Cisco IOS Security command Guide

copy system:running-config nvram:startup-config : to save your configuration changes to the startup configuration so that the changes will not be lost if the software reloads or a power outage occurs

command | {begin | include | exclude} regular-expression : filtering output from the show and more commands (you can search and filter the ourput of show and more commands)

eg : Router# show interface | include protocol

Authentication, Authorization, and Accouting

Authentication Commands

aaa authentication arap : to enable an authentication, authorization, and accounting(AAA) authentication method for AppleTalk Remote Access(ARA) (in global configuration mode)

no aaa authentication arap

aaa authentication banner : to configure a personalized banner that will be displayed at user login (in global onfiguration mode)

no aaa authentication banner

aaa authentication enable default : to enable authentication. authorization, and accounting(AAA) authentication to determine if a user can access the privileged command level (in global configuration mode)

no aaa authentication enable default

aaa authentication fail-message : to configure a personalized banner that will be displayed when a user fails login (in global configuration mode)

no aaa authentication fail-message

aaa authentication login : to set authentication, authorization, and accounting(AAA) authentication at login (in global configuration mode)

no aaa authentication login

aaa authentication nasi : to specify authentication, authorization, and accounting(AAA) authentication for Netware Asynchronous Serices Interface(NASI) clients connecting through the access server (in global configuration mode)

no aaa authentication nasi

aaa authentication password-prompt : to change the text displayed when users are prompted for a password (in global configuration mode)

no aaa authentication password-prompt

aaa authentication ppp : to specify one or more authentication, authorization, and accounting(AAA) authentication methods for use on serial interfaces that are running PPP (in global configuration mode)

no aaa authentication ppp

aaa authentication username-prompt : to change the text displayed when users are prompted to enter a username (in global configuration mode)

no aaa authentication username-prompt

aaa dnis map authentication login group : to map a Dialed Number Information Service(DNIS) number to a particulat authentication authorization, and accounting(AAA) server group for the login service(this server group will be used for AAA authentication) (in global configuration mode)

no aaa dnis map authentication login group

aaa dnis map authentication ppp group : to map a Dialed Number Information Service(DNIS) number to a particular authentication server grop(this server group will be used for authentication, authorization, and accounting(AAA) authentication) (in global cofiguration mode)

no aaa dnis map authentication ppp group

aaa nas redirected-station : to include the original number inn the information sent to the authentication server when the number dialed by a device is redirected to another number for authentication (in global configuration mode)

no aaa nas redirected-station

aaa new-model : to enable the authentication, authorization, and accounting(AAA) access control model (in global configuration mode)

no aaa new-model

aaa pod server : to enable inbound user sessions to be disconnected when specific session attributes are presented (in global configuration mode)

no aaa pod server

aaa preauth : to enter authentication, authorization, and accounting(AAA) preauthentication configuration mode (in global configuration mode)

no aaa preauth

aaa processes : to allocate a specific number of background processes to be used to process authentication, authorization, and accounting(AAA) authentication and authorization requests for PPP (in global configuration mode)

no aaa processes

access-profile : to apply your per-user authorization attributes to an interface during a PPP session (in privileged EXEC mode)

no access-profile

arap authentication : to enable authentication, authorization, and accounting(AAA) authentication for AppleTalk Temote Access Protocol(ARAP) on a line (inn line configuration mode)

no arap authentication

clear ip trigger-authentication : to clear the list of remote hosts for which automated double authentication has been attempted (in privileged EXEC mode)

dnis(AAA preauthentication) : to preauthenticate calls on the basis of the Dialed Number Identification Service(DNIS) number

no dnis

group : to specify the authentication, authorization, and accounting(AAA) TACACS+ server group to use for preauthentication (in AAA preauthentication configuration mode)

no group

ip trigger-authentication : to enable the automated part of double authentication at a device (in global onfiguration mode)

no ip trigger-authentication

ip trigger-suthentication : to specify automated double authentication at an interface (in interface configuration mode)

no ip trigger-authentication

login authentication : to enable authentication, authorization, and accounting(AAA) authentication for login (in line configuration mode)

no login authentication

nasi authentication : to enable authentication, authorization, and accounting(AAA) authentication for NetWare Asynchronous Services Interface(NASI) clients connecting to a router (in line configuration mode)

no nasi authentication

ppp authentication : to enable Challenge Handshake Authentication Protocol(CHAP) or Password Authentication Protocol(PAP) or both and to specify the order in which CHAP and PAP authentication are selected on the interface (in interface configuration mode)

no ppp authentication

ppp chap hostname : to create a pool of dialup routers that all appear to be the same host when authenticating with Challenge Handshake Authentication Protocol(CHAP) (in interface configuration mode)

no ppp chap hostname

ppp chap password : to enable a router calling a collection of routers that do not support this command(such as routers running older Cisco IOS software images) to configure a common Challenge Handshake Authentication Protocol(CHAP) secret password to use in response to challenges from an unknown peer (in interface configuration mode)

no ppp chap password

ppp chap refuse : to refuse Challenge Handshake Authentication Protocol(CHAP) authentication from peers requesting it (in interface configuration mode)

