: FUNC: FUNC: FUNC: FUNC: FUNC:

insp_create_sis insp_inc_halfopen_sis insp_link_session_to_hash_table insp_inspect_pak insp_l4_inspection insp_process_tcp_seg insp_listen_state insp_ensure_return_traffic insp_add_acl_item insp_ensure_return_traffic insp_add_acl_item insp_process_syn_packet insp_find_tcp_host_entry addr 40.0.0.1 bucket

CBAC FUNC: insp_create_tcp_host_entry CBAC* FUNC: insp_fast_inspection CBAC* FUNC: insp_inspect_pak CBAC* FUNC: insp_l4_inspection CBAC* FUNC: insp_process_tcp_seg CBAC* FUNC: insp_synrcvd_state CBAC* FUNC: insp_fast_inspection CBAC* FUNC: insp_inspect_pak CBAC* FUNC: insp_l4_inspection CBAC* FUNC: insp_process_tcp_seg CBAC* FUNC: insp_synrcvd_state CBAC FUNC: insp_dec_halfopen_sis CBAC FUNC: insp_remove_sis_from_host_entry CBAC FUNC: insp_find_tcp_host_entry addr 40.0.0.1 bucket

This output shows the functions called by CBAC as a session is inspected. Entries with an asterisk (*) after the word "CBAC" are entries when the fast path is used; otherwise, the process path is used. The following is sample output from the debug ip inspect object-creation and debug ip inspect object-deletion command:
*Mar 2 01:18:30: *Mar 2 01:18:30: 25A3634 *Mar 2 01:18:30: *Mar 2 01:18:30: *Mar 2 01:18:30: bucket 31 *Mar 2 01:18:30: *Mar 2 01:18:30: item 25A3634 *Mar 2 01:18:31: CBAC OBJ_CREATE: create pre-gen sis 25A3574 CBAC OBJ_CREATE: create acl wrapper 25A36FC -- acl item CBAC OBJ_CREATE: create sis 25C1CC4 CBAC OBJ_DELETE: delete pre-gen sis 25A3574 CBAC OBJ_CREATE: create host entry 25A3574 addr 10.0.0.1 CBAC OBJ_DELETE: delete sis 25C1CC4 CBAC OBJ_DELETE: delete create acl wrapper 25A36FC -- acl CBAC OBJ_DELETE: delete host entry 25A3574 addr 10.0.0.1

The following is sample output from the debug ip inspect object-creation, debug ip inspect object-deletion, and debug ip inspect events commands:
*Mar 2 01:18:51: CBAC *Mar 2 01:18:51: CBAC 25A3634 *Mar 2 01:18:51: CBAC *Mar 2 01:18:51: CBAC *Mar 2 01:18:51: CBAC 30.0.0.1[46406:46406] OBJ_CREATE: create pre-gen sis 25A3574 OBJ_CREATE: create acl wrapper 25A36FC -- acl item 10.1.0.1 Port [1:65535] Dst 10.0.0.1 Port [46406:46406] Pre-gen sis 25A3574 created: 10.1.0.1[1:65535]

*Mar 2 01:18:51: CBAC OBJ_CREATE: create sis 25C1CC4 *Mar 2 01:18:51: CBAC sis 25C1CC4 initiator_addr (10.1.0.1:20) responder_addr (30.0.0.1:46406) initiator_alt_addr (40.0.0.1:20) responder_alt_addr (10.0.0.1:46406) *Mar 2 01:18:51: CBAC OBJ_DELETE: delete pre-gen sis 25A3574 *Mar 2 01:18:51: CBAC OBJ_CREATE: create host entry 25A3574 addr 10.0.0.1 bucket 31 *Mar 2 01:18:51: CBAC OBJ_DELETE: delete sis 25C1CC4 *Mar 2 01:18:51: CBAC OBJ_DELETE: delete create acl wrapper 25A36FC -- acl item 25A3634 *Mar 2 01:18:51: CBAC OBJ_DELETE: delete host entry 25A3574 addr 10.0.0.1

The following is sample output from the debug ip inspect timers command:
*Mar 2 01:19:15: CBAC *Mar 2 01:19:15: CBAC Time: 30000 milisecs *Mar 2 01:19:15: CBAC *Mar 2 01:19:15: CBAC *Mar 2 01:19:15: CBAC milisecs *Mar 2 01:19:15: CBAC 3600000 milisecs *Mar 2 01:19:15: CBAC milisecs *Mar 2 01:19:15: CBAC Timer Init Leaf: Pre-gen sis 25A3574 Timer Start: Pre-gen sis 25A3574 Timer: 25A35D8 Timer Init Leaf: sis 25C1CC4 Timer Stop: Pre-gen sis 25A3574 Timer: 25A35D8 Timer Start: sis 25C1CC4 Timer: 25C1D5C Time: 30000 Timer Start: sis 25C1CC4 Timer: 25C1D5C Time: Timer Start: sis 25C1CC4 Timer: 25C1D5C Time: 5000 Timer Stop: sis 25C1CC4 Timer: 25C1D5C

The following is sample output from the debug ip inspect tcp command:
*Mar 2 01:20:43: CBAC* sis 25A3604 pak 2541C58 TCP P ack 4223720032 seq 4200176225(22) (10.0.0.1:46409) => (10.1.0.1:21) *Mar 2 01:20:43: CBAC* sis 25A3604 ftp L7 inspect result: PROCESS-SWITCH packet *Mar 2 01:20:43: CBAC sis 25A3604 pak 2541C58 TCP P ack 4223720032 seq 4200176225(22) (10.0.0.1:46409) => (10.1.0.1:21) *Mar 2 01:20:43: CBAC sis 25A3604 ftp L7 inspect result: PASS packet *Mar 2 01:20:43: CBAC* sis 25A3604 pak 2544374 TCP P ack 4200176247 seq 4223720032(30) (10.0.0. 1:46409) <= (10.1.0.1:21) *Mar 2 01:20:43: CBAC* sis 25A3604 ftp L7 inspect result: PASS packet *Mar 2 01:20:43: CBAC* sis 25A3604 pak 25412F8 TCP P ack 4223720062 seq 4200176247(15) (10.0.0. 1:46409) => (10.1.0.1:21) *Mar 2 01:20:43: CBAC* sis 25A3604 ftp L7 inspect result: PASS packet *Mar 2 01:20:43: CBAC sis 25C1CC4 pak 2544734 TCP S seq 4226992037(0) (10.1.0.1:20) => (10.0.0.1:46411) *Mar 2 01:20:43: CBAC* sis 25C1CC4 pak 2541E38 TCP S ack 4226992038 seq 4203405054(0) (10.1.0.1:20) <= (10.0.0.1:46411)

This sample shows TCP packets being processed, and lists the corresponding acknowledge (ACK) packet numbers and sequence (SEQ) numbers. The number of data bytes in the TCP packet is shown in parenthesesfor example, (22). For each packet shown, the addresses and port numbers are shown separated by a colon. For example, (10.1.0.1:21) indicates an IP address of 10.1.0.1 and a TCP port number of 21. Entries with an asterisk (*) after the word "CBAC" are entries when the fast path is used; otherwise, the process path is used.

The following is sample output from the debug ip inspect tcp and debug ip inspect detailed commands:
*Mar 2 01:20:58: CBAC* Pak 2541E38 Find session for (30.0.0.1:46409) (40.0.0.1:21) tcp *Mar 2 01:20:58: P ack 4223720160 seq 4200176262(22) *Mar 2 01:20:58: CBAC* Pak 2541E38 Addr:port pairs to match: (30.0.0.1:46409) (40.0.0.1:21) *Mar 2 01:20:58: CBAC* sis 25A3604 SIS_OPEN *Mar 2 01:20:58: CBAC* Pak 2541E38 IP: s=30.0.0.1 (Ethernet0), d=40.0.0.1 (Ethernet1), len 76,proto=6 *Mar 2 01:20:58: CBAC sis 25A3604 Saving State: SIS_OPEN/ESTAB iisn 4200176160 i_rcvnxt 4223720160 i_sndnxt 4200176262 i_rcvwnd 8760 risn 4223719771 r_rcvnxt 4200176262 r_sndnxt 4223720160 r_rcvwnd 8760 *Mar 2 01:20:58: CBAC* sis 25A3604 pak 2541E38 TCP P ack 4223720160 seq 4200176262(22) (30.0.0.1:46409) => (40.0.0.1:21) *Mar 2 01:20:58: CBAC* sis 25A3604 pak 2541E38 SIS_OPEN/ESTAB TCP seq 4200176262(22) Flags: ACK 4223720160 PSH *Mar 2 01:20:58: CBAC* sis 25A3604 pak 2541E38 --> SIS_OPEN/ESTAB iisn 4200176160 i_rcvnxt 4223720160 i_sndnxt 4200176284 i_rcvwnd 8760 risn 4223719771 r_rcvnxt 4200176262 r_sndnxt 4223720160 r_rcvwnd 8760 *Mar 2 01:20:58: CBAC* sis 25A3604 L4 inspect result: PASS packet 2541E38 (30.0.0.1:46409) (40.0.0.1:21) bytes 22 ftp *Mar 2 01:20:58: CBAC sis 25A3604 Restoring State: SIS_OPEN/ESTAB iisn 4200176160 i_rcvnxt 4223 720160 i_sndnxt 4200176262 i_rcvwnd 8760 risn 4223719771 r_rcvnxt 4200176262 r_sndnxt 4223720160 r_rcvwnd 8760 *Mar 2 01:20:58: CBAC* sis 25A3604 ftp L7 inspect result: PROCESS-SWITCH packet *Mar 2 01:20:58: CBAC* sis 25A3604 ftp L7 inspect result: PROCESS-SWITCH packet *Mar 2 01:20:58: CBAC* Bump up: inspection requires the packet in the process path(30.0.0.1) (40.0.0.1) *Mar 2 01:20:58: CBAC Pak 2541E38 Find session for (30.0.0.1:46409) (40.0.0.1:21) tcp *Mar 2 01:20:58: P ack 4223720160 seq 4200176262(22) *Mar 2 01:20:58: CBAC Pak 2541E38 Addr:port pairs to match: (30.0.0.1:46409) (40.0.0.1:21) *Mar 2 01:20:58: CBAC sis 25A3604 SIS_OPEN *Mar 2 01:20:58: CBAC Pak 2541E38 IP: s=30.0.0.1 (Ethernet0), d=40.0.0.1 (Ethernet1), len 76, proto=6

debug ip nat
To display information about IP packets translated by the IP Network Address Translation (NAT) feature, use the debug ip nat privileged EXEC command. To disable debugging output, use the no form of this command. debug ip nat [access-list | detailed | h323 | pptp] no debug ip nat [access-list | detailed | h323 | pptp]

Syntax Description
accesslist (Optional) The standard IP access list number. If the datagram is not permitted by the specified access list, the related debugging output is suppressed.

detailed

(Optional) Displays debug information in a detailed format.

h323

(Optional) Displays H.225/H.245 protocol information.

pptp

(Optional) Displays Point-to-Point Tunneling (PPTP) protocol information.

Defaults
Disabled

Command Modes
Privileged EXEC

Command History
Release 11.2 Modification This command was introduced.

12.1(5)T

This command was modified to include the h323 keyword.

Usage Guidelines
The NAT feature reduces the need for unique, registered IP addresses. It can also save private network administrators from needing to renumber hosts and routers that do not conform to global IP addressing. Use the debug ip nat command to verify the operation of the NAT feature by displaying information about every packet that is translated by the router. The debug ip nat detailed command generates a description of each packet considered for translation. This command also outputs information about certain errors or exceptional conditions, such as the failure to allocate a global address. To display messages related to the processing of H.225 signalling and H.245 messages, use the debug ip nat h323 command.

Caution Because the debug ip nat command generates a substantial amount of output, use it only when traffic on the IP network is low, so other activity on the system is not adversely affected.

Examples
The following is sample output from the debug ip nat command. In this example, the first two lines show the debugging output produced by a Domain Name System (DNS) request and reply. The remaining lines show the debugging output from a Telnet connection from a host on the inside of the network to a host on the outside of the network. All Telnet packets, except for the first packet, were translated in the fast path, as indicated by the asterisk (*).
Router# debug ip nat NAT: s=192.168.1.95->172.31.233.209, d=172.31.2.132 [6825] NAT: s=172.31.2.132, d=172.31.233.209->192.168.1.95 [21852] NAT: s=192.168.1.95->172.31.233.209, d=172.31.1.161 [6826] NAT*: s=172.31.1.161, d=172.31.233.209->192.168.1.95 [23311] NAT*: s=192.168.1.95->172.31.233.209, d=172.31.1.161 [6827] NAT*: s=192.168.1.95->172.31.233.209, d=172.31.1.161 [6828] NAT*: s=172.31.1.161, d=172.31.233.209->192.168.1.95 [23313] NAT*: s=172.31.1.161, d=172.31.233.209->192.168.1.95 [23325]

Table 80 describes the significant fields shown in the display. Table 80 debug ip nat Field Descriptions Field NAT: Description Indicates that the packet is being translated by the NAT feature. An asterisk (*) indicates that the translation is occurring in the fast path. The first packet in a

conversation always goes through the slow path (that is, they are process switched). The remaining packets go through the fast path if a cache entry exists.

s=192.168.1.95 172.31.233.209

Source address of the packet and how it is being translated.

d=172.31.2.132

Destination address of the packet.

[6825]

IP identification number of the packet. Might be useful in the debugging process to correlate with other packet traces from protocol analyzers.

The following is sample output from the debug ip nat detailed command. In this example, the first two lines show the debugging output produced by a DNS request and reply. The remaining lines show the debugging output from a Telnet connection from a host on the inside of the network to a host on the outside of the network. In this example, the inside host 192.168.1.95 was assigned the global address 172.31.233.193.
Router# debug ip nat detailed NAT: i: udp (192.168.1.95, 1493) -> (172.31.2.132, NAT: o: udp (172.31.2.132, 53) -> (172.31.233.193, NAT*: i: tcp (192.168.1.95, 1135) -> (172.31.2.75, NAT*: o: tcp (172.31.2.75, 23) -> (172.31.233.193, NAT*: i: tcp (192.168.1.95, 1135) -> (172.31.2.75, NAT*: i: tcp (192.168.1.95, 1135) -> (172.31.2.75, NAT*: o: tcp (172.31.2.75, 23) -> (172.31.233.193, NAT*: o: tcp (172.31.2.75, 23) -> (172.31.233.193, 53) [22399] 1493) [63671] 23) [22400] 1135) [22002] 23) [22401] 23) [22402] 1135) [22060] 1135) [22071]

Table 81 describes the significant fields shown in the display. Table 81 debug ip nat detailed Field Descriptions Field NAT: Description Indicates that the packet is being translated by the NAT feature. An asterisk (*) indicates that the translation is occurring in the fast path.

i:

Indicates that the packet is moving from a host inside the network to one outside the network.

o:

Indicates that the packet is moving from a host outside the network to one inside the network.

udp

Protocol of the packet.

(192.168.1.95, 1493) (172.31.2.132, 53)

Indicates that the packet is sent from IP address 192.168.1.95, port number 1493 to IP address 172.31.2.132, port number 53.

[22399]

IP identification number of the packet.

The following is sample output from the debug ip nat h323 command. In this example, an H.323 call is established between two hosts, one host on the inside and the other one on the outside. The debug displays the H.323 messages names that NAT recognizes and the embedded IP addresses contained in those messages.
Router# debug ip nat h323 NAT:H225:[0] processing a Setup message NAT:H225:[0] found Setup sourceCallSignalling NAT:H225:[0] fix TransportAddress addr=192.168.122.50 port=11140 NAT:H225:[0] found Setup fastStart NAT:H225:[0] Setup fastStart PDU length:18 NAT:H245:[0] processing OpenLogicalChannel message, forward channel number 1 NAT:H245:[0] found OLC forward mediaControlChannel NAT:H245:[0] fix TransportAddress addr=192.168.122.50 port=16517 NAT:H225:[0] Setup fastStart PDU length:29 NAT:H245:[0] processing OpenLogicalChannel message, forward channel number 1 NAT:H245:[0] found OLC reverse mediaChannel NAT:H245:[0] fix TransportAddress addr=192.168.122.50 port=16516 NAT:H245:[0] found OLC reverse mediaControlChannel NAT:H245:[0] fix TransportAddress addr=192.168.122.50 port=16517 NAT:H225:[1] processing an Alerting message NAT:H225:[1] found Alerting fastStart NAT:H225:[1] Alerting fastStart PDU length:25 NAT:H245:[1] processing OpenLogicalChannel message, forward channe

Table 82 describes the significant fields shown in the display. Table 82 debug ip nat h323 Field Descriptions

Field NAT:

Description Indicates that the packet is being translated by the NAT feature.

H.225/H.245:

Protocol of the packet.

[1]

Indicates that the packet is moving from a host inside the network to one outside the network.

[0]

Indicates that the packet is moving from a host outside the network to one inside the network.

debug ip ospf events


To display information on Open Shortest Path First (OSPF)-related events, such as adjacencies, flooding information, designated router selection, and shortest path first (SPF) calculation, use the debug ip ospf events privileged EXEC command. The no form of this command disables debugging output. debug ip ospf events no debug ip ospf events

Syntax Description
This command has no arguments or keywords.

Examples
The following is sample output from the debug ip ospf events command:
Router# debug ip ospf events OSPF:hello with invalid timers on interface Ethernet0 hello interval received 10 configured 10 net mask received 255.255.255.0 configured 255.255.255.0 dead interval received 40 configured 30

The debug ip ospf events output shown might appear if any of the following situations occurs:

The IP subnet masks for routers on the same network do not match. The OSPF hello interval for the router does not match that configured for a neighbor. The OSPF dead interval for the router does not match that configured for a neighbor. If a router configured for OSPF routing is not seeing an OSPF neighbor on an attached network, perform the following tasks:

Make sure that both routers have been configured with the same IP mask, OSPF hello interval, and OSPF dead interval. Make sure that both neighbors are part of the same area type. In the following example line, the neighbor and this router are not part of a stub area (that is, one is a part of a transit area and the other is a part of a stub area, as explained in RFC 1247):
OSPF: hello packet with mismatched E bit

Related Commands
Command Description

debug ip pgm host

Displays information about each OSPF packet received.

debug ip ospf packet


To display information about each Open Shortest Path First (OSPF) packet received, use the debug ip ospf packet privileged EXEC command. The no form of this command disables debugging output. debug ip ospf packet no debug ip ospf packet

Syntax Description
This command has no arguments or keywords.

Examples
The following is sample output from the debug ip ospf packet command:
Router# debug ip ospf packet OSPF: rcv. v:2 t:1 l:48 rid:200.0.0.117 aid:0.0.0.0 chk:6AB2 aut:0 auk:

The debug ip ospf packet command produces one set of information for each packet received. The output varies slightly depending on which authentication is used. The following is sample output from the debug ip ospf packet command when MD5 authentication is used.
Router# debug ip ospf packet OSPF: rcv. v:2 t:1 l:48 rid:200.0.0.116 aid:0.0.0.0 chk:0 aut:2 keyid:1 seq:0x0

Table 84 describes the fields shown in the display. Table 84 debug ip ospf packet Field Descriptions Field v: OSPF version. Description

t:

OSPF packet type. Possible packet types follow:


1Hello 2Data description 3Link state request 4Link state update 5Link state acknowledgment

l:

OSPF packet length in bytes.

rid:

OSPF router ID.

aid:

OSPF area ID.

chk:

OSPF checksum.

aut:

OSPF authentication type. Possible authentication types follow:


0No authentication 1Simple password 2MD5

auk:

OSPF authentication key.

keyid:

MD5 key ID.

seq:

Sequence number.

Related Commands
Command debug ip ospf events Description Displays information on OSPF-related events, such as adjacencies, flooding information, designated router selection, and SPF calculation.

debug ip packet
To display general IP debugging information and IP security option (IPSO) security transactions, use the debug ip packet privileged EXEC command. The no form of this command disables debugging output. debug ip packet [access-list-number] no debug ip packet [access-list-number]

Syntax Description
access-listnumber (Optional) The IP access list number that you can specify. If the datagram is not permitted by that access list, the related debugging output is suppressed.

Usage Guidelines
If a communication session is closing when it should not be, an end-to-end connection problem can be the cause. The debug ip packet command is useful for analyzing the messages traveling between the local and remote hosts. IP debugging information includes packets received, generated, and forwarded. Fast-switched packets do not generate messages. IPSO security transactions include messages that describe the cause of failure each time a datagram fails a security test in the system. This information is also sent to the sending host when the router configuration allows it.

Caution Because the debug ip packet command generates a substantial amount of output, use it only when traffic on the IP network is low, so other activity on the system is not adversely affected.

Examples
The following is sample output from the debug ip packet command:
Router# debug ip packet IP: s=172.69.13.44 (Fddi0), d=10.125.254.1 (Serial2), g=172.69.16.2, forward IP: s=172.69.1.57 (Ethernet4), d=10.36.125.2 (Serial2), g=172.69.16.2, forward IP: s=172.69.1.6 (Ethernet4), d=255.255.255.255, rcvd 2 IP: s=172.69.1.55 (Ethernet4), d=172.69.2.42 (Fddi0), g=172.69.13.6, forward IP: s=172.69.89.33 (Ethernet2), d=10.130.2.156 (Serial2), g=172.69.16.2, forward

IP: s=172.69.1.27 (Ethernet4), d=172.69.43.126 (Fddi1), forward IP: s=172.69.1.27 (Ethernet4), d=172.69.43.126 (Fddi0), forward IP: s=172.69.20.32 (Ethernet2), d=255.255.255.255, rcvd IP: s=172.69.1.57 (Ethernet4), d=10.36.125.2 (Serial2), access denied

g=172.69.23.5, g=172.69.13.6, 2 g=172.69.16.2,

The output shows two types of messages that the debug ip packet command can produce; the first line of output describes an IP packet that the router forwards, and the third line of output describes a packet that is destined for the router. In the third line of output, rcvd 2 indicates that the router decided to receive the packet. Table 86 describes the fields shown in the first line. Table 86 debug ip packet Field Descriptions Field IP: Description Indicates that this is an IP packet.

s=172.69.13.44 (Fddi0)

Indicates the source address of the packet and the name of the interface that received the packet.

d=10.125.254.1 (Serial2)

Indicates the destination address of the packet and the name of the interface (in this case, S2) through which the packet is being sent out on the network.

g=172.69.16.2

Indicates the address of the next hop gateway.

forward

Indicates that the router is forwarding the packet. If a filter denies a packet, "access denied" replaces "forward," as shown in the last line of output.

The calculation on whether to send a security error message can be somewhat confusing. It depends upon both the security label in the datagram and the label of the incoming interface. First, the label contained in the datagram is examined for anything obviously wrong. If nothing is wrong, assume the datagram to be correct. If something is wrong, the datagram is treated as unclassified genser. Then the label is compared with the interface range, and the appropriate action is taken, as Table 87 describes.

Table 87 Security Actions Classification Too low Authorities Too low Good Too high Action Taken No Response No Response No Response

In range

Too low Good Too high

No Response Accept Send Error

Too high

Too low In range Too high

No Response Send Error Send Error

The security code can only generate a few types of ICMP error messages. The only possible error messages and their meanings follow:

ICMP Parameter problem, code 0Error at pointer ICMP Parameter problem, code 1Missing option ICMP Parameter problem, code 2See Note that follows ICMP Unreachable, code 10Administratively prohibited

Note The message "ICMP Parameter problem, code 2" identifies a specific error that occurs in the processing of a datagram. This message indicates that the router received a datagram containing a maximum length IP header but no security option. After being processed and routed to another interface, it is discovered that the outgoing interface is marked with "add a security label." Because the IP header is already full, the system cannot add a label and must drop the datagram and return an error message.

When an IP packet is rejected due to an IP security failure, an audit message is sent via DNSIX NAT. Also, any debug ip packet output is appended to include a description of the reason for rejection. This description can be any of the following:

No basic No basic, no response Reserved class Reserved class, no response Class too low, no response Class too high Class too high, bad authorities, no response Unrecognized class Unrecognized class, no response Multiple basic Multiple basic, no response Authority too low, no response Authority too high Compartment bits not dominated by maximum sensitivity level Compartment bits do not dominate minimum sensitivity level Security failure: extended security disallowed NLESO source appeared twice ESO source not found Postroute, failed xfc out No room to add IPSO

debug ip rip
To display information on RIP routing transactions, use the debug ip rip privileged EXEC command. The no form of this command disables debugging output. debug ip rip no debug ip rip

Syntax Description
This command has no arguments or keywords.

Examples
The following is sample output from the debug ip rip command:

The output shows that the router being debugged has received updates from one router at source address 160.89.80.28. That router sent information about five destinations in the routing table update. Notice that the fourth destination address in the update131.108.0.0is inaccessible because it is more than 15 hops away from the router sending the update. The router being debugged also sent updates, in both cases to broadcast address 255.255.255.255 as the destination. The second line is an example of a routing table update. It shows how many hops a given Internet address is from the router. The entries show that the router is sending updates that are similar, except that the number in parentheses is the source address encapsulated into the IP header. Examples of additional output that the debug ip rip command can generate follow.

Entries such as the following appear at startup or when an event occurs such as an interface making a transition or a user manually clearing the routing table:
RIP: broadcasting general request on Ethernet0 RIP: broadcasting general request on Ethernet1

An entry such as the following is most likely caused by a malformed packet from the sender:
RIP: bad version 128 from 160.89.80.43

debug ip routing
To display information on Routing Information Protocol (RIP) routing table updates and route cache updates, use the debug ip routing privileged EXEC command. The no form of this command disables debugging output. debug ip routing no debug ip routing

Syntax Description
This command has no arguments or keywords.

Examples
The following is sample output from the debug ip routing command:
Router# debug ip routing RT: add 172.25.168.0 255.255.255.0 via 172.24.76.30, igrp metric [100/3020] RT: metric change to 172.25.168.0 via 172.24.76.30, igrp metric [100/3020] new metric [100/2930] IP: cache invalidation from 0x115248 0x1378A, new version 5736 RT: add 172.26.219.0 255.255.255.0 via 172.24.76.30, igrp metric [100/16200] RT: metric change to 172.26.219.0 via 172.24.76.30, igrp metric [100/16200] new metric [100/10816] RT: delete route to 172.26.219.0 via 172.24.76.30, igrp metric [100/10816] RT: no routes to 172.26.219.0, entering holddown IP: cache invalidation from 0x115248 0x1378A, new version 5737 RT: 172.26.219.0 came out of holddown RT: garbage collecting entry for 172.26.219.0 IP: cache invalidation from 0x115248 0x1378A, new version 5738 RT: add 172.26.219.0 255.255.255.0 via 172.24.76.30, igrp metric [100/10816] RT: delete route to 172.26.219.0 via 172.24.76.30, igrp metric [100/10816] RT: no routes to 172.26.219.0, entering holddown IP: cache invalidation from 0x115248 0x1378A, new version 5739 RT: 172.26.219.0 came out of holddown RT: garbage collecting entry for 172.26.219.0 IP: cache invalidation from 0x115248 0x1378A, new version 5740 RT: add 172.26.219.0 255.255.255.0 via 172.24.76.30, igrp metric [100/16200] RT: metric change to 172.26.219.0 via 172.24.76.30, igrp metric [100/16200] new metric [100/10816] RT: delete route to 172.26.219.0 via 172.24.76.30, igrp metric [100/10816] RT: no routes to 172.26.219.0, entering holddown IP: cache invalidation from 0x115248 0x1378A, new version 5741

In the following lines, a newly created entry has been added to the IP routing table. The "metric change" indicates that this entry existed previously, but its metric changed and the change was reported by means of IGRP. The metric could also be reported via RIP, OSPF, or another IP routing protocol. The

numbers inside the brackets report the administrative distance and the actual metric.
RT: add 172.25.168.0 255.255.255.0 via 172.24.76.30, igrp metric [100/3020] RT: metric change to 172.25.168.0 via 172.24.76.30, igrp metric [100/3020] new metric [100/2930] IP: cache invalidation from 0x115248 0x1378A, new version 5736

"Cache invalidation" means that the fast-switching cache was invalidated due to a routing table change. "New version" is the version number of the routing table. When the routing table changes, this number is incriminated. The hexadecimal numbers are internal numbers that vary from version to version and software load to software load. In the following output, the "holddown" and "cache invalidation" lines are displayed. Most of the distance vector routing protocols use "holddown" to avoid typical problems like counting to infinity and routing loops. If you look at the output of the show ip protocols command you will see the timer values for "holddown" and "cache invalidation." "Cache invalidation" corresponds to "came out of holddown." "Delete route" is triggered when a better path comes along. It removes the old inferior path.
RT: RT: IP: RT: delete route to 172.26.219.0 via 172.24.76.30, igrp metric [100/10816] no routes to 172.26.219.0, entering holddown cache invalidation from 0x115248 0x1378A, new version 5737 172.26.219.0 came out of holddown

debug ip security
To display IP security option processing, use the debug ip security privileged EXEC command. The no form of this command disables debugging output. debug ip security no debug ip security

Syntax Description
This command has no arguments or keywords.

