
Date updated: 2/24/2009

Packet Tracer 5.2 New IOS commands


REQ-1 Context Based Access List

Tag            Priority  Requirement
REQ-1.1        5         Router(config)#no ip inspect name inspection-name protocol [timeout seconds]
                         Protocols covered: http, icmp, tcp, telnet, udp, dns, https, ntp, radius, snmp, ssh, syslog, tacacs, and tftp
REQ-1.2        5         Router(config-if)#no ip inspect inspection-name {in | out}
REQ-1.3        5         Router(config)#no ip inspect tcp synwait-time seconds
REQ-1.4        5         Router(config)#no ip inspect tcp finwait-time seconds
REQ-1.5        5         Router(config)#no ip inspect tcp idle-time seconds
REQ-1.6        5         Router(config)#no ip inspect udp idle-time seconds
REQ-1.7        5         Router(config)#no ip inspect dns-timeout seconds
REQ-1.8        5         Router(config)#no ip inspect max-incomplete high number
REQ-1.9        5         Router(config)#no ip inspect max-incomplete low number
REQ-1.10       5         Router(config)#no ip inspect one-minute high number
REQ-1.11       5         Router(config)#no ip inspect one-minute low number
REQ-1.12       5         Router#show ip inspect {name WORD | config | interfaces | session [detail] | all}
REQ-1.13       5         Router#debug ip inspect protocol protocol-name

REQ-2 Outside NAT

Tag            Priority  Requirement
REQ-2.1        5         Router(config)#no ip nat outside source list list-num pool pool-name
REQ-2.2        5         Router(config)#no ip nat outside source static global-ip local-ip
REQ-2.3        5         Router(config)#no ip nat outside source static {tcp | udp} global-ip global-port local-ip local-port

REQ-3 Improved TCP/IP

Tag            Priority  Requirement
REQ-3.1.1      5         Router(config)#service nagle

REQ-4 Emulation of SLARP feature

Tag            Priority  Requirement
REQ-4.1        5         Router(config-if)#keepalive <time in seconds>

REQ-5 AAA

Tag            Priority  Requirement
REQ-5.1        5         ACS service on generic server device
REQ-5.2        5         RADIUS
REQ-5.3        5         TACACS+
REQ-5.4        5         AAA commands
REQ-5.4.1      5         Commands to configure Router IOS to communicate with the AAA server
REQ-5.4.1.1    5         Router(config)#aaa new-model
REQ-5.4.1.2    5         Router(config)#tacacs-server host ip-address [single-connection]
REQ-5.4.1.3    5         Router(config)#tacacs-server key key (key used to encrypt data between ACS and NAS)
REQ-5.4.1.4    5         Router#show aaa [user | sessions | local user lockout]
REQ-5.4.1.5    5         Router#clear aaa local user lockout
REQ-5.5        5         TACACS+ Attributes and Features
REQ-5.6        5         Persistent TCP session, configurable on both ACS and the AAA server
REQ-5.7        5         Authentication
REQ-5.7.1      5         TACACS+ Authentication
REQ-5.7.2      5         Router(config)#aaa authentication login {default | list_name} group {group_name | tacacs | radius} [method2 [method3 [method4]]]
REQ-5.7.3      5         Router(config-line)#login authentication list-name (console, vty)
REQ-5.7.4      5         Router#debug aaa authentication
REQ-5.8        5         Authorization
REQ-5.8.1      5         Router(config)#aaa authorization {network | exec | commands level | config-commands | reverse-access} {default | list_name} method1 [method2] (command only)

Copyright 2009 Cisco Systems.