no ppp chap refuse

ppp chap wait : to specify that the router will not authenticate to a peer requesting Challenge Handshake Authentication Protocol(CHAP) authentication until after the peer has athenticated itself to the router (in interface configuration mode)

no ppp chap wait

ppp pap refuse : to refuse a peer request to authenticate remotely with PPP using Password Authentication Protocol (in interface configuration command)

no ppp pap refuse

ppp pap sent-username : to reenable remote Password Authentication Protocol(PAP) support for an interface and use the sent-username and password in the PAP authentication request packet to the peer (in interface configurtation mode)

no ppp pap sent-username

show ip trigger-authentication : to view the list of remote hosts for which automated double authentication has been attempted (in privilged EXEC mode)

show ppp queues : to monitor the number of requests processed by each authentication, authorization, and accounting(AAA) background process (in privileged EXEC mode)

timeout login response : to specify how long the system will wait for login input (such as username and password) before timing out (in line configuration mode)

no timeout login response

Authorization Commands

aaa authorization : to set parameters that restrict user access to a network (in global configuration mode)

no aaa authorization

aaa authorization config-commands : to reestablish the default created when the aaa authorization commands command was issued (in global configuration mode)

no aaa authorization config-commands

aaa authorization console : to apply authorization to a console (in global configuration mode)

no aaa authorization console

aaa authorization reverse-access : to configure a network access server to request authorization information from a security server before allowing a user to establish a reverse Telnet session (in global configurtion mode)

no aaa authorization reverse-access

aaa dnis map authorization network group : to map a Dialed Number Identification Service(DNIS) number to a particulat authentication, authorization, and accounting(AAA) server group (the user group that will be used for AAA authorization) (in global configuration mode)

no aaa dnis map authorization network group

authorization : to enable authentication, authorization, and accouting(AAA) authorization for a specific line or group of lines (in line configuration mode)

no authorization

ppp authorization : to enable authentication, authorization, and accounting(AAA) authorization on the selected interface (in interface configuration mode)

no ppp authorization

Accounting Commands

aaa accounting : to enable authentication, authorization, and accountign(AAA) accounting of requested services for billing or security purposes when you use RADIUS or TACACS+ (in global configuration mode)

no aaa accounting

aaa accounting connection h323 : to define the accounting method list H.323 with RADIUS as a method with either stop-only or start-stop accounting options (in global configuration mode)

no aaa accounting connection h323

aaa accounting delay-start : to delay generation of accounting "start" records until the user IP address is established (in global configuration mode)

no aaa accounting delay-start

aaa accounting nested : to specify that NETWORK records be generated, or nested, within EXEC "start" and "stop" records for PPP users who start EXEC terminal sessions (in global configuration mode)

no aaa accounting nested

aaa accounting resource start-stop group : to enable full resource accounting, which will generate both a "start" record at call setup and a "stop" record at call termnation (in global configuration mode)

no aaa accounting resource start-stop group

aaa accounting resource stop-faliure group : to enable resource failure stip accounting support, which will generate a "stop" record at any point prior to user authentication only if a call is terminated (in global configuration mode)

no aaa accounting resoure stop-failure group

aaa accounting send stop-record authentication failure : to generate accounting "stop" record for users who fail to authenticate at login or during session negotiation (in global configuration mode)

no aaa accounging send stop-record authentication failure

aaa accounting suppress null-username : to prevent the Cisco IOS software from sending accounting records for users whose username string is NULL (in global configuration mode)

no aaa accounting suppress null-username

aaa accounting update : to enable periodic interim accounting records to be sent to the accounting server (in global configuration mode)

no aaa accounting update

aaa dnis map accounting network : to map a Diald Number Information Service(DNIS) number to a particular authentication, authorization, and accounting(AAA) server group that will be used for AAA accounting (in global configuration mode)

no aaa dnis map accounting network

aaa sesion-mib : to enable disconnect by using Simple Network Management Protocol(SNMP) (in global onfiguration mode)

no aaa session-mib disconnect

accounting : to enable authentication, authorization, and accounting(AAA) accountign services to a specified line or gorup of lines (in line configuration mode)

no accounting

accounting : to enable the accounting on the gatekeeper (i gatekeeper configuration mode)

no accounting

ppp accounting : to enable authentication, authorization, and accounting(AAA) accounting services on the selected interface (in interface configuration mode)

no ppp accounting

show accounting : to step through all ative sessions and to print all the accounting records for actively accounted functions (in EXEC mode)

no show accounting

Security Server Protocols

RADIUS Commands

aaa group server radius : to group different RADIUS server hosts into distinct lists and distinct methods (in global configuration mode)

no aaa group server radius

aaa nas port extended : to replace the NAS-Port attribute with RADIUS IETF attribute 26 and to display extended field information (in global configuration mode)

no aaa nas port extended

call guard-timer : to set a guard tmer to accept or reject a call in the event that the RADIUS server fails to respond to a preauthentication request (in controller configuration mode)

no call guard-timer

clid : to preauthenticate calls on the basis of the Calling Line Identificaton(DLIC) number(in AAA preautheitication configuration mode)

no clid

ctype : to preautheiticate calls on the basis of the call type (in AAA preautheitication configuration mode)

