• Cisco IOS Security Command Guide


    copy system:running-config nvram:startup-config : to save your configuration changes to the startup configuration so that the changes will not be lost if the software reloads or a power outage occurs

    command | {begin | include | exclude} regular-expression : filtering output from the show and more commands (you can search and filter the output of show and more commands)

    e.g.: Router# show interface | include protocol

    Authentication, Authorization, and Accounting

    Authentication Commands

    aaa authentication arap : to enable an authentication, authorization, and accounting(AAA) authentication method for AppleTalk Remote Access(ARA) (in global configuration mode)

    no aaa authentication arap

    aaa authentication banner : to configure a personalized banner that will be displayed at user login (in global configuration mode)

    no aaa authentication banner

    aaa authentication enable default : to enable authentication, authorization, and accounting(AAA) authentication to determine if a user can access the privileged command level (in global configuration mode)

    no aaa authentication enable default

    aaa authentication fail-message : to configure a personalized banner that will be displayed when a user fails login (in global configuration mode)

    no aaa authentication fail-message

    aaa authentication login : to set authentication, authorization, and accounting(AAA) authentication at login (in global configuration mode)

    no aaa authentication login

    aaa authentication nasi : to specify authentication, authorization, and accounting(AAA) authentication for NetWare Asynchronous Services Interface(NASI) clients connecting through the access server (in global configuration mode)

    no aaa authentication nasi

    aaa authentication password-prompt : to change the text displayed when users are prompted for a password (in global configuration mode)

    no aaa authentication password-prompt

    aaa authentication ppp : to specify one or more authentication, authorization, and accounting(AAA) authentication methods for use on serial interfaces that are running PPP (in global configuration mode)

    no aaa authentication ppp

    aaa authentication username-prompt : to change the text displayed when users are prompted to enter a username (in global configuration mode)

    no aaa authentication username-prompt

    aaa dnis map authentication login group : to map a Dialed Number Information Service(DNIS) number to a particular authentication, authorization, and accounting(AAA) server group for the login service (this server group will be used for AAA authentication) (in global configuration mode)

    no aaa dnis map authentication login group

    aaa dnis map authentication ppp group : to map a Dialed Number Information Service(DNIS) number to a particular authentication server group (this server group will be used for authentication, authorization, and accounting(AAA) authentication) (in global configuration mode)

    no aaa dnis map authentication ppp group

    aaa nas redirected-station : to include the original number in the information sent to the authentication server when the number dialed by a device is redirected to another number for authentication (in global configuration mode)

    no aaa nas redirected-station

    aaa new-model : to enable the authentication, authorization, and accounting(AAA) access control model (in global configuration mode)

    no aaa new-model

    aaa pod server : to enable inbound user sessions to be disconnected when specific session attributes are presented (in global configuration mode)

    no aaa pod server

    aaa preauth : to enter authentication, authorization, and accounting(AAA) preauthentication configuration mode (in global configuration mode)

    no aaa preauth

    aaa processes : to allocate a specific number of background processes to be used to process authentication, authorization, and accounting(AAA) authentication and authorization requests for PPP (in global configuration mode)

    no aaa processes

    access-profile : to apply your per-user authorization attributes to an interface during a PPP session (in privileged EXEC mode)

    no access-profile

    arap authentication : to enable authentication, authorization, and accounting(AAA) authentication for AppleTalk Remote Access Protocol(ARAP) on a line (in line configuration mode)

    no arap authentication

    clear ip trigger-authentication : to clear the list of remote hosts for which automated double authentication has been attempted (in privileged EXEC mode)

    dnis (AAA preauthentication) : to preauthenticate calls on the basis of the Dialed Number Identification Service(DNIS) number

    no dnis

    group : to specify the authentication, authorization, and accounting(AAA) TACACS+ server group to use for preauthentication (in AAA preauthentication configuration mode)

    no group

    ip trigger-authentication : to enable the automated part of double authentication at a device (in global configuration mode)

    no ip trigger-authentication

    ip trigger-authentication : to specify automated double authentication at an interface (in interface configuration mode)

    no ip trigger-authentication

    login authentication : to enable authentication, authorization, and accounting(AAA) authentication for login (in line configuration mode)

    no login authentication

    nasi authentication : to enable authentication, authorization, and accounting(AAA) authentication for NetWare Asynchronous Services Interface(NASI) clients connecting to a router (in line configuration mode)

    no nasi authentication

    ppp authentication : to enable Challenge Handshake Authentication Protocol(CHAP) or Password Authentication Protocol(PAP) or both and to specify the order in which CHAP and PAP authentication are selected on the interface (in interface configuration mode)

    no ppp authentication

    ppp chap hostname : to create a pool of dialup routers that all appear to be the same host when authenticating with Challenge Handshake Authentication Protocol(CHAP) (in interface configuration mode)