Cisco Public Information

REQ-6 IPsec & GRE VPN

Tag            Priority  Requirement
REQ-6.1        5         Supports the 5 steps of IPsec.
REQ-6.2        5         Support for SA (security associations)
REQ-6.3        5         Support for IPsec encryption, authentication and data integrity algorithms.
REQ-6.3.1      5         DES
REQ-6.3.2      5         AES
REQ-6.3.3      5         3DES
REQ-6.3.4      5         SHA1
REQ-6.3.5      5         DH key exchange
REQ-6.4        5         AH
REQ-6.5        5         ESP
REQ-6.5.1      5         Transport mode, tunnel mode
REQ-6.6        5         IKE: ISAKMP, key exchange and the mechanics of negotiating security policies
REQ-6.6.1      5         IKE phase 1 & 2: phase 1 in two modes (main and aggressive), phase 2 in quick mode
REQ-6.6.2      5         IKE modes (main, aggressive, quick)
REQ-6.6.3      5         IKE policy establishment
REQ-6.6.4      5         Router(config)#crypto isakmp policy priority
REQ-6.6.4.1    5         
REQ-6.6.4.2    5         IKE pre-share
REQ-6.6.4.2.1  5         Router(config-isakmp)#authentication pre-share
REQ-6.6.4.3    5         Router(config-isakmp)#hash {sha | md5}
REQ-6.6.4.4    5         Router(config-isakmp)#encryption {des | 3des | aes {128 | 192 | 256}}
REQ-6.6.4.5    5         Router(config-isakmp)#group {1 | 2 | 5}
REQ-6.6.4.6    5         Router(config-isakmp)#lifetime seconds
REQ-6.6.4.7    5         Router(config)#crypto isakmp key key address peer-ip-address
REQ-6.7        5         Define IPsec transform set (parameters for the IPsec tunnel)
REQ-6.7.1      5         Router(config)#crypto ipsec transform-set transform-set-name transform1 [transform2] [transform3] [transform4]
REQ-6.8        5         Create crypto map (defines the IPsec peer)
REQ-6.8.1      5         Router(config)#crypto map crypto-map-name sequence-number ipsec-isakmp
REQ-6.8.2      5         Router(config-crypto-map)#set peer ip-address
REQ-6.8.3      5         Router(config-crypto-map)#match address access-list-id
REQ-6.8.4      5         Router(config-crypto-map)#set transform-set transform-set-name [transform-set-name2 ... transform-set-name6]
REQ-6.9        5         Apply the crypto map to the interfaces
REQ-6.9.1      5         Router(config-if)#crypto map crypto-map-name
REQ-6.10       5         Router#show crypto isakmp {sa | policy}
REQ-6.11       5         Router#show crypto ipsec {sa | transform-set}
REQ-6.12       5         Router#show crypto map
REQ-6.13       5         Router#debug crypto {isakmp | ipsec}
REQ-6.14       5         GRE
REQ-6.14.1     5         Router(config)#interface tunnel tunnel-id
REQ-6.14.2     5         Router(config-if)#tunnel source interface-name-id
REQ-6.14.3     5         Router(config-if)#tunnel destination ip-address
REQ-6.14.4     5         Router#show crypto isakmp sa
REQ-6.14.5     5         Router#show crypto ipsec sa
REQ-6.14.6     5         Router#show interfaces (add tunnel interfaces)
REQ-6.15       5         VPN to pass through wireless
REQ-6.16       5         VPN software for PC
REQ-6.17       5         VPN to work with NAT
REQ-6.18       5         VPN software for PC (Easy VPN)
REQ-6.18.1     5         Router(config)#[no] ip local pool named-address-pool first-ip-address [last-ip-address]
REQ-6.18.2     5         Router(config)#[no] crypto isakmp client configuration group group-name
REQ-6.18.3     5         Router(config-isakmp-group)#[no] key name
REQ-6.18.4     5         Router(config-isakmp-group)#[no] pool name
REQ-6.18.5     5         Router(config-isakmp-group)#[no] netmask ip-address
REQ-6.18.6     5         Router(config)#[no] crypto dynamic-map dynamic-map-name dynamic-seq-num
REQ-6.18.7     5         Router(config-crypto-map)#[no] set transform-set transform-set-name [transform-set-name2 ... transform-set-name6]
REQ-6.18.8     5         Router(config-crypto-map)#[no] reverse-route
REQ-6.18.9     5         Router(config)#[no] crypto map map-name client configuration address respond
REQ-6.18.10    5         Router(config)#[no] crypto map map-name isakmp authorization list list-name
REQ-6.18.11    5         Router(config)#[no] crypto map map-name seq-num ipsec-isakmp dynamic dynamic-map-name
REQ-6.18.12    5         Router(config)#[no] crypto map map-name client authentication list list-name