no ctype

deadtime : to configure deadlint within the context of RADIUS server groups (i server-group configuration mode)

no deadtime

dialer aaa  to allow a dialer to access the authentication, authorization, and accounting(AAA) server for dialing information (in interface configuration mode)

no dialer aaa

dnis : to preauthenticate calls on the basis of the DNIS(Dialed Number Identification Service) number (in AAA preauthentication configuration mode)

no dnis

dnis bypass : to specify a group of DNIS(Dialed Number Identification Service) numbers that will be bypassed for preauthentication (in AAA preauthentication configuration mode)

no dnis bypass

group : to specify the authentication, authorization, and acounting(aaa) RADIUS server froup to use for preauthentication (in AAA preauthentication configuration mode)

no froup

ip radius source-interface : to force RADIUS to use the IP address of a specified interface for al outgoing RADIUS packets (in global configuration mode)

no ip radius source-interface

radius-server attribute 32 include-in-access-req : to send RADIUS attribute 32 (NAS-Identifier) in an access-request or acounting-request (in global configurtion mode)

no radius-server attribute 32 include-in-access-req

radius-server attribute 44 include-in-access-req : to send RADIUS attribute 44 (Accounting Session ID) in access request packets before user authentication (including requests for preauthentication) (in global configuration command)

no radius-server attribute 44 include-in-access-req

radius-server attribute 55 include-in-acct-req : to send the RADIUS attribute 55 (Event-Timestamp) in accounting packets (in global configuration mode)

no radius-server attribute 55 include-in-acct-req

radius-server attribute 69 clear : to receive nonencrypted tunnel passwords in attribute 69(Tunnel-Password) (in global configuration mode)

no radius-server attribute 69 clear

radius-server attribute 188 format non-standard : to send the number of remaining links in the multilink bundle in the accounting0request packet (in global configuration mode)

no radius-server attribute 188 format non-standard

radius-server attribute nas-port formar : to select the NAS-Port format used fot RADIUS accounting features, and to restore the default NAS-Port format (in global configuration mode)

no radius-server attribute nas-port format

radius-server challenge-noecho : to prevent user responses to Access-Challenge packets from being displayed on the screen (in global configuration mode)

no radius-server challenge-noecho

radius-server configure-nas : to hae the Cisco router or access server query the vendor-proprietary RADIUS server for the static routes and IP pool definitions used throughout its domain when the debice starts up (in global configuration mode)

no radius-server configure-nas

radius-server deadtime : to improve RADIUS response times when some servers might be unavailable (in global configuration mode)

no radius-server deadtime

radius-server directed-request : to allow users logging into a Cisco network access server (NAS) to select a RADIUS server for authentication (in global configuration mode)

no radius-server directed-request

radius-server host : to specify a RADIUS server host (in global configuration mode)

no radius-server host

radius-server host no n-standard : to identify that the security server is using a vendor-proprietary implementation of RADIUS (in global configuration mode)

no radius-server host non-standard

radius-server key : to set the authentication and encryption key for all RADIUS communications between the router and the RADIUS daemon (in global configuration mode)

no radius-server key

radius-server optional passwords : to specify that the first RADIUS request to a RADUS server be made without password verification (in global configuration mode)

no radius-server optional passwords

radius-server retransmit : to specify the number of times the Cisco IOS software searches the list of RADIUS server hosts before giving up (in global configuration mode)

no radius-server retransmit

radius-server timeout : to set the interval for which a router waits for a server host to reply (in global configuration mode)

no radius-server timeout

radius-server unique-ident : to assign a unique accounting session identification (Acce-Session-Id) (in global configuration mode)

no radius-server unique-ident

radius-server vsa send : to configure the network access server to recognize and use vendor-specific attributes (in global configuration mode)

no radius-server vsa send

server : to configure the IP address of the RADIUS server for the group server (in server-group configuration mode)

no server

show radius statictics : to display the RADIUS statistics for accounting and authentication packets (in EXEC mode)

vpdn aaa attribute : to enable reporting of network access server (NAS) authentication, authorization, and accountign (AAA) attributes related to a virtual provate diaalup network (vPDN) to the AAA server (in global configuration mode)

no vpdn aaa attribute

TACACS+ Commands

aaa group server tacacs+ : to group different server hosts into distinct lists and distinct methods (in global configuration mode)

no aaa group server tacacs+

ip tacacs source-interface : to use the IP address of a specified interface for all outgoing TACACS+ packets (in global configuration mode)

no ip tacacs source-interface

server : to configure the IP address of the TACACS+ server for the group server (in tCACS+ group server configuration mode)

no server

show tacascs : to display statistics for a TACACS+ server (in EXEC configuration mode)

tacacs-server administration : to enable the handling of administrative messages by the Tcacs+ daemon (in global configuration mode)

no tacacs-server administration

tacacs-server directed-request : to send only a username to a specified server when a direct request is issued (in global configuration mode)

no tacacs-server directed-request

tacacs-server dns-alias-lookup : to eable IP Domain Name System(DNS) alias lookup for TACACS+ server (in global configuration mode)

no tacacs-server dns-alias-lookup

tacacs-server host : to specify a TACACS+ host (in global configuration mode)