    no ppp chap hostname

    ppp chap password : to enable a router calling a collection of routers that do not support this command(such as routers running older Cisco IOS software images) to configure a common Challenge Handshake Authentication Protocol(CHAP) secret password to use in response to challenges from an unknown peer (in interface configuration mode)

    no ppp chap password

    ppp chap refuse : to refuse Challenge Handshake Authentication Protocol(CHAP) authentication from peers requesting it (in interface configuration mode)

    no ppp chap refuse

    ppp chap wait : to specify that the router will not authenticate to a peer requesting Challenge Handshake Authentication Protocol(CHAP) authentication until after the peer has authenticated itself to the router (in interface configuration mode)

    no ppp chap wait

    ppp pap refuse : to refuse a peer request to authenticate remotely with PPP using Password Authentication Protocol(PAP) (in interface configuration mode)

    no ppp pap refuse

    ppp pap sent-username : to reenable remote Password Authentication Protocol(PAP) support for an interface and use the sent-username and password in the PAP authentication request packet to the peer (in interface configuration mode)

    no ppp pap sent-username

    show ip trigger-authentication : to view the list of remote hosts for which automated double authentication has been attempted (in privileged EXEC mode)

    show ppp queues : to monitor the number of requests processed by each authentication, authorization, and accounting(AAA) background process (in privileged EXEC mode)

    timeout login response : to specify how long the system will wait for login input (such as username and password) before timing out (in line configuration mode)

    no timeout login response

    Authorization Commands

    aaa authorization : to set parameters that restrict user access to a network (in global configuration mode)

    no aaa authorization

    aaa authorization config-commands : to reestablish the default created when the aaa authorization commands command was issued (in global configuration mode)

    no aaa authorization config-commands

    aaa authorization console : to apply authorization to a console (in global configuration mode)

    no aaa authorization console

    aaa authorization reverse-access : to configure a network access server to request authorization information from a security server before allowing a user to establish a reverse Telnet session (in global configuration mode)

    no aaa authorization reverse-access

    aaa dnis map authorization network group : to map a Dialed Number Identification Service(DNIS) number to a particular authentication, authorization, and accounting(AAA) server group (the server group that will be used for AAA authorization) (in global configuration mode)

    no aaa dnis map authorization network group

    authorization : to enable authentication, authorization, and accounting(AAA) authorization for a specific line or group of lines (in line configuration mode)

    no authorization

    ppp authorization : to enable authentication, authorization, and accounting(AAA) authorization on the selected interface (in interface configuration mode)

    no ppp authorization

    Accounting Commands

    aaa accounting : to enable authentication, authorization, and accounting(AAA) accounting of requested services for billing or security purposes when you use RADIUS or TACACS+ (in global configuration mode)

    no aaa accounting

    aaa accounting connection h323 : to define the accounting method list H.323 with RADIUS as a method with either stop-only or start-stop accounting options (in global configuration mode)

    no aaa accounting connection h323

    aaa accounting delay-start : to delay generation of accounting "start" records until the user IP address is established (in global configuration mode)

    no aaa accounting delay-start

    aaa accounting nested : to specify that NETWORK records be generated, or nested, within EXEC "start" and "stop" records for PPP users who start EXEC terminal sessions (in global configuration mode)

    no aaa accounting nested

    aaa accounting resource start-stop group : to enable full resource accounting, which will generate both a "start" record at call setup and a "stop" record at call termination (in global configuration mode)

    no aaa accounting resource start-stop group

    aaa accounting resource stop-failure group : to enable resource failure stop accounting support, which will generate a "stop" record at any point prior to user authentication only if a call is terminated (in global configuration mode)

    no aaa accounting resource stop-failure group

    aaa accounting send stop-record authentication failure : to generate accounting "stop" record for users who fail to authenticate at login or during session negotiation (in global configuration mode)

    no aaa accounting send stop-record authentication failure

    aaa accounting suppress null-username : to prevent the Cisco IOS software from sending accounting records for users whose username string is NULL (in global configuration mode)

    no aaa accounting suppress null-username

    aaa accounting update : to enable periodic interim accounting records to be sent to the accounting server (in global configuration mode)

    no aaa accounting update

    aaa dnis map accounting network : to map a Dialed Number Information Service(DNIS) number to a particular authentication, authorization, and accounting(AAA) server group that will be used for AAA accounting (in global configuration mode)

    no aaa dnis map accounting network

    aaa session-mib disconnect : to enable disconnect by using Simple Network Management Protocol(SNMP) (in global configuration mode)

    no aaa session-mib disconnect

    accounting : to enable authentication, authorization, and accounting(AAA) accounting services to a specified line or group of lines (in line configuration mode)

    no accounting

    accounting : to enable the accounting on the gatekeeper (in gatekeeper configuration mode)

    no accounting

    ppp accounting : to enable authentication, authorization, and accounting(AAA) accounting services on the selected interface (in interface configuration mode)

    no ppp accounting

    show accounting : to step through all active sessions and to print all the accounting records for actively accounted functions (in EXEC mode)

