Cisco IOS IPv6 Command Reference

clear ipv6 mobile traffic

To clear statistics associated with Mobile IPv6 traffic, use the clear ipv6 mobile traffic command in privileged EXEC mode.

clear ipv6 mobile traffic

Syntax Description

This command has no arguments or keywords.

Command Modes

Privileged EXEC

Command History

Usage Guidelines

The clear ipv6 mobile traffic command clears the statistics about the received binding updates and transmitted binding acknowledgments on a mobile node.

Examples

In the following example, statistics about binding updates and binding acknowledgments are cleared:

Router# clear ipv6 mobile traffic 

Router# show ipv6 mobile traffic

MIPv6 statistics:

  Rcvd: 0 total

      0 truncated, 0 format errors

      0 checksum errors

    Binding Updates received:0

      0 no HA option, 0 BU's length

      0 options' length, 0 invalid CoA

  Sent: 0 generated

    Binding Acknowledgements sent:0

      0 accepted (0 prefix discovery required)

      0 reason unspecified, 0 admin prohibited

      0 insufficient resources, 0 home reg not supported

      0 not home subnet, 0 not home agent for node

      0 DAD failed, 0 sequence number

    Binding Errors sent:0

      0 no binding, 0 unknown MH

  Home Agent Traffic:

    0 registrations, 0 deregistrations

    unknown time since last accepted HA registration

    unknown time since last failed HA registration

    unknown last failed registration code

    Traffic forwarded:

      0 tunneled, 0 reversed tunneled

    Dynamic Home Agent Address Discovery:

      0 requests received, 0 replies sent

    Mobile Prefix Discovery:

      0 solicitations received, 0 advertisements sent

Related Commands

clear ipv6 mtu

To clear the maximum transmission unit (MTU) cache of messages, use the clear ipv6 mtu command in privileged EXEC mode.

clear ipv6 mtu

Syntax Description

This command has no arguments or keywords.

Command Default

Messages are not cleared from the MTU cache.

Command Modes

Privileged EXEC (#)

Command History

Usage Guidelines

If a router is flooded with ICMPv6 toobig messages, the router is forced to create an unlimited number of entries in the MTU cache until all available memory is consumed. Use the clear ipv6 mtu command to clear messages from the MTU cache.

Examples

The following example clears the MTU cache of messages:

Router# clear ipv6 mtu

Related Commands

clear ipv6 multicast aaa authorization

To clear authorization parameters that restrict user access to an IPv6 multicast network, use the clear ipv6 multicast aaa authorization command in privileged EXEC mode.

clear ipv6 multicast aaa authorization [interface-type interface-number]

Syntax Description

Command Modes

Privileged EXEC

Command History

Usage Guidelines

Using the clear ipv6 multicast aaa authorization command without the optional interface-type and interface-number arguments will clear all authorization parameters on a network.

Examples

The following example clears all configured authorization parameters on an IPv6 network:

Router# clear ipv6 multicast aaa authorization FastEthernet 1/0

Related Commands

clear ipv6 nat translation

To clear dynamic Network Address Translation—Protocol Translation (NAT-PT) translations from the dynamic state table, use the clear ipv6 nat translation command in privileged EXEC mode.

clear ipv6 nat translation *

Syntax Description

Command Default

Entries are deleted from the dynamic translation state table when they time out.

Command Modes

Privileged EXEC

Command History

Usage Guidelines

Use this command to clear entries from the dynamic translation state table before they time out. Static translation configuration is not affected by this command.

Examples

The following example shows the NAT-PT entries before and after the dynamic translation state table is cleared. Note that all the dynamic NAT-PT mappings are cleared, but the static NAT-PT configurations remain.

Router# show ipv6 nat translations

Prot  IPv4 source              IPv6 source 

      IPv4 destination         IPv6 destination 

---   ---                      --- 

      192.168.123.2            2001::2 

---   ---                      --- 

      192.168.122.10           2001::10 

tcp   192.168.124.8,11047      3002::8,11047 

      192.168.123.2,23         2001::2,23 

udp   192.168.124.8,52922      3002::8,52922 

      192.168.123.2,69         2001::2,69

Router# clear ipv6 nat translation *

Router# show ipv6 nat translations

Prot  IPv4 source              IPv6 source 

      IPv4 destination         IPv6 destination 

---   ---                      --- 

      192.168.123.2            2001::2 

---   ---                      --- 

      192.168.122.10           2001::10 

Related Commands

clear ipv6 neighbors

To delete all entries in the IPv6 neighbor discovery cache, except static entries, use the clear ipv6 neighbors command in privileged EXEC mode.

Syntax for Releases 15.0(1)M, 12.2(33)SXH, and 12.2(33)SRC, and Later Releases

clear ipv6 neighbors [interface type number [ipv6 ipv6-address] | statistics | vrf table-name [ipv6-address | statistics]]

Syntax for Release Cisco IOS XE Release 2.1 and Later Releases

clear ipv6 neighbors

Syntax Description

Command Modes

Privileged EXEC (#)

Command History

Examples

The following example deletes all entries, except static entries, in the neighbor discovery cache:

Router# clear ipv6 neighbors

The following example clears all IPv6 neighbor discovery cache entries, except static entries, on Ethernet interface 0/0:

Router# clear ipv6 neighbors interface Ethernet 0/0

The following examples clears a neighbor discovery cache entry for 2001:0DB8:1::1 on Ethernet interface 0/0:

Router# clear ipv6 neighbors interface Ethernet0/0 ipv6 2001:0DB8:1::1

Related Commands

clear ipv6 nhrp

To clear all dynamic entries from the Next Hop Resolution Protocol (NHRP) cache, use the clear ipv6 nhrp command in privileged EXEC mode.

clear ipv6 nhrp [ipv6-address | counters]

Syntax Description

Command Modes

Privileged EXEC

Command History

Usage Guidelines

This command does not clear any static (configured) IPv6-to-nonbroadcast multiaccess (NBMA) address mappings from the NHRP cache.

Examples

The following example shows how to clear all dynamic entries from the NHRP cache for the interface:

Router# clear ipv6 nhrp 

Related Commands

clear ipv6 ospf

To clear the Open Shortest Path First (OSPF) state based on the OSPF routing process ID, use the clear ipv6 ospf command in privileged EXEC mode.

clear ipv6 ospf [process-id] {process | force-spf | redistribution}

Syntax Description

Command Modes

Privileged EXEC

Command History

Usage Guidelines

When the process keyword is used with the clear ipv6 ospf command, the OSPF database is cleared and repopulated, and then the shortest path first (SPF) algorithm is performed. When the force-spf keyword is used with the clear ipv6 ospf command, the OSPF database is not cleared before the SPF algorithm is performed.

Use the process-id option to clear only one OSPF process. If the process-id option is not specified, all OSPF processes are cleared.

Examples

The following example starts the SPF algorithm without clearing the OSPF database:

Router# clear ipv6 ospf force-spf

clear ipv6 ospf counters

To clear the Open Shortest Path First (OSPF) state based on the OSPF routing process ID, use the clear ipv6 ospf command in privileged EXEC mode.

clear ipv6 ospf [process-id] counters [neighbor [neighbor-interface | neighbor-id]]

Syntax Description

Command Modes

Privileged EXEC

Command History

Usage Guidelines

Use the neighbor neighbor-interface option to clear counters for all neighbors on a specified interface. If the neighbor neighbor-interface option is not used, all OSPF counters are cleared.

Use the neighbor neighbor-id option to clear counters at a specified neighbor. If the neighbor neighbor-id option is not used, all OSPF counters are cleared.