Usage Guidelines
The debug ip security command displays information for both basic and extended IP security options. For interfaces where ip security is configured, each IP packet processed for that interface results in debugging output regardless of whether the packet contains IP security options. IP packets processed for other interfaces that also contain IP security information also trigger debugging output. Some additional IP security debugging information is also controlled by the debug ip packet privileged EXEC command.

Caution Because the debug ip security command generates a substantial amount of output for every IP packet processed, use it only when traffic on the IP network is low, so other activity on the system is not adversely affected.

Examples
The following is sample output from the debug ip security command:
Router# debug ip security IP Security: 172.24.72.52 dst 172.24.72.53, number of BSO 1 idb: NULL pak: insert (0xFF) 0x0 IP Security: BSO postroute: SECINSERT changed to secret (0x5A) 0x10 IP Security: 172.24.72.53 dst 172.24.72.52, number of BSO 1 idb: secret (0x6) 0x10 to secret (0x6) 0x10, no implicit def secret (0x6) 0x10 pak: secret (0x5A) 0x10 IP Security: checking BSO 0x10 against [0x10 0x10] IP Security: classified BSO as secret (0x5A) 0x10

Table 92 describes significant fields shown in the output. Table 92 debug ip security Field Descriptions Field number of Description Indicates the number of basic security options found in the

BSO idb

packet. Provides information on the security configuration for the incoming interface. Provides information on the security classification of the incoming packet. Indicates the source IP address.

pak

dst

Indicates the destination IP address.

The following line indicates that the packet was locally generated, and it has been classified with the internally significant security level "insert" (0xff) and authority information of 0x0:
idb: NULL pak: insert (0xff) 0x0

The following line indicates that the packet was received via an interface with dedicated IP security configured. Specifically, the interface is configured at security level "secret" and with authority information of 0x0. The packet itself was classified at level "secret" (0x5a) and authority information of 0x10.
idb: secret (0x6) 0x10 to secret (0x6) 0x10, no implicit def secret (0x6) 0x10 pak: secret (0x5A) 0x10

debug ip ssh
To display debug messages for Secure Shell (SSH), use the debug ip ssh EXEC command. To disable debugging output, use the no form of the command. debug ip ssh no debug ip ssh

Syntax Description
This command has no arguments or keywords.

Defaults
Debugging for SSH is not enabled.

Command History
Release 12.0(5)S Modification This command was introduced.

12.1(1)T

This command was integrated into Cisco IOS Release 12.1 T.

Usage Guidelines
Use the debug ssh command to ensure normal operation of the SSH server.

Examples
The following example shows the SSH debugging output:
Router# debug ssh 00:53:46: SSH0: starting SSH control process 00:53:46: SSH0: Exchanging versions - SSH-1.5-Cisco-1.25 00:53:46: SSH0: client version is - SSH-1.5-1.2.25 00:53:46: SSH0: SSH_SMSG_PUBLIC_KEY message sent 00:53:46: SSH0: SSH_CMSG_SESSION_KEY message received 00:53:47: SSH0: keys exchanged and encryption on 00:53:47: SSH0: authentication request for userid guest 00:53:47: SSH0: authentication successful for jcisco 00:53:47: SSH0: starting exec shell

debug ip tcp intercept


To display TCP intercept statistics, use the debug ip tcp intercept privileged EXEC command. The no form of this command disables debugging output. debug ip tcp intercept no debug ip tcp intercept

Syntax Description
This command has no arguments or keywords.

Examples
Figure 4 illustrates a scenario in which a router configured with TCP intercept operates between a client and a server.

Figure 4 Example TCP Intercept Environment

The following is sample output from the debug ip tcp intercept command:
Router# debug ip tcp intercept

A connection attempt arrives:


INTERCEPT: new connection (172.19.160.17:61774) => (10.1.1.30:23) INTERCEPT: 172.19.160.17:61774 <- ACK+SYN (10.1.1.30:61774)

A second connection attempt arrives:


INTERCEPT: new connection (172.19.160.17:62030) => (10.1.1.30:23) INTERCEPT: 172.19.160.17:62030 <- ACK+SYN (10.1.1.30:62030)

The router re-sends to both apparent clients:


INTERCEPT: retransmit 2 (172.19.160.17:61774) <- (10.1.1.30:23) SYNRCVD INTERCEPT: retransmit 2 (172.19.160.17:62030) <- (10.1.1.30:23) SYNRCVD

A third connection attempt arrives:


INTERCEPT: new connection (171.69.232.23:1048) => (10.1.1.30:23) INTERCEPT: 171.69.232.23:1048 <- ACK+SYN (10.1.1.30:1048)

The router sends more retransmissions trying to establish connections with the apparent clients:
INTERCEPT: retransmit 4 (172.19.160.17:61774) <- (10.1.1.30:23) SYNRCVD INTERCEPT: retransmit 4 (172.19.160.17:62030) <- (10.1.1.30:23) SYNRCVD INTERCEPT: retransmit 2 (171.69.232.23:1048) <- (10.1.1.30:23) SYNRCVD

The router establishes the connection with the third client and re-sends to the server:
INTERCEPT: 1st half of connection is established (171.69.232.23:1048) => (10.1.1.30:23) INTERCEPT: (171.69.232.23:1048) SYN -> 10.1.1.30:23 INTERCEPT: retransmit 2 (171.69.232.23:1048) -> (10.1.1.30:23) SYNSENT

The server responds; the connection is established:


INTERCEPT: 2nd half of connection established (171.69.232.23:1048) => (10.1.1.30:23) INTERCEPT: (171.69.232.23:1048) ACK -> 10.1.1.30:23

The router re-sends to the first two apparent clients, times out, and sends resets:
INTERCEPT: INTERCEPT: INTERCEPT: INTERCEPT: INTERCEPT: SYNRCVD INTERCEPT: INTERCEPT: SYNRCVD INTERCEPT: retransmit 8 (172.19.160.17:61774) <- (10.1.1.30:23) SYNRCVD retransmit 8 (172.19.160.17:62030) <- (10.1.1.30:23) SYNRCVD retransmit 16 (172.19.160.17:61774) <- (10.1.1.30:23) SYNRCVD retransmit 16 (172.19.160.17:62030) <- (10.1.1.30:23) SYNRCVD retransmitting too long (172.19.160.17:61774) => (10.1.1.30:23) 172.19.160.17:61774 <- RST (10.1.1.30:23) retransmitting too long (172.19.160.17:62030) => (10.1.1.30:23) 172.19.160.17:62030 <- RST (10.1.1.30:23)

debug ip tcp transactions


To display information on significant TCP transactions such as state changes, retransmissions, and duplicate packets, use the debug ip tcp transactions privileged EXEC command. The no form of this command disables debugging output. debug ip tcp transactions no debug ip tcp transactions

Syntax Description
This command has no arguments or keywords.

Usage Guidelines
This command is particularly useful for debugging a performance problem on a TCP/IP network that you have isolated above the data link layer. The debug ip tcp transactions command displays output for packets the router sends and receives, but does not display output for packets it forwards.

Examples
The following is sample output from the debug ip tcp transactions command:
Router# debug ip tcp transactions TCP: sending SYN, seq 168108, ack 88655553 TCP0: Connection to 10.9.0.13:22530, advertising MSS 966 TCP0: state was LISTEN -> SYNRCVD [23 -> 10.9.0.13(22530)] TCP0: state was SYNSENT -> SYNRCVD [23 -> 10.9.0.13(22530)] TCP0: Connection to 10.9.0.13:22530, received MSS 956 TCP0: restart retransmission in 5996 TCP0: state was SYNRCVD -> ESTAB [23 -> 10.9.0.13(22530)] TCP2: restart retransmission in 10689 TCP2: restart retransmission in 10641 TCP2: restart retransmission in 10633 TCP2: restart retransmission in 13384 -> 10.0.0.13(16151)] TCP0: restart retransmission in 5996 [23 -> 10.0.0.13(16151)]

Table 96 describes the significant fields shown in the display. Table 96 debug ip tcp transactions Field Descriptions Field TCP: sending SYN Description Indicates that this is a TCP transaction. Indicates that a synchronize packet is being sent.

seq 168108 ack 88655553

Indicates the sequence number of the data being sent. Indicates the sequence number of the data being acknowledged. Indicates the TTY number (0, in this case) with which this TCP connection is associated. Indicates the remote address with which a connection has been established.

TCP0:

Connection to 10.9.0.13:22530

advertising MSS 966 Indicates the maximum segment size this side of the TCP connection is offering to the other side. state was LISTEN -> Indicates that the TCP state machine changed state from SYNRCVD LISTEN to SYNSENT. Possible TCP states follow:

CLOSEDConnection closed. CLOSEWAITReceived a FIN segment. CLOSINGReceived a FIN/ACK segment. ESTABConnection established. FINWAIT 1Sent a FIN segment to start closing the connection. FINWAIT 2Waiting for a FIN segment. LASTACKSent a FIN segment in response to a received FIN segment. LISTENListening for a connection request. SYNRCVDReceived a SYN segment, and responded. SYNSENTSent a SYN segment to start connection negotiation. TIMEWAITWaiting for network to clear segments for this connection before the network no longer recognizes the connection as valid. This must occur before a new connection can be set up.

[23 -> 10.9.0.13(22530)]

The element within these brackets are as follows:


The first field (23) indicates local TCP port. The second field (10.9.0.13) indicates the destination IP address. The third field (22530) indicates the destination TCP port.

restart

retransmission in 5996

debug ip trigger-authentication
To display information related to automated double authentication, use the debug ip trigger-authentication privileged EXEC command. The no form of this command disables debugging output. debug ip trigger-authentication [verbose] no debug ip trigger-authentication [verbose]

Syntax Description
verbose (Optional) Specifies that the complete debugging output be displayed, including information about packets that are blocked before authentication is complete.

Usage Guidelines
Use this command when troubleshooting automated double authentication. This command displays information about the remote host table. Whenever entries are added, updated, or removed, a new debugging message is displayed. What is the remote host table? Whenever a remote user needs to be userauthenticated in the second stage of automated double authentication, the local device sends a UDP packet to the host of the remote user. Whenever such a UDP packet is sent, the host IP address of the user is added to a table. If additional UDP packets are sent to the same remote host, a new table entry is not created; instead, the existing entry is updated with a new time stamp. This remote host table contains a cumulative list of host entries; entries are deleted after a timeout period or after you manually clear the table using the clear ip trigger-authentication command. If you include the verbose keyword, the debugging output also includes information about packet activity.

Examples
The following is sample output from the debug ip trigger-authentication command. In this example, the local device at 172.21.127.186 sends a UDP packet to the remote host at 172.21.127.114. The UDP packet is sent to request the remote user's username and password (or PIN). (The output indicates "New entry added.")

After a timeout period, the local device has not received a valid response from the remote host, so the local device sends another UDP packet. (The output indicates "Time stamp updated.") Then the remote user is authenticated, and after a length of time (the timeout period) the entry is removed from the remote host table. (The output indicates "remove obsolete entry.")
myfirewall# debug ip trigger-authentication TRIGGER_AUTH: UDP sent from 172.21.127.186 to 172.21.127.114, qdata=7C2504 New entry added, timestamp=2940514234 TRIGGER_AUTH: UDP sent from 172.21.127.186 to 172.21.127.114, qdata=7C2504 Time stamp updated, timestamp=2940514307 TRIGGER_AUTH: remove obsolete entry, remote host=172.21.127.114

The following is sample output from the debug ip trigger-authentication verbose command. In this example, messages about packet activity are included because of the use of the verbose keyword. You can see many packets that are being blocked at the interface because the user has not yet been double authenticated. These packets will be permitted through the interface only after the user has been double authenticated. (You can see packets being blocked when the output indicates "packet enqueued" then "packet ignored.")
TRIGGER_AUTH: packet enqueued, qdata=69FEEC remote host=172.21.127.113, local host=172.21.127.186 (if: 0.0.0.0) TRIGGER_AUTH: UDP sent from 172.21.127.186 to 172.21.127.113, qdata=69FEEC Time stamp updated TRIGGER_AUTH: packet enqueued, qdata=69FEEC remote host=172.21.127.113, local host=172.21.127.186 (if: 0.0.0.0) TRIGGER_AUTH: packet ignored, qdata=69FEEC TRIGGER_AUTH: packet enqueued, qdata=69FEEC remote host=172.21.127.113, local host=172.21.127.186 (if: 0.0.0.0) TRIGGER_AUTH: packet ignored, qdata=69FEEC TRIGGER_AUTH: packet enqueued, qdata=69FEEC remote host=172.21.127.113, local host=172.21.127.186 (if: 0.0.0.0) TRIGGER_AUTH: UDP sent from 172.21.127.186 to 172.21.127.113, qdata=69FEEC Time stamp updated TRIGGER_AUTH: packet enqueued, qdata=69FEEC remote host=172.21.127.113, local host=172.21.127.186 (if: 0.0.0.0) TRIGGER_AUTH: packet ignored, qdata=69FEEC TRIGGER_AUTH: packet enqueued, qdata=69FEEC remote host=172.21.127.113, local host=172.21.127.186 (if: 0.0.0.0) TRIGGER_AUTH: packet ignored, qdata=69FEEC

debug ip udp
To enable logging of User Datagram Protocol (UDP) packets sent and received, use the debug ip udp privileged EXEC command. To disable debugging output, use the no form of this command. debug ip udp no debug ip udp

Syntax Description
This command has no arguments or keywords.

Usage Guidelines
Enter the debug ip udp command on the device that should be receiving packets from the host. Check the debugging output to see whether packets are being received from the host.

Caution The debug ip udp command can use considerable CPU cycles on the device. Do not enable it if your network is heavily congested.

Examples
The following is sample output from the debug ip udp command:
Router# debug ip udp UDP packet debugging is on Router# 00:18:48: UDP: rcvd src=0.0.0.0(68), dst=255.255.255.255(67), length=584 00:18:48: UDP: sent src=10.1.1.10(67), dst=172.17.110.136(67), length=604 00:18:48: UDP: rcvd src=172.17.110.136(67), dst=10.1.1.10(67), length=308 00:18:48: UDP: sent src=0.0.0.0(67), dst=255.255.255.255(68), length=328 00:18:48: UDP: rcvd src=0.0.0.0(68), dst=255.255.255.255(67), length=584 00:18:48: UDP: sent src=10.1.1.10(67), dst=172.17.110.136(67), length=604 00:18:48: UDP: rcvd src=172.17.110.136(67), dst=10.1.1.10(67), length=308 00:18:50: UDP: sent src=0.0.0.0(67), dst=255.255.255.255(68), length=328

debug kerberos
To display information associated with the Kerberos Authentication Subsystem, use the debug kerberos privileged EXEC command. The no form of this command disables debugging output. debug kerberos no debug kerberos

Syntax Description
This command has no arguments or keywords.

Usage Guidelines
Kerberos is a security system that authenticates users and services without passing a cleartext password over the network. Cisco supports Kerberos under the authentication, authorization, and accounting (AAA) security system. Use the debug aaa authentication command to get a high-level view of login activity. When Kerberos is used on the router, you can use the debug kerberos command for more detailed debugging information.

Examples
The following is part of the sample output from the debug aaa authentication command for a Kerberos login attempt that failed. The information indicates that Kerberos is the authentication method used.
Router# debug aaa authentication AAA/AUTHEN/START (116852612): Method=KRB5 AAA/AUTHEN (116852612): status = GETUSER AAA/AUTHEN/CONT (116852612): continue_login AAA/AUTHEN (116852612): status = GETUSER AAA/AUTHEN (116852612): Method=KRB5 AAA/AUTHEN (116852612): status = GETPASS AAA/AUTHEN/CONT (116852612): continue_login AAA/AUTHEN (116852612): status = GETPASS AAA/AUTHEN (116852612): Method=KRB5 AAA/AUTHEN (116852612): password incorrect AAA/AUTHEN (116852612): status = FAIL

The following is sample output from the debug kerberos command for a login attempt that was successful. The information indicates that the router sent a request to the KDC and received a valid credential.
Router# debug kerberos Kerberos: Requesting TGT with expiration date of 820911631 Kerberos: Sent TGT request to KDC Kerberos: Received TGT reply from KDC Kerberos: Received valid credential with endtime of 820911631

The following is sample output from the debug kerberos command for a login attempt that failed. The information indicates that the router sent a request to the KDC and received a reply, but the reply did not contain a valid credential.
Router# debug kerberos Kerberos: Requesting TGT with expiration date of 820911731 Kerberos: Sent TGT request to KDC Kerberos: Received TGT reply from KDC Kerberos: Received invalid credential. AAA/AUTHEN (425003829): password incorrect

The following output shows other failure messages you might see that indicate a configuration problem. The first message indicates that the router failed to find the default Kerberos realm, therefore the process failed to build a message to send to the KDC. The second message indicates that the router failed to retrieve its own IP address. The third message indicates that the router failed to retrieve the current time. The fourth message indicates the router failed to find or create a credentials cache for a user, which is usually caused by low memory availability.
Router# debug kerberos Kerberos: authentication Kerberos: authentication Kerberos: authentication Kerberos: authentication failed failed failed failed when parsing name while getting my address while getting time of day while allocating credentials cache

Related Commands
Command debug aaa authentication Description Displays information on accountable events as they occur.

debug list
To filter debugging information on a per-interface or per-access list basis, use the debug list privileged EXEC command. The no form of this command turns off the list filter. debug list [list] [interface] no debug list [list] [interface]

Syntax Description
list (Optional) An access list number in the range from 1100 to 1199.

interface

(Optional) The nterface type. Allowed values are the following:


channelIBM Channel interface ethernetIEEE 802.3 fddiANSI X3T9.5 nullNull interface serialSerial tokenringIEEE 802.5 tunnelTunnel interface

Usage Guidelines
The debug list command is used with other debug commands for specific protocols and interfaces to filter the amount of debug information that is displayed. In particular, this command is designed to filter specific physical unit (PU) output from bridging protocols. The debug list command is supported with the following commands:

debug llc2 errors debug llc2 packets debug llc2 state debug rif debug sdlc debug token ring

Note All debug commands that support access list filtering use access lists in the range from 1100 to 1199. The access list numbers shown in the examples are merely samples of valid numbers.

Examples
To use the debug list command on only the first of several LLC2 connections, use the show llc2 command to display the active connections:
Router# show llc2 SdllcVirtualRing2008 DTE: 4000.2222.22c7 4000.1111.111c 04 04 state NORMAL SdllcVirtualRing2008 DTE: 4000.2222.22c8 4000.1111.1120 04 04 state NORMAL SdllcVirtualRing2008 DTE: 4000.2222.22c1 4000.1111.1104 04 04 state NORMAL

Next, configure an extended bridging access list, numbered 1103, for the connection you want to filter:
access-list 1103 permit 4000.1111.111c 0000.0000.0000 4000.2222.22c7 0000.0000.0000 0xC 2 eq 0x404

The convention for the LLC debug list command filtering is to use dmac = 6 bytes, smac = 6 bytes, dsap_offset = 12, and ssap_offset = 13. Finally, you invoke the following debug commands:
Router# debug list 1103 Router# debug llc2 packet LLC2 Packets debugging is on for access list: 1103

To use the debug list command for SDLC connections, with the exception of address 04, create access list 1102 to deny the specific address and permit all others:
access-list 1102 deny 0000.0000.0000 0000.0000.0000 0000.0000.0000 0000.0000.0000 0xC 1 eq 0x4 access-list 1102 permit 0000.0000.0000 0000.0000.0000 0000.0000.0000 0000.0000.0000

The convention is to use dmac = 0.0.0, smac = 0.0.0, and sdlc_frame_offset = 12. Invoke the following debug commands:
Router# debug list 1102 Router# debug sdlc SDLC link debugging is on for access list: 1102

To enable SDLC debugging (or debugging for any of the other supported protocols) for a specific interface rather than for all interfaces on a router, use the following commands:
Router# debug list serial 0 Router# debug sdlc SDLC link debugging is on for interface: Serial0

To enable Token Ring debugging between two MAC address, 0000.3018.4acd and 0000.30e0.8250, configure an extended bridging access list 1106:
access-list 1106 permit 0000.3018.4acd 8000.0000.0000 0000.30e0.8250 8000.0000.0000 access-list 1106 permit 0000.30e0.8250 8000.0000.0000 0000.3018.4acd 8000.0000.0000

Invoke the following debug commands:


Router# debug list 1106 Router# debug token ring Token Ring Interface debugging is on for access list: 1106

To enable RIF debugging for a single MAC address, configure an access list 1109:
access-list 1109 permit permit 0000.0000.0000 ffff.ffff.ffff 4000.2222.22c6 0000.0000.0000

Invoke the following debug commands:


Router# debug list 1109 Router# debug rif RIF update debugging is on for access list: 1109

Related Commands
Command debug llc2 errors Description Displays LLC2 protocol error conditions or unexpected input.

debug llc2 packet

Displays all input and output from the LLC2 protocol stack.

debug llc2 state

Displays state transitions of the LLC2 protocol.

debug rif

Displays information on entries entering and leaving the RIF cache.

debug rtsp

Displays information on SDLC frames received and sent by any router serial interface involved in supporting SDLC end

station functions.

debug token ring

Displays messages about Token Ring interface activity.

debug netbios packet


To display general information about NetBIOS packets, use the debug netbios packet privileged EXEC command. The no form of this command disables debugging output. debug netbios packet no debug netbios packet

Syntax Description
This command has no arguments or keywords.

Usage Guidelines
For complete information on the NetBIOS process, use the debug netbios error command along with the debug netbios packet command.

Examples
The following is sample output from the debug netbios packet and debug netbios error commands. This example shows the LLC header for an asynchronous interface followed by the NetBIOS information. For additional information on the NetBIOS fields, refer to IBM LAN Technical Reference IEEE 802.2.
Router# debug netbios packet Async1 (i) U-format UI C_R=0x0 (i) NETBIOS_ADD_NAME_QUERY Resp_correlator= 0x6F 0x0 name=CS-NT-1 Async1 (i) U-format UI C_R=0x0 (i) NETBIOS_ADD_GROUP_QUERY Resp_correlator= 0x6F 0x0 name=COMMSERVER-WG Async1 (i) U-format UI C_R=0x0 (i) NETBIOS_ADD_NAME_QUERY Resp_correlator= 0x6F 0x0 name=CS-NT-1 Ethernet0 (i) U-format UI C_R=0x0 (i) NETBIOS_DATAGRAM Length= 0x2C 0x0 Dest name=COMMSERVER-WG name=CS-NT-3

Related Commands
Command Description

debug netbios error

Displays information about NetBIOS protocol errors.

debug netbios-namecache

Displays name caching activities on a router.

debug ntp
To display debug messages for Network Time Protocol (NTP) features, use the debug ntp command. To stop the output of ntp debugging messages, use the no form of this command. debug ntp {adjust | authentication | events | loopfilter | packets | params | refclock | select | sync | validity} no debug ntp {adjust | authentication | events | loopfilter | packets | params | refclock | select | sync | validity}

Syntax Description
adjust Displays debugging information on NTP clock adjustments.

authentication

Displays debugging information on NTP authentication.

events

Displays debugging information on NTP events.

loopfilter

Displays debugging information on NTP loop filters.

packets

Displays debugging information on NTP packets.

params

Displays debugging information on NTP clock parameters.

refclock

Displays debugging information on NTP reference clocks.

select

Displays debugging information on NTP clock selection.

sync

Displays debugging information on NTP clock synchronization.

validity

Displays debugging information on NTP peer clock validity.

Defaults
Debug commands are disabled by default.

Command History
Release 12.0 T Modification This command was introduced in a release prior to Cisco IOS Release 12.1.

Related Commands
Command ntp refclock Description Configures an external clock source for use with NTP services.

debug packet
To display per-packet debugging output, use the debug packet privileged EXEC command. The no form of this command disables debugging output. debug packet [interface number [vcd vcd-number] | vc vpi/vci | vcname] no debug packet [interface number [vcd vcd-number] | vc vpi/vci | vcname]

Syntax Description
interface number (Optional) interface or subinterface number.

vcd vcd-number

(Optional) Number of the virtual circuit designator (VCD).

vc vpi/vci

(Optional) VPI and VCI numbers of the VC.

vc-name

(Optional) Name of the PVC or SVC.

Usage Guidelines
The debug packet command displays all process-level packets for both outbound and inbound packets. This command is useful for determining whether packets are being received and sent correctly. The output reports information online when a packet is received or a transmission is attempted. For sent packets, the information is displayed only after the protocol data unit (PDU) is entirely encapsulated and a next hop VC is found. If information is not displayed, the address translation probably failed during encapsulation. When a next hop VC is found, the packet is displayed exactly as it will be presented on the wire. Having a display indicates that the packets are properly encapsulated for transmission. For received packets, information is displayed for all incoming frames. The display can show whether the sending station properly encapsulates the frames. Because all incoming frames are displayed, this information is useful when performing back-to-back testing and corrupted frames cannot be dropped by an intermediary switch.

The debug packet command also displays the initial bytes of the actual PDU in hexadecimal. This information can be decoded only by qualified support or engineering personnel. Caution Because the debug packet command generates a substantial amount of output for every packet processed, use it only when traffic on the network is low, so other activity on the system is not adversely affected.

Examples
The following is sample output from the debug packet command:
Router# debug packet 2/0.5(I): VCD:0x9 VCI:0x23 Type:0x0 SAP:AAAA CTL:03 OUI:000000 TYPE:0800 Length0x70 4500 002E 0000 0000 0209 92ED 836C A26E FFFF FFFF 1108 006D 0001 0000 0000 A5CC 6CA2 0000 000A 0000 6411 76FF 0100 6C08 00FF FFFF 0003 E805 DCFF 0105

Table 133 describes the significant fields in the display.


Table 133 debug packet Field Descriptions

Field 2/0.5 (I) VCD: 0xn

Description Indicates the subinterface that generated this packet. Indicates a receive packet. (O) indicates an output packet. Indicates the virtual circuit associated with this packet, where n is some value. Indicates the descriptor mode bits on output only, where nnnn is a hexadecimal value. Displays the encapsulation type for this packet. Displays the total length of the packet including the headers.

DM: 0xnnnn TYPE:n Length:n

The following two lines of output are the binary data, which are the contents of the protocol PDU before encapsulation:
4500 002E 0000 0000 0209 92ED 836C A26E FFFF FFFF 1108 006D 0001 0000 0000 A5CC 6CA2 0000 000A 0000 6411 76FF 0100 6C08 00FF FFFF 0003 E805 DCFF 0105

The following is sample output from the debug packet command:


Router# debug packet Ethernet0: Unknown ARPA, 0000.0c00.6fa4, dst ffff.ffff.ffff, type 0x0a0 data 00000c00f23a00000c00ab45, len 60

Serial3: Serial2: Serial7: Serial0:

Unknown HDLC, size 64, type 0xaaaa, flags 0x0F00 Unknown PPP, size 128 Unknown FRAME-RELAY, size 174, type 0x5865, DLCI 7a compressed TCP/IP packet dropped

Table 134 describes the significant fields shown in the display.