    no show accounting

    Security Server Protocols

    RADIUS Commands

    aaa group server radius : to group different RADIUS server hosts into distinct lists and distinct methods (in global configuration mode)

    no aaa group server radius

    aaa nas port extended : to replace the NAS-Port attribute with RADIUS IETF attribute 26 and to display extended field information (in global configuration mode)

    no aaa nas port extended

    call guard-timer : to set a guard timer to accept or reject a call in the event that the RADIUS server fails to respond to a preauthentication request (in controller configuration mode)

    no call guard-timer

    clid : to preauthenticate calls on the basis of the Calling Line Identification(CLID) number (in AAA preauthentication configuration mode)

    no clid

    ctype : to preauthenticate calls on the basis of the call type (in AAA preauthentication configuration mode)

    no ctype

    deadtime : to configure deadtime within the context of RADIUS server groups (in server-group configuration mode)

    no deadtime

    dialer aaa : to allow a dialer to access the authentication, authorization, and accounting(AAA) server for dialing information (in interface configuration mode)

    no dialer aaa

    dnis : to preauthenticate calls on the basis of the DNIS(Dialed Number Identification Service) number (in AAA preauthentication configuration mode)

    no dnis

    dnis bypass : to specify a group of DNIS(Dialed Number Identification Service) numbers that will be bypassed for preauthentication (in AAA preauthentication configuration mode)

    no dnis bypass

    group : to specify the authentication, authorization, and accounting(AAA) RADIUS server group to use for preauthentication (in AAA preauthentication configuration mode)

    no group

    ip radius source-interface : to force RADIUS to use the IP address of a specified interface for all outgoing RADIUS packets (in global configuration mode)

    no ip radius source-interface

    radius-server attribute 32 include-in-access-req : to send RADIUS attribute 32 (NAS-Identifier) in an access-request or accounting-request (in global configuration mode)

    no radius-server attribute 32 include-in-access-req

    radius-server attribute 44 include-in-access-req : to send RADIUS attribute 44 (Accounting Session ID) in access request packets before user authentication (including requests for preauthentication) (in global configuration mode)

    no radius-server attribute 44 include-in-access-req

    radius-server attribute 55 include-in-acct-req : to send the RADIUS attribute 55 (Event-Timestamp) in accounting packets (in global configuration mode)

    no radius-server attribute 55 include-in-acct-req

    radius-server attribute 69 clear : to receive nonencrypted tunnel passwords in attribute 69(Tunnel-Password) (in global configuration mode)

    no radius-server attribute 69 clear

    radius-server attribute 188 format non-standard : to send the number of remaining links in the multilink bundle in the accounting-request packet (in global configuration mode)

    no radius-server attribute 188 format non-standard

    radius-server attribute nas-port format : to select the NAS-Port format used for RADIUS accounting features, and to restore the default NAS-Port format (in global configuration mode)

    no radius-server attribute nas-port format

    radius-server challenge-noecho : to prevent user responses to Access-Challenge packets from being displayed on the screen (in global configuration mode)

    no radius-server challenge-noecho

    radius-server configure-nas : to have the Cisco router or access server query the vendor-proprietary RADIUS server for the static routes and IP pool definitions used throughout its domain when the device starts up (in global configuration mode)

    no radius-server configure-nas

    radius-server deadtime : to improve RADIUS response times when some servers might be unavailable (in global configuration mode)

    no radius-server deadtime

    radius-server directed-request : to allow users logging into a Cisco network access server (NAS) to select a RADIUS server for authentication (in global configuration mode)

    no radius-server directed-request

    radius-server host : to specify a RADIUS server host (in global configuration mode)

    no radius-server host

    radius-server host non-standard : to identify that the security server is using a vendor-proprietary implementation of RADIUS (in global configuration mode)

    no radius-server host non-standard

    radius-server key : to set the authentication and encryption key for all RADIUS communications between the router and the RADIUS daemon (in global configuration mode)

    no radius-server key

    radius-server optional passwords : to specify that the first RADIUS request to a RADIUS server be made without password verification (in global configuration mode)

    no radius-server optional passwords

    radius-server retransmit : to specify the number of times the Cisco IOS software searches the list of RADIUS server hosts before giving up (in global configuration mode)

    no radius-server retransmit

    radius-server timeout : to set the interval for which a router waits for a server host to reply (in global configuration mode)

    no radius-server timeout

    radius-server unique-ident : to assign a unique accounting session identification (Acct-Session-Id) (in global configuration mode)

    no radius-server unique-ident

    radius-server vsa send : to configure the network access server to recognize and use vendor-specific attributes (in global configuration mode)

    no radius-server vsa send

    server : to configure the IP address of the RADIUS server for the group server (in server-group configuration mode)

    no server

    show radius statistics : to display the RADIUS statistics for accounting and authentication packets (in EXEC mode)

    vpdn aaa attribute : to enable reporting of network access server (NAS) authentication, authorization, and accounting (AAA) attributes related to a virtual private dialup network (VPDN) to the AAA server (in global configuration mode)