Examples

The following example provides detailed information on a neighbor router:

Router# show ipv6 ospf neighbor detail

 Neighbor 10.0.0.1

    In the area 1 via interface Serial19/0

    Neighbor:interface-id 21, link-local address FE80::A8BB:CCFF:FE00:6F00

    Neighbor priority is 1, State is FULL, 6 state changes

    Options is 0x194AE05

    Dead timer due in 00:00:37

    Neighbor is up for 00:00:15

    Index 1/1/1, retransmission queue length 0, number of retransmission 1

    First 0x0(0)/0x0(0)/0x0(0) Next 0x0(0)/0x0(0)/0x0(0)

    Last retransmission scan length is 1, maximum is 1

    Last retransmission scan time is 0 msec, maximum is 0 msec

The following example clears all neighbors on the specified interface:

Router# clear ipv6 ospf counters neighbor s19/0

The following example now shows that there have been 0 state changes since the clear ipv6 ospf counters neighbor s19/0 command was used:

Router# show ipv6 ospf neighbor detail

 Neighbor 10.0.0.1

    In the area 1 via interface Serial19/0

    Neighbor:interface-id 21, link-local address FE80::A8BB:CCFF:FE00:6F00

    Neighbor priority is 1, State is FULL, 0 state changes

    Options is 0x194AE05

    Dead timer due in 00:00:39

    Neighbor is up for 00:00:43

    Index 1/1/1, retransmission queue length 0, number of retransmission 1

    First 0x0(0)/0x0(0)/0x0(0) Next 0x0(0)/0x0(0)/0x0(0)

    Last retransmission scan length is 1, maximum is 1

    Last retransmission scan time is 0 msec, maximum is 0 msec

Related Commands

clear ipv6 ospf events

To clear the Open Shortest Path First (OSPF) for IPv6 event log content based on the OSPF routing process ID, use the clear ipv6 ospf events command in privileged EXEC mode.

clear ipv6 ospf [process-id] events

Syntax Description

Command Modes

Privileged EXEC

Command History

Usage Guidelines

Use the optional process-id argument to clear the IPv6 event log content of a specified OSPF routing process. If the process-id argument is not used, all event log content is cleared.

Examples

The following example enables the clearing of OSPF for IPv6 event log content for routing process 1:

Router# clear ipv6 ospf 1 events

clear ipv6 pim counters

To reset the Protocol Independent Multicast (PIM) traffic counters, use the clear ipv6 pim counters command in privileged EXEC mode.

clear ipv6 pim counters

Syntax Description

This command has no arguments or keywords.

Command Modes

Privileged EXEC

Command History

Usage Guidelines

Using the clear ipv6 pim counters command will reset all PIM traffic counters.

Examples

The following example resets the PIM traffic counters:

Router# clear ipv6 pim counters

Related Commands

clear ipv6 pim limit

To clear Protocol Independent Multicast (PIM) statistics, use the clear ipv6 pim limit command in privileged EXEC mode.

clear ipv6 pim [vrf vrf-name] limit [interface]

Syntax Description

Command Modes

Privileged EXEC (#)

Command History

Usage Guidelines

The clear ipv6 pim limit command clears IPv6 PIM interface statistics. If the optional interface argument is enabled, only statistics for the specified interface are cleared.

Examples

The following example clears PIM interface limit statistics:

Router# clear ipv6 pim limit

Related Commands

clear ipv6 pim reset

To delete all entries from the topology table and reset the Multicast Routing Information Base (MRIB) connection, use the clear ipv6 pim reset command in privileged EXEC mode.

clear ipv6 pim [vrf vrf-name] reset

Syntax Description

Command Modes

Privileged EXEC

Command History

Usage Guidelines

Using the clear ipv6 pim reset command breaks the PIM-MRIB connection, clears the topology table, and then reestablishes the PIM-MRIB connection. This procedure forces MRIB resynchronization.

Caution Use the clear ipv6 pim reset command with caution, as it clears all PIM protocol information from the PIM topology table. Use of the clear ipv6 pim reset command should be reserved for situations where PIM and MRIB communication are malfunctioning.

Examples

The following example deletes all entries from the topology table and resets the MRIB connection:

Router# clear ipv6 pim reset

clear ipv6 pim topology

To clear the Protocol Independent Multicast (PIM) topology table, use the clear ipv6 pim topology command in privileged EXEC mode.

clear ipv6 pim [vrf vrf-name] topology [group-name | group-address]

Syntax Description

Command Default

When the command is used with no arguments, all group entries located in the PIM topology table are cleared of PIM protocol information.

Command Modes

Privileged EXEC

Command History

Usage Guidelines

This command clears PIM protocol information from all group entries located in the PIM topology table. Information obtained from the MRIB table is retained. If a multicast group is specified, only those group entries are cleared.

Examples

The following example clears all group entries located in the PIM topology table:

Router# clear ipv6 pim topology

clear ipv6 pim traffic

To clear the Protocol Independent Multicast (PIM) traffic counters, use the clear ipv6 pim traffic command in privileged EXEC mode.

clear ipv6 pim [vrf vrf-name] traffic

Syntax Description

Command Default

When the command is used with no arguments, all traffic counters are cleared.

Command Modes

Privileged EXEC

Command History

Usage Guidelines

This command clears PIM traffic counters. If the vrf vrf-name keyword and argument are used, only those counters are cleared.

Examples

The following example clears all PIM traffic counter:

Router# clear ipv6 pim traffic

clear ipv6 prefix-list

To reset the hit count of the IPv6 prefix list entries, use the clear ipv6 prefix-list command in privileged EXEC mode.

clear ipv6 prefix-list [prefix-list-name] [ipv6-prefix/prefix-length]

Syntax Description

Command Default

The hit count is automatically cleared for all IPv6 prefix lists.

Command Modes

Privileged EXEC

Command History

Usage Guidelines

The clear ipv6 prefix-list command is similar to the clear ip prefix-list command, except that it is IPv6-specific.

The hit count is a value indicating the number of matches to a specific prefix list entry.

Examples

The following example clears the hit count from the prefix list entries for the prefix list named first_list that match the network mask 2001:0DB8::/35.

Router# clear ipv6 prefix-list first_list 2001:0DB8::/35

Related Commands

clear ipv6 rip

To delete routes from the IPv6 Routing Information Protocol (RIP) routing table, use the clear ipv6 rip command in privileged EXEC mode.

clear ipv6 rip [name]

Syntax Description

Command Modes

Privileged EXEC

Command History

Usage Guidelines

When the name argument is specified, only routes for that process are deleted from the IPv6 RIP routing table and, if installed, from the IPv6 routing table. If no name argument is specified, all IPv6 RIP routes are deleted.

Use the show ipv6 rip command to display IPv6 RIP routes.

Examples

The following example deletes all the IPv6 routes for the RIP process called one:

Router# clear ipv6 rip one

Related Commands

clear ipv6 route

To delete routes from the IPv6 routing table, use the clear ipv6 route command in privileged EXEC mode.

clear ipv6 route {ipv6-address | ipv6-prefix/prefix-length | *}

Syntax Description

Command Modes

Privileged EXEC

Command History

Usage Guidelines

The clear ipv6 route command is similar to the clear ip route command, except that it is IPv6-specific.

When the ipv6-address or ipv6-prefix/prefix-length argument is specified, only that route is deleted from the IPv6 routing table. When the * keyword is specified, all routes are deleted from the routing table (the per-destination maximum transmission unit [MTU] cache is also cleared).

Examples

The following example deletes the IPv6 network 2001:0DB8::/35:

Router# clear ipv6 route 2001:0DB8::/35

Related Commands

clear ipv6 snooping counters

To remove counter entries, use the clear ipv6 snooping counters command in privileged EXEC mode.

clear ipv6 snooping counters [interface type number]

Syntax Description

Command Modes

Privileged EXEC (#)

Command History

Usage Guidelines

The clear ipv6 snooping counters command removes counters from all the configured interfaces. You can use the optional interface type number keyword and argument to remove counters from the specified interface.

Examples

The following example shows how to remove entries from the counter:

Router# clear ipv6 snooping counters

clear ipv6 spd

To clear the most recent Selective Packet Discard (SPD) state transition, use the clear ipv6 spd command in privileged EXEC mode.

clear ipv6 spd

Syntax Description

This command has no arguments or keywords.

Command Modes

Privileged EXEC (#)

Command History

Usage Guidelines

The clear ipv6 spd command removes the most recent SPD state transition and any trend historical data.