Table 134 debug packet Field Descriptions

Field Ethernet0 Unknown

Description Name of the Ethernet interface that received the packet. Network could not classify this packet. Examples include packets with unknown link types. Packet uses ARPA-style encapsulation. Possible encapsulation styles vary depending on the media command mode (MCM) and encapsulation style. Ethernet (MCM)Encapsulation Style:

ARPA

APOLLO ARP ETHERTALK ISO1 ISO3 LLC2 NOVELL-ETHER SNAP

FDDI (MCM)Encapsulation Style:


APOLLO ISO1 ISO3 LLC2 SNAP

Frame RelayEncapsulation Style:


BRIDGE FRAME-RELAY

Serial (MCM)Encapsulation Style:


BFEX25 BRIDGE

DDN-X25 DDNX25-DCE ETHERTALK FRAME-RELAY HDLC HDH LAPB LAPBDCE MULTI-LAPB PPP SDLC-PRIMARY SDLC-SECONDARY SLIP SMDS STUN X25 X25-DCE

Token Ring (MCM)Encapsulation Style:


3COM-TR ISO1 ISO3 MAC LLC2 NOVELL-TR SNAP VINES-TR

0000.0c00.6fa4 dst.ffff.ffff.ffff type 0x0a0 data... len 60

MAC address of the node generating the packet. MAC address of the destination node for the packet. Packet type. First 12 bytes of the datagram following the MAC header. Length of the message (in bytes) that the interface received from the wire. Length of the message (in bytes) that the interface received from the wire. Equivalent to the len field.

size 64

flags 0x0F00 DLCI 7a compressed TCP/IP packet dropped

HDLC or PP flags field. The DLCI number on Frame Relay. TCP header compression is enabled on an interface and the packet is not HDLC or X25.

debug ppp
To display information on traffic and exchanges in an internetwork implementing the PPP, use the debug ppp privileged EXEC command. The no form of this command disables debugging output. debug ppp {packet | negotiation | error | authentication | compression | cbcp} no debug ppp {packet | negotiation | error | authentication | compression | cbcp}

Syntax Description
packet Displays PPP packets being sent and received. (This command displays low-level packet dumps.)

negotiation

Displays PPP packets sent during PPP startup, where PPP options are negotiated.

error

Displays protocol errors and error statistics associated with PPP connection negotiation and operation.

authentication

Displays authentication protocol messages, including Challenge Authentication Protocol (CHAP) packet exchanges and Password Authentication Protocol (PAP) exchanges.

compression

Displays information specific to the exchange of PPP connections using MPPC. This command is useful for obtaining incorrect packet sequence number information where MPPC compression is enabled.

cbcp

Displays protocol errors and statistics associated with PPP connection negotiations using MSCB.

Usage Guidelines
Use the debug ppp command when trying to find the following:

The Network Control Protocols (NCPs) that are supported on either end of a PPP connection Any loops that might exist in a PPP internetwork Nodes that are (or are not) properly negotiating PPP connections Errors that have occurred over the PPP connection Causes for CHAP session failures Causes for PAP session failures Information specific to the exchange of PPP connections using the Callback Control Protocol (CBCP), used by Microsoft clients Incorrect packet sequence number information where MPPC compression is enabled

Refer to Internet RFCs 1331, 1332, and 1333 for details concerning PPPrelated nomenclature and protocol information. Caution The debug ppp compression command is CPU-intensive and should be used with caution. This command should be disabled immediately after debugging.

Examples
The following is sample output from the debug ppp packet command as seen from the Link Quality Monitor (LQM) side of the connection. This display example depicts packet exchanges under normal PPP operation.
Router# debug ppp packet PPP Serial4(o): lcp_slqr() state PPP Serial4(i): pkt type 0xC025, PPP Serial4(i): lcp_rlqr() state PPP Serial4(i): pkt type 0xC021, PPP Serial4: I LCP ECHOREQ(9) id PPP Serial4: input(C021) state = PPP Serial4: O LCP ECHOREP(A) id PPP Serial4(o): lcp_slqr() state PPP Serial4(i): pkt type 0xC025, PPP Serial4(i): lcp_rlqr() state PPP Serial4(i): pkt type 0xC021, PPP Serial4: I LCP ECHOREQ(9) id PPP Serial4: input(C021) state = PPP Serial4: O LCP ECHOREP(A) id PPP Serial4(o): lcp_slqr() state PPP Serial4(i): pkt type 0xC025, PPP Serial4(i): lcp_rlqr() state PPP Serial4(i): pkt type 0xC021, PPP Serial4: I LCP ECHOREQ(9) id PPP Serial4: input(C021) state = PPP Serial4: O LCP ECHOREP(A) id PPP Serial4(o): lcp_slqr() state PPP Serial4(i): pkt type 0xC025, PPP Serial4(i): lcp_rlqr() state PPP Serial4(i): pkt type 0xC021, = OPEN magic = D21B4, len datagramsize 52 = OPEN magic = D3454, len datagramsize 16 3 (C) magic D3454 OPEN code = ECHOREQ(9) id 3 (C) magic D21B4 = OPEN magic = D21B4, len datagramsize 52 = OPEN magic = D3454, len datagramsize 16 4 (C) magic D3454 OPEN code = ECHOREQ(9) id 4 (C) magic D21B4 = OPEN magic = D21B4, len datagramsize 52 = OPEN magic = D3454, len datagramsize 16 5 (C) magic D3454 OPEN code = ECHOREQ(9) id 5 (C) magic D21B4 = OPEN magic = D21B4, len datagramsize 52 = OPEN magic = D3454, len datagramsize 16 = 48 = 48

= 3 len = 12 = 48 = 48

= 4 len = 12 = 48 = 48

= 5 len = 12 = 48 = 48

PPP PPP PPP PPP PPP PPP PPP PPP PPP PPP PPP

Serial4: I LCP ECHOREQ(9) id Serial4: input(C021) state = Serial4: O LCP ECHOREP(A) id Serial4(o): lcp_slqr() state Serial4(i): pkt type 0xC025, Serial4(i): lcp_rlqr() state Serial4(i): pkt type 0xC021, Serial4: I LCP ECHOREQ(9) id Serial4: input(C021) state = Serial4: O LCP ECHOREP(A) id Serial4(o): lcp_slqr() state

6 (C) magic D3454 OPEN code = ECHOREQ(9) id 6 (C) magic D21B4 = OPEN magic = D21B4, len datagramsize 52 = OPEN magic = D3454, len datagramsize 16 7 (C) magic D3454 OPEN code = ECHOREQ(9) id 7 (C) magic D21B4 = OPEN magic = D21B4, len

= 6 len = 12 = 48 = 48

= 7 len = 12 = 48

Table 140 describes the significant fields shown in the display.


Table 140 debug ppp packet Field Descriptions

Field PPP Serial4 (o), O (i), I lcp_slqr() PPP debugging output.

Description

Interface number associated with this debugging information. Packet was detected as an output packet. Packet was detected as an input packet. Procedure name; running LQM, send a Link Quality Report (LQR). Procedure name; running LQM, received an LQR. Router received a packet of the specified packet type (in hexadecimal notation). A value of C025 indicates packet of type LQM. PPP state; normal state is OPEN.

lcp_rlqr() input (C021)

state = OPEN

magic = D21B4 Magic Number for indicated node; when output is indicated, this is the Magic Number of the node on which debugging is enabled. The actual Magic Number depends on whether the packet detected is indicated as I or O. datagramsize 52 code = ECHOREQ(9) Packet length including header.

Identifies the type of packet received. Both forms of the packet, string and hexadecimal, are presented.

len = 48 id = 3 pkt type 0xC025 LCP ECHOREQ(9) LCP ECHOREP(A)

Packet length without header. ID number per Link Control Protocol (LCP) packet format. Packet type in hexadecimal notation; typical packet types are C025 for LQM and C021 for LCP. Echo Request; value in parentheses is the hexadecimal representation of the LCP type. Echo Reply; value in parentheses is the hexadecimal representation of the LCP type.

To elaborate on the displayed output, consider the partial exchange. This sequence shows that one side is using ECHO for its keepalives and the other side is using LQRs.
Router# debug ppp packet PPP Serial4(o): lcp_slqr() state PPP Serial4(i): pkt type 0xC025, PPP Serial4(i): lcp_rlqr() state PPP Serial4(i): pkt type 0xC021, PPP Serial4: I LCP ECHOREQ(9) id PPP Serial4: input(C021) state = PPP Serial4: O LCP ECHOREP(A) id PPP Serial4(o): lcp_slqr() state = OPEN magic = D21B4, len datagramsize 52 = OPEN magic = D3454, len datagramsize 16 3 (C) magic D3454 OPEN code = ECHOREQ(9) id 3 (C) magic D21B4 = OPEN magic = D21B4, len = 48 = 48

= 3 len = 12 = 48

The first line states that the router with debugging enabled has sent an LQR to the other side of the PPP connection:
PPP Serial4(o): lcp_slqr() state = OPEN magic = D21B4, len = 48

The next two lines indicate that the router has received a packet of type C025 (LQM) and provides details about the packet:
PPP Serial4(i): pkt type 0xC025, datagramsize 52 PPP Serial4(i): lcp_rlqr() state = OPEN magic = D3454, len = 48

The next two lines indicate that the router received an ECHOREQ of type C021 (LCP). The other side is sending ECHOs. The router on which debugging is configured for LQM but also responds to ECHOs.
PPP Serial4(i): pkt type 0xC021, datagramsize 16 PPP Serial4: I LCP ECHOREQ(9) id 3 (C) magic D3454

Next, the router is detected to have responded to the ECHOREQ with an ECHOREP and is preparing to send out an LQR:
PPP Serial4: O LCP ECHOREP(A) id 3 (C) magic D21B4 PPP Serial4(o): lcp_slqr() state = OPEN magic = D21B4, len = 48

The following is sample output from the debug ppp negotiation command. This is a normal negotiation, where both sides agree on Network Control

Program (NCP) parameters. In this case, protocol type IP is proposed and acknowledged.
Router# debug ppp negotiation ppp: sending CONFREQ, type = 4 (CI_QUALITYTYPE), value = C025/3E8 ppp: sending CONFREQ, type = 5 (CI_MAGICNUMBER), value = 3D56CAC ppp: received config for type = 4 (QUALITYTYPE) acked ppp: received config for type = 5 (MAGICNUMBER) value = 3D567F8 acked (ok) PPP Serial4: state = ACKSENT fsm_rconfack(C021): rcvd id 5 ppp: config ACK received, type = 4 (CI_QUALITYTYPE), value = C025 ppp: config ACK received, type = 5 (CI_MAGICNUMBER), value = 3D56CAC ppp: ipcp_reqci: returning CONFACK. (ok) PPP Serial4: state = ACKSENT fsm_rconfack(8021): rcvd id 4

Table 141 describes significant fields shown in the display.


Table 141 debug ppp Command Negotiation Field Descriptions

Field ppp sending CONFREQ type = 4 (CI_QUALITYTYPE)

Description PPP debugging output. Router sent a configuration request. Type of LCP configuration option that is being negotiated and a descriptor. A type value of 4 indicates Quality Protocol negotiation; a type value of 5 indicates Magic Number negotiation. For Quality Protocol negotiation, indicates NCP type and reporting period. In the example, C025 indicates LQM; 3E8 is a hexadecimal value translating to about 10 seconds (in hundredths of a second). For Magic Number negotiation, indicates the Magic Number being negotiated. Receiving node has received the proposed option negotiation for the indicated option type. Acknowledgment and acceptance of options. Specific PPP state in the negotiation process. IPCP notification message; sending CONFACK. Procedure fsm_rconfack processes received

value = C025/3E8

value = 3D56CAC

received config

acked state = ACKSENT ipcp_reqci fsm_rconfack (8021)

CONFACKs, and the protocol (8021) is IP. The first two lines indicate that the router is trying to bring up LCP and will use the indicated negotiation options (Quality Protocol and Magic Number). The value fields are the values of the options themselves. C025/3E8 translates to Quality Protocol LQM. 3E8 is the reporting period (in hundredths of a second). 3D56CAC is the value of the Magic Number for the router.
ppp: sending CONFREQ, type = 4 (CI_QUALITYTYPE), value = C025/3E8 ppp: sending CONFREQ, type = 5 (CI_MAGICNUMBER), value = 3D56CAC

The next two lines indicate that the other side negotiated for options 4 and 5 as requested and acknowledged both. If the responding end does not support the options, a CONFREJ is sent by the responding node. If the responding end does not accept the value of the option, a CONFNAK is sent with the value field modified.
ppp: received config for type = 4 (QUALITYTYPE) acked ppp: received config for type = 5 (MAGICNUMBER) value = 3D567F8 acked (ok)

The next three lines indicate that the router received a CONFACK from the responding side and displays accepted option values. Use the rcvd id field to verify that the CONFREQ and CONFACK have the same ID field.
PPP Serial4: state = ACKSENT fsm_rconfack(C021): rcvd id 5 ppp: config ACK received, type = 4 (CI_QUALITYTYPE), value = C025 ppp: config ACK received, type = 5 (CI_MAGICNUMBER), value = 3D56CAC

The next line indicates that the router has IP routing enabled on this interface and that the IPCP NCP negotiated successfully:
ppp: ipcp_reqci: returning CONFACK.

In the last line, the state of the router is listed as ACKSENT.


PPP Serial4: state = ACKSENT fsm_rconfack(C021): rcvd id 5\

The following is sample output from when the debug ppp packet and debug ppp negotiation commands are enabled at the same time.

The following is sample output from the debug ppp negotiation command when the remote side of the connection is unable to respond to LQM requests:
Router# debug ppp negotiation ppp: sending CONFREQ, type = 4 ppp: sending CONFREQ, type = 5 ppp: sending CONFREQ, type = 4 ppp: sending CONFREQ, type = 5 ppp: sending CONFREQ, type = 4 ppp: sending CONFREQ, type = 5 ppp: sending CONFREQ, type = 4 ppp: sending CONFREQ, type = 5 ppp: sending CONFREQ, type = 4 ppp: sending CONFREQ, type = 5 ppp: sending CONFREQ, type = 4 ppp: sending CONFREQ, type = 5 ppp: sending CONFREQ, type = 4 ppp: sending CONFREQ, type = 5 ppp: sending CONFREQ, type = 4 ppp: sending CONFREQ, type = 5 ppp: sending CONFREQ, type = 4 ppp: sending CONFREQ, type = 5 ppp: sending CONFREQ, type = 4 ppp: sending CONFREQ, type = 5 ppp: sending CONFREQ, type = 4 ppp: sending CONFREQ, type = 5 ppp: sending CONFREQ, type = 4 (CI_QUALITYTYPE), (CI_MAGICNUMBER), (CI_QUALITYTYPE), (CI_MAGICNUMBER), (CI_QUALITYTYPE), (CI_MAGICNUMBER), (CI_QUALITYTYPE), (CI_MAGICNUMBER), (CI_QUALITYTYPE), (CI_MAGICNUMBER), (CI_QUALITYTYPE), (CI_MAGICNUMBER), (CI_QUALITYTYPE), (CI_MAGICNUMBER), (CI_QUALITYTYPE), (CI_MAGICNUMBER), (CI_QUALITYTYPE), (CI_MAGICNUMBER), (CI_QUALITYTYPE), (CI_MAGICNUMBER), (CI_QUALITYTYPE), (CI_MAGICNUMBER), (CI_QUALITYTYPE), value value value value value value value value value value value value value value value value value value value value value value value = = = = = = = = = = = = = = = = = = = = = = = C025/3E8 44B7010 C025/3E8 44B7010 C025/3E8 44B7010 C025/3E8 44B7010 C025/3E8 44B7010 C025/3E8 44B7010 C025/3E8 44B7010 C025/3E8 44B7010 C025/3E8 44B7010 C025/3E8 44B7010 C025/3E8 44B7010 C025/3E8

ppp: sending CONFREQ, type = 5 (CI_MAGICNUMBER), value = 44C1488

The following is sample output when no response is detected for configuration requests (with both the debug ppp negotiation and debug ppp packet command enabled):
Router# debug ppp negotiation Router# debug ppp packet ppp: sending CONFREQ, type = 4 (CI_QUALITYTYPE), value = ppp: sending CONFREQ, type = 5 (CI_MAGICNUMBER), value = PPP Serial4: O LCP CONFREQ(1) id 14 (12) QUALITYTYPE (8) MAGICNUMBER (6) 4 77 253 200 ppp: TIMEout: Time= 44E0980 State= 3 ppp: sending CONFREQ, type = 4 (CI_QUALITYTYPE), value = ppp: sending CONFREQ, type = 5 (CI_MAGICNUMBER), value = PPP Serial4: O LCP CONFREQ(1) id 15 (12) QUALITYTYPE (8) MAGICNUMBER (6) 4 77 253 200 ppp: TIMEout: Time= 44E1828 State= 3 ppp: sending CONFREQ, type = 4 (CI_QUALITYTYPE), value = ppp: sending CONFREQ, type = 5 (CI_MAGICNUMBER), value = PPP Serial4: O LCP CONFREQ(1) id 16 (12) QUALITYTYPE (8) MAGICNUMBER (6) 4 77 253 200 ppp: TIMEout: Time= 44E27C8 State= 3 ppp: sending CONFREQ, type = 4 (CI_QUALITYTYPE), value = ppp: sending CONFREQ, type = 5 (CI_MAGICNUMBER), value = PPP Serial4: O LCP CONFREQ(1) id 17 (12) QUALITYTYPE (8) MAGICNUMBER (6) 4 77 253 200 ppp: TIMEout: Time= 44E3768 State= 3

C025/3E8 44DFDC8 192 37 0 0 3 232

C025/3E8 44DFDC8 192 37 0 0 3 232

C025/3E8 44DFDC8 192 37 0 0 3 232

C025/3E8 44DFDC8 192 37 0 0 3 232

The following is sample output from the debug ppp error command. These messages might appear when the Quality Protocol option is enabled on an interface that is already running PPP.
Router# debug ppp error PPP Serial3(i): rlqr receive failure. successes = 15 PPP: myrcvdiffp = 159 peerxmitdiffp = 41091 PPP: myrcvdiffo = 2183 peerxmitdiffo = 1714439 PPP: threshold = 25 PPP Serial4(i): rlqr transmit failure. successes = 15 PPP: myxmitdiffp = 41091 peerrcvdiffp = 159 PPP: myxmitdiffo = 1714439 peerrcvdiffo = 2183 PPP: l->OutLQRs = 1 LastOutLQRs = 1 PPP: threshold = 25 PPP Serial3(i): lqr_protrej() Stop sending LQRs. PPP Serial3(i): The link appears to be looped back.

Table 142 describes the significant fields shown in the display.


Table 142 debug ppp Error Field Descriptions

Field PPP Serial3(i) PPP debugging output.

Description

Interface number associated with this debugging information; indicates that this is an input packet. Request to negotiate the Quality Protocol option is not

rlqr receive

failure myrcvdiffp = 159

accepted. Number of packets received over the time period.

peerxmitdiffp = Number of packets sent by the remote node over this period. 41091 myrcvdiffo = 2183 Number of octets received over this period.

peerxmitdiffo = Number of octets sent by the remote node over this period. 1714439 threshold = 25 Maximum error percentage acceptable on this interface. This percentage is calculated by the threshold value entered in the ppp quality number interface configuration command. A value of 100 - number (100 minus number) is the maximum error percentage. In this case, a number of 75 was entered. This means that the local router must maintain a minimum 75 percent non-error percentage, or the PPP link will be considered down. OutLQRs = 1 Local router's current send LQR sequence number.

LastOutLQRs = The last sequence number that the remote node side has seen 1 from the local node. The following is sample output from the debug ppp authentication command. Use this debug command to determine why an authentication fails.
Router# debug ppp authentication Serial0: Unable to authenticate. No name received from peer Serial0: Unable to validate CHAP response. USERNAME pioneer not found. Serial0: Unable to validate CHAP response. No password defined for USERNAME pioneer Serial0: Failed CHAP authentication with remote. Remote message is Unknown name Serial0: remote passed CHAP authentication. Serial0: Passed CHAP authentication with remote. Serial0: CHAP input code = 4 id = 3 len = 48

In general, these messages are self-explanatory. Fields that can show optional output are outlined in Table 143.
Table 143 debug ppp authentication Field Descriptions

Field

Description

Serial0

Interface number associated with this debugging information and CHAP access session in question.

The name pioneer in this example is the name received in USERNAME pioneer not found. the CHAP response. The router looks up this name in the list of usernames that are configured for the router. Remote message is Unknown name The following messages can appear:

No name received to authenticate Unknown name No secret for given name Short MD5 response received MD compare failed

code = 4

Specific CHAP type packet detected. Possible values are as follows:


1Challenge 2Response 3Success 4Failure

id = 3 len = 48

ID number per LCP packet format. Packet length without header.

The following shows sample output from the debug ppp command using the cbcp keyword. This output depicts packet exchanges under normal PPP operation where the Cisco access server is waiting for the remote PC to respond to the MSCB request. The router also has debug ppp negotiation and service timestamps msec commands enabled.
Router# debug ppp cbcp Dec 17 00:48:11.302: As8 MCB: User mscb Callback Number - Client ANY Dec 17 00:48:11.306: Async8 PPP: O MCB Request(1) id 1 len 9 Dec 17 00:48:11.310: Async8 MCB: O 1 1 0 9 2 5 0 1 0 Dec 17 00:48:11.314: As8 MCB: O Request Id 1 Callback Type Client-Num delay 0 Dec 17 00:48:13.342: As8 MCB: Timeout in state WAIT_RESPONSE Dec 17 00:48:13.346: Async8 PPP: O MCB Request(1) id 2 len 9 Dec 17 00:48:13.346: Async8 MCB: O 1 2 0 9 2 5 0 1 0 Dec 17 00:48:13.350: As8 MCB: O Request Id 2 Callback Type Client-Num delay 0 Dec 17 00:48:15.370: As8 MCB: Timeout in state WAIT_RESPONSE Dec 17 00:48:15.374: Async8 PPP: O MCB Request(1) id 3 len 9 Dec 17 00:48:15.374: Async8 MCB: O 1 3 0 9 2 5 0 1 0

Dec 17 00:48:15.378: delay 0 Dec 17 00:48:17.398: Dec 17 00:48:17.402: Dec 17 00:48:17.406: Dec 17 00:48:17.406: delay 0 Dec 17 00:48:19.426: Dec 17 00:48:19.430: Dec 17 00:48:19.430: Dec 17 00:48:19.434: delay 0 Dec 17 00:48:21.454: Dec 17 00:48:21.458: Dec 17 00:48:21.462: Dec 17 00:48:21.462: delay 0 Dec 17 00:48:23.482: Dec 17 00:48:23.486: Dec 17 00:48:23.490: Dec 17 00:48:23.490: delay 0 Dec 17 00:48:25.510: Dec 17 00:48:25.514: Dec 17 00:48:25.514: Dec 17 00:48:25.518: delay 0 Dec 17 00:48:26.242: Dec 17 00:48:26.246: Dec 17 00:48:26.250: Dec 17 00:48:26.254: Dec 17 00:48:26.258: 2492613 Dec 17 00:48:26.262: Dec 17 00:48:26.266: Dec 17 00:48:26.270: Dec 17 00:48:26.270: Dec 17 00:48:26.390: Dec 17 00:48:26.390: Dec 17 00:48:26.394: Dec 17 00:48:26.402: Async

As8 MCB: O Request Id 3 Callback Type Client-Num As8 MCB: Timeout in state WAIT_RESPONSE Async8 PPP: O MCB Request(1) id 4 len 9 Async8 MCB: O 1 4 0 9 2 5 0 1 0 As8 MCB: O Request Id 4 Callback Type Client-Num As8 MCB: Timeout in state WAIT_RESPONSE Async8 PPP: O MCB Request(1) id 5 len 9 Async8 MCB: O 1 5 0 9 2 5 0 1 0 As8 MCB: O Request Id 5 Callback Type Client-Num As8 MCB: Timeout in state WAIT_RESPONSE Async8 PPP: O MCB Request(1) id 6 len 9 Async8 MCB: O 1 6 0 9 2 5 0 1 0 As8 MCB: O Request Id 6 Callback Type Client-Num As8 MCB: Timeout in state WAIT_RESPONSE Async8 PPP: O MCB Request(1) id 7 len 9 Async8 MCB: O 1 7 0 9 2 5 0 1 0 As8 MCB: O Request Id 7 Callback Type Client-Num As8 MCB: Timeout in state WAIT_RESPONSE Async8 PPP: O MCB Request(1) id 8 len 9 Async8 MCB: O 1 8 0 9 2 5 0 1 0 As8 MCB: O Request Id 8 Callback Type Client-Num As8 PPP: I pkt type 0xC029, datagramsize 18 Async8 PPP: I MCB Response(2) id 8 len 16 Async8 MCB: I 2 8 0 10 2 C C 1 32 34 39 32 36 31 33 0 As8 MCB: Received response As8 MCB: Response CBK-Client-Num 2 12 12, addr 1Async8 PPP: O MCB Ack(3) id 9 len 16 Async8 MCB: O 3 9 0 10 2 C C 1 32 34 39 32 36 31 33 0 As8 MCB: O Ack Id 9 Callback Type Client-Num delay 12 As8 MCB: Negotiated MCB with peer As8 LCP: I TERMREQ [Open] id 4 len 8 (0x00000000) As8 LCP: O TERMACK [Open] id 4 len 4 As8 MCB: Peer terminating the link As8 MCB: Initiate Callback for mscb at 2492613 using

The following is sample output from the debug ppp compression command with service timestamps enabled and shows a typical PPP packet exchange between the router and Microsoft client where the MPPC header sequence numbers increment correctly:
Router# debug ppp compression 00:04:14: BR0:1 MPPC: Decomp 00:04:14: BR0:1 MPPC: Decomp 00:04:14: BR0:1 MPPC: Decomp 00:04:14: BR0:1 MPPC: Decomp 00:04:14: BR0:1 MPPC: Decomp hdr/exp_cc# hdr/exp_cc# hdr/exp_cc# hdr/exp_cc# hdr/exp_cc# 0x2003/0x0003 0x2004/0x0004 0x2005/0x0005 0x2006/0x0006 0x2007/0x0007

Table 144 describes the fields for the debug ppp compression output.
Table 144 debug ppp compression Field Descriptions

Field interface

Description Interface enabled with MPPC.

Decomp - hdr/ Decompression header and bit settings. exp_cc# 0x2003 0x0003 Expected coherency count. Received sequence number. Expected sequence number.