no tacacs-server host

tacacs-server key : to set the authentication encryption key used for all TACACS+ communications between the access server and the TACACS+ daemon (in global configuration mode)

no tacacs-server key

tacacs-server packet : to modify TACACS+ packet option (in global configuration mode)

no tacacs-server packet

tacacs-server timeout : to set the interva for which the server waits for a server host to reply (in global configuration mode)

no tacacs-server timeout

Kerberos Commands

clear kerberos creds : to delete the contents of the credentials cache (in privileged EXEC mode)

kerberos clients mandatory : to cause the rsh, rcp, rlogin and telnet commands to fail if they cannot negotiate the Kerberos protocol with the reomte server (in global configuration mode)

no kerberos clients mandatory

kerberos credentials forward : to force all network application clients on the router to forward users‘ Kerberos credentials upon successful Kerberos authentication (in global configuration mode)

no kerberos crednetials forward

kerberos instance map : to map Kerberos instances to Cisco IOS privilege levels (in global configuration mode)

no kerberos instance map

kerberos loccal-realm : to specify the Kerberos realm in which the router is located (in global configuration mode)

no kerberos local-realm

kerberos preauth : to specify a preauthentication method to use to communicate with the key distribution center(KDC) (in globl configuration mode)

no kerberos preauth

kerberos realm : to map a host name or Domain Name System(DNS) domain to a Kerberos realm (in global configuration mode)

no kerberos realm

kerberos server : to specify the location of the Kerberos server for a given Kerberos realm (in global configuration mode)

no kerberos server

kerberos srvtab entry : to retrieve a SRVTAB file from a remote host and automatically generate a Kerberos SRVTAB entry configuration (in global configuration mode)

no kerberos srvtab entry

kerberos srvtab remote : to retrieve a SRVTAB file from a remote host and automatically generate a Kerberos SRVTAB entry configuration (in global configuration mode)

key config-key : to define a private DES key for the router (in global configuration)

no key config-key

show kerberos creds : to display the cotents of your credentials cache (in privileged EXEC mode)

Traffic Filtering and Firewalls

Lock-and-Key Commands

access-enable : to enable the router to create a temporary access list entry in a dynamic access list (in EXEC mode)

access-list dynamic-extend : to allow the absolte timer of the dynamic access control list(AL) to be extended an additional six minutes (in global configuration mode)

no access-list dynamic-extend

access-template : to manually place a temporary access list entry on a router to which you are connected (in EXEC mode)

clear access-template : to manually clear a temporary access list entry from a dynamic access list (in EXEC mode)

Reflexive Access List Commands

evaluate : to nest a reflexive access list within an access list (in access-list configuration mode)

no evaluate

ip reflexive-list timeout : to specify the length of time that reflexive access list entries will continue to exist when no packets in the session are detected (in global configuration mode)

no ip reflexive-list tmieout

permit : to create a reflexive access list and to enable its temporary entries to be automatically generated (in access-list configuration mode)

no permit

TCP Intercept Commands

ip tep intercept connection-timeout : to change how long a TCP connection will be managed by the TCP intercept after no activity (in global configuration mode)

no ip tcp intercept connection-timeout

ip tcp intercept drop-mode : to set the TCP intercept drop mode (in global configuration command)

no ip tcp intercept drop-mode

ip tcp intercept finrst-timeout : to change how long after receipt of a reset or FIN-exchange the software ceases to manage the connection (in global configuration mode)

no ip tcp intercept finrst-timeout

ip tcp intercept list : to enable TCP intercept (in global configuration mode)

no ip tcp intercept list

ip tcp intercept mas-incomplete high : to define the maximum number of oncomplete connections allowed before the software enters aggressive mode (in global configuration mode)

no ip tcp intercept max-incomplete high

ip tcp intercept max-incomplete low : to define the number of incomplete connections below which the software leaves aggressive mode (in global configuration mode)

no ip tcp intercept ma-incomplete low

ip tcp intercept mode : to change the TCP intercept mode (in global configuration command)

no ip tcp intercept mode

ip tcp intercept one-minute high : to define the number of connection requests received in the last on-minutes sample period before the software enters aggerssive mode (in global configuration mode)

no ip tcp intercept one-minute high

ip tcp intercept one-minute low : to define the number of connection requests below which the software leaves aggressive mode (in global configuration mode)

no ip tcp intercept one-minute low

ip tcp intercept watch-timeout : to define how long the software will wait for a watched TCP intercept connection to reach established state before sending a reset to the server (in global configuration mode)

no ip tcp intercept watch-timeout

show tcp intercept connections : to display TCP incomplete and established connections (in EXEC mode)

show tcp intercept statistics : to display TCP intercept statistics (in EXEC mode)

