IPv6 Command Reference, Cisco IOS XE Release 3SE (Catalyst 3850 Switches)
ipv6-a1
Downloads: This chapterpdf (PDF - 679.0KB) The complete bookPDF (PDF - 2.09MB) | Feedback

ipv6-a1

ipv6-a1

allow

To limit the number of multicast router advertisements (RAs) per device per throttle period in an RA throttler policy, use the allow command in IPv6 RA throttle policy configuration mode. To reset the command to its defaults, use the no form of this command.

allow { at-least | { al-value | no-limit } } | { at-most | { am-value | no-limit } } | { inherited }

Syntax Description

at-least

The minimum number of multicast RAs accepted from the device before throttling occurs.

al-value

At-least value.

  • An integer from 0 through 32.
no-limit

No RA throttling will occur.

at-most

The maximum number of multicast RAs accepted from the device before throttling occurs.

am-value

At-most value.

  • An integer from 0 through 256.
inherited

The setting between target policies is inherited, or coalesced.

Command Default

The at-least value is 1.

The at-most value is 1.

Command Modes

IPv6 RA throttle policy configuration mode (config-nd-ra-throttle)

Command History

Release Modification

Cisco IOS XE Release 3.2SE

This command was introduced.

Usage Guidelines

The allow at-least and allow at-most command settings applied at the VLAN level provide the defaults for all devices on the VLAN. If the device that issued the RA has not yet sent the number of RAs configured by the allow at-least command setting, then the RA is multicast to all hosts. If the device that issued the RA has sent the number of RAs configured by the allow at-most command setting, then the RA is throttled; that is, the RA is multicast to all wired hosts and to wireless hosts with pending router solicitations (RSs).

If your deployment has the same setting for the allow at-least and allow at-most values for all devices on all ports, then you only need to apply the policy on the relevant VLAN or VLANs. If some of the wired ports in the deployment are connection wireless access points, then a policy with only the medium type configured needs to be applied on those specific ports.

Examples

Example

Device(config)# ipv6 nd ra-throttle policy policy1
Device(config-nd-ra-throttle)# allow at-least 2 at-most 2

clear bgp ipv6

To reset IPv6 Border Gateway Protocol (BGP) sessions, use the clear bgp ipv6command in privileged EXEC mode.

(explicit id )

Syntax Description

unicast

Specifies IPv6 unicast address prefixes.

multicast

Specifies IPv6 multicast address prefixes.

*

Resets all current BGP sessions.

autonomous-system-number

Resets BGP sessions for BGP neighbors within the specified autonomous system.

ip-address

Resets the TCP connection to the specified IPv4 BGP neighbor and removes all routes learned from the connection from the BGP table.

ipv6-address

Resets the TCP connection to the specified IPv6 BGP neighbor and removes all routes learned from the connection from the BGP table.

This argument must be in the form documented in RFC 2373 where the address is specified in hexadecimal using 16-bit values between colons.

peer-group-name

Resets the TCP connection to the specified IPv6 BGP neighbor and removes all routes learned from the connection from the BGP table.

soft

(Optional) Soft reset. Does not reset the session.

in out

(Optional) Triggers inbound or outbound soft reconfiguration. If the in or out option is not specified, both inbound and outbound soft resets are triggered.

Command Default

No reset is initiated.

Command Modes


Privileged EXEC

Command History

Release

Modification

12.2(2)T

This command was introduced.

12.0(21)ST

This command was integrated into Cisco IOS Release 12.0(21)ST.

12.0(22)S

This command was integrated into Cisco IOS Release 12.0(22)S.

12.2(14)S

This command was integrated into Cisco IOS Release 12.2(14)S.

12.3(2)T

The unicast keyword was added to Cisco IOS Release 12.3(2)T.

12.0(26)S

The unicast and multicast keywords were added to Cisco IOS Release 12.0(26)S.

12.3(4)T

The multicastkeyword was added to Cisco IOS Release 12.3(4)T.

12.2(25)S

The multicastkeyword was added to Cisco IOS Release 12.2(25)S.

12.2(28)SB

This command was integrated into Cisco IOS Release 12.2(28)SB.

12.2(25)SG

This command was integrated into Cisco IOS Release 12.2(25)SG.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

Cisco IOS XE Release 2.1

This command was introduced on Cisco ASR 1000 Series Routers.

12.2(33)SXI

This command was integrated into Cisco IOS Release 12.2(33)SXI.

Cisco IOS XE Release 3.2SE

This command was integrated into Cisco IOS XE Release 3.2SE.

Usage Guidelines

The clear bgp ipv6command is similar to the clear ip bgpcommand, except that it is IPv6-specific.

Use of the clear bgp ipv6 command allows a reset of the neighbor sessions with varying degrees of severity depending on the specified keywords and arguments.

Use the clear bgp ipv6 unicast command to drop neighbor sessions with IPv6 unicast address prefixes.

The unicast keyword is available in Cisco IOS Release 12.3(2)T and later releases. It is not available in releases prior to 12.3(2)T. Use of the unicast keyword is mandatory starting with Cisco IOS Release 12.3(2)T.

The multicastkeyword is available in Cisco IOS Release 12.0(26)S and later releases. It is not available in releases prior to 12.0(26)S. Use of either the unicast or multicast keyword is mandatory starting with Cisco IOS Release 12.0(26)S.

Use the clear bgp ipv6 *command to drop all neighbor sessions. The Cisco IOS software will then reset the neighbor connections. Use this form of the command in the following situations:

  • BGP timer specification change
  • BGP administrative distance changes

Use t he clear bgp ipv6 soft out or the clear bgp ipv6 unicast soft outcommand to drop only the outbound neighbor connections. Inbound neighbor sessions will not be reset. Use this form of the command in the following situations:

  • BGP-related access lists change or get additions
  • BGP-related weights change
  • BGP-related distribution lists change
  • BGP-related route maps change

Use the clear bgp ipv6 soft inor the clear bgp ipv6 unicast soft incommand to drop only the inbound neighbor connections. Outbound neighbor sessions will not be reset. To reset inbound routing table updates dynamically for a neighbor, you must configure the neighbor to support the router refresh capability. To determine whether a BGP neighbor supports this capability, use the show bgp ipv6 neighbors or the show bgp ipv6 unicast neighborscommand. If a neighbor supports the route refresh capability, the following message is displayed:

Received route refresh capability from peer.

If all BGP networking devices support the route refresh capability, use the clear bgp ipv6 {*| ip-address| ipv6-address| peer-group-name} in or the clear bgp ipv6 unicast{*| ip-address| ipv6-address| peer-group-name} incommand. Use of the soft keyword is not required when the route refresh capability is supported by all BGP networking devices, because the software automatically performs a soft reset.

Use this form of the command in the following situations:

  • BGP-related access lists change or get additions
  • BGP-related weights change
  • BGP-related distribution lists change
  • BGP-related route maps change

Examples

The following example clears the inbound session with the neighbor 7000::2 without the outbound session being reset:

Router# clear bgp ipv6 unicast 7000::2 soft in

The following example uses the unicast keyword and clears the inbound session with the neighbor 7000::2 without the outbound session being reset:

Router# clear bgp ipv6 unicast 7000::2 soft in

The following example clears the outbound session with the peer group named marketing without the inbound session being reset:

Router# clear bgp ipv6 unicast marketing soft out

The following example uses the unicast keyword and clears the outbound session with the peer group named peer-group marketing without the inbound session being reset:

Router# clear bgp ipv6 unicast peer-group marketing soft out

Related Commands

Command

Description

show bgp ipv6

Displays entries in the IPv6 BGP routing table.

clear ipv6 mtu

To clear the maximum transmission unit (MTU) cache of messages, use the clear ipv6 mtucommand in privileged EXEC mode.

clear ipv6 mtu

Syntax Description

This command has no arguments or keywords.

Command Default

Messages are not cleared from the MTU cache.

Command Modes


Privileged EXEC (#)

Command History

Release

Modification

Cisco IOS XE Release 2.6

This command was introduced.

Cisco IOS XE Release 3.2SE

This command was integrated into Cisco IOS XE Release 3.2SE.

Usage Guidelines

If a router is flooded with ICMPv6 toobig messages, the router is forced to create an unlimited number of entries in the MTU cache until all available memory is consumed. Use the clear ipv6 mtu command to clear messages from the MTU cache.

Examples

The following example clears the MTU cache of messages:

Router# clear ipv6 mtu

Related Commands

Command

Description

ipv6 flowset

Configures flow-label marking in 1280-byte or larger packets sent by the router.

default-metric (OSPFv3)

To set default metric values for IPv4 and IPv6 routes redistributed into the Open Shortest Path First version 3 (OSPF) routing protocol, use the default-metric command in OSPFv3 router configuration mode, IPv6 address family configuration mode, or IPv4 address family configuration mode. To return to the default state, use the no form of this command.

default-metric metric-value

no default-metric metric-value

Syntax Description

metric-value

Default metric value appropriate for the specified routing protocol. The range is from 1 to 4294967295.