The following shows sample output from debug ppp negotiation and debug ppp error commands, which can be used to troubleshoot initial PPP negotiation and setup errors. This example shows a virtual interface (virtual interface 1) during normal PPP operation and CCP negotiation.
Router# debug ppp negotiation error Vt1 PPP: Unsupported or un-negotiated protocol. Link arp VPDN: Chap authentication succeeded for p5200 Vi1 PPP: Phase is DOWN, Setup Vi1 VPDN: Virtual interface created for dinesh@cisco.com Vi1 VPDN: Set to Async interface Vi1 PPP: Phase is DOWN, Setup Vi1 VPDN: Clone from Vtemplate 1 filterPPP=0 blocking Vi1 CCP: Re-Syncing history using legacy method %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to up Vi1 PPP: Treating connection as a dedicated line Vi1 PPP: Phase is ESTABLISHING, Active Open Vi1 LCP: O CONFREQ [Closed] id 1 len 25 Vi1 LCP: ACCM 0x000A0000 (0x0206000A0000) Vi1 LCP: AuthProto CHAP (0x0305C22305) Vi1 LCP: MagicNumber 0x000FB69F (0x0506000FB69F) Vi1 LCP: PFC (0x0702) Vi1 LCP: ACFC (0x0802) Vi1 VPDN: Bind interface direction=2 Vi1 PPP: Treating connection as a dedicated line Vi1 LCP: I FORCED CONFREQ len 21 Vi1 LCP: ACCM 0x000A0000 (0x0206000A0000) Vi1 LCP: AuthProto CHAP (0x0305C22305) Vi1 LCP: MagicNumber 0x12A5E4B5 (0x050612A5E4B5) Vi1 LCP: PFC (0x0702) Vi1 LCP: ACFC (0x0802) Vi1 VPDN: PPP LCP accepted sent & rcv CONFACK Vi1 PPP: Phase is AUTHENTICATING, by this end Vi1 CHAP: O CHALLENGE id 1 len 27 from "l_4000" Vi1 CHAP: I RESPONSE id 20 len 37 from "dinesh@cisco.com" Vi1 CHAP: O SUCCESS id 20 len 4 Vi1 PPP: Phase is UP Vi1 IPCP: O CONFREQ [Closed] id 1 len 10 Vi1 IPCP: Address 15.2.2.3 (0x03060F020203) Vi1 CCP: O CONFREQ [Not negotiated] id 1 len 10 Vi1 CCP: MS-PPC supported bits 0x00000001 (0x120600000001) Vi1 IPCP: I CONFREQ [REQsent] id 1 len 34

Vi1 Vi1 Vi1 Vi1 Vi1 Vi1 Vi1 Vi1 Vi1 Vi1 Vi1 Vi1 Vi1 Vi1 Vi1 Vi1 Vi1 Vi1 Vi1 Vi1 Vi1 Vi1 Vi1 Vi1 Vi1 Vi1 Vi1 Vi1 Vi1 Vi1 Vi1 Vi1 Vi1 Vi1 Vi1 Vi1 Vi1 Vi1 Vi1 Vi1 Vi1 Vi1 Vi1

IPCP: Address 0.0.0.0 (0x030600000000) IPCP: PrimaryDNS 0.0.0.0 (0x810600000000) IPCP: PrimaryWINS 0.0.0.0 (0x820600000000) IPCP: SecondaryDNS 0.0.0.0 (0x830600000000) IPCP: SecondaryWINS 0.0.0.0 (0x840600000000) IPCP: Using the default pool IPCP: Pool returned 11.2.2.5 IPCP: O CONFREJ [REQsent] id 1 len 16 IPCP: PrimaryWINS 0.0.0.0 (0x820600000000) IPCP: SecondaryWINS 0.0.0.0 (0x840600000000) CCP: I CONFREQ [REQsent] id 1 len 15 CCP: MS-PPC supported bits 0x00000001 (0x120600000001) CCP: Stacker history 1 check mode EXTENDED (0x1105000104) CCP: Already accepted another CCP option, rejecting this STACKER CCP: O CONFREJ [REQsent] id 1 len 9 CCP: Stacker history 1 check mode EXTENDED (0x1105000104) IPCP: I CONFACK [REQsent] id 1 len 10 IPCP: Address 15.2.2.3 (0x03060F020203) CCP: I CONFACK [REQsent] id 1 len 10 CCP: MS-PPC supported bits 0x00000001 (0x120600000001) CCP: I CONFREQ [ACKrcvd] id 2 len 10 CCP: MS-PPC supported bits 0x00000001 (0x120600000001) CCP: O CONFACK [ACKrcvd] id 2 len 10 CCP: MS-PPC supported bits 0x00000001 (0x120600000001) CCP: State is Open IPCP: I CONFREQ [ACKrcvd] id 2 len 22 IPCP: Address 0.0.0.0 (0x030600000000) IPCP: PrimaryDNS 0.0.0.0 (0x810600000000) IPCP: SecondaryDNS 0.0.0.0 (0x830600000000) IPCP: O CONFNAK [ACKrcvd] id 2 len 22 IPCP: Address 11.2.2.5 (0x03060B020205) IPCP: PrimaryDNS 171.69.1.148 (0x8106AB450194) IPCP: SecondaryDNS 171.69.2.132 (0x8306AB450284) IPCP: I CONFREQ [ACKrcvd] id 3 len 22 IPCP: Address 11.2.2.5 (0x03060B020205) IPCP: PrimaryDNS 171.69.1.148 (0x8106AB450194) IPCP: SecondaryDNS 171.69.2.132 (0x8306AB450284) IPCP: O CONFACK [ACKrcvd] id 3 len 22 IPCP: Address 11.2.2.5 (0x03060B020205) IPCP: PrimaryDNS 171.69.1.148 (0x8106AB450194) IPCP: SecondaryDNS 171.69.2.132 (0x8306AB450284) IPCP: State is Open IPCP: Install route to 11.2.2.5

debug radius
To display information associated with RADIUS, use the debug radius privileged EXEC command. The no form of this command disables debugging output. debug radius no debug radius

Syntax Description
This command has no arguments or keywords.

Usage Guidelines
RADIUS is a distributed security system that secures networks against unauthorized access. Cisco supports RADIUS under the authentication, authorization, and accounting (AAA) security system. Use the debug aaa authentication command to get a high-level view of login activity. When RADIUS is used on the router, you can use the debug radius command for more detailed debugging information.

Examples
The following is sample output from the debug aaa authentication command for a RADIUS login attempt that failed. The information indicates that RADIUS is the authentication method used.
Router# debug aaa authentication 14:02:55: AAA/AUTHEN (164826761): Method=RADIUS 14:02:55: AAA/AUTHEN (164826761): status = GETPASS 14:03:01: AAA/AUTHEN/CONT (164826761): continue_login 14:03:01: AAA/AUTHEN (164826761): status = GETPASS 14:03:01: AAA/AUTHEN (164826761): Method=RADIUS 14:03:04: AAA/AUTHEN (164826761): status = FAIL

The following is partial sample output from the debug radius command that shows a login attempt that failed because of a key mismatch (that is, a configuration problem):
Router# debug radius 13:55:19: Radius: IPC Send 0.0.0.0:1645, Access-Request, id 0x7, len 57 13:55:19: Attribute 4 6 AC150E5A 13:55:19: Attribute 5 6 0000000A 13:55:19: Attribute 1 7 62696C6C 13:55:19: Attribute 2 18 19D66483 13:55:22: Radius: Received from 171.69.1.152:1645, Access-Reject, id 0x7, len 20 13:55:22: Radius: Reply for 7 fails decrypt

The following is partial sample output from the debug radius command that shows a successful login attempt as indicated by an Access-Accept message:
Router# debug radius 13:59:02: Radius: IPC Send 0.0.0.0:1645, Access-Request, id 0xB, len 56 13:59:02: Attribute 4 6 AC150E5A 13:59:02: Attribute 5 6 0000000A 13:59:02: Attribute 1 6 62696C6C 13:59:02: Attribute 2 18 0531FEA3 13:59:04: Radius: Received from 171.69.1.152:1645, Access-Accept, id 0xB, len 26 13:59:04: Attribute 6 6 00000001

The following is partial sample output from the debug radius command that shows an unsuccessful login attempt as indicated by the Access-Reject message:
Router# debug radius 13:57:56: Radius: IPC Send 0.0.0.0:1645, Access-Request, id 0xA, len 57 13:57:56: Attribute 4 6 AC150E5A 13:57:56: Attribute 5 6 0000000A 13:57:56: Attribute 1 7 62696C6C 13:57:56: Attribute 2 18 49C28F6C 13:57:59: Radius: Received from 171.69.1.152:1645, Access-Reject, id 0xA, len 20

Related Commands
Command debug aaa accounting Description Displays information on accountable events as they occur.

debug aaa authentication

Displays information on AAA/TACACS+ authentication.

debug serial interface


To display information on a serial connection failure, use the debug serial interface privileged EXEC command. The no form of this command disables debugging output. debug serial interface no debug serial interface

Syntax Description
This command has no arguments or keywords.

Usage Guidelines
If the show interface serial EXEC command shows that the line and protocol are down, you can use the debug serial interface command to isolate a timing problem as the cause of a connection failure. If the keepalive values in the mineseq, yourseen, and myseen fields are not incrementing in each subsequent line of output, there is a timing or line problem at one end of the connection.

Caution Although the debug serial interface command typically does not generate a substantial amount of output, nevertheless use it cautiously during production hours. When SMDS is enabled, for example, it can generate considerable output. The output of the debug serial interface command can vary, depending on the type of WAN configured for an interface: Frame Relay, HDLC, HSSI, SMDS, or X.25. The output also can vary depending on the type of encapsulation configured for that interface. The hardware platform also can affect debug serial interface output.

Examples
The following sections show and describe sample debug serial interface output for various configurations.
Debug Serial Interface for Frame Relay Encapsulation

The following message is displayed if the encapsulation for the interface is Frame Relay (or HDLC) and the router attempts to send a packet containing an unknown packet type:
Illegal serial link type code xxx

Debug Serial Interface for HDLC

The following is sample output from the debug serial interface command for an HDLC connection when keepalives are enabled. This output shows that the remote router is not receiving all the keepalives the router is sending. When the difference in the values in the myseq and mineseen fields exceeds three, the line goes down and the interface is reset.

Table 160 describes the significant fields. Table 160 debug serial interface Field Descriptions for HDLC Field Serial 1 HDLC myseq 636119 mineseen 636119 Description Interface through which the serial connection is taking place. Serial connection is an HDLC connection. Myseq counter increases by one each time the router sends a keepalive packet to the remote router. Value of the mineseen counter reflects the last myseq sequence number the remote router has acknowledged receiving from the router. The remote router stores this value in its yourseen counter and sends that value in a keepalive packet to the router. Yourseen counter reflects the value of the myseq sequence number the router has received in a keepalive packet from the remote router. Connection between the routers is maintained. Value changes to "line down" if the values of the myseq and myseen fields in a keepalive packet differ by more than three. Value returns to "line up"

yourseen 515032

line up

when the interface is reset. If the line is in loopback mode, ("looped") appears after this field. Table 161 describes additional error messages that the debug serial interface command can generate for HDLC. Table 161 debug serial interface Error Messages for HDLC Field Illegal serial link type code <xxx>, PC = 0xnnnnnn Illegal HDLC serial type code <xxx>, PC = 0xnnnnn Description Router attempted to send a packet containing an unknown packet type. Unknown packet type is received.

Serial 0: attempting to restart Interface is down. The hardware is then reset to correct the problem, if possible Serial 0: Received bridge Bridge packet is received over a serial interface packet sent to <nnnnnnnnn> configured for HDLC, and bridging is not configured on that interface.

Debug Serial Interface for HSSI

On an HSSI interface, the debug serial interface command can generate the following additional error message:
HSSI0: Reset from 0xnnnnnnn

This message indicates that the HSSI hardware has been reset. The 0xnnnnnnn variable is the address of the routine requesting that the hardware be reset; this value is useful only to development engineers.
Debug Serial Interface for ISDN Basic Rate

Table 162 describes error messages that the debug serial interface command can generate for ISDN Basic Rate. Table 162 debug serial interface Error Messages for ISDN Basic Rate Message BRI: D-chan collision Description Collision on the ISDN D channel has occurred; the software will retry transmission. ISDN hardware has lost frame alignment. This usually

Received SID Loss of

Frame Alignment int.

indicates a problem with the ISDN network.

Unexpected IMP int: ipr ISDN hardware received an unexpected interrupt. The = 0xnn 0xnn variable indicates the value returned by the interrupt register. BRI(d): RX Frame Length Violation. Length=n BRI(d): RX Nonoctet Aligned Frame BRI(d): RX Abort Sequence BRI(d): RX CRC Error BRI(d): RX Overrun Error BRI(d): RX Carrier Detect Lost BRI0: Reset from 0xnnnnnnn BRI hardware has been reset. The 0xnnnnnnn variable is the address of the routine that requested that the hardware be reset; it is useful only to development engineers. Any of these messages can be displayed when a receive error occurs on one of the ISDN channels. The (d) indicates which channel it is on. These messages can indicate a problem with the ISDN network connection.

BRI(d): Bad state in Any of these messages can be displayed if the ISDN SCMs scm1=x scm2=x hardware is not in the proper state. The hardware is scm3=x then reset. If the message is displayed constantly, it usually indicates a hardware problem. BRI(d): Bad state in SCONs scon1=x scon2 =x scon3=x BRI(d): Bad state ub SCR; SCR=x BRI(d): Illegal packet encapsulation=n Packet is received, but the encapsulation used for the packet is not recognized. The interface might be misconfigured.

Debug Serial Interface for an MK5025 Device

Table 163 describes the additional error messages that the debug serial interface command can generate for an MK5025 device. Table 163 debug serial interface Error Messages for an MK5025 Device Message MK5(d): Reset from 0xnnnnnnnn Description Hardware has been reset. The 0xnnnnnnn variable is the address of the routine that requested that the hardware be reset; it is useful only to development engineers. Packet is received, but the encapsulation used for the packet is not recognized. Interface might be misconfigured. Serial driver attempted to get a buffer (memory) and was unable to do so.

MK5(d): Illegal packet encapsulation=n

MK5(d): No packet available for packet realignment MK5(d): Bad state in CSR0=(x)

This message is displayed if the hardware is not in the proper state. The hardware is reset. If this message is displayed constantly, it usually indicates a hardware problem. Hardware has interrupted the software. It displays the state that the hardware is reporting. If the interrupt indicates that the state of carrier has changed, one of these messages is displayed to indicate the current state of DCD.

MK5(d): New serial state=n MK5(d): DCD is down. MK5(d): DCD is up.

Debug Serial Interface for SMDS Encapsulation

When encapsulation is set to SMDS, the debug serial interface command displays SMDS packets that are sent and received, and any error messages resulting from SMDS packet transmission. The error messages that the debug serial interface command can generate for SMDS follow.

The following message indicates that a new protocol requested SMDS to encapsulate the data for transmission. SMDS is not yet able to encapsulate the protocol.
SMDS: Error on Serial 0, encapsulation bad protocol = x

The following message indicates that SMDS was asked to encapsulate a packet, but no corresponding destination E.164 SMDS address was found in any of the static SMDS tables or in the ARP tables:
SMDS send: Error in encapsulation, no hardware address, type = x

The following message indicates that a protocol such as CLNS or IP has been enabled on an SMDS interface, but the corresponding multicast addresses have not been configured. The n variable displays the link type for which encapsulation was requested.
SMDS: Send, Error in encapsulation, type=n

The following messages can occur when a corrupted packet is received on an SMDS interface. The router expected x, but received y.
SMDS: Invalid packet, Reserved NOT ZERO, x y SMDS: Invalid packet, TAG mismatch x y SMDS: Invalid packet, Bad TRAILER length x y

The following messages can indicate an invalid length for an SMDS packet:
SMDS: SMDS: SMDS: SMDS: Invalid Invalid Invalid Invalid packet, packet, packet, packet, Bad Bad Bad Bad BA length x header extension length x header extension type x header extension value x

The following messages are displayed when the debug serial interface command is enabled:
Interface Serial 0 Sending SMDS L3 packet: SMDS: dgsize:x type:0xn :y dst:z

If the debug serial interface command is enabled, the following message can be displayed when a packet is received on an SMDS interface, but the destination SMDS address does not match any on that interface:
SMDS: Packet n, not addressed to us

debug serial packet


To display more detailed serial interface debugging information than you can obtain using the debug serial interface command, use the debug serial packet privileged EXEC command. The no form of this command disables debugging output. debug serial packet no debug serial packet

Syntax Description
This command has no arguments or keywords.

Usage Guidelines
The debug serial packet command generates output that is dependent on the type of serial interface and the encapsulation running on that interface. The hardware platform also can impact debug serial packet output. The debug serial packet command displays output for only SMDS encapsulations.

Examples
The following is sample output from the debug serial packet command when SMDS is enabled on the interface:
Router# debug serial packet Interface Serial2 Sending SMDS L3 packet: SMDS Header: Id: 00 RSVD: 00 BEtag: EC Basize: 0044 Dest:E18009999999FFFF :C12015804721FFFF Xh:04030000030001000000000000000000 SMDS LLC: AA AA 03 00 00 00 80 38 SMDS Data: E1 19 01 00 00 80 00 00 0C 00 38 1F 00 0A 00 80 00 00 0C 01 2B 71 SMDS Data: 06 01 01 0F 1E 24 00 EC 00 44 00 02 00 00 83 6C 7D 00 00 00 00 00 SMDS Trailer: RSVD: 00 BEtag: EC Length: 0044

As the output shows, when encapsulation is set to SMDS, the debug serial packet command displays the entire SMDS header (in hexadecimal notation), and some payload data on transmit or receive. This information is useful only when you have an understanding of the SMDS protocol. The first line of the output indicates either Sending or Receiving.

debug snmp packet


To display information about every SNMP packet sent or received by the router, use the debug snmp packet privileged EXEC command. The no form of this command disables debugging output. debug snmp packet no debug snmp packet

Syntax Description
This command has no arguments or keywords.

Examples
The following is sample output from the debug snmp packet command. In this example, the router receives a get-next request from the host at 172.16.63.17 and responds with the requested information.
Router# debug snmp packet SNMP: Packet received via UDP from 172.16.63.17 on Ethernet0 SNMP: Get-next request, reqid 23584, errstat 0, erridx 0 sysUpTime = NULL TYPE/VALUE system.1 = NULL TYPE/VALUE system.6 = NULL TYPE/VALUE SNMP: Response, reqid 23584, errstat 0, erridx 0 sysUpTime.0 = 2217027 system.1.0 = Cisco Internetwork Operating System Software system.6.0 = SNMP: Packet sent via UDP to 172.16.63.17

Based on the kind of packet sent or received, the output may vary. For get-bulk requests, a line similar to the following is displayed:
SNMP: Get-bulk request, reqid 23584, nonrptr 10, maxreps 20

For traps, a line similar to the following is displayed:


SNMP: V1 Trap, ent 1.3.6.1.4.1.9.1.13, gentrap 3, spectrap 0

Table 170 describes the significant fields shown in the display. Table 170 debug snmp packet Field Descriptions Field Get-next request Description Indicates what type of SNMP PDU the packet is. Possible types are as follows:

Get request Get-next request Response Set request

V1 Trap Get-bulk request Inform request V2 Trap

Depending on the type of PDU, the rest of this line displays different fields. The indented lines following this line list the MIB object names and corresponding values. reqid Request identification number. This number is used by the SNMP manager to match responses with requests. Error status. All PDU types other than response will have an errstat of 0. If the agent encounters an error while processing the request, it will set errstat in the response PDU to indicate the type of error. Error index. This value will always be 0 in all PDUs other than responses. If the agent encounters an error, the erridx will be set to indicate which varbind in the request caused the error. For example, if the agent had an error on the second varbind in the request PDU, the response PDU will have an erridx equal to 2. Nonrepeater value. This value and the maximum repetition value are used to determine how many varbinds are returned. Refer to RFC 1905 for details. Maximum repetition value. This value and the nonrepeater value are used to determine how many varbinds are returned. Refer to RFC 1905 for details. Enterprise object identifier. Refer to RFC 1215 for details. Generic trap value. Refer to RFC 1215 for details. Specific trap value. Refer to RFC 1215 for details.

errstat

erridx

nonrptr

maxreps

ent gentrap spectrap

debug snmp requests


To display information about every SNMP request made by the SNMP manager, use the debug snmp requests privileged EXEC command. The no form of this command disables debugging output. debug snmp requests no debug snmp requests

Syntax Description
This command has no arguments or keywords.

Examples
The following is sample output from the debug snmp requests command:
Router# debug snmp requests SNMP Manager API: request dest: 171.69.58.33.161, community: public retries: 3, timeout: 30, mult: 2, use session rtt userdata: 0x0

Table 171 describes the significant fields shown in the display. Table 171 debug snmp requests field Field Descriptions Field SNMP Manager API dest community retries timeout Description Indicates that the router sent an SNMP request.

Destination of the request. Community string sent with the request. Number of times the request has been re-sent. Request timeout, or how long the router will wait before resending the request. Timeout multiplier. The timeout for a re-sent request will be equal to the previous timeout multiplied by the timeout multiplier.

mult

use session rtt Indicates that the average round-trip time of the session should be used in calculating the timeout value.

userdata

Internal Cisco IOS software data.

debug tacacs events


To display information from the TACACS+ helper process, use the debug tacacs events privileged EXEC command. The no form of this command disables debugging output. debug tacacs events no debug tacacs events

Syntax Description
This command has no arguments or keywords.

Usage Guidelines
Use the debug tacacs events command only in response to a request from service personnel to collect data when a problem has been reported.

Caution Use the debug tacacs events command with caution because it can generate a substantial amount of output. The TACACS protocol is used on routers to assist in managing user accounts. TACACS+ enhances the TACACS functionality by adding security features and cleanly separating out the authentication, authorization, and accounting (AAA) functionality.

Examples
The following is sample output from the debug tacacs events command. In this example, the opening and closing of a TCP connection to a TACACS+ server are shown, and the bytes read and written over the connection and the TCP status of the connection:
Router# debug tacacs events %LINK-3-UPDOWN: Interface Async2, changed state to up 00:03:16: TAC+: Opening TCP/IP to 192.168.58.104/1049 timeout=15 00:03:16: TAC+: Opened TCP/IP handle 0x48A87C to 192.168.58.104/1049 00:03:16: TAC+: periodic timer started 00:03:16: TAC+: 192.168.58.104 req=3BD868 id=-1242409656 ver=193 handle=0x48A87C (ESTAB) expire=14 AUTHEN/START/SENDAUTH/CHAP queued 00:03:17: TAC+: 192.168.58.104 ESTAB 3BD868 wrote 46 of 46 bytes 00:03:22: TAC+: 192.168.58.104 CLOSEWAIT read=12 wanted=12 alloc=12 got=12 00:03:22: TAC+: 192.168.58.104 CLOSEWAIT read=61 wanted=61 alloc=61 got=49 00:03:22: TAC+: 192.168.58.104 received 61 byte reply for 3BD868 00:03:22: TAC+: req=3BD868 id=-1242409656 ver=193 handle=0x48A87C (CLOSEWAIT) expire=9 AUTHEN/START/SENDAUTH/CHAP processed 00:03:22: TAC+: periodic timer stopped (queue empty)

00:03:22: TAC+: Closing TCP/IP 0x48A87C connection to 192.168.58.104/1049 00:03:22: TAC+: Opening TCP/IP to 192.168.58.104/1049 timeout=15 00:03:22: TAC+: Opened TCP/IP handle 0x489F08 to 192.168.58.104/1049 00:03:22: TAC+: periodic timer started 00:03:22: TAC+: 192.168.58.104 req=3BD868 id=299214410 ver=192 handle=0x489F08 (ESTAB) expire=14 AUTHEN/START/SENDPASS/CHAP queued 00:03:23: TAC+: 192.168.58.104 ESTAB 3BD868 wrote 41 of 41 bytes 00:03:23: TAC+: 192.168.58.104 CLOSEWAIT read=12 wanted=12 alloc=12 got=12 00:03:23: TAC+: 192.168.58.104 CLOSEWAIT read=21 wanted=21 alloc=21 got=9 00:03:23: TAC+: 192.168.58.104 received 21 byte reply for 3BD868 00:03:23: TAC+: req=3BD868 id=299214410 ver=192 handle=0x489F08 (CLOSEWAIT) expire=13 AUTHEN/START/SENDPASS/CHAP processed 00:03:23: TAC+: periodic timer stopped (queue empty)

The TACACS messages are intended to be self-explanatory or for consumption by service personnel only. However, the messages shown are briefly explained in the following text. The following message indicates that a TCP open request to host 192.168.58.104 on port 1049 will time out in 15 seconds if it gets no response:
00:03:16: TAC+: Opening TCP/IP to 192.168.58.104/1049 timeout=15

The following message indicates a successful open operation and provides the address of the internal TCP "handle" for this connection:
00:03:16: TAC+: Opened TCP/IP handle 0x48A87C to 192.168.58.104/1049

The following message indicates that a TACACS+ request has been queued:
00:03:16: TAC+: 192.168.58.104 req=3BD868 id=-1242409656 ver=193 handle=0x48A87C (ESTAB) expire=14 AUTHEN/START/SENDAUTH/CHAP queued

The message identifies the following:


Server that the request is destined for Internal address of the request TACACS+ ID of the request TACACS+ version number of the request Internal TCP handle the request uses (which will be zero for a singleconnection server) TCP status of the connectionwhich is one of the following:
o o o o o o o o o o

CLOSED LISTEN SYNSENT SYNRCVD ESTAB FINWAIT1 FINWAIT2 CLOSEWAIT LASTACK CLOSING

TIMEWAIT Number of seconds until the request times out Request type
o

The following message indicates that all 46 bytes were written to address 192.168.58.104 for request 3BD868:
00:03:17: TAC+: 192.168.58.104 ESTAB 3BD868 wrote 46 of 46 bytes

The following message indicates that 12 bytes were read in reply to the request:
00:03:22: TAC+: 192.168.58.104 CLOSEWAIT read=12 wanted=12 alloc=12 got=12

The following message indicates that 49 more bytes were read, making a total of 61 bytes in all, which is all that was expected:
00:03:22: TAC+: 192.168.58.104 CLOSEWAIT read=61 wanted=61 alloc=61 got=49

The following message indicates that a complete 61-byte reply has been read and processed for request 3BD868:
00:03:22: TAC+: 192.168.58.104 received 61 byte reply for 3BD868 00:03:22: TAC+: req=3BD868 id=-1242409656 ver=193 handle=0x48A87C (CLOSEWAIT) expire=9 AUTHEN/START/SENDAUTH/CHAP processed

The following message indicates that the TACACS+ server helper process switched itself off when it had no more work to do:
00:03:22: TAC+: periodic timer stopped (queue empty)

Related Commands
Command debug aaa accounting Description Displays information on accountable events as they occur.

debug aaa authentication

Displays information on AAA/TACACS+ authentication.

debug aaa authorization

Displays information on AAA/TACACS+ authorization.

debug sw56

Displays debug information for switched 56 K services.

debug tacacs
To display information associated with the TACACS, use the debug tacacs privileged EXEC command. The no form of this command disables debugging output. debug tacacs no debug tacacs

Syntax Description
This command has no arguments or keywords.

Usage Guidelines
TACACS is a distributed security system that secures networks against unauthorized access. Cisco supports TACACS under the authentication, authorization, and accounting (AAA) security system. Use the debug aaa authentication command to get a high-level view of login activity. When TACACS is used on the router, you can use the debug tacacs command for more detailed debugging information.

Examples
The following is sample output from the debug aaa authentication command for a TACACS login attempt that was successful. The information indicates that TACACS+ is the authentication method used.
Router# debug aaa authentication 14:01:17: AAA/AUTHEN (567936829): Method=TACACS+ 14:01:17: TAC+: send AUTHEN/CONT packet 14:01:17: TAC+ (567936829): received authen response status = PASS 14:01:17: AAA/AUTHEN (567936829): status = PASS

The following is sample output from the debug tacacs command for a TACACS login attempt that was successful, as indicated by the status PASS:
Router# debug tacacs 14:00:09: TAC+: Opening TCP/IP connection to 192.168.60.15 using source 10.116.0.79 14:00:09: TAC+: Sending TCP/IP packet number 383258052-1 to 192.168.60.15 (AUTHEN/START) 14:00:09: TAC+: Receiving TCP/IP packet number 383258052-2 from 192.168.60.15 14:00:09: TAC+ (383258052): received authen response status = GETUSER 14:00:10: TAC+: send AUTHEN/CONT packet 14:00:10: TAC+: Sending TCP/IP packet number 383258052-3 to 192.168.60.15 (AUTHEN/CONT) 14:00:10: TAC+: Receiving TCP/IP packet number 383258052-4 from 192.168.60.15 14:00:10: TAC+ (383258052): received authen response status = GETPASS

14:00:14: TAC+: send AUTHEN/CONT packet 14:00:14: TAC+: Sending TCP/IP packet number 383258052-5 to 192.168.60.15 (AUTHEN/CONT) 14:00:14: TAC+: Receiving TCP/IP packet number 383258052-6 from 192.168.60.15 14:00:14: TAC+ (383258052): received authen response status = PASS 14:00:14: TAC+: Closing TCP/IP connection to 192.168.60.15

The following is sample output from the debug tacacs command for a TACACS login attempt that was unsuccessful, as indicated by the status FAIL:
Router# debug tacacs 13:53:35: TAC+: Opening TCP/IP connection to 192.168.60.15 using source 192.48.0.79 13:53:35: TAC+: Sending TCP/IP packet number 416942312-1 to 192.168.60.15 (AUTHEN/START) 13:53:35: TAC+: Receiving TCP/IP packet number 416942312-2 from 192.168.60.15 13:53:35: TAC+ (416942312): received authen response status = GETUSER 13:53:37: TAC+: send AUTHEN/CONT packet 13:53:37: TAC+: Sending TCP/IP packet number 416942312-3 to 192.168.60.15 (AUTHEN/CONT) 13:53:37: TAC+: Receiving TCP/IP packet number 416942312-4 from 192.168.60.15 13:53:37: TAC+ (416942312): received authen response status = GETPASS 13:53:38: TAC+: send AUTHEN/CONT packet 13:53:38: TAC+: Sending TCP/IP packet number 416942312-5 to 192.168.60.15 (AUTHEN/CONT) 13:53:38: TAC+: Receiving TCP/IP packet number 416942312-6 from 192.168.60.15 13:53:38: TAC+ (416942312): received authen response status = FAIL 13:53:40: TAC+: Closing TCP/IP connection to 192.168.60.15

Related Commands
Command debug aaa accounting Description Displays information on accountable events as they occur.

debug aaa authentication

Displays information on AAA/TACACS+ authentication.

debug tftp
To display Trivial File Transfer Protocol (TFTP) debugging information when encountering problems netbooting or using the copy tftp system:runningconfig or copy system:running-config tftp commands, use the debug tftp privileged EXEC command. The no form of this command disables debugging output. debug tftp no debug tftp

Syntax Description
This command has no arguments or keywords.

