Cisco IOS Security Command Guide
copy system:running-config nvram:startup-config : to save your configuration changes to the startup configuration so that the changes will not be lost if the software reloads or a power outage occurs
command | {begin | include | exclude} regular-expression : to filter output from the show and more commands (you can search and filter the output of show and more commands)
e.g. Router# show interface | include protocol
Authentication, Authorization, and Accounting
Authentication Commands
aaa authentication arap : to enable an authentication, authorization, and accounting(AAA) authentication method for AppleTalk Remote Access(ARA) (in global configuration mode)
no aaa authentication arap
aaa authentication banner : to configure a personalized banner that will be displayed at user login (in global configuration mode)
no aaa authentication banner
aaa authentication enable default : to enable authentication, authorization, and accounting(AAA) authentication to determine if a user can access the privileged command level (in global configuration mode)
no aaa authentication enable default
aaa authentication fail-message : to configure a personalized banner that will be displayed when a user fails login (in global configuration mode)
no aaa authentication fail-message
aaa authentication login : to set authentication, authorization, and accounting(AAA) authentication at login (in global configuration mode)
no aaa authentication login
aaa authentication nasi : to specify authentication, authorization, and accounting(AAA) authentication for NetWare Asynchronous Services Interface(NASI) clients connecting through the access server (in global configuration mode)
no aaa authentication nasi
aaa authentication password-prompt : to change the text displayed when users are prompted for a password (in global configuration mode)
no aaa authentication password-prompt
aaa authentication ppp : to specify one or more authentication, authorization, and accounting(AAA) authentication methods for use on serial interfaces that are running PPP (in global configuration mode)
no aaa authentication ppp
aaa authentication username-prompt : to change the text displayed when users are prompted to enter a username (in global configuration mode)
no aaa authentication username-prompt
aaa dnis map authentication login group : to map a Dialed Number Identification Service(DNIS) number to a particular authentication, authorization, and accounting(AAA) server group for the login service (this server group will be used for AAA authentication) (in global configuration mode)
no aaa dnis map authentication login group
aaa dnis map authentication ppp group : to map a Dialed Number Identification Service(DNIS) number to a particular authentication server group (this server group will be used for authentication, authorization, and accounting(AAA) authentication) (in global configuration mode)
no aaa dnis map authentication ppp group
aaa nas redirected-station : to include the original number in the information sent to the authentication server when the number dialed by a device is redirected to another number for authentication (in global configuration mode)
no aaa nas redirected-station
aaa new-model : to enable the authentication, authorization, and accounting(AAA) access control model (in global configuration mode)
no aaa new-model
aaa pod server : to enable inbound user sessions to be disconnected when specific session attributes are presented (in global configuration mode)
no aaa pod server
aaa preauth : to enter authentication, authorization, and accounting(AAA) preauthentication configuration mode (in global configuration mode)
no aaa preauth
aaa processes : to allocate a specific number of background processes to be used to process authentication, authorization, and accounting(AAA) authentication and authorization requests for PPP (in global configuration mode)
no aaa processes
access-profile : to apply your per-user authorization attributes to an interface during a PPP session (in privileged EXEC mode)
no access-profile
arap authentication : to enable authentication, authorization, and accounting(AAA) authentication for AppleTalk Remote Access Protocol(ARAP) on a line (in line configuration mode)
no arap authentication
clear ip trigger-authentication : to clear the list of remote hosts for which automated double authentication has been attempted (in privileged EXEC mode)
dnis (AAA preauthentication) : to preauthenticate calls on the basis of the Dialed Number Identification Service(DNIS) number (in AAA preauthentication configuration mode)
no dnis
group : to specify the authentication, authorization, and accounting(AAA) TACACS+ server group to use for preauthentication (in AAA preauthentication configuration mode)
no group
ip trigger-authentication : to enable the automated part of double authentication at a device (in global configuration mode)
no ip trigger-authentication
ip trigger-authentication : to specify automated double authentication at an interface (in interface configuration mode)
no ip trigger-authentication
login authentication : to enable authentication, authorization, and accounting(AAA) authentication for login (in line configuration mode)
no login authentication
nasi authentication : to enable authentication, authorization, and accounting(AAA) authentication for NetWare Asynchronous Services Interface(NASI) clients connecting to a router (in line configuration mode)
no nasi authentication
ppp authentication : to enable Challenge Handshake Authentication Protocol(CHAP) or Password Authentication Protocol(PAP) or both and to specify the order in which CHAP and PAP authentication are selected on the interface (in interface configuration mode)
no ppp authentication
ppp chap hostname : to create a pool of dialup routers that all appear to be the same host when authenticating with Challenge Handshake Authentication Protocol(CHAP) (in interface configuration mode)
no ppp chap hostname
ppp chap password : to enable a router calling a collection of routers that do not support this command(such as routers running older Cisco IOS software images) to configure a common Challenge Handshake Authentication Protocol(CHAP) secret password to use in response to challenges from an unknown peer (in interface configuration mode)
no ppp chap password
ppp chap refuse : to refuse Challenge Handshake Authentication Protocol(CHAP) authentication from peers requesting it (in interface configuration mode)
no ppp chap refuse
ppp chap wait : to specify that the router will not authenticate to a peer requesting Challenge Handshake Authentication Protocol(CHAP) authentication until after the peer has authenticated itself to the router (in interface configuration mode)
no ppp chap wait
ppp pap refuse : to refuse a peer request to authenticate remotely with PPP using Password Authentication Protocol(PAP) (in interface configuration mode)
no ppp pap refuse
ppp pap sent-username : to reenable remote Password Authentication Protocol(PAP) support for an interface and use the sent-username and password in the PAP authentication request packet to the peer (in interface configuration mode)
no ppp pap sent-username
show ip trigger-authentication : to view the list of remote hosts for which automated double authentication has been attempted (in privileged EXEC mode)
show ppp queues : to monitor the number of requests processed by each authentication, authorization, and accounting(AAA) background process (in privileged EXEC mode)
timeout login response : to specify how long the system will wait for login input (such as username and password) before timing out (in line configuration mode)
no timeout login response
Authorization Commands
aaa authorization : to set parameters that restrict user access to a network (in global configuration mode)
no aaa authorization
aaa authorization config-commands : to reestablish the default created when the aaa authorization commands command was issued (in global configuration mode)
no aaa authorization config-commands
aaa authorization console : to apply authorization to a console (in global configuration mode)
no aaa authorization console
aaa authorization reverse-access : to configure a network access server to request authorization information from a security server before allowing a user to establish a reverse Telnet session (in global configuration mode)
no aaa authorization reverse-access
aaa dnis map authorization network group : to map a Dialed Number Identification Service(DNIS) number to a particular authentication, authorization, and accounting(AAA) server group (the server group that will be used for AAA authorization) (in global configuration mode)
no aaa dnis map authorization network group
authorization : to enable authentication, authorization, and accounting(AAA) authorization for a specific line or group of lines (in line configuration mode)
no authorization
ppp authorization : to enable authentication, authorization, and accounting(AAA) authorization on the selected interface (in interface configuration mode)
no ppp authorization
Accounting Commands
aaa accounting : to enable authentication, authorization, and accounting(AAA) accounting of requested services for billing or security purposes when you use RADIUS or TACACS+ (in global configuration mode)
no aaa accounting
aaa accounting connection h323 : to define the accounting method list H.323 with RADIUS as a method with either stop-only or start-stop accounting options (in global configuration mode)
no aaa accounting connection h323
aaa accounting delay-start : to delay generation of accounting "start" records until the user IP address is established (in global configuration mode)
no aaa accounting delay-start
aaa accounting nested : to specify that NETWORK records be generated, or nested, within EXEC "start" and "stop" records for PPP users who start EXEC terminal sessions (in global configuration mode)
no aaa accounting nested
aaa accounting resource start-stop group : to enable full resource accounting, which will generate both a "start" record at call setup and a "stop" record at call termination (in global configuration mode)
no aaa accounting resource start-stop group
aaa accounting resource stop-failure group : to enable resource failure stop accounting support, which will generate a "stop" record at any point prior to user authentication only if a call is terminated (in global configuration mode)
no aaa accounting resource stop-failure group
aaa accounting send stop-record authentication failure : to generate accounting "stop" record for users who fail to authenticate at login or during session negotiation (in global configuration mode)
no aaa accounting send stop-record authentication failure
aaa accounting suppress null-username : to prevent the Cisco IOS software from sending accounting records for users whose username string is NULL (in global configuration mode)
no aaa accounting suppress null-username
aaa accounting update : to enable periodic interim accounting records to be sent to the accounting server (in global configuration mode)
no aaa accounting update
aaa dnis map accounting network : to map a Dialed Number Identification Service(DNIS) number to a particular authentication, authorization, and accounting(AAA) server group that will be used for AAA accounting (in global configuration mode)
no aaa dnis map accounting network
aaa session-mib disconnect : to enable disconnect by using Simple Network Management Protocol(SNMP) (in global configuration mode)
no aaa session-mib disconnect
accounting : to enable authentication, authorization, and accounting(AAA) accounting services on a specified line or group of lines (in line configuration mode)
no accounting
accounting : to enable accounting on the gatekeeper (in gatekeeper configuration mode)
no accounting
ppp accounting : to enable authentication, authorization, and accounting(AAA) accounting services on the selected interface (in interface configuration mode)
no ppp accounting
show accounting : to step through all active sessions and to print all the accounting records for actively accounted functions (in EXEC mode)
Security Server Protocols
RADIUS Commands
aaa group server radius : to group different RADIUS server hosts into distinct lists and distinct methods (in global configuration mode)
no aaa group server radius
aaa nas port extended : to replace the NAS-Port attribute with RADIUS IETF attribute 26 and to display extended field information (in global configuration mode)
no aaa nas port extended
call guard-timer : to set a guard timer to accept or reject a call in the event that the RADIUS server fails to respond to a preauthentication request (in controller configuration mode)
no call guard-timer
clid : to preauthenticate calls on the basis of the Calling Line Identification(CLID) number (in AAA preauthentication configuration mode)
no clid
ctype : to preauthenticate calls on the basis of the call type (in AAA preauthentication configuration mode)
no ctype
deadtime : to configure deadtime within the context of RADIUS server groups (in server-group configuration mode)
no deadtime
dialer aaa : to allow a dialer to access the authentication, authorization, and accounting(AAA) server for dialing information (in interface configuration mode)
no dialer aaa
dnis : to preauthenticate calls on the basis of the DNIS(Dialed Number Identification Service) number (in AAA preauthentication configuration mode)
no dnis
dnis bypass : to specify a group of DNIS(Dialed Number Identification Service) numbers that will be bypassed for preauthentication (in AAA preauthentication configuration mode)
no dnis bypass
group : to specify the authentication, authorization, and accounting(AAA) RADIUS server group to use for preauthentication (in AAA preauthentication configuration mode)
no group
ip radius source-interface : to force RADIUS to use the IP address of a specified interface for all outgoing RADIUS packets (in global configuration mode)
no ip radius source-interface
radius-server attribute 32 include-in-access-req : to send RADIUS attribute 32 (NAS-Identifier) in an access-request or accounting-request (in global configuration mode)
no radius-server attribute 32 include-in-access-req
radius-server attribute 44 include-in-access-req : to send RADIUS attribute 44 (Accounting Session ID) in access request packets before user authentication (including requests for preauthentication) (in global configuration mode)
no radius-server attribute 44 include-in-access-req
radius-server attribute 55 include-in-acct-req : to send the RADIUS attribute 55 (Event-Timestamp) in accounting packets (in global configuration mode)
no radius-server attribute 55 include-in-acct-req
radius-server attribute 69 clear : to receive nonencrypted tunnel passwords in attribute 69(Tunnel-Password) (in global configuration mode)
no radius-server attribute 69 clear
radius-server attribute 188 format non-standard : to send the number of remaining links in the multilink bundle in the accounting-request packet (in global configuration mode)
no radius-server attribute 188 format non-standard
radius-server attribute nas-port format : to select the NAS-Port format used for RADIUS accounting features, and to restore the default NAS-Port format (in global configuration mode)
no radius-server attribute nas-port format
radius-server challenge-noecho : to prevent user responses to Access-Challenge packets from being displayed on the screen (in global configuration mode)
no radius-server challenge-noecho
radius-server configure-nas : to have the Cisco router or access server query the vendor-proprietary RADIUS server for the static routes and IP pool definitions used throughout its domain when the device starts up (in global configuration mode)
no radius-server configure-nas
radius-server deadtime : to improve RADIUS response times when some servers might be unavailable (in global configuration mode)
no radius-server deadtime
radius-server directed-request : to allow users logging into a Cisco network access server (NAS) to select a RADIUS server for authentication (in global configuration mode)
no radius-server directed-request
radius-server host : to specify a RADIUS server host (in global configuration mode)
no radius-server host
radius-server host non-standard : to identify that the security server is using a vendor-proprietary implementation of RADIUS (in global configuration mode)
no radius-server host non-standard
radius-server key : to set the authentication and encryption key for all RADIUS communications between the router and the RADIUS daemon (in global configuration mode)
no radius-server key
radius-server optional passwords : to specify that the first RADIUS request to a RADIUS server be made without password verification (in global configuration mode)
no radius-server optional passwords
radius-server retransmit : to specify the number of times the Cisco IOS software searches the list of RADIUS server hosts before giving up (in global configuration mode)
no radius-server retransmit
radius-server timeout : to set the interval for which a router waits for a server host to reply (in global configuration mode)
no radius-server timeout
radius-server unique-ident : to assign a unique accounting session identification (Acct-Session-Id) (in global configuration mode)
no radius-server unique-ident
radius-server vsa send : to configure the network access server to recognize and use vendor-specific attributes (in global configuration mode)
no radius-server vsa send
server : to configure the IP address of the RADIUS server for the group server (in server-group configuration mode)
no server
show radius statistics : to display the RADIUS statistics for accounting and authentication packets (in EXEC mode)
vpdn aaa attribute : to enable reporting of network access server (NAS) authentication, authorization, and accounting (AAA) attributes related to a virtual private dialup network (VPDN) to the AAA server (in global configuration mode)
no vpdn aaa attribute
TACACS+ Commands
aaa group server tacacs+ : to group different server hosts into distinct lists and distinct methods (in global configuration mode)
no aaa group server tacacs+
ip tacacs source-interface : to use the IP address of a specified interface for all outgoing TACACS+ packets (in global configuration mode)
no ip tacacs source-interface
server : to configure the IP address of the TACACS+ server for the group server (in TACACS+ group server configuration mode)
no server
show tacacs : to display statistics for a TACACS+ server (in EXEC mode)
tacacs-server administration : to enable the handling of administrative messages by the TACACS+ daemon (in global configuration mode)
no tacacs-server administration
tacacs-server directed-request : to send only a username to a specified server when a direct request is issued (in global configuration mode)
no tacacs-server directed-request
tacacs-server dns-alias-lookup : to enable IP Domain Name System(DNS) alias lookup for TACACS+ servers (in global configuration mode)
no tacacs-server dns-alias-lookup
tacacs-server host : to specify a TACACS+ host (in global configuration mode)
no tacacs-server host
tacacs-server key : to set the authentication encryption key used for all TACACS+ communications between the access server and the TACACS+ daemon (in global configuration mode)
no tacacs-server key
tacacs-server packet : to modify TACACS+ packet option (in global configuration mode)
no tacacs-server packet
tacacs-server timeout : to set the interval for which the server waits for a server host to reply (in global configuration mode)
no tacacs-server timeout
Kerberos Commands
clear kerberos creds : to delete the contents of the credentials cache (in privileged EXEC mode)
kerberos clients mandatory : to cause the rsh, rcp, rlogin and telnet commands to fail if they cannot negotiate the Kerberos protocol with the remote server (in global configuration mode)
no kerberos clients mandatory
kerberos credentials forward : to force all network application clients on the router to forward users' Kerberos credentials upon successful Kerberos authentication (in global configuration mode)
no kerberos credentials forward
kerberos instance map : to map Kerberos instances to Cisco IOS privilege levels (in global configuration mode)
no kerberos instance map
kerberos local-realm : to specify the Kerberos realm in which the router is located (in global configuration mode)
no kerberos local-realm
kerberos preauth : to specify a preauthentication method to use to communicate with the key distribution center(KDC) (in global configuration mode)
no kerberos preauth
kerberos realm : to map a host name or Domain Name System(DNS) domain to a Kerberos realm (in global configuration mode)
no kerberos realm
kerberos server : to specify the location of the Kerberos server for a given Kerberos realm (in global configuration mode)
no kerberos server
kerberos srvtab entry : to retrieve a SRVTAB file from a remote host and automatically generate a Kerberos SRVTAB entry configuration (in global configuration mode)
no kerberos srvtab entry
kerberos srvtab remote : to retrieve a SRVTAB file from a remote host and automatically generate a Kerberos SRVTAB entry configuration (in global configuration mode)
key config-key : to define a private DES key for the router (in global configuration mode)
no key config-key
show kerberos creds : to display the contents of your credentials cache (in privileged EXEC mode)
Traffic Filtering and Firewalls
Lock-and-Key Commands
access-enable : to enable the router to create a temporary access list entry in a dynamic access list (in EXEC mode)
access-list dynamic-extend : to allow the absolute timer of the dynamic access control list(ACL) to be extended an additional six minutes (in global configuration mode)
no access-list dynamic-extend
access-template : to manually place a temporary access list entry on a router to which you are connected (in EXEC mode)
clear access-template : to manually clear a temporary access list entry from a dynamic access list (in EXEC mode)
Reflexive Access List Commands
evaluate : to nest a reflexive access list within an access list (in access-list configuration mode)
no evaluate
ip reflexive-list timeout : to specify the length of time that reflexive access list entries will continue to exist when no packets in the session are detected (in global configuration mode)
no ip reflexive-list timeout
permit : to create a reflexive access list and to enable its temporary entries to be automatically generated (in access-list configuration mode)
no permit
TCP Intercept Commands
ip tcp intercept connection-timeout : to change how long a TCP connection will be managed by the TCP intercept after no activity (in global configuration mode)
no ip tcp intercept connection-timeout
ip tcp intercept drop-mode : to set the TCP intercept drop mode (in global configuration mode)
no ip tcp intercept drop-mode
ip tcp intercept finrst-timeout : to change how long after receipt of a reset or FIN-exchange the software ceases to manage the connection (in global configuration mode)
no ip tcp intercept finrst-timeout
ip tcp intercept list : to enable TCP intercept (in global configuration mode)
no ip tcp intercept list
ip tcp intercept max-incomplete high : to define the maximum number of incomplete connections allowed before the software enters aggressive mode (in global configuration mode)
no ip tcp intercept max-incomplete high
ip tcp intercept max-incomplete low : to define the number of incomplete connections below which the software leaves aggressive mode (in global configuration mode)
no ip tcp intercept max-incomplete low
ip tcp intercept mode : to change the TCP intercept mode (in global configuration mode)
no ip tcp intercept mode
ip tcp intercept one-minute high : to define the number of connection requests received in the last one-minute sample period before the software enters aggressive mode (in global configuration mode)
no ip tcp intercept one-minute high
ip tcp intercept one-minute low : to define the number of connection requests below which the software leaves aggressive mode (in global configuration mode)
no ip tcp intercept one-minute low
ip tcp intercept watch-timeout : to define how long the software will wait for a watched TCP intercept connection to reach established state before sending a reset to the server (in global configuration mode)
no ip tcp intercept watch-timeout
show tcp intercept connections : to display TCP incomplete and established connections (in EXEC mode)
show tcp intercept statistics : to display TCP intercept statistics (in EXEC mode)
Context-Based Access Control Commands
ip inspect alert-off : to disable Context-based Access Control (CBAC) alert messages, which are displayed on the console (in global configuration mode)
no ip inspect alert-off
ip inspect audit trail : to turn on Context-based Access Control(CBAC) audit trail messages, which will be displayed on the console after each CBAC session closes (in global configuration mode)
no ip inspect audit trail
ip inspect dns-timeout : to specify the Domain Name System (DNS) idle timeout (the length of time during which a DNS name lookup session will still be managed while there is no activity) (in global configuration mode)
no ip inspect dns-timeout
ip inspect : to apply a set of inspection rules to an interface (in interface configuration mode)
no ip inspect
ip inspect max-incomplete high : to define the number of existing half-open sessions that will cause the software to start deleting half-open sessions (in global configuration mode)
no ip inspect max-incomplete high
ip inspect max-incomplete low : to define the number of existing half-open sessions that will cause the software to stop deleting half-open sessions (in global configuration mode)
no ip inspect max-incomplete low
ip inspect name : to define a set of inspection rules (in global configuration mode)
no ip inspect name
ip inspect one-minute high : to define the rate of new unestablished sessions that will cause the software to start deleting half-open sessions (in global configuration mode)
no ip inspect one-minute high
ip inspect one-minute low : to define the rate of new unestablished TCP sessions that will cause the software to stop deleting half-open sessions (in global configuration mode)
no ip inspect one-minute low
ip inspect tcp finwait-time : to define how long a TCP session will still be managed after the firewall detects a FIN-exchange (in global configuration mode)
no ip inspect tcp finwait-time
ip inspect tcp idle-time : to specify the TCP idle timeout (the length of time a TCP session will still be managed while there is no activity) (in global configuration mode)
no ip inspect tcp idle-time
ip inspect tcp max-incomplete host : to specify threshold and blocking time values for TCP host-specific denial-of-service detection and prevention (in global configuration mode)
no ip inspect tcp max-incomplete host
ip inspect tcp synwait-time : to define how long the software will wait for a TCP session to reach the established state before dropping the session (in global configuration mode)
no ip inspect tcp synwait-time
ip inspect udp idle-time : to specify the User Datagram Protocol (UDP) idle timeout (the length of time for which a UDP "session" will still be managed while there is no activity) (in global configuration mode)
no ip inspect udp idle-time
no ip inspect : to turn off Context-based Access Control(CBAC) completely at a firewall (in global configuration mode)
show ip inspect : to view Context-based Access Control(CBAC) configuration and session information (in privileged EXEC mode)
Cisco IOS Firewall Intrusion Detection System Commands
clear ip audit configuration : to disable Cisco IOS Firewall IDS, remove all intrusion detection configuration entries, and release dynamic resources (in EXEC mode)
clear ip audit statistics : to reset statistics on packets analyzed and alarms sent (in EXEC mode)
ip audit : to apply an audit specification created with the ip audit name command to a specific interface and for a specific direction (in interface configuration mode)
no ip audit
ip audit attack : to specify the default actions for attack signatures (in global configuration mode)
no ip audit attack
ip audit info : to specify the default actions for info signatures (in global configuration mode)
no ip audit info
ip audit name : to create audit rules for info and attack signature types (in global configuration mode)
no ip audit name
ip audit notify : to specify the method of event notification (in global configuration mode)
no ip audit notify
ip audit po local : to specify the local Post Office parameters used when sending event notifications to the NetRanger Director (in global configuration mode)
no ip audit po local
ip audit po max-events : to specify the maximum number of event notifications that are placed in the router's event queue (in global configuration mode)
no ip audit po max-events
ip audit po protected : to specify whether an address is on a protected network (in global configuration mode)
no ip audit po protected
ip audit po remote : to specify one or more set of Post Office parameters for NetRanger Directors receiving event notifications from the router (in global configuration mode)
no ip audit po remote
ip audit signature : to attach a policy to a signature (in global configuration mode)
no ip audit signature
ip audit smtp : to specify the number of recipients in a mail message over which a spam attack is suspected (in global configuration mode)
no ip audit smtp
show ip audit configuration : to display additional configuration information, including default values that may not be displayed using the show run command (in EXEC mode)
show ip audit interface : to display the interface configuration (in EXEC mode)
show ip audit statistics : to display the number of packets audited and the number of alarms sent, among other information (in EXEC mode)
Authentication Proxy Commands
clear ip auth-proxy cache : to clear authentication proxy entries from the router (in EXEC mode)
ip auth-proxy auth-cache-time : to set the authentication proxy idle timeout value (the length of time an authentication cache entry, along with its associated dynamic user access control list, is managed after a period of inactivity) (in global configuration mode)
no ip auth-proxy auth-cache-time
ip auth-proxy : to apply an authentication proxy rule at a firewall interface (in interface configuration mode)
no ip auth-proxy
ip auth-proxy auth-proxy-banner : to display a banner, such as the router name, in the authentication proxy login page (in global configuration mode)
no ip auth-proxy auth-proxy-banner
ip auth-proxy name : to create an authentication proxy rule (in global configuration mode)
no ip auth-proxy name
show ip auth-proxy : to display the authentication proxy entries or the running authentication proxy configuration (in privileged EXEC mode)
Port to Application Mapping Commands
ip port-map : to establish Port to Application Mapping(PAM) (in global configuration mode)
no ip port-map
show ip port-map : to display the Port to Application Mapping (PAM) information (in privileged EXEC mode)
IP Security and Encryption
IPSec Network Security Commands
clear crypto sa : to delete IP Security security associations (in EXEC mode)
crypto dynamic-map : to create a dynamic crypto map entry and enter the crypto map configuration command mode (in global configuration mode)
no crypto dynamic-map
crypto engine accelerator : to enable the IP Security (IPSec) accelerator (in global configuration mode)
no crypto engine accelerator
crypto ipsec security-association lifetime : to change global lifetime values used when negotiating IPSec security associations (in global configuration mode)
no crypto ipsec security-association lifetime
crypto ipsec transform-set : to define a transform set - an acceptable combination of security protocols and algorithms (in global configuration mode)
no crypto ipsec transform-set
crypto map : to create or modify a crypto map entry and enter the crypto map configuration mode (in global configuration mode)
no crypto map
crypto map : to apply a previously defined crypto map set to an interface (in interface configuration mode)
no crypto map
crypto map local-address : to specify and name an identifying interface to be used by the crypto map for IPSec traffic (in global configuration mode)
no crypto map local-address
match address : to specify an extended access list for a crypto map entry (in crypto map configuration mode)
no match address
mode : to change the mode for a transform set (in crypto transform configuration mode)
no mode
set peer : to specify an IP Security peer in a crypto map entry (in crypto map configuration mode)
no set peer
set pfs : to specify that IP Security should ask for perfect forward secrecy (PFS) when requesting new security associations for this crypto map entry, or that IPSec requires PFS when receiving requests for new security associations (in crypto map configuration mode)
no set pfs
set security-association level per-host : to specify that separate IP Security security associations should be requested for each source/destination host pair (in crypto map configuration mode)
no set security-association level per-host
set security-association lifetime : to override (for a particular crypto map entry) the global lifetime value, which is used when negotiating IP Security security associations (in crypto map configuration mode)
no set security-association lifetime
set session-key : to manually specify the IP Security session keys within a crypto map entry (in crypto map configuration mode)
no set session-key
set transform-set : to specify which transform sets can be used with the crypto map entry (in crypto map configuration mode)
no set transform-set
show crypto dynamic-map : to view a dynamic crypto map set
show crypto engine accelerator logs : to display information about the last 32 CryptoGraphics eXtensions (CGX) Library packet processing commands and associated parameters sent from the VPN module driver to the VPN module hardware (in privileged EXEC mode)
show crypto engine accelerator sa-database : to display active (in-use) entries in the platform-specific virtual private network (VPN) module database (in privileged EXEC mode)
show crypto ipsec sa : to view the settings used by current security associations (in EXEC mode)
show crypto ipsec security-association lifetime : to view the security-association lifetime value configured for a particular crypto map entry (in EXEC mode)
show crypto ipsec transform-set : to view the configured transform sets (in EXEC mode)
show crypto map : to view the crypto map configuration
Certification Authority Interoperability Commands
certificate : to manually add certificates (in certificate chain configuration mode)
no certificate
crl optional : to allow the certificates of other peers to be accepted without trying to obtain the appropriate CRL (a revoked peer certificate is therefore accepted whenever the CRL cannot be fetched) (in ca-identity configuration mode)
no crl optional
crl query :
no crl query
crypto ca authenticate : to authenticate the certification authority (by getting the CA's certificate) (in global configuration mode)
crypto ca certificate chain : to enter the certificate chain configuration mode (in global configuration mode)
crypto ca certificate query : to specify that certificates and certificate revocation lists (CRLs) should not be stored locally but retrieved from the certification authority when needed (in global configuration mode)
no crypto ca certificate query
crypto ca crl request : to request that a new certificate revocation list (CRL) be obtained immediately from the certification authority (in global configuration mode)
crypto ca enroll : to obtain your router's certificate from the certification authority (in global configuration mode)
no crypto ca enroll
crypto ca identity : to declare the certification authority that your router should use (in global configuration mode)
no crypto ca identity
crypto ca trusted-root : to configure a trusted root with a selected name (in global configuration mode)
no crypto ca trusted-root
crypto key zeroize rsa : to delete all RSA keys from your router (in global configuration mode)
enrollment mode ra : to turn on registration authority mode (in ca-identity configuration mode)
no enrollment mode ra
enrollment retry count : to specify how many times a router will resend a certificate request (in ca-identity configuration mode)
no enrollment retry count
enrollment retry period : to specify the wait period between certificate request retries (in ca-identity configuration mode)
no enrollment retry period
enrollment url : to specify the certification authority location by naming the CA's URL (in ca-identity configuration mode)
no enrollment url
query url
no query url
root CEP : to define the Simple Certificate Enrollment Protocol (SCEP), which gets the root certificate of a given certification authority (in trusted root configuration mode)
root PROXY : to define the Hypertext Transfer Protocol proxy server for getting the root certificate (in trusted root configuration mode)
root TFTP : to define the TFTP protocol, which gets the root certificate of a given certification authority (in trusted root configuration mode)
show crypto ca certificates : to view information about your certificate, the certification authority certificate, and any registration authority certificates (in EXEC mode)
show crypto ca crls : to display the current certificate revocation list (CRL) on the router (in EXEC mode)
show crypto ca roots : to display the roots configured in the router (in EXEC mode)
Internet Key Exchange Security Protocol Commands
address : to specify the IP address of the remote peer's RSA public key you will manually configure (in public key configuration mode)
addressed-key : to specify which peer's RSA public key you will manually configure (in public key chain configuration mode)
authentication : to specify the authentication method within an Internet Key Exchange policy (in ISAKMP policy configuration mode)
no authentication
clear crypto isakmp : to clear active Internet Key Exchange connections (in EXEC mode)
crypto isakmp client configuration address-pool local : to configure the IP address local pool to reference Internet Key Exchange on your router (in global configuration mode)
no crypto isakmp client configuration address-pool local
crypto isakmp enable : to globally enable Internet Key Exchange at your peer router (in global configuration mode)
no crypto isakmp enable
crypto isakmp identity : to define the identity used by the router when participating in the Internet Key Exchange protocol (in global configuration mode)
no crypto isakmp identity
crypto isakmp keepalive : to send Internet Key Exchange (IKE) keepalive messages from one router to another router (in global configuration mode)
no crypto isakmp keepalive
crypto isakmp key : to configure a preshared authentication key (in global configuration mode)
no crypto isakmp key
crypto isakmp policy : to define an Internet Key Exchange policy (in global configuration mode)
no crypto isakmp policy
crypto key generate rsa : to generate Rivest, Shamir, and Adleman (RSA) key pairs (in global configuration mode)
crypto key pubkey-chain rsa : to enter public key chain configuration mode (so you can manually specify other devices' RSA public keys) (in global configuration mode)
crypto map client authentication list : to configure Internet Key Exchange extended authentication(Xauth) on your router (in global configuration mode)
no crypto map client authentication list
crypto map client configuration address : to configure IKE Mode Configuration on your router (in global configuration mode)
no crypto map client configuration address
crypto map isakmp authorization list : to enable Internet Key Exchange (IKE) querying of authentication, authorization, and accounting (AAA) for tunnel attributes in aggressive mode (in global configuration mode)
no crypto map isakmp authorization list
encryption : to specify the encryption algorithm within an Internet Key Exchange policy (in ISAKMP policy configuration mode)
no encryption
group : to specify the Diffie-Hellman group identifier within an Internet Key Exchange policy (in ISAKMP policy configuration mode)
no group
hash : to specify the hash algorithm within an Internet Key Exchange policy (in ISAKMP policy configuration mode)
no hash
key-string : to manually specify a remote peer's RSA public key (in public key configuration mode)
lifetime : to specify the lifetime of an Internet Key Exchange security association(SA) (in Internet Security Association Key Management Protocol policy configuration mode)
no lifetime
named-key : to specify which peer's RSA public key you will manually configure (in public key chain configuration mode)
show crypto isakmp policy : to view the parameters for each Internet Key Exchange policy (in EXEC mode)
show crypto isakmp sa : to view all current Internet Key Exchange security associations (SAs) at a peer (in EXEC mode)
show crypto key mypubkey rsa : to view the RSA public keys of your router (in EXEC mode)
show crypto key pubkey-chain rsa : to view peers' RSA public keys stored on your router (in EXEC mode)
Other Security Features
Passwords and Privileges Commands
enable password : to set a local password to control access to various privilege levels (in global configuration mode)
no enable password
enable secret : to specify an additional layer of security over the enable password command (in global configuration mode)
no enable secret
password : to specify a password on a line (in line configuration mode)
no password
privilege : to configure a new privilege level for users and associate commands with that privilege level (in global configuration mode)
no privilege
privilege level : to set the default privilege level for a line (in line configuration mode)
no privilege level
service password-encryption : to encrypt passwords in the configuration (type 7; this is reversible obfuscation that only hides passwords from casual viewing of the configuration, not a substitute for enable secret) (in global configuration mode)
no service password-encryption
show privilege : to display your current level of privilege (in EXEC mode)
username : to establish a username-based authentication system (in global configuration mode)
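Worked example (added here; not from the Cisco guide): a small Python auditor run over a constructed running-config. It demonstrates the caveat behind service password-encryption: the passwords it protects are written as type 7 strings, which decode with a fixed, public key, whereas enable secret stores a hash that cannot be recovered from the configuration. The key string is the well-known type 7 key; the regular expression, the helper names and the sample configuration are this example's own, and the sample config is constructed rather than captured from a device.

```python
"""Audit a Cisco IOS running-config for weak credential storage.

Constructed example for this page, not Cisco code. It shows why
``service password-encryption`` is no substitute for ``enable secret``:
type 7 strings are reversible obfuscation, so anyone who can read the
configuration (backups, TFTP copies, ``show running-config``) recovers
the password. ``encode_type7`` exists only to build the sample data.
"""
from __future__ import annotations

import re

# Fixed XOR key that IOS uses for type 7 passwords; publicly known for decades.
TYPE7_KEY = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def decode_type7(blob: str) -> str:
    """Reverse a type 7 string: two decimal digits of seed, then one hex byte per character."""
    if len(blob) < 4 or len(blob) % 2 or not re.fullmatch(r"[0-9A-Fa-f]+", blob):
        raise ValueError("not a type 7 string: %r" % blob)
    seed = int(blob[:2])
    chars = []
    for i, pos in enumerate(range(2, len(blob), 2)):
        byte = int(blob[pos:pos + 2], 16)
        chars.append(chr(byte ^ ord(TYPE7_KEY[(seed + i) % len(TYPE7_KEY)])))
    return "".join(chars)


def encode_type7(plain: str, seed: int = 0) -> str:
    """Produce the form IOS writes (IOS picks a seed in 0..15); used here only for sample data."""
    if not 0 <= seed <= 15:
        raise ValueError("seed must be in 0..15")
    body = "".join("%02X" % (ord(c) ^ ord(TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]))
                   for i, c in enumerate(plain))
    return "%02d%s" % (seed, body)


# One regex covers "enable password ...", "username X [privilege N] password ...",
# line-mode "password ..." and the secret variants. The type digit is absent or 0
# for cleartext, 5 for an MD5 hash, 7 for the reversible form.
_CRED_RE = re.compile(
    r"^(?:username (\S+) (?:privilege \d+ )?)?(enable )?(password|secret)(?: (\d))? (\S+)$"
)


def audit_config(config_text: str) -> list[tuple[str, str]]:
    """Return (finding, detail) pairs for every credential recoverable from the config."""
    findings: list[tuple[str, str]] = []
    has_enable_secret = has_enable_password = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = _CRED_RE.match(line)
        if not m:
            continue
        _user, enable, kind, ptype, value = m.groups()
        if kind == "secret":
            # Hashed (type 5 here): not recoverable from the config, so not a finding.
            has_enable_secret = has_enable_secret or bool(enable)
            continue
        has_enable_password = has_enable_password or bool(enable)
        if ptype == "7":
            findings.append(("reversible", "%s -> %r" % (line, decode_type7(value))))
        else:
            # No type or type 0: stored as typed (seen only without service password-encryption).
            findings.append(("cleartext", line))
    if has_enable_password and not has_enable_secret:
        findings.append(("no-enable-secret", "enable password configured without enable secret"))
    return findings


# Constructed sample running-config (not captured from a real device).
SAMPLE_CONFIG = """\
! constructed sample, not a real device
service password-encryption
enable password 7 060506324F41
username admin privilege 15 password 7 %s
username ops secret 5 $1$salt$notarealhash
line con 0
 password 7 %s
line vty 0 4
 login local
""" % (encode_type7("S3cret!", 3), encode_type7("c0ns0le", 9))


if __name__ == "__main__":
    for finding, detail in audit_config(SAMPLE_CONFIG):
        print(finding, ":", detail)
```

Run it directly to list the findings; reversible entries print the recovered plaintext next to the offending line. On a real device the fix is enable secret together with username ... secret (or AAA), keeping service password-encryption only as protection against shoulder surfing.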
IP Security Options Commands
dnsix-dmdp retries : to set the retransmit count used by the Department of Defense Intelligence Information System Network Security for Information Exchange (DNSIX) Message Delivery Protocol(DMDP) (in global configuration mode)
no dnsix-dmdp retries
dnsix-nat authorized-redirection : to specify the address of a collection center that is authorized to change the primary and secondary address of the host to receive audit messages (in global configuration mode)
no dnsix-nat authorized-redirection
dnsix-nat primary : to specify the IP address of the host to which Department of Defense Intelligence Information System Network Security for Information Exchange (DNSIX) audit messages are sent (in global configuration mode)
no dnsix-nat primary
dnsix-nat secondary : to specify an alternate IP address for the host to which Department of Defense Intelligence Information System Network Security for Information Exchange (DNSIX) audit messages are sent (in global configuration mode)
no dnsix-nat secondary
dnsix-nat source : to start the audit-writing module and to define the audit trail source address (in global configuration mode)
no dnsix-nat source
dnsix-nat transmit-count : to have the audit writing module collect multiple audit messages in the buffer before sending the messages to a collection center (in global configuration mode)
no dnsix-nat transmit-count
ip security add : to add a basic security option to all outgoing packets (in interface configuration mode)
no ip security add
ip security aeso : to attach Auxiliary Extended Security Options (AESOs) to an interface (in interface configuration mode)
no ip security aeso
ip security dedicated : to set the level of classification and authority on the interface (in interface configuration mode)
no ip security dedicated
ip security eso-info : to configure system-wide defaults for extended IP Security Option (IPSO) information (in global configuration mode)
no ip security eso-info
ip security eso-max : to specify the maximum sensitivity level for an interface (in interface configuration mode)
no ip security eso-max
ip security eso-min : to configure the minimum sensitivity for an interface (in interface configuration mode)
no ip security eso-min
ip security extended-allowed : to accept packets on an interface that has an extended security option present (in interface configuration mode)
no ip security extended-allowed
ip security first : to prioritize the presence of security options on a packet (in interface configuration mode)
no ip security first
ip security ignore-authorities : to have the Cisco IOS software ignore the authorities field of all incoming packets (in interface configuration mode)
no ip security ignore-authorities
ip security implicit-labelling : to force the Cisco IOS software to accept packets on the interface, even if they do not include a security option (in interface configuration mode)
no ip security implicit-labelling
ip security multilevel : to set the range of classifications and authorities on an interface (in interface configuration mode)
no ip security multilevel
ip security reserved-allowed : to treat as valid any packets that have Reserved1 through Reserved4 security levels (in interface configuration mode)
no ip security reserved-allowed
ip security strip : to remove any basic security option on outgoing packets on an interface (in interface configuration mode)
no ip security strip
show dnsix : to display state information and the current configuration of the DNSIX audit writing module (in privileged EXEC mode)
Unicast Reverse Path Forwarding Commands
ip verify unicast reverse-path : to enable Unicast Reverse Path Forwarding (Unicast RPF) (in interface configuration mode)
no ip verify unicast reverse-path
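Worked example (added here; not Cisco code): a Python simulation of the check that ip verify unicast reverse-path performs, run over a constructed FIB and constructed packets. Strict mode passes a packet only when the best route back to its source address leaves through the interface the packet arrived on, so spoofed sources and asymmetrically routed sources are dropped, and a source covered only by a discard (Null0) route is dropped too. The allow_default switch is an assumption modelling the later allow-default keyword, and urpf_loose models the later reachable-via any form; neither is on this page.

```python
"""Strict (and loose) Unicast RPF, simulated over a small FIB.

Constructed example for this page, not Cisco code. ``ip verify unicast
reverse-path`` makes the router look up a packet's *source* address in the
FIB and drop the packet unless the best route for that source points back
out the interface the packet arrived on. The FIB and packets are invented;
``allow_default`` is an assumption modelling the later ``allow-default``
keyword, and ``urpf_loose`` models the later ``reachable-via any`` form.
"""
from __future__ import annotations

import ipaddress

# Constructed FIB: (prefix, egress interface). "Null0" is a discard route.
FIB = [
    ("0.0.0.0/0", "Gi0/0"),       # default route toward the upstream
    ("10.1.0.0/16", "Gi0/1"),     # internal LAN
    ("10.1.200.0/24", "Gi0/2"),   # more specific subnet reached over another link
    ("192.0.2.0/24", "Null0"),    # blackholed source space
]


def lookup(src: str) -> tuple[ipaddress.IPv4Network, str] | None:
    """Longest-prefix match for src; None when no route covers it."""
    ip = ipaddress.ip_address(src)
    best = None
    for prefix, iface in FIB:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_strict(src: str, ingress: str, allow_default: bool = False) -> bool:
    """Pass only if the best route back to src leaves via the ingress interface."""
    route = lookup(src)
    if route is None:
        return False
    net, egress = route
    if egress == "Null0":
        return False                 # discard route: the source is blackholed
    if net.prefixlen == 0 and not allow_default:
        return False                 # a default route does not vouch for a source
    return egress == ingress


def urpf_loose(src: str, allow_default: bool = False) -> bool:
    """Pass if any non-discard route to src exists, whichever interface it uses."""
    route = lookup(src)
    if route is None or route[1] == "Null0":
        return False
    return allow_default or route[0].prefixlen > 0


# Constructed packets: (source address, ingress interface, why it is interesting).
PACKETS = [
    ("10.1.5.5", "Gi0/1", "normal LAN host"),
    ("10.1.5.5", "Gi0/0", "LAN address arriving from upstream: spoofed"),
    ("10.1.200.9", "Gi0/1", "asymmetric path: best route is Gi0/2, strict mode drops it"),
    ("192.0.2.7", "Gi0/0", "source covered only by a Null0 route"),
    ("203.0.113.4", "Gi0/0", "only the default route matches"),
]


def evaluate(packets=PACKETS, allow_default: bool = False) -> list[tuple[str, str, bool]]:
    """Apply strict uRPF to each packet; True means forwarded, False means dropped."""
    return [(src, ingress, urpf_strict(src, ingress, allow_default)) for src, ingress, _ in packets]


if __name__ == "__main__":
    for (src, ingress, note), (_, _, ok) in zip(PACKETS, evaluate()):
        print("%-12s in %-6s %-7s %s" % (src, ingress, "pass" if ok else "drop", note))
```

The third packet is the case that bites in practice: strict uRPF drops legitimate traffic whenever the return path differs from the arrival interface, which is why it belongs on edge interfaces with symmetric routing and why the loose form exists for multihomed cores.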
Secure Shell Commands
disconnect ssh : to terminate a Secure Shell (SSH) connection on your router (in privileged EXEC mode)
ip ssh : to configure Secure Shell (SSH) control parameters on your router (in global configuration mode)
no ip ssh
show ip ssh : to display the version and configuration data for Secure Shell (SSH) (in privileged EXEC mode)
show ssh : to display the status of Secure Shell (SSH) server connections (in privileged EXEC mode)
ssh : to start an encrypted session with a remote networking device (in EXEC mode)