Examples

The following example shows how to clear the most recent SPD state transition:

Router# clear ipv6 spd

clear ipv6 traffic

To reset IPv6 traffic counters, use the clear ipv6 traffic command in privileged EXEC mode.

clear ipv6 traffic [interface-type interface-number]

Syntax Description

Command Modes

Privileged EXEC

Command History

Usage Guidelines

Using this command resets the counters in the output from the show ipv6 traffic command.

Examples

The following example resets the IPv6 traffic counters. The output from the show ipv6 traffic command shows that the counters are reset:

Router# clear ipv6 traffic

Router# show ipv6 traffic

IPv6 statistics:

  Rcvd:  1 total, 1 local destination

         0 source-routed, 0 truncated

         0 format errors, 0 hop count exceeded

         0 bad header, 0 unknown option, 0 bad source

         0 unknown protocol, 0 not a router

         0 fragments, 0 total reassembled

         0 reassembly timeouts, 0 reassembly failures

  Sent:  1 generated, 0 forwarded

         0 fragmented into 0 fragments, 0 failed

         0 encapsulation failed, 0 no route, 0 too big

  Mcast: 0 received, 0 sent

ICMP statistics:

  Rcvd: 1 input, 0 checksum errors, 0 too short

        0 unknown info type, 0 unknown error type

        unreach: 0 routing, 0 admin, 0 neighbor, 0 address, 0 port

        parameter: 0 error, 0 header, 0 option

        0 hopcount expired, 0 reassembly timeout,0 too big

        0 echo request, 0 echo reply

        0 group query, 0 group report, 0 group reduce

        0 router solicit, 0 router advert, 0 redirects

        0 neighbor solicit, 1 neighbor advert

Sent: 1 output

        unreach: 0 routing, 0 admin, 0 neighbor, 0 address, 0 port

        parameter: 0 error, 0 header, 0 option

        0 hopcount expired, 0 reassembly timeout,0 too big

        0 echo request, 0 echo reply

        0 group query, 0 group report, 0 group reduce

        0 router solicit, 0 router advert, 0 redirects

        0 neighbor solicit, 1 neighbor advert

UDP statistics:

  Rcvd: 0 input, 0 checksum errors, 0 length errors

        0 no port, 0 dropped

  Sent: 0 output

TCP statistics:

  Rcvd: 0 input, 0 checksum errors

  Sent: 0 output, 0 retransmitted

Related Commands

clear mls cef ipv6 accounting per-prefix

To clear information about the IPv6 per-prefix accounting statistics, use the clear mls cef ipv6 accounting per-prefix command in privileged EXEC mode.

clear mls cef ipv6 accounting per-prefix {all | ipv6-address/mask [instance]}

Syntax Description

Command Default

This command has no default settings.

Command Modes

Privileged EXEC

Command History

Usage Guidelines

When entering the ipv6-address/mask arguments, use this format, X:X:X:X::X/mask, where the valid values for mask are from 0 to 128.

Examples

This example shows how to clear all information about the per-prefix accounting statistics:

Router# clear mls cef ipv6 accounting per-prefix all

clear ospfv3 counters

To clear Open Shortest Path First version 3 (OSPFv3) counters, use the clear ospfv3 counters command in privileged EXEC mode.

clear ospfv3 [process-id] [address-family] counters [neighbor [neighbor-interface | neighbor-id]]

Syntax Description

Command Modes

Privileged EXEC

Command History

Usage Guidelines

Use the neighbor neighbor-interface option to clear counters for all neighbors on a specified interface. If the neighbor neighbor-interface option is not used, all OSPFv3 counters are cleared.

Examples

The following example clears all neighbors on the serial 19/0 interface:

Router# clear ospfv3 counters neighbor s19/0

clear ospfv3 force-spf

To run shortest path first (SPF) calculations for an Open Shortest Path First version 3 (OSPFv3) process, use the clear ospfv3 counters command in privileged EXEC mode.

clear ospfv3 [process-id] [address-family] force-spf

Syntax Description

Command Modes

Privileged EXEC

Command History

Usage Guidelines

Use the clear ospv3 force-spf command to run SPF calculations for either an IPv6 or an IPv4 OSPFv3 instance. If the optional process-ID argument is not used, SPF runs on all instances on the interface.

Examples

The following example enables SPF calculations for process 1:

Router# clear ospfv3 1 force-spf

clear ospfv3 process

To reset an Open Shortest Path First version 3 (OSPFv3) process, use the clear ospfv3 process command in privileged EXEC mode.

clear ospfv3 [process-id] [address-family] process

Syntax Description

Command Modes

Privileged EXEC

Command History

Usage Guidelines

Use the clear ospv3 process command to reset either an IPv6 or IPv4 OSPFv3 process. If the optional process-ID argument is not used, all OSPFv3 processes are reset.

Examples

The following example resets the OSPFv3 process 2:

Router# clear ospfv3 2 process

clear ospfv3 redistribution

To clear Open Shortest Path First version 3 (OSPFv3) route redistribution, use the clear ospfv3 process command in privileged EXEC mode.

clear ospfv3 [process-id] [address-family] redistribution

Syntax Description

Command Modes

Privileged EXEC

Command History

Usage Guidelines

Use the clear ospv3 process command to clear either IPv6 or IPv4 OSPFv3 redistribution. If the optional process-ID argument is not used, all processes on the interface are cleared.

Examples

The following example clears OSPFv3 redistribution on all OSPFv3 processes:

Router# clear ospfv3 redistribution

clear ospfv3 traffic

To reset counters and clear Open Shortest Path First version 3 (OSPFv3) traffic statistics, use the clear ospfv3 traffic command privileged EXEC mode.

clear ospfv3 [process-id] [address-family] traffic [interface]

Syntax Description

Command Modes

Privileged EXEC

Command History

Usage Guidelines

Use the clear ospv3 traffic command to reset traffic statistics for an IPv6 or IPv4 OSPFv3 process. If the optional process-ID argument is not used, all traffic statistics are cleared.

Examples

The following example resets the counters and clears the OSPFv3 traffics statistics:

Router# clear ospfv3 traffic

codec (DSP farm profile)

To specify the codecs that are supported by a digital signal processor (DSP) farm profile, use the codec command in DSP farm profile configuration mode. To remove the codec, use the no form of this command.

codec {codec-type [resolution] | [frame-rate framerate] | [bitrate bitrate] | [rfc-2190] | pass-through}

no codec {codec-type [resolution] | [frame-rate framerate] | [bitrate bitrate] | [rfc-2190] | pass-through}

Syntax Description

Command Default

The following transcoding defaults apply when you are configuring audio profiles only. When you configure video transcoding, you must specify the audio codecs.

Transcoding

•g711alaw

•g711ulaw

•g729abr8

•g729ar8

Conferencing

•g711alaw

•g711ulaw

•g729abr8

•g729ar8

•g729br8

•g729r8

MTP

•g711ulaw

Command Modes

DSP farm profile configuration (config-dspfarm-profile)

Command History

Usage Guidelines

Only one codec is supported for each MTP profile. To support multiple codecs, you must define a separate MTP profile for each codec.

For homogeneous video profiles, only one video format is supported

For heterogeneous and heterogeneous guaranteed-audio video profiles, multiple video formats and audio codecs are supported.

To change the configured codec in the profile, you must first enter a no maximum session command.

Table 8 shows the relationship between DSP farm functions and codecs.

Hardware MTPs support only G.711 a-law and G.711 mu-law. If you configure a profile as a hardware MTP and you want to change the codec to other than G.711, you must first remove the hardware MTP by using the no maximum sessions hardware command.

The pass-through keyword is supported for transcoding and MTP profiles only; the keyword is not supported for conferencing profiles. To support the Resource Reservation Protocol (RSVP) agent on a Skinny Client Control Protocol (SCCP) device, you must use the codec pass-through command. In the pass-through mode, the SCCP device processes the media stream by using a pure software MTP, regardless of the nature of the stream, which enables video and data streams to be processed in addition to audio streams. When the pass-through mode is set in a transcoding profile, no transcoding is done for the session; the transcoding device performs a pure software MTP function. The pass-through mode can be used for secure Real-Time Transport Protocol (RTP) sessions.