Examples
The following is sample output from the debug tftp command from the copy system:running-config tftp EXEC command:
Router# debug TFTP: msclock TFTP: msclock TFTP: msclock TFTP: msclock TFTP: msclock TFTP: msclock tftp 0x292B4; 0x2A63C; 0x2A6DC; 0x2A6DC; 0x2A6DC; 0x2A6E4; Sending write request (retry 0), socket_id 0x301DA8 Sending write request (retry 1), socket_id 0x301DA8 Received ACK for block 0, socket_id 0x301DA8 Received ACK for block 0, socket_id 0x301DA8 Sending block 1 (retry 0), socket_id 0x301DA8 Received ACK for block 1, socket_id 0x301DA8

Table 213 describes the significant fields in the first line of output.
Table 213 debug tftp Field Descriptions

Message TFTP: msclock 0x292B4; Sending write request (retry 0) socket_id 0x301DA8 TFTP packet.

Description

Internal timekeeping clock (in milliseconds). TFTP operation.

Unique memory address for the socket for the TFTP connection.

debug vpdn pppoe-data


To display data packets of PPPoE sessions, use the debug vpdn pppoe-data command in EXEC mode. To disable the debugging output, use the no form of this command. debug vpdn pppoe-data no debug vpdn pppoe-data

Syntax Description
This command has no arguments or keywords.

Defaults
No default behavior or values.

Command History
Release 12.1(1)T Modification This command was introduced.

Usage Guidelines
The debug vpdn pppoe-data command displays a large number of debug messages and should generally be used only on a debug chassis with a single active session.

Examples
The following is an example of output from the debug vpdn pppoe-data command:
6d20h:%LINK-3-UPDOWN:Interface Virtual-Access1, changed state to up 6d20h:PPPoE:OUT contiguous pak, size 19 FF 03 C0 21 01 01 00 0F 03 05 C2 23 05 05 06 D3 FF 2B DA 6d20h:PPPoE:IN particle pak, size 1240 C0 21 01 01 00 0A 05 06 39 53 A5 17 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6d20h:PPPoE:OUT contiguous pak, size 14 FF 03 C0 21 02 01 00 0A 05 06 39 53 A5 17 6d20h:PPPoE:OUT

contiguous pak, size 19 FF 03 C0 21 01 02 00 0F 03 05 C2 23 05 05 06 D3 FF 2B DA 6d20h:PPPoE:IN particle pak, size 1740 C0 21 02 02 00 0F 03 05 C2 23 05 05 06 D3 FF 2B DA 00 80 C2 00 07 00 00 00 10 7B 01 2C D9 00 B0 C2 EB 10 38 88 64 11 00 6d20h:PPPoE:OUT contiguous pak, size 30 FF 03 C2 23 01 06 00 1A 10 99 1E 6E 8F 8C F2 C6 EE 91 0A B0 01 CB 89 68 13 47 61 6E 67 61 6d20h:PPPoE:IN particle pak, size 3840 C2 23 02 06 00 24 10 E6 84 FF 3A A4 49 19 CE D7 AC D7 D5 96 CC 23 B3 41 6B 61 73 68 40 63 69 73 63 6F 2E 63 6F 6D 00 00 6d20h:PPPoE:OUT contiguous pak, size 8 FF 03 C2 23 03 06 00 04 6d20h:PPPoE:OUT contiguous pak, size 14 FF 03 80 21 01 01 00 0A 03 06 65 65 00 66 6d20h:PPPoE:IN particle pak, size 1240 80 21 01 01 00 0A 03 06 00 00 00 00 49 19 CE D7 AC D7 D5 96 CC 23 B3 41 6B 61 73 68 40 63 69 73 63 6F 2E 63 6F 6D 00 00 6d20h:PPPoE:OUT contiguous pak, size 14 FF 03 80 21 03 01 00 0A 03 06 65 65 00 67 6d20h:PPPoE:IN particle pak, size 1240 80 21 02 01 00 0A 03 06 65 65 00 66 00 04 AA AA 03 00 80 C2 00 07 00 00 00 10 7B 01 2C D9 00 B0 C2 EB 10 38 88 64 11 00 6d20h:PPPoE:IN particle pak, size 1240 80 21 01 02 00 0A 03 06 65 65 00 67 49 19 CE D7 AC D7 D5 96 CC 23 B3 41 6B 61 73 68 40 63 69 73 63 6F 2E 63 6F 6D 00 00 6d20h:PPPoE:OUT contiguous pak, size 14 FF 03 80 21 02 02 00 0A 03 06 65 65 00 67 6d20h:%LINEPROTO-5-UPDOWN:Line protocol on Interface Virtual-Access1, changed state to up 6d20h:PPPoE:OUT contiguous pak, size 16 FF 03 C0 21 09 01 00 0C D3 FF 2B DA 4C 4D 49 A4 6d20h:PPPoE:IN particle pak, size 1440 C0 21 0A 01 00 0C 39 53 A5 17 4C 4D 49 A4 AA AA 03 00 80 C2 00 07 00 00 00 10 7B 01 2C D9 00 B0 C2 EB 10 38 88 64 11 00 6d20h:PPPoE:IN particle pak, size 1440 C0 21 09 01 00 0C 39 53 A5 17 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Table 227 describes the fields shown in the displays.


Table 227 debug vpdn pppoe-data Field Descriptions

Field 6d20h:%LINK-3-UPDOWN:Interface VirtualAccess1, changed state to up 6d20h:PPPoE:OUT

Descriptions Virtual access interface 1 came up. The host delivered a PPPoE session packet to the access concentrator. The access concentrator received a PPPoE session packet.

6d20h:PPPoE:IN

Line protocol is up; the line can 6d20h:%LINEPROTO-5-UPDOWN:Line protocol on Interface Virtual-Access1, changed be used. state to up contiguous pak, size 19 particle pak, size 1240 Size 19 contiguous packet. Size 1240 particle packet.

Related Commands
Command debug vpdn pppoe-error Description Displays PPPoE protocol errors that prevent a session from being established or errors that cause an established session to be closed.

debug vpdn pppoe-events

Displays PPPoE protocol messages about events that are part of normal session establishment or shutdown.

debug vpdn pppoe-packet

Displays each PPPoE protocol packet exchanged.

protocol (VPDN)

Specifies the L2TP that the VPDN subgroup will use.

show vpdn

Displays information about active L2F protocol tunnel and message identifiers in a VPDN.

vpdn enable

Enables virtual private dialup networking on the router and informs the router to look for tunnel definitions in a local database and on a remote authorization server (home gateway), if one is pre-sent.

debug vpdn pppoe-error


To display PPPoE protocol errors that prevent a session from being established or errors that cause an established sessions to be closed, use the debug vpdn pppoe-error command in EXEC mode. To disable the debugging output, use the no form of this command. debug vpdn pppoe-error no debug vpdn pppoe-error

Syntax Description
This command has no arguments or keywords.

Defaults
No default behavior or values.

Command History
Release 12.1(1)T Modification This command was introduced.

Examples
The following is a full list of error messages displayed by the debug vpdn pppoe-error command:
PPPOE:pppoe_acsys_err cannot grow packet PPPoE:Cannot find PPPoE info PPPoE:Bad MAC address:00b0c2eb1038 PPPOE:PADI has no service name tag PPPoE:pppoe_handle_padi cannot add AC name/Cookie. PPPoE:pppoe_handle_padi cannot grow packet PPPoE:pppoe_handle_padi encap failed PPPoE cannot create virtual access. PPPoE cannot allocate session structure. PPPoE cannot store session element in tunnel. PPPoE cannot allocate tunnel structure. PPPoE cannot store tunnel PPPoE:VA221:No Session, Packet Discarded PPPOE:Tried to shutdown a null session PPPoE:Session already open, closing PPPoE:Bad cookie:_addr=00b0c2eb1038 PPPoE:Max session count on mac elem exceeded:mac=00b0c2eb1038 PPPoE:Max session count on vc exceeded:vc=3/77 PPPoE:Bad MAC address - dropping packet PPPoE:Bad version or type - dropping packet

Table 228 describes the fields shown in the displays.


Table 228 debug vpdn pppoe-error Field Descriptions

Field PPPOE:pppoe_acsys_err cannot grow packet PPPoE:Cannot find PPPoE info

Descriptions Asynchronous PPPoE packet initialization error. The access concentrator sends a PADO to the host. The host was unable to identify the Ethernet MAC address. PADI requires a service name tag.

PPPoE:Bad MAC address:00b0c2eb1038

PPPOE:PADI has no service name tag

PPPoE:pppoe_handle_padi cannot add AC pppoe_handle_padi could not name/Cookie. append AC name. PPPoE:pppoe_handle_padi cannot grow packet PPPoE:pppoe_handle_padi encap failed pppoe_handle_padi could not append packet. pppoe_handle_padi could not specify PPPoE on ATM encapsulation. PPPoE session unable to verify virtual access interface. PPPoE session unable to allocate Stage Protocol. PPPoE tunnel cannot allocate session element. PPPoE tunnel unable to allocate Stage Protocol. PPPoE configuration settings unable to initialize a tunnel. No sessions created. All packets dropped.

PPPoE cannot create virtual access.

PPPoE cannot allocate session structure.

PPPoE cannot store session element in tunnel. PPPoE cannot allocate tunnel structure.

PPPoE cannot store tunnel

PPPoE:VA221:No Session, Packet Discarded

PPPOE:Tried to shutdown a null session PPPoE:Session already open, closing PPPoE:Bad cookie:_addr=00b0c2eb1038

Null session shutdown. PPPoE session already open. PPPoE session unable to append new cookie. The maximum number of sessions exceeded the Ethernet MAC address. The maximum number of sessions exceeded the PVC connection. The host was unable to identify the MAC address. Packet dropped. The host was unable to identify the encapsulation type.

PPPoE:Max session count on mac elem exceeded:mac=00b0c2eb1038

PPPoE:Max session count on vc exceeded:vc=3/77 PPPoE:Bad MAC address - dropping packet PPPoE:Bad version or type - dropping packet

Related Commands
Command debug vpdn pppoe-data Description Displays data packets of PPPoE sessions.

debug vpdn pppoe-events

Displays PPPoE protocol messages about events that are part of normal session establishment or shutdown.

debug vpdn pppoe-packet

Displays each PPPoE protocol packet exchanged.

protocol (VPDN)

Specifies the L2TP that the VPDN subgroup will use.

show vpdn

Displays information about active L2F protocol tunnel and

message identifiers in a VPDN.

vpdn enable

Enables virtual private dialup networking on the router and informs the router to look for tunnel definitions in a local database and on a remote authorization server (home gateway), if one is pre-sent.

debug vpdn pppoe-events


To display PPPoE protocol messages about events that are part of normal session establishment or shutdown, use the debug vpdn pppoe-events command in EXEC mode. To disable the debugging output, use the no form of this command. debug vpdn pppoe-events no debug vpdn pppoe-events

Syntax Description
This command has no arguments or keywords.

Defaults
No default behavior or values.

Command History
Release 12.1(1)T Modification This command was introduced.

Examples
The following is an example of output from the debug vpdn pppoe-events command:
1w5d:IN PADI from PPPoE tunnel 1w5d:OUT PADO from PPPoE tunnel 1w5d:IN PADR from PPPoE tunnel 1w5d:PPPoE:VPN session created. 1w5d:%LINK-3-UPDOWN:Interface Virtual-Access2, changed state to up 1w5d:%LINEPROTO-5-UPDOWN:Line protocol on Interface Virtual-Access2, changed state to up

Table 229 describes the significant fields shown in the display.


Table 229 debug vpdn pppoe-events Field Descriptions

Field 1w5d:IN PADI from PPPoE tunnel

Descriptions The access concentrator receives a PADI packet from the PPPoE Tunnel.

1w5d:OUT PADO from PPPoE tunnel

The access concentrator sends a PADO to the host. The host sends a single PADR to the access concentrator that it has chosen. The access concentrator receives the PADR packet and creates a VPN session. Virtual access interface 2 came up. Line protocol is up. The line can be used.

1w5d:IN PADR from PPPoE tunnel

1w5d:PPPoE:VPN session created.

1w5d:%LINK-3-UPDOWN:Interface VirtualAccess2, changed state to up 1w5d:%LINEPROTO-5-UPDOWN:Line protocol on Interface Virtual-Access2, changed state to up

Related Commands
Command debug vpdn pppoe-data Description Displays data packets of PPPoE sessions.

debug vpdn pppoe-error

Displays PPPoE protocol errors that prevent a session from being established or errors that cause an established session to be closed.

debug vpdn pppoe-packet

Displays each PPPoE protocol packet exchanged.

protocol (VPDN)

Specifies the L2TP that the VPDN subgroup will use.

show vpdn

Displays information about active L2F protocol tunnel and message identifiers in a VPDN.

vpdn enable

Enables virtual private dialup networking on the router and informs the router to look for tunnel definitions in a local database and on a remote authorization server (home gateway), if one is pre-sent.

debug vpdn pppoe-packet


To display each PPPoE protocol packet exchanged, use the debug vpdn pppoe-packet command in EXEC mode.To disable the debugging output, use the no form of this command. debug vpdn pppoe-packet no debug vpdn pppoe-packet

Syntax Description
This command has no arguments or keywords.

Defaults
No default behavior or values.

Command History
Release 12.1(1)T Modification This command was introduced.

Usage Guidelines
The debug vpdn pppoe-packet command displays a large number of debug messages and should generally only be used on a debug chassis with a single active session.

Examples
The following is an example of output from the debug vpdn pppoe-packet command:
PPPoE control packets debugging is on 1w5d:PPPoE:discovery packet contiguous pak, size 74 FF FF FF FF FF FF 00 10 7B 01 2C D9 88 00 00 00 04 01 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1w5d:OUT PADO from PPPoE tunnel contiguous pak, size 74 00 01 09 00 AA AA 03 00 80 C2 00 07 00 7B 01 2C D9 00 90 AB 13 BC A8 88 63 11 00 20 01 01 00 00 01 02 00 04 41 67 6E 1w5d:PPPoE:discovery packet contiguous pak, size 74 00 90 AB 13 BC A8 00 10 7B 01 2C D9 88

63 11 09 00 00 00 00 00 ...

00 00 10 07 00 00 69 01 ...

63 11 19

00 00 00 20 01 01 00 00 01 02 00 04 41 67 6E 69 01 04 00 10 B7 4B 86 5B 90 A5 EF 11 64 A9 BA ...

Table 230 describes the significant fields shown in the displays.


Table 230 debug vpdn pppoe-packet Field Descriptions

Field Descriptions PPPoE control packets debugging PPPoE debugging of packets is enabled. is on 1w5d:PPPoE:discovery packet The host performs a discovery to initiate a PPPoE session. The access concentrator sends a PADO to the host. The host performs a discovery to initiate a PPPoE session. Size 74 contiguous packet.

1w5d:OUT PADO from PPPoE tunnel 1w5d:PPPoE:discovery packet

contiguous pak, size 74

Related Commands
Command debug vpdn pppoe-data Description Displays data packets of PPPoE sessions.

debug vpdn pppoe-error

Displays PPPoE protocol errors that prevent a session from being established or errors that cause an established session to be closed.

debug vpdn pppoe-events

Displays PPPoE protocol messages about events that are part of normal session establishment or shutdown.

protocol (VPDN)

Specifies the L2TP that the VPDN subgroup will use.

show vpdn

Displays information about active L2F protocol tunnel and message identifiers in a VPDN.

vpdn enable

Enables virtual private dialup networking on the router and informs the router to look for tunnel definitions in a local database and on a remote authorization server (home gateway), if one is pre-sent.

debug vpdn
To display debug traces for the virtual private dialup networks (VPDN), which provide PPP tunnels using the Layer 2 Forwarding (L2F) Protocol, use the debug vpdn command in privileged EXEC mode. The no form of this command disables debugging output. debug vpdn {error | event [disconnected] | l2tp-sequencing | l2x-data | l2x-errors | l2x-events | l2x-packets | packet [errors] | pppoe-data | pppoe-errors | pppoe-events | pppoe-packets} no debug vpdn {error | event [disconnected] | l2tp-sequencing | l2xdata | l2x-errors | l2x-events | l2x-packets | packet [errors] | pppoedata | pppoe-errors | pppoe-events | pppoe-packets}

Syntax Description
error Displays VPDN protocol errors.

event

Displays VPDN events.

disconnected

(Optional) Displays VPDN disconnect reasons.

l2tp-sequencing

Displays Layer 2 Tunneling Protocol (L2TP) sequencing.

l2x-data

Displays L2F Protocol and L2TP data packets.

l2x-errors

Displays L2F Protocol and L2TP protocol errors.

l2x-events

Displays L2F Protocol and L2TP protocol events.

l2x-packets

Displays L2F Protocol and L2TP control packets.

packet

Displays VPDN packets.

errors

(Optional) Displays VPDN packet errors.

pppoe-data

Displays PPP over Ethernet (PPPoE) data packets.

pppoe-errors

Displays PPPoE protocol errors.

pppoe-events

Displays PPPoE protocol events.

pppoe-packets

Displays PPPoE control packets.

Examples
The following is sample output for the natural sequence of events for an L2TP network server (LNS) named stella:
Router# debug vpdn event 20:47:33: %LINK-3-UPDOWN: Interface Async7, changed state to up 20:47:35: As7 VPDN: Looking for tunnel -- cisco.com -20:47:35: As7 VPDN: Get tunnel info for cisco.com with NAS stella, IP 172.21.9.13 20:47:35: As7 VPDN: Forward to address 172.21.9.13 20:47:35: As7 VPDN: Forwarding... 20:47:35: As7 VPDN: Bind interface direction=1 20:47:35: Tnl/Cl 8/1 L2TP: Session FS enabled 20:47:35: Tnl/Cl 8/1 L2TP: Session state change from idle to wait-fortunnel 20:47:35: As7 8/1 L2TP: Create session 20:47:35: Tnl 8 L2TP: SM State idle 20:47:35: Tnl 8 L2TP: Tunnel state change from idle to wait-ctl-reply 20:47:35: Tnl 8 L2TP: SM State wait-ctl-reply 20:47:35: As7 VPDN: bum1@cisco.com is forwarded 20:47:35: Tnl 8 L2TP: Got a challenge from remote peer, stella 20:47:35: Tnl 8 L2TP: Got a response from remote peer, stella 20:47:35: Tnl 8 L2TP: Tunnel Authentication success 20:47:35: Tnl 8 L2TP: Tunnel state change from wait-ctl-reply to established 20:47:35: Tnl 8 L2TP: SM State established 20:47:35: As7 8/1 L2TP: Session state change from wait-for-tunnel to waitreply 20:47:35: As7 8/1 L2TP: Session state change from wait-reply to established 20:47:36: %LINEPROTO-5-UPDOWN: Line protocol on Interface Async7, changed state to up

The following shows sample debug output on the L2TP access concentrator (LAC) named stella:

Router# debug vpdn event 20:19:17: L2TP: I SCCRQ from stella tnl 8 20:19:17: L2X: Never heard of stella 20:19:17: Tnl 7 L2TP: New tunnel created for remote stella, address 172.21.9.4 20:19:17: Tnl 7 L2TP: Got a challenge in SCCRQ, stella 20:19:17: Tnl 7 L2TP: Tunnel state change from idle to wait-ctl-reply 20:19:17: Tnl 7 L2TP: Got a Challenge Response in SCCCN from stella 20:19:17: Tnl 7 L2TP: Tunnel Authentication success 20:19:17: Tnl 7 L2TP: Tunnel state change from wait-ctl-reply to established 20:19:17: Tnl 7 L2TP: SM State established 20:19:17: Tnl/Cl 7/1 L2TP: Session FS enabled 20:19:17: Tnl/Cl 7/1 L2TP: Session state change from idle to wait-fortunnel 20:19:17: Tnl/Cl 7/1 L2TP: New session created 20:19:17: Tnl/Cl 7/1 L2TP: O ICRP to stella 8/1 20:19:17: Tnl/Cl 7/1 L2TP: Session state change from wait-for-tunnel to wait-connect 20:19:17: Tnl/Cl 7/1 L2TP: Session state change from wait-connect to established 20:19:17: Vi1 VPDN: Virtual interface created for bum1@cisco.com 20:19:17: Vi1 VPDN: Set to Async interface 20:19:17: Vi1 VPDN: Clone from Vtemplate 1 filterPPP=0 blocking 20:19:18: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to up 20:19:18: Vi1 VPDN: Bind interface direction=2 20:19:18: Vi1 VPDN: PPP LCP accepting rcv CONFACK 20:19:19: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to up

Related Commands
Command debug aaa authentication Description Displays information on AAA/TACACS+ authentication.

Command Name: Mode: Syntax: cdp enable no cdp enable Syntax Description:

no cdp enable router(config-if)#

This command has no arguments or keywords. Command Description: To enable Cisco Discovery Protocol (CDP) on an interface, use the cdp enable interface configuration command. To disable CDP on an interface, use the no form of this command. Usage Guidelines CDP is enabled by default at the global level and on each supported interface in order to send or receive CDP information. However, some interfaces, such as ATM interfaces, do not support CDP. Using the no form of this command can be useful for security. Example: router(config-if)#cdp enable Misconceptions: none Related commands: cdp run Sample Configurations:

Command Name: Mode: Syntax: cdp run no cdp run Syntax Description:

no cdp run router(config)#

This command has no arguments or keywords. Command Description: To enable Cisco Discovery Protocol (CDP), use the cdp run global configuration command. To disable CDP, use the no form of this command. Usage Guidelines CDP is enabled on your router by default, which means the Cisco IOS software will receive CDP information. CDP also is enabled on supported interfaces by default. To disable CDP on an interface, use the no cdp enable interface configuration command. Using the no form of this command can be useful for security. Example: router(config)#no cdp run Misconceptions: none Related commands: cdp enable Sample Configurations: no cdp run ! line con 0 exec-timeout 0 0 logging synchronous login local transport input none line aux 0 no exec

login local line vty 0 4 access-class 1 in login local ! end

Command Name: Mode: Syntax:

no ip directed-broadcast router(config-if)#

ip directed-broadcast [access-list-number] | [extended access-list-number] no ip directed-broadcast [access-list-number] | [extended access-list-number]

Syntax Description:
access-list-number (Optional) Standard access list number in the range from 1 to 199. If specified, a broadcast must pass the access list to be forwarded.

extended accesslist-number

(Optional) Extended access list number in the range from 1300 to 2699.

Command Description: To enable the translation of a directed broadcast to physical broadcasts, use the ip directedbroadcast interface configuration command. To disable this function, use the no form of this command. Usage Guidelines An IP directed broadcast is an IP packet whose destination address is a valid broadcast address for some IP subnet, but which originates from a node that is not itself part of that destination subnet. A router that is not directly connected to its destination subnet forwards an IP directed broadcast in the same way it would forward unicast IP packets destined to a host on that subnet. When a directed broadcast packet reaches a router that is directly connected to its destination subnet, that packet is "exploded" as a broadcast on the destination subnet. The destination address in the IP header of the packet is rewritten to the configured IP broadcast address for the subnet, and the packet is sent as a link-layer broadcast. The ip directed-broadcast interface command controls the explosion of directed broadcasts when they reach their target subnets. The command affects only the final transmission of the directed broadcast on its ultimate destination subnet. It does not affect the transit unicast routing of IP directed broadcasts. If directed broadcast is enabled for an interface, incoming IP packets whose addresses identify them as directed broadcasts intended for the subnet to which that interface is attached will be exploded as broadcasts on that subnet. If an access list has been configured with the ip directed-

broadcast command, only directed broadcasts that are permitted by the access list in question will be forwarded; all other directed broadcasts destined for the interface subnet will be dropped. If the no ip directed-broadcast command has been configured for an interface, directed broadcasts destined for the subnet to which that interface is attached will be dropped, rather than being broadcast. Note Because directed broadcasts, and particularly Internet Control Message Protocol (ICMP) directed broadcasts, have been abused by malicious persons, we recommend that securityconscious users disable the ip directed-broadcast command on any intereface where directed broadcasts are not needed and that they use access lists to limit the number of exploded packets. Example: router(config-if)#no ip directed-broadcast Misconceptions: none Related commands: none Sample Configurations: ! interface FastEthernet0 ip address 192.168.1.2 255.255.255.0 ip access-group 102 in no ip redirects no ip unreachables no ip directed-broadcast no ip proxy-arp no ip route-cache no ip mroute-cache !

Command Name: Mode: Syntax:

no ip finger router(config)#

ip finger [rfc-compliant] no ip finger Syntax Description: rfccompliant (Optional) Configures the system to wait for "Return" or "/W" input when processing Finger requests. This keyword should not be used for those systems.

Command Description: To configure a system to accept Finger protocol requests (defined in RFC 742), use the ip finger global configuration command. To disable this service, use the no form of this command. Usage Guidelines The Finger service allows remote users to view the output equivalent to the show users [wide] command. When ip finger is configured, the router will respond to a telnet a.b.c.d finger command from a remote host by immediately displaying the output of the show users command and then closing the connection. When the ip finger rfc-compliant command is configured, the router will wait for input before displaying anything (as required by RFC 1288). The remote user can then enter the Return key to display the output of the show users EXEC command, or enter /W to display the output of the show users wide EXEC command. After this information is displayed, the connection is closed. Note As with all minor services, the Finger service should be disabled on your system if you do not have a need for it in your network. Note Any network device that has UDP, TCP, BOOTP, or Finger services should be protected by a firewall or have the services disabled to protect against Denial of Service attacks. Because of the potential for hung lines, the rfc-compliant form of this command should not be configured for devices with more than 20 simultaneous users.

Example: router(config)# no ip finger Misconceptions: none Related commands: service ip finger Sample Configurations: ! username student password 0 cisco memory-size iomem 25 clock timezone PST -8 clock summer-time zone recurring ip subnet-zero no ip source-route no ip finger ip tcp selective-ack ip tcp path-mtu-discovery no ip domain-lookup !

Command Name: Mode: Syntax: ip http server no ip http server Syntax Description:

no ip http server router(config)#

This command has no arguments or keywords. Command Description: To enable the Cisco Web browser UI on a router or access server, use the ip http server global configuration command. To disable this feature, use the no form of this command. Using the no form of this command can be useful for security. Example: router(config)#ip http server Misconceptions: none Related commands: none Sample Configurations: ! ip classless ip route 0.0.0.0 0.0.0.0 172.16.1.2 no ip http server !

Command Name: Mode: Syntax:

no ip mroute-cache router(config-if)#

ip mroute-cache [distributed] no ip mroute-cache [distributed] Syntax Description:


distributed (Optional) Enables MDS on the interface. In the case of RSP, this keyword is optional; if it is omitted, fast switching occurs. On the GSR, this keyword is required because the GSR does only distributed switching.