Command Default

Built-in, automatic metric translations, as appropriate for each routing protocol.

Command Modes


OSPFv3 router configuration mode (config-router)

IPv6 address family configuration (config-router-af)

IPv4 address family configuration (config-router-af)

Command History

Release

Modification

12.2(15)T

This command was introduced.

12.2(28)SB

This command was integrated into Cisco IOS Release 12.2(28)SB.

15.1(3)S

This command was modified. The feature can be enabled in an IPv4 or IPv6 OSPFv3 process.

Cisco IOS XE Release 3.4S

This command was modified. The feature can be enabled in an IPv4 or IPv6 OSPFv3 process.

15.2(1)T

This command was modified. The feature can be enabled in an IPv4 or IPv6 OSPFv3 process.

15.1(1)SY

This command was integrated into Cisco IOS Release 15.1(1)SY.

Cisco IOS XE Release 3.2SE

This command was integrated into Cisco IOS XE Release 3.2SE.

Usage Guidelines

The default-metric command is used in conjunction with the redistribute router configuration command to cause the current routing protocol to use the same metric value for all redistributed routes. A default metric helps solve the problem of redistributing routes with incompatible metrics. Whenever metrics do not convert, using a default metric provides a reasonable substitute and enables the redistribution to proceed.

You can gain finer control over the metrics of redistributed routes by using the options for the redistribute command.

Examples

The following example shows how to enter IPv6 AF and configure OSPFv3 routing protocol redistributing routes from the OSPFv3 process named process1. All the redistributed routes are advertised with a metric of 10.

router ospfv3 100 
 address-family ipv6 unicast
 default-metric 10
 redistribute ospfv3 process1

The following example shows an OSPFv3 routing protocol redistributing routes from the OSPFv3 process named process1. All the redistributed routes are advertised with a metric of 10.

ipv6 router ospf 100
 default-metric 10
 redistribute ospfv3 process1

Related Commands

Command

Description

redistribute (OSPFv3)

Redistributes IPv6 routes from one routing domain into another routing domain.

router ospfv3

Enables OSPFv3 router configuration mode for the IPv4 or IPv6 address family.

deny (IPv6)

To set deny conditions for an IPv6 access list, use the deny command in IPv6 access list configuration mode. To remove the deny conditions, use the no form of this command.

deny protocol { source-ipv6-prefix/prefix-length | any | host source-ipv6-address | auth } [ operator [port-number] ] { destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address | auth } [ operator [port-number] ] [ dest-option-type [ doh-number | doh-type ] ] [ dscp value ] [ flow-label value ] [fragments] [hbh] [log] [log-input] [mobility] [ mobility-type [ mh-number | mh-type ] ] [routing] [ routing-type routing-number ] [ sequence value ] [ time-range name ] [undetermined-transport]

no deny protocol { source-ipv6-prefix/prefix-length | any | host source-ipv6-address | auth } [ operator [port-number] ] { destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address | auth } [ operator [port-number] ] [ dest-option-type [ doh-number | doh-type ] ] [ dscp value ] [ flow-label value ] [fragments] [hbh] [log] [log-input] [mobility] [ mobility-type [ mh-number | mh-type ] ] [routing] [ routing-type routing-number ] [ sequence value ] [ time-range name ] [undetermined-transport]

Internet Control Message Protocol

deny icmp { source-ipv6-prefix/prefix-length | any | host source-ipv6-address | auth } [ operator [port-number] ] { destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address | auth } [ operator [port-number] ] [ icmp-type [icmp-code] | icmp-message ] [ dest-option-type [ doh-number | doh-type ] ] [ dscp value ] [ flow-label value ] [fragments] [hbh] [log] [log-input] [mobility] [ mobility-type [ mh-number | mh-type ] ] [routing] [ routing-type routing-number ] [ sequence value ] [ time-range name ]

Transmission Control Protocol

deny tcp { source-ipv6-prefix/prefix-length | any | host source-ipv6-address | auth } [ operator [port-number] ] { destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address | auth } [ operator [port-number] ] [ack] [ dest-option-type [ doh-number | doh-type ] ] [ dscp value ] [established] [fin] [ flow-label value ] [fragments] [hbh] [log] [log-input] [mobility] [ mobility-type [ mh-number | mh-type ] ] [ neq { port | protocol } ] [psh] [ range { port | protocol } ] [routing] [ routing-type routing-number ] [rst] [ sequence value ] [syn] [ time-range name ] [urg]

User Datagram Protocol

deny udp { source-ipv6-prefix/prefix-length | any | host source-ipv6-address | auth } [ operator [port-number] ] { destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address | auth } [ operator [port-number] ] [ dest-option-type [ doh-number | doh-type ] ] [ dscp value ] [ flow-label value ] [fragments] [hbh] [log] [log-input] [mobility] [ mobility-type [ mh-number | mh-type ] ] [ neq { port | protocol } ] [ range { port | protocol } ] [routing] [ routing-type routing-number ] [ sequence value ] [ time-range name ]

Syntax Description

protocol

Name or number of an Internet protocol. It can be one of the keywords ahp, esp, icmp, ipv6, pcp, sctp, tcp, udp, or hbh, or an integer in the range from 0 to 255 representing an IPv6 protocol number.

source-ipv6-prefix/prefix-length

The source IPv6 network or class of networks about which to set deny conditions.

This argument must be in the form documented in RFC 2373 where the address is specified in hexadecimal using 16-bit values between colons.

any

An abbreviation for the IPv6 prefix ::/0.

host source-ipv6-address

The source IPv6 host address about which to set deny conditions.

This source-ipv6-address argument must be in the form documented in RFC 2373 where the address is specified in hexadecimal using 16-bit values between colons.

operator [port-number]

(Optional) Specifies an operand that compares the source or destination ports of the specified protocol. Operands are lt (less than), gt (greater than), eq (equal), neq (not equal), and range (inclusive range).

If the operator is positioned after the source-ipv6-prefix/prefix-length argument, it must match the source port.

If the operator is positioned after the destination-ipv6/prefix-length argument, it must match the destination port.

The range operator requires two port numbers. All other operators require one port number.

The optional port-number argument is a decimal number or the name of a TCP or UDP port. A port number is a number from 0 to 65535. TCP port names can be used only when filtering TCP. UDP port names can be used only when filtering UDP.

destination-ipv6-prefix/prefix-length

The destination IPv6 network or class of networks about which to set deny conditions.

This argument must be in the form documented in RFC 2373 where the address is specified in hexadecimal using 16-bit values between colons.

host destination-ipv6-address

The destination IPv6 host address about which to set deny conditions.

This destination-ipv6-address argument must be in the form documented in RFC 2373 where the address is specified in hexadecimal using 16-bit values between colons.

auth

Allows matching traffic against the presence of the authentication header in combination with any protocol.

dest-option-type

(Optional) Matches IPv6 packets against the hop-by-hop option extension header within each IPv6 packet header.

doh-number

(Optional) Integer in the range from 0 to 255 representing an IPv6 destination option extension header.

doh-type

(Optional) Destination option header types. The possible destination option header type and its corresponding doh-number value are home-address—201.

dscp value

(Optional) Matches a differentiated services code point value against the traffic class value in the Traffic Class field of each IPv6 packet header. The acceptable range is from 0 to 63.

flow-label value

(Optional) Matches a flow label value against the flow label value in the Flow Label field of each IPv6 packet header. The acceptable range is from 0 to 1048575.

fragments

(Optional) Matches non-initial fragmented packets where the fragment extension header contains a non-zero fragment offset. The fragments keyword is an option only if the operator [port-number] arguments are not specified.

hbh

(Optional) Specifies a hop-by-hop options header.

log

(Optional) Causes an informational logging message about the packet that matches the entry to be sent to the console. (The level of messages logged to the console is controlled by the logging console command.)