    no vpdn aaa attribute

    TACACS+ Commands

    aaa group server tacacs+ : to group different server hosts into distinct lists and distinct methods (in global configuration mode)

    no aaa group server tacacs+

    ip tacacs source-interface : to use the IP address of a specified interface for all outgoing TACACS+ packets (in global configuration mode)

    no ip tacacs source-interface

    server : to configure the IP address of the TACACS+ server for the group server (in TACACS+ group server configuration mode)

    no server

    show tacacs : to display statistics for a TACACS+ server (in EXEC mode)

    tacacs-server administration : to enable the handling of administrative messages by the TACACS+ daemon (in global configuration mode)

    no tacacs-server administration

    tacacs-server directed-request : to send only a username to a specified server when a direct request is issued (in global configuration mode)

    no tacacs-server directed-request

    tacacs-server dns-alias-lookup : to enable IP Domain Name System(DNS) alias lookup for TACACS+ server (in global configuration mode)

    no tacacs-server dns-alias-lookup

    tacacs-server host : to specify a TACACS+ host (in global configuration mode)

    no tacacs-server host

    tacacs-server key : to set the authentication encryption key used for all TACACS+ communications between the access server and the TACACS+ daemon (in global configuration mode)

    no tacacs-server key

    tacacs-server packet : to modify TACACS+ packet option (in global configuration mode)

    no tacacs-server packet

    tacacs-server timeout : to set the interval for which the server waits for a server host to reply (in global configuration mode)

    no tacacs-server timeout

    Kerberos Commands

    clear kerberos creds : to delete the contents of the credentials cache (in privileged EXEC mode)

    kerberos clients mandatory : to cause the rsh, rcp, rlogin and telnet commands to fail if they cannot negotiate the Kerberos protocol with the remote server (in global configuration mode)

    no kerberos clients mandatory

    kerberos credentials forward : to force all network application clients on the router to forward users' Kerberos credentials upon successful Kerberos authentication (in global configuration mode)

    no kerberos credentials forward

    kerberos instance map : to map Kerberos instances to Cisco IOS privilege levels (in global configuration mode)

    no kerberos instance map

    kerberos local-realm : to specify the Kerberos realm in which the router is located (in global configuration mode)

    no kerberos local-realm

    kerberos preauth : to specify a preauthentication method to use to communicate with the key distribution center(KDC) (in global configuration mode)

    no kerberos preauth

    kerberos realm : to map a host name or Domain Name System(DNS) domain to a Kerberos realm (in global configuration mode)

    no kerberos realm

    kerberos server : to specify the location of the Kerberos server for a given Kerberos realm (in global configuration mode)

    no kerberos server

    kerberos srvtab entry : to retrieve a SRVTAB file from a remote host and automatically generate a Kerberos SRVTAB entry configuration (in global configuration mode)

    no kerberos srvtab entry

    kerberos srvtab remote : to retrieve a SRVTAB file from a remote host and automatically generate a Kerberos SRVTAB entry configuration (in global configuration mode)

    key config-key : to define a private DES key for the router (in global configuration mode)

    no key config-key

    show kerberos creds : to display the contents of your credentials cache (in privileged EXEC mode)

    Traffic Filtering and Firewalls

    Lock-and-Key Commands

    access-enable : to enable the router to create a temporary access list entry in a dynamic access list (in EXEC mode)

    access-list dynamic-extend : to allow the absolute timer of the dynamic access control list(ACL) to be extended an additional six minutes (in global configuration mode)

    no access-list dynamic-extend

    access-template : to manually place a temporary access list entry on a router to which you are connected (in EXEC mode)

    clear access-template : to manually clear a temporary access list entry from a dynamic access list (in EXEC mode)

    Reflexive Access List Commands

    evaluate : to nest a reflexive access list within an access list (in access-list configuration mode)

    no evaluate

    ip reflexive-list timeout : to specify the length of time that reflexive access list entries will continue to exist when no packets in the session are detected (in global configuration mode)

    no ip reflexive-list timeout

    permit : to create a reflexive access list and to enable its temporary entries to be automatically generated (in access-list configuration mode)

    no permit

    TCP Intercept Commands

    ip tcp intercept connection-timeout : to change how long a TCP connection will be managed by the TCP intercept after no activity (in global configuration mode)

    no ip tcp intercept connection-timeout

    ip tcp intercept drop-mode : to set the TCP intercept drop mode (in global configuration mode)

    no ip tcp intercept drop-mode

    ip tcp intercept finrst-timeout : to change how long after receipt of a reset or FIN-exchange the software ceases to manage the connection (in global configuration mode)

    no ip tcp intercept finrst-timeout

    ip tcp intercept list : to enable TCP intercept (in global configuration mode)

    no ip tcp intercept list

    ip tcp intercept max-incomplete high : to define the maximum number of incomplete connections allowed before the software enters aggressive mode (in global configuration mode)