REQ-7 Firewall

Tag            Priority  Requirement
REQ-7.1        5         Setting audit trails and alerts
REQ-7.1.1      5         Router(config)#logging on
REQ-7.1.2      5         Router(config)#logging host ip-address
REQ-7.1.3      5         Router(config)#ip inspect audit-trail
REQ-7.1.4      5         Router(config)#[no] ip inspect alert-off (real-time alert)
REQ-7.2        5         Support for inspection rules for application protocols
REQ-7.2.1      5         Router(config)#ip inspect name inspection-name protocol [alert {on | off}] [audit-trail {on | off}] [timeout seconds]
REQ-7.2.2      5         Router(config-if)#ip inspect inspection-name {in | out}
REQ-7.2.3      5         Router#show ip inspect name inspection-name
REQ-7.2.4      5         Router#show ip inspect config
REQ-7.2.5      5         Router#show ip inspect interfaces
REQ-7.2.6      5         Router#show ip inspect session [detail]
REQ-7.2.7      5         Router#show ip inspect statistics
REQ-7.2.8      5         Router#show ip inspect all
REQ-7.2.9      5         Router#debug ip inspect {function-trace | object-creation | object-deletion | events | timers | protocol | detailed}
REQ-7.3        5         Creates a session entry in the session table
REQ-7.4        5         Dynamically removes the ACL entry when the entry times out or the application terminates

REQ-8 IPS

Tag            Priority  Requirement
REQ-8.1        5         Router(config)#[no] ip ips fail closed
REQ-8.2        5         Router(config)#[no] ip ips name ips-rule-name [list access-list]
REQ-8.3        5         Router(config)#[no] ip ips config location location retries retries
REQ-8.4        5         Router#mkdir dir-name
REQ-8.5        5         Router#rmdir dir-name
REQ-8.6        5         Router(config)#[no] ip ips signature-category
REQ-8.7        5         Router(config-ips-category)#[no] category {all | ios_ips basic}
REQ-8.8        5         Router(config-ips-category-action)#[no] retired {true | false}
REQ-8.9        5         Router(config-if)#[no] ip virtual-reassembly
REQ-8.10       5         Router(config-if)#ip ips rule-name {in | out}
REQ-8.11       5         Router(config)#[no] ip ips notify log
REQ-8.12       5         Router(config)#[no] ip ips signature-definition
REQ-8.13       5         Router(config-sigdef)#signature <1-65535> [<0-65535>]
REQ-8.14       5         Router(config-sigdef-sig)#engine
REQ-8.15       5         Router(config-sigdef-sig-engine)#event-action [deny-packet-inline | produce-alert]
REQ-8.16       5         Router(config-sigdef-sig)#status
REQ-8.17       5         Router(config-sigdef-sig-status)#{enabled | retired} [true | false]
REQ-8.18       5         Router#show ip ips configuration
REQ-8.19       5         Router#show ip ips signature sigid sigid subid subid
REQ-8.20       5         Supports only the ICMP signature file.

REQ-9 SNMPv1, SNMPv2

Tag            Priority  Requirement
REQ-9.1        5         Managers, Agents, MIB
REQ-9.2        5         SNMP v1 & v2 commands
REQ-9.2.1      5         set, get, getbulk
REQ-9.3        5         Authentication message (Community Strings)
REQ-9.4        5         Router(config)#[no] snmp-server community community-string

REQ-10 Parser Views and Command Privileges

Tag            Priority  Requirement
REQ-10.1       5         Parser Views
REQ-10.1.1     5         Router#enable view [view-name]
REQ-10.1.2     5         Router(config)#[no] parser view view-name
REQ-10.1.3     5         Router(config-view)#[no] secret password
REQ-10.1.4     5         Router(config-view)#commands exec include LINE
REQ-10.1.5     5         Router#show parser view
REQ-10.2       5         Command Privileges
REQ-10.2.1     5         Router(config)#[no] enable {password | secret} level level {password | encryption-type encrypted-password}
REQ-10.2.2     5         Router(config)#[no] privilege mode [all] {level level | reset} command
REQ-10.2.3     5         Router(config)#[no] username name privilege level secret password
REQ-10.2.4     5         Router(config-line)#[no] privilege level level
REQ-10.2.5     5         Router#show privilege

REQ-11 NTP

Tag            Priority  Requirement
REQ-11.1       5         Single-level NTP server on server device
REQ-11.2       5         NTP client on routers
REQ-11.2.1     5         Router#show ntp status
REQ-11.2.2     5         Router(config)#[no] ntp authentication-key key-number md5 password [encryption-type]
REQ-11.2.3     5         Router(config)#[no] ntp authenticate
REQ-11.2.4     5         Router(config)#[no] ntp trusted-key key-number
REQ-11.2.5     5         Router(config)#[no] ntp server server-ip [key key-number]