Examples

The following example shows how to set the call density and codec complexity to g729abr8:

Router(config)# dspfarm profile 123 transcode

Router(config-dspfarm-profile)# codec g729abr8

The following example shows how to set up a video conference with guaranteed-audio.

Router(config)# dspfarm profile 99 conference video guaranteed-audio

Router(config-dspfarm-profile)# codec h264 4cif

Router(config-dspfarm-profile)# codec h264 cif

Router(config-dspfarm-profile)# maximum conference-participants 8

Related Commands

compatible rfc1583

To calculate the method used to calculate external route preferences per RFC 1583, use the compatible rfc1583 command in router configuration mode. To disable RFC 1583 compatibility, use the no form of this command.

compatible rfc1583

no compatible rfc1583

Syntax Description

This command has no arguments or keywords.

Command Default

Compatible with RFC 1583.

Command Modes

OSPFv3 router configuration mode (config-router)

Command History

Usage Guidelines

RFC 2328 describes a new method of calculating path preferences for AS external routes:

•Intra-area paths using non-backbone areas are always the most preferred.

•The other paths—intra-area backbone paths and inter-area paths—are of equal preference.

Use the no compatible rfc1583 command to enable the calculation method used per RFC 2328. For more detailed information, see the "RFC 1583 Compatibility" section in RFC 2328.

Caution To minimize the chance of routing loops, all Open Shortest Path First (OSPF) routers in an OSPF routing domain should have RFC compatibility set identically.

Examples

The following example specifies that the router process is compatible with RFC 1583:

router ospf 1 

 compatible rfc1583

 !

context

Note Effective with Cisco IOS Release 15.0(1)M, the context command is replaced by the snmp context command. See the snmp context command for more information.

To associate a Simple Network Management Protocol (SNMP) context with a particular VPN routing and forwarding (VRF) instance, use the context command in VRF configuration mode. To disassociate an SNMP context from a VPN, use the no form of this command.

context context-name

no context

Syntax Description

Command Default

No SNMP contexts are associated with VPNs.

Command Modes

VRF configuration (config-vrf)

Command History

Usage Guidelines

Before you use the context command to associate an SNMP context with a VPN, you must do the following:

•Issue the snmp-server context command to create an SNMP context.

•Associate a VPN with a context so that the specific MIB data for that VPN exists in the context.

•Associate a VPN group with the context of the VPN using the context context-name keyword argument pair of the snmp-server group command.

SNMP contexts provide VPN users with a secure way of accessing MIB data. When a VPN is associated with a context, MIB data for that VPN exists in that context. Associating a VPN with a context helps service providers to manage networks with multiple VPNs. Creating and associating a context with a VPN enables a provider to prevent the users of one VPN from accessing information about other VPN users on the same networking device.

A route distinguisher (RD) is required to configure an SNMP context. An RD creates routing and forwarding tables and specifies the default route distinguisher for a VPN. The RD is added to the beginning of an IPv4 prefix to make it globally unique. An RD is either an autonomous system number (ASN) relative, which means that it is composed of an autonomous system number and an arbitrary number, or an IP address relative and is composed of an IP address and an arbitrary number.

Examples

The following example shows how to create an SNMP context named context1 and associate the context with the VRF named vrf1:

Router(config)# snmp-server context context1

Router(config)# ip vrf vrf1

Router(config-vrf)# rd 100:120

Router(config-vrf)# context context1

Related Commands

crypto ipsec profile

To define the IP Security (IPsec) parameters that are to be used for IPsec encryption between two IPsec routers and to enter IPsec profile configuration mode, use the crypto ipsec profile command in global configuration mode. To delete an IPsec profile, use the no form of this command.

crypto ipsec profile name

no crypto ipsec profile name

Syntax Description

Command Default

An IPsec profile is not defined.

Command Modes

Global configuration

Command History

Usage Guidelines

An IPsec profile abstracts the IPsec policy settings into a single profile that can be used in other parts of the Cisco IOS configuration.

The IPsec profile shares most of the same commands with the crypto map configuration, but only a subset of the commands are valid in an IPsec profile. Only commands that pertain to an IPsec policy can be issued under an IPsec profile; you cannot specify the IPsec peer address or the access control list (ACL) to match the packets that are to be encrypted.

After this command has been enabled, the following commands can be configured under an IPsec profile:

•default—Lists the commands that can be configured under the crypto ipsec profile command.

•description—Describes the crypto map statement policy.

•dialer—Specifies dialer-related commands.

•redundancy—Specifies a redundancy group name.

•set-identity—Specifies identity restrictions.

•set isakmp-profile—Specifies an ISAKMP profile.

•set pfs—Specifies perfect forward secrecy (PFS) settings.

•set security-association—Defines security association parameters.

•set-transform-set—Specifies a list of transform sets in order of priority.

After enabling this command, the only parameter that must be defined under the profile is the transform set via the set transform-set command.

For more information on transform sets, refer to the section "Defining Transform Sets" in the chapter "Configuring IPSec Network Security" in the Cisco IOS Security Configuration Guide.

Examples

The following example shows how to configure a crypto map that uses an IPsec profile:

crypto ipsec transform-set cat-transforms esp-des esp-sha-hmac

 mode transport

!

crypto ipsec profile cat-profile

 set transform-set cat-transforms

 set pfs group2

!

interface Tunnel1

 ip address 192.168.1.1 255.255.255.252

 tunnel source FastEthernet2/0

 tunnel destination 10.13.7.67

 tunnel protection ipsec profile cat-profile

Related Commands

crypto isakmp identity

To define the ISAKMP identity used by the router when participating in the Internet Key Exchange (IKE) protocol, use the crypto isakmp identity command in global configuration mode. To reset the ISAKMP identity to the default value (address), use the no form of this command.

crypto isakmp identity {address | dn | hostname}

no crypto isakmp identity

Syntax Description

Command Default

The IP address is used for the ISAKMP identity.

Command Modes

Global configuration

Command History

Usage Guidelines

Use this command to specify an ISAKMP identity either by IP address, DN or host name. An ISAKMP identity is set whenever you specify preshared keys or RSA signature authentication.

The address keyword is typically used when only one interface (and therefore only one IP address) will be used by the peer for IKE negotiations, and the IP address is known.

The dn keyword should be used if the DN of a router certificate is to be specified and chosen as the ISAKMP identity during IKE processing. The dn keyword is used only for certificate-based authentication.

The hostname keyword should be used if more than one interface on the peer might be used for IKE negotiations, or if the interface's IP address is unknown (such as with dynamically assigned IP addresses).

As a general rule, you should set all peers' identities in the same way, either by IP address or by host name.

Examples

The following example uses preshared keys at two peers and sets both their ISAKMP identities to the IP address.

At the local peer (at 10.0.0.1) the ISAKMP identity is set and the preshared key is specified:

crypto isakmp identity address

crypto isakmp key sharedkeystring address 192.168.1.33

At the remote peer (at 192.168.1.33) the ISAKMP identity is set and the same preshared key is specified:

crypto isakmp identity address

crypto isakmp key sharedkeystring address 10.0.0.1

Note In the preceding example if the crypto isakmp identity command had not been performed, the ISAKMP identities would have still been set to IP address, the default identity.

The following example uses preshared keys at two peers and sets both their ISAKMP identities to the hostname.

At the local peer the ISAKMP identity is set and the preshared key is specified:

crypto isakmp identity hostname

crypto isakmp key sharedkeystring hostname RemoteRouter.example.com

ip host RemoteRouter.example.com 192.168.0.1

At the remote peer the ISAKMP identity is set and the same preshared key is specified:

crypto isakmp identity hostname

crypto isakmp key sharedkeystring hostname LocalRouter.example.com

ip host LocalRouter.example.com 10.0.0.1 10.0.0.2

In the example, hostnames are used for the peers' identities because the local peer has two interfaces that might be used during an IKE negotiation.

In the example the IP addresses are also mapped to the hostnames; this mapping is not necessary if the routers' hostnames are already mapped in DNS.