    no ip tcp intercept max-incomplete high

    ip tcp intercept max-incomplete low : to define the number of incomplete connections below which the software leaves aggressive mode (in global configuration mode)

    no ip tcp intercept max-incomplete low

    ip tcp intercept mode : to change the TCP intercept mode (in global configuration mode)

    no ip tcp intercept mode

    ip tcp intercept one-minute high : to define the number of connection requests received in the last one-minute sample period before the software enters aggressive mode (in global configuration mode)

    no ip tcp intercept one-minute high

    ip tcp intercept one-minute low : to define the number of connection requests below which the software leaves aggressive mode (in global configuration mode)

    no ip tcp intercept one-minute low

    ip tcp intercept watch-timeout : to define how long the software will wait for a watched TCP intercept connection to reach established state before sending a reset to the server (in global configuration mode)

    no ip tcp intercept watch-timeout

    show tcp intercept connections : to display TCP incomplete and established connections (in EXEC mode)

    show tcp intercept statistics : to display TCP intercept statistics (in EXEC mode)

    Context-Based Access Control Commands

    ip inspect alert-off : to disable Context-based Access Control (CBAC) alert messages, which are displayed on the console (in global configuration mode)

    no ip inspect alert-off

    ip inspect audit trail : to turn on Context-based Access Control(CBAC) audit trail messages, which will be displayed on the console after each CBAC session closes (in global configuration mode)

    no ip inspect audit trail

    ip inspect dns-timeout : to specify the Domain Name System (DNS) idle timeout (the length of time during which a DNS name lookup session will still be managed while there is no activity) (in global configuration mode)

    no ip inspect dns-timeout

    ip inspect : to apply a set of inspection rules to an interface (in interface configuration mode)

    no ip inspect

    ip inspect max-incomplete high : to define the number of existing half-open sessions that will cause the software to start deleting half-open sessions (in global configuration mode)

    no ip inspect max-incomplete high

    ip inspect max-incomplete low : to define the number of existing half-open sessions that will cause the software to stop deleting half-open sessions (in global configuration mode)

    no ip inspect max-incomplete low

    ip inspect name : to define a set of inspection rules (in global configuration mode)

    no ip inspect name

    ip inspect one-minute high : to define the rate of new unestablished sessions that will cause the software to start deleting half-open sessions (in global configuration mode)

    no ip inspect one-minute high

    ip inspect one-minute low : to define the rate of new unestablished TCP sessions that will cause the software to stop deleting half-open sessions (in global configuration mode)

    no ip inspect one-minute low

    ip inspect tcp finwait-time : to define how long a TCP session will still be managed after the firewall detects a FIN-exchange (in global configuration mode)

    no ip inspect tcp finwait-time

    ip inspect tcp idle-time : to specify the TCP idle timeout (the length of time a TCP session will still be managed while there is no activity) (in global configuration mode)

    no ip inspect tcp idle-time

    ip inspect tcp max-incomplete host : to specify threshold and blocking time values for TCP host-specific denial-of-service detection and prevention (in global configuration mode)

    no ip inspect tcp max-incomplete host

    ip inspect tcp synwait-time : to define how long the software will wait for a TCP session to reach the established state before dropping the session (in global configuration mode)

    no ip inspect tcp synwait-time

    ip inspect udp idle-time : to specify the User Datagram Protocol (UDP) idle timeout (the length of time for which a UDP "session" will still be managed while there is no activity) (in global configuration mode)

    no ip inspect udp idle-time

    no ip inspect : to turn off Context-based Access Control(CBAC) completely at a firewall (in global configuration mode)

    show ip inspect : to view Context-based Access Control(CBAC) configuration and session information (in privileged EXEC mode)

    Cisco IOS Firewall Intrusion Detection System Commands

    clear ip audit configuration : to disable Cisco IOS Firewall IDS, remove all intrusion detection configuration entries, and release dynamic resources (in EXEC mode)

    clear ip audit statistics : to reset statistics on packets analyzed and alarms sent (in EXEC mode)

    ip audit : to apply an audit specification created with the ip audit command to a specific interface and for a specific direction (in interface configuration mode)

    no ip audit

    ip audit attack : to specify the default actions for attack signatures (in global configuration mode)

    no ip audit attack

    ip audit info : to specify the default actions for info signatures (in global configuration mode)

    no ip audit info

    ip audit name : to create audit rules for info and attack signature types (in global configuration mode)

    no ip audit name

    ip audit notify : to specify the method of event notification (in global configuration mode)

    no ip audit notify

    ip audit po local : to specify the local Post Office parameters used when sending event notifications to the NetRanger Director (in global configuration mode)

    no ip audit po local

    ip audit po max-events : to specify the maximum number of event notifications that are placed in the router's event queue (in global configuration mode)

    no ip audit po max-events

    ip audit po protected : to specify whether an address is on a protected network (in global configuration mode)

    no ip audit po protected

    ip audit po remote : to specify one or more set of Post Office parameters for NetRanger Directors receiving event notifications from the router (in global configuration mode)

    no ip audit po remote

    ip audit signature : to attach a policy to a signature (in global configuration mode)

    no ip audit signature

    ip audit smtp : to specify the number of recipients in a mail message over which a spam attack is suspected (in global configuration mode)

    no ip audit smtp

    show ip audit configuration : to display additional configuration information, including default values that may not be displayed using the show run command (in EXEC mode)

    show ip audit interface : to display the interface configuration (in EXEC mode)

    show ip audit statistics : to display the number of packets audited and the number of alarms sent, among other information (in EXEC mode)