The message includes the access list name and sequence number, whether the packet was denied; the protocol, whether it was TCP, UDP, ICMP, or a number; and, if appropriate, the source and destination addresses and source and destination port numbers. The message is generated for the first packet that matches, and then at 5-minute intervals, including the number of packets denied in the prior 5-minute interval.

log-input

(Optional) Provides the same function as the log keyword, except that the logging message also includes the input interface.

mobility

(Optional) Extension header type. Allows matching of any IPv6 packet including a mobility header, regardless of the value of the mobility-header-type field within that header.

mobility-type

(Optional) Mobility header type. Either the mh-number or mh-type argument must be used with this keyword.

mh-number

(Optional) Integer in the range from 0 to 255 representing an IPv6 mobility header type.

mh-type

(Optional) Name of a mobility header type. Possible mobility header types and their corresponding mh-number value are as follows:

  • 0—bind-refresh
  • 1—hoti
  • 2—coti
  • 3—hot
  • 4—cot
  • 5—bind-update
  • 6—bind-acknowledgment
  • 7—bind-error

routing

(Optional) Matches source-routed packets against the routing extension header within each IPv6 packet header.

routing-type

(Optional) Allows routing headers with a value in the type field to be matched independently. The routing-number argument must be used with this keyword.

routing-number

Integer in the range from 0 to 255 representing an IPv6 routing header type. Possible routing header types and their corresponding routing-number value are as follows:

  • 0—Standard IPv6 routing header
  • 2—Mobile IPv6 routing header

sequence value

(Optional) Specifies the sequence number for the access list statement. The acceptable range is from 1 to 4294967295.

time-range name

(Optional) Specifies the time range that applies to the deny statement. The name of the time range and its restrictions are specified by the time-range and absolute or periodic commands, respectively.

undetermined-transport

(Optional) Matches packets from a source for which the Layer 4 protocol cannot be determined. The undetermined-transport keyword is an option only if the operator [port-number] arguments are not specified.

icmp-type

(Optional) Specifies an ICMP message type for filtering ICMP packets. ICMP packets can be filtered by ICMP message type. The ICMP message type can be a number from 0 to 255, some of which include the following predefined strings and their corresponding numeric values:

  • 144—dhaad-request
  • 145—dhaad-reply
  • 146—mpd-solicitation
  • 147—mpd-advertisement

icmp-code

(Optional) Specifies an ICMP message code for filtering ICMP packets. ICMP packets that are filtered by ICMP message type can also be filtered by the ICMP message code. The code is a number from 0 to 255.

icmp-message

(Optional) Specifies an ICMP message name for filtering ICMP packets. ICMP packets can be filtered by an ICMP message name or ICMP message type and code. The possible names are listed in the “Usage Guidelines” section.

ack

(Optional) For the TCP protocol only: acknowledgment (ACK) bit set.

established

(Optional) For the TCP protocol only: Indicates an established connection. A match occurs if the TCP datagram has the ACK or RST bits set. The nonmatching case is that of the initial TCP datagram to form a connection.

fin

(Optional) For the TCP protocol only: Fin bit set; no more data from sender.

neq {port | protocol}

(Optional) Matches only packets that are not on a given port number.

psh

(Optional) For the TCP protocol only: Push function bit set.

range {port | protocol}

(Optional) Matches only packets in the range of port numbers.

rst

(Optional) For the TCP protocol only: Reset bit set.

syn

(Optional) For the TCP protocol only: Synchronize bit set.

urg

(Optional) For the TCP protocol only: Urgent pointer bit set.

Command Default

No IPv6 access list is defined.

Command Modes


IPv6 access list configuration (config-ipv6-acl)#

Command History

Release

Modification

12.0(23)S

This command was introduced.

12.2(13)T

This command was integrated into Cisco IOS Release 12.2(13)T.

12.2(14)S

This command was integrated into Cisco IOS Release 12.2(14)S.

12.4(2)T

The icmp-type argument was enhanced. The dest-option-type, mobility, mobility-type, and routing-type keywords were added. The doh-number, doh-type, mh-number, mh-type, and routing-number arguments were added.

12.2(28)SB

This command was integrated into Cisco IOS Release 12.2(28)SB.

12.2(25)SG

This command was integrated into Cisco IOS Release 12.2(25)SG.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2(33)SXH

This command was integrated into Cisco IOS Release 12.2(33)SXH.

Cisco IOS XE Release 2.1

This command was introduced on Cisco ASR 1000 Aggregation Series Routers.

12.4(20)T

The auth keyword was added.

12.2(33)SRE

This command was integrated into Cisco IOS Release 12.2(33)SRE.

15.2(3)T

This command was modified. Support was added for the hbh keyword.

15.1(1)SY

This command was integrated into Cisco IOS Release 15.1(1)SY.

Cisco IOS XE Release 3.2SE

This command was integrated into Cisco IOS XE Release 3.2SE.

Usage Guidelines

The deny (IPv6) command is similar to the deny (IP) command, except that it is IPv6-specific.

Use the deny (IPv6) command following the ipv6 access-list command to define the conditions under which a packet passes the access list or to define the access list as a reflexive access list.

Specifying IPv6 for the protocol argument matches against the IPv6 header of the packet.

By 1default, the first statement in an access list is number 10, and the subsequent statements are numbered in increments of 10.

You can add permit, deny, remark, or evaluate statements to an existing access list without retyping the entire list. To add a new statement anywhere other than at the end of the list, create a new statement with an appropriate entry number that falls between two existing entry numbers to indicate where it belongs.

In Cisco IOS Release 12.2(2)T or later releases, 12.0(21)ST, and 12.0(22)S, IPv6 access control lists (ACLs) are defined and their deny and permit conditions are set by using the ipv6 access-list command with the deny and permit keywords in global configuration mode. In Cisco IOS Release 12.0(23)S or later releases, IPv6 ACLs are defined by using the ipv6 access-list command in global configuration mode and their permit and deny conditions are set by using the deny and permit commands in IPv6 access list configuration mode. Refer to the ipv6 access-list command for more information on defining IPv6 ACLs.


Note


In Cisco IOS Release 12.0(23)S or later releases, every IPv6 ACL has implicit permit icmp any any nd-na, permit icmp any any nd-ns, and deny ipv6 any any statements as its last match conditions. (The former two match conditions allow for ICMPv6 neighbor discovery.) An IPv6 ACL must contain at least one entry for the implicit deny ipv6 any any statement to take effect. The IPv6 neighbor discovery process makes use of the IPv6 network layer service; therefore, by default, IPv6 ACLs implicitly allow IPv6 neighbor discovery packets to be sent and received on an interface. In IPv4, the Address Resolution Protocol (ARP), which is equivalent to the IPv6 neighbor discovery process, makes use of a separate data link layer protocol; therefore, by default, IPv4 ACLs implicitly allow ARP packets to be sent and received on an interface.


Both the source-ipv6-prefix/prefix-length and destination-ipv6-prefix/prefix-length arguments are used for traffic filtering (the source prefix filters traffic based upon the traffic source; the destination prefix filters traffic based upon the traffic destination).


Note


IPv6 prefix lists, not access lists, should be used for filtering routing protocol prefixes.


The fragments keyword is an option only if the operator [port-number] arguments are not specified.

The undetermined-transport keyword is an option only if the operator [port-number] arguments are not specified.

The following is a list of ICMP message names:

  • beyond-scope
  • destination-unreachable
  • echo-reply
  • echo-request
  • header
  • hop-limit
  • mld-query
  • mld-reduction
  • mld-report
  • nd-na
  • nd-ns
  • next-header
  • no-admin
  • no-route
  • packet-too-big
  • parameter-option
  • parameter-problem
  • port-unreachable
  • reassembly-timeout
  • renum-command
  • renum-result
  • renum-seq-number
  • router-advertisement
  • router-renumbering
  • router-solicitation
  • time-exceeded
  • unreachable

Examples

The following example configures the IPv6 access list named toCISCO and applies the access list to outbound traffic on Ethernet interface 0. Specifically, the first deny entry in the list keeps all packets that have a destination TCP port number greater than 5000 from exiting out of Ethernet interface 0. The second deny entry in the list keeps all packets that have a source UDP port number less than 5000 from exiting out of Ethernet interface 0. The second deny also logs all matches to the console. The first permit entry in the list permits all ICMP packets to exit out of Ethernet interface 0. The second permit entry in the list permits all other traffic to exit out of Ethernet interface 0. The second permit entry is necessary because an implicit deny all condition is at the end of each IPv6 access list.

ipv6 access-list toCISCO
 deny tcp any any gt 5000
 deny ::/0 lt 5000 ::/0 log
 permit icmp any any
 permit any any
interface ethernet 0
 ipv6 traffic-filter toCISCO out

The following example shows how to allow TCP or UDP parsing although an IPsec AH is present:

IPv6 access list example1 
    deny tcp host 2001::1 any log sequence 5 
    permit tcp any any auth sequence 10 
    permit udp any any auth sequence 20 

Related Commands

Command

Description

ipv6 access-list

Defines an IPv6 access list and enters IPv6 access list configuration mode.

ipv6 traffic-filter

Filters incoming or outgoing IPv6 traffic on an interface.

permit (IPv6)

Sets permit conditions for an IPv6 access list.

show ipv6 access-list

Displays the contents of all current IPv6 access lists.

destination-glean

To enable IPv6 first-hop security binding table recovery using destination address gleaning, or to generate syslog messages about unrecognized binding table entries following a recovery, use the destination-glean command in IPv6 snooping configuration mode. To disable binding table recovery, use the no form of this command.

destination-glean { recovery | log-only } [ dhcp ]

no destination-glean

Syntax Description

recovery

Enables binding table recovery using destination address gleaning.

log-only

Generates a syslog message about unrecognized binding table entries following a recovery.

dhcp

Specifies that destination addresses should be recovered from Dynamic Host Configuration Protocol (DHCP).

Command Default

IPv6 first-hop security binding table recovery using destination address gleaning is not enabled.

Command Modes

IPv6 snooping configuration mode (config-ipv6-snooping)

Command History

Release

Modification

15.2(4)S

This command was introduced.

Cisco IOS XE Release 3.2SE

This command was integrated into Cisco IOS XE Release 3.2SE.