Command Description: To configure IP multicast fast switching or multicast distributed switching (MDS), use the ip mroute-cache command in interface configuration mode. To disable either of these features, use the no form of this command. Using the no form of this command can be useful for security. Example: router(config-if)#no ip mroute-cache Misconceptions: none Related commands: none Sample Configurations: interface FastEthernet0 ip address 192.168.1.2 255.255.255.0 ip access-group 102 in no ip redirects no ip unreachables no ip directed-broadcast no ip proxy-arp no ip route-cache no ip mroute-cache

Command Name: Mode: Syntax: ip proxy-arp no ip proxy-arp Syntax Description:

no ip proxy-arp router(config-if)#

This command has no arguments or keywords. Command Description: To enable proxy Address Resolution Protocol (ARP) on an interface, use the ip proxy-arp interface configuration command. To disable proxy ARP on the interface, use the no form of this command. Example: router(config-if)#no ip proxy-arp Misconceptions: none Related commands: none Sample Configurations: ! interface FastEthernet0 ip address 192.168.1.2 255.255.255.0 ip access-group 102 in no ip redirects no ip unreachables no ip directed-broadcast no ip proxy-arp no ip route-cache no ip mroute-cache !

Command Name: Mode: Syntax: ip redirects no ip redirects Syntax Description:

no ip redirects router(config-if)#

This command has no arguments or keywords. Command Description: To enable the sending of Internet Control Message Protocol (ICMP) redirect messages if the Cisco IOS software is forced to resend a packet through the same interface on which it was received, use the ip redirects interface configuration command. To disable the sending of redirect messages, use the no form of this command. Using the no form of this command can be useful for security. Example: router(config-if)#no ip redirects Misconceptions: none Related commands: none Sample Configurations: ! interface FastEthernet0 ip address 192.168.1.2 255.255.255.0 ip access-group 102 in no ip redirects no ip unreachables no ip directed-broadcast no ip proxy-arp no ip route-cache no ip mroute-cache !

Command Name: Mode: Syntax: ip source-route no ip source-route Syntax Description:

no ip source-route router(config)#

This command has no arguments or keywords. Command Description:

To allow the Cisco IOS software to handle IP datagrams with source routing header options, use the ip source-route global configuration command. To have the software discard any IP datagram containing a source-route option, use the no form of this command. Using the no form of this command can be useful for security. Example: router(config)#no ip source-route Misconceptions: none Related commands: none Sample Configurations: ! username student password 0 cisco memory-size iomem 25 clock timezone PST -8 clock summer-time zone recurring ip subnet-zero no ip source-route no ip finger ip tcp selective-ack ip tcp path-mtu-discovery no ip domain-lookup !

Command Name: Mode: Syntax:


ip unreachables no ip unreachables

no ip unreachables router(config-if)#

Syntax Description: This command has no arguments or keywords. Command Description: To enable the generation of Internet Control Message Protocol (ICMP) unreachable messages, use the ip unreachables interface configuration command. To disable this function, use the no form of this command. If the Cisco IOS software receives a nonbroadcast packet destined for itself that uses a protocol it does not recognize, it sends an ICMP unreachable message to the source. If the software receives a datagram that it cannot deliver to its ultimate destination because it knows of no route to the destination address, it replies to the originator of that datagram with an ICMP host unreachable message. This command affects all types of ICMP unreachable messages. Using the no form of this command can be useful for security. Example: router(config-if)#no ip unreachables Misconceptions: none Related commands: none Sample Configurations: ! interface FastEthernet0 ip address 192.168.1.2 255.255.255.0 ip access-group 102 in

no no no no no no !

ip ip ip ip ip ip

redirectsj unreachables directed-broadcast proxy-arp route-cache mroute-cache

Command Name: Mode: Syntax: service finger no service finger Syntax Description:

no service finger router(config)#

This command has no arguments or keywords. Command Description: The service finger command has been replaced by the ip finger command. However, the service finger and no service finger commands continue to function to maintain backward compatibility with older versions of Cisco IOS software. Support for this command may be removed in a future release. See the description of the ip finger command in this chapter for more information. Example: Misconceptions: none Related commands: ip finger Sample Configurations:

Command Name: Mode: Syntax:

no service tcp-small-servers router(config)#

service tcp-small-servers no service tcp-small-servers Syntax Description: This command has no arguments or keywords. Command Description: To access minor TCP/IP services available from hosts on the network, use the service tcp-smallservers global configuration command. To disable these services, use the no form of the command. Usage Guidelines By default, the TCP servers for Echo, Discard, Chargen, and Daytime services are disabled. When the minor TCP/IP servers are disabled, access to the Echo, Discard, Chargen, and Daytime ports cause the Cisco IOS software to send a TCP RESET packet to the sender and discard the original incoming packet. Example: router(config)#no service tcp-small-servers Misconceptions: none Related commands: none Sample Configurations: version xx.x service timestamps debug datetime msec service timestamps log datetime msec service password-encryption no service udp-small-servers no service tcp-small-servers

! hostname NAS !

Command Name: Mode: Syntax:

no service udp-small-servers router(config)#

service udp-small-servers no service udp-small-servers Syntax Description: This command has no arguments or keywords. Command Description: To access minor User Datagram Protocol (UDP) services available from hosts on the network, use the service udp-small-servers global configuration command. To disable these services, use the no form of this command. Usage Guidelines By default the UPD servers for Echo, Discard, and Chargen services are disabled. When the servers are disabled, access to Echo, Discard, and Chargen ports causes the Cisco IOS software to send an "ICMP port unreachable" message to the sender and discard the original incoming packet. Example: router(config)#no service udp-small-servers Misconceptions: none Related commands: none Sample Configurations: version xx.x service timestamps debug datetime msec service timestamps log datetime msec service password-encryption no service udp-small-servers no service tcp-small-servers

! hostname NAS !

Command Name: Mode: Syntax: no snmp-server Syntax Description:

no snmp-server router(config)#

This command has no arguments or keywords. Command Description: To disable Simple Network Management Protocol (SNMP) agent operation, use the no snmpserver global configuration command. This command disables all running versions of SNMP (SNMPv1, SNMPv2C, and SNMPv3) on the device. Example: router(config)# no snmp-server Misconceptions: none Related commands: none Sample Configurations:

Command Name: Mode: Syntax: ip ftp passive


no ip ftp passive

ip ftp passive router(config)#

Syntax Description: This command has no arguments or keywords. Command Description: To configure the router to use only passive File Transfer Protocol (FTP) connections, use the ip ftp passive global configuration command. To allow all types of FTP connections, use the no form of this command. Example: The following example configures the router to use only passive FTP connections: router(config)#ip ftp passive Misconceptions: none Related commands: ip ftp password ip ftp source-interface ip ftp username Sample Configurations:

Command Name: Mode: Syntax:

ip ftp password router(config)#

ip ftp password [type] password no ip ftp password Syntax Description:


type (Optional) Type of encryption to use on the password. A value of 0 disables encryption. A value of 7 indicates proprietary encryption.

password

Password to use for FTP connections.

Command Description: To specify the password to be used for File Transfer Protocol (FTP) connections, use the ip ftp password global configuration command. To return the password to its default, use the no form of this command. Example: The following example configures the router to use the username red and the password blue for FTP connections: router(config)#ip ftp username red router(config)#ip ftp password blue Misconceptions: none Related commands: ip ftp password ip ftp source-interface ip ftp username Sample Configurations: supposed

Command Name: Mode: Syntax:

ip ftp source-interface router(config)#

ip ftp source-interface interface no ip ftp source-interface Syntax Description:


interface The interface type and number to use to obtain the source address for FTP connections.

Command Description: To specify the source IP address for File Transfer Protocol (FTP) connections, use the ip ftp source-interface global configuration command. To use the address of the interface where the connection is made, use the no form of this command. Example: The following example configures the router to use the IP address associated with the Ethernet 0 interface as the source address on all FTP packets, regardless of which interface is actually used to send the packet: router(config)#ip ftp source-interface ethernet 0 Misconceptions: none Related commands: ip ftp passive ip ftp password ip ftp username Sample Configurations:

Command Name: Mode: Syntax:

ip ftp username router(config)#

ip ftp username username no ip ftp username Syntax Description:


username Username for FTP connections.

Command Description: To configure the username for File Transfer Protocol (FTP) connections, use the ip ftp username global configuration command. To configure the router to attempt anonymous FTP, use the no form of this command. The remote username must be associated with an account on the destination server. Example: In the following example, the router is configured to use the username "red" and the password "blue" for FTP connections: router(config)# ip ftp username red router(config)# ip ftp password blue Misconceptions: none Related commands: ip ftp passive ip ftp password ip ftp source-interface Sample Configurations: ! resource-pool disable dial-tdm-clock priority 1 trunk-slot 1 port 0 spe link-info poll voice 5

spe default-firmware spe-firmware-1 ip subnet-zero ip cef distributed ip ftp username mgcusr ip ftp password lab no ip domain lookup ip host colos_tftp 10.100.00.00 ip host brios 255.255.255.255 ip dhcp smart-relay !

Command Name: Mode: Syntax: tunnel checksum no tunnel checksum Syntax Description:

tunnel checksum router(config-if)#

This command has no arguments or keywords. Command Description: To enable encapsulator-to-decapsulator checksumming of packets on a tunnel interface, use the tunnel checksum interface configuration command. To disable checksumming, use the no form of this command. Usage Guidelines This command currently applies to generic route encapsulation (GRE) only. Some passenger protocols rely on media checksums to provide data integrity. By default, the tunnel does not guarantee packet integrity. By enabling end-to-end checksums, the routers will drop corrupted packets. Example: In the following example, all protocols will have encapsulator-to-decapsulator checksumming of packets on the tunnel interface: router(config-if)# tunnel checksum Misconceptions: none Related commands: none Sample Configurations: ! interface tunnel 0 novell network 1e appletalk cable-range 4001-4001 128

ip address 10.1.2.3. 255.255.255.0 DECnet cost 4 tunnel source ethernet 0 tunnel destination 131.108.14.12 tunnel mode gre tunnel checksum needed tunnel key 42 tunnel sequence-datagrams

Command Name: Mode: Syntax:

tunnel destination router(config-if)#

tunnel destination {hostname | ip-address} no tunnel destination Syntax Description:


hostname Name of the host destination.

ip-address

IP address of the host destination expressed in decimal in four-part, dotted notation.

Command Description: To specify the destination for a tunnel interface, use the tunnel destination interface configuration command. To remove the destination, use the no form of this command. Usage Guidelines You cannot have two tunnels using the same encapsulation mode with exactly the same source and destination address. The workaround is to create a loopback interface and source packets off of the loopback interface. Example: router(config-if)# tunnel destination 10.108.164.19 Misconceptions: none Related commands: tunnel mode tunnel source Sample Configurations: ! interface tunnel 0

novell network 1e appletalk cable-range 4001-4001 128 ip address 10.1.2.3. 255.255.255.0 DECnet cost 4 tunnel source ethernet 0 tunnel destination 131.108.14.12 tunnel mode gre tunnel checksum needed tunnel key 42 tunnel sequence-datagrams

Command Name: Mode: Syntax:

tunnel key router(config-if)#

tunnel key key-number no tunnel key Syntax Description:


key-number Number from 0 to 4,294,967,295 that identifies the tunnel key.

Command Description: To enable an ID key for a tunnel interface, use the tunnel key interface configuration command. To remove the ID key, use the no form of this command. Usage Guidelines This command currently applies to generic route encapsulation (GRE) only. Tunnel ID keys can be used as a form of weak security to prevent improper configuration or injection of packets from a foreign source. Note IP multicast traffic is not supported when a tunnel ID key is configured unless the traffic is process-switched. You must configure the no ip mroute-cache command in interface configuration mode on the interface if an ID key is configured. This note applies only to Cisco IOS Release 12.0 and earlier releases. Note When GRE is used, the ID key is carried in each packet. We do not recommend relying on this key for security purposes. Example: The following example sets the tunnel key to 3: router(config-if)# tunnel key 3 Misconceptions: none Related commands: none

Sample Configurations: ! interface tunnel 0 novell network 1e appletalk cable-range 4001-4001 128 ip address 10.1.2.3. 255.255.255.0 DECnet cost 4 tunnel source ethernet 0 tunnel destination 131.108.14.12 tunnel mode gre tunnel checksum needed tunnel key 42 tunnel sequence-datagrams

Command Name: Mode Syntax:

tunnel mode router(config-if)#

tunnel mode {aurp | cayman | dvmrp | eon | gre | ipip | iptalk | mpls | nos} no tunnel mode Syntax Description:
aurp AppleTalk Update Routing Protocol (AURP).

cayman

Cayman TunnelTalk AppleTalk encapsulation.

dvmrp

Distance Vector Multicast Routing Protocol.

eon

EON compatible CLNS tunnel.

gre

Generic route encapsulation (GRE) protocol. This is the default.

ipip

IP over IP encapsulation.

iptalk

Apple IPTalk encapsulation.

mpls

MPLS encapsulation.

nos

KA9Q/NOS compatible IP over IP.

Command Description: To set the encapsulation mode for the tunnel interface, use the tunnel mode interface configuration command. To restore the default, use the no form of this command. Usage Guidelines

You cannot have two tunnels using the same encapsulation mode with exactly the same source and destination address. The workaround is to create a loopback interface and source packets off of the loopback interface. Cayman tunneling implements tunneling as designed by Cayman Systems. This enables our routers to interoperate with Cayman GatorBoxes. With Cayman tunneling, you can establish tunnels between two routers or between our router and a GatorBox. When using Cayman tunneling, you must not configure the tunnel with an AppleTalk network address. This means that there is no way to ping the other end of the tunnel. Use DVMRP when a router connects to an mrouted router to run DVMRP over a tunnel.You must configure Protocol-Independent Multicast (PIM) and an IP address on a DVMRP tunnel. GRE (generic routing encapsulation) tunneling can be done between our routers only. When using GRE tunneling for AppleTalk, you configure the tunnel with an AppleTalk network address. This means that you can ping the other end of the tunnel. Example: router(config-if)# tunnel mode gre ip Misconceptions: none Related commands: tunnel destination tunnel source Sample Configurations: ! interface tunnel 0 novell network 1e appletalk cable-range 4001-4001 128 ip address 10.1.2.3. 255.255.255.0 DECnet cost 4 tunnel source ethernet 0 tunnel destination 131.108.14.12 tunnel mode gre ip tunnel checksum needed tunnel key 42 tunnel sequence-datagrams

Command Name: Mode: Syntax:

tunnel sequence-datagrams router(config-if)#

tunnel sequence-datagrams no tunnel sequence-datagrams Syntax Description: This command has no arguments or keywords. Command Description: To configure a tunnel interface to drop datagrams that arrive out of order, use the tunnel sequence-datagrams interface configuration command. To disable this function, use the no form of this command. Usage Guidelines This command currently applies to generic route encapsulation (GRE) only. This command is useful when carrying passenger protocols that behave poorly when they receive packets out of order (for example, LLC2-based protocols). Example: The following example configures the tunnel to drop datagrams that arrive out of order: router(config-if)# tunnel sequence-datagrams Misconceptions: none Related commands: none Sample Configurations: ! interface tunnel 0 novell network 1e appletalk cable-range 4001-4001 128 ip address 10.1.2.3. 255.255.255.0 DECnet cost 4

tunnel tunnel tunnel tunnel tunnel tunnel

source ethernet 0 destination 131.108.14.12 mode gre checksum needed key 42 sequence-datagrams

Command Name: Mode: Syntax:

tunnel source router(config-if)#

tunnel source {ip-address | type number} no tunnel source Syntax Description:


ipaddress IP address to use as the source address for packets in the tunnel.

type

Interface type.

number

Specifies the port, connector, or interface card number. The numbers are assigned at the factory at the time of installation or when added to a system and can be displayed with the show interfaces command.

Command Description: To set source address for a tunnel interface, use the tunnel source interface configuration command. To remove the source address, use the no form of this command. Usage Guidelines Encapsulation Mode Two tunnels cannot use the same encapsulation mode with exactly the same source and destination address. The workaround is to create a loopback interface and source packets off of the loopback interface. IP Addresses The IP address specified as the source address must be an address of an interface on the router. When using tunnels to Cayman boxes, you must set the tunnel source command to an explicit IP address on the same subnet as the Cayman box, not the tunnel itself. Example: router(config-if)# tunnel source ethernet0

Misconceptions: none Related commands: tunnel destination Sample Configurations: ! interface tunnel 0 novell network 1e appletalk cable-range 4001-4001 128 ip address 10.1.2.3. 255.255.255.0 DECnet cost 4 tunnel source ethernet 0 tunnel destination 131.108.14.12 tunnel mode gre tunnel checksum needed tunnel key 42 tunnel sequence-datagrams

Command Name: Mode: Syntax:

tunnel udlr receive-only router(config-if)#

tunnel udlr receive-only type number no tunnel udlr receive-only type number Syntax Description:
type number Interface type and number. The type and number arguments must match the unidirectional send-only interface type and number specified by the interface command. Thus, when packets are received over the tunnel, the upper layer protocols will treat the packets as if they are received over the unidirectional send-only interface.

Command Description: To configure a unidirectional, generic routing encapsulation (GRE) tunnel to act as a back channel that can receive messages, when another interface is configured for unidirectional link routing (UDLR) to send messages, use the tunnel udlr receive-only command in interface configuration mode. To remove the tunnel, use the no form of this command. Usage Guidelines Use this command to configure a router that has a unidirectional interface with send-only capabilities. One example of when you might configure this command is if you have traffic traveling via a satellite. The type and number arguments must match the send-only interface type and number specified by the interface command. You must configure the tunnel udlr send-only command at the opposite end of the tunnel. If you have a large number of receivers, you should configure UDLR by an alternative means: Internet Group Management Protocol (IGMP) UDLR. See the description of the ip igmp unidirectional-link command earlier in this chapter. Example: router(config-if)# tunnel udlr receive-only serial 0 Misconceptions: none

Related commands: interface interface tunnel tunnel udlr send-only Sample Configurations: ip multicast-routing ! interface serial 0 encapsulation hdlc ip address 10.1.0.1 255.255.0.0 ip pim sparse-dense-mode ! interface tunnel 0 tunnel source ethernet 0 tunnel destination tunnel udlr receive-only serial 0 ! router ospf network 10.0.0.0 0.255.255.255 area 0

Command Name: Mode: Syntax:

tunnel udlr send-only router(conifig-if)#

tunnel udlr send-only type number no tunnel udlr send-only type number Syntax Description:
type number Interface type and number. The type and number arguments must match the unidirectional receive-only interface type and number specified by the interface command. Thus, when packets are sent by upper layer protocols over the interface, they will be redirected and sent over this GRE tunnel.

Command Description: To configure a unidirectional, generic routing encapsulation (GRE) tunnel to act as a back channel that can send messages, when another interface is configured for unidirectional link routing (UDLR) to receive messages, use the tunnel udlr send-only command in interface configuration mode. To remove the tunnel, use the no form of this command. Usage Guidelines Use this command to configure a router that has a unidirectional interface with receive-only capabilities. The UDLR tunnel will act as a back channel. One example of when you might configure this command is if you have traffic traveling via a satellite. The type and number arguments must match the receive-only interface type and number specified by the interface command. You must configure the tunnel udlr receive-only command at the opposite end of the tunnel. Example: router(config-if)# tunnel udlr send-only serial 1 Misconceptions: none Related commands: interface interface tunnel

tunnel udlr receive-only Sample Configurations: ip multicast-routing ! ! Serial1 has receive-only capability ! interface serial 1 encapsulation hdlc ip address 10.1.0.2 255.255.0.0 ip pim sparse-dense-mode ! ! Configure tunnel as send-only UDLR tunnel. ! interface tunnel 0 tunnel source ethernet 0 tunnel destination tunnel udlr send-only serial 1

Command Name: Mode: Syntax:

clear ip audit configuration router#

clear ip audit configuration Syntax Description: This command has no arguments or keywords. Command Description: To disable Cisco IOS Firewall IDS, remove all intrusion detection configuration entries, and release dynamic resources, use the clear ip audit configuration privileged EXEC command. Usage Guidelines Use the clear ip audit configuration privileged EXEC command to disable Cisco IOS Firewall IDS, remove all intrusion detection configuration entries, and release dynamic resources. Example: The following example clears the existing IP audit configuration: router#clear ip audit configuration Misconceptions: none Related commands: clear ip audit statistics Sample Configurations:

Command Name: Mode: Syntax:

clear ip audit statistics router#

clear ip audit statistics

Syntax Description: This command has no arguments or keywords. Command Description: To reset statistics on packets analyzed and alarms sent, use the clear ip audit statistics privileged EXEC command. Example: The following example clears all IP audit statistics: router#clear ip audit statistics Misconceptions: none Related commands: clear ip audit configuration Sample Configurations:

Command Name: Mode: Syntax:

debug ip audit router#

debug ip audit {timers | object-creation | object-deletion | function trace | detailed | ftp-cmd | ftp-token | icmp | ip | rpc | smtp | tcp | tftp | udp} no debug ip audit {timers | object-creation | object-deletion | function trace | detailed | ftp-cmd | ftp-token | icmp | ip | rpc | smtp | tcp | tftp | udp} Syntax Description:
detailed

Audit Detailed debug records

ftp-cmd

Audit FTP commands and responses

ftp-token

Audit FTP tokens

function-trace

Audit function trace

icmp

Audit ICMP packets

ip

Audit IP packets

object-creation

Audit Object Creations

object-deletion

Audit Object Deletions

rpc

Audit RPC

smtp

Audit SMTP
Audit TCP

tcp

tftp

Audit TFTP

timers

Audit Timer related events

udp

Audit UDP

Command Description: To display the integrated Intrusion Detection System (IDS) configuration features information on the router use the debug ip audit in privileged EXEC mode. Use the no form of the command to disable debugging for a given option. Example: Router# debug ip audit timers Router# debug ip audit object-creation Router# debug ip audit object-deletion Router# debug ip audit function trace Router# debug ip audit detailed Router# debug ip audit ftp-cmd Router# debug ip audit ftp-token Router# debug ip audit icmp Router# debug ip audit ip Router# debug ip audit rpc Router# debug ip audit smtp Router# debug ip audit tcp

Router# debug ip audit tftp Router# debug ip audit udp Misconceptions: none Related commands: none Sample Configurations:

Command Name: Mode: Syntax:

ip audit attack router(config)#

audit attack {action [alarm] [drop] [reset]} no ip audit attack Syntax Description:
action Specifies an action for the attack signature to take in response to a match.

alarm

(Optional) Sends an alarm to the console, NetRanger Director, or to a syslog server. Used with the action keyword.

drop

(Optional) Drops the packet. Used with the action keyword.

reset

(Optional) Resets the TCP session. Used with the action keyword.

Command Description: To specify the default actions for attack signatures, use the ip audit attack global configuration command. To set the default action for attack signatures, use the no form of this command. Example: In the following example, the default action for attack signatures is set to all three actions: router(config)#ip audit attack action alarm drop reset Misconceptions: none Related commands: none Sample Configurations:

Command Name: Mode: Syntax:

ip audit info router(config)#

ip audit info {action [alarm] [drop] [reset]} no ip audit info Syntax Description:
action Sets an action for the info signature to take in response to a match.

alarm

(Optional) Sends an alarm to the console, NetRanger Director, or to a syslog server. Used with the action keyword.

drop

(Optional) Drops the packet. Used with the action keyword.

reset

(Optional) Resets the TCP session. Used with the action keyword.

Command Description: To specify the default actions for info signatures, use the ip audit info global configuration command. To set the default action for info signatures, use the no form of this command. Example: In the following example, the default action for info signatures is set to all three actions: router(config)#ip audit info action alarm drop reset Misconceptions: none Related commands: none Sample Configurations:

Command Name: Mode: Syntax:

ip audit name router(config)#

ip audit name audit-name {info | attack} [list standard-acl] [action [alarm] [drop] [reset]] no ip audit name audit-name {info | attack} Syntax Description:
audit-name Name for an audit specification.

info

Specifies that the audit rule is for info signatures.

attack

Specifies that the audit rule is for attack signatures.

list

(Optional) Specifies an ACL to attach to the audit rule.

standardacl

(Optional) Integer representing an access control list. Use with the list keyword.

action

(Optional) Specifies an action or actions to take in response to a match.

alarm

(Optional) Sends an alarm to the console, NetRanger Director, or to a syslog server. Use with the action keyword.

drop

(Optional) Drops the packet. Use with the action keyword.

reset

(Optional) Resets the TCP session. Use with the action keyword.

Command Description: To create audit rules for info and attack signature types, use the ip audit name global configuration command. To delete an audit rule, use the no form of this command.

Example: In the following example, an audit rule called INFO.2 is created, and configured with all three actions: router(config)#ip audit name INFO.2 info action alarm drop reset In the following example, an info signature is disabled and an audit rule called INFO.3 is created: router(config)#ip audit signature 1000 disable router(config)#ip audit name INFO.3 info action alarm drop reset In the following example, an audit rule called ATTACK.2 is created with an attached ACL 91, and the ACL is created: router(config)#ip audit name ATTACK.2 list 91 router(config)#access-list 91 deny 10.1.0.0 0.0.255.255 router(config)#access-list 91 permit any Misconceptions: none Related commands: none Sample Configurations: ip audit smtp spam 25 ip audit notify nr-director ip audit notify log ip audit po local hostid 55 orgid 123 ip audit po remote hostid 14 orgid 123 rmtaddress 10.1.1.99 localaddress 10.1.1.1 ip audit po remote hostid 15 orgid 123 rmtaddress 10.1.2.99 localaddress 10.1.1.1 ip audit name AUDIT.1 info action alarm ip audit name AUDIT.1 attack action alarm drop reset interface e0 ip address 10.1.1.1 255.0.0.0 ip audit AUDIT.1 in interface e1 ip address 172.16.57.1 255.255.255.0 ip audit AUDIT.1 in

Command Name: Mode: Syntax:

ip audit notify router(config)#

ip audit notify {nr-director | log} no ip audit notify {nr-director | log} Syntax Description:
nr-director Send messages in NetRanger format to the NetRanger Director or Sensor.

log

Send messages in syslog format.

Command Description: To specify the method of event notification, use the ip audit notify global configuration command. To disable event notifications, use the no form of this command. Usage Guidelines If messages are sent to the NetRanger Director, then you must also configure the NetRanger Director's Post Office transport parameters using the ip audit po remote command. Example: In the following example, event notifications are specified to be sent in NetRanger format: router(config)#ip audit notify nr-director Misconceptions: none Related commands: ip audit po local ip audit po remote Sample Configurations: ip audit smtp spam 25 ip audit notify nr-director

ip audit notify log ip audit po local hostid 55 orgid 123 ip audit po remote hostid 14 orgid 123 rmtaddress 10.1.1.99 localaddress 10.1.1.1 ip audit po remote hostid 15 orgid 123 rmtaddress 10.1.2.99 localaddress 10.1.1.1 ip audit name AUDIT.1 info action alarm ip audit name AUDIT.1 attack action alarm drop reset interface e0 ip address 10.1.1.1 255.0.0.0 ip audit AUDIT.1 in interface e1 ip address 172.16.57.1 255.255.255.0 ip audit AUDIT.1 in

Command Name: Mode: Syntax:

ip audit po local router(config)#

ip audit po local hostid id-number orgid id-number no ip audit po local [hostid id-number orgid id-number] Syntax Description:
hostid Specifies a NetRanger host ID.

id-number (hostid)

Unique integer in the range 1-65535 used in NetRanger communications to identify the local host. Use with the hostid keyword.

orgid

Specifies a NetRanger organization ID.

id-number (orgid)

Unique integer in the range 1-65535 used in NetRanger communications to identify the group to which the local host belongs. Use with the orgid keyword.

Command Description: To specify the local Post Office parameters used when sending event notifications to the NetRanger Director, use the ip audit po local global configuration command. To set the local Post Office parameters to their default settings, use the no form of this command. Usage Guidelines Use the ip audit po local global configuration command to specify the local Post Office parameters used when sending event notifications to the NetRanger Director. Example: In the following example, the local host is assigned a host ID of 10 and an organization ID of 500: router(config)#ip audit po local hostid 10 orgid 500 Misconceptions: none

Related commands: none Sample Configurations: ip audit smtp spam 25 ip audit notify nr-director ip audit notify log ip audit po local hostid 55 orgid 123 ip audit po remote hostid 14 orgid 123 rmtaddress 10.1.1.99 localaddress 10.1.1.1 ip audit po remote hostid 15 orgid 123 rmtaddress 10.1.2.99 localaddress 10.1.1.1 ip audit name AUDIT.1 info action alarm ip audit name AUDIT.1 attack action alarm drop reset interface e0 ip address 10.1.1.1 255.0.0.0 ip audit AUDIT.1 in interface e1 ip address 172.16.57.1 255.255.255.0 ip audit AUDIT.1 in

Command Name: Mode: Syntax:

ip audit po max-events router(config)#

ip audit po max-events number-of-events no ip audit po max-events Syntax Description:


number-ofevents Integer in the range from 1 to 65535 that designates the maximum number of events allowable in the event queue. The default is 100 events.