    Authentication Proxy Commands

    clear ip auth-proxy cache : to clear authentication proxy entries from the router (in EXEC mode)

    ip auth-proxy auth-cache-time : to set the authentication proxy idle timeout value (the length of time an authentication cache entry, along with its associated dynamic user access control list, is managed after a period of inactivity) (in global configuration mode)

    no ip auth-proxy auth-cache-time

    ip auth-proxy : to apply an authentication proxy rule at a firewall interface (in interface configuration mode)

    no ip auth-proxy

    ip auth-proxy auth-proxy-banner : to display a banner, such as the router name, in the authentication proxy login page (in global configuration mode)

    no ip auth-proxy auth-proxy-banner

    ip auth-proxy name : to create an authentication proxy rule (in global configuration mode)

    no ip auth-proxy name

    show ip auth-proxy : to display the authentication proxy entries or the running authentication proxy configuration (in privileged EXEC mode)

    Port to Application Mapping Commands

    ip port-map : to establish Port to Application Mapping (PAM) (in global configuration mode)

    no ip port-map

    show ip port-map : to display the Port to Application Mapping (PAM) information (in privileged EXEC mode)

    IP Security and Encryption

    IPSec Network Security Commands

    clear crypto sa : to delete IP Security (IPSec) security associations (in EXEC mode)

    crypto dynamic-map : to create a dynamic crypto map entry and enter the crypto map configuration command mode (in global configuration mode)

    no crypto dynamic-map

    crypto engine accelerator : to enable the IP Security (IPSec) accelerator (in global configuration mode)

    no crypto engine accelerator

    crypto ipsec security-association lifetime : to change global lifetime values used when negotiating IPSec security associations (in global configuration mode)

    no crypto ipsec security-association lifetime

    crypto ipsec transform-set : to define a transform set - an acceptable combination of security protocols and algorithms (in global configuration mode)

    no crypto ipsec transform-set

    crypto map : to create or modify a crypto map entry and enter the crypto map configuration mode (in global configuration mode)

    no crypto map

    crypto map : to apply a previously defined crypto map set to an interface (in interface configuration mode)

    no crypto map

    crypto map local-address : to specify and name an identifying interface to be used by the crypto map for IPSec traffic (in global configuration mode)

    no crypto map local-address

    match address : to specify an extended access list for a crypto map entry (in crypto map configuration mode)

    no match address

    mode : to change the mode for a transform set (in crypto transform configuration mode)

    no mode

    set peer : to specify an IP Security peer in a crypto map entry (in crypto map configuration mode)

    no set peer

    set pfs : to specify that IP Security should ask for perfect forward secrecy (PFS) when requesting new security associations for this crypto map entry, or that IPSec requires PFS when receiving requests for new security associations (in crypto map configuration mode)

    no set pfs

    set security-association level per-host : to specify that separate IP Security security associations should be requested for each source/destination host pair (in crypto map configuration mode)

    no set security-association level per-host

    set security-association lifetime : to override (for a particular crypto map entry) the global lifetime value, which is used when negotiating IP Security associations (in crypto map configuration mode)

    no set security-association lifetime

    set session-key : to manually specify the IP Security session keys within a crypto map entry (in crypto map configuration mode)

    no set session-key

    set transform-set : to specify which transform sets can be used with the crypto map entry (in crypto map configuration mode)

    no set transform-set

    show crypto dynamic-map : to view a dynamic crypto map set

    show crypto engine accelerator logs : to display information about the last 32 CryptoGraphics eXtensions (CGX) Library packet processing commands and associated parameters sent from the VPN module driver to the VPN module hardware (in privileged EXEC mode)

    show crypto engine accelerator sa-database : to display active (in-use) entries in the platform-specific virtual private network (VPN) module database (in privileged EXEC mode)

    show crypto ipsec sa : to view the settings used by current security associations (in EXEC mode)

    show crypto ipsec security-association lifetime : to view the security-association lifetime value configured for a particular crypto map entry (in EXEC mode)

    show crypto ipsec transform-set : to view the configured transform sets (in EXEC mode)

    show crypto map : to view the crypto map configuration

    Certification Authority Interoperability Commands

    certificate : to manually add certificates (in certificate chain configuration mode)

    no certificate

    crl optional : to allow the certificates of other peers to be accepted without trying to obtain the appropriate CRL (in ca-identity configuration mode)