Context-Based Access Control Commands

ip inspect alert-off : to disable Context-based Access Control (CBAC) alert messages, which are displayed on the console (in global configuration mode)

no ip inspect alert-off

ip inspect audit trail : to turn on Context-based Access Control(CBAC) audit trail messages, which will be displayed on the console after each CBAC session closes (in global configuration mode)

no ip inspect audit trail

ip inspect dns-timeout : to specify the Domain Name System (DNS) idle timeout (the length of tmie during which a DNS name lookup session will still be managed while there is no activity) (in global configuration mode)

no ip inspect dns-timeout

ip inspect : to apply a set of inspection rules to an interface (in interface configuration mode)

no ip inspect

ip inspect max-incomplete high : to define the number of existing half-open session that will cause the software to start deleting half-open sessions (in global configuration mode)

no ip inspect max-incomplete high

ip inspect max-incomplete low : to define the number of existing half-open sessions that will cause the software to stop deleting half-open sessions (in global configuration mode)

no ip inspect max-incomplete low

ip inspect name : to define a set of inspection rules (in global configuration mode)

no ip inspect name

ip inspect one-minute high : to define the rate of new unestablished sessions that will cause the software to start deleting half-open sessions (in global configuration mode)

no ip inspect one-minute high

ip inspect one-minute low : to define the rate of new unestablished TCP sessions that will cause the software to stop deleting half-open sessions (in global configuration mode)

no ip inspect one-minute low

ip inspect tcp finwait-time : to define how long a TCP session will still be managed after the firewall detects a FIN-exchange (in global configuration mode)

no ip inspect tcp finwait-time

ip inspect tcp idle-time : to specify the TCP idle timeout (the length of time a TCP session will still be managed while there is no activity) (in global configuation mode)

no ip inspect tcp ile-time

ip inspect tcp max-incomplete host : to specify threshold and blocking time values for TCP host-specific denial-of-service detection and prevention (in global configuration mode)

no ip inspect tcp max-incomplete host

ip inspect tcp synwait-time : to define how long the software will wait for a TCP session to reach the established state before dropping the session (in global configuration mode)

no ip inspect tcp synwait-time

ip inspet udp idle-time : to specify the User Datagram Protocol idle timeout (the length of time for which a DUP "session" will still be managed while there is no activity) (in global configuration model)

no ip inspect udp idle-time

no ip inspect : to turn off Context=based Access Control(CBAC) completely at a firewall (in glbal configuration mode)

show ip inspect : to view Context-based Access Control(CBAC) configuration and session information (in privileged EXEC mode)

Cisco IOS Firewall Intrusion Detection System Commands

clear ip audit configuration : to disable Cisco IOS  Firewall IDS, remove all intrusion detection configuration entries, and release dynamic resources (in EXEC mode)

clear ip audit statistics : to reset statistics on packets analyzed and alarms sent (in EXEC mode)

ip audit : to apply an audit specification created with the ip audit command to a specific interface and for a specific direction (in interface donfiguration mode)

no ip audit

ip audit attack : to specify the default actions for attack signatures (in global configuration mode)

no ip audit attack

ip audit info : to specify the defaut actions for info signatures (in global configuration mode)

no ip audit info

ip audit name : to creates audit rules for info and attack signature types (in global configuration mode)

no ip audit name

ip audit nitify : to specify the method of event notification (in global configuration mode)

no ip audit notify

ip audit po local : to specify the local Post Office parameters used when sending event notifications to the NetRanger Director (in global configuration mode)

no ip audit po local

ip audit po max-events : to specify the maximum number of event notifications that are replaced in the router‘s event queue (in global configuration mode)

no ip audit po max-events

ip audit po protected : to specify whether an address is on a protected network (in global configuration mode)

no ip audit po protected

ip audit po remote : to specify one or more set of Post Office parameters for NetRanger Directors receiving event notifications from the router (in global configuration mode)

no ip audit po remote

ip audit signature : to attach a policy to a signature (in global configuration mode)

no ip audit signature

ip audit smtp : to specify the number of recipients in a mail message over which a spam attack is suspected (in global configuration mode)

no ip audit smtp

show ip audit configuration : to display additional configuration information, including default values that may not be displayed using the show run command (in EXEC mode)

show ip audit interface : to display the interface configuration (in EXEC mode)

show ip audit statistics : to display the number of packets audited and teh number of alarms sent, among other information (in EXEC mode)

Authentication Proxy Commands

clear ip auth-proxy cache : to clear authentication proxy entries from the router (in EXEC mode)

ip auth-proxy : to set the authentication proxy idle timeout value (the length of time an authentication cache entry, along with its associsted dynamic user access control list, is managed after a period of inactivity) (in global configuration mode)

no ip auth-proxy auth-cache-time

ip auth-proxy : to apply an authentication proxy rule at a firewall interface (in interface configuration mode)

no ip auth-proxy

ip auth-proxy auth-proxy-banner : to display a banner, such as the router name, in the authentication proxy login page (inn global configuration mode)

no ip auth-proxy auth-proxy-banner

ip auth-proxy ame : to create an authentication proxy rule (in global configuration mode)

no ip auth-proxy name

show ip auth-proxy : to display the authentication proxy entries or the running authentication proxy configuration (in privileged EXEC mode)

Port to Application Mapping Commands

ip port-map : to establish Port to Application Mapping(PAM) (in global configurtion mode)

no ip port-map

show ip port-map : to display the Port to Application Mapping (PAM) information (in privileged EXEC mode)