Usage Guidelines

When you configure IPv6 destination guard using the ipv6 destination-guard policy command, you can then also configure IPv6 first-hop security binding table recovery.

The ipv6 snooping policy command allows you to configure a snooping policy. You can configure first-hop security binding table recovery as part of this policy. The snooping policy should then be attached to a port or VLAN using the ipv6 snooping attach-policy command.

If you use the destination-glean command with the log-only keyword, only a syslog message will be generated and no recovery will be attempted.

Examples

The following example shows that destination addresses should be recovered from DHCP:

Device(config-ipv6-snooping)# destination-glean recovery dhcp

The following example shows that a syslog message will be generated for all missed destination addresses following a binding table recovery:

Device(config-ipv6-snooping)# destination-glean log-only

Related Commands

Command

Description

ipv6 destination-guard policy

Configures an IPv6 destination guard policy.

ipv6 snooping policy

Enters IPv6 snooping configuration mode.

device-role

To specify the role of the device attached to the port, use the device-role command in neighbor discovery (ND) inspection policy configuration mode or router advertisement (RA) guard policy configuration mode.

device-role { host | monitor | router }

Syntax Description

host

Sets the role of the device to host.

monitor

Sets the role of the device to monitor.

router

Sets the role of the device to router.

Command Default

The device role is host.

Command Modes


ND inspection policy configuration (config-nd-inspection)

RA guard policy configuration (config-ra-guard)

Command History

Release

Modification

12.2(50)SY

This command was introduced.

15.2(4)S

This command was integrated into Cisco IOS Release 15.2(4)S.

15.0(2)SE

This command was integrated into Cisco IOS Release 15.0(2)SE.

Cisco IOS XE Release 3.2SE

This command was integrated into Cisco IOS XE Release 3.2SE.

Usage Guidelines

The device-role command specifies the role of the device attached to the port. By default, the device role is host, and therefore all the inbound router advertisement and redirect messages are blocked. If the device role is enabled using the router keyword, all messages (router solicitation [RS], router advertisement [RA], or redirect) are allowed on this port.

When the router or monitor keyword is used, the multicast RS messages are bridged on the port, regardless of whether limited broadcast is enabled. However, the monitor keyword does not allow inbound RA or redirect messages. When the monitor keyword is used, devices that need these messages will receive them.


Note


With the introduction of Cisco IOS Release 15.2(4)S1, the trusted port has precedence over the device role for accepting RAs over a port to the router. Prior to this release, the device role router had precedence over the trusted port. The device role of the router still needs to be configured in order for the RS to be sent over the port.


Examples

The following example defines a Neighbor Discovery Protocol (NDP) policy name as policy1, places the device in ND inspection policy configuration mode, and configures the device as the host:

Router(config)# ipv6 nd inspection policy policy1
Router(config-nd-inspection)# device-role host

The following example defines an RA guard policy name as raguard1, places the device in RA guard policy configuration mode, and configures the device as the host:

Router(config)# ipv6 nd raguard policy raguard1
Router(config-ra-guard)# device-role host

Related Commands

Command

Description

ipv6 nd inspection policy

Defines the ND inspection policy name and enters ND inspection policy configuration mode.

ipv6 nd raguard policy

Defines the RA guard policy name and enters RA guard policy configuration mode.

drop-unsecure

To drop messages with no or invalid options or an invalid signature, use the drop-unsecurecommand in neighbor discovery ( ND) inspection policy configuration mode or or router advertisement (RA) guard policy configuration mode. To disable this function, use the no form of this command.

drop-unsecure

no drop-unsecure

Syntax Description

This command has no arguments or keywords.

Command Default

No ND inspection policies are configured.

Command Modes


ND inspection policy configuration (config-nd-inspection)

RA guard policy configuration (config-ra-guard)

Command History

Release

Modification

12.2(50)SY

This command was introduced.

15.0(2)SE

This command was integrated into Cisco IOS Release 15.0(2)SE.

Cisco IOS XE Release 3.2SE

This command was integrated into Cisco IOS XE Release 3.2SE.

Usage Guidelines

The drop-unsecure command drops messages with no or invalid Cryptographically Generated Address (CGA) options or Rivest, Shamir, and Adleman (RSA) signature as per RFC 3971, Secure Discovery (SeND). However, note that messages with an RSA signature or CGA options that do not conform with or are not verified per RFC 3972, Cryptographically Generated Addresses (CGA), are dropped.

Use the drop-unsecure command after enabling ND inspection policy configuration mode using the ipv6 nd inspection policy command.

Examples

The following example defines an ND policy name as policy1, places the router in ND inspection policy configuration mode, and enables the router to drop messages with invalid CGA options or an invalid RSA signature:

Router(config)# ipv6 nd-inspection policy policy1
Router(config-nd-inspection)# drop-unsecure

Related Commands

Command

Description

ipv6 nd inspection policy

Defines the ND inspection policy name and enters ND inspection policy configuration mode.

ipv6 nd raguard policy

Defines the RA guard policy name and enters RA guard policy configuration mode.

enforcement

To set the enforcement level of a destination guard policy, use the enforcement command in destination-guard configuration mode.

enforcement { always | stressed }

Syntax Description

always

Sets the enforcement level to always.

stressed

Sets the enforcement level to forced only when the system is under stress.

Command Default

The enforcement level of a destination guard policy is set to always.

Command Modes

Destination-guard configuration (config-destguard)

Command History

Release

Modification

15.2(4)S

This command was introduced.

Cisco IOS XE Release 3.2SE

This command was integrated into Cisco IOS XE Release 3.2SE.

Usage Guidelines

Depending on the network architecture, the sources of binding table information, and the degree of change in the system, the binding table may not always have complete information about the node membership of a VLAN. The enforcement level policy element means that systems with authoritative knowledge of the VLAN membership should set the enforcement level to always. Systems with less confidence, or those with a strong desire to avoid inadvertent packet loss, should set the enforcement level to stressed.

Examples

The following example shows how to set the enforcement level to always:

Device(config)# ipv6 destination-guard policy destination
Device(config-destguard)# enforcement always

Related Commands

Command

Description

ipv6 destination-guard policy

Defines the destination guard policy.

graceful-restart

To enable the Open Shortest Path First version 3 (OSPFv3) graceful restart feature on a graceful-restart-capable router, use the graceful-restartcommand in OSPF router configuration mode. To disable graceful restart, use the no form of this command.

graceful-restart [ restart-interval interval ]

no graceful-restart

Syntax Description

restart-interval interval

(Optional) Graceful-restart interval in seconds. The range is from 1 to 1800, and the default is 120.

Command Default

The GR feature is not enabled on GR-capable routers.

Command Modes


OSPFv3 router configuration mode (config-router)

Command History

Release

Modification

Cisco IOS XE Release 2.1

This command was introduced.

15.0(1)M

This command was integrated into Cisco IOS Release 12.5(1)M.

12.2(33)SRE

This command was modified. It was integrated into Cisco IOS Release 12.2(33)SRE.

12.2(33)XNE

This command was modified. It was integrated into Cisco IOS Release 12.2(33)XNE.

15.1(3)S

This command was modified. The feature can be enabled in an IPv4 or IPv6 OSPFv3 process.

Cisco IOS XE Release 3.4S

This command was modified. The feature can be enabled in an IPv4 or IPv6 OSPFv3 process.

15.2(1)T

This command was modified. The feature can be enabled in an IPv4 or IPv6 OSPFv3 process.

15.1(1)SY

This command was modified. The feature can be enabled in an IPv4 or IPv6 OSPFv3 process.

Cisco IOS XE Release 3.2SE

This command was integrated into Cisco IOS XE Release 3.2SE.

Usage Guidelines

The graceful-restart command can be enabled only on GR-capable routers.

Examples

The following examples enables graceful restart mode on a GR-capable router in IPv6 and IPv4:

Router(config)# ospfv3 router 1
Router(config-router)# graceful-restar

The following examples enables graceful restart mode on a GR-capable router in IPv6 only:

Router(config)# ipv6 router ospf 1234
Router(config-router)# graceful-restart

Related Commands

Command

Description

graceful-restart helper

Enables the OSPFv3 graceful restart feature on a GR-aware router.

router ospfv3

Enables OSPFv3 router configuration mode for the IPv4 or IPv6 address family.

 
      

hop-limit

To verify the advertised hop-count limit, use the hop-limit command in RA guard policy configuration mode.

hop-limit { maximum | minimum } limit

Syntax Description

maximum limit

Verifies that the hop-count limit is lower than that set by the limit argument.

minimum limit

Verifies that the hop-count limit is greater than that set by the limit argument.

Command Default

No hop-count limit is specified.

Command Modes


RA guard policy configuration
(config-ra-guard)

Command History

Release

Modification

12.2(50)SY

This command was introduced.

15.2(4)S

This command was integrated into Cisco IOS Release 15.2(4)S.

15.0(2)SE

This command was integrated into Cisco IOS Release 15.0(2)SE.

Cisco IOS XE Release 3.2SE

This command was integrated into Cisco IOS XE Release 3.2SE.