    no crl optional

    crl query : 

    no crl query

    crypto ca authenticate : to authenticate the certification authority (by getting the CA's certificate) (in global configuration mode)

    crypto ca certificate chain : to enter the certificate chain configuration mode (in global configuration mode)

    crypto ca certificate query : to specify that certificates and certificate revocation lists (CRLs) should not be stored locally but retrieved from the certification authority when needed (in global configuration mode)

    no crypto ca certificate query

    crypto ca crl request : to request that a new certificate revocation list (CRL) be obtained immediately from the certification authority (in global configuration mode)

    crypto ca enroll : to obtain your router's certificate from the certification authority (in global configuration mode)

    no crypto ca enroll

    crypto ca identity : to declare the certification authority that your router should use (in global configuration mode)

    no crypto ca identity

    crypto ca trusted-root : to configure a trusted root with a selected name (in global configuration mode)

    no crypto ca trusted-root

    crypto key zeroize rsa : to delete all RSA keys from your router (in global configuration mode)

    enrollment mode ra : to turn on registration authority mode (in ca-identity configuration mode)

    no enrollment mode ra

    enrollment retry count : to specify how many times a router will resend a certificate request (in ca-identity configuration mode)

    no enrollment retry count

    enrollment retry period : to specify the wait period between certificate request retries (in ca-identity configuration mode)

    no enrollment retry period

    enrollment url : to specify the certification authority location by naming the CA's URL (in ca-identity configuration mode)

    no enrollment url

    query url

    no query url

    root CEP : to define the Simple Certificate Enrollment Protocol (SCEP), which gets the root certificate of a given certification authority (in trusted root configuration mode)

    root PROXY : to define the Hypertext Transfer Protocol proxy server for getting the root certificate (in trusted root configuration mode)

    root TFTP : to define the TFTP protocol, which gets the root certificate of a given certification authority (in trusted root configuration mode)

    show crypto ca certificates : to view information about your certificate, the certification authority certificate, and any registration authority certificates (in EXEC mode)

    show crypto ca crls : to display the current certificate revocation list (CRL) on the router (in EXEC mode)

    show crypto ca roots : to display the roots configured in the router (in EXEC mode)

    Internet Key Exchange Security Protocol Commands

    address : to specify the IP address of the remote peer's RSA public key you will manually configure (in public key configuration mode)

    addressed-key : to specify which peer's RSA public key you will manually configure (in public key chain configuration mode)

    authentication : to specify the authentication method within an Internet Key Exchange policy (in ISAKMP policy configuration mode)

    no authentication

    clear crypto isakmp : to clear active Internet Key Exchange connections (in EXEC mode)

    crypto isakmp client configuration address-pool local : to configure the IP address local pool to reference Internet Key Exchange on your router (in global configuration mode)

    no crypto isakmp client configuration address-pool local

    crypto isakmp enable : to globally enable Internet Key Exchange at your peer router (in global configuration mode)

    no crypto isakmp enable

    crypto isakmp identity : to define the identity used by the router when participating in the Internet Key Exchange protocol (in global configuration mode)

    no crypto isakmp identity

    crypto isakmp keepalive : to send Internet Key Exchange (IKE) keepalive messages from one router to another router (in global configuration mode)

    no crypto isakmp keepalive

    crypto isakmp key : to configure a preshared authentication key (in global configuration mode)

    no crypto isakmp key

    crypto isakmp policy : to define an Internet Key Exchange policy (in global configuration mode)

    no crypto isakmp policy

    crypto key generate rsa : to generate Rivest, Shamir, and Adleman (RSA) key pairs (in global configuration mode)

    crypto key pubkey-chain rsa : to enter public key configuration mode (so you can manually specify other devices' RSA public keys) (in global configuration mode)

    crypto map client authentication list : to configure Internet Key Exchange extended authentication(Xauth) on your router (in global configuration mode)

    no crypto map client authentication list

    crypto map client configuration address : to configure IKE Mode Configuration on your router (in global configuration mode)

    no crypto map client configuration address

    crypto map isakmp authorization list : to enable Internet Key Exchange (IKE) querying of authentication, authorization, and accounting (AAA) for tunnel attributes in aggressive mode (in global configuration mode)

    no crypto map isakmp authorization list

    encryption : to specify the encryption algorithm within an Internet Key Exchange policy (in ISAKMP policy configuration mode)

    no encryption

    group : to specify the Diffie-Hellman group identifier within an Internet Key Exchange policy (in ISAKMP policy configuration mode)

    no group

    hash : to specify the hash algorithm within an Internet Key Exchange policy (in ISAKMP policy configuration mode)

    no hash

    key-string : to manually specify a remote peer's RSA public key (in public key configuration mode)

    lifetime : to specify the lifetime of an Internet Key Exchange security association(SA) (in Internet Security Association Key Management Protocol policy configuration mode)

    no lifetime

    named-key : to specify which peer's RSA public key you will manually configure (in public key chain configuration mode)

    show crypto isakmp policy : to view the parameters for each Internet Key Exchange policy (in EXEC mode)

    show crypto isakmp sa : to view all current Internet Key Exchange security associations (SAs) at a peer (in EXEC mode)

    show crypto key mypubkey rsa : to view the RSA public keys of your router (in EXEC mode)

    show crypto key pubkey-chain rsa : to view peers' RSA public keys stored on your router (in EXEC mode)