REQ-12 Zone-Based Policy Firewall

Tag            Priority  Requirement
REQ-12.1       5         Router(config)#[no] class-map type inspect [match-all | match-any] class-map-name
REQ-12.1.1     5         Router(config-cmap)#[no] match {any | not | }
REQ-12.1.2     5         Router(config-cmap)#[no] match protocol protocol
REQ-12.1.3     5         Router(config-cmap)#[no] match class-map class-map-name
REQ-12.1.4     5         Router(config-cmap)#[no] match access-group access-list-name
REQ-12.2       5         Router(config)#[no] policy-map type inspect policy-map-name
REQ-12.3       5         Router(config-pmap)#[no] class {type inspect class-map-name | class-default}
REQ-12.4       5         Router(config-pmap-c)#[no] inspect
REQ-12.5       5         Router(config-pmap-c)#[no] pass
REQ-12.6       5         Router(config-pmap-c)#[no] drop log
REQ-12.7       5         Router(config)#[no] zone security zone-name
REQ-12.8       5         Router(config)#[no] zone-pair security zone-pair-name source source-zone-name destination destination-zone-name
REQ-12.9       5         Router(config-sec-zone-pair)#[no] service-policy type inspect policy-map-name
REQ-12.10      5         Router(config-if)#[no] zone-member security zone-name
REQ-12.11      5         Router#show policy-map type inspect zone-pair session

REQ-13 Syslog and Logging

Tag            Priority  Requirement
REQ-13.1       5         Syslog Server
REQ-13.1.1     5         Server device supports a syslog server to receive log messages
REQ-13.1.2     5         Server device supports displaying the received log messages
REQ-13.2       5         Syslog Client on routers and switches
REQ-13.2.1     5         Router(config)#[no] logging server-ip
REQ-13.2.2     5         Router(config)#[no] logging trap debugging
REQ-13.2.3     5         Router#show logging
REQ-13.3       5         Other logging commands
REQ-13.3.1     5         Router(config)#[no] service timestamps {debug | log} datetime msec
REQ-13.3.2     5         Router(config)#[no] logging console [critical]
REQ-13.3.3     5         Router(config)#[no] logging buffered buffer-size