IP Security and Encryption

IPSec Network Security Commands

clear crypto sa : to delete IP Security security association (in EXEC mode)

crypto dynamic-map : to create a dynamic crypto map entry and enter the crypto map configuration command mode (in global configuration mode)

no crypto dynamic-map

crypto engine accelertor : to enable the IP Security (IPSec) accelertor (in global configuration mode)

no crypto engine accelerator

crypto ipsec security-association lifetime : to change global lifetime values used when negotiating IPSec security associations (in global configuration mode)

no crypto ipsec security-association lifetime

crypto ipsec transform-set : to define a transform set - an acceptable combination of secrity protocols and algorithms (in global configuration mode)

no crypto ipsec transform-set

crypto map : to create or modify a crypto map entry and enter the crypto map configuration mode (in global configuration mode)

no crypto map

crypto map : to apply a previously defined ceypto map set to an interfae (in interfae configuration mode)

no crypto map

crypto map local-address : to specify and name an identifying interface to be used by the crypto map for IPSec traffic (in global configuration mode)

no crypto map

match address : to specify an extended access list for a crypto map entry (in crypto map configuration mode)

no match address

mode : to change the mode for a transform set (in crypto transform configuration mode)

no mode

set peer : to specify an IP Security peer in a crypto map entry (in crypto map configuration mode)

no set peer

set pfs : to specify that IP Security should ask for perfect forward secrey(PFS) when requesting new security associations for this crypto map entry, or that IPSec requires PFS when receiving requests for new security associatios (in crypto map configuration mode)

no set pfs

set security-association level per-host : to specify that separate IP Security security associations should be requested for each source/destinaton host pair (in crypto map configuration mode)

no set security-association level per-host

set security-association lifetime : to override (for a particulat crypto map entry) the global lifetime value, which is used when negotiating IP Security associations (in crypto map configuration mode)

no set security-association lifetime

set session-key : to manually specify the IP Security session keys within a crypto map entry (in crypto map configuration mode)

no set session-key

set transform-set : to specify which transform sets can be used with the crypto map entry (in crypto map configuration mode)

no set transform-set

show crypto dynamic-map : to view a dynamic crypto map set

show crypto engine accelerator logs : to display information about the last 32 CryptoGraphics eXtensions(CGX) Library packets processing commands and associated parameters sent from the VPN module driver to the VPN modeule hardware (in privileged EXEC mode)

show crypto engine accelerator sa-database : to display active(in-use) entries in the platform-specific virtual network (VPN) module database (in privileged EXEC mode)

show crypto ipsec sa : to view the settings used by current security associations (in EXEC mode)

show crypto ipsec security-association lifetime : to view the security-association lifetime value configured for a particular crypto map entry (in EXEC mode)

show crypto ipsec transform-set : to view the configured transform sets (in EXEC mode)

show crypto map : to view the crypto map configuration

Certification Authority Interoperability Commands

certificate : to manually add certificates (in certificate chain configuration mode)

no certificate

crl optional : to allow the certificates of other peers to be accepted without tryig to obtain the approriate CRL (in ca-identity configuration mode)

no crl optional

crl query :

no crl query

crypto ca authenticate : to authenticate the certification authority (by getting the CA‘s certificate) (in globa configuration mode)

crypto ca certificate chain : to enter the certificate chain configuration mode) (in global configuration mode)

crypto ca certificate query : to specify that certificates and certificate revocation lists (CRLs) should not be stored locally but retrieved from the certification authority when needed (in global configuration mode)

no crypto ca certificate query

ceypto ca crl request : to request that a new certificate revocation liset (CRL) be obtained immediately from the certification authority (in global configuration mode)

crypto ca enroll : to obtain your router‘s certificate from the certification authority (in global configuration mode)

no crypto ca enroll

crypto ca identity : to declare the certification authority that your router should use (in global configuration mode)

no crypto ca identity

crypto ca trusted-root : to configure a trusted root with a selected name (in global configuration mode)

no crypto ca trusted-root

crypto key zeroize rsa : to delete all RSA keys from your router (in global configuration mode)

enrollment mode ra : to turn on refistration authority mode (in ca-identity configuration mode)

no enrollment mode ra

enrollment retry count : to specify how many times a router will resent a certificate request (in ca-identity configuration mode)

no enrollment retry count

enrollment retry period : to specify the wait period between certificate request retries (in ca-identity configuration mode)

no enrollment retry period

enrollment url : to specify the certification authority location by namign the CA‘s URL (in ca-identity configuration mode)

no enrollment url

query url

no query url

root CEP : to define the Simple Certificate Enrollment Protocol (SCEP), which gets the root certificate of a given certification authority

root PROXY : to define the Hypertext Transfer Protocol proxy server for getting the root certificate (in trusted root configuration mode)

root TFTP : to define the TFTP protocol, which gets the root certificate of a given certificate of a given certification authority (in trusted root configuration mode)

show crypto ca certificates : to view information about your certificate, the certification authority certificate, and any registration authority certificates (in EXEC mode)

show crypto ca crls : to display the current certificate revocation list (CRL) on router (in EXEC mode)

show crypto ca roots : to display the roots configured in the router (in EXEC mode)