Usage Guidelines

The hop-limit command enables verification that the advertised hop-count limit is greater than or less than the value set by the limit argument. Configuring the minimum limit keyword and argument can prevent an attacker from setting a low hop-count limit value on the hosts to block them from generating traffic to remote destinations; that is, beyond their default router. If the advertised hop-count limit value is unspecified (which is the same as setting a value of 0), the packet is dropped.

Configuring the maximum limit keyword and argument enables verification that the advertised hop-count limit is lower than the value set by the limit argument. If the advertised hop-count limit value is unspecified (which is the same as setting a value of 0), the packet is dropped.

Examples

The following example shows how the command defines a router advertisement (RA) guard policy name as raguard1, places the router in RA guard policy configuration mode, and sets a minimum hop-count limit of 3:

Router(config)# ipv6 nd raguard policy raguard1
Router(config-ra-guard)# hop-limit minimum 3

Related Commands

Command

Description

ipv6 nd raguard policy

Defines the RA guard policy name and enters RA guard policy configuration mode.

interval-option

To adjust the IPv6 router advertisement (RA) interval in an RA throttler policy, use the interval-option command in IPv6 RA throttle policy configuration mode. To reset the command to its defaults, use the no form of this command.

interval-option { ignore | inherit | pass-through | throttle }

Syntax Description

ignore

Interval option has no influence on throttling.

inherit

Merges the setting between target policies.

pass-through

All RAs with the interval option will be forwarded.

throttle

All RAs with the interval option will be throttled.

Command Default

Pass-through

Command Modes

IPv6 RA throttle policy configuration mode (config-nd-ra-throttle)

Command History

Release Modification

Cisco IOS XE Release 3.2SE

This command was introduced.

Usage Guidelines

The interval-option command configures an interval option for an RA throttler policy. An interval option, as defined by RFC 6275, is used in RA messages to advertise the interval at which the sending device sends unsolicited multicast RAs.

Examples

Example

Device(config)# ipv6 nd ra-throttle policy policy1
Device(config-nd-ra-throttle)# interval-option inherit

ipv6 access-list

To define an IPv6 access list and to place the device in IPv6 access list configuration mode, use the ipv6 access-listcommand in global configuration mode. To remove the access list, use the no form of this command.

ipv6 access-list access-list-name

no ipv6 access-list access-list-name

Syntax Description

access-list-name

Name of the IPv6 access list. Names cannot contain a space or quotation mark, or begin with a numeric.

Command Default

No IPv6 access list is defined.

Command Modes


Global configuration

Command History

Release

Modification

12.2(2)T

This command was introduced.

12.0(21)ST

This command was integrated into Cisco IOS Release 12.0(21)ST.

12.0(22)S

This command was integrated into Cisco IOS Release 12.0(22)S.

12.0(23)S

Support for IPv6 address configuration mode and extended access list functionality (the filtering of traffic based on IPv6 option headers and optional, upper-layer protocol type information) was added. Additionally, the following keywords and arguments were moved from global configuration mode to IPv6 access list configuration mode: permit, deny, source-ipv6-prefix / prefix-length, any, destination-ipv6-prefix / prefix-length, priority. See the "Usage Guidelines" section for more details.

12.2(13)T

Support for IPv6 address configuration mode and extended access list functionality (the filtering of traffic based on IPv6 option headers and optional, upper-layer protocol type information) was added. Additionally, the following keywords and arguments were moved from global configuration mode to IPv6 access list configuration mode: permit, deny, source-ipv6-prefix / prefix-length, any, destination-ipv6-prefix / prefix-length, priority. See the "Usage Guidelines" section for more details.

12.2(14)S

This command was integrated into Cisco IOS Release 12.2(14)S.

12.2(28)SB

This command was integrated into Cisco IOS Release 12.2(28)SB.

12.2(25)SG

This command was integrated into Cisco IOS Release 12.2(25)SG.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2(33)SXH

Duplicate remark statements can no longer be configured from the IPv6 access control list.

Cisco IOS XE Release 2.1

This command was introduced on Cisco ASR 1000 series devices.

Cisco IOS XE Release 3.2SE

This command was integrated into Cisco IOS XE Release 3.2SE.

Usage Guidelines

The ipv6 access-listcommand is similar to the ip access-listcommand, except that it is IPv6-specific.

In Cisco IOS Release 12.2(2)T or later releases, 12.0(21)ST, and 12.0(22)S, standard IPv6 access control list (ACL) functionality is used for basic traffic filtering functions--traffic filtering is based on source and destination addresses, inbound and outbound to a specific interface, and with an implicit deny statement at the end of each access list (functionality similar to standard ACLs in IPv4). IPv6 ACLs are defined and their deny and permit conditions are set by using the ipv6 access-listcommand with the deny and permit keywords in global configuration mode.

In Cisco IOS Release 12.0(23)S or later releases, the standard IPv6 ACL functionality is extended to support--in addition to traffic filtering based on source and destination addresses--filtering of traffic based on IPv6 option headers and optional, upper-layer protocol type information for finer granularity of control (functionality similar to extended ACLs in IPv4). IPv6 ACLs are defined by using the ipv6 access-listcommand in global configuration mode and their permit and deny conditions are set by using the deny and permitcommands in IPv6 access list configuration mode. Configuring the ipv6 access-listcommand places the device in IPv6 access list configuration mode--the device prompt changes to Device(config-ipv6-acl)#. From IPv6 access list configuration mode, permit and deny conditions can be set for the defined IPv6 ACL.


Note


IPv6 ACLs are defined by a unique name (IPv6 does not support numbered ACLs). An IPv4 ACL and an IPv6 ACL cannot share the same name.


In Cisco IOS Release 12.0(23)S or later releases, and 12.2(11)S or later releases, for backward compatibility, the ipv6 access-listcommand with the deny and permit keywords in global configuration mode is still supported; however, an IPv6 ACL defined with deny and permit conditions in global configuration mode is translated to IPv6 access list configuration mode.

Refer to the deny (IPv6) and permit (IPv6) commands for more information on filtering IPv6 traffic based on IPv6 option headers and optional, upper-layer protocol type information. See the "Examples" section for an example of a translated IPv6 ACL configuration.


Note


In Cisco IOS Release 12.0(23)S or later releases, every IPv6 ACL has implicit permit icmp any any nd-na, permit icmp any any nd-ns, and deny ipv6 any any statements as its last match conditions. (The former two match conditions allow for ICMPv6 neighbor discovery.) An IPv6 ACL must contain at least one entry for the implicit deny ipv6 any any statement to take effect. The IPv6 neighbor discovery process makes use of the IPv6 network layer service; therefore, by default, IPv6 ACLs implicitly allow IPv6 neighbor discovery packets to be sent and received on an interface. In IPv4, the Address Resolution Protocol (ARP), which is equivalent to the IPv6 neighbor discovery process, makes use of a separate data link layer protocol; therefore, by default, IPv4 ACLs implicitly allow ARP packets to be sent and received on an interface.



Note


IPv6 prefix lists, not access lists, should be used for filtering routing protocol prefixes.


Use the ipv6 traffic-filter interface configuration command with the access-list-name argument to apply an IPv6 ACL to an IPv6 interface. Use the ipv6 access-class line configuration command with the access-list-name argument to apply an IPv6 ACL to incoming and outgoing IPv6 virtual terminal connections to and from the device.


Note


An IPv6 ACL applied to an interface with the ipv6 traffic-filter command filters traffic that is forwarded, not originated, by the device.



Note


When using this command to modify an ACL that is already associated with a bootstrap router (BSR) candidate rendezvous point (RP) (see the ipv6 pim bsr candidate rp command) or a static RP (see the ipv6 pim rp-address command), any added address ranges that overlap the PIM SSM group address range (FF3x::/96) are ignored. A warning message is generated and the overlapping address ranges are added to the ACL, but they have no effect on the operation of the configured BSR candidate RP or static RP commands.


In Cisco IOS Release 12.2(33)SXH and subsequent Cisco IOS SX releases, duplicate remark statements can no longer be configured from the IPv6 access control list. Because each remark statement is a separate entity, each one is required to be unique.

Examples

The following example is from a device running Cisco IOS Release 12.0(23)S or later releases. The example configures the IPv6 ACL list named list1 and places the device in IPv6 access list configuration mode.

Device(config)# ipv6 access-list list1
Device(config-ipv6-acl)#

The following example is from a device running Cisco IOS Release 12.2(2)T or later releases, 12.0(21)ST, or 12.0(22)S. The example configures the IPv6 ACL named list2 and applies the ACL to outbound traffic on Ethernet interface 0. Specifically, the first ACL entry keeps all packets from the network FEC0:0:0:2::/64 (packets that have the site-local prefix FEC0:0:0:2 as the first 64 bits of their source IPv6 address) from exiting out of Ethernet interface 0. The second entry in the ACL permits all other traffic to exit out of Ethernet interface 0. The second entry is necessary because an implicit deny all condition is at the end of each IPv6 ACL.