Command Description: To specify the maximum number of event notifications that are placed in the router's event queue, use the ip audit po max-events global configuration command. To set the number of recipients to the default setting, use the no version of this command. Usage Guidelines Raising the number of events past 100 may cause memory and performance impacts because each event in the event queue requires 32 KB of memory. Example: In the following example, the number of events in the event queue is set to 250: router(config)#ip audit po max-events 250 Misconceptions: none Related commands: none Sample Configurations: ! ip audit notify log ip audit po max-events 100 !

Command Name: Mode: Syntax:

ip audit po protected router(config)#

ip audit po protected ip-addr [to ip-addr] no ip audit po protected [ip-addr] Syntax Description:
to (Optional) Specifies a range of IP addresses.

ip-addr

IP address of a network host.

Command Description: To specify whether an address is on a protected network, use the ip audit po protected global configuration command. To remove network addresses from the protected network list, use the no form of this command. If you specify an IP address for removal, that address is removed from the list. If you do not specify an address, then all IP addresses are removed from the list. Usage Guidelines You can enter a single address at a time or a range of addresses at a time. You can also make as many entries to the protected networks list as you want. When an attack is detected, the corresponding event contains a flag that denotes whether the source and/or destination of the packet belongs to a protected network or not. Example:

In the following example, a range of addresses is added to the protected network list: router(config)#ip audit po protected 10.1.1.0 to 10.1.1.255 In the following example, three individual addresses are added to the protected network list: router(config)#ip audit po protected 10.4.1.1 router(config)#ip audit po protected 10.4.1.8 router(config)#ip audit po protected 10.4.1.25 In the following example, an address is removed from the protected network list: router(config)#no ip audit po protected 10.4.1.1

Misconceptions: If no addresses are defined as protected, then all addresses are considered outside the protected network. Related commands: none Sample Configurations:

Command Name: Mode: Syntax:

ip audit po remote router(config)#

ip audit po remote hostid host-id orgid org-id rmtaddress ipaddress localaddress ip-address [port port-number] [preference preference-number] [timeout seconds] [application {director | logger}] no ip audit po remote hostid host-id orgid org-id rmtaddress ipaddress Syntax Description:
host-id Unique integer in the range from 1 to 65535 used in NetRanger communications to identify the local host. Use with the hostid keyword.

hostid

Specifies a NetRanger host ID.

org-id

Unique integer in the range from 1 to 65535 used in NetRanger communications to identify the group in which the local host belongs. Use with the orgid keyword.

orgid

Specifies a NetRanger organization ID.

rmtaddress

Specifies the IP address of the NetRanger Director.

localaddress

Specifies the IP address of the Cisco IOS Firewall IDS router.

ip-address

IP address of the NetRanger Director or Cisco IOS Firewall IDS router's interface. Use with the rmtaddress and localaddress keywords.

port-number

(Optional) Integer representing the UDP port on which the NetRanger Director is listening for event notifications. Use with the port keyword.

port

(Optional) Specifies a User Datagram Protocol port through which to send messages.

preference

(Optional) Specifies a route preference for communication.

preferencenumber

(Optional) Integer representing the relative priority of a route to a NetRanger Director, if more than one route exists. Use with the preference keyword.

seconds

(Optional) Integer representing the heartbeat timeout value for Post Office communications. Use with the timeout keyword.

timeout

(Optional) Specifies a timeout value for Post Office communications.

application

(Optional) Specifies the type of application that is receiving the Cisco IOS Firewall IDS messages.

director

(Optional) Specifies that the receiving application is the NetRanger Director interface.

logger

(Optional) Specifies that the receiving application is a NetRanger Sensor.

Command Description: To specify one or more set of Post Office parameters for NetRanger Directors receiving event notifications from the router, use the ip audit po remote global configuration command. To remove a NetRanger Director's Post Office parameters as defined by host ID, organization ID, and IP address, use the no form of this command. Usage Guidelines A router can report to more than one NetRanger Director. In this case, use the ip audit po remote command to add each NetRanger Director to which the router sends notifications. More than one route can be established to the same NetRanger Director. In this case, you must give each route a preference number that establishes the relative priority of routes. The router always attempts to use the lowest numbered route, switching automatically to the next higher number when a route fails, and then switching back when the route begins functioning again. A router can also report to a NetRanger Sensor. In this case, use the ip audit po remote command and specify logger as the application. Example:

In the following example, two communication routes for the same dual-homed NetRanger Director are defined: router(config)#ip audit po remote hostid 30 orgid 500 rmtaddress 10.1.99.100 localaddress 10.1.99.1 preference 1 router(config)#ip audit po remote hostid 30 orgid 500 rmtaddress 10.1.4.30 localaddress 10.1.4.1 preference 2 The router uses the first entry to establish communication with the NetRanger Director defined with host ID 30 and organization ID 500. If this route fails, then the router will switch to the secondary communications route. As soon as the first route begins functioning again, the router switches back to the primary route and closes the secondary route. In the following example, a different Director is assigned a longer heartbeat timeout value because of network congestion, and is designated as a logger application: router(config)#ip audit po remote hostid 70 orgid 500 rmtaddress 10.1.8.1 localaddress 10.1.8.100 timeout 10 application director Misconceptions: none Related commands: none Sample Configurations: ip audit smtp spam 25 ip audit notify nr-director ip audit notify log ip audit po local hostid 55 orgid 123 ip audit po remote hostid 14 orgid 123 rmtaddress 10.1.1.99 localaddress 10.1.1.1 ip audit po remote hostid 15 orgid 123 rmtaddress 10.1.2.99 localaddress 10.1.1.1 ip audit name AUDIT.1 info action alarm ip audit name AUDIT.1 attack action alarm drop reset interface e0 ip address 10.1.1.1 255.0.0.0 ip audit AUDIT.1 in interface e1 ip address 172.16.57.1 255.255.255.0 ip audit AUDIT.1 in

Command Name: Mode: Syntax:

ip audit signature router(config)#

ip audit signature signature-id {disable | list acl-list} no ip audit signature signature-id Syntax Description:
signatureid Unique integer specifying a signature as defined in the NetRanger Network Security Database.

disable

Disables the ACL associated with the signature.

list

Specifies an ACL to associate with the signature.

acl-list

Unique integer specifying a configured ACL on the router. Use with the list keyword.

Command Description: To attach a policy to a signature, use the ip audit signature global configuration command. You can set two policies: disable a signature or qualify the audit of a signature with an access list. To remove the policy, use the no form of this command. If the policy disabled a signature, then the no form of this command reenables the signature. If the policy attached an access list to the signature, the no form of this command removes the access list. Usage Guidelines This command is mostly used to disable the auditing of a signature or to exclude some hosts or network segments from being audited. If you are attaching an access control list to a signature, then you also need to create an audit rule with the ip audit name command and apply it to an interface with the ip audit command. Example: In the following example, a signature is disabled, another signature has ACL 99 attached to it, and ACL 99 is defined: router(config)#ip audit signature 6150 disable

router(config)#ip audit signature 1000 list 99 router(config)#access-list 99 deny 10.1.10.0 0.0.0.255 router(config)#access-list 99 permit any Misconceptions: none Related commands: none Sample Configurations: ip audit smtp spam 25 ip audit notify nr-director ip audit notify log ip audit po local hostid 55 orgid 123 ip audit po remote hostid 14 orgid 123 rmtaddress 10.1.1.99 localaddress 10.1.1.1 ip audit po remote hostid 15 orgid 123 rmtaddress 10.1.2.99 localaddress 10.1.1.1 ip audit signature 1234 disable ip audit name AUDIT.1 info list 90 action alarm ip audit name AUDIT.1 attack list 90 action alarm drop reset interface e0 ip address 10.1.1.1 255.0.0.0 ip audit AUDIT.1 in interface e1 ip address 172.16.57.1 255.255.255.0 ip audit AUDIT.1 in access-list 90 deny 172.16.59.16 access-list 90 permit any

Command Name: Mode: Syntax:

ip audit smtp router(config)#

ip audit smtp spam number-of-recipients no ip audit smtp spam Syntax Description:


spam Specifies a threshold beyond which the Cisco IOS Firewall IDS alarms on spam e-mail.

number-ofrecipients

Integer in the range of 1-65535 that designates the maximum number of recipients in a mail message before a spam attack is suspected. Use with the spam keyword. The default is 250 recipients.

Command Description: To specify the number of recipients in a mail message over which a spam attack is suspected, use the ip audit smtp global configuration command. To set the number of recipients to the default setting, use the no form of this command. Example: In the following example, the number of recipients is set to 300: router(config)#ip audit smtp spam 300 Misconceptions: none Related commands: none Sample Configurations: ip ip ip ip audit audit audit audit smtp spam 25 notify nr-director notify log po local hostid 55 orgid 123

ip audit po remote hostid 14 orgid 123 rmtaddress 10.1.1.99 localaddress 10.1.1.1 ip audit po remote hostid 15 orgid 123 rmtaddress 10.1.2.99 localaddress 10.1.1.1 ip audit name AUDIT.1 info action alarm ip audit name AUDIT.1 attack action alarm drop reset interface e0 ip address 10.1.1.1 255.0.0.0 ip audit AUDIT.1 in interface e1 ip address 172.16.57.1 255.255.255.0 ip audit AUDIT.1 in

Command Name: Mode: Syntax:

ip audit router(config-if)#

ip audit audit-name {in | out} no ip audit audit-name {in | out} Syntax Description:
audit-name Name of an audit specification.

in

Inbound traffic.

out

Outbound traffic.

Command Description: To apply an audit specification created with the ip audit command to a specific interface and for a specific direction, use the ip audit interface configuration command. To disable auditing of the interface for the specified direction, use the no version of this command. Example:

In the following example, the audit specification MARCUS is applied to an interface and direction: router(config)#interface e0 router(config-if)#ip audit MARCUS in In the following example, the audit specification MARCUS is removed from the interface on which it was previously added: router(config)#interface e0 router(config-if)#no ip audit MARCUS in Misconceptions: none Related commands:

none Sample Configurations: ip audit smtp spam 25 ip audit notify nr-director ip audit notify log ip audit po local hostid 55 orgid 123 ip audit po remote hostid 14 orgid 123 rmtaddress 10.1.1.99 localaddress 10.1.1.1 ip audit po remote hostid 15 orgid 123 rmtaddress 10.1.2.99 localaddress 10.1.1.1 ip audit name AUDIT.1 info action alarm ip audit name AUDIT.1 attack action alarm drop reset interface e0 ip address 10.1.1.1 255.0.0.0 ip audit AUDIT.1 in interface e1 ip address 172.16.57.1 255.255.255.0 ip audit AUDIT.1 in

Command Name: Mode: Syntax:

show ip audit configuration router>

show ip audit configuration Syntax Description: This command has no argument or keywords. Command Description: To display additional configuration information, including default values that may not be displayed using the show run command, use the show ip audit configuration EXEC command. Example: router>show ip audit configuration Misconceptions: none Related commands: clear ip audit statistics Sample Configurations: router>show ip audit configuration Event notification through syslog is enabled Event notification through Net Director is enabled Default action(s) for info signatures is alarm Default action(s) for attack signatures is alarm Default threshold of recipients for spam signature is 25 PostOffice:HostID:5 OrgID:100 Addr:10.2.7.3 Msg dropped:0 HID:1000 OID:100 S:218 A:3 H:14092 HA:7118 DA:0 R:0 CID:1 IP:172.21.160.20 P:45000 S:ESTAB (Curr Conn) Audit Rule Configuration Audit name AUDIT.1 info actions alarm

Command Name: Mode: Syntax:

show ip audit interface router>

show ip audit interface Syntax Description: This command has no arguments or keywords. Command Description: To display the interface configuration, use the show ip audit interface EXEC command. Example: router>show ip audit interface Misconceptions: none Related commands: none Sample Configurations: router>show ip audit interface Interface Configuration Interface Ethernet0 Inbound IDS audit rule is AUDIT.1 info actions alarm Outgoing IDS audit rule is not set Interface Ethernet1 Inbound IDS audit rule is AUDIT.1 info actions alarm Outgoing IDS audit rule is AUDIT.1 info actions alarm

Command Name: Mode: Syntax:

show ip audit statistics router>

show ip audit statistics Syntax Description: This command has no arguments or keywords. Command Description: To display the number of packets audited and the number of alarms sent, among other information, use the show ip audit statistics EXEC command. Example: router> show ip audit statistics Misconceptions: none Related commands: clear ip audit statistics Sample Configurations: router> show ip audit statistics Signature audit statistics [process switch:fast switch] signature 2000 packets audited: [0:2] signature 2001 packets audited: [9:9] signature 2004 packets audited: [0:2] signature 3151 packets audited: [0:12] Interfaces configured for audit 2 Session creations since subsystem startup or last reset 11 Current session counts (estab/half-open/terminating) [0:0:0] Maxever session counts (estab/half-open/terminating) [2:1:0] Last session created 19:18:27 Last statistic reset never HID:1000 OID:100 S:218 A:3 H:14085 HA:7114 DA:0 R:0

Command Name: Mode: Syntax:

certificate router(config-cert-chain)#

certificate certificate-serial-number no certificate certificate-serial-number Syntax Description:


certificate-serial-number Serial number of the certificate to add or delete.

Command Description: To manually add certificates, use the certificate command in certificate chain configuration mode. To delete your router's certificate or any registration authority certificates stored on your router, use the no form of this command. Usage Guidelines You could use this command to manually specify a certificate. However, this command is rarely used in this manner. Instead, this command is usually used only to add or delete certificates. Example: The following example deletes the router's certificate. In this example, the router had a general purpose RSA key pair with one corresponding certificate. The show command is used in this example to determine the serial number of the certificate to be deleted. myrouter# show crypto ca certificates Certificate Subject Name Name: myrouter.example.com IP Address: 10.0.0.1 Status: Available Certificate Serial Number: 0123456789ABCDEF0123456789ABCDEF Key Usage: General Purpose CA Certificate Status: Available Certificate Serial Number: 3051DF7123BEE31B8341DFE4B3A338E5F Key Usage: Not Set myrouter# configure terminal myrouter(config)# crypto ca certificate chain myca

myrouter(config-cert-chain)# no certificate 0123456789ABCDEF0123456789ABCDEF % Are you sure you want to remove the certificate [yes/no]? yes % Be sure to ask the CA administrator to revoke this certificate. myrouter(config-cert-chain)# exit myrouter(config)# Misconceptions: none Related commands: crypto ca certificate chain Sample Configurations: The following example shows how to configure the router to autoenroll with a CA on start-up: crypto ca trustpoint frog enrollment url http://frog.phoobin.com/ subject-name OU=Spiral Dept., O=tiedye.com ip-address ethernet-0 auto-enroll regenerate password revokeme rsa-key frog 2048 ! crypto ca certificate chain frog certificate ca 0B 30820293 3082023D A0030201 0202010B 300D0609 04050030 79310B30 09060355 04061302 5553310B 30090603 15301306 0355040A 130C4369 73636F20 53797374 656D3120 17737562 6F726420 746F206B 6168756C 75692049 50495355 03131B79 6E692D75 31302043 65727469 66696361 7465204D 170D3030 30373134 32303536 32355A17 0D303130 37313430 310E300C 06035504 0A130543 6973636F 3120301E 06092A86 11706B69 2D343562 2E636973 636F2E63 6F6D305C 300D0609 01050003

2A864886 F70D0101 55040813 02434131 301E0603 55040B13 31243022 06035504 616E6167 6572301E 31323834 335A3032 4886F70D 01090216 2A864886 F70D0101

4B003048 B5A422C4 15E947F6 01EF7DD2 6C136AEB 02052030 1C060355 6D301D06 03551D0E 301F0603 551D2304 73308185 0603551D 13054369 73636F31 69636174 65204D61 73636F31 24302206 65204D61 6E616765 696697DF E887007F 5737246B 0A25550A quit

024100B3 0512A201 3B4243E1 378A9703 8AC5E3CE F77AF987 70997393 70CF34D6 63A86B9C 4347A81A 0551FC02 ABA62360 3C6C3902 03010001 A381F630 81F3300B 0603551D 0F040403 1D110415 30138211 706B692D 3435622E 63697363 6F2E636F 04160414 247D9558 169B9A21 23D289CC 2DDA2A9A 4F77C616 18301680 14BD742C E892E819 1D551D91 683F6DB2 D8847A6C 1F047E30 7C307AA0 3CA03AA4 38303631 0E300C06 0355040A 24302206 03550403 131B796E 692D7531 30204365 72746966 6E616765 72A23AA4 38303631 0E300C06 0355040A 13054369 03550403 131B796E 692D7531 30204365 72746966 69636174 72300D06 092A8648 86F70D01 01040500 03410015 BC7CECF9 7A8DA24F 1ED5A785 C5C60452 47860061 0C18093D 08958A77 25910E27 8B8B428E 32F8D948 3DD1784F 954C70

Command Name: Mode: Syntax: crl optional no crl optional Syntax Description:

crl optional router(ca-identity)#

This command has no arguments or keywords. Command Description: To allow other peers' certificates to still be accepted by your router even if the appropriate certificate revocation list (CRL) is not accessible to your router, use the crl optional command in ca-identity configuration mode. To return to the default behavior in which CRL checking is mandatory before your router can accept a certificate, use the no form of this command. Usage Guidelines When your router receives a certificate from a peer, it will download a certificate revocation list (CRL) from either the CA or a CRL distribution point as designated in the peer's certificate. Your router then checks the CRL to make sure the certificate the peer sent has not been revoked. (If the certificate appears on the CRL, your router will not accept the certificate and will not authenticate the peer.) With CA systems that support registration authorities (RAs), multiple CRLs exist. The peer's certificate will indicate which CRL applies and should be downloaded by your router. If your router does not have the applicable CRL and is unable to obtain one, your router will reject the peer's certificateunless you include the crl optional command in your configuration. If you use the crl optional command, your router will still try to obtain a CRL, but if it cannot obtain a CRL it can accept the peer's certificate anyway. When your router receives additional certificates from peers, your router will continue to attempt to download the appropriate CRL, even if it was previously unsuccessful, and even if the crl optional command is enabled. The crl optional command only specifies that when the router cannot obtain the CRL, the router is not forced to reject a peer's certificate outright. Example: router(ca-identity)#crl optional Misconceptions:

none Related commands: crypto ca identity Sample Configurations: crypto ca identity myca enrollment url http://ca_server enrollment retry-period 20 enrollment retry-count 100 crl optional

Command Name: Mode: Syntax:

crl query router(ca-root)#

crl query ldap-url no crl query ldap-url Syntax Description:


ldap-url Specifies the LDAP URL published by the configured root; for example, ldap://another_server.

Command Description: To query the certificate revocation list (CRL) published by the configured root with the Lightweight Directory Access Protocol (LDAP) URL, use the crl query trusted root configuration command. To remove the crl query LDAP URL, use the no form of this command. Usage Guidelines Use this command to query the CRL published by the configured trusted root. You should check the CRL to ensure that the certificate of the peer has not been revoked. Note The URL used to query the CRL must be an LDAP URL. Note After you enter this command, an entry is created in the router for the root subject-name command. The entry is based on information contained in the router. Example: router(ca-root)#crl query ldap://ciscoca-ultra Misconceptions: none Related commands: crl optional crypto ca identity crypto ca trusted-root root CEP root PROXY

root TFTP Sample Configurations:


crypto ca trusted-root netscape root CEP http://ciscoca-ultra:80 crl query ldap://ciscoca-ultra

Command Name: Mode: Syntax:

crypto ca authenticate router(config)#

crypto ca authenticate name Syntax Description:


name Specifies the name of the CA. This is the same name used when the CA was declared with the crypto ca identity command.

Command Description: To authenticate the certification authority (by getting the CA's certificate), use the crypto ca authenticate command in global configuration mode. Usage Guidelines This command is required when you initially configure CA support at your router. This command authenticates the CA to your router by obtaining the CA's self-signed certificate which contains the CA's public key. Because the CA signs its own certificate, you should manually authenticate the CA's public key by contacting the CA administrator when you perform this command. If you are using RA mode (using the enrollment mode ra command) when you issue the crypto ca authenticate command, then registration authority signing and encryption certificates will be returned from the CA as well as the CA certificate. This command is not saved to the router configuration. However, the public keys embedded in the received CA (and RA) certificates are saved to the configuration as part of the RSA public key record (called the "RSA public key chain"). If the CA does not respond by a timeout period after this command is issued, the terminal control will be returned so it will not be tied up. If this happens, you must re-enter the command. Example: In the following example, the router requests the CA's certificate. The CA sends its certificate and the router prompts the administrator to verify the CA's certificate by checking the CA certificate's fingerprint. The CA administrator can also view the CA certificate's fingerprint, so you should compare what the CA administrator sees to what the router displays on the screen. If

the fingerprint on the router's screen matches the fingerprint viewed by the CA administrator, you should accept the certificate as valid. router(config)#crypto ca authenticate myca Certificate has the following attributes: Fingerprint: 0123 4567 89AB CDEF 0123 Do you accept this certificate? [yes/no] y# Misconceptions: none Related commands: crypto ca identity debug crypto pki transactions show crypto ca certificates Sample Configurations:

Command Name: Mode: Syntax:

crypto ca certificate chain router(config)#

crypto ca certificate chain name Syntax Description:


name Specifies the name of the CA. Use the same name as when you declared the CA using the crypto ca identity command.

Command Description: To enter the certificate chain configuration mode, use the crypto ca certificate chain command in global configuration mode. (You need to be in certificate chain configuration mode to delete certificates.) Usage Guidelines This command puts you into certificate chain configuration mode. When you are in certificate chain configuration mode, you can delete certificates using the certificate command. Example: The following example deletes the router's certificate. In this example, the router had a generalpurpose RSA key pair with one corresponding certificate. The show command is used to determine the serial number of the certificate to be deleted. myrouter# show crypto ca certificates Certificate Subject Name Name: myrouter.example.com IP Address: 10.0.0.1 Status: Available Certificate Serial Number: 0123456789ABCDEF0123456789ABCDEF Key Usage: General Purpose CA Certificate Status: Available Certificate Serial Number: 3051DF7123BEE31B8341DFE4B3A338E5F Key Usage: Not Set myrouter# configure terminal myrouter(config)# crypto ca certificate chain myca

myrouter(config-cert-chain)# no certificate 0123456789ABCDEF0123456789ABCDEF % Are you sure you want to remove the certificate [yes/no]? yes % Be sure to ask the CA administrator to revoke this certificate. myrouter(config-cert-chain)# exit myrouter(config)# Misconceptions: none Related commands: certificate crypto ca identity Sample Configurations:

Command Name: Mode: Syntax:

crypto ca certificate query router(config)#

crypto ca certificate query no crypto ca certificate query Syntax Description: This command has no arguments or keywords. Command Description: To specify that certificates and certificate revocation lists (CRLs) should not be stored locally but retrieved from the certification authority when needed, use the crypto ca certificate query command in global configuration mode. This command puts the router into query mode. To cause certificates and CRLs to be stored locally (the default), use the no form of this command. Usage Guidelines Normally, certain certificates and certificate revocation lists (CRLs) are stored locally in the router's NVRAM, and each certificate and CRL uses a moderate amount of memory. To save NVRAM space, you can use this command to put the router into query mode, which prevents certificates and CRLs from being stored locally; instead, they are retrieved from the CA when needed. This will save NVRAM space but could result in a slight performance impact. Example: The following example prevents certificates and CRLs from being stored locally on the router; instead, they are retrieved from the CA when needed. router(config)#crypto ca certificate query Misconceptions: none Related commands: none Sample Configurations:

Command Name: Mode: Syntax:

crypto ca crl request router(config)#

crypto ca crl request name Syntax Description:


name Specifies the name of the CA. This is the same name used when the CA was declared with the crypto ca identity command.

Command Description: To request that a new certificate revocation list (CRL) be obtained immediately from the certification authority, use the crypto ca crl request command in global configuration mode. Usage Guidelines A CRL lists all the network's devices' certificates that have been revoked. Revoked certificates will not be honored by your router; therefore, any IPSec device with a revoked certificate cannot exchange IP Security traffic with your router. The first time your router receives a certificate from a peer, it will download a CRL from the CA. Your router then checks the CRL to make sure the peer's certificate has not been revoked. (If the certificate appears on the CRL, it will not accept the certificate and will not authenticate the peer.) A CRL can be reused with subsequent certificates until the CRL expires. If your router receives a peer's certificate after the applicable CRL has expired, it will download the new CRL. If your router has a CRL which has not yet expired, but you suspect that the CRL's contents are out of date, use the crypto ca crl request command to request that the latest CRL be immediately downloaded to replace the old CRL. This command is not saved to the configuration. Example: The following example immediately downloads the latest CRL to your router: router(config)#crypto ca crl request Misconceptions:

none Related commands: crypto ca identity Sample Configurations:

Command Name: Mode: Syntax:

crypto ca enroll router(config)#

crypto ca enroll name no crypto ca enroll name Syntax Description:


name Specifies the name of the CA. Use the same name as when you declared the CA using the crypto ca identity command.

Command Description: To obtain your router's certificate(s) from the certification authority, use the crypto ca enroll command in global configuration mode. To delete a current enrollment request, use the no form of this command. Usage Guidelines This command requests certificates from the CA for all of your router's RSA key pairs. This task is also known as enrolling with the CA. (Technically, enrolling and obtaining certificates are two separate events, but they both occur when this command is issued.) Your router needs a signed certificate from the CA for each of your router's RSA key pairs; if you previously generated general purpose keys, this command will obtain the one certificate corresponding to the one general purpose RSA key pair. If you previously generated special usage keys, this command will obtain two certificates corresponding to each of the special usage RSA key pairs. If you already have a certificate for your keys you will be unable to complete this command; instead, you will be prompted to remove the existing certificate first. (You can remove existing certificates with the no certificate command.) The crypto ca enroll command is not saved in the router configuration. Note If your router reboots after you issue the crypto ca enroll command but before you receive the certificate(s), you must reissue the command. Responding to Prompts When you issue the crypto ca enroll command, you are prompted a number of times. First, you are prompted to create a challenge password. This password can be up to 80 characters in length. This password is necessary in the event that you ever need to revoke your router's

certificate(s). When you ask the CA administrator to revoke your certificate, you must supply this challenge password as a protection against fraudulent or mistaken revocation requests. Note This password is not stored anywhere, so you need to remember this password. If you lose the password, the CA administrator may still be able to revoke the router's certificate but will require further manual authentication of the router administrator identity. You are also prompted to indicate whether or not your router's serial number should be included in the obtained certificate. The serial number is not used by IP Security or Internet Key Exchange but may be used by the CA to either authenticate certificates or to later associate a certificate with a particular router. (Note that the serial number stored is the serial number of the internal board, not the one on the enclosure.) Ask your CA administrator if serial numbers should be included. If you are in doubt, include the serial number. Normally, you would not include the IP address because the IP address binds the certificate more tightly to a specific entity. Also, if the router is moved, you would need to issue a new certificate. Finally, a router has multiple IP addresses, any of which might be used with IPSec. If you indicate that the IP address should be included, you will then be prompted to specify the interface of the IP address. This interface should correspond to the interface that you apply your crypto map set to. If you apply crypto map sets to more than one interface, specify the interface that you name in the crypto map local-address command. Example: In the following example, a router with a general-purpose RSA key pair requests a certificate from the CA. When the router displays the certificate fingerprint, the administrator verifies this number by calling the CA administrator, who checks the number. The fingerprint is correct, so the router administrator accepts the certificate. There can be a delay between when the router administrator sends the request and when the certificate is actually received by the router. The amount of delay depends on the CA method of operation. myrouter(config)# crypto ca enroll myca % % Start certificate enrollment .. % Create a challenge password. You will need to verbally provide this password to the CA Administrator in order to revoke your certificate. For security reasons your password will not be saved in the configuration. Please make a note of it. Password: mypassword Re-enter password: mypassword

% The subject name in the certificate will be: myrouter.example.com % Include the router serial number in the subject name? [yes/no]: yes % The serial number in the certificate will be: 03433678 % Include an IP address in the subject name [yes/no]? yes Interface: ethernet0/0 Request certificate from CA [yes/no]? yes % Certificate request sent to Certificate Authority % The certificate request fingerprint will be displayed. % The 'show crypto ca certificate' command will also show the fingerprint. myrouter(config)# Some time later, the router receives the certificate from the CA and displays the following confirmation message: myrouter(config)# Fingerprint: 01234567 89ABCDEF FEDCBA98 75543210 %CRYPTO-6-CERTRET: Certificate received from Certificate Authority myrouter(config)# If necessary, the router administrator can verify the displayed Fingerprint with the CA administrator. If there is a problem with the certificate request and the certificate is not granted, the following message is displayed on the console instead: %CRYPTO-6-CERTREJ: Certificate enrollment request was rejected by Certificate Authority The subject name in the certificate is automatically assigned to be the same as the RSA key pair's name. In the above example, the RSA key pair was named "myrouter.example.com." (The router assigned this name.) Requesting certificates for a router with special usage keys would be the same as the previous example, except that two certificates would have been returned by the CA. When the router received the two certificates, the router would have displayed the same confirmation message: %CRYPTO-6-CERTRET: Certificate received from Certificate Authority Misconceptions: none Related commands: crypto ca identity debug crypto pki messages

debug crypto pki transactions show crypto ca certificates Sample Configurations: crypto ca trustpoint MS enroll terminal crypto ca authenticate MS ! crypto ca enroll MS crypto ca import MS certificate

Command Name: Mode: Syntax:

crypto ca identity router(config)#

crypto ca identity name no crypto ca identity name Syntax Description:


name Creates a name for the CA. (If you previously declared the CA and just want to update its characteristics, specify the name you previously created.) The CA might require a particular name, such as its domain name.