Internet Key Exchange Security Protocol Commands

address : to specify the IP address of the remote peer‘s RSA public key you will manually configure (in public key configuration mode)

addressed-key : to specify which peer‘s RSA public key you will manually configure (in public key chain cinfigurationn mode)

authentication : to specify the authentication method within an Internet Key Exchange policy (in ISAKMP policy configuration mode)

no authentication

clear crypto isakmp : to cleat active Internet Key Exchagne connections (in EXEC mode)

crypto isakmp client configuration address-pool local : to configure the IP address local pool to reference Internet Key Exchange on your router (in global configuration mode)

no crypto isakmp client configuration address-pool local

crypto isakmp enable : to globally enable Internet Key Exchange at your peer router (in global configuration mode)

no crypto isakmp enable

crypto isakmp identity : to define the identity used by the router when  participating in the Internet Key Exchange protocol (in global configuration mode)

no crypto isakmp identity

crypto isakmp keepalive : to send Internet Key Exchange (IKE) keepalive messages from one router to another router (in global configuration mode)

no crypto isakmp keepalive

crypto isakmp key : to configure a preshared authentication key (in global configuration mode)

no crypto isakmp key

crypto isakmp policy : to define an Internet Key Exchange policy (in global configuration mode)

no crypto isakmp policy

crypto key generate rsa : to generate Rivest, Shamir, and Adelman(RSA) key pairs (in global configuration mode)

crypto key pubkeu-chain rsa : to enter public key configuration mode (so you can manually specify other devices‘ RSA public keys) (in global configuration mode)

crypto map client authentication list : to configure Internet Key Exchange extended authentication(Xauth) on your router (in global configuration mode)

no crypto map client authentication list

crypto map client configuration address : to configure IKE Mode Configuration on your router (in global configuration mode)

no crpto map client configuration address

crypto map isakmp authorization list : to enable Internet Key Exchange (IKE) querying of authentication, authorization, and accounting (AAA) for tunnel attributes in aggressive mode)

no crypto map isakmp authorization list

encryption : to specify the encryption algorithm within an Internet Key Exchange policy (in ISAKMP policy configuration mode)

no encryption

group : to specify the Diffie-Hellman group identitier within an Internet Key Exchange policy (in ISAKMP policy configuration mode)

no group

hash : to specify the hash algorith within an Internet Key Exchange policy (in ISAKMP policy configuration mode)

no hash

key-string : to manually specify a remote peer‘s RSA public key (in public key configuration mdoe)

lifetime : to specify the lifetime of an Internet Key Exchange security association(SA) (in Internet Security Association Key Management Protocol policy configuration mode)

no lifetime

named-key : to specify which peer‘s RSA public public key you will manually configure (in publi key chain configuration mode)

show crypto isakmp policy : to view the parameters for each Internet Key Exchagne policy (in EXEC mode)

show crypto isakmp sa : to view all current Internet Key Exchange security associations (SAs) at a peer (in EXEC mode)

show crypto key mypubkey rsa : to view the RSA public keys of your router (in EXEC mode)

show crypto key pubkey-chain rsa : to view peer‘s RSA public keys stored on your router (in EXEC mode)

Other Security Features

Passwords and Privileges Commands

enable password : to set a local password to control acess to various privilege levels (in global configuration mode)

no enable password

enable secret : to specify an additional layer of security over the enable password command (in global configuration mode)

no enable secret

password : to specify a password on a line (in line configuration mode)

no password

privilege : to configure a new privilege level for users and associate commands with that privilege level (in global configuration mode)

no privilege

privilege level : to set the default privilege level for a line (in line configuration mode)

no privilege level

service password-encryption : to encrypt passwords (in global configuration mode)

no service password-encryption

show privilege : to display your current level of privilege (in EXEC mode)

username : to establish a username-based authentication system (in global configuration mode)

IP Security Options Commands

dnsix-dmdp retries : to set the retransmit count used by the Department of Defense Intelligence Information System Network Security for Information Exchange (DNSIX) Message Delivery Protocol(DMDP) (in global configuration mode)

no dnsix-dmdp retries

dnsix-nat authorized-redirection : to specify the address of a collection center that is authorized to change the primary and secondary address of the host to receive audit messages (in global configuration mode)

no dnsix-nat authorized-redirection

dnsix-nat primary : to specify the IP address of the host to which Department of Defense Intelligence Information System Network Security for Information Exchange (DNSIX) audit messages are set (in global configuration mode)

no dnsix-nat primary

dnsix-nat secondary : to specify an alternate IP address for the host to which Department of Defense Intelligence Information System Network Security for Information Exchange (DNSIX) audit messages are sent (in global configuration mode)

no dnsix-nat secondary

dnsix-nat source : to start the audit-writing module and to define the audit trail source address (in global configuration mode)

no dnsix-nat source

dnsix-nat transmit-count : to have the audit writing module collect multiple audit messages in the ubffer before sending the messages to a collection center (in global configuration mode)

no dnsix-nat transmit-count

ip security add : to add a basic security option to all outgoing packets (in interface configuration mode)

no ip security add

ip security aeso : to attach Auxiliary Extended Security Options(AESOs) to an interface (in interface configuration moe)

no ip security aeso

ip security dedicated : to set the level of classification and authority on the interface (in interface configuration mode)

no ip security dedicated

ip security eso-info : to configure system-wide defaults for extended IP Security Option (IPSO) information (in global configuration mode)