Device(config)# ipv6 access-list list2 deny FEC0:0:0:2::/64 any
Device(config)# ipv6 access-list list2 permit any any
Device(config)# interface ethernet 0
Device(config-if)# ipv6 traffic-filter list2 out

If the same configuration was entered on a device running Cisco IOS Release 12.0(23)S or later releases, the configuration would be translated into IPv6 access list configuration mode as follows:

ipv6 access-list list2 
  deny FEC0:0:0:2::/64 any
  permit ipv6 any any
interface ethernet 0
 ipv6 traffic-filter list2 out

Note


IPv6 is automatically configured as the protocol type in permit any any and deny any any statements that are translated from global configuration mode to IPv6 access list configuration mode.



Note


IPv6 ACLs defined on a device running Cisco IOS Release 12.2(2)T or later releases, 12.0(21)ST, or 12.0(22)S that rely on the implicit deny condition or specify a deny any any statement to filter traffic should contain permit statements for link-local and multicast addresses to avoid the filtering of protocol packets (for example, packets associated with the neighbor discovery protocol). Additionally, IPv6 ACLs that use deny statements to filter traffic should use a permit any any statement as the last statement in the list.



Note


An IPv6 device will not forward to another network an IPv6 packet that has a link-local address as either its source or destination address (and the source interface for the packet is different from the destination interface for the packet).


Related Commands

Command

Description

deny (IPv6)

Sets deny conditions for an IPv6 access list.

ipv6 access-class

Filters incoming and outgoing connections to and from the device based on an IPv6 access list.

ipv6 pim bsr candidate rp

Configures the candidate RP to send PIM RP advertisements to the BSR.

ipv6 pim rp-address

Configure the address of a PIM RP for a particular group range.

ipv6 traffic-filter

Filters incoming or outgoing IPv6 traffic on an interface.

permit (IPv6)

Sets permit conditions for an IPv6 access list.

show ipv6 access-list

Displays the contents of all current IPv6 access lists.

ipv6 address

To configure an IPv6 address based on an IPv6 general prefix and enable IPv6 processing on an interface, use the ipv6 addresscommand in interface configuration mode. To remove the address from the interface, use the no form of this command.

ipv6 address { ipv6-prefix/prefix-length | prefix-name sub-bits/prefix-length }

no ipv6 address { ipv6-address/prefix-length | prefix-name sub-bits/prefix-length }

Syntax Description

ipv6-address

The IPv6 address to be used.

/ prefix-length

The length of the IPv6 prefix. A decimal value that indicates how many of the high-order contiguous bits of the address comprise the prefix (the network portion of the address). A slash mark must precede the decimal value.

prefix-name

A general prefix, which specifies the leading bits of the network to be configured on the interface.

sub-bits

The subprefix bits and host bits of the address to be concatenated with the prefixes provided by the general prefix specified with the prefix-name argument.

The sub-bitsargument must be in the form documented in RFC 2373 where the address is specified in hexadecimal using 16-bit values between colons.

Command Default

No IPv6 addresses are defined for any interface.

Command Modes


Interface configuration

Command History

Release

Modification

12.2(2)T

This command was introduced.

12.2(28)SB

This command was integrated into Cisco IOS Release 12.2(28)SB.

12.2(25)SG

This command was integrated into Cisco IOS Release 12.2(25)SG.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2(33)SXH

This command was integrated into Cisco IOS Release 12.2(33)SXH.

Cisco IOS XE Release 2.1

This command was integrated into Cisco ASR 1000 Series devices.

15.2(4)S

This command was integrated into Cisco IOS Release 15.2(4)S.

15.2(2)SNG

This command was implemented on the Cisco ASR 901 Series Aggregation Services devices.

Cisco IOS XE Release 3.2SE

This command was integrated into Cisco IOS XE Release 3.2SE.

Usage Guidelines

The ipv6 address command allows multiple IPv6 addresses to be configured on an interface in various different ways, with varying options. The most common way is to specify the IPv6 address with the prefix length.

Addresses may also be defined using the general prefix mechanism, which separates the aggregated IPv6 prefix bits from the subprefix and host bits. In this case, the leading bits of the address are defined in a general prefix, which is globally configured or learned (for example, through use of Dynamic Host Configuration Protocol-Prefix Delegation (DHCP-PD)), and then applied using the prefix-name argument. The subprefix bits and host bits are defined using the sub-bits argument.

Using the no ipv6 address autoconfig command without arguments removes all IPv6 addresses from an interface.

IPv6 link-local addresses must be configured and IPv6 processing must be enabled on an interface by using the ipv6 address link-local command.

Examples

The following example shows how to enable IPv6 processing on the interface and configure an address based on the general prefix called my-prefix and the directly specified bits:

Device(config-if) ipv6 address my-prefix 0:0:0:7272::72/64

Assuming the general prefix named my-prefix has the value of 2001:DB8:2222::/48, then the interface would be configured with the global address 2001:DB8:2222:7272::72/64.

Related Commands

Command

Description

ipv6 address anycast

Configures an IPv6 anycast address and enables IPv6 processing on an interface.

ipv6 address eui-64

Configures an IPv6 address and enables IPv6 processing on an interface using an EUI-64 interface ID in the low-order 64 bits of the address.

ipv6 address link-local

Configures an IPv6 link-local address for an interface and enables IPv6 processing on the interface.

ipv6 unnumbered

Enables IPv6 processing on an interface without assigning an explicit IPv6 address to the interface.

no ipv6 address autoconfig

Removes all IPv6 addresses from an interface.

show ipv6 interface

Displays the usability status of interfaces configured for IPv6.

ipv6 address anycast

To configure an IPv6 anycast address and enable IPv6 processing on an interface, use the ipv6 address anycastcommand in interface configuration mode. To remove the address from the interface, use the no form of this command.

ipv6 address ipv6-prefix/prefix-length anycast

no ipv6 address [ ip6-prefix/prefix-length anycast ]

Syntax Description

ipv6-prefix

The IPv6 network assigned to the interface.

This argument must be in the form documented in RFC 2373 where the address is specified in hexadecimal using 16-bit values between colons.

/ prefix-length

The length of the IPv6 prefix. A decimal value that indicates how many of the high-order contiguous bits of the address comprise the prefix (the network portion of the address). A slash mark must precede the decimal value.

Command Default

No IPv6 addresses are defined for any interface.

Command Modes


Interface configuration (config-if)

Command History

Release

Modification

12.3(4)T

This command was introduced.

12.2(25)S

This command was integrated into Cisco IOS Release 12.2(25)S.

12.2(28)SB

This command was integrated into Cisco IOS Release 12.2(28)SB.

12.2(25)SG

This command was integrated into Cisco IOS Release 12.2(25)SG.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2(33)SXH

This command was integrated into Cisco IOS Release 12.2(33)SXH.

Cisco IOS XE Release 3.2SE

This command was integrated into Cisco IOS XE Release 3.2SE.

Usage Guidelines

Using the no ipv6 address command without arguments removes all manually configured IPv6 addresses from an interface.

Examples

The following example shows how to enable IPv6 processing on the interface, assign the prefix 2001:0DB8:1:1::/64 to the interface, and configure the IPv6 anycast address 2001:0DB8:1:1:FFFF:FFFF:FFFF:FFFE:

ipv6 address 2001:0DB8:1:1:FFFF:FFFF:FFFF:FFFE/64 anycast

Related Commands

Command

Description

ipv6 address eui-64

Configures an IPv6 address and enables IPv6 processing on an interface using an EUI-64 interface ID in the low-order 64 bits of the address.

ipv6 address link-local

Configures an IPv6 link-local address for an interface and enables IPv6 processing on the interface.

ipv6 unnumbered

Enables IPv6 processing on an interface without assigning an explicit IPv6 address to the interface.

show ipv6 interface

Displays the usability status of interfaces configured for IPv6.

ipv6 address autoconfig

To enable automatic configuration of IPv6 addresses using stateless autoconfiguration on an interface and enable IPv6 processing on the interface, use the ipv6 address autoconfig command in interface configuration mode. To remove the address from the interface, use the no form of this command.

ipv6 address autoconfig [default]

no ipv6 address autoconfig

Syntax Description

default

(Optional) If a default device is selected on this interface, the default keyword causes a default route to be installed using that default device.

The default keyword can be specified only on one interface.

Command Default

No IPv6 address is defined for the interface.

Command Modes


Interface configuration (config-if)

Command History

Release

Modification

12.2(13)T

This command was introduced.

12.2(33)SRE

This command was integrated into Cisco IOS Release 12.2(33)SRE.

Cisco IOS XE Release 2.5

This command was integrated into Cisco IOS XE Release 2.5.

12.2(33)XNE

This command was integrated into Cisco IOS Release 12.2(33)XNE.

15.1(2)SNG

This command was implemented on the Cisco ASR 901 Series Aggregation Services devices.

15.3(1)S

This command was integrated into Cisco IOS Release 15.3(1)S.

Cisco IOS XE Release 3.2SE

This command was integrated into Cisco IOS XE Release 3.2SE.