Related Commands

crypto isakmp key

To configure a preshared authentication key, use the crypto isakmp key command in global configuration mode. To delete a preshared authentication key, use the no form of this command.

crypto isakmp key enc-type-digit keystring {address peer-address [mask] | ipv6 ipv6-address/ipv6-prefix | hostname hostname} [no-xauth]

no crypto isakmp key enc-type-digit keystring {address peer-address [mask] | ipv6 ipv6-address/ipv6-prefix | hostname hostname} [no-xauth]

Syntax Description

Command Default

There is no default preshared authentication key.

Command Modes

Global configuration

Command History

Usage Guidelines

You must use this command to configure a key whenever you specify preshared keys in an Internet Key Exchange (IKE) policy; you must enable this command at both peers.

If an IKE policy includes preshared keys as the authentication method, these preshared keys must be configured at both peers—otherwise the policy cannot be used (the policy will not be submitted for matching by the IKE process). The crypto isakmp key command is the second task required to configure the preshared keys at the peers. (The first task is accomplished using the crypto isakmp identity command.)

Use the address keyword if the remote peer ISAKMP identity was set with its IP address.

With the address keyword, you can also use the mask argument to indicate the remote peer ISAKMP identity will be established using the preshared key only. If the mask argument is used, preshared keys are no longer restricted between two users.

Note If you specify mask, you must use a subnet address. (The subnet address 0.0.0.0 is not recommended because it encourages group preshared keys, which allow all peers to have the same group key, thereby reducing the security of your user authentication.)

When using IKE main mode, preshared keys are indexed by IP address only because the identity payload has not yet been received. This means that the hostname keyword in the identity statement is not used to look up a preshared key and will be used only when sending and processing the identity payloads later in the main mode exchange. The identity keyword can be used when preshared keys are used with IKE aggressive mode, and keys may be indexed by identity types other than IP address as the identity payload is received in the first IKE aggressive mode packet.

If crypto isakmp identity hostname is configured as identity, the preshared key must be configured with the peer's IP address for the process to work when using IKE in main mode.

Use the no-xauth keyword to prevent the router from prompting the peer for Xauth information (username and password). This keyword disables Xauth for static IPSec peers. The no-xauth keyword should be enabled when configuring the preshared key for router-to-router IPSec—not VPN-client-to-Cisco-IOS IPSec.

Output for the crypto isakmp key command will show that the preshared key is either encrypted or unencrypted. An output example for an unencrypted preshared key would be as follows:

crypto isakmp key test123 address 10.1.0.1

An output example for a type 6 encrypted preshared key would be as follows:

crypto isakmp key 6 RHZE[JACMUI\bcbTdELISAAB address 10.1.0.1

Examples

In the following example, the remote peer "RemoteRouter" specifies an ISAKMP identity by address:

crypto isakmp identity address

Now, the preshared key must be specified at each peer.

In the following example, the local peer specifies the preshared key and designates the remote peer by its IP address and a mask:

crypto isakmp key 0 sharedkeystring address 172.21.230.33  255.255.255.255

In the following example for IPv6, the peer specifies the preshared key and designates the remote peer with an IPv6 address:

crypto isakmp key 0 my-preshare-key-0 address ipv6 3ffe:1001::2/128

Related CommandsI

crypto isakmp peer

To enable an IP Security (IPSec) peer for Internet Key Exchange (IKE) querying of authentication, authorization, and accounting (AAA) for tunnel attributes in aggressive mode, use the crypto isakmp peer command in global configuration mode. To disable this functionality, use the no form of this command.

crypto isakmp peer {address {ipv4-address | ipv6 ipv6-address} | hostname fqdn-hostname}

no crypto isakmp peer {address {ipv4-address | ipv6 ipv6-address} | hostname fqdn-hostname}

Syntax Description

Command Default

None

Command Modes

Global configuration

Command History

Usage Guidelines

After enabling this command, you can use the set aggressive-mode client-endpoint and set aggressive-mode password commands to specify RADIUS tunnel attributes in the Internet Security Association and Key Management Protocol (ISAKMP) peer policy for IPSec peers.

Instead of keeping your preshared keys on the hub router, you can scale your preshared keys by storing and retrieving them from an AAA server. The preshared keys are stored in the AAA server as Internet Engineering Task Force (IETF) RADIUS tunnel attributes and are retrieved when a user tries to "speak" to the hub router. The hub router retrieves the preshared key from the AAA server and the spokes (the users) initiate aggressive mode to the hub by using the preshared key that is specified in the ISAKMP peer policy as a RADIUS tunnel attribute.

Examples

The following example shows how to initiate aggressive mode using RADIUS tunnel attributes:

crypto isakmp peer ip-address 209.165.200.230 vrf vpn1

 set aggressive-mode client-endpoint user-fqdn user@cisco.com

 set aggressive-mode password cisco123

Related Commands

crypto isakmp policy

To define an Internet Key Exchange (IKE) policy, use the crypto isakmp policy command in global configuration mode. To delete an IKE policy, use the no form of this command.

crypto isakmp policy priority

no crypto isakmp policy priority

Syntax Description

Command Default

Default IKE policies are in use.

Command Modes

Global configuration (config)

Command History

Usage Guidelines

IKE policies define a set of parameters to be used during the IKE negotiation. Use this command to specify the parameters to be used during an IKE negotiation. (These parameters are used to create the IKE security association [SA].)

This command invokes the Internet Security Association Key Management Protocol (ISAKMP) policy configuration (config-isakmp) command mode. While in the ISAKMP policy configuration command mode, some of the commands for which you can specify parameters are as follows:

•authentication; default = RSA signatures

•encryption (IKE policy); default = 56-bit DES-CBC

•group (IKE policy); default = 768-bit Diffie-Hellman

•hash (IKE policy); default = SHA-1

•lifetime (IKE policy); default = 86,400 seconds (one day)

If you do not specify any given parameter, the default value will be used for that parameter.

To exit the config-isakmp command mode, type exit.

You can configure multiple IKE policies on each peer participating in IPsec. When the IKE negotiation begins, it tries to find a common policy configured on both peers, starting with the highest priority policies as specified on the remote peer.

Examples

The following example shows how to manually configure two policies for the peer:

crypto isakmp policy 15

 hash md5

 authentication rsa-sig

 group 2

 lifetime 5000

crypto isakmp policy 20

 authentication pre-share

 lifetime 10000

The above configuration results in the following policies:

Router# show crypto isakmp policy

Protection suite priority 15

	encryption algorithm:	DES - Data Encryption Standard (56 bit keys)

	hash algorithm:	Message Digest 5

	authentication method:	Rivest-Shamir-Adleman Signature

	Diffie-Hellman Group:	#2 (1024 bit)

	lifetime:	5000 seconds, no volume limit

Protection suite priority 20

	encryption algorithm:	DES - Data Encryption Standard (56 bit keys)

	hash algorithm:	Secure Hash Standard

	authentication method:	preshared Key

	Diffie-Hellman Group:	#1 (768 bit)

	lifetime:	10000 seconds, no volume limit

Default protection suite

	encryption algorithm:	DES - Data Encryption Standard (56 bit keys)

	hash algorithm:	Secure Hash Standard

	authentication method:	Rivest-Shamir-Adleman Signature

	Diffie-Hellman Group:	#1 (768 bit)

	lifetime:	86400 seconds, no volume limit

The following sample output from the show crypto isakmp policy command displays the default IKE policies when the manually configured IKE policies with priorities 15 and 20 have been removed.