no ip security eso-info

ip security eso-max : to specify the maximum sensitivity level for an interface (in interface configuration mode)

no ip security eso-max

ip security eso-min : to configure the minimum sensitivity for an interface (in interface configuration mode)

no ip security eso-min

ip security extendd-allowed : to accept packets on an interface that has an extended security optionn present (in interface configuration mode)

no ip security extended-allowed

ip security first : to prioritize the presence of security options on a packet (in interface configuration mode)

no ip security first

ip security ignore-authorities : to have the Cisco IOS software ignore the authorities field of all incoming packets (in interface configuration mode)

no ip security ignore-authorities

ip security implicit-labelling : to force the Cisco IOS software to accept packets on the interface, even if they do not include a security option (in interface configuration mode)

no ip security implicit-labelling

ip security multilevel : to set the range of classifications and authorities on an interface (in interface configuration mode)

no ip security multilevel

ip security reserved-allowed : to treat as valid any packets that have Reserved1 through Reserved4 security levels (in interface configuration mode)

no ip security reserved-allowed

ip security strip : to remove any basis security option on outgoing packets on an interface (in interface configuration mode)

no ip security strip

show dnsix : to display state information and the current configuration of the DNSIX audit writing module (in privileged EXEC mode)

Unicast Reverse Path Forwarding Commands

ip verify unicast reverse-path : to enable Unicast Reverse Path Forwarding (Unicast RPF) (in interface configuration mode)

no ip verify unicast reverse-path

Secure Shell Commands

disconnect ssh : to terminate a Secure Shell (SSH) connection on your router (in privileged EXEC mode)

ip ssh : to configure Secure Shell (SSH) control parameters on your router (in global configuration mode)

no ip ssh

show ip ssh : to display the version and configuration data for Secure Shell (SSH) (in privielged EXEC mode)

show ssh : to display the status of Secure Shell(SSH) server conection (in privileged EXEC mode)

ssh : to start an encrypted session with a remote networking device (in EXEC mode)

时间: 2024-10-17 19:05:11

Cisco IOS Security command Guide的相关文章

Cisco IOS debug command reference

Command A through D debug aaa accounting through debug auto-config debug aaa accounting : to display information on accountable events as they occur(in privileged EXEC mode) no debug aaa accounting : to disable debugging output debug aaa authenticati

Cisco IOS Debug Command Reference E through H

debug eap through debug he-module subslot periodic debug eap : to display information about Extensible Authentication Protocol(EAP)(in privileged EXEC mode) no debug eap debug ecfmpal : to enable debugging of the data path of the Ethernet Connectivit

Cisco IOS basic system management command reference

absolute : to specify an absolute time for a time-range (in time-range configuration mode) no absolute buffer-length : to specify the maximum length of the data stream to be forwarded (in line configuration mode) no buffer-length buffers : to make ad

Cisco IOS Software Activation Command Reference

clear license agent : to clear license agent statistics counters or connection statistics (in privileged EXEC mode) debug license : to enable controlled Cisco IOS software license debugging activity on a device (in privileged EXEC mode) no debug lice

Cisco IOS LAN Base、IP Base 和IP Service的区别

Details: http://www.cisco.com/c/en/us/products/collateral/switches/catalyst-3560-x-series-switches/white_paper_c11-579326.html The LAN Base feature set offers enhanced intelligent services that include comprehensive Layer 2 features, with up-to 255 V

An Overview of Cisco IOS Versions and Naming

An Overview of Cisco IOS Versions and Naming http://www.ciscopress.com/articles/article.asp?p=2106547 By Sean Wilkins. Article is provided courtesy of Cisco Press. Date: Jun 28, 2013. SaveDiggDel.icio.usPrint Article Information Article Description V

Cisco IOS及IOS XE Software DHCPv6拒绝服务漏洞 -中国寒龙出品

受影响系统:Cisco IOS 15.xCisco IOS XE 3.x描述:--------------------------------------------------------------------------------BUGTRAQ ID: 70140CVE(CAN) ID: CVE-2014-3359 Cisco IOS是多数思科系统路由器和网络交换机上使用的互联网络操作系统. Cisco IOS 15.0, 15.1, 15.2, 15.4.IOS XE 3.3.xSE,

Cisco IOS拒绝服务漏洞 -中国寒龙出品

受影响系统:Cisco IOS 15.x描述:--------------------------------------------------------------------------------BUGTRAQ ID: 70129CVE(CAN) ID: CVE-2014-3361 Cisco IOS是多数思科系统路由器和网络交换机上使用的互联网络操作系统. Cisco IOS 15.0, 15.1, 15.2, 15.4没有正确通过NAT实现SIP,在实现上存在远程拒绝服务漏洞,攻击

Cisco IOS及IOS XE Software多个DNS拒绝服务漏洞 -中国寒龙

受影响系统:Cisco IOS 15.xCisco IOS XE 3.x描述:--------------------------------------------------------------------------------BUGTRAQ ID: 70132CVE(CAN) ID: CVE-2014-3357 Cisco IOS是多数思科系统路由器和网络交换机上使用的互联网络操作系统. Cisco IOS 15.0, 15.1, 15.2, 15.4.IOS XE 3.3.xSE,