Command Description: To declare the certification authority that your router should use, use the crypto ca identity command in global configuration mode. To delete all identity information and certificates associated with the CA, use the no form of this command. Usage Guidelines Use this command to declare a CA. Performing this command puts you into the ca-identity configuration mode, where you can specify characteristics for the CA with the following commands:

enrollment url (Specify the URL of the CAalways required.) enrollment mode ra (Specify RA mode, required only if your CA system provides a registration authority [RA]). query url (Specify the URL of the Lightweight Directory Access Protocol server, required only if your CA supports an RA and the LDAP protocol.) enrollment retry period (Specify a period of time the router should wait between sending certificate request retriesoptional.) enrollment retry count (Specify how many certificate request retries your router will send before giving upoptional.) crl optional (Specify that your router can still accept other peers' certificates if the certificate revocation list is not accessibleoptional.)

Example: The following example declares a CA and identifies characteristics of the CA. In this example, the name "myca" is created for the CA, which is located at http://ca_server.

The CA does not use an RA or LDAP, and the CA's scripts are stored in the default location. This is the minimum possible configuration required to declare a CA. crypto ca identity myca enrollment url http://ca_server The following example declares a CA when the CA uses an RA. The CA's scripts are stored in the default location, and the CA uses the SCEP instead of LDAP. This is the minimum possible configuration required to declare a CA that uses an RA. crypto ca identity myca_with_ra enrollment url http://ca_server enrollment mode ra query url ldap://serverx The following example declares a CA that uses an RA and a nonstandard cgi-bin script location. This example also specifies a nonstandard retry period and retry count, and permits the router to accept certificates when CRLs are not obtainable. crypto ca identity myca_with_ra enrollment url http://example_ca/cgi-bin/somewhere/scripts.exe enrollment mode ra query url ldap://serverx enrollment retry-period 20 enrollment retry-count 100 crl optional In the previous example, if the router does not receive a certificate back from the CA within 20 minutes of sending a certificate request, the router will resend the certificate request. The router will keep sending a certificate request every 20 minutes until a certificate is received or until 100 requests have been sent. If the CA cgi-bin script location is not /cgi-bin/pkiclient.exe at the CA (the default CA cgi-bin script location) you need to also include the nonstandard script location in the URL, in the form of http://CA_name/script_location where script_location is the full path to the CA scripts. Misconceptions: none Related commands: crl optional enrollment mode ra enrollment retry count enrollment retry period enrollment url query url Sample Configurations:

Command Name: Mode: Syntax:

crypto ca trusted-root router(config)#

crypto ca trusted-root name no crypto ca trusted-root name Syntax Description:


name Creates a name for the trusted root.

Command Description: To configure a trusted root with a selected name, use the crypto ca trusted-root global configuration command. To deconfigure a trusted root, use the no form of this command. Usage Guidelines This command allows you to configure a trusted root with a selected name. You want to configure a trusted root so that your router can verify certificates issued to peers. Thus, your router does not have to enroll with the certification authority that issued the certificates to the peers. This command enables trusted root configuration mode. You can specify characteristics for the trusted root with the following commands:

crl queryQueries the certificate revocation list (CRL) published by the configured root with the Lightweight Directory Access Protocol URL (optional). crl optionalSpecifies that your router can still accept other peers' certificates if the CRL is not accessible (optional). root CEPSpecifies Simple Certificate Enrollment Protocol, which is formerly known as Cisco Enrollment Protocol (CEP), (or TFTP) to get the root certificate (required). root PROXYSpecifies the Hypertext Transfer Protocol (HTTP) proxy server for getting the root certificate (required). root TFTPSpecifies TFTP (or SCEP) to get the root certificate (required).

Example: The following example shows configuring a trusted root. In this example, the name "netscape" is created for the trusted root. router(config)#crypto ca trusted-root netscape Misconceptions:

none Related commands: crl optional crl query crypto ca authenticate crypto ca identity root CEP root PROXY root TFTP Sample Configurations: ! crypto ca trusted-root griffin root SCEP http://griffin:80 root proxy http://megatron:8080 !

Command Name: Mode: Syntax:

crypto key generate rsa router(config)#

crypto key generate rsa [usage-keys] Syntax Description:


usagekeys (Optional) Specifies that two special-usage key pairs should be generated, instead of one general-purpose key pair.

Command Description: To generate RSA key pairs, use the crypto key generate rsa command in global configuration mode. Usage Guidelines Use this command to generate RSA key pairs for your Cisco device (such as a router). RSA keys are generated in pairsone public RSA key and one private RSA key. If your router already has RSA keys when you issue this command, you will be warned and prompted to replace the existing keys with new keys Note Before issuing this command, make sure your router has a hostname and IP domain name configured (with the hostname and ip domain-name commands). You will be unable to complete the crypto key generate rsa command without a host name and IP domain name. This command is not saved in the router configuration; however, the keys generated by this command are saved in the private configuration in NVRAM (which is never displayed to the user or backed up to another device). There are two mutually exclusive styles of RSA key pairs: special-usage keys and generalpurpose keys. When you generate RSA key pairs, you will be prompted to select whether to generate special-usage keys or general-purpose keys. Special Usage Keys If you generate special-usage keys, two pairs of RSA keys will be generated. One pair will be used with any Internet Key Exchange policy that specifies RSA signatures as the authentication method, and the other pair used with any IKE policy that specifies RSA encrypted nonces as the authentication method.

A CA is used only with IKE policies specifying RSA signatures, not with IKE policies specifying RSA encrypted nonces. (However, you could specify more than one IKE policy, and have RSA signatures specified in one policy and RSA encrypted nonces in another policy.) If you plan to have both types of RSA authentication methods in your IKE policies, you might prefer to generate special-usage keys. With special-usage keys, each key is not unnecessarily exposed. (Without special-usage keys, one key is used for both purposes, increasing that key's exposure.) General-Purpose Keys If you generate general-purpose keys, only one pair of RSA keys will be generated. This pair will be used with IKE policies specifying either RSA signatures or RSA-encrypted nonces. Therefore, a general-purpose key pair might get used more frequently than a special usage key pair. Modulus Length When you generate RSA keys, you will be prompted to enter a modulus length. A longer modulus could offer stronger security, but takes longer to generate and takes longer to use. (The Cisco IOS software does not support a modulus greater than 2048 bits.) A length of less than 512 is normally not recommended. (In certain situations, the shorter modulus may not function properly with IKE, so Cisco recommends using a minimum modulus of 1024.) Example: The following example generates special-usage RSA keys: crypto key generate rsa usage-keys The name for the keys will be: myrouter.example.com Choose the size of the key modulus in the range of 360 to 2048 for your Signature Keys. Choosing a key modulus greater than 512 may take a few minutes. How many bits in the modulus[512]? return Generating RSA keys.... [OK]. Choose the size of the key modulus in the range of 360 to 2048 for your Encryption Keys. Choosing a key modulus greater than 512 may take a few minutes. How many bits in the modulus[512]? return Generating RSA keys.... [OK]. The following example generates general-purpose RSA keys. (Note, you cannot generate both special usage and general-purpose keys; you can only generate one or the other.) myrouter(config)# crypto key generate rsa The name for the keys will be: myrouter.example.com

Choose the size of the key modulus in the range of 360 to 2048 for your General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes. How many bits in the modulus[512]? return Generating RSA keys.... [OK]. Misconceptions: none Related commands: none Sample Configurations:

Command Name: Mode: Syntax:

crypto key zeroize rsa router(config)#

crypto key zeroize rsa Syntax Description: This command has no arguments or keywords. Command Description: To delete all RSA keys from your router, use the crypto key zeroize rsa command in global configuration mode. Usage Guidelines This command deletes all RSA keys that were previously generated by your router. If you issue this command, you must also perform two additional tasks:

Ask the certification authority administrator to revoke your router's certificates at the CA; you must supply the challenge password you created when you originally obtained the router's certificates with the crypto ca enroll command. Manually remove the router's certificates from the configuration using the certificate command.

Note This command cannot be undone (after you save your configuration), and after RSA keys have been deleted you cannot use certificates or the CA or participate in certificate exchanges with other IP Security peers unless you reconfigure CA interoperability by regenerating RSA keys, getting the CA's certificate, and requesting your own certificate again. This command is not saved to the configuration. Example: The following example deletes the general purpose RSA key pair that was previously generated for the router. After deleting the RSA key pair, the administrator contacts the CA administrator and requests that the router's certificate be revoked. The administrator then deletes the router's certificate from the configuration. router(config)#crypto key zeroize rsa router(config)#crypto ca certificate chain router(config-cert-chain)#no certificate Misconceptions:

none Related commands: certificate crypto ca certificate chain Sample Configurations:

Command Name: Mode: Syntax:

enrollment mode ra router(ca-identity)#

enrollment mode ra no enrollment mode ra Syntax Description: This command has no arguments or keywords. Command Description: To turn on registration authority mode, use the enrollment mode ra command in ca-identity configuration mode. To turn off RA mode, use the no form of the command. Usage Guidelines This command is required if your CA system provides a registration authority (RA). This command provides compatibility with RA systems. Example: The following example shows the minimum configuration required to declare a CA when the CA provides an RA: router(config)#crypto ca identity myca router(ca-identity)#enrollment url http://ca_server router(ca-identity)#enrollment mode ra router(ca-identity)#ldap://serverx Misconceptions: none Related commands: crypto ca identity Sample Configurations: crypto ca identity myca_with_ra enrollment url http://example_ca/cgi-bin/somewhere/scripts.exe enrollment mode ra query url ldap://serverx

enrollment retry-period 20 enrollment retry-count 100 crl optional

Command Name: Mode: Syntax:

enrollment retry count router(ca-identity)#

enrollment retry count number no enrollment retry count Syntax Description:


number Specify how many times the router will resend a certificate request when the router does not receive a certificate from the CA from the previous request. Specify from 1 to 100 retries.

Command Description: To specify how many times a router will resend a certificate request, use the enrollment retry count command in ca-identity configuration mode. To reset the retry count to the default of 0, which indicates an infinite number of retries, use the no form of the command. Usage Guidelines After requesting a certificate, the router waits to receive a certificate from the CA. If the router does not receive a certificate within a period of time (the retry period), the router will send another certificate request. The router will continue to send requests until it receives a valid certificate, until the CA returns an enrollment error, or until the configured number of retries (the retry count) is exceeded. By default, the router will keep sending requests forever, but you can change this to a finite number with this command. A retry count of 0 indicates that there is no limit to the number of times the router should resend the certificate request. By default, the retry count is 0. Example: The following example declares a CA, changes the retry period to 10 minutes, and changes the retry count to 60 retries. The router will resend the certificate request every 10 minutes until the router receives the certificate or until approximately 10 hours pass since the original request was sent, whichever occurs first. (10 minutes x 60 tries = 600 minutes = 10 hours.) router(config)#crypto ca identity myca router(ca-identity)#enrollment url http://ca_server router(ca-identity)#enrollment retry-period 10 router(ca-identity)#enrollment retry-count 60

Misconceptions: none Related commands: crypto ca identity enrollment retry period Sample Configurations:
! no ip domain lookup ip domain name tac.com ip host caserver1 171.69.89.125 ! ! crypto ca trustpoint caserver1 enrollment retry count 5 enrollment retry period 2 enrollment mode ra enrollment url http://171.69.89.125:80/certsrv/mscep/mscep.dll usage ike serial-number ip-address FastEthernet0 subject-name OU=MADRID O=SPAIN crl optional rsakeypair ipsecpki auto-enroll 100 regenerate crypto ca certificate chain caserver1 certificate ca 0E7EC1B68A2F14BD4C4515AF44C45732 308202BE 30820268 A0030201 0202100E 7EC1B68A 2F14BD4C 4515AF44 C4573230 0D06092A 864886F7 0D010105 05003076 310B3009 06035504 06130255 53310B30 !--- Certificate is abbreviated for easier viewing. quit certificate 611652F700000000003A 30820407 308203B1 A0030201 02020A61 1652F700 00000000 3A300D06 092A8648 86F70D01 01050500 3076310B 30090603 55040613 02555331 0B300906 03550408 !--- Certificate is abbreviated for easier viewing. quit certificate 61165F5B00000000003B 30820407 308203B1 A0030201 02020A61 165F5B00 00000000 3B300D06 092A8648 86F70D01 01050500 3076310B 30090603 55040613 02555331 0B300906 03550408

!--- Certificate is abbreviated for easier viewing. quit ! crypto isakmp policy 10 hash md5 crypto isakmp identity hostname !

Command Name: Mode: Syntax:

enrollment retry period router(ca-identity)#

enrollment retry period minutes no enrollment retry period Syntax Description:


minutes Specify the number of minutes the router waits before resending a certificate request to the certification authority, when the router does not receive a certificate from the CA by the previous request. Specify from 1 to 60 minutes. By default, the router retries every 1 minute.

Command Description: To specify the wait period between certificate request retries, use the enrollment retry period command in ca-identity configuration mode. To reset the retry period to the default of 1 minute, use the no form of this command. Usage Guidelines After requesting a certificate, the router waits to receive a certificate from the CA. If the router does not receive a certificate within a period of time (the retry period) the router will send another certificate request. The router will continue to send requests until it receives a valid certificate, until the CA returns an enrollment error, or until the configured number of retries is exceeded. (By default, the router will keep sending requests forever, but you can change this to a finite number of permitted retries with the enrollment retry count command.) Use the enrollment retry-period command to change the retry period from the default of 1 minute between retries. Example: The following example declares a CA and changes the retry period to 5 minutes: router(config)#crypto ca identity myca router(ca-identity)#enrollment url http://ca_server router(ca-identity)#enrollment retry-period 5 Misconceptions: none

Related commands: crypto ca identity enrollment retry count Sample Configurations: ! ip domain name cisco.com ip host caserver2 171.69.89.111 ip host caserver1 171.69.89.125 ! ! crypto ca trustpoint caserver1 enrollment retry period 5 enrollment mode ra enrollment url http://171.69.89.125:80/certsrv/mscep/mscep.dll usage ike serial-number fqdn 2611-vpn.cisco.com ip-address Ethernet0/0 password 7 1107160B12 subject-name OU=PARIS O=FRANCE crl optional rsakeypair ciscovpn auto-enroll regenerate !

Command Name: Mode: Syntax:

enrollment url router(ca-identity)#

enrollment url url no enrollment url url Syntax Description:


url Specify the URL of the CA where your router should send certificate requests, for example, http://ca_server. This URL must be in the form of http:// CA_name, where CA_name is the CA's host Domain Name System name or IP address. If the CA cgi-bin script location is not /cgi-bin/pkiclient.exe at the CA (the default CA cgi-bin script location) you need to also include the non-standard script location in the URL, in the form of http://CA_name/script_location where script_location is the full path to the CA scripts.

Command Description: To specify the certification authority location by naming the CA's URL, use the enrollment url command in ca-identity configuration mode. To remove the CA's URL from the configuration, use the no form of this command. Usage Guidelines Use this command to specify the CA's URL. This command is required when you declare a CA with the crypto ca identity command. The URL must include the CA script location if the CA scripts are not loaded into the default cgi-script location. The CA administrator should be able to tell you where the CA scripts are located. To change a CA's URL, repeat the enrollment url command to overwrite the older URL. Example:

The following example shows the absolute minimum configuration required to declare a CA: router(config)#crypto ca identity myca router(ca-identity)#enrollment url http://ca_server

Misconceptions: none Related commands: crypto ca identity Sample Configurations:

! ip domain name cisco.com ip host caserver2 171.69.89.111 ip host caserver1 171.69.89.125 ! ! crypto ca trustpoint caserver1 enrollment retry period 5 enrollment mode ra enrollment url http://171.69.89.125:80/certsrv/mscep/mscep.dll usage ike serial-number fqdn 2611-vpn.cisco.com ip-address Ethernet0/0 password 7 1107160B12 subject-name OU=PARIS O=FRANCE crl optional rsakeypair ciscovpn auto-enroll regenerate !

Command Name: Mode: Syntax: query url url no query url url Syntax Description:
url

query url router(ca-identity)#

Specify the URL of the Lightweight Directory Access Protocol server; for example, ldap://another_server. This URL must be in the form of ldap://server_name where server_name is the host Domain Name System name or IP address of the LDAP server.

Command Description: To specify LDAP protocol support, use the query url command in ca-identity configuration mode. To remove the query URL from the configuration and specify the default query protocol, Simple Certificate Enrollment Protocol (SCEP), use the no form of this command. Usage Guidelines This command is required if the CA supports a registration authority (RA) and the LDAP protocol; LDAP is a query protocol used when the router retrieves certificates and CRLs. The CA administrator should be able to tell you whether the CA supports LDAP or SCEP; if the CA supports the LDAP protocol, the CA administrator can tell you the LDAP location where certificates and certificate revocation lists should be retrieved. To change the query URL, repeat the query url command to overwrite the older URL. This command is only valid if you also use the enrollment mode ra command. Example: The following example shows the configuration required to declare a CA when the CA supports LDAP: router(config)#router(crypto ca identity myca router(ca-identity)#enrollment url http://ca_server router(ca-identity)#enrollment mode ra router(ca-identity)#query url ldap://bobs_server Misconceptions:

none Related commands: crypto ca identity Sample Configurations:

Command Name: Mode: Syntax: root CEP url Syntax Description:


url

root CEP router(ca-root)#

Specifies the given URL of the configured root.

Command Description: To define the Simple Certificate Enrollment Protocol (SCEP), which gets the root certificate of a given certification authority, use the root CEP trusted root configuration command. Usage Guidelines After configuring a trusted root, use this command to get the root certificate of a given CA using the SCEP protocol. To ensure authenticity of the root certificate, the router administrator is expected to compare the root certificate fingerprint with the image in the server administrator. The fingerprint of the root certificate is an MD5 hash of the complete root certificate. Note SCEP is formerly known as Cisco Enrollment Protocol; the functionality remains the same. Example: The following example shows defining SCEP as the desired protocol to get the root certificate of the CA. In this example, the URL is defined as "http://ciscoca-ultra:80". router(config)#crypto ca trusted-root netscape router(ca-root)#root CEP http://ciscoca-ultra:80 Misconceptions: none Related commands: crl query crypto ca identity crypto ca trusted-root root PROXY

root TFTP Sample Configurations:

Command Name: Mode: Syntax: root PROXY url Syntax Description:


url

root PROXY router(ca-root)#

Specifies the URL of the HTTP proxy server; for example, http://proxy_server.

Command Description: To define the Hypertext Transfer Protocol proxy server for getting the root certificate, use the root PROXY trusted root configuration command. Usage Guidelines After configuring a trusted root and defining the protocol, use this command to define the HTTP proxy server for getting the given root certificate of a certification authority. Example: The following example defines the HTTP proxy server for getting the root certificate of a certification authority. In this example, SCEP is the defined protocol, and the HTTP proxy server is "megatron." router(config)#crypto ca trusted-root griffin router(ca-root)#root CEP http://griffin:80 router(ca-root)#root proxy http://megatron:8080 Misconceptions: none Related commands: crl query crypto ca identity root CEP root TFTP Sample Configurations:

Command Name: Mode: Syntax:

root TFTP router(ca-root)#

root TFTP server-hostname filename

Syntax Description:
server-hostname Creates a name for the server.

filename

Creates a name for the file that will store the root certificate.

Command Description: To define the TFTP protocol, which gets the root certificate of a given certification authority, use the root TFTP trusted root configuration command. Usage Guidelines After configuring a trusted root, use this command to get the root certificate of a given CA using the TFTP protocol. This command enables an authenticated root certificate to be stored as a file on the TFTP server. Note This command should be used if your CA server does not support Simple Certificate Enrollment Protocol, which is formerly known as Cisco Enrollment Protocol (CEP). Example: The following example shows defining TFTP as the desired protocol to get the root certificate of a certification authority. In this example, the name "banana" is created for the trusted root, "strawberry" is the server hostname, and "ca-cert/banana" is the filename where the root certificate is stored. router(config)#crypto ca trusted-root banana router(ca-root)#root tftp strawberry ca-cert/banana Misconceptions: none Related commands:

crl query crypto ca identity crypto ca trusted-root root CEP root PROXY Sample Configurations:

Command Name: Mode: Syntax:

show crypto ca certificates router>

show crypto ca certificates Syntax Description: This command has no arguments or keywords. Command Description: To view information about your certificate, the certification authority certificate, and any registration authority certificates, use the show crypto ca certificates command in EXEC mode. Usage Guidelines This command shows information about the following certificates:

Your certificate, if you have requested one from the CA (see the crypto ca enroll command) The CA's certificate, if you have received the CA's certificate (see the crypto ca authenticate command) RA certificates, if you have received RA certificates (see the crypto ca authenticate command)r

Example: The following is sample output from the show crypto ca certificates command after you authenticated the CA by requesting the CA's certificate and public key with the crypto ca authenticate command: CA Certificate Status: Available Certificate Serial Number: 3051DF7123BEE31B8341DFE4B3A338E5F Key Usage: Not Set The CA certificate might show Key Usage as "Not Set." The following is sample output from the show crypto ca certificates command, and shows the router's certificate and the CA's certificate. In this example, a single, general purpose RSA key pair was previously generated, and a certificate was requested but not received for that key pair. Certificate Subject Name Name: myrouter.example.com

IP Address: 10.0.0.1 Serial Number: 04806682 Status: Pending Key Usage: General Purpose Fingerprint: 428125BD A3419600 3F6C7831 6CD8FA95 00000000 CA Certificate Status: Available Certificate Serial Number: 3051DF7123BEE31B8341DFE4B3A338E5F Key Usage: Not Set Note that in the previous sample, the router's certificate Status shows "Pending." After the router receives its certificate from the CA, the Status field changes to "Available" in the show output. The following is sample output from the show crypto ca certificates command, and shows two router's certificates and the CA's certificate. In this example, special usage RSA key pairs were previously generated, and a certificate was requested and received for each key pair. Certificate Subject Name Name: myrouter.example.com IP Address: 10.0.0.1 Status: Available Certificate Serial Number: 428125BDA34196003F6C78316CD8FA95 Key Usage: Signature Certificate Subject Name Name: myrouter.example.com IP Address: 10.0.0.1 Status: Available Certificate Serial Number: AB352356AFCD0395E333CCFD7CD33897 Key Usage: Encryption CA Certificate Status: Available Certificate Serial Number: 3051DF7123BEE31B8341DFE4B3A338E5F Key Usage: Not Set The following is sample output from the show crypto ca certificates command when the CA supports an RA. In this example, the CA and RA certificates were previously requested with the crypto ca authenticate command. CA Certificate Status: Available Certificate Serial Number: 3051DF7123BEE31B8341DFE4B3A338E5F Key Usage: Not Set RA Signature Certificate Status: Available Certificate Serial Number: 34BCF8A0 Key Usage: Signature RA KeyEncipher Certificate

Status: Available Certificate Serial Number: 34BCF89F Key Usage: Encryption Misconceptions: none Related commands: crypto ca authenticate crypto ca enroll debug crypto pki messages debug crypto pki transactions Sample Configurations:

Command Name: Mode: Syntax: show crypto ca crls Syntax Description:

show crypto ca crls router>

This command has no arguments or keywords. Command Description: To display the current certificate revocation list (CRL) on router, use the show crypto ca crls command in EXEC configuration mode. Example: The following is sample output of the show crypto ca crls command: router# show crypto ca crls CRL Issuer Name: OU = sjvpn, O = cisco, C = us LastUpdate: 16:17:34 PST Jan 10 2002 NextUpdate: 17:17:34 PST Jan 11 2002 Retrieved from CRL Distribution Point: LDAP: CN = CRL1, OU = sjvpn, O = cisco, C = us Misconceptions: none Related commands: crypto ca crl request Sample Configurations:

Command Name: Mode: Syntax: show crypto ca roots Syntax Description:

show crypto ca roots router>

This command has no arguments or keywords. Command Description: To display the roots configured in the router, use the show crypto ca roots EXEC configuration command. Example: router# show crypto ca roots Misconceptions: none Related commands: crypto ca authenticate crypto ca identity crypto ca trusted-root root CEP root PROXY root TFTP Sample Configurations: router# show crypto ca roots Root netscape: Subject Name: CN=Certificate Manager OU=On 07/01 O=cisco C=US Serial Number:01 Certificate configured. Root identity:netscape CEP URL:http://cisco-ultra

CRL query url: ldap://cisco-ultra

Command Name: Mode: Syntax: clear crypto sa

clear crypto sa router#

clear crypto sa peer {ip-address | peer-name} clear crypto sa map map-name clear crypto sa entry destination-address protocol spi clear crypto sa counters Syntax Description:
peer Deletes any IPSec security associations for the specified peer.

ip-address

Specifies a remote peer's IP address.

peer-name

Specifies a remote peer's name as the fully qualified domain name, for example remotepeer.example.com.

map

Deletes any IPSec security associations for the named crypto map set.

map-name

Specifies the name of a crypto map set.

entry

Deletes the IPSec security association with the specified address, protocol, and SPI.

destinationaddress

Specifies the IP address of your peer or the remote peer.

protocol

Specifies either the Encapsulation Security Protocol or Authentication Header.

spi

Specifies an SPI (found by displaying the security association database).

counters

Clears the traffic counters maintained for each security association; counters does not clear the security associations themselves.

Command Description: To delete IP Security security associations, use the clear crypto sa privileged EXEC command. Usage Guidelines This command clears (deletes) IPSec security associations. If the security associations were established via Internet Key Exchange, they are deleted and future IPSec traffic will require new security associations to be negotiated. (When IKE is used, the IPSec security associations are established only when needed.) If the security associations are manually established, the security associations are deleted and reinstalled. (When IKE is not used, the IPSec security associations are created as soon as the configuration is completed.) If peer, map, entry, or counters keywords are not used, all IPSec security associations will be deleted.

The peer keyword deletes any IPSec security associations for the specified peer. The map keyword deletes any IPSec security associations for the named crypto map set. The entry keyword deletes the IPSec security association with the specified address, protocol, and SPI.

If any of the above command