    Other Security Features

    Passwords and Privileges Commands

    enable password : to set a local password to control access to various privilege levels (in global configuration mode)

    no enable password

    enable secret : to specify an additional layer of security over the enable password command (in global configuration mode)

    no enable secret

    password : to specify a password on a line (in line configuration mode)

    no password

    privilege : to configure a new privilege level for users and associate commands with that privilege level (in global configuration mode)

    no privilege

    privilege level : to set the default privilege level for a line (in line configuration mode)

    no privilege level

    service password-encryption : to encrypt passwords (in global configuration mode)

    no service password-encryption

    show privilege : to display your current level of privilege (in EXEC mode)

    username : to establish a username-based authentication system (in global configuration mode)

    IP Security Options Commands

    dnsix-dmdp retries : to set the retransmit count used by the Department of Defense Intelligence Information System Network Security for Information Exchange (DNSIX) Message Delivery Protocol (DMDP) (in global configuration mode)

    no dnsix-dmdp retries

    dnsix-nat authorized-redirection : to specify the address of a collection center that is authorized to change the primary and secondary address of the host to receive audit messages (in global configuration mode)

    no dnsix-nat authorized-redirection

    dnsix-nat primary : to specify the IP address of the host to which Department of Defense Intelligence Information System Network Security for Information Exchange (DNSIX) audit messages are sent (in global configuration mode)

    no dnsix-nat primary

    dnsix-nat secondary : to specify an alternate IP address for the host to which Department of Defense Intelligence Information System Network Security for Information Exchange (DNSIX) audit messages are sent (in global configuration mode)

    no dnsix-nat secondary

    dnsix-nat source : to start the audit-writing module and to define the audit trail source address (in global configuration mode)

    no dnsix-nat source

    dnsix-nat transmit-count : to have the audit writing module collect multiple audit messages in the buffer before sending the messages to a collection center (in global configuration mode)

    no dnsix-nat transmit-count

    ip security add : to add a basic security option to all outgoing packets (in interface configuration mode)

    no ip security add

    ip security aeso : to attach Auxiliary Extended Security Options (AESOs) to an interface (in interface configuration mode)

    no ip security aeso

    ip security dedicated : to set the level of classification and authority on the interface (in interface configuration mode)

    no ip security dedicated

    ip security eso-info : to configure system-wide defaults for extended IP Security Option (IPSO) information (in global configuration mode)

    no ip security eso-info

    ip security eso-max : to specify the maximum sensitivity level for an interface (in interface configuration mode)

    no ip security eso-max

    ip security eso-min : to configure the minimum sensitivity for an interface (in interface configuration mode)

    no ip security eso-min

    ip security extended-allowed : to accept packets on an interface that has an extended security option present (in interface configuration mode)

    no ip security extended-allowed

    ip security first : to prioritize the presence of security options on a packet (in interface configuration mode)

    no ip security first

    ip security ignore-authorities : to have the Cisco IOS software ignore the authorities field of all incoming packets (in interface configuration mode)

    no ip security ignore-authorities

    ip security implicit-labelling : to force the Cisco IOS software to accept packets on the interface, even if they do not include a security option (in interface configuration mode)

    no ip security implicit-labelling

    ip security multilevel : to set the range of classifications and authorities on an interface (in interface configuration mode)

    no ip security multilevel

    ip security reserved-allowed : to treat as valid any packets that have Reserved1 through Reserved4 security levels (in interface configuration mode)

    no ip security reserved-allowed

    ip security strip : to remove any basic security option on outgoing packets on an interface (in interface configuration mode)

    no ip security strip

    show dnsix : to display state information and the current configuration of the DNSIX audit writing module (in privileged EXEC mode)

    Unicast Reverse Path Forwarding Commands

    ip verify unicast reverse-path : to enable Unicast Reverse Path Forwarding (Unicast RPF) (in interface configuration mode)

    no ip verify unicast reverse-path

    Secure Shell Commands

    disconnect ssh : to terminate a Secure Shell (SSH) connection on your router (in privileged EXEC mode)

    ip ssh : to configure Secure Shell (SSH) control parameters on your router (in global configuration mode)

    no ip ssh

    show ip ssh : to display the version and configuration data for Secure Shell (SSH) (in privileged EXEC mode)

    show ssh : to display the status of Secure Shell (SSH) server connections (in privileged EXEC mode)

    ssh : to start an encrypted session with a remote networking device (in EXEC mode)

  • Original article: https://www.cnblogs.com/jilili/p/4280334.html