Usage Guidelines

The ipv6 address autoconfig command causes the device to perform IPv6 stateless address auto-configuration to discover prefixes on the link and then to add the EUI-64 based addresses to the interface. Addresses are configured depending on the prefixes received in Router Advertisement (RA) messages.

Using the no ipv6 address autoconfig command without arguments removes all IPv6 addresses from an interface.

Examples

The following example assigns the IPv6 address automatically:

Device(config)# interface ethernet 0
Device(config-if)# ipv6 address autoconfig 

Related Commands

Command

Description

ipv6 address eui-64

Configures an IPv6 address and enables IPv6 processing on an interface using an EUI-64 interface ID in the low-order 64 bits of the address.

ipv6 address link-local

Configures an IPv6 link-local address for an interface and enables IPv6 processing on the interface.

ipv6 unnumbered

Enables IPv6 processing on an interface without assigning an explicit IPv6 address to the interface.

show ipv6 interface

Displays the usability status of interfaces configured for IPv6.

ipv6 address dhcp

To acquire an IPv6 address on an interface from the Dynamic Host Configuration Protocol for IPv6 (DHCPv6) server, use the ipv6 address dhcp command in the interface configuration mode. To remove the address from the interface, use the no form of this command.

ipv6 address dhcp [rapid-commit]

no ipv6 address dhcp

Syntax Description

rapid-commit

(Optional) Allows the two-message exchange method for address assignment.

Command Default

No IPv6 addresses are acquired from the DHCPv6 server.

Command Modes


Interface configuration (config-if)

Command History

Release

Modification

12.4(24)T

This command was introduced.

12.2(33)SRE

This command was integrated into Cisco IOS Release 12.2(33)SRE.

Cisco IOS XE Release 3.2SE

This command was integrated into Cisco IOS XE Release 3.2SE.

Usage Guidelines

The ipv6 address dhcp interface configuration command allows any interface to dynamically learn its IPv6 address by using DHCP.

The rapid-commit keyword enables the use of the two-message exchange for address allocation and other configuration. If it is enabled, the client includes the rapid-commit option in a solicit message.

Examples

The following example shows how to acquire an IPv6 address and enable the rapid-commit option:

Router(config)# interface fastethernet 0/0
Router(config-if)# ipv6 address dhcp 
rapid-commit

You can verify your settings by using the show ipv6 dhcp interface command in privileged EXEC mode.

Related Commands

Command

Description

show ipv6 dhcp interface

Displays DHCPv6 interface information.

ipv6 address eui-64

To configure an IPv6 address for an interface and enables IPv6 processing on the interface using an EUI-64 interface ID in the low order 64 bits of the address, use the ipv6 address eui-64command in interface configuration mode. To remove the address from the interface, use the no form of this command.

ipv6 address ipv6-prefix/prefix-length eui-64

no ipv6 address [ ip v6-prefix/prefix-length eui-64 ]

Syntax Description

ipv6-prefix

The IPv6 network assigned to the interface.

This argument must be in the form documented in RFC 2373 where the address is specified in hexadecimal using 16-bit values between colons.

/ prefix-length

The length of the IPv6 prefix. A decimal value that indicates how many of the high-order contiguous bits of the address comprise the prefix (the network portion of the address). A slash mark must precede the decimal value.

Command Default

No IPv6 address is defined for the interface.

Command Modes


Interface configuration (config-if)

Command History

Release

Modification

12.2(2)T

This command was introduced.

12.0(21)ST

This command was integrated into Cisco IOS Release 12.0(21)ST.

12.0(22)S

This command was integrated into Cisco IOS Release 12.0(22)S.

12.2(14)S

This command was integrated into Cisco IOS Release 12.2(14)S.

12.2(28)SB

This command was integrated into Cisco IOS Release 12.2(28)SB.

12.2(25)SG

This command was integrated into Cisco IOS Release 12.2(25)SG.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2(33)SXH

This command was integrated into Cisco IOS Release 12.2(33)SXH.

Cisco IOS XE Release 2.1

This command was introduced on Cisco ASR 1000 Series Routers.

Cisco IOS XE Release 3.2SE

This command was integrated into Cisco IOS XE Release 3.2SE.

Usage Guidelines

If the value specified for the / prefix-length argument is greater than 64 bits, the prefix bits have precedence over the interface ID.

Using the no ipv6 address command without arguments removes all manually configured IPv6 addresses from an interface.

If the Cisco IOS software detects another host using one of its IPv6 addresses, it will display an error message on the console.

Examples

The following example assigns IPv6 address 2001:0DB8:0:1::/64 to Ethernet interface 0 and specifies an EUI-64 interface ID in the low order 64 bits of the address:

Router(config)# interface ethernet 0
Router(config-if)# ipv6 address 2001:0DB8:0:1::/64 eui-64

Related Commands

Command

Description

ipv6 address link-local

Configures an IPv6 link-local address for an interface and enables IPv6 processing on the interface.

ipv6 unnumbered

Enables IPv6 processing on an interface without assigning an explicit IPv6 address to the interface.

show ipv6 interface

Displays the usability status of interfaces configured for IPv6.

ipv6 address link-local

To configure an IPv6 link-local address for an interface and enable IPv6 processing on the interface, use the ipv6 address link-localcommand in interface configuration mode. To remove the address from the interface, use the no form of this command.

ipv6 address ipv6-address/prefix-length link-local [cga]

no ipv6 address [ ipv6-address/prefix-length link-local ]

Syntax Description

ipv6-address

The IPv6 address assigned to the interface.

This argument must be in the form documented in RFC 2373 where the address is specified in hexadecimal using 16-bit values between colons.

/ prefix-length

The length of the IPv6 prefix. A decimal value that indicates how many of the high-order contiguous bits of the address comprise the prefix (the network portion of the address). A slash mark must precede the decimal value.

link-local

Specifies a link-local address. The ipv6-address specified with this command overrides the link-local address that is automatically generated for the interface.

cga

(Optional) Specifies the CGA interface identifier.

Command Default

No IPv6 address is defined for the interface.

Command Modes


Interface configuration (config-if)

Command History

Release

Modification

12.2(2)T

This command was introduced.

12.0(21)ST

This command was integrated into Cisco IOS Release 12.0(21)ST.

12.0(22)S

This command was integrated into Cisco IOS Release 12.0(22)S.

12.2(14)S

This command was integrated into Cisco IOS Release 12.2(14)S.

12.2(28)SB

This command was integrated into Cisco IOS Release 12.2(28)SB.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2(33)SXH

This command was integrated into Cisco IOS Release 12.2(33)SXH.

Cisco IOS XE Release 2.1

This command was introduced on Cisco ASR 1000 Series Routers.

12.4(24)T

The cga keyword was added

Cisco IOS XE Release 3.2SE

This command was integrated into Cisco IOS XE Release 3.2SE.

Usage Guidelines

Using the no ipv6 address command without arguments removes all manually configured IPv6 addresses from an interface.

If the Cisco software detects another host using one of its IPv6 addresses, it will display an error message on the console.

The system automatically generates a link-local address for an interface when IPv6 processing is enabled on the interface, typically when an IPv6 address is configured on the interface. To manually specify a link-local address to be used by an interface, use the ipv6 address link-local command.

A double colon may be used as part of the ipv6-address argument when consecutive 16-bit values are denoted as zero. You can configure multiple IPv6 addresses per interfaces, but only one link-local address.

Examples

The following example assigns FE80::260:3EFF:FE11:6770 as the link-local address for Ethernet interface 0:

interface ethernet 0
 ipv6 address FE80::260:3EFF:FE11:6770 link-local

Related Commands

Command

Description

ipv6 address eui-64

Configures an IPv6 address and enables IPv6 processing on an interface using an EUI-64 interface ID in the low-order 64 bits of the address.

ipv6 unnumbered

Enables IPv6 processing on an interface without assigning an explicit IPv6 address to the interface.

show ipv6 interface

Displays the usability status of interfaces configured for IPv6.

ipv6 cef

To enable Cisco Express Forwarding for IPv6, use the ipv6 cef command in global configuration mode. To disable Cisco Express Forwarding for IPv6, use the no form of this command.

ipv6 cef

no ipv6 cef

Syntax Description

This command has no arguments or keywords.

Command Default

Cisco Express Forwarding for IPv6 is disabled by default.

Command Modes


Global configuration (config)

Command History

Release

Modification

12.0(22)S

This command was introduced.

12.2(13)T

This command was integrated into Cisco IOS Release 12.2(13)T.

12.2(14)S

This command was integrated into Cisco IOS Release 12.2(14)S.

12.2(28)SB

This command was integrated into Cisco IOS Release 12.2(28)SB.

12.2(25)SG

This command was integrated into Cisco IOS Release 12.2(25)SG.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2(33)SXH

This command was integrated into Cisco IOS Release 12.2(33)SXH.

Cisco IOS XE Release 2.1

This command was implemented on Cisco ASR 1000 Series Aggregation Services Routers.

