Cisco Encryption Technology Commands

This chapter explains the function and syntax of the Cisco Encryption Technology commands. For more information about defaults and usage guidelines, see the corresponding chapter of the Cisco IOS Security Command Reference, Release 12.1.

access-list (encryption)

To define an encryption access list by number, use the extended IP access-list (encryption) command in global configuration mode. Use the no form of this command to remove a numbered encryption access list.

access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} protocol source source-wildcard destination destination-wildcard [log]

no access-list access-list-number

For Internet Control Message Protocol (ICMP), you can also use the following syntax:

access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} icmp source source-wildcard destination destination-wildcard [icmp-type [icmp-code] | icmp-message] [log]

For Internet Group Management Protocol (IGMP), you can also use the following syntax:

access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} igmp source source-wildcard destination destination-wildcard [igmp-type] [log]

For TCP, you can also use the following syntax:

access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} tcp source source-wildcard [operator port [port]] destination destination-wildcard [operator port [port]] [established] [log]

For User Datagram Protocol (UDP), you can also use the following syntax:

access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} udp source source-wildcard [operator port [port]] destination destination-wildcard [operator port [port]] [log]

Syntax Description

access-list-number

Number of an encryption access list. This is a decimal number from 100 to 199.

dynamic dynamic-name

(Optional) Identifies this encryption access list as a dynamic encryption access list. Refer to lock-and-key access documented in the "Configuring Lock-and-Key Security (Dynamic Access Lists)" chapter in the Cisco IOS Security Configuration Guide.

timeout minutes

(Optional) Specifies the absolute length of time (in minutes) that a temporary access list entry can remain in a dynamic access list. The default is an infinite length of time and allows an entry to remain permanently. Refer to lock-and-key access documented in the "Configuring Lock-and-Key Security (Dynamic Access Lists)" chapter in the Cisco IOS Security Configuration Guide.

deny

Does not encrypt/decrypt IP traffic if the conditions are matched.

permit

Encrypts/decrypts IP traffic if the conditions are matched.

protocol

Name or number of an IP protocol. It can be one of the keywords eigrp, gre, icmp, igmp, igrp, ip, ipinip, nos, ospf, tcp, or udp, or an integer in the range 0 to 255 representing an IP protocol number. To match any Internet protocol, including ICMP, TCP, and UDP, use the keyword ip. Some protocols allow further qualifiers, as described in text that follows.

source

Number of the network or host from which the packet is being sent. There are three alternative ways to specify the source:

  • Use a 32-bit quantity in four-part, dotted-decimal format.

  • Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255. This keyword is normally not recommended.

  • Use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.

source-wildcard

Wildcard bits (mask) to be applied to the source. There are three alternative ways to specify the source wildcard:

  • Use a 32-bit quantity in four-part, dotted-decimal format. Place ones in the bit positions you want to ignore.

  • Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255. This keyword is normally not recommended.

  • Use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.

destination

Number of the network or host to which the packet is being sent. There are three alternative ways to specify the destination:

  • Use a 32-bit quantity in four-part, dotted-decimal format.

  • Use the keyword any as an abbreviation for the destination and destination-wildcard of 0.0.0.0 255.255.255.255. This keyword is normally not recommended.

  • Use host destination as an abbreviation for a destination and destination-wildcard of destination 0.0.0.0.

destination-wildcard

Wildcard bits to be applied to the destination. There are three alternative ways to specify the destination wildcard:

  • Use a 32-bit quantity in four-part, dotted-decimal format. Place ones in the bit positions you want to ignore.

  • Use the keyword any as an abbreviation for a destination and destination-wildcard of 0.0.0.0 255.255.255.255. This keyword is normally not recommended.

  • Use host destination as an abbreviation for a destination and destination-wildcard of destination 0.0.0.0.

icmp-type

(Optional) ICMP packets can be matched for encryption by ICMP message type. The type is a number from 0 to 255.

icmp-code

(Optional) ICMP packets that are matched for encryption by ICMP message type can also be matched by the ICMP message code. The code is a number from 0 to 255.

icmp-message

(Optional) ICMP packets can be matched for encryption by an ICMP message type name or ICMP message type and code name.

igmp-type

(Optional) IGMP packets can be matched for encryption by IGMP message type or message name. A message type is a number from 0 to 15.

operator

(Optional) Compares source or destination ports. Possible operands include lt (less than), gt (greater than), eq (equal), neq (not equal), and range (inclusive range).

If the operator is positioned after the source and source-wildcard, it must match the source port.

If the operator is positioned after the destination and destination-wildcard, it must match the destination port.

The range operator requires two port numbers. All other operators require one port number.

port

(Optional) The decimal number or name of a TCP or UDP port. A port number is a number from 0 to 65535.

TCP port names can be used only when filtering TCP.

UDP port names can be used only when filtering UDP.

established

(Optional) For the TCP protocol only: Indicates an established connection. A match occurs if the TCP datagram has the ACK or RST bits set. The nonmatching case is that of the initial TCP datagram to form a connection.

log

(Optional) Causes an informational logging message about the packet that matches the entry to be sent to the console. (The level of messages logged to the console is controlled by the logging console command.)

The message includes the access list number, whether the packet was encrypted/decrypted or not; the protocol, whether it was TCP, UDP, ICMP, or a number; and, if appropriate, the source and destination addresses and source and destination port numbers. The message is generated for the first packet that matches, and then at 5-minute intervals, including the number of packets encrypted/decrypted or not in the prior 5-minute interval.

clear crypto connection

To terminate an encrypted session in progress, use the clear crypto connection command in global configuration mode.

clear crypto connection connection-id [slot | rsm | vip]

Syntax Description

connection-id

Identifies the encrypted session to terminate.

slot

(Optional) Identifies the crypto engine. This argument is available only on Cisco 7200, RSP7000, and 7500 series routers.

If no slot is specified, the Cisco IOS crypto engine will be selected.

Use the chassis slot number of the crypto engine location. For the Cisco IOS crypto engine, this is the chassis slot number of the Route Switch Processor (RSP). For the VIP2 crypto engine, this is the chassis slot number of the VIP2. For the ESA crypto engine, this is the chassis slot number of the ESA (Cisco 7200) or of the VIP2 (Cisco RSP7000 and 7500).

rsm

(Optional) This keyword is only available on the Cisco Catalyst 5000 series switch. It identifies the Route Switch Module on the Cisco Catalyst 5000 series switch.

vip

(Optional) This keyword is only available on the Cisco Catalyst 5000 series switch. It identifies the Versatile Interface Processor on the Cisco Catalyst 5000 series switch.

crypto algorithm 40-bit-des

The crypto cisco algorithm 40-bit-des command replaces this command. See the description of the crypto cisco algorithm 40-bit-des command in this chapter for more information.

crypto algorithm des

The crypto cisco algorithm des command replaces this command. See the description of the crypto cisco algorithm des command in this chapter for more information.

crypto card

To enable (select) either the ESA crypto engine or the Cisco IOS crypto engine in Cisco 7200 series routers, use the crypto card command in global configuration mode.

crypto card {enable | shutdown} slot

Syntax Description

enable

Selects the ESA crypto engine by enabling the ESA.

shutdown

Selects the Cisco IOS crypto engine by shutting down the ESA.

slot

ESA chassis slot number.

crypto card clear-latch

To reset an Encryption Service Adapter (ESA), use the crypto card clear-latch command in global configuration mode. This command resets the ESA by clearing a hardware extraction latch that is set when an ESA is removed and reinstalled in the chassis.

crypto card clear-latch {slot | vip}

Syntax Description

slot

Identifies the ESA to reset. This argument is available only on Cisco 7200, RSP7000, and 7500 series routers.

On a Cisco 7200 series router, this is the ESA chassis slot number. On a Cisco RSP7000 or 7500 series router, this is the chassis slot number of the ESA's second-generation Versatile Interface Processor (VIP2).

vip

This keyword is only available on the Cisco Catalyst 5000 series switch. It identifies the Versatile Interface Processor on the Cisco Catalyst 5000 series switch.

crypto cisco algorithm 40-bit-des

To globally enable 40-bit Data Encryption Standard (DES) algorithm types, use the crypto cisco algorithm 40-bit-des command in global configuration mode. Use the no form of this command to globally disable a 40-bit DES algorithm type.

crypto cisco algorithm 40-bit-des [cfb-8 | cfb-64]

no crypto cisco algorithm 40-bit-des [cfb-8 | cfb-64]

Syntax Description

cfb-8

(Optional) Selects the 8-bit Cipher FeedBack (CFB) mode of the 40-bit DES algorithm. If no CFB mode is specified when you issue the command, 64-bit CFB mode is the default.

cfb-64

(Optional) Selects the 64-bit CFB mode of the 40-bit DES algorithm. If no CFB mode is specified when you issue the command, 64-bit CFB mode is the default.

crypto cisco algorithm des

To globally enable Data Encryption Standard (DES) algorithm types that use a 56-bit DES key, use the crypto cisco algorithm des command in global configuration mode. Use the no form of this command to globally disable a DES algorithm type.

crypto cisco algorithm des [cfb-8 | cfb-64]

no crypto cisco algorithm des [cfb-8 | cfb-64]

Syntax Description

cfb-8

(Optional) Selects the 8-bit Cipher FeedBack (CFB) mode of the basic DES algorithm. If no CFB mode is specified when you issue the command, 64-bit CFB mode is the default.

cfb-64

(Optional) Selects the 64-bit CFB mode of the basic DES algorithm. If no CFB mode is specified when you issue the command, 64-bit CFB mode is the default.

crypto cisco connections

To change the maximum number of destinations (hosts or subnets) per source that you can define in encryption access list statements, use the crypto cisco connections command in global configuration mode. Use the no form of the command to restore the default.

crypto cisco connections number

no crypto cisco connections [number]

Syntax Description

number

Specifies the maximum number of destinations per source. Use a value from 3 to 500.

This argument is not required when using the no form of the command.

crypto cisco entities

To change the maximum number of sources (hosts or subnets) that you can define in encryption access list statements, use the crypto cisco entities command in global configuration mode. Use the no form of the command to restore the default.

crypto cisco entities number

no crypto cisco entities [number]

Syntax Description

number

Specifies the maximum number of sources. Use a value from 3 to 500.

This argument is not required when using the no form of the command.

crypto cisco key-timeout

To specify the duration of encrypted sessions, use the crypto cisco key-timeout command in global configuration mode. Use the no form to restore the duration of encrypted sessions to the default of 30 minutes.

crypto cisco key-timeout minutes

no crypto cisco key-timeout minutes

Syntax Description

minutes

Specifies the duration of encrypted sessions, as an integer from 1 to 1440 minutes (24 hours) in 1-minute increments.

When the no form of the command is used, this argument is optional. Any value supplied for the argument is ignored by the router.

crypto cisco pregen-dh-pairs

To enable pregeneration of Diffie-Hellman (DH) public numbers, use the crypto cisco pregen-dh-pairs command in global configuration mode. Use the no form to disable pregeneration of DH public numbers for all crypto engines.

crypto cisco pregen-dh-pairs count [slot | rsm | vip]

no crypto cisco pregen-dh-pairs

Syntax Description

count

Specifies how many DH public numbers to pregenerate and hold in reserve. Specified by an integer from 0 to 10.

slot

(Optional) Identifies the crypto engine. This argument is available only on Cisco 7200, RSP7000, and 7500 series routers.

If no slot is specified, the Cisco IOS crypto engine will be selected.

Use the chassis slot number of the crypto engine location. For the Cisco IOS crypto engine, this is the chassis slot number of the Route Switch Processor (RSP). For the VIP2 crypto engine, this is the chassis slot number of the VIP2. For the ESA crypto engine, this is the chassis slot number of the ESA (Cisco 7200) or of the VIP2 (Cisco RSP7000 and 7500).

rsm

(Optional) This keyword is only available on the Cisco Catalyst 5000 series switch. It identifies the Route Switch Module on the Cisco Catalyst 5000 series switch.

vip

(Optional) This keyword is only available on the Cisco Catalyst 5000 series switch. It identifies the Versatile Interface Processor on the Cisco Catalyst 5000 series switch.

crypto clear-latch

The crypto card clear-latch command replaces this command. See the description of the crypto card clear-latch command in this chapter for more information.

crypto esa

The crypto card command replaces this command. See the description of the crypto card command in this chapter for more information.

crypto gen-signature-keys

The crypto key generate dss command replaces this command. See the description of the crypto key generate dss command in this chapter for more information.

crypto key-exchange

The crypto key exchange dss command replaces this command. See the description of the crypto key exchange dss command in this chapter for more information.

crypto key exchange dss

To exchange Digital Signature Standard (DSS) public keys, the administrator of the peer encrypting router that is designated ACTIVE must use the crypto key exchange dss command in global configuration mode.

crypto key exchange dss ip-address key-name [tcp-port]

Syntax Description

ip-address

IP address of the peer router (designated PASSIVE) participating with you in the key exchange.

key-name

Identifies the crypto engine: either the Cisco IOS crypto engine, a second-generation Versatile Interface Processor (VIP2) crypto engine, or an Encryption Service Adapter (ESA) crypto engine. This name must match the key-name argument assigned when you generated DSS keys using the crypto key generate dss command.

tcp-port

(Optional) Cisco IOS software uses the unassigned TCP port number 1964 to designate a key exchange. (TCP port number 1964 has not been preassigned by the Internet Engineering Task Force [IETF].) You may use this optional argument to select a different number to designate a key exchange if your system already uses port number 1964 for a different purpose. If this argument is used, you must use the same value as the PASSIVE router's tcp-port value.

crypto key exchange dss passive

To enable an exchange of Digital Signature Standard (DSS) public keys, the administrator of the peer encrypting router that is designated PASSIVE must use the crypto key exchange dss passive command in global configuration mode.

crypto key exchange dss passive [tcp-port]

Syntax Description

tcp-port

(Optional) Cisco IOS software uses the unassigned TCP port number 1964 to designate a key exchange. (TCP port number 1964 has not been preassigned by the Internet Engineering Task Force [IETF].) You may use this optional argument to select a different number to designate a key exchange if your system already uses port number 1964 for a different purpose. If this argument is used, you must use the same value as the ACTIVE router's tcp-port value.

crypto key-exchange passive

The crypto key exchange dss passive command replaces this command. See the description of the crypto key exchange dss passive command in this chapter for more information.

crypto key generate dss

To generate a Digital Signature Standard (DSS) public/private key pair, use the crypto key generate dss command in global configuration mode.

crypto key generate dss key-name [slot | rsm | vip]

Syntax Description

key-name

A name you assign to the crypto engine. This will name either the Cisco IOS crypto engine, a second-generation Versatile Interface Processor (VIP2) crypto engine, or an Encryption Service Adapter (ESA) crypto engine. Any character string is valid. Using a fully qualified domain name might make it easier to identify public keys.

slot

(Optional) Identifies the crypto engine. This argument is available only on Cisco 7200, RSP7000, and 7500 series routers.

If no slot is specified, the Cisco IOS crypto engine will be selected.

Use the chassis slot number of the crypto engine location. For the Cisco IOS crypto engine, this is the chassis slot number of the Route Switch Processor (RSP). For the VIP2 crypto engine, this is the chassis slot number of the VIP2. For the ESA crypto engine, this is the chassis slot number of the ESA (Cisco 7200) or of the VIP2 (Cisco RSP7000 and 7500).

rsm

(Optional) This keyword is only available on the Cisco Catalyst 5000 series switch. Identifies the Route Switch Module on the Cisco Catalyst 5000 series switch.

vip

(Optional) This keyword is only available on the Cisco Catalyst 5000 series switch. Identifies the Versatile Interface Processor on the Cisco Catalyst 5000 series switch.

crypto key pubkey-chain dss

To manually specify the Digital Signature Standard (DSS) public key of a peer encrypting router, use the crypto key pubkey-chain dss command in global configuration mode. Use the no form of this command to delete the DSS public key of a peer encrypting router.

crypto key pubkey-chain dss

no crypto key pubkey-chain dss

Syntax Description

This command has no arguments or keywords.

crypto key-timeout

The crypto cisco key-timeout command replaces this command. See the description of the crypto cisco key-timeout command in this chapter for more information.

crypto key zeroize dss

To delete the Digital Signature Standard (DSS) public/private key pair of a crypto engine, use the crypto key zeroize dss command in global configuration mode.

crypto key zeroize dss [slot | rsm | vip]

Caution: DSS keys cannot be recovered after they have been removed. Use this command only after careful consideration.

Syntax Description

slot

(Optional) Identifies the crypto engine. This argument is available only on Cisco 7200, RSP7000, and 7500 series routers.

If no slot is specified, the Cisco IOS crypto engine will be selected.

Use the chassis slot number of the crypto engine location. For the Cisco IOS crypto engine, this is the chassis slot number of the Route Switch Processor (RSP). For the VIP2 crypto engine, this is the chassis slot number of the VIP2. For the ESA crypto engine, this is the chassis slot number of the ESA (Cisco 7200) or of the VIP2 (Cisco RSP7000 and 7500).

rsm

(Optional) This keyword is only available on the Cisco Catalyst 5000 series switch. It identifies the Route Switch Module on the Cisco Catalyst 5000 series switch.

vip

(Optional) This keyword is only available on the Cisco Catalyst 5000 series switch. It identifies the Versatile Interface Processor on the Cisco Catalyst 5000 series switch.

crypto map (CET global)

To create or modify a crypto map entry and enter the crypto map configuration mode, use the crypto map command in global configuration mode. Use the no form of this command to delete a crypto map entry or set.

crypto map map-name seq-num [cisco]

no crypto map map-name [seq-num]

Note: Issue the crypto map map-name seq-num command without a keyword to modify an existing crypto map entry.

Syntax Description

map-name

Name you assign to the crypto map set.

seq-num

Number you assign to the crypto map entry.

cisco

(Default value) Indicates that CET will be used instead of IPSec for protecting the traffic specified by this crypto map entry. If you use this keyword, none of the IPSec-specific crypto map configuration commands will be available. Instead, the CET-specific commands will be available.

crypto map (CET interface)

To apply a previously defined crypto map to an interface, use the crypto map command in interface configuration mode. Use the no form of the command to eliminate the crypto map from the interface.

crypto map map-name

no crypto map [map-name]

Syntax Description

map-name

The name that identifies the crypto map. This is the name assigned when the crypto map was created.

When the no form of the command is used, this argument is optional. Any value supplied for the argument is ignored.

crypto pregen-dh-pairs

The crypto cisco pregen-dh-pairs command replaces this command. See the description of the crypto cisco pregen-dh-pairs command in this chapter for more information.

crypto public-key

The crypto key pubkey-chain dss command replaces this command. See the description of the crypto key pubkey-chain dss command in this chapter for more information.

crypto sdu connections

The crypto cisco connections command replaces this command. See the description of the crypto cisco connections command in this chapter for more information.

crypto sdu entities

The crypto cisco entities command replaces this command. See the description of the crypto cisco entities command in this chapter for more information.

crypto zeroize

The crypto key zeroize dss command replaces this command. See the description of the crypto key zeroize dss command in this chapter for more information.

deny (CET)

To set conditions for a named encryption access list, use the deny command in access-list configuration mode. The deny command prevents IP traffic from being encrypted/decrypted if the conditions are matched. Use the no form of this command to remove a deny condition from an encryption access list.

deny source [source-wildcard]

no deny source [source-wildcard]

deny protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [log]

no deny protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [log]

For ICMP, you can also use the following syntax:

deny icmp source source-wildcard destination destination-wildcard [icmp-type [icmp-code] | icmp-message] [precedence precedence] [tos tos] [log]

For IGMP, you can also use the following syntax:

deny igmp source source-wildcard destination destination-wildcard [igmp-type] [precedence precedence] [tos tos] [log]

For TCP, you can also use the following syntax:

deny tcp source source-wildcard [operator port [port]] destination destination-wildcard [operator port [port]] [established] [precedence precedence] [tos tos] [log]

For UDP, you can also use the following syntax:

deny udp source source-wildcard [operator port [port]] destination destination-wildcard [operator port [port]] [precedence precedence] [tos tos] [log]

Syntax Description

source

Number of the network or host from which the packet is being sent. There are two alternative ways to specify the source:

  • Use a 32-bit quantity in four-part, dotted-decimal format.

  • Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255. This keyword is normally not recommended.

source-wildcard

(Optional) Wildcard bits to be applied to the source. There are two alternative ways to specify the source wildcard:

  • Use a 32-bit quantity in four-part, dotted-decimal format. Place ones in the bit positions you want to ignore.

  • Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255. This keyword is normally not recommended.

protocol

Name or number of an IP protocol. It can be one of the keywords eigrp, gre, icmp, igmp, igrp, ip, ipinip, nos, ospf, tcp, or udp, or an integer in the range 0 through 255 representing an IP protocol number. To match any Internet protocol (including ICMP, TCP, and UDP), use the keyword ip. Some protocols allow further qualifiers described later.

source

Number of the network or host from which the packet is being sent. There are three alternative ways to specify the source:

  • Use a 32-bit quantity in four-part, dotted-decimal format.

  • Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255. This keyword is normally not recommended.

  • Use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.

source-wildcard

Wildcard bits to be applied to source. There are three alternative ways to specify the source wildcard:

  • Use a 32-bit quantity in four-part, dotted-decimal format. Place ones in the bit positions you want to ignore.

  • Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255. This keyword is normally not recommended.

  • Use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.

destination

Number of the network or host to which the packet is being sent. There are three alternative ways to specify the destination:

  • Use a 32-bit quantity in four-part, dotted-decimal format.

  • Use the keyword any as an abbreviation for the destination and destination-wildcard of 0.0.0.0 255.255.255.255. This keyword is normally not recommended.

  • Use host destination as an abbreviation for a destination and destination-wildcard of destination 0.0.0.0.

destination-wildcard

Wildcard bits to be applied to the destination. There are three alternative ways to specify the destination wildcard:

  • Use a 32-bit quantity in four-part, dotted-decimal format. Place ones in the bit positions you want to ignore.

  • Use the keyword any as an abbreviation for a destination and destination-wildcard of 0.0.0.0 255.255.255.255. This keyword is normally not recommended.

  • Use host destination as an abbreviation for a destination and destination-wildcard of destination 0.0.0.0.

precedence precedence

(Optional) Packets can be matched for encryption by precedence level, as specified by a number from 0 to 7 or by name.

tos tos

(Optional) Packets can be matched for encryption by type of service level, as specified by a number from 0 to 15 or by name.

icmp-type

(Optional) ICMP packets can be matched for encryption by ICMP message type. The type is a number from 0 to 255.

icmp-code

(Optional) ICMP packets which are matched for encryption by ICMP message type can also be matched by the ICMP message code. The code is a number from 0 to 255.

icmp-message

(Optional) ICMP packets can be matched for encryption by an ICMP message type name or ICMP message type and code name.

igmp-type

(Optional) IGMP packets can be matched for encryption by IGMP message type or message name. A message type is a number from 0 to 15.

operator

(Optional) Compares source or destination ports. Possible operands include lt (less than), gt (greater than), eq (equal), neq (not equal), and range (inclusive range).

If the operator is positioned after the source and source-wildcard, it must match the source port.

If the operator is positioned after the destination and destination-wildcard, it must match the destination port.

The range operator requires two port numbers. All other operators require one port number.

port

(Optional) The decimal number or name of a TCP or UDP port. A port number is a number from 0 to 65535. TCP port names can be used only when filtering TCP. UDP port names can be used only when filtering UDP.

established

(Optional) For the TCP protocol only: Indicates an established connection. A match occurs if the TCP datagram has the ACK or RST bits set. The nonmatching case is that of the initial TCP datagram to form a connection.

log

(Optional) Causes an informational logging message about the packet that matches the entry to be sent to the console. (The level of messages logged to the console is controlled by the logging console command.)

The message includes the access list number, whether the packet was permitted or denied; the protocol, whether it was TCP, UDP, ICMP or a number; and, if appropriate, the source and destination addresses and source and destination port numbers. The message is generated for the first packet that matches, and then at 5-minute intervals, including the number of packets permitted or denied in the prior 5-minute interval.

ip access-list extended (encryption)

To define an encryption access list by name, use the ip access-list extended command in global configuration mode. Use the no form of this command to remove a named encryption access list.

ip access-list extended name

no ip access-list extended name

Syntax Description

name

Name of the encryption access list. Names cannot contain a space or quotation mark and must begin with an alphabetic character to prevent ambiguity with numbered access lists.

match address (CET)

To specify an extended access list for a crypto map entry, use the match address command in crypto map configuration mode. Use the no form of this command to remove the extended access list from a crypto map entry.

match address [access-list-id | name]

no match address [access-list-id | name]

Syntax Description

access-list-id

(Optional) Identifies the extended access list by its name or number. This value should match the access-list-number or name argument of the extended access list being matched.

name

(Optional) Identifies the named encryption access list. This name should match the name argument of the named encryption access list being matched. Named access lists do not work on VIP interfaces.

permit

To set conditions for a named encryption access list, use the permit command in access-list configuration mode. The permit command causes IP traffic to be encrypted/decrypted if the conditions are matched. Use the no form of this command to remove a permit condition from an encryption access list.

permit source [source-wildcard]

no permit source [source-wildcard]

permit protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [log]

no permit protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [log]

For ICMP, you can also use the following syntax:

permit icmp source source-wildcard destination destination-wildcard [icmp-type [icmp-code] | icmp-message] [precedence precedence] [tos tos] [log]

For IGMP, you can also use the following syntax:

permit igmp source source-wildcard destination destination-wildcard [igmp-type] [precedence precedence] [tos tos] [log]

For TCP, you can also use the following syntax:

permit tcp source source-wildcard [operator port [port]] destination destination-wildcard [operator port [port]] [established] [precedence precedence] [tos tos] [log]

For UDP, you can also use the following syntax:

permit udp source source-wildcard [operator port [port]] destination destination-wildcard [operator port [port]] [precedence precedence] [tos tos] [log]

Syntax Description

source

Number of the network or host from which the packet is being sent. There are two alternative ways to specify the source:

  • Use a 32-bit quantity in four-part, dotted-decimal format.

  • Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255. This keyword is normally not recommended.

source-wildcard

(Optional) Wildcard bits to be applied to the source. There are two alternative ways to specify the source wildcard:

  • Use a 32-bit quantity in four-part, dotted-decimal format. Place ones in the bit positions you want to ignore.

  • Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255. This keyword is normally not recommended.

protocol

Name or number of an IP protocol. It can be one of the keywords eigrp, gre, icmp, igmp, igrp, ip, ipinip, nos, ospf, tcp, or udp, or an integer in the range 0 through 255 representing an IP protocol number. To match any Internet protocol (including ICMP, TCP, and UDP), use the keyword ip. Some protocols allow further qualifiers described later.

source

Number of the network or host from which the packet is being sent. There are three alternative ways to specify the source:

  • Use a 32-bit quantity in four-part, dotted-decimal format.

  • Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255. This keyword is normally not recommended.

  • Use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.

source-wildcard

Wildcard bits to be applied to source. There are three alternative ways to specify the source wildcard:

  • Use a 32-bit quantity in four-part, dotted-decimal format. Place ones in the bit positions you want to ignore.

  • Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255. This keyword is normally not recommended.

  • Use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.

destination

Number of the network or host to which the packet is being sent. There are three alternative ways to specify the destination:

  • Use a 32-bit quantity in four-part, dotted-decimal format.

  • Use the keyword any as an abbreviation for the destination and destination-wildcard of 0.0.0.0 255.255.255.255. This keyword is normally not recommended (see the section "Usage Guidelines").

  • Use host destination as an abbreviation for a destination and destination-wildcard of destination 0.0.0.0.

destination-wildcard

Wildcard bits to be applied to the destination. There are three alternative ways to specify the destination wildcard:

  • Use a 32-bit quantity in four-part, dotted-decimal format. Place ones in the bit positions you want to ignore.

  • Use the keyword any as an abbreviation for a destination and destination-wildcard of 0.0.0.0 255.255.255.255. This keyword is normally not recommended.

  • Use host destination as an abbreviation for a destination and destination-wildcard of destination 0.0.0.0.

precedence precedence

(Optional) Packets can be matched for encryption by precedence level, as specified by a number from 0 to 7 or by name.

tos tos

(Optional) Packets can be matched for encryption by type of service level, as specified by a number from 0 to 15 or by name.

icmp-type

(Optional) ICMP packets can be matched for encryption by ICMP message type. The type is a number from 0 to 255.

icmp-code

(Optional) ICMP packets which are matched for encryption by ICMP message type can also be matched by the ICMP message code. The code is a number from 0 to 255.

icmp-message

(Optional) ICMP packets can be matched for encryption by an ICMP message type name or ICMP message type and code name.

igmp-type

(Optional) IGMP packets can be matched for encryption by IGMP message type or message name. A message type is a number from 0 to 15.

operator

(Optional) Compares source or destination ports. Possible operands include lt (less than), gt (greater than), eq (equal), neq (not equal), and range (inclusive range).

If the operator is positioned after the source and source-wildcard, it must match the source port.

If the operator is positioned after the destination and destination-wildcard, it must match the destination port.

The range operator requires two port numbers. All other operators require one port number.

port

(Optional) The decimal number or name of a TCP or UDP port. A port number is a number from 0 to 65535. TCP port names can only be used when filtering TCP. UDP port names can only be used when filtering UDP.

established

(Optional) For the TCP protocol only: Indicates an established connection. A match occurs if the TCP datagram has the ACK or RST bits set. The nonmatching case is that of the initial TCP datagram to form a connection.

log

(Optional) Causes an informational logging message about the packet that matches the entry to be sent to the console. (The level of messages logged to the console is controlled by the logging console command.)

The message includes the access list number, whether the packet was permitted or denied; the protocol, whether it was TCP, UDP, ICMP or a number; and, if appropriate, the source and destination addresses and source and destination port numbers. The message is generated for the first packet that matches, and then at 5-minute intervals, including the number of packets permitted or denied in the prior 5-minute interval.
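As an added example, not code from the Cisco documentation, the following Python parses the permit form described above and evaluates a packet against it: the wildcard rule (a one bit in the wildcard means ignore that bit), the host and any abbreviations, the lt/gt/eq/neq/range port operators for TCP and UDP, and the established test for the ACK or RST bit. The permit lines and packet fields it is fed are constructed samples, and the function names are assumptions of this example.

```python
import ipaddress

def addr_matches(packet_addr, base, wildcard):
    """Wildcard rule from the page: a 1 bit in the wildcard is a bit to ignore."""
    p, b, w = (int(ipaddress.IPv4Address(a)) for a in (packet_addr, base, wildcard))
    return (p & ~w) == (b & ~w)

def _addr_spec(tok, i):
    """Consume 'any', 'host A' or 'A W'; return ((address, wildcard), next index)."""
    if tok[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tok[i] == "host":
        return (tok[i + 1], "0.0.0.0"), i + 2
    return (tok[i], tok[i + 1]), i + 2

def _port_spec(tok, i, proto):
    """Consume an optional port operator (TCP/UDP only); range takes two ports."""
    if proto in ("tcp", "udp") and i < len(tok) and tok[i] in ("lt", "gt", "eq", "neq", "range"):
        n = 2 if tok[i] == "range" else 1
        return (tok[i], tuple(int(p) for p in tok[i + 1:i + 1 + n])), i + 1 + n
    return (None, ()), i

def parse_permit(line):
    """Parse 'permit protocol source ... destination ...' into a dict of fields."""
    tok = line.split()
    if tok[0] != "permit":
        raise ValueError("not a permit entry")
    proto = tok[1]
    src, i = _addr_spec(tok, 2)
    sport, i = _port_spec(tok, i, proto)
    dst, i = _addr_spec(tok, i)
    dport, i = _port_spec(tok, i, proto)
    return {"proto": proto, "src": src, "dst": dst, "sport": sport, "dport": dport,
            "established": proto == "tcp" and "established" in tok[i:]}

def _port_ok(spec, value):
    op, ports = spec
    if op == "range":                       # inclusive on both ends
        return ports[0] <= value <= ports[1]
    return op is None or {"lt": value < ports[0], "gt": value > ports[0],
                          "eq": value == ports[0], "neq": value != ports[0]}[op]

def entry_matches(entry, proto, src, dst, sport=0, dport=0, flags=()):
    """True if the packet would be selected for encryption by this entry.
    'ip' matches any IP protocol; established needs the ACK or RST bit set."""
    if entry["proto"] not in ("ip", proto):
        return False
    if not (addr_matches(src, *entry["src"]) and addr_matches(dst, *entry["dst"])):
        return False
    if not (_port_ok(entry["sport"], sport) and _port_ok(entry["dport"], dport)):
        return False
    return not entry["established"] or bool({"ACK", "RST"} & set(flags))

# Constructed sample entry (not from the page): encrypt established HTTPS from one subnet to one host.
SAMPLE = parse_permit("permit tcp 10.1.1.0 0.0.0.255 host 192.168.7.5 eq 443 established")
```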

set algorithm 40-bit-des

To specify a 40-bit Data Encryption Standard (DES) algorithm type within a crypto map definition, use the set algorithm 40-bit-des command in crypto map configuration mode. Use the no form of this command to disable a 40-bit DES algorithm type within a crypto map definition.

set algorithm 40-bit-des [cfb-8 | cfb-64]

no set algorithm 40-bit-des [cfb-8 | cfb-64]

If no DES algorithm is specified within a crypto map, all globally enabled DES algorithms will be matched to the map by default. Refer to the crypto cisco algorithm 40-bit-des or crypto cisco algorithm des command descriptions to learn about globally enabling DES algorithms.

Syntax Description

cfb-8

(Optional) Selects the 8-bit Cipher FeedBack (CFB) mode of the 40-bit DES algorithm. If no CFB mode is specified when the command is issued, 64-bit CFB mode is the default.

cfb-64

(Optional) Selects the 64-bit CFB mode of the 40-bit DES algorithm. If no CFB mode is specified when the command is issued, 64-bit CFB mode is the default.

set algorithm des

To enable basic Data Encryption Standard (DES) algorithm types within a crypto map definition, use the set algorithm des command in crypto map configuration mode. Use the no form of this command to disable a basic DES algorithm type within a crypto map definition.

set algorithm des [cfb-8 | cfb-64]

no set algorithm des [cfb-8 | cfb-64]

Syntax Description

cfb-8

(Optional) Selects the 8-bit Cipher FeedBack (CFB) mode of the basic DES algorithm. If no CFB mode is specified when the command is issued, 64-bit CFB mode is the default.

cfb-64

(Optional) Selects the 64-bit CFB mode of the basic DES algorithm. If no CFB mode is specified when the command is issued, 64-bit CFB mode is the default.

set peer (CET)

To specify a peer encrypting router within a crypto map definition, use the set peer command in crypto map configuration mode. Use the no form of this command to eliminate a peer encrypting router from a crypto map definition.

set peer key-name

no set peer key-name

Syntax Description

key-name

Identifies the crypto engine of the peer encrypting router.

show crypto algorithms

The show crypto cisco algorithms command replaces this command. See the description of the show crypto cisco algorithms command in this chapter for more information.

show crypto card

To view the operational status of an Encryption Service Adapter (ESA), use the show crypto card command in privileged EXEC mode. This command is available only on Cisco 7200, RSP7000, or 7500 series routers with an installed ESA.

show crypto card [slot | vip]

Syntax Description

slot

(Optional) This argument is available only on Cisco 7200, RSP7000, and 7500 series routers.

Identifies the ESA to show. Use the chassis slot number of the VIP2 containing the ESA.

vip

(Optional) This keyword is only available on Cisco Catalyst 5000 series switches. It identifies the Versatile Interface Processor on Cisco Catalyst 5000 series switches.

show crypto cisco algorithms

To view which Data Encryption Standard (DES) algorithm types are globally enabled for your router, use the show crypto cisco algorithms command in privileged EXEC mode. This displays all basic DES and 40-bit DES algorithm types that are globally enabled.

show crypto cisco algorithms

Syntax Description

This command has no arguments or keywords.

show crypto cisco connections

To view current and pending encrypted session connections, use the show crypto cisco connections command in privileged EXEC mode.

show crypto cisco connections

Syntax Description

This command has no arguments or keywords.

show crypto cisco key-timeout

To view the current setting for the duration of encrypted sessions, use the show crypto cisco key-timeout command in privileged EXEC mode.

show crypto cisco key-timeout

Syntax Description

This command has no arguments or keywords.

show crypto cisco pregen-dh-pairs

To view the number of Diffie-Hellman (DH) number pairs currently generated, use the show crypto cisco pregen-dh-pairs command in privileged EXEC mode.

show crypto cisco pregen-dh-pairs [slot | rsm | vip]

Syntax Description

slot

(Optional) Identifies the crypto engine. This argument is available only on Cisco 7200, RSP7000, and 7500 series routers.

If no slot is specified, the Cisco IOS crypto engine will be selected.

Use the chassis slot number of the crypto engine location. For the Cisco IOS crypto engine, this is the chassis slot number of the Route Switch Processor (RSP). For the VIP2 crypto engine, this is the chassis slot number of the VIP2. For the ESA crypto engine, this is the chassis slot number of the ESA (Cisco 7200) or of the VIP2 (Cisco RSP7000 and 7500).

rsm

(Optional) This keyword is only available on Cisco Catalyst 5000 series switches. It identifies the Route Switch Module on Cisco Catalyst 5000 series switches.

vip

(Optional) This keyword is only available on Cisco Catalyst 5000 series switches. It identifies the Versatile Interface Processor on Cisco Catalyst 5000 series switches.

show crypto connections

The show crypto cisco connections command replaces this command. See the description of the show crypto cisco connections command in this chapter for more information.

show crypto engine brief

To view all crypto engines within a Cisco 7200, RSP7000, or 7500 series router, use the show crypto engine brief command in privileged EXEC mode.

show crypto engine brief

Syntax Description

This command has no arguments or keywords.

show crypto engine configuration

To view the Cisco IOS crypto engine of your router, use the show crypto engine configuration command in privileged EXEC mode.

show crypto engine configuration

Syntax Description

This command has no arguments or keywords.

show crypto engine connections active

To view the current active encrypted session connections for all crypto engines, use the show crypto engine connections active command in privileged EXEC mode.

show crypto engine connections active [slot | rsm | vip]

Syntax Description

slot

(Optional) Identifies the crypto engine. This argument is available only on Cisco 7200, RSP7000, and 7500 series routers.

If no slot is specified, the Cisco IOS crypto engine will be selected.

Use the chassis slot number of the crypto engine location. For the Cisco IOS crypto engine, this is the chassis slot number of the Route Switch Processor (RSP). For the VIP2 crypto engine, this is the chassis slot number of the VIP2. For the ESA crypto engine, this is the chassis slot number of the ESA (Cisco 7200) or of the VIP2 (Cisco RSP7000 and 7500).

rsm

(Optional) This keyword is only available on Cisco Catalyst 5000 series switches. It identifies the Route Switch Module on Cisco Catalyst 5000 series switches.

vip

(Optional) This keyword is only available on Cisco Catalyst 5000 series switches. It identifies the Versatile Interface Processor on Cisco Catalyst 5000 series switches.

show crypto engine connections dropped-packets

To view information about packets dropped during encrypted sessions for all router crypto engines, use the show crypto engine connections dropped-packets command in privileged EXEC mode.

show crypto engine connections dropped-packets

Syntax Description

This command has no arguments or keywords.

show crypto key mypubkey dss

To view Digital Signature Standard (DSS) public keys (for all your router crypto engines) in hexadecimal form, use the show crypto key mypubkey dss command in EXEC mode.

show crypto key mypubkey dss

Syntax Description

This command has no arguments or keywords.

show crypto key pubkey-chain dss

To view peer router Digital Signature Standard (DSS) public keys known to your router, use the show crypto key pubkey-chain dss command in EXEC mode.

show crypto key pubkey-chain dss [name key-name | serial serial-number]

Syntax Description

name key-name

Name assigned when the DSS public key was created with the crypto key pubkey-chain dss command.

serial serial-number

Serial number of the encrypting router's public DSS key.

show crypto key-timeout

The show crypto cisco key-timeout command replaces this command. See the description of the show crypto cisco key-timeout command in this chapter for more information.

show crypto map (CET)

To view the crypto map configuration, use the show crypto map command in privileged EXEC mode.

show crypto map [interface interface | tag map-name]

Syntax Description

interface interface

(Optional) Shows only the crypto map set applied to the specified interface.

tag map-name

(Optional) Shows only the crypto map set with the specified map-name.

show crypto mypubkey

The show crypto key mypubkey dss command replaces this command. See the description of the show crypto key mypubkey dss command in this chapter for more information.

show crypto pregen-dh-pairs

The show crypto cisco pregen-dh-pairs command replaces this command. See the description of the show crypto cisco pregen-dh-pairs command in this chapter for more information.

show crypto pubkey

The show crypto key pubkey-chain dss command replaces this command. See the description of the show crypto key pubkey-chain dss command in this chapter for more information.

show crypto pubkey name

The show crypto key pubkey-chain dss command replaces this command. See the description of the show crypto key pubkey-chain dss command in this chapter for more information.

show crypto pubkey serial

The show crypto key pubkey-chain dss command replaces this command. See the description of the show crypto key pubkey-chain dss command in this chapter for more information.

test crypto initiate-session

To set up a test encryption session, use the test crypto initiate-session command in privileged EXEC mode.

test crypto initiate-session src-ip-addr dst-ip-addr map-name seq-num

Syntax Description

src-ip-addr

IP address of source host. Should be included in an encryption access list definition as a valid IP address source address.

dst-ip-addr

IP address of destination host. Should be included in an encryption access list definition as a valid IP address destination address.

map-name

Names the crypto map to be used.

seq-num

Specifies the sequence number of the crypto map entry to be used.

Posted: Wed Jul 26 16:15:51 PDT 2000
Copyright © 1989-2000 Cisco Systems Inc.