
name Name of an IP access list. The name cannot contain a space or quotation mark, and must begin with an alphabetic character to avoid ambiguity with numbered access lists.

dynamic-name (Optional) Name of a dynamic access list.

source (Optional) Source address in a dynamic access list. The keywords host and any are allowed. All other attributes are inherited from the original access-list entry.

destination (Optional) Destination address in a dynamic access list. The keywords host and any are allowed. All other attributes are inherited from the original access-list entry.

timeout minutes (Optional) Specifies a maximum time limit for each entry within this dynamic list. This is an absolute time, from creation, that an entry can reside in the list. The default is an infinite time limit and allows an entry to remain permanently.

Command Mode

EXEC

Usage Guidelines

This command first appeared in Cisco IOS Release 11.1.

This command provides a way to enable the lock-and-key access feature.

You should always define either an idle timeout (with the timeout keyword in this command) or an absolute timeout (with the timeout keyword in the access-list command). Otherwise, the dynamic access list will remain, even after the user has terminated the session.

Example

In the following example, the software enables IP access on incoming packets in which the source address is 172.29.1.129 and the destination address is 192.168.52.12. All other source and destination pairs are discarded.

access-template 101 payroll host 172.29.1.129 host 192.168.52.12 timeout 2

Related Commands

A dagger (†) indicates that the command is documented outside this chapter.

access-list (extended) †

autocommand †

clear access-template

[12.7.6] clear access-template

To manually clear a temporary access list entry from a dynamic access list, use the clear access-template EXEC command.

clear access-template [access-list-number | name] [dynamic-name] [source] [destination]

Syntax Description

access-list-number (Optional) Number of the dynamic access list from which the entry is to be deleted.

name Name of an IP access list from which the entry is to be deleted. The name cannot contain a space or quotation mark, and must begin with an alphabetic character to avoid ambiguity with numbered access lists.

dynamic-name (Optional) Name of the dynamic access list from which the entry is to be deleted.

source (Optional) Source address in a temporary access list entry to be deleted.

destination (Optional) Destination address in a temporary access list entry to be deleted.

Command Mode

EXEC

Usage Guidelines

This command first appeared in Cisco IOS Release 11.1.

This command is related to the lock-and-key access feature. It clears any temporary access list entries that match the parameters you define.

Example

The following example clears any temporary access list entries with a source of 172.20.1.12 from the dynamic access list named vendor:

clear access-template vendor 172.20.1.12

Related Commands

A dagger (†) indicates that the command is documented outside this chapter.

access-list (extended) †

access-template

[12.7.7] show ip accounting

To display the active accounting or checkpointed database or to display access-list violations, use the show ip accounting privileged EXEC command.

show ip accounting [checkpoint] [output-packets | access-violations]

Syntax Description

checkpoint (Optional) Indicates that the checkpointed database should be displayed.

output-packets (Optional) Indicates that information pertaining to packets that passed access control and were successfully routed should be displayed. This is the default value if neither output-packets nor access-violations is specified.

access-violations (Optional) Indicates that information pertaining to packets that failed access lists and were not routed should be displayed.

Defaults

If neither the output-packets nor access-violations keyword is specified, show ip accounting displays information pertaining to packets that passed access control and were successfully routed.

Command Mode

EXEC

Usage Guidelines

This command first appeared in Cisco IOS Release 10.0.

To use this command, you must first enable IP accounting on a per-interface basis.

Sample Displays

Following is sample output from the show ip accounting command:

Router# show ip accounting

   Source           Destination              Packets      Bytes
 172.30.19.40       172.30.67.20                   7        306
 172.30.13.55       172.30.67.20                  67       2749
 172.30.2.50        172.30.33.51                  17       1111
 172.30.2.50        172.30.2.1                     5        319
 172.30.2.50        172.30.1.2                   463      30991
 172.30.19.40       172.30.2.1                     4        262
 172.30.19.40       172.30.1.2                    28       2552
 172.30.20.2        172.30.6.100                  39       2184
 172.30.13.55       172.30.1.2                    35       3020
 172.30.19.40       172.30.33.51                1986      95091
 172.30.2.50        172.30.67.20                 233      14908
 172.30.13.28       172.30.67.53                 390      24817
 172.30.13.55       172.30.33.51              214669    9806659
 172.30.13.111      172.30.6.23                27739    1126607
 172.30.13.44       172.30.33.51               35412    1523980
 172.30.7.21        172.30.1.2                    11        824
 172.30.13.28       172.30.33.2                   21       1762
 172.30.2.166       172.30.7.130                 797     141054
 172.30.3.11        172.30.67.53                   4        246
 172.30.7.21        172.30.33.51               15696     695635
 172.30.7.24        172.30.67.20                  21        916
 172.30.13.111      172.30.10.1                   16       1137

Field Description

Source Source address of the packet

Destination Destination address of the packet

Packets Number of packets transmitted from the source address to the destination address

Bytes Number of bytes transmitted from the source address to the destination address

Following is sample output from the show ip accounting access-violations command. (The following displays information pertaining to packets that failed access lists and were not routed.)

Router# show ip accounting access-violations

   Source           Destination              Packets      Bytes   ACL
 172.30.19.40       172.30.67.20                   7        306    77
 172.30.13.55       172.30.67.20                  67       2749   185
 172.30.2.50        172.30.33.51                  17       1111   140
 172.30.2.50        172.30.2.1                     5        319   140
 172.30.19.40       172.30.2.1                     4        262    77
Accounting data age is 41

Field Description

Source Source address of the packet

Destination Destination address of the packet

Packets For accounting keyword, number of packets transmitted from the source address to the destination address. For access-violations keyword, number of packets transmitted from the source address to the destination address that violated the access control list.

Bytes For accounting keyword, number of bytes transmitted from the source address to the destination address. For access-violations keyword, number of bytes transmitted from the source address to the destination address that violated the access control list.

ACL Number of the access list of the last packet transmitted from the source to the destination that failed an access list.
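As an added example, not part of the Cisco documentation, the following Python parses the show ip accounting access-violations display shown above (the plain display, which lacks the ACL column, parses too) and sums denied packets per ACL and per source address, which is the kind of check an operator would run over periodically collected output to find the access list being hit most and the host generating the denials. The sample output is constructed from the table in this chapter.

```python
import re
from collections import defaultdict

# Constructed sample: the access-violations display from this chapter, pasted in
# as it would be captured from a terminal session.
SAMPLE_OUTPUT = """\
Router# show ip accounting access-violations
   Source           Destination              Packets      Bytes   ACL
 172.30.19.40       172.30.67.20                   7        306    77
 172.30.13.55       172.30.67.20                  67       2749   185
 172.30.2.50        172.30.33.51                  17       1111   140
 172.30.2.50        172.30.2.1                     5        319   140
 172.30.19.40       172.30.2.1                     4        262    77
Accounting data age is 41
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# One data row; the trailing ACL column exists only in the access-violations display.
ROW_RE = re.compile(
    rf"^\s*(?P<src>{IPV4})\s+(?P<dst>{IPV4})\s+(?P<packets>\d+)\s+(?P<bytes>\d+)"
    r"(?:\s+(?P<acl>\d+))?\s*$"
)
AGE_RE = re.compile(r"^Accounting data age is (\d+)\s*$")


def parse_accounting(text):
    """Return (rows, age); each row is a dict and 'acl' is None for the plain display."""
    rows, age = [], None
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append({"src": m["src"], "dst": m["dst"],
                         "packets": int(m["packets"]), "bytes": int(m["bytes"]),
                         "acl": int(m["acl"]) if m["acl"] else None})
            continue
        m = AGE_RE.match(line)
        if m:
            age = int(m[1])
    return rows, age


def denied_packets_by(rows, key):
    """Sum denied packets per 'acl' or per 'src', highest first."""
    totals = defaultdict(int)
    for r in rows:
        if r["acl"] is not None:          # rows without an ACL number are not violations
            totals[r[key]] += r["packets"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)
```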

Related Commands

A dagger (†) indicates that the command is documented outside this chapter.

clear ip accounting †

ip accounting †

ip accounting-list †

ip accounting-threshold †

ip accounting-transits †

[12.7.8] Terminal Access Security Commands

This chapter describes the commands used to control access to the router.

enable

To log on to the router at a specified level, use the enable EXEC command.

enable [level]

Syntax Description

level (Optional) Defines the privilege level that a user logs in to on the router.

Default

Level 15

Command Mode

EXEC

Usage Guidelines

This command first appeared in Cisco IOS Release 10.0.

Note The enable command is associated with privilege level 0. If you configure AAA authorization for a privilege level greater than 0, this command will not be included in the privilege level command set.

Example

In the following example, the user is logging on to privilege level 5 on a router:

enable 5

Related Commands

A dagger (†) indicates that the command is documented outside this chapter.

disable †

privilege level (global)

privilege level (line)

[12.7.9] enable password

Use the enable password global configuration command to set a local password to control access to various privilege levels. Use the no form of this command to remove the password requirement.

enable password [level level] {password | encryption-type encrypted-password}

no enable password [level level]

Syntax Description

level level (Optional) Level for which the password applies. You can specify up to 16 privilege levels, using numbers 0 through 15. Level 1 is normal EXEC-mode user privileges. If this argument is not specified in the command or the no form of the command, the privilege level defaults to 15 (traditional enable privileges).

password Password users type to enter enable mode.

encryption-type (Optional) Cisco-proprietary algorithm used to encrypt the password. Currently the only encryption type available is 7. If you specify encryption-type, the next argument you supply must be an encrypted password (a password already encrypted by a Cisco router).

encrypted-password Encrypted password you enter, copied from another router configuration.

Default

No password is defined. The default is level 15.

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 10.0.

Use this command with the level option to define a password for a specific privilege level. After you specify the level and the password, give the password to the users who need to access this level. Use the privilege level (global) configuration command to specify commands accessible at various levels.

You will not ordinarily enter an encryption type. Typically you enter an encryption type only if you copy and paste into this command a password that has already been encrypted by a Cisco router.

Caution If you specify an encryption type and then enter a cleartext password, you will not be able to reenter enable mode. You cannot recover a lost password that has been encrypted by any method.

If the service password-encryption command is set, the encrypted form of the password you create with the enable password command is displayed when a show startup-config command is entered.

You can enable or disable password encryption with the service password-encryption command.

An enable password is defined as follows:

* Must contain from 1 to 25 uppercase and lowercase alphanumeric characters.

* Must not have a number as the first character.

* Can have leading spaces, but they are ignored. However, intermediate and trailing spaces are recognized.

* Can contain the question mark (?) character if you precede the question mark with the key combination Ctrl-V when you create the password; for example, to create the password abc?123, do the following:

  * Enter abc.

  * Type Ctrl-V.

  * Enter ?123.

When the system prompts you to enter the enable password, you need not precede the question mark with the Ctrl-V; you can simply enter abc?123 at the password prompt.

Examples

In the following example, the password pswd2 is enabled for privilege level 2:

enable password level 2 pswd2

In the following example the encrypted password $1$i5Rkls3LoyxzS8t9, which has been copied from a router configuration file, is set for privilege level 2 using encryption type 7:

enable password level 2 7 $1$i5Rkls3LoyxzS8t9

Related Commands

A dagger (†) indicates that the command is documented outside this chapter.

disable †

enable †

enable secret

privilege level (global)

service password-encryption

show privilege

show startup-config †

[12.8.0] enable secret

Use the enable secret global configuration command to specify an additional layer of security over the enable password command. Use the no form of the command to turn off the enable secret function.

enable secret [level level] {password | encryption-type encrypted-password}

no enable secret [level level]

Syntax Description

level level (Optional) Level for which the password applies. You can specify up to sixteen privilege levels, using numbers 0 through 15. Level 1 is normal EXEC-mode user privileges. If this argument is not specified in the command or in the no form of the command, the privilege level defaults to 15 (traditional enable privileges).

password Password users type to enter enable mode. This password should be different from the password created with the enable password command.

encryption-type (Optional) Cisco-proprietary algorithm used to encrypt the password. Currently the only encryption type available for this command is 5. If you specify encryption-type, the next argument you supply must be an encrypted password (a password encrypted by a Cisco router).

encrypted-password Encrypted password you enter, copied from another router configuration.
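As an added example covering both the enable password and enable secret sections, and not part of the Cisco documentation, the following Python audits a configuration fragment for privilege levels that are protected only by enable password (this chapter describes enable secret as an additional layer of security over it), for cleartext enable passwords that break the composition rules given above (1 to 25 characters, not beginning with a number), and for a missing service password-encryption when cleartext passwords are present. The sample configuration is constructed from the command forms in this chapter: pswd2 and the type 7 string are the chapter's own examples, and the enable secret value is a labelled placeholder rather than a real encrypted password.

```python
import re

# Constructed sample running-config fragment (see lead-in); the enable secret
# value is a placeholder, not a real type 5 encrypted password.
SAMPLE_CONFIG = """\
enable password level 2 pswd2
enable password level 3 7 $1$i5Rkls3LoyxzS8t9
enable password 2badstart
enable secret level 2 5 <type5-placeholder>
"""

CMD_RE = re.compile(r"^enable (password|secret)(?: level (\d+))? (.+)$")
# Composition rules from this chapter: 1 to 25 characters, first character not a digit.
CLEARTEXT_RE = re.compile(r"^[^0-9].{0,24}$")


def parse_enable_lines(config):
    """Return (kind, level, encryption_type, value) tuples; level defaults to 15."""
    out = []
    for line in config.splitlines():
        m = CMD_RE.match(line.strip())
        if not m:
            continue
        kind, level, rest = m[1], int(m[2]) if m[2] else 15, m[3]
        # A cleartext password may not begin with a digit, so a leading numeric
        # token is always the encryption type (7 or 5) followed by the stored form.
        enc = re.match(r"^(\d+)\s+(\S+)$", rest)
        if enc:
            out.append((kind, level, int(enc[1]), enc[2]))
        else:
            out.append((kind, level, None, rest.lstrip()))  # leading spaces are ignored
    return out


def audit(config):
    """Findings as strings: levels lacking enable secret, rule-breaking cleartext
    passwords, and cleartext present without service password-encryption."""
    entries = parse_enable_lines(config)
    secret_levels = {lvl for kind, lvl, _, _ in entries if kind == "secret"}
    findings, cleartext_seen = [], False
    for kind, lvl, enc, value in entries:
        if kind != "password":
            continue
        if lvl not in secret_levels:
            findings.append(f"level {lvl}: enable password without enable secret")
        if enc is None:
            cleartext_seen = True
            if not CLEARTEXT_RE.match(value):
                findings.append(f"level {lvl}: cleartext password violates format rules")
    if cleartext_seen and "service password-encryption" not in config.splitlines():
        findings.append("service password-encryption not set; cleartext passwords appear in startup-config")
    return findings
```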