Cisco IOS XE Release 3.2SE

This command was integrated into Cisco IOS XE Release 3.2SE.

Usage Guidelines

The ipv6 cef command is similar to the ip cef command, except that it is IPv6-specific.

The ipv6 cef command is not available on the Cisco 12000 series Internet routers because this distributed platform operates only in distributed Cisco Express Forwarding for IPv6 mode.


Note


The ipv6 cefcommand is not supported in interface configuration mode.



Note


Some distributed architecture platforms, such as the Cisco 7500 series routers, support both Cisco Express Forwarding for IPv6 and distributed Cisco Express Forwarding for IPv6. When Cisco Express Forwarding for IPv6 is configured on distributed platforms, Cisco Express Forwarding switching is performed by the Route Processor (RP).



Note


You must enable Cisco Express Forwarding for IPv4 by using the ip cef global configuration command before enabling Cisco Express Forwarding for IPv6 by using the ipv6 cef global configuration command.


Cisco Express Forwarding for IPv6 is advanced Layer 3 IP switching technology that functions the same and offer the same benefits as Cisco Express Forwarding for IPv4. Cisco Express Forwarding for IPv6 optimizes network performance and scalability for networks with dynamic, topologically dispersed traffic patterns, such as those associated with web-based applications and interactive sessions.

Examples

The following example enables standard Cisco Express Forwarding for IPv4 operation and then standard Cisco Express Forwarding for IPv6 operation globally on the router.

ip cef
ipv6 cef

Related Commands

Command

Description

ip route-cache

Controls the use of high-speed switching caches for IP routing.

ipv6 cef accounting

Enables Cisco Express Forwarding for IPv6 and distributed Cisco Express Forwarding for IPv6 network accounting.

ipv6 cef distributed

Enables distributed Cisco Express Forwarding for IPv6.

show cef

Displays which packets the line cards dropped or displays which packets were not express-forwarded.

show ipv6 cef

Displays entries in the IPv6 FIB.

ipv6 cef accounting

To enable Cisco Express Forwarding for IPv6 and distributed Cisco Express Forwarding for IPv6 network accounting, use the ipv6 cef accountingcommand in global configuration mode or interface configuration mode. To disable Cisco Express Forwarding for IPv6 network accounting, use the noform of this command.

ipv6 cef accounting accounting-types

no ipv6 cef accounting accounting-types

Specific Cisco Express Forwarding Accounting Information Through Interface Configuration Mode

ipv6 cef accounting non-recursive { external | internal }

no ipv6 cef accounting non-recursive { external | internal }

Syntax Description

accounting-types

The accounting-types argument must be replaced with at least one of the following keywords. Optionally, you can follow this keyword by any or all of the other keywords, but you can use each keyword only once.

  • load-balance-hash --Enables load balancing hash bucket counters.
  • non-recursive --Enables accounting through nonrecursive prefixes.
  • per-prefix --Enables express forwarding of the collection of the number of packets and bytes to a destination (or prefix).
  • prefix-length --Enables accounting through prefix length.

non-recursive

Enables accounting through nonrecursive prefixes.

This keyword is optional when used in global configuration mode after another keyword is entered. See the accounting-types argument.

external

Counts input traffic in the nonrecursive external bin.

internal

Counts input traffic in the nonrecursive internal bin.

Command Default

Cisco Express Forwarding for IPv6 network accounting is disabled by default.

Command Modes


Global configuration (config)
Interface configuration (config-if)

Command History

Release

Modification

12.0(22)S

This command was introduced.

12.2(13)T

This command was integrated into Cisco IOS Release 12.2(13)T.

12.2(14)S

This command was integrated into Cisco IOS Release 12.2(14)S.

12.2(25)S

The non-recursiveand load-balance-hashkeywords were added.

12.2(28)SB

This command was integrated into Cisco IOS Release 12.2(28)SB.

12.2(25)SG

This command was integrated into Cisco IOS Release 12.2(25)SG.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2(33)SXH

This command was integrated into Cisco IOS Release 12.2(33)SXH.

Cisco IOS XE Release 2.1

This command was introduced on Cisco ASR 1000 Series Routers.

12.4(20)T

This command was integrated into Cisco IOS Release 12.4(20)T.

Cisco IOS XE Release 3.2SE

This command was integrated into Cisco IOS XE Release 3.2SE.

Usage Guidelines

The ipv6 cef accountingcommand is similar to the ip cef accountingcommand, except that it is IPv6-specific.

Configuring Cisco Express Forwarding for IPv6 network accounting enables you to collect statistics on Cisco Express Forwarding for IPv6 traffic patterns in your network.

When you enable network accounting for Cisco Express Forwarding for IPv6 by using the ipv6 cef accountingcommand in global configuration mode, accounting information is collected at the Route Processor (RP) when Cisco Express Forwarding for IPv6 mode is enabled and at the line cards when distributed Cisco Express Forwarding for IPv6 mode is enabled. You can then display the collected accounting information using the show ipv6 cef EXEC command.

For prefixes with directly connected next hops, the non-recursive keyword enables express forwarding of the collection of packets and bytes through a prefix. This keyword is optional when this command is used in global configuration mode after you enter another keyword on the ipv6 cef accountingcommand.

This command in interface configuration mode must be used in conjunction with the global configuration command. The interface configuration command allows a user to specify two different bins (internal or external) for the accumulation of statistics. The internal bin is used by default. The statistics are displayed through the show ipv6 cef detailcommand.

Per-destination load balancing uses a series of 16 hash buckets into which the set of available paths are distributed. A hash function operating on certain properties of the packet is applied to select a bucket that contains a path to use. The source and destination IP addresses are the properties used to select the bucket for per-destination load balancing. Use the load-balance-hash keyword with the ipv6 cef accounting command to enable per-hash-bucket counters. Enter the show ipv6 cef prefix internal command to display the per-hash-bucket counters.

Examples

The following example enables the collection of Cisco Express Forwarding for IPv6 accounting information for prefixes with directly connected next hops:

Router(config)# ipv6 cef accounting non-recursive

Related Commands

Command

Description

ip cef accounting

Enable Cisco Express Forwarding network accounting (for IPv4).

show cef

Displays information about packets forwarded by Cisco Express Forwarding.

show ipv6 cef

Displays entries in the IPv6 FIB.

ipv6 cef distributed

To enable distributed Cisco Express Forwarding for IPv6, use the ipv6 cef distributedcommand in global configuration mode. To disable Cisco Express Forwarding for IPv6, use the no form of this command.

ipv6 cef distributed

no ipv6 cef distributed

Syntax Description

This command has no arguments or keywords.

Command Default

Distributed Cisco Express Forwarding for IPv6 is disabled on the Cisco 7500 series routers and enabled on the Cisco 12000 series Internet routers.

Command Modes


Global configuration (config)

Command History

Release

Modification

12.0(22)S

This command was introduced.

12.2(13)T

This command was integrated into Cisco IOS Release 12.2(13)T.

12.2(14)S

This command was integrated into Cisco IOS Release 12.2(14)S.

12.2(28)SB

This command was integrated into Cisco IOS Release 12.2(28)SB.

12.2(25)SG

This command was integrated into Cisco IOS Release 12.2(25)SG.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2(33)SXH

This command was integrated into Cisco IOS Release 12.2(33)SXH.

Cisco IOS XE Release 2.1

This command was implemented on Cisco ASR 1000 Series Aggregation Services Routers.

Cisco IOS XE Release 3.2SE

This command was integrated into Cisco IOS XE Release 3.2SE.

Usage Guidelines

The ipv6 cef distributedcommand is similar to the ip cef distributedcommand, except that it is IPv6-specific.

Enabling distributed Cisco Express Forwarding for IPv6 globally on the router by using the ipv6 cef distributedin global configuration mode distributes the Cisco Express Forwarding processing of IPv6 packets from the Route Processor (RP) to the line cards of distributed architecture platforms.


Note


The ipv6 cef distributed command is not supported on the Cisco 12000 series Internet routers because distributed Cisco Express Forwarding for IPv6 is enabled by default on this platform.



Note


To forward distributed Cisco Express Forwarding for IPv6 traffic on the router, configure the forwarding of IPv6 unicast datagrams globally on your router by using the ipv6 unicast-routing global configuration command, and configure an IPv6 address and IPv6 processing on an interface by using the ipv6 address interface configuration command.



Note


You must enable distributed Cisco Express Forwarding for IPv4 by using the ip cef distributedglobal configuration command before enabling distributed Cisco Express Forwarding for IPv6 by using the ipv6 cef distributedglobal configuration command.


Cisco Express Forwarding is advanced Layer 3 IP switching technology. Cisco Express Forwarding optimizes network performance and scalability for networks with dynamic, topologically dispersed traffic patterns, such as those associated with web-based applications and interactive sessions.

Examples

The following example enables distributed Cisco Express Forwarding for IPv6 operation:

ipv6 cef distributed

Related Commands

Command

Description

ip route-cache

Controls the use of high-speed switching caches for IP routing.

show ipv6 cef

Displays entries in the IPv6 FIB.

1