Router(config)# no crypto isakmp policy 15

Router(config)# no crypto isakmp policy 20

Router(config)# exit

R1# show crypto isakmp policy

Default IKE policy

Protection suite of priority 65507

        encryption algorithm:   AES - Advanced Encryption Standard (128 bit key.

        hash algorithm:         Secure Hash Standard

        authentication method:  Rivest-Shamir-Adleman Signature

        Diffie-Hellman group:   #5 (1536 bit)

        lifetime:               86400 seconds, no volume limit

Protection suite of priority 65508

        encryption algorithm:   AES - Advanced Encryption Standard (128 bit key.

        hash algorithm:         Secure Hash Standard

        authentication method:  Pre-Shared Key

        Diffie-Hellman group:   #5 (1536 bit)

        lifetime:               86400 seconds, no volume limit

Protection suite of priority 65509

        encryption algorithm:   AES - Advanced Encryption Standard (128 bit key.

        hash algorithm:         Message Digest 5

        authentication method:  Rivest-Shamir-Adleman Signature

        Diffie-Hellman group:   #5 (1536 bit)

        lifetime:               86400 seconds, no volume limit

Protection suite of priority 65510

        encryption algorithm:   AES - Advanced Encryption Standard (128 bit key.

        hash algorithm:         Message Digest 5

        authentication method:  Pre-Shared Key

        Diffie-Hellman group:   #5 (1536 bit)

        lifetime:               86400 seconds, no volume limit

Protection suite of priority 65511

        encryption algorithm:   Three key triple DES

        hash algorithm:         Secure Hash Standard

        authentication method:  Rivest-Shamir-Adleman Signature

        Diffie-Hellman group:   #2 (1024 bit)

        lifetime:               86400 seconds, no volume limit

Protection suite of priority 65512

        encryption algorithm:   Three key triple DES

        hash algorithm:         Secure Hash Standard

        authentication method:  Pre-Shared Key

        Diffie-Hellman group:   #2 (1024 bit)

        lifetime:               86400 seconds, no volume limit

Protection suite of priority 65513

        encryption algorithm:   Three key triple DES

        hash algorithm:         Message Digest 5

        authentication method:  Rivest-Shamir-Adleman Signature

        Diffie-Hellman group:   #2 (1024 bit)

        lifetime:               86400 seconds, no volume limit

Protection suite of priority 65514

        encryption algorithm:   Three key triple DES

        hash algorithm:         Message Digest 5

        authentication method:  Pre-Shared Key

        Diffie-Hellman group:   #2 (1024 bit)

        lifetime:               86400 seconds, no volume limit

Related Commands

crypto isakmp profile

To define an Internet Security Association and Key Management Protocol (ISAKMP) profile and to audit IP security (IPsec) user sessions, use the crypto isakmp profile command in global configuration mode. To delete a crypto ISAKMP profile, use the no form of this command.

crypto isakmp profile profile-name [accounting aaa-list]

no crypto isakmp profile profile-name [accounting aaa-list]

Syntax Description

Command Defaults

No profile exists if the command is not used.

Command Modes

Global configuration

Command History

Usage Guidelines

Defining an ISAKMP Profile

An ISAKMP profile can be viewed as a repository of Phase 1 and Phase 1.5 commands for a set of peers. The Phase 1 configuration includes commands to configure such things as keepalive, identity matching, and the authorization list. The Phase 1.5 configuration includes commands to configure such things as extended authentication (Xauth) and mode configuration.

The peers are mapped to an ISAKMP profile when their identities are matched (as given in the identification [ID] payload of the Internet Key Exchange [IKE]) against the identities defined in the ISAKMP profile. To uniquely map to an ISAKMP profile, no two ISAKMP profiles should match the same identity. If the peer identity is matched in two ISAKMP profiles, the configuration is invalid. Also, there must be at least one match identity command defined in the ISAKMP profile for it to be complete.

After enabling this command and entering ISAKMP profile configuration mode, you can configure the following commands:

•accounting—Enables authentication, authorization, and accounting (AAA) accounting.

•ca trust-point—Specifies certificate authorities.

•client—Specifies client configuration settings.

•default—Lists subcommands for the crypto isakmp profile command.

•description—Specifies a description of this profile.

•initiate mode—Initiates a mode.

•isakmp authorization—ISAKMP authorization parameters.

•keepalive—Sets a keepalive interval.

•keyring—Specifies a keyring.

•local-address—Specifies the interface to use as the local address of this ISAKMP profile.

•match—Matches the values of the peer.

•qos-group—Applies a quality of service (QoS) policy class map for this profile.

•self-identity—Specifies the identity.

•virtual-template—Specifies the virtual template for the dynamic interface.

•vrf—Specifies the Virtual Private Network routing and forwarding (VRF) instance to which the profile is related.

Auditing IPSec User Sessions

Use this command to audit multiple user sessions that are terminating on the IPSec gateway.

Note The crypto isakmp profile command and the crypto map (global IPSec) command are mutually exclusive. If a profile is present (the crypto isakmp profile command has been used), with no accounting configured but with the global command present (the crypto isakmp profile command without the accounting keyword), accounting will occur using the attributes in the global command.

Dynamic Virtual Tunnel Interfaces

Support for dynamic virtual tunnel interfaces allows for the virtual profile to be mapped into a specified virtual template.

Examples

ISAKAMP Profile Matching Peer Identities Example

The following example shows how to define an ISAKMP profile and match the peer identities:

crypto isakmp profile vpnprofile

 match identity address 10.76.11.53

ISAKAMP Profile with Accounting Example

The following accounting example shows that an ISAKMP profile is configured:

aaa new-model

!

!

aaa authentication login cisco-client group radius

aaa authorization network cisco-client group radius 

aaa accounting network acc start-stop broadcast group radius

aaa session-id common

!

crypto isakmp profile cisco

vrf cisco

match identity group cclient

 client authentication list cisco-client

 isakmp authorization list cisco-client

 client configuration address respond

 accounting acc

!

crypto dynamic-map dynamic 1

 set transform-set aswan 

 set isakmp-profile cisco

 reverse-route

!

!

radius-server host 172.16.1.4 auth-port 1645 acct-port 1646

radius-server key nsite

Related Commands

crypto key generate rsa

To generate Rivest, Shamir, and Adelman (RSA) key pairs, use the crypto key generate rsa command in global configuration mode.

crypto key generate rsa [general-keys | usage-keys | signature | encryption] [label key-label] [exportable] [modulus modulus-size] [storage devicename:][redundancy][on devicename:]

Syntax Description

Command Default

RSA key pairs do not exist.

Command Modes

Global configuration

Command History

Usage Guidelines

Use this command to generate RSA key pairs for your Cisco device (such as a router).

RSA keys are generated in pairs—one public RSA key and one private RSA key.

If your router already has RSA keys when you issue this command, you will be warned and prompted to replace the existing keys with new keys.

Note Before issuing this command, ensure that your router has a hostname and IP domain name configured (with the hostname and ip domain-name commands). You will be unable to complete the crypto key generate rsa command without a hostname and IP domain name. (This situation is not true when you generate only a named key pair.)

Note Secure Shell (SSH) may generate an additional RSA key pair if you generate a key pair on a router having no RSA keys. The additional key pair is used only by SSH and will have a name such as {router_FQDN}.server. For example, if a router name is "router1.cisco.com," the key name is "router1.cisco.com.server."

This command is not saved in the router configuration; however, the RSA keys generated by this command are saved in the private configuration in NVRAM (which is never displayed to the user or backed up to another device) the next time the configuration is written to NVRAM.

Note If the configuration is not saved to NVRAM, the generated keys are lost on the next reload of the router.

There are two mutually exclusive types of RSA key pairs: special-usage keys and general-purpose keys. When you generate RSA key pairs, you will be prompted to select either special-usage keys or general-purpose keys.

Special-Usage Keys

If you generate special-usage keys, two pairs of RSA keys will be generated. One pair will be used with any Internet Key Exchange (IKE) policy that specifies RSA signatures as the authentication method, and the other pair will be used with any IKE policy that specifies RSA encrypted keys as the authentication method.

A CA is used only with IKE policies specifying RSA signatures, not with IKE policies specifying RSA-encrypted nonces. (However, you could specify more than one IKE policy and have RSA signatures specified in one policy and RSA-encrypted nonces in another policy.)

If you plan to have both types of RSA authentication methods in your IKE policies, you may prefer to generate special-usage keys. With special-usage keys, each key is not unnecessarily exposed. (Without special-usage keys, one key is used for both authentication methods, increasing the exposure of that key.)

General-Purpose Keys

If you generate general-purpose keys, only one pair of RSA keys will be generated. This pair will be used with IKE policies specifying either RSA signatures or RSA encrypted keys. Therefore, a general-purpose key pair might get used more frequently than a special-usage key pair.

Named Key Pairs

If you generate a named key pair using the key-label argument, you must also specify the usage-keys keyword or the general-keys keyword. Named key pairs allow you to have multiple RSA key pairs, enabling the Cisco IOS software to maintain a different key pair for each identity certificate.

Modulus Length

When you generate RSA keys, you will be prompted to enter a modulus length. The longer the modulus, the stronger the security. However a longer modules takes longer to generate (see Table 9 for sample times) and takes longer to use.

Cisco IOS software does not support a modulus greater than 4096 bits. A length of less than 512 bits is normally not recommended. In certain situations, the shorter modulus may not function properly with IKE, so we recommend using a minimum modulus of 2048 bits.

Note As of Cisco IOS Release 12.4(11)T, peer public RSA key modulus values up to 4096 bits are automatically supported.

The largest private RSA key modulus is 4096 bits. Therefore, the largest RSA private key a router may generate or import is 4096 bits. However, RFC 2409 restricts the private key size to 2048 bits or less for RSA encryption.

The recommended modulus for a CA is 2048 bits; the recommended modulus for a client is 2048 bits.

Additional limitations may apply when RSA keys are generated by cryptographic hardware. For example, when RSA keys are generated by the Cisco VPN Services Port Adapter (VSPA), the RSA key modulus must be a minimum of 384 bits and must be a multiple of 64.

Specifying a Storage Location for RSA Keys

When you issue the crypto key generate rsa command with the storage devicename: keyword and argument, the RSA keys will be stored on the specified device. This location will supersede any crypto key storage command settings.

Specifying a Device for RSA Key Generation

As of Cisco IOS Release 12.4(11)T and later releases, you may specify the device where RSA keys are generated. Devices supported include NVRAM, local disks, and USB tokens. If your router has a USB token configured and available, the USB token can be used as cryptographic device in addition to a storage device. Using a USB token as a cryptographic device allows RSA operations such as key generation, signing, and authentication of credentials to be performed on the token. The private key never leaves the USB token and is not exportable. The public key is exportable.

RSA keys may be generated on a configured and available USB token, by the use of the on devicename: keyword and argument. Keys that reside on a USB token are saved to persistent token storage when they are generated. The number of keys that can be generated on a USB token is limited by the space available. If you attempt to generate keys on a USB token and it is full you will receive the following message:

% Error in generating keys:no available resources 

Key deletion will remove the keys stored on the token from persistent storage immediately. (Keys that do not reside on a token are saved to or deleted from nontoken storage locations when the copy or similar command is issued.)

For information on configuring a USB token, see "Storing PKI Credentials" chapter in the Cisco IOS Security Configuration Guide, Release 12.4T. For information on using on-token RSA credentials, see the "Configuring and Managing a Cisco IOS Certificate Server for PKI Deployment" chapter in the Cisco IOS Security Configuration Guide, Release 12.4T.

Specifying RSA Key Redundancy Generation on a Device

You can specify redundancy for existing keys only if they are exportable.

Examples

The following example generates a general-usage 1024-bit RSA key pair on a USB token with the label "ms2" with crypto engine debugging messages shown:

Router(config)# crypto key generate rsa label ms2 modulus 2048 on usbtoken0:

The name for the keys will be: ms2 

% The key modulus size is 2048 bits 

% Generating 1024 bit RSA keys, keys will be on-token, non-exportable... 

Jan 7 02:41:40.895: crypto_engine: Generate public/private keypair [OK] 

Jan 7 02:44:09.623: crypto_engine: Create signature 

Jan 7 02:44:10.467: crypto_engine: Verify signature 

Jan 7 02:44:10.467: CryptoEngine0: CRYPTO_ISA_RSA_CREATE_PUBKEY(hw)(ipsec) 

Jan 7 02:44:10.467: CryptoEngine0: CRYPTO_ISA_RSA_PUB_DECRYPT(hw)(ipsec) 

Now, the on-token keys labeled "ms2" may be used for enrollment.

The following example generates special-usage RSA keys:

Router(config)# crypto key generate rsa usage-keys

The name for the keys will be: myrouter.example.com

Choose the size of the key modulus in the range of 360 to 2048 for your Signature Keys. 
Choosing a key modulus greater than 512 may take a few minutes.

How many bits in the modulus[512]? <return>

Generating RSA keys.... [OK].

Choose the size of the key modulus in the range of 360 to 2048 for your Encryption Keys. 
Choosing a key modulus greater than 512 may take a few minutes.

How many bits in the modulus[512]? <return>

Generating RSA keys.... [OK].

The following example generates general-purpose RSA keys:

Note You cannot generate both special-usage and general-purpose keys; you can generate only one or the other.

Router(config)# crypto key generate rsa general-keys

The name for the keys will be: myrouter.example.com

Choose the size of the key modulus in the range of 360 to 2048 for your General Purpose 
Keys. Choosing a key modulus greater than 512 may take a few minutes.

How many bits in the modulus[512]? <return>

Generating RSA keys.... [OK].

The following example generates the general-purpose RSA key pair "exampleCAkeys":

crypto key generate rsa general-keys label exampleCAkeys

crypto ca trustpoint exampleCAkeys

 enroll url http://exampleCAkeys/certsrv/mscep/mscep.dll

 rsakeypair exampleCAkeys 1024 1024

The following example specifies the RSA key storage location of "usbtoken0:" for "tokenkey1":

crypto key generate rsa general-keys label tokenkey1 storage usbtoken0:

The following example specifies the redundancy keyword:

Router(config)# crypto key generate rsa label MYKEYS redundancy

The name for the keys will be: MYKEYS

Choose the size of the key modulus in the range of 360 to 2048 for your

General Purpose Keys. Choosing a key modulus greater than 512 may take

a few minutes.

How many bits in the modulus [512]:

% Generating 512 bit RSA keys, keys will be non-exportable with redundancy...[OK]

Related Commands

crypto keyring

To define a crypto keyring to be used during Internet Key Exchange (IKE) authentication, use the crypto keyring command in global configuration mode. To remove the keyring, use the no form of this command.

crypto keyring keyring-name [vrf fvrf-name]

no crypto keyring keyring-name [vrf fvrf-name]

Syntax Description

Command Default

All the Internet Security Association and Key Management Protocol (ISAKMP) keys that were defined in the global configuration are part of the default global keyring.

Command Modes

Global configuration (config)

Command History

Usage Guidelines

A keyring is a repository of preshared and Rivest, Shamir, and Adelman (RSA) public keys. The keyring is used in the ISAKMP profile configuration mode. The ISAKMP profile successfully completes authentication of peers if the peer keys are defined in the keyring that is attached to this profile.

Examples

The following example shows that a keyring and its usage have been defined:

crypto keyring vpnkeys

  pre-shared-key address 10.72.23.11 key vpnsecret

crypto isakmp profile vpnprofile

  keyring vpnkeys

Related Commands

crypto map (global IPsec)

To enter crypto map configuration mode and create or modify a crypto map entry, to create a crypto profile that provides a template for configuration of dynamically created crypto maps, or to configure a client accounting list, use the crypto map command in global configuration mode. To delete a crypto map entry, profile, or set, use the no form of this command.

crypto map [ipv6] map-name seq-num [ipsec-manual]

crypto map [ipv6] map-name seq-num [ipsec-isakmp [dynamic dynamic-map-name | discover | profile profile-name]]

no crypto map [ipv6] map-name [seq-num]

crypto map [ipv6] map-name client accounting list aaalist

no crypto map [ipv6] map-name [client accounting list]

crypto map map-name seq num [gdoi]

no crypto map map-name [seq-num]

Syntax Description

Command Default

No crypto maps exist.
Peer discovery is disabled.

Command Modes

Global configuration (config)

Command History

Usage Guidelines

Use this command to create a new crypto map entry or profile. Use the crypto map ipv6 map-name seq-num command without any keyword to modify an existing IPv6 crypto map entry or profile. For IPv4 crypto maps, use the crypto map map-name seq-num command without any keyword to modify the existing crypto map entry or profile.