REQ-14 DiffServ QoS

Tag            Priority  Requirement
REQ-14.1       5         Layer 2 QoS
REQ-14.1.1     5         802.1p User Priority in 802.1Q encapsulation
REQ-14.1.2     5         Switch(config-if)#[no] switchport voice vlan vlan-id
REQ-14.1.3     5         Switch(config-if)#[no] mls qos trust {cos | dscp | device cisco-phone}
REQ-14.1.4     5         Switch(config-if)#[no] mls qos cos cos
REQ-14.1.5     5         Switch(config-if)#[no] switchport priority extend cos cos-value
REQ-14.1.6     5         Switch#show interfaces interface-name switchport
REQ-14.1.7     5         Switch#show mls qos interfaces interface-name
REQ-14.2       5         Layer 3 QoS
REQ-14.2.1     5         IP Precedence
REQ-14.2.2     5         DSCP
REQ-14.3       5         Modular QoS CLI (MQC)
REQ-14.3.1     5         Router(config)#[no] class-map [match-all | match-any] class-map-name
REQ-14.3.2     5         Router(config-cmap)#[no] description description
REQ-14.3.3     5         Router(config-cmap)#[no] match {any | not | }
REQ-14.3.4     5         Router(config-cmap)#[no] match protocol protocol
REQ-14.3.5     5         Router(config-cmap)#[no] match qos-group group
REQ-14.3.6     5         Router(config-cmap)#[no] match access-group access-list-name
REQ-14.3.7     5         Router(config-cmap)#[no] match class-map class-map-name
REQ-14.3.8     5         Router(config-cmap)#[no] match destination-address mac mac
REQ-14.3.9     5         Router(config-cmap)#[no] match precedence precedence
REQ-14.3.10    5         Router(config-cmap)#[no] match ip dscp dscp-value
REQ-14.3.11    5         Router(config-cmap)#[no] match cos cos-value
REQ-14.3.12    5         Router(config-cmap)#[no] match ip rtp start-port-number port-range
REQ-14.3.13    5         Router(config-cmap)#[no] match input-interface interface-name
REQ-14.3.14    5         Router(config)#[no] policy-map policy-map-name
REQ-14.3.15    5         Router(config-pmap)#[no] class {class-name | class-default}
REQ-14.3.16    5         Router(config-pmap-c)#[no] bandwidth bandwidth
REQ-14.3.17    5         Router(config-pmap-c)#[no] bandwidth percent percent
REQ-14.3.18    5         Router(config-pmap-c)#[no] bandwidth remaining percent percent
REQ-14.3.19    5         Router(config-pmap-c)#[no] queue-limit limit
REQ-14.3.20    5         Router(config-pmap-c)#[no] priority priority
REQ-14.3.21    5         Router(config-pmap-c)#[no] priority percent percent [burst]
REQ-14.3.22    5         Router(config-pmap-c)#[no] shape average bandwidth
REQ-14.3.23    5         Router(config-pmap-c)#[no] service-policy policy-map-name
REQ-14.3.24    5         Router(config-pmap-c)#[no] fair-queue queues
REQ-14.3.25    5         Router(config-pmap-c)#[no] set ip dscp ...
REQ-14.3.26    5         Router(config-pmap-c)#[no] set precedence precedence
REQ-14.3.27    5         Router(config-pmap-c)#[no] random-detect [precedence ]
REQ-14.3.28    5         Router(config-pmap-c)#[no] random-detect [dscp ]
REQ-14.3.29    5         Router(config-if)#[no] service-policy {input | output} policy-map-name
REQ-14.3.30    5         Router(config-if)#[no] fair-queue [cdt [dynamic-queues [reservable-queues]]]
REQ-14.3.31    5         Router#show class-map
REQ-14.3.32    5         Router#show policy-map [interface interface-name]
REQ-14.3.33    5         Router#show queue [interface-name]
REQ-14.3.34    5         Router#show queueing
REQ-14.3.35    5         Router#show interfaces [interface-name]
REQ-14.4       5         Custom Queuing
REQ-14.4.1     5         Router(config)#[no] queue-list queue-list-number protocol protocol queue-number list acl
REQ-14.4.2     5         Router(config)#[no] queue-list queue-list-number protocol protocol queue-number {tcp | udp} port-number
REQ-14.4.3     5         Router(config)#[no] queue-list queue-list-number default queue-number
REQ-14.4.4     5         Router(config)#[no] queue-list queue-list-number queue queue-number limit limit
REQ-14.4.5     5         Router(config)#[no] queue-list queue-list-number queue queue-number byte-count byte-count
REQ-14.4.6     5         Router(config-if)#[no] custom-queue-list queue-list-number
REQ-14.4.7     5         Router#[no] debug custom-queue
REQ-14.5       5         Priority Queuing
REQ-14.5.1     5         Router(config)#[no] priority-list queue-list-number protocol protocol {high | medium | normal | low} tcp port-number
REQ-14.5.2     5         Router(config)#[no] priority-list queue-list-number default queue-name
REQ-14.5.3     5         Router(config)#[no] priority-list queue-list-number queue-limit high-limit medium-limit normal-limit low-limit
REQ-14.5.4     5         Router(config-if)#[no] priority-group priority-list-number
REQ-14.6       5         ACL
REQ-14.6.1     5         Router(config)#[no] access-list precedence precedence
REQ-14.6.2     5         Router(config)#[no] access-list dscp dscp
REQ-14.7       5         NBAR
REQ-14.7.1     5         Deep packet inspection to classify traffic
REQ-14.7.2     5         Router(config-cmap)#[no] match protocol http
REQ-14.7.3     5         Router(config-cmap)#[no] match protocol http url url
REQ-14.7.4     5         Router(config-cmap)#[no] match protocol http host host
REQ-14.7.5     5         Router(config-cmap)#[no] match protocol http mime mime-type
REQ-14.7.6     5         Router(config-cmap)#[no] match protocol rtp [audio | video | payload-type type]
REQ-14.8       5         Visualizations
REQ-14.8.1     5         Display of queuing and dropping of packets
REQ-14.8.2     5         Display of the different queues on devices
REQ-14.8.3     5         Combine all packets on the same device into one queue icon and display how full it is.