After a crypto map entry is created, you cannot change the parameters specified at the global configuration level because these parameters determine the configuration commands that are valid at the crypto map level. For example, after a map entry has been created using the ipsec-isakmp keyword, you cannot change it to the option specified by the ipsec-manual keyword; you must delete and reenter the map entry.

After you define crypto map entries, you can assign the crypto map set to interfaces using the crypto map (interface IPsec) command.

Crypto Map Functions

Crypto maps provide two functions: filtering and classifying the traffic to be protected and defining the policy to be applied to that traffic. The first affects the flow of traffic on an interface; the second affects the negotiation performed (via IKE) on behalf of that traffic.

IPsec crypto maps define the following:

•What traffic should be protected

•To which IPsec peers the protected traffic can be forwarded—these are the peers with which an SA can be established

•Which transform sets are acceptable for use with the protected traffic

•How keys and SAs should be used or managed (or what the keys are, if IKE is not used)

Multiple Crypto Map Entries with the Same Map Name Form a Crypto Map Set

A crypto map set is a collection of crypto map entries, each with a different seq-num argument but the same map-name argument. Therefore, for an interface, you could have certain traffic forwarded to one IPsec peer with specified security applied to that traffic and other traffic forwarded to the same or different IPsec peer with different IPsec security applied. To accomplish differential forwarding, you would create two crypto maps, each with the same map-name argument but different seq-num argument. Crypto profiles must have unique names within a crypto map set.

Note If a deny statement (which specifies the conditions under which a packet cannot pass the access control list) in an access control list belongs to a crypto map in a crypto map set, the IPsec logic causes a jump to the next crypto map in the crypto map set, hoping for a better possible match. VPN Service Adapter (VSA) hardware has a restriction of 14 jumps.

Sequence Numbers

The number you assign to the seq-num argument should not be arbitrary. This number is used to rank multiple crypto map entries within a crypto map set. Within a crypto map set, a crypto map entry with a lower seq-num is evaluated before a map entry with a higher seq-num; that is, the map entry with the lower number has a higher priority.

For example, assume that a crypto map set contains three crypto map entries: mymap 10, mymap 20, and mymap 30. The crypto map set named "mymap" is applied to serial interface 0. When traffic passes through serial interface 0, traffic is evaluated first for mymap 10. If the traffic matches any access list permit statement entry in the extended access list in mymap 10, the traffic will be processed according to the information defined in mymap 10 (which includes establishing IPsec SAs when necessary). If the traffic does not match the mymap 10 access list, the traffic will be evaluated for mymap 20, and then mymap 30, until the traffic matches a permit entry in a map entry. (If the traffic does not match a permit entry in any crypto map entry, it will be forwarded without any IPsec security.)

Dynamic Crypto Maps

Refer to the "Usage Guidelines" section of the crypto dynamic-map command for a discussion on dynamic crypto maps.

Crypto map entries that reference dynamic map sets should be the lowest priority map entries, allowing inbound SA negotiation requests to try to match the static maps first. If the request does not match any of the static maps, it will be evaluated against the dynamic map set.

If a crypto map entry references a dynamic crypto map set, make it the lowest priority map entry by giving it the highest seq-num value of all the map entries in a crypto map set.

Create dynamic crypto map entries using the crypto dynamic-map command. After you create a dynamic crypto map set, add the dynamic crypto map set to a static crypto map set with the crypto map (global IPsec) command using the dynamic keyword.

Note IPv6 keywords are not supported on dynamic crypto maps.

TED

Tunnel Endpoint Discovery (TED) is an enhancement to the IPsec feature. Defining a dynamic crypto map allows you to dynamically determine an IPsec peer; however, only the receiving router has this ability. With TED, the initiating router can dynamically determine an IPsec peer for secure IPsec communications.

Dynamic TED helps to simplify the IPsec configuration on individual routers within a large network. Each node has a simple configuration that defines the local network that the router is protecting and the IPsec transforms that are required.

Note TED helps only in discovering peers; otherwise, TED does not function any differently from normal IPsec. Thus, TED does not improve the scalability of IPsec (in terms of performance or the number of peers or tunnels).

Crypto Map Profiles

Crypto map profiles are created using the profile profile-name keyword and argument combination. Crypto map profiles are used as configuration templates for dynamically creating crypto maps on demand for use with the L2TP Security feature. The relevant SAs in the crypto map profile will be cloned and used to protect IP traffic on the L2TP tunnel.

Note The set peer and match address commands are ignored by crypto profiles and should not be configured in the crypto map definition.

Examples

The following example shows the minimum required crypto map configuration when IKE will be used to establish the SAs:

crypto map mymap 10 ipsec-isakmp

 match address 101

 set transform-set my_t_set1

 set peer 10.0.0.1

The following example shows the minimum required IPv6 crypto map configuration when IKE will be 
used to establish the SAs:

 
crypto map ipv6 CM_V6 10 ipsec-isakmp

 match address ACL_IPV6_1

  set peer 2001:DB8:0:ABCD::1

The following example shows the minimum required crypto map configuration when the SAs are manually established:

crypto transform-set someset ah-md5-hmac esp-des

crypto map mymap 10 ipsec-manual

 match address 102

 set transform-set someset

 set peer 10.0.0.5

 set session-key inbound ah 256 98765432109876549876543210987654

 set session-key outbound ah 256 fedcbafedcbafedcfedcbafedcbafedc

 set session-key inbound esp 256 cipher 0123456789012345

 set session-key outbound esp 256 cipher abcdefabcdefabcd

The following example shows the minimum required IPv6 crypto map configuration when the SAs are manually established:

crypto map ipv6 CM_V6 ipsec-manual

 match address ACL_V6_2

 set transform-set someset

 set peer 2001:DB8:0:ABCD::1

 set session-key inbound ah 256 98765432109876549876543210987654

 set session-key outbound ah 256 fedcbafedcbafedcfedcbafedcbafedc

 set session-key inbound esp 256 cipher 0123456789012345

 set session-key outbound esp 256 cipher abcdefabcdefabcd

The following example shows how to configure an IPsec crypto map set that includes a reference to a dynamic crypto map set.

Crypto map "mymap 10" allows SAs to be established between the router and either or both the remote IPsec peers for traffic matching access list 101. Crypto map "mymap 20" allows either of the two transform sets to be negotiated with the remote peer for traffic matching access list 102.

Crypto map entry "mymap 30" references the dynamic crypto map set "mydynamicmap," which can be used to process inbound SA negotiation requests that do not match "mymap" entries 10 or 20. In this case, if the peer specifies a transform set that matches one of the transform sets specified in "mydynamicmap," for a flow permitted by the access list 103, IPsec will accept the request and set up SAs with the remote peer without previously knowing about the remote peer. If the request is accepted, the resulting SAs (and temporary crypto map entry) are established according to the settings specified by the remote peer.

The access list associated with "mydynamicmap 10" is also used as a filter. Inbound packets that match any access list permit statement in this list are dropped for not being IPsec protected. (The same is true for access lists associated with static crypto maps entries.) Outbound packets that match a permit statement without an existing corresponding IPsec SA are also dropped.

crypto map mymap 10 ipsec-isakmp

 match address 101

 set transform-set my_t_set1

 set peer 10.0.0.1

 set peer 10.0.0.2

crypto map mymap 20 ipsec-isakmp

 match address 102

 set transform-set my_t_set1 my_t_set2

 set peer 10.0.0.3

crypto map mymap 30 ipsec-isakmp dynamic mydynamicmap

!

crypto dynamic-map mydynamicmap 10

 match address 103

 set transform-set my_t_set1 my_t_set2 my_t_set3

The following example shows how to configure TED on a Cisco router:

crypto map testtag 10 ipsec-isakmp dynamic dmap discover

The following example shows how to configure a crypto profile to be used as a template for dynamically created crypto maps when IPsec is used to protect an L2TP tunnel:

crypto map l2tpsec 10 ipsec-isakmp profile l2tp

The following example shows how to configure a crypto map for a GDOI group member:

crypto map diffint 10 gdoi

 set group diffint